Appendix – Data Processing Addendum
1. Definitions
1.1. For the purposes of this DCA, the capitalized terms shall have the following meanings, unless defined elsewhere in this DCA or in the Agreement:
“Agreement” shall mean the agreement to which this DCA is attached and form integral part of;
“Approved Jurisdiction” shall mean a member state of the European Economic Area (“EEA”), or other jurisdiction as may be approved as having adequate legal protections for personal data by the European Commission, currently available here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en;
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to this DCA;
“CCPA” shall mean the US California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”) and from time to time;
“Competent Data Protection Authority” shall mean the competent data protection authority;
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the CCPA/CPRA, any national or state data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;
“DCA” shall mean this Appendix – Data Cooperation Agreement;
“Shared Personal Data” shall mean any information relating to an identified or identifiable natural person and the categories of the Shared Personal Data processed under this DCA are further described in Annex 1 – Shared Personal Data Processing Description;
“Processor Personal Data” shall mean any information relating to an identified or identifiable natural person and the categories of the Processor Personal Data processed under this DCA are further described in Annex 2 – Processor Personal Data Processing Description;
1.2. For the purposes of this DCA the terms “controller”, “joint controllers”, “business”, “processor”, “service provider”, “data subject”, “consumer” “personal data”, “personal information”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the Data Protection Legislation.
2. Purpose of the DCA
2.1. The purpose of this DCA is to determine the roles and responsibilities of each Party during the provision of the Products and/or Services under the Agreement and associated processing of the Shared Personal Data and the Processor Personal Data in order to ensure Parties’ compliance with the applicable Data Protection Legislation. The categories of the Shared Personal Data and the Processor Personal Data processed, the categories of data subjects to whom the Shared Personal Data and the Processor Personal Data relate and the processing operations performed on the Shared Personal Data and the Processor Personal Data are further detailed in Annex 1 – Shared Personal Data Processing Description and Annex 2 – Processor Personal Data Processing Description.
2.2. This DCA shall apply if and only to the extent that the Client choses in the Agreement any or all of the following Products and/or Services:
a) Betting Entertainment Tools Services;
b) Marketing Services;
c) Live-booking Calendar;
d) Live Channel Online.
For the avoidance of doubt, Sportradar shall perform the respective processing of the Shared Personal Data and/or the Processor Personal Data (as described in Annex 1 – Shared Personal Data Processing Description and Annex 2 – Processor Personal Data Processing Description) only for the Products and/or Services selected in the Agreement by the Client.
2.3. For the purpose of the DCA, the Parties shall act as:
a) joint controllers under the GDPR or businesses under the CCPA with regard to the processing of the Shared Personal Data; and
b) Client shall act as data controller under the GDPR or business under the CCPA and Sportradar as data processor under the GDPR or service provider under the CCPA with regard to the processing of the Processor Personal Data.
3. Term and Termination
3.1. This DCA shall be bound to the term of the Agreement.
3.2. Upon termination of the Agreement, (i) with regard to the Shared Personal Data, Sportradar shall proceed in accordance with clause 4.8 of this DCA, and (ii) with regard to the Processor Personal Data, Sportradar shall proceed in accordance with clause 5.15 of this DCA.
4. Obligations of the Parties regarding Shared Personal Data
4.1. Rights of the Data Subjects
4.1.1. The Parties shall cooperate, as set out below in this clause 4.1., with respect to data subjects’ requests to exercise rights under the Data Protection Legislation.
4.1.2. The Client shall handle and respond to any data subject requests concerning the Shared Personal Data and shall forward any such requests and any information on any actions with respect to such requests to Sportradar without undue delay and in any event withing 72 hours. In the event that Sportradar receives any data subject requests concerning the Shared Personal Data, Sportradar shall forward such requests to the Client for a response to the data subjects.
4.1.3. Sportradar shall provide reasonable and prompt assistance to the Client (within 5 (five) Business Days of such request for assistance) as is necessary to enable the Client to comply with data subject requests and to respond to any other queries or complaints of any kind whatsoever from data subjects.
