This addendum applies to all employees, contractors, and vendors while doing business with The Music Infrastructure Company and specifically addresses our participation in the EU-U.S. Data Privacy Framework (DPF) program (https://www.dataprivacyframework.gov/). This addendum supplements and is incorporated by reference into our existing GDPR Compliance Policy and Privacy Policy. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
The Music Infrastructure Company participates in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. We are committed to adhering to the EU-U.S. DPF Principles with regard to personal data transferred from the European Union.
We provide clear notice about our data collection, use, and sharing practices through our Privacy Policy and this DPF Addendum. We inform individuals about their rights and choices regarding their personal data.
We provide individuals with opt-out choices for disclosure of their personal data to third parties or use for purposes materially different from those for which the data was originally collected or subsequently authorized. For sensitive personal data, we obtain affirmative express consent (opt-in) before disclosure to third parties or use for different purposes.
Before we transfer personal data to third parties, we ensure that the third party subscribes to the DPF Principles, is subject to the EU GDPR or other adequacy finding, or enters into a written agreement requiring the same level of protection as the DPF Principles. We remain liable under the DPF Principles if our third-party agents process personal data in a manner inconsistent with the DPF Principles, unless we prove we are not responsible for the event giving rise to the damage.
We take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.
We limit the use of personal data to purposes that are relevant and compatible with the context in which it was collected or subsequently authorized by the individual. We take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
MusicInfra does not share user-provided professional contact information (such as name, country of incorporation, email address, phone number, and encrypted password) with any third parties. This information is used exclusively for authentication and personalization purposes within the MusicInfra platform.
For the purpose of managing our day-to-day business operations, MusicInfra collects certain human resources (HR) information from its employees, including name, date of birth, citizenship, physical address, email addresses, and phone numbers. This HR information is not stored on MusicInfra's own infrastructure. Instead, it is shared with our trusted HR system providers, JustWorks and Carta, solely for the purposes of HR administration and management.
MusicInfra does not otherwise disclose personal information to third parties, except as required by law or as described in this policy.
We provide individuals with access to personal data about them and the opportunity to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the DPF Principles, except where the burden or expense would be disproportionate to the risks to the individual's privacy.
We provide effective mechanisms for assuring compliance with the DPF Principles, readily available and affordable independent recourse mechanisms by which individuals' complaints and disputes are investigated and expeditiously resolved, and procedures for verifying that the attestations and assertions made about privacy practices are accurate and implemented as represented.
For all privacy-related matters, including questions about our DPF participation, individuals may contact our designated privacy contact:
The Music Infrastructure Company acknowledges that we may be liable for onward transfers of personal data from the EU to third parties under the DPF. We remain responsible for the processing of personal data we receive under the DPF and subsequently transfer to a third party acting as an agent on our behalf. We remain liable under the DPF Principles if our agent processes such personal data in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.
The Music Infrastructure Company commits to cooperate with:
We will respond promptly to inquiries from the Department of Commerce and relevant authorities concerning our adherence to the DPF Principles and will remedy any problems identified by these authorities.
We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In such cases, we will ensure that any disclosure is made in accordance with applicable laws and regulations, and we will take reasonable steps to limit the scope of the information disclosed to what is legally required. Where permitted, we will notify affected individuals of such disclosures.
The Music Infrastructure Company's current DPF certification covers the EU-U.S. DPF only. We do not currently participate in:
Should we extend our participation to these additional frameworks in the future, we will update this addendum accordingly and provide appropriate notice.
The Music Infrastructure Company's DPF compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). We acknowledge that the FTC has jurisdiction over our compliance with the DPF.
For EU individuals, after exhausting other available dispute resolution procedures, binding arbitration may be available as a last resort. This arbitration option is provided at no cost to the individual and is designed to resolve complaints regarding our DPF compliance that cannot be resolved through other mechanisms.
This DPF Addendum supplements and works in conjunction with our existing privacy commitments under:
In case of any conflicts between this DPF Addendum and other privacy policies, the most protective standard for individual privacy rights shall apply.
We will update this DPF Addendum as necessary to reflect changes in our DPF certification status, applicable laws, or our data processing practices. Material changes will be communicated to affected individuals in accordance with the DPF notice requirements.
The Music Infrastructure Company commits to conducting annual self-certification with the U.S. Department of Commerce to verify our ongoing compliance with the DPF Principles and to maintain our active participation in the framework.
The Chief Technology Officer is responsible for ensuring compliance with this DPF Addendum. All employees handling EU personal data under the DPF must be trained on these obligations.
Any suspected violations of this DPF Addendum must be reported immediately to privacy@musicinfra.com or through our incident reporting process at incidents@musicinfra.com.