Promoter Data Sharing & Joint Controller Agreement
The agreement governing how Rave Essentials and event promoters jointly handle attendee personal data, under the UK GDPR and PECR.
Version 1.0 — effective 7 May 2026
1. Parties
This Agreement is entered into between:
- Rave Essentials (the "Platform"), a business operating the website at raveessentials.co.uk and acting as a data controller for personal data collected through ticket sales on the Platform; and
- The Promoter ("you", "your"), the natural or legal person who has registered a promoter account on the Platform and is identified by the registration details associated with that account.
Both parties together are referred to as the "Parties".
2. Background and scope
The Platform sells tickets to events promoted by the Promoter. To enable the Promoter to admit attendees at the door, manage guest lists, and operate the event safely, the Platform shares limited personal data with the Promoter. This Agreement governs how the Promoter handles that personal data and sets out the respective responsibilities of the Parties under United Kingdom data-protection law.
This Agreement applies to all Attendee Data (as defined below) the Promoter receives from the Platform from the date the Promoter accepts these terms onwards, and continues for the duration of the Promoter's relationship with the Platform plus any retention period required by law.
3. Definitions
"UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), and any other applicable laws relating to the processing of personal data in the United Kingdom.
"Personal Data", "Process", "Controller", "Processor", "Joint Controllers", "Data Subject" and "Personal Data Breach" have the meanings given in the UK GDPR.
"Sub-Processor" means any third party engaged by the Promoter to Process Attendee Data on the Promoter's behalf.
"Attendee Data" means the categories of Personal Data set out in clause 4.
"ICO" means the UK Information Commissioner's Office.
4. Scope and details of the shared processing
- Subject-matter: management and admission of attendees who have purchased tickets through the Platform to events promoted by the Promoter.
- Duration: for the lifetime of the Promoter's account on the Platform, plus any retention period required by law (typically up to 6 years for accounting and contractual records under the Limitation Act 1980 and HMRC retention requirements).
- Nature and purpose of processing: verifying tickets at the door, maintaining guest lists, communicating with attendees about safety or essential event information (delivered by the Platform on the Promoter's behalf — see clause 6.7), and complying with each Party's legal obligations as Platform operator and event organiser respectively.
- Categories of Personal Data shared by the Platform with the Promoter: attendee full name, ticket type, ticket reference number, QR code data, and check-in status. Where the Promoter separately collects data from an attendee for guest-list purposes, that data is also Attendee Data for the purposes of this Agreement.
- Categories of Personal Data NOT shared by the Platform with the Promoter: attendee email address, phone number, payment details, IP address, and browsing history. These are retained by the Platform and may be used by the Platform to send messages to attendees on the Promoter's behalf, in accordance with clause 6.7 and the Platform's privacy policy.
- Categories of Data Subjects: natural persons who have purchased a ticket through the Platform to an event promoted by the Promoter, and natural persons added by the Promoter to a guest list for an event.
5. Roles of the Parties
The Parties acknowledge that, in respect of the shared processing described in clause 4, they are Joint Controllers within the meaning of Article 26 UK GDPR. Each Party determines, in conjunction with the other, the purposes and means of the shared processing for the door-entry, attendee-management, and event-operations purposes set out in clause 4.
For all other processing — including the Promoter's own legitimate business operations not requiring Attendee Data, and the Platform's own operations of the Platform itself (account management, fraud prevention, payments, platform-level analytics, marketing communications sent on the Platform's own behalf to its account holders) — each Party acts as an independent Controller for its own purposes, and this Agreement does not govern that independent processing.
If, at any point in the future, the Platform makes available a feature, paid tier, or specific arrangement under which the Promoter is granted direct access to attendee contact details (such as email address or telephone number) outside the Platform's systems, the processing of that contact data will be governed by an additional schedule to this Agreement which the Promoter will be required to accept before the data is released. Until and unless such a schedule is in force, no contact details are released to the Promoter under this Agreement.
The Promoter agrees that, regardless of how a Data Subject characterises a request, the obligations set out in this Agreement are the minimum standard the Promoter will meet when handling Attendee Data.
6. Apportionment of responsibilities (Article 26(1))
The Parties apportion their respective responsibilities under UK GDPR as follows. Where a responsibility is allocated to one Party, the other Party will provide reasonable cooperation in connection with that responsibility on request.
6.1 Data Subject information (Articles 13 and 14)
The Platform is responsible for providing Article 13 information to attendees at the point of ticket purchase and for making the essence of this Agreement available to Data Subjects in accordance with Article 26(2) UK GDPR. The Platform discharges this duty through its Privacy Policy. The Promoter is responsible for providing Article 14 information where the Promoter independently obtains personal data about attendees from sources other than the Platform (for example, by collecting contact details at the door).