4.1.4. The Parties shall maintain a record of data subject requests, the decisions made and any information that was exchanged. Records shall include copies of the request for information, details of the personal data accessed and shared and where relevant, notes of any meetings, correspondence or phone calls relating to the request.
4.2. Lawfulness and Transparency
Client shall, at the time of collection, inform the data subjects about the Shared Personal Data processing under this DCA. The Client shall (i) ensure that privacy notices provided to data subjects are clear and provide sufficient information to data subjects in order for them to understand what of their Shared Personal Data is collected and shared, the circumstances in which it will be shared, the purposes for the data sharing, including adding reference to Sportradar as an entity with whom the Shared Personal Data is shared in its privacy notices, (ii) obtain any consent (where necessary) of data subjects as required by and in accordance with the requirements of the Data Protection Legislation to enable lawful processing of the Shared Personal Data, (iii) immediately communicate to Sportradar in writing if the data subjects withdraw their consents with regard to the processing of the Shared Personal Data, and (iv) not provide or otherwise make available to Sportradar Shared Personal Data related to minors (as this term is defined in the applicable laws).
4.3. Processors
The Parties may use one or more processors/service providers provided that each of them shall comply with any applicable Data Protection Legislation.
4.4. Data Protection Impact Assessment
Upon request, the Parties shall provide each other reasonable cooperation and assistance needed to carry out a data protection impact assessment (if applicable) in accordance with the Data Protection Legislation related to the processing of the Shared Personal Data under this DCA.
4.5. Records
Both Parties shall, at their own costs, keep a record of any processing of Shared Personal Data they carry out.
4.6. Complaints
In the event of a dispute or claim brought by a data subject or a Competent Data Protection Authority concerning the processing of Shared Personal Data against either or both Parties, the Parties shall inform each other about any such disputes or claims without delay and shall cooperate with a view to settling them amicably in a timely manner.
4.7. Data Security
4.7.1. With regard to the processing of Shared Personal Data, both Parties shall implement appropriate technical and organisational measures to:
a. ensure a level of security appropriate to the risk involved to protect all Shared Personal Data from unauthorized use, alteration, access or disclosure, and loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to the Shared Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Shared Personal Data;
e. pseudonymise and encrypt the Shared Personal Data, as appropriate;
4.7.2. Both Parties shall keep accurate records of the security measures which they have in place and shall make such records available to the other Party upon request.
4.8. Personal Data After Termination
4.8.1. Both Parties acknowledge and agree that after the termination of the Agreement, each Party shall delete the Shared Personal Data in accordance with their internal data retention schedules.
4.8.2. In the event that the Client receives any data subject request concerning the processing of the Shared Personal Data by Sportradar after the termination of the Agreement, the Client shall forward such request to Sportradar for a response to the data subjects.
4.9. Data Breach
The Parties shall notify each other of any confirmed data breach involving Shared Personal Data processed under this DCA (the “Data Breach”) a as soon as possible and, in any event, within 3 (three) Business Days of identification of the Data Breach in order to consider what action is required to resolve the issue in accordance with the Data Protection Legislation.
4.10. Confidentiality
4.10.1. Both Parties shall maintain the duty of secrecy regarding the Shared Personal Data, even after the termination of the Agreement.
4.10.2. Both Parties guarantee that the individuals authorised to process the Shared Personal Data expressly undertake in writing to respect confidentiality and to comply with the relevant security measures, of which they must be duly informed.
5. Sportradar´s obligations regarding Processor Personal Data
5.1. Sportradar shall process the Processor Personal Data in accordance with the instructions of the Client and in compliance with the Data Protection Legislation. Sportradar shall immediately inform in writing the Client if Sportradar believes that any of the instructions of the Client violate the Data Protection Legislation. For the avoidance of doubt, this notification obligation shall not mean that Sportradar is obliged to perform a comprehensive legal examination with respect to a Client’s instruction. In addition, this DCA represents the final and complete instructions from the Client with regard to the processing of the Processor Personal Data and any further instructions are subject to mutual agreement between the Parties and may be subject to additional costs.
