SCHEDULE 1: DATA PROCESSING

 

This Schedule forms part of and is incorporated by reference into the Plus4Events Master Subscription Agreement ("MSA") between the parties. This Schedule sets out the terms that apply to the processing of Personal Data by Plus4Group on Your behalf in connection with the Services provided under the MSA.

1.     DEFINITIONS AND INTERPRETATION

1.1.     In this Schedule, unless the context otherwise requires:

| Term | Definition |
| --- | --- |
| Controller | The party identified as Controller in the MSA, acting as a data controller as defined in Data Protection Law. |
| Data Protection Law | All applicable laws and regulations relating to the processing of Personal Data and privacy, including: (a) the UK GDPR; (b) the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025); (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended); (d) any applicable codes of conduct or guidance issued by the Information Commission; and (e) any successor or replacement legislation. |
| Data Subject | An identified or identifiable natural person to whom Personal Data relates. |
| Information Commission | The UK's data protection supervisory authority (previously known as the Information Commissioner's Office), or any successor body. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in Data Protection Law. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. |
| Processing | Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction. |
| Special Category Data | Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where processed for identification purposes), data concerning health, data concerning sex life or sexual orientation, and any other categories designated as special category data under Data Protection Law. |
| Sub-Processor | Any Processor engaged by Plus4Group to process Personal Data on behalf of Controller. |
| UK GDPR | The UK General Data Protection Regulation (Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended). |

 

1.2.    The terms "controller", "processor", "data subject", "personal data", and "processing" shall have the meanings set out in Data Protection Law.

1.3.    References to Articles are to Articles of the UK GDPR unless otherwise specified.

2.     SCOPE AND ROLE OF PARTIES

2.1.    Processor Role: Plus4Group shall process Personal Data only as a processor on behalf of Controller in accordance with Controller's documented instructions, except where processing is required by applicable law.

2.2.   Controller Responsibility: Controller shall remain responsible for compliance with its obligations as a controller under Data Protection Law, including but not limited to ensuring that it has a lawful basis for the processing, conducting data protection impact assessments where required, and responding to Data Subject rights requests.

2.3.   Processing Instructions: This Schedule, together with the MSA and any written instructions subsequently issued by Controller, constitute Controller's complete instructions to Plus4Group for the processing of Personal Data. Any additional or alternate instructions must be agreed in writing by both parties.

3.     CONTROLLER OBLIGATIONS AND WARRANTIES

3.1.    Controller warrants and represents that:

3.1.1.   it has complied and will continue to comply with all applicable requirements of Data Protection Law in relation to the Personal Data and the processing of such Personal Data;

3.1.2. it has a valid lawful basis for the processing of Personal Data under Article 6 UK GDPR (and, where applicable, Article 9 UK GDPR for Special Category Data);

3.1.3. all Personal Data provided to Plus4Group is accurate, adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

3.1.4. it has provided (or will provide) appropriate privacy notices to Data Subjects and has obtained (or will obtain) all necessary consents, permissions and authorisations required for the processing of Personal Data by Plus4Group in accordance with this Schedule;

3.1.5. it has conducted a sufficient assessment of Plus4Group's technical and organisational measures pursuant to Article 28(1) UK GDPR and considers them appropriate;

3.1.6. the processing instructions provided to Plus4Group do not cause Plus4Group to infringe Data Protection Law; and

3.1.7.  where Personal Data is transferred to Plus4Group from outside the United Kingdom, Controller has complied with all applicable requirements regarding international transfers of Personal Data.

3.2.   Controller shall notify Plus4Group immediately if it becomes aware that its processing instructions infringe Data Protection Law.

4.     PLUS4GROUP OBLIGATIONS

4.1.    Compliance with Instructions: Plus4Group shall process Personal Data only on documented instructions from Controller, unless required to do so by applicable law, in which case Plus4Group shall inform Controller of that legal requirement before processing (unless prohibited by law from doing so).

