Data processing agreement
Version 1.0 — last updated 1 June 2026
Between
MVC Consulting (ToneelTickets), with registered office at Deken Degryselaan 16, 8500 Kortrijk and company number BE0533.693.208. Hereafter: the "Processor".
And
The organisation (theatre company, association or producer) registering on the ToneelTickets platform and thereby accepting this data processing agreement. Hereafter: the "Controller".
Both parties together referred to as the "Parties".
Whereas
In the context of the online ticket sales and audience administration offered by ToneelTickets, the Processor processes certain Personal Data on behalf of and for the account of the Controller. The Parties wish to put their arrangements regarding this processing in writing, in accordance with article 28 GDPR.
Article 1 — Definitions
- GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation).
- Data subject: the natural person to whom a Personal Data item relates (e.g. a ticket buyer).
- Data breach: a breach of security leading to the destruction, loss or alteration of, or unauthorised access to, Personal Data.
- Task: the services of ToneelTickets as described in Annex 1.
- Personal Data: any information about an identified or identifiable natural person, as defined in article 4(1) GDPR, that the Processor processes in the context of the Task.
- Processing: any operation on Personal Data, as defined in article 4(2) GDPR.
- Sub-processor: an external party processing Personal Data on behalf of the Processor.
Article 2 — Subject (art. 28 GDPR)
2.1. The Processor processes Personal Data only as described in the Task (Annex 1) and in accordance with the Controller's instructions.
2.2. Any processing outside the Task is prohibited, unless:
- the Controller gives written instructions to do so; or
- a provision of Union or member-state law obliges the Processor to do so. In that case the Processor informs the Controller in advance, unless that law prohibits this on important grounds of public interest.
2.3. The Processor informs the Controller immediately if, in its view, an instruction breaches the GDPR.
Article 3 — Duration
3.1. This agreement lasts as long as the Controller uses the ToneelTickets platform.
3.2. Articles 3.3, 5, 6, 7, 9 and 12 remain in force after termination.
3.3. After termination the Processor stops all processing and deletes all Personal Data and backups within two months, unless storage is legally required (e.g. accounting retention for invoicing data).
Article 4 — Security (art. 32 GDPR)
4.1. The Processor takes appropriate technical and organisational measures to protect Personal Data against destruction, loss, falsification, unauthorised access or unlawful processing. The minimum measures are listed in Annex 2.
4.2. The Processor has a current security policy and reviews it periodically.
Article 5 — Confidentiality (art. 29 GDPR)
5.1. The Processor guarantees the confidentiality of all Personal Data.
5.2. Only staff or appointees who are contractually or legally bound to confidentiality receive access to Personal Data, and only as strictly necessary to perform their tasks.
Article 6 — Subcontracting and sub-processors (art. 28 GDPR)
6.1. The Processor may engage Sub-processors to perform the Task. Key permanent sub-processors of ToneelTickets include:
- Stripe — payment processing (online tickets & extras).
- EEA hosting provider (servers and database).
- Email provider for transactional emails (e.g. order confirmations and e-tickets).
6.2. With every Sub-processor the Processor concludes an agreement with at least equivalent obligations regarding data protection and confidentiality.
6.3. The Processor keeps an up-to-date overview of all Sub-processors and provides it on simple request to the Controller.
Article 7 — Assistance (art. 28 GDPR)
7.1. General. The Processor reasonably assists the Controller in meeting and demonstrating its GDPR obligations.
7.2. Requests from Data subjects. Where a Data subject (e.g. a ticket buyer) approaches the Processor directly to exercise chapter III GDPR rights (access, deletion, objection, …), the Controller is notified without delay. The Processor only answers the request after the Controller's agreement, unless it concerns a request only the Processor can act on.
7.3. Data breaches. The Processor reports any Data breach without undue delay and at the latest within 48 hours after becoming aware, to the Controller (privacy@toneeltickets.be). It provides all reasonable assistance with the notification to the Data Protection Authority (art. 33 GDPR) and — where necessary — to Data subjects (art. 34 GDPR). The actual notification to the supervisory authority remains the Controller's responsibility.