5.2. Sportradar shall keep a written record of all categories of processing operations carried out on behalf of the Client with regard to the Processor Personal Data as required under the applicable Data Protection Legislation.
5.3. Sportradar shall not disclose the Processor Personal Data to third parties, unless with the express prior written consent of the Client or when required under applicable law. For the avoidance of doubt, the Client acknowledges and agrees that Sportradar’s sub-processors, affiliates and subsidiaries shall not be considered as third parties for the purposes of this DCA.
Sportradar may disclose the Processor Personal Data to other data processors working for the Client, pursuant to the Client’s instructions. In this case, the Client shall identify, in writing and in advance, the entity the Processor Personal Data shall be disclosed to, the Processor Personal Data to be disclosed, and the security measures to be applied for the disclosure.
If Sportradar shall transfer the Processor Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, Sportradar shall inform the Client of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.
5.4. The Client authorises Sportradar to appoint – and permit each sub-processor appointed in accordance with this clause to appoint – sub-processors to process the Processor Personal Data. The current list of sub-processors engaged by Sportradar can be provided to the Client upon request. When appointing new sub-processors, Sportradar shall perform appropriate due diligence on any sub-processor to be engaged in the processing of the Processor Personal Data and conclude a data processing agreement with such sub-processor that provides similar level of protection to the Processor Personal Data as this DCA. Sportradar shall be responsible for all acts and omissions of the sub-processors it engages.
5.5. Sportradar shall maintain duty of secrecy regarding the Processor Personal Data, even after the termination of the Agreement.
5.6. Sportradar shall ensure that the individuals authorised to process the Processor Personal Data expressly undertake in writing to respect the confidentiality of the Processor Personal Data and to comply with any relevant security measures, of which they shall be duly informed.
5.7. Sportradar shall ensure that the individuals authorised to process the Processor Personal Data have appropriate data protection training.
5.8. Taking into account the nature of the processing, Sportradar shall assist the Client by taking appropriate technical and organisational measures, insofar as this is possible, in meeting the Client’s obligation to respond to data subjects’ requests concerning the Processor Personal Data. The Client shall reimburse Sportradar for all reasonable costs and expenses incurred with regard to such assistance.
5.9. Sportradar shall promptly notify the Client of any data subjects’ requests received by Sportradar relating to the processing of the Processor Personal Data under this DCA. The notification shall be accompanied, where appropriate, by other information that may be relevant for the Client to resolve the data subject’s request.
5.10. Sportradar shall notify the Client without undue delay of any confirmed data breach involving the Processor Personal Data processed under this DCA (the “Data Breach”) and will reasonably respond to the Client’s request for further information pertaining to the Data Breach so that the Client may fulfil its obligations under the Data Protection Legislation.
5.11. Sportradar shall provide reasonable support to the Client in sending prior consultations to Competent Data Protection Authorities concerning the processing of the Processor Personal Data.
5.12. Sportradar shall provide reasonable support to the Client in conducting data protection impact assessments concerning processing of the Processor Personal Data.
5.13. Sportradar shall provide the Client with all reasonable information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and related to the processing of the Processor Personal Data and shall allow audits and inspections to be carried out by an independent auditor mutually agreed by the Client and Sportradar, at the cost of the Client, concerning the processing of the Processor Personal Data. Such audit or inspection may only be undertaken once in any 12 (twelve) calendar month period upon a prior written notice during normal business hours. For the avoidance of doubt, providing to the Client information via reports, certifications or Client’s questionnaires or forms, shall be deemed as sufficient provision of information by Sportradar under this clause and on-premise audits and inspections shall be carried out by the Client only in case of a confirmed breach of Sportradar’s material obligations related to the processing of the Processor Personal Data under this DCA.
