Legal

Data Processing Agreement

Version 1.0Effective January 2026

Parties

Data Controller

SeatFillers UK

hello@seatfillers.co.uk

hello@seatfillers.co.uk

Data Processor

The Venue Partner

As identified in the venue signup form

1. Background and Purpose

1.1 SeatFillers UK operates a theatre papering platform through which it makes complimentary tickets available to registered members (“Members”) on behalf of Venue Partners for the purpose of filling unsold seats (“the Service”).

1.2 To administer bookings made through the Service, SeatFillers shares certain personal data about Members with the Venue. This Agreement governs that processing.

1.3 The parties acknowledge that SeatFillers acts as Data Controller and the Venue acts as Data Processor in respect of the Member personal data described in Schedule 1. This Agreement satisfies the requirement under Article 28 UK GDPR for a written contract governing the processing.

1.4 By completing the venue signup process and ticking the acceptance checkbox, the Venue confirms it has read, understood, and agrees to this Agreement on behalf of the organisation identified in the signup form. SeatFillers records the acceptance timestamp with each signup submission.

2. Definitions

In this Agreement:

  • “UK GDPR” means the UK General Data Protection Regulation as it forms part of domestic law in England and Wales by virtue of the European Union (Withdrawal) Act 2018, as amended.
  • “Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018, and any subordinate legislation or regulations made thereunder.
  • “Personal Data”, “Data Subject”, “Processing”, “Personal Data Breach”, “Supervisory Authority” and “Special Category Data” have the meanings given in the Data Protection Legislation.
  • “Booking Data” means the personal data described in Schedule 1.
  • “Permitted Purpose” means the administration of complimentary ticket bookings for shows and productions listed by the Venue on the SeatFillers platform, as further described in Schedule 1.

3. Controller Obligations

3.1 SeatFillers warrants that:

  • it has collected Booking Data from Members on a lawful basis and has provided Members with a fair processing notice that includes disclosure of data sharing with Venue Partners for ticket administration purposes;
  • it has the right to disclose Booking Data to the Venue for the Permitted Purpose; and
  • it will only share Booking Data that is adequate, relevant, and limited to what is necessary for the Permitted Purpose.

4. Processor Obligations

4.1 The Venue shall:

  • process Booking Data only on the documented instructions of SeatFillers as set out in this Agreement, and not for any other purpose, unless required to do so by applicable law (in which case the Venue shall, where legally permitted, inform SeatFillers before processing);
  • process Booking Data solely for the Permitted Purpose and for no other commercial, marketing, or operational purpose, except where a Member has provided separate and explicit consent directly to the Venue for that additional purpose (see clause 7);
  • ensure that all persons authorised to process Booking Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as a minimum the measures described in Schedule 2;
  • not disclose Booking Data to any third party other than as permitted under clause 6; and
  • promptly notify SeatFillers if it receives any request, complaint, or correspondence from a Data Subject, regulatory authority, or third party in connection with the Processing of Booking Data.

5. Data Subject Rights

5.1 Taking into account the nature of the Processing, the Venue shall assist SeatFillers, by appropriate technical and organisational measures insofar as possible, to fulfil SeatFillers’ obligations to respond to requests by Data Subjects to exercise their rights under the Data Protection Legislation.

5.2 The Venue shall not respond directly to a Data Subject’s request relating to Booking Data without first obtaining SeatFillers’ written consent, except where required by law.

5.3 The Venue shall notify SeatFillers within five (5) working days of receiving any such request.

6. Sub-Processors

6.1 The Venue may engage sub-processors (for example, its ticketing system provider or email delivery service) for the Processing of Booking Data, provided that the Venue:

  • imposes obligations on the sub-processor that are no less protective than those set out in this Agreement; and
  • remains fully liable to SeatFillers for the acts and omissions of any sub-processor.

6.2 The Venue shall notify SeatFillers by email to hello@seatfillers.co.uk if it intends to engage a new sub-processor that will have access to Booking Data, and shall do so before that sub-processor accesses the data. SeatFillers may raise reasonable objection within 10 working days of that notice.

7. Venue Mailing Lists and Separate Consent

7.1 Booking Data is shared solely for the Permitted Purpose and does not constitute consent for the Venue to add Members to its mailing lists or send marketing communications.

7.2 The Venue may contact a Member about matters that fall within the Venue’s legitimate interests without separate consent — including, without limitation, booking confirmations, access information, changes to a booked show, and post-show safety or satisfaction communications directly related to an attended performance.