6.2 Data Subject rights (Chapter III UK GDPR)
The Platform is the primary point of contact for Data Subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection). Data Subjects may, however, exercise their rights against either Party as required by Article 26(3).
If the Promoter receives a Data Subject rights request relating to Attendee Data, the Promoter will not respond directly except to confirm receipt and direct the Data Subject to contact the Platform; the Promoter will forward the request to privacy@raveessentials.co.uk within 5 working days and provide reasonable assistance to the Platform in responding.
6.3 Lawful basis
The Platform is responsible for establishing and documenting a lawful basis under Article 6 UK GDPR for sharing Attendee Data with the Promoter. The Promoter is responsible for establishing and documenting a lawful basis for any further processing of Attendee Data the Promoter undertakes within the scope of this Agreement (typically performance of the contract between the Promoter and the attendee, or legitimate interests for door entry and event safety).
6.4 Personal Data Breach notification
Each Party is responsible for notifying the ICO of a Personal Data Breach affecting Attendee Data to the extent that the breach falls within that Party's domain of control. The Promoter will notify the Platform of any Personal Data Breach affecting Attendee Data without undue delay and in any event within 24 hours of becoming aware. The notification will be sent to privacy@raveessentials.co.uk and will include, to the extent the Promoter has the information at that time:
- the nature of the Personal Data Breach including the categories and approximate number of Data Subjects affected and the categories and approximate number of records concerned;
- the likely consequences of the breach;
- measures taken or proposed to address the breach and to mitigate its possible adverse effects.
The Promoter will provide further information promptly as it becomes available, and will not contact the ICO or any affected Data Subjects regarding the breach without first consulting the Platform, except to the extent strictly required by law.
6.5 Records of processing (Article 30)
Each Party will maintain its own records of processing activities relating to Attendee Data, in the form and detail required by Article 30 UK GDPR (where applicable to that Party).
6.6 Data Protection Impact Assessments (Article 35)
Each Party will conduct any Data Protection Impact Assessment required by Article 35 UK GDPR in respect of processing it controls. The Parties will provide reasonable cooperation in any DPIA the other Party conducts that involves the shared processing under this Agreement.
7. Promoter's operational obligations
In addition to the apportioned responsibilities in clause 6, the Promoter undertakes the following operational obligations in respect of Attendee Data.
7.1 Use of Attendee Data only for agreed purposes
The Promoter will Process Attendee Data only for the purposes set out in clause 4 and only as necessary to operate the events for which it has sold tickets through the Platform. The Promoter will not Process Attendee Data for any incompatible purpose without the Platform's prior written authorisation.
7.2 Confidentiality
The Promoter will ensure that any of its personnel, contractors, or agents authorised to access Attendee Data are bound by a written or statutory duty of confidentiality, and will limit access to Attendee Data on a need-to-know basis.
7.3 Security (Article 32)
The Promoter will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, including, as appropriate to the data and context:
- encryption of Attendee Data in transit;
- access controls preventing unauthorised access to Attendee Data on the Promoter's devices and accounts;
- regular review of the effectiveness of its security measures;
- secure deletion of Attendee Data when no longer required (see clause 7.7).
The Promoter will not store Attendee Data on personal devices or in personal accounts (for example, personal email or personal cloud storage) except where such storage is encrypted and access-controlled and the device or account is owned or managed by the Promoter's organisation.
7.4 No sub-processing without prior written authorisation
The Promoter will not engage any Sub-Processor (including any third-party CRM, mailing list provider, customer-relationship tool, or analytics tool) to Process Attendee Data without the Platform's prior written authorisation. Where the Platform authorises a Sub-Processor, the Promoter will impose on that Sub-Processor data-protection obligations equivalent to those in this Agreement, by way of a written contract, and the Promoter remains fully liable to the Platform for the acts and omissions of the Sub-Processor.
7.5 Marketing and PECR (PECR Regulation 22)
The Promoter will not use Attendee Data to send direct marketing communications to attendees by any electronic channel except where:
- the message is sent on the Promoter's behalf by the Platform through the Platform's own systems, under the Platform's lawful basis and PECR-compliant consent records; or
- the Promoter has obtained valid PECR-compliant consent or is otherwise able to rely on a valid lawful basis under Data Protection Laws and PECR for sending the marketing directly, and is able to evidence that lawful basis on request.
The Promoter will not contact attendees through any communication channel obtained outside this Agreement (including any contact details that attendees may provide directly to the Promoter at the door, on social media, or elsewhere) in a manner that would breach Data Protection Laws or PECR. The Promoter indemnifies the Platform against any administrative fine, claim, or compensation paid by the Platform to a Data Subject as a direct result of the Promoter's breach of this clause.
7.6 No re-identification of pseudonymised data
Where the Platform shares Attendee Data in pseudonymised or aggregated form, the Promoter will not attempt to re-identify the underlying Data Subjects.