4.2.   Confidentiality: Plus4Group shall ensure that all persons authorised to process Personal Data are subject to binding obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3.   Security: Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Plus4Group shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

4.3.1.   the pseudonymisation and encryption of Personal Data;

4.3.2.  the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

4.3.3.  the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

4.3.4.  a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

4.4.   Sub-processing:

4.4.1.   Controller hereby provides general authorisation for Plus4Group to engage Sub-Processors in accordance with this clause 4.4.

4.4.2.  Plus4Group shall notify Controller of any intended changes concerning the addition or replacement of Sub-Processors at least thirty (30) days in advance, thereby giving Controller the opportunity to object to such changes.

4.4.3.  Where Plus4Group engages a Sub-Processor, Plus4Group shall impose data protection obligations on the Sub-Processor by way of a contract that provides substantially the same level of protection as this Schedule, including obligations regarding data security, confidentiality, Personal Data Breach notification, and assistance with Data Subject rights.

4.4.4.  Plus4Group shall remain fully liable to Controller for the performance of the Sub-Processor's obligations.

4.5.   International Transfers:

4.5.1.   Plus4Group shall not transfer or permit the transfer of Personal Data outside the United Kingdom unless:

4.5.1.1.  the transfer is to a country or territory in respect of which the Secretary of State has made regulations pursuant to Article 45 UK GDPR (an "Adequate Country");

4.5.1.2. appropriate safeguards are in place in accordance with Article 46 UK GDPR, including but not limited to the UK International Data Transfer Agreement (IDTA) or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses;

4.5.1.3. the transfer is necessary for one of the reasons set out in Article 49 UK GDPR; or

4.5.1.4. Controller has provided prior written consent to the transfer.

4.5.2.  Where Plus4Group relies on appropriate safeguards under Article 46 UK GDPR, Plus4Group shall conduct and document a transfer risk assessment (TRA) in accordance with Information Commission guidance and shall provide a copy of such assessment to Controller upon request.

4.5.3.  The parties acknowledge that the standard of protection for data transfers is that the protection provided in the destination country or by the receiving organisation must not be "materially lower" than the equivalent standard in the United Kingdom, as set out in the Data (Use and Access) Act 2025.

4.6.   Assistance with Data Subject Rights: Taking into account the nature of the processing, Plus4Group shall, at Controller's cost, provide reasonable assistance to Controller to enable Controller to respond to requests from Data Subjects exercising their rights under Data Protection Law, including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing.

4.7.   Assistance with Compliance Obligations: Plus4Group shall, at Controller's cost, provide reasonable assistance to Controller with:

4.7.1.   data protection impact assessments, where required under Article 35 UK GDPR;

4.7.2.  prior consultation with the Information Commission, where required under Article 36 UK GDPR;

4.7.3.  compliance with Controller's obligations to implement appropriate technical and organisational measures;

4.7.4.  demonstrating compliance with Data Protection Law; and

4.7.5.  responding to the exercise by Data Subjects of the new right to complain under Article 57A UK GDPR (as introduced by the Data (Use and Access) Act 2025), including acknowledging complaints within thirty (30) days and providing a substantive response without undue delay.

4.8.   Records of Processing: Plus4Group shall maintain complete and accurate records of all categories of processing activities carried out on behalf of Controller, in accordance with Article 30 UK GDPR.

5.     PERSONAL DATA BREACHES

5.1.    Notification: Plus4Group shall notify Controller without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach.

5.2.   Information to be Provided: The notification shall include, to the extent possible:

5.2.1.   a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;

5.2.2.  the name and contact details of Plus4Group's point of contact for the breach;

5.2.3.  a description of the likely consequences of the Personal Data Breach; and

5.2.4.  a description of the measures taken or proposed to be taken to address the Personal Data Breach and to mitigate its possible adverse effects.

5.3.   Cooperation: Plus4Group shall cooperate with Controller and provide reasonable assistance in connection with Controller's handling of a Personal Data Breach, including notifying the Information Commission and affected Data Subjects where required.

5.4.   Documentation: Plus4Group shall maintain records of all Personal Data Breaches in accordance with Article 33(5) UK GDPR.

6.     AUDITS AND INSPECTIONS

6.1.    Audit Rights: Plus4Group shall, at Controller's cost, make available to Controller all information necessary to demonstrate compliance with this Schedule and the obligations under Article 28 UK GDPR.