5.14. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, with regard to the processing of the Processor Personal Data, Sportradar shall implement appropriate technical and organisational measures to:
a. ensure a level of security appropriate to the risk involved in order to protect the Processor Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to the Processor Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Processor Personal Data;
e. pseudonymise and encrypt the Processor Personal Data, as appropriate;
5.15. The Client instructs Sportradar, upon termination of the Agreement, to delete all Processor Personal Data processed under this DCA from its systems in accordance with Sportradar’s internal data retention schedule, unless instructed otherwise by the Client in writing. The Client acknowledges and agrees that Sportradar shall have the right to use de-identified and/or aggregated data related to or obtained in connection with the Agreement and/or this DPA for its legitimate internal business purposes, such as analytics, reporting, and to improve, benchmark and develop its internal products and services.
6. Client´s obligations regarding Processor Personal Data
6.1. The Client shall provide the Processor Personal Data or otherwise make the Processor Personal Data available to Sportradar and shall not instruct Sportradar to process the Processor Personal Data in violation of the Data Protection Legislation.
6.2. The Client shall comply with all applicable Data Protection Legislation and shall notify without undue delay Sportradar of any relevant changes to the Data Protection Legislation that may have impact on the processing of the Processor Personal Data under this DCA.
6.3. The Client shall ensure that as required by and in accordance with the Data Protection Legislation: (i) at the time of collection, the data subjects are provided with clear and sufficient information about the collection and processing of the Processor Personal Data processed under this DCA, (ii) at the time of collection, legal basis for processing the Processor Personal Data under this DCA is secured and any consents of data subjects are obtained, (iii) the data subjects are provided with the opportunity to exercise their data subject rights under the Data Protection Legislation and their requests to exercise their rights are complied with, (iv) appropriate technical and organizational measures are implemented by the Client to sufficiently protect the Processor Personal Data, and (v) the Client shall not provide or otherwise make available to Sportradar Processor Personal Data related to minors (as this term is defined in the applicable laws).
6.4. The Client shall conduct any relevant data protection impact assessments and prior consultations with respect to the processing operations performed on the Processor Personal Data under this DCA and in relation to the Agreement.
6.5. The Client shall ensure that Sportradar complies with the Data Protection Legislation prior to and during processing of the Processor Personal Data.
7. International Data Transfers
7.1. Sportradar may process (including transfer) the Shared Personal Data and the Processor Personal Data outside of the EEA, United Kingdom (“UK”) and/or Switzerland if such transfer is made in accordance with the applicable Data Protection Legislation, i.e. (1) to an Approved Jurisdiction, (2) subject to applicable model clauses for data transfers (standard contractual clauses) or frameworks approved by a Competent Data Protection Authority, or (3) subject to other legal mechanisms for international data transfers.
7.2. Shared Personal Data
7.2.1. To the extent that either Party transfers the Shared Personal Data from the EEA, the UK or Switzerland to the other Party located outside the EEA, UK or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Legislation, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
• the receiving Party is the “data importer” and the other Party is the “data exporter”;
• Module One applies, Modules Two, Three and Four, the footnotes, Clause 11(a) Option and Clause 17 Option 2 are omitted, and the applicable annexes are completed respectively with the information set out in the DCA and the Agreement (as applicable);
• the “competent supervisory authority” is the supervisory authority in Austria;
• the Clauses are governed by the law of Austria;
• any dispute arising from the Clauses will be resolved by the courts of Austria; and
• if there is any conflict between the terms of the Agreement and the Clauses and/or the DCA and the Clauses, the Clauses will prevail.
7.2.2. In relation to transfers of the Shared Personal Data from the UK, the Clauses as implemented under clause 6.1 above will apply subject to the following modifications:
• the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
• tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DCA and the Agreement (as applicable); and
• table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
7.2.3. In relation to transfers of the Shared Personal Data from Switzerland, the Clauses as implemented under clause 6.2 above will apply subject to the following modifications:
• references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
• references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
• references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
• the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
• Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
• the Clauses are governed by the law of Switzerland; and
• any dispute arising from the Clauses will be resolved by the courts of Switzerland.
7.3. Processor Personal Data
7.3.1. To the extent that Sportradar processes Processor Personal Data originating from or otherwise subject to the Data Protection Legislation of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.
