Choose your region

North America
SpanishBrazilian PortugueseEnglish
EuropeAfricaMiddle EastAsia Pacific

How we help

How we help

Products
Sports Data Odds Engagement Tools Live Streams Gaming Products Casino Solutions
Trading & Risk Management
Managed Trading Services Operational Insights
Marketing Services
Acquisition & Awareness Retention & Personalisation
Platforms
ORAKO Platform ORAKO Sportsbook SEVEN Platform SEVEN Sportsbook
Data & Content
Sports Data API Storytelling Tools Sports Insights Broadcast Solutions Editorial & Imagery
Audiovisual Services
Media Rights Production Services OTT Solutions
Marketing Services
Sportradar FanID Sponsorship Engagement Tool
Audiovisual Services
Media Rights Representation Production Services OTT Solutions
Marketing Services
Sportradar FanID Sponsorship Engagement Tool
Synergy Coaching & Scouting
Video Capturing Solutions Coaching Solutions Scouting Tools
Integrity Services
Anti-Match-Fixing Compliance, Risk & Governance Anti-Doping Safe Sport
Regulatory Services

Let us know what you want to achieve

Get in touch with our team and find out what our products and services can do for you.

Contact Us

Content & News

Content & News

Content Hub

Discover the latest Sportradar news, content, case studies, and much more

Find out more

News

Stay up to date on the latest news and media coverage from Sportradar

Find out more

Featured content

Latest Case Study

Case Study: Bilyoner
Latest eBook

eBook: The Integrated Sportsbook

About Us

About Us

About us

Partners & Clients

Locations
Investors

Relations
apis

for developers
Futures Hub

For Scale-Ups

Careers

Contact Us

Dark decorative background Dark decorative background

DATA
PROCESSING
AGREEMENT

Appendix – Data Processing Agreement

1. Definitions

For the purposes of this Processing Agreement (the “DPA“) the capitalized terms have the following meanings, unless defined elsewhere in this DPA or in the Agreement:

Approved Jurisdiction” shall mean a country from the European Economic Area (the “EEA“), or other jurisdiction as may be approved as having adequate legal protections for personal data by the European Commission or the UK Government;

Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to this DPA;

CCPA” shall mean the US California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”) and from time to time;

Competent Data Protection Authority” shall mean the competent data protection regulator which, by way of example, is the Austrian Data Protection Authority [die österreichische Datenschutzbehörde];

Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the CCPA/ CPRA and any state or national data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;

EU Standard Contractual Clauses” shall mean the standard contractual clauses for the transfer of personal data approved by the European Commission, available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en;

GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;

Marketing Services Personal Data” shall have the meaning given to it in clause 3.1 of this DPA;

BSS Personal Data