7.4. Other assistance. The Processor assists the Controller, where relevant, with:
- security of processing (art. 32 GDPR);
- carrying out a data protection impact assessment (DPIA, art. 35 GDPR);
- consulting the supervisory authority if necessary (art. 36 GDPR).
Article 8 — Place of processing
The Processor processes Personal Data only within the European Economic Area (EEA). Where, for specific functionality, a transfer outside the EEA would be necessary (e.g. via Stripe), this takes place with the appropriate safeguards as provided in chapter V GDPR (e.g. standard contractual clauses).
Article 9 — Control (art. 28 GDPR)
9.1. The Controller has the right to verify compliance with this agreement, or to have it verified, subject to written notice at least ten business days in advance and during office hours.
9.2. The Processor provides relevant information and documentation on simple request and provides reasonable assistance with audits.
Article 10 — Liability (art. 82 GDPR)
10.1. The Processor's liability is limited as set out in the Terms and conditions, without prejudice to article 82 GDPR.
10.2. Each Party remains fully liable for its own breaches of the GDPR.
Article 11 — Termination
11.1. The Controller may terminate the cooperation at any time in writing by closing its account. The Processor then deletes all Personal Data within two months, except for the legal exceptions (see art. 3.3).
Article 12 — Other
12.1. This agreement is governed by Belgian law. Disputes are submitted to the competent courts of the district where the Processor is established.
12.2. If any provision is void or invalid, the remaining provisions remain fully in force and the Parties negotiate in good faith on a substitute valid provision with the most similar effect.
12.3. Amendments to this agreement are indicated by a new version number.
Annex 1 — Description of the Task
ToneelTickets provides an online platform for ticket sales and audience management for theatre companies, theatres and related organisations.
Webshop, ticket sales & extras
The Processor processes for the Controller, among other things:
- Name of the buyer
- Email address of the buyer
- Phone number (optional)
- Any additional fields the Controller configures (e.g. menu choice, bus, dietary requirements)
- Seat/place choice and chosen ticket types
- Order references and payment status
This data is used to handle the order, send e-tickets and order confirmations, enable scan/door entry, provide support, secure the platform and perform debugging.
Technical data
In addition, the Processor processes IP addresses, user agents and log files of visitors. This is necessary for network traffic, debugging, abuse detection and security. IP addresses are not used to track visitors, except in the context of a legal obligation (e.g. fraud investigation). Logs are retained no longer than necessary, with a maximum of one year.
For online payments the IP address — when requested by the payment provider (Stripe) — is forwarded to the payment provider for fraud prevention.
Own responsibility of the Controller
The Controller decides which (additional) fields are requested in the order flow and is responsible for:
- the existence of a valid legal basis (art. 6 GDPR) for each category of personal data collected;
- correct communication to Data subjects (own privacy policy);
- managing and answering requests from Data subjects.
Excluded
The following data falls outside this data processing agreement and is processed by the Processor as a controller in its own right (see the privacy policy):
- Name and email of administrators of an organisation
- Address and invoicing data of the organisation
Annex 2 — Security measures
Layered security
ToneelTickets applies multiple independent security layers, so that failure of one measure does not automatically lead to a Personal Data leak.
HTTPS everywhere
All traffic between browsers and ToneelTickets servers runs over an encrypted HTTPS connection.
Access control
Industry best practices are applied for server access: no password-based logins, only cryptographic keys, a firewall on each server, and regular software updates.
Physical security & data centres
Personal Data is stored in certified data centres within the European Economic Area (Belgium, Germany or the Netherlands). The providers used hold the relevant security certifications (such as ISO 27001).
Encrypted backups
Encrypted backups of the databases are made daily to a separate location. Backups are retained for up to 90 days and the backup system is automatically monitored.
Password hashing
Passwords are never stored in readable form. They are hashed with an algorithm specifically developed for passwords (with salt). Even with access to the database, passwords cannot be reconstructed.
Responsible disclosure
Found a security issue? Report it via privacy@toneeltickets.be. We ask that you only disclose found issues publicly after we've had sufficient time to fix them.
Questions about this DPA? Mail us at info@toneeltickets.be.