7.3.2. To the extent that the Client transfers Processor Personal Data from the EEA, the UK or Switzerland to a subsidiary or affiliate of Sportradar located outside the EEA, UK or Switzerland, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Legislation, the Parties will be deemed to have entered into the Clauses in respect of such transfer, whereby:
a. the Client is the “data exporter” and Sportradar is the “data importer”;
b. the footnotes, Clause 9(a) Option 1, Clause 11(a) Option and Clause 17 Option 1 are omitted, the time period in Clause 9(a) Option 2 is 14 days, and the applicable annexes are completed respectively with the information set out in the DCA and the Agreement;
c. to the extent that the Client acts as a data controller and Sportradar acts as a data processor, Module Two applies and Modules One, Three and Four are omitted, and to the extent that the Client acts as a data processor and Sportradar acts as a sub-processor, Module Three applies and Modules One, Two and Four are omitted;
d. the “competent supervisory authority” is the supervisory authority in Austria;
e. the Clauses are governed by the law of Austria;
f. any dispute arising from the Clauses will be resolved by the courts of Austria; and
g. if there is any conflict between the terms of the Agreement and/or the DPA, on the one hand, and the Clauses, on the other hand, the Clauses will prevail.
7.3.3. In relation to transfers of the Processor Personal Data from the UK, the Clauses as implemented under clause 7.3. above will apply subject to the following modifications:
a. the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
b. tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and
c. table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.
7.3.4. In relation to transfers of the Processor Personal Data from Switzerland, the Clauses as implemented under clause 7.3. above will apply subject to the following modifications:
a. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
b. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
c. references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
d. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
e. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
f. the Clauses are governed by the law of Switzerland; and
g. any dispute arising from the Clauses will be resolved by the courts of Switzerland.
8. Use of de-identified and aggregated data
The Client acknowledges and agrees that Sportradar shall have the right to use de-identified and/or aggregated data related to or obtained in connection with the Agreement and this DCA for its legitimate internal business purposes, such as analytics, reporting, and to improve, benchmark and develop its internal products and services, including for the purpose of developing and training of artificial intelligence algorithms and models.
9. Indemnity and Limitation of Liability
9.1. The Client shall be liable and shall hold Sportradar harmless from and against any and all losses, fines, liabilities, damages, costs, claims, amounts paid in settlement and expenses (including legal fees, disbursements, costs of investigation, litigation, settlement, judgment, interest and penalties) that are sustained or suffered or incurred by, awarded against or agreed to be paid, by Sportradar, as a result of, or arising from, a breach by the Client of its obligations under this DCA and/or the Data Protection Legislation.
9.2. To the fullest extent permitted by law, neither Sportradar nor any of its affiliates, shall be liable to the Client under or in connection with this DCA for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. Notwithstanding anything to the contrary in the Agreement, the total aggregate liability of Sportradar to the Client under or in connection with this DCA (whether the liability arises because of a breach of contract, negligence, breach of statutory duty or otherwise) for any loss or damage of whatsoever nature and howsoever caused shall not exceed the lower of either (i) the total amount of fees actually paid by the Client under the Agreement during the 12 (twelve) months prior to the event giving rise to the claim, or (ii) 150,000,- (one hundred and fifty thousand) EUR.
10. Contact Point
Each Party nominates the following contact person within their organisation who can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this DCA or the Data Protection Legislation:
For the Sportradar:
Name and Position: Stefano Celardo (Global Data Protection Officer)
E-mail: [email protected]
For the Customer:
As per the Agreement
11. Miscellaneous
11.1. In the event of any conflict between the terms of this DCA and any provision of the Agreement and any other agreement between the Parties, this DCA shall take precedence. In the event of any conflict between the Clauses and the DCA, the Clauses shall prevail.
11.2. This DCA shall be governed by and construed in accordance with the law chosen by the Parties in the Agreement. All disputes arising out of or in connection with this DCA shall be subject to the exclusive jurisdiction of court(s) chosen by the Parties in the Agreement.
11.3. Clause 4.2, 4.8, 6., 8., and 9. of this DCA shall survive the termination or the expiry of this DCA and the Agreement.
11.4. The provisions of this DCA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this DCA shall remain in full force and effect.