6.2.   Frequency: Controller may conduct audits and inspections of Plus4Group's processing activities no more than once per calendar year, unless:

6.2.1.   there is a reasonable suspicion of a breach of this Schedule or Data Protection Law;

6.2.2.  required by the Information Commission or another supervisory authority;

6.2.3.  following a Personal Data Breach; or

6.2.4.  required by applicable law or regulation.

6.3.   Audit Procedure: Any audit or inspection shall be:

6.3.1.   conducted during normal business hours with at least thirty (30) days' prior written notice (unless responding to a Personal Data Breach or regulatory request);

6.3.2.  carried out in a manner that does not unreasonably interfere with Plus4Group's business operations;

6.3.3.  subject to appropriate confidentiality obligations; and

6.3.4.  compliant with Plus4Group's security and site access policies.

6.4.   Alternative Compliance Evidence: Plus4Group may satisfy its obligations under this clause by providing Controller with a valid independent audit report (such as ISO 27001, SOC 2 Type II, or equivalent) demonstrating compliance with appropriate security standards, provided such report is no more than twelve (12) months old.

7.     DATA DELETION AND RETURN

7.1.    Upon Termination: Upon termination or expiry of the MSA, or upon Controller's written request, Plus4Group shall, at Controller's option:

7.1.1.     delete all Personal Data; or

7.1.2.   return all Personal Data to Controller in a commonly used and machine-readable format.

7.2.   Retention Obligations: Plus4Group may retain Personal Data to the extent required by applicable law, provided that Plus4Group shall ensure the confidentiality of such Personal Data and shall only process it as necessary to comply with such legal obligation.

7.3.   Certification: Plus4Group shall provide Controller with written certification of deletion or return within thirty (30) days of completing the deletion or return.

7.4.   Any Personal Data held after termination under any circumstances will be handled in line with Our Data Retention Policy: https://plus4events.com/legal

7.5.   Plus4Group reserves the right to withhold, remove and/or discard Customer Data, not containing Personal Data, without notice in response to any breach, including, without limitation, Your non-payment.

7.6.   Upon termination for cause, Your right to access or use Customer Data immediately ceases, and Plus4Group shall have no obligation to maintain or forward any Customer Data, except for any Personal Data.

7.7.    Backups: Where Personal Data is retained in backup systems, Plus4Group shall ensure such data is isolated and protected, and shall permanently delete such data in accordance with its standard backup retention and deletion procedures.

8.     LIMITATION OF LIABILITY AND INDEMNITY

8.1.    Mutual Liability: Each party shall be liable to the other for any damage caused by processing of Personal Data that infringes Data Protection Law, subject to the limitations set out in the MSA and this clause 8.

8.2.   Plus4Group Liability: Plus4Group shall be liable for damage caused by processing only where it has not complied with obligations under Data Protection Law specifically directed to Plus4Group or where it has acted outside or contrary to lawful instructions from Controller.

8.3.   Controller Indemnity: Controller shall indemnify and hold harmless Plus4Group against all losses, claims, damages, liabilities, penalties, fines, costs and expenses (including reasonable legal fees) arising from:

8.3.1.   Controller's breach of its obligations under this Schedule or Data Protection Law;

8.3.2.  Controller's processing instructions that cause Plus4Group to infringe Data Protection Law;

8.3.3.  any claim brought by a Data Subject against Plus4Group arising from Controller's breach of Data Protection Law; or

8.3.4.  any enforcement action or investigation by the Information Commission or other regulatory authority arising from Controller's breach of Data Protection Law.

8.4.   Joint and Several Liability: Where under Data Protection Law (including Article 82 UK GDPR) Plus4Group and Controller incur joint and several liability to a Data Subject or regulatory authority, the parties shall be liable only to the extent of their respective responsibility for the damage or breach.

8.5.   Cap on Liability: Subject to clause 8.6, Plus4Group's total aggregate liability arising out of or in connection with this Schedule shall be limited to the lower of:

8.5.1.   the total fees paid or payable by Controller to Plus4Group under the MSA in the twelve (12) months immediately preceding the event giving rise to the liability; or

8.5.2.  the limitation of liability cap specified in the MSA.