7.7 Deletion or return on termination
On termination of the Promoter's account on the Platform, or on written request from the Platform at any time, the Promoter will delete all Attendee Data in its possession or control (including back-up copies) within 30 days, except to the extent that applicable law requires retention. The Promoter will, on request, provide the Platform with written confirmation of deletion.
7.8 Audit and information rights
The Promoter will make available to the Platform, on reasonable written request, all information necessary to demonstrate compliance with this Agreement. The Platform may, on not less than 14 days' prior notice (other than in cases of suspected breach of this Agreement, where shorter notice is reasonable), request access to documentation, certifications, or records held by the Promoter relating to its processing of Attendee Data. The Platform will not exercise on-site audit rights more frequently than once per twelve-month period unless the Platform has reasonable grounds to suspect a breach, in which case further audits may be conducted as reasonably necessary. The Platform will conduct any audit in a manner that minimises disruption to the Promoter's operations.
8. Platform's operational obligations
The Platform will:
- only share Attendee Data with the Promoter to the extent necessary for the Promoter to operate events for which the Promoter has sold tickets through the Platform;
- maintain the lawful bases on which the Platform shares Attendee Data with the Promoter, and inform the Promoter of any material change to those lawful bases that affects the Promoter's processing under this Agreement;
- maintain a privacy contact at
privacy@raveessentials.co.ukand respond promptly to reasonable assistance requests under clause 6; - maintain appropriate technical and organisational measures (Article 32) to protect Attendee Data while it is held by the Platform.
9. International transfers
The Promoter will not transfer Attendee Data outside the United Kingdom, and will not engage any Sub-Processor that processes Attendee Data outside the United Kingdom, unless:
- the destination is a country covered by adequacy regulations made by the Secretary of State under section 17A of the Data Protection Act 2018; or
- the transfer is governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, executed between the Promoter (as exporter) and the recipient (as importer); or
- another lawful safeguard under Article 46 UK GDPR is in place.
In all cases the Promoter will, on the Platform's request, evidence the transfer mechanism used.
10. Liability and indemnity
Each Party is liable to Data Subjects in accordance with Article 82 UK GDPR. As between the Parties, the Promoter is liable to the Platform for any damage, administrative fine, compensation, or reasonable legal costs incurred by the Platform that arise from the Promoter's breach of this Agreement, Data Protection Laws, or PECR, to the extent that the liability arises from the Promoter's acts or omissions; and the Promoter indemnifies the Platform accordingly.
Where Article 82(4) UK GDPR applies (joint and several liability of joint controllers to a Data Subject), and the Platform pays compensation to a Data Subject in excess of the share corresponding to the Platform's part of the responsibility, the Platform may recover from the Promoter the part of the compensation corresponding to the Promoter's part of the responsibility.
This Agreement does not impose a cap on data-protection liability lower than the cap (if any) in any general terms of service between the Parties; for the avoidance of doubt, where there is a conflict, this Agreement prevails in respect of data-protection matters.
11. Term and termination
This Agreement takes effect on the date the Promoter accepts these terms in the registration flow or in the promoter portal, and continues until the later of: (a) closure of the Promoter's account on the Platform; or (b) the date on which the Promoter no longer holds any Attendee Data.
The Platform may terminate the Promoter's account, suspend the Promoter's access to attendee data, and require deletion under clause 7.7, if the Promoter materially breaches this Agreement and (where the breach is capable of remedy) fails to remedy the breach within 14 days of written notice.
12. Amendments
The Platform may amend this Agreement from time to time. Where the amendment materially changes the Promoter's obligations, the Platform will give the Promoter at least 30 days' prior notice (by email or by notice in the promoter portal) and will require the Promoter to accept the amended Agreement at next portal login. Continued use of the Platform after notice and after the effective date of the amended Agreement constitutes acceptance of the amended terms.
Trivial or non-material amendments (for example, correcting typographical errors or updating contact addresses) may be made without re-acceptance.
13. Governing law and jurisdiction
This Agreement is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this Agreement.
14. Order of precedence
Where this Agreement conflicts with any other agreement between the Parties (including general Terms of Service), this Agreement prevails in respect of data-protection matters. All other matters are governed by the relevant other agreement.
15. Contact
For all data-protection matters arising under this Agreement, including notifications of breach, Data Subject requests forwarded under clause 6.2, and audit information requests, contact: privacy@raveessentials.co.uk.
This document is version 1.0, effective 7 May 2026, and is publicly accessible at /legal/promoter-dpa/. Each Promoter's acceptance of a specific version is recorded against their account record together with the timestamp and IP address of the request, in accordance with standard practice for the enforceability of clickwrap contracts under the laws of England and Wales.