11.5. Any amendment to this DCA must be made in writing upon mutual agreement by the Parties.
Annex 1 – Personal Data Processing Description
| Product/Service provided under the Agreement | Live Channel Online (LCO) |
| Categories of the personal data processed | a. IP addresses of end users of the Licensee, b. Geographical coordinates (if applicable) of end users of the Licensee, c. Unique client-side IDs (Unikey) of end users of the Licensee, d. User agent strings of end users of the Licensee, e. Log files and client-facing APIs which may contain personal data of end users of the Licensee, f. IP addresses, names, email addresses, user IDs, usernames of Licensee´s employees.(the “LCO Personal Data”) |
| Categories of data subjects | The data subjects to whom the LCO Personal Data processed for Internet and Mobile Live Streaming Rights for online betting services relates are Client’s end users and employees. |
| Processing operations performed
|
a. verify that an end user is from an allowed country or subdivision or region of a country; to create stream-token; to troubleshoot API-integration enquires, b. classify which country, subdivision or region of a country an end user streams from; to calculate the number of streaming sessions; to troubleshoot support cases where an end user repeatedly experienced issues; to debug situations with high error rate, repeated failures to play streams, or where fraud is taking place, c. understand how the content is consumed, i.e. to monitor the success rate for the playback of the streams; standard viewing analytics to monitor traffic, country distribution and (if applicable) countriesꞌ subdivision distribution, volume, etc.; to support Licensee support requests, d. perform internal researches and analysis about an end user’s streaming experience, e. manage access to Sportradar’s portals and to create and provide changelogs with auto booking rules and history, f. perform fraud detection and prevention. |
Annex 2 – Processor Personal Data Processing Description
| Product/Service provided under the Agreement | Betting Entertainment Tools Services |
| Categories of the personal data processed | a) IP addresses; b) geolocations and timezones; c) other browsing metadata such as: device information, web analytics data, ISP, landing page loads, referring URL, URL visited, user agent string and browser metadata, number of clicks, user behavior, and language; d) (applicable only for BET Concierge) userID e) (where applicable) comments and chat conversations;(the “BET Personal Data”). |
| Categories of data subjects | The data subjects to whom the BET Personal Data processed for Betting Entertainment Tool Services relates are Client’s end users. |
| Processing operations performed
|
a) collecting the BET Personal Data via CDN logs; b) processing the BET Personal Data: i. to deliver the Betting Entertainment Tools Services; |
| Product/Service provided under the Agreement | Marketing Services |
| Categories of the personal data processed | Sports/Casino Personalization and Insights:
a) location IDs (IP Address, ZIP/location of retail or terminal unit); (the “Punter Personal Data”); Bingo: a) Bingo participants/users: i. user IDs and usernames; b) Bingo chat hosts: i. user IDs and usernames; (the “Bingo Personal Data”); |
| Categories of data subjects | The data subjects to whom the Punter Personal Data, the Bingo Personal Data and the Widget Personal Data processed for AI MTS Marketing Services relates are Client’s end users, punters and/or chat hosts. |
| Processing operations performed | Sports/Casino Personalization and Insights:
a) collecting and/or receiving from Client the Punter Personal Data; i. (if applicable) personalized content based on analyzed end user and/or punter life-time value in order to define the best acquisition/retention strategy and to recommend the best promotion/bonus to provide to each end user and/or punter (e.g. suitable promotions); d) based on the analyzed information according to the point b), providing to the Client predictions on the end user´s and/or punter’s value and inactivity. Bingo a) receiving from the Client the Bingo Personal Data; i. how Client’s chat hosts are moderating the bingo game and end users’ and/or punters’ betting activities; |
| Product/Service provided under the Agreement | Live-booking Calendar Personal Data |
| Categories of the personal data processed | a) IP addresses, names, email addresses, user IDs, usernames of Customer´s employees
(the “Live-booking Calendar Personal Data”). |
| Categories of data subjects | The data subjects to whom the Live-booking Calendar Personal Data processed are Client’s employees. |
| Processing operations performed | a) to manage access to Sportradar´s portals; b) to create and provide changelogs with autobooking rules and history. |