7.3 For any other marketing communications (future productions, newsletters, general venue updates), the Venue must obtain separate, freely given, specific, informed, and unambiguous consent directly from the Member, independently of the SeatFillers booking process.

7.4 Where SeatFillers communicates a Member’s marketing consent preference to the Venue as part of a booking (indicating the Member has opted in to the Venue’s mailing list through the SeatFillers platform), the Venue may treat that as a record of consent. The Venue accepts responsibility for maintaining and honouring that consent record, including processing any subsequent withdrawal of consent communicated directly by the Member.

7.5 If a Member opts out of the Venue’s mailing list — whether directly or via SeatFillers — the Venue must remove that Member from its marketing communications within five (5) working days.

8. Personal Data Breaches

8.1 The Venue shall notify SeatFillers without undue delay, and in any event within 24 hours of becoming aware of, any Personal Data Breach affecting Booking Data.

8.2 Such notification shall include, to the extent then known: a description of the nature of the breach; the categories and approximate number of Data Subjects affected; the categories and approximate number of personal data records affected; the likely consequences; and the measures taken or proposed to address the breach.

8.3 The Venue shall cooperate with SeatFillers in any investigation, notification to the ICO, or communications to affected Data Subjects arising from a breach.

9. Data Retention and Deletion

9.1 The Venue shall retain Booking Data only for as long as is necessary for the Permitted Purpose and shall delete or return it promptly upon the earlier of:

  • SeatFillers’ written request;
  • termination of the Venue’s relationship with SeatFillers; or
  • the expiry of the Venue’s legitimate business need for the data, which shall not exceed 12 months from the date of the relevant booking unless a longer period is required by law (for example, for accounting records).

9.2 Where legally required to retain data beyond that period, the Venue shall notify SeatFillers and restrict its Processing to that which is legally required.

10. International Transfers

10.1 The Venue shall not transfer Booking Data outside the United Kingdom without the prior written consent of SeatFillers and the implementation of an appropriate transfer mechanism under the Data Protection Legislation (including, where applicable, the UK International Data Transfer Agreement or an equivalent adequacy mechanism).

11. Audit and Compliance

11.1 The Venue shall make available to SeatFillers, on reasonable written request, all information necessary to demonstrate compliance with this Agreement.

11.2 SeatFillers (or a third-party auditor subject to confidentiality obligations) may, on reasonable notice and at SeatFillers’ cost, carry out audits or inspections of the Venue’s Processing activities to verify compliance. Such audits shall be conducted in a manner that minimises disruption and shall not occur more than once in any 12-month period, except where SeatFillers has reasonable grounds to suspect non-compliance.

12. Liability

12.1 Each party’s liability to the other under or in connection with this Agreement shall be subject to any limitation of liability provisions set out in the Venue Partner Terms agreed between the parties.

12.2 Nothing in this clause limits either party’s liability for (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited by law.

13. Duration and Termination

13.1 This Agreement shall remain in force for the duration of the Venue’s participation in the SeatFillers platform and shall survive termination of that relationship to the extent necessary to govern the disposal of Booking Data under clause 9.

13.2 SeatFillers may terminate this Agreement immediately on written notice if the Venue materially breaches any obligation under this Agreement and fails to remedy that breach within 14 days of written notice requiring it to do so.

14. Governing Law

14.1 This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

Schedules

Schedule 1 — Description of Processing

Categories of Data SubjectsRegistered Members of SeatFillers UK who have made a booking for a show or production at the Venue
Categories of Personal DataFirst name; Last name; Email address; Outward postcode (first portion only, e.g. "SW1A")
Special Category DataNone — SeatFillers does not share accessibility or health data with Venues through this process
Permitted PurposeAdministering complimentary ticket bookings: issuing booking confirmations; managing seating allocation; sending operational communications about booked shows; post-show follow-up directly related to the attended performance
Frequency of TransferOn a per-booking basis, at the point of booking confirmation
Duration of ProcessingSee clause 9

Schedule 2 — Minimum Security Measures

The Venue shall implement, as a minimum:

  1. Access controls ensuring that Booking Data is accessible only to personnel who require it to carry out the Permitted Purpose.
  2. Password-protected or otherwise authenticated access to any systems storing Booking Data.
  3. Reasonable measures to prevent unauthorised access to email accounts or ticketing systems that hold Booking Data.
  4. A process for identifying and reporting Personal Data Breaches in accordance with clause 8.

SeatFillers acknowledges that the Venue is not a data processor by trade and that proportionate, not enterprise-grade, measures are expected for organisations of the Venue’s size and type.

Questions about this agreement?

hello@seatfillers.co.uk