8.6.   Unlimited Liability: Nothing in this Schedule shall exclude or limit either party's liability for:

8.6.1.   death or personal injury caused by its negligence;

8.6.2.  fraud or fraudulent misrepresentation;

8.6.3.  breach of confidentiality obligations;

8.6.4.  wilful misconduct or gross negligence; or

8.6.5.  any other liability that cannot be excluded or limited by applicable law.

9.     GENERAL PROVISIONS

9.1.    Changes in Law: The parties acknowledge that Data Protection Law continues to evolve. If any change in Data Protection Law prevents either party from fulfilling its obligations under this Schedule, the parties shall negotiate in good faith to amend this Schedule to comply with such changes.

9.2.   Conflict: In the event of any conflict between this Schedule and the MSA, this Schedule shall prevail to the extent of the conflict in relation to data protection matters.

9.3.   Severability: If any provision of this Schedule is found to be invalid, illegal or unenforceable, the parties shall negotiate in good faith to agree a replacement provision that achieves the original commercial intention as closely as possible.

9.4.   Duration: This Schedule shall remain in force for the duration of the MSA and for so long as Plus4Group processes Personal Data on behalf of Controller.

9.5.   Termination Rights: Either party may terminate this Schedule (and consequently the MSA) immediately by written notice if:

9.5.1.   the other party commits a material breach of this Schedule that is not remediable;

9.5.2.  the other party commits a material breach of this Schedule that is remediable but fails to remedy such breach within thirty (30) days of written notice;

9.5.3.  changes in Data Protection Law make it impossible or unlawful for Plus4Group to continue processing Personal Data; or

9.5.4.  the Information Commission or other regulatory authority orders cessation of the processing.

9.6.   Governing Law and Jurisdiction: This Schedule shall be governed by and construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for all disputes arising out of or in connection with this Schedule.

9.7.   Third Party Rights: Data Subjects shall have the right to enforce clauses of this Schedule as third-party beneficiaries to the extent provided under Data Protection Law.

 

REF: P4E_DPS 08/02/2026

APPENDIX A: PROCESSING DETAILS

Subject matter of processing

Provision of cloud-based event management, feedback collection and marketing lead generation services.

Duration of processing

As defined in the MSA

Purpose of processing

Collection, recording, organisation, storage, hosting, retrieval, use, disclosure, alignment, restriction, deletion and anonymisation of personal data, including user authentication, access control, analytics and reporting.

Nature of processing

Administration of event registration and attendance

Communication relating to events

Collection and analysis of feedback

Generation and qualification of marketing leads

Integration with CRM and marketing systems

Platform security and performance monitoring

Type of Personal Data

Contact details, professional information, marketing preferences, attendance data, survey responses, engagement metrics, IP addresses and system log data, location, financial information.

Categories of Data Subjects

Users as defined in the MSA, event registrants, attendees, speakers, sponsors, marketing prospects

Special Category Data (if applicable)

Dietary and accessibility requests.

Approved Sub-Processors

The list will be maintained separately

APPENDIX B: TECHNICAL AND ORGANISATIONAL MEASURES

Plus4Group shall implement and maintain the following technical and organisational measures (or equivalent measures providing an appropriate level of security):

Confidentiality:

·        Access control to premises and facilities

·        Access control to systems

·        Access authorisation procedures

·        Encryption of data in transit

·        Pseudonymisation where appropriate

Integrity:

·        Data transfer controls

·        Input controls and validation

·        Segregation of processing for different purposes

·        Change management procedures

·        Malware protection

Availability and Resilience:

·        Backup and disaster recovery procedures

·        Business continuity management

·        Regular testing of security measures

·        Incident response procedures

Procedures for Testing and Review:

·        Regular security assessments and penetration testing

·        Monitoring and logging of access to Personal Data

·        Staff training on data protection

·        Supplier management and due diligence

·        Annual review of security measures

Note: The specific technical and organisational measures may be updated by Plus4Group from time to time provided that such updates maintain or enhance the level of security. Material changes shall be notified to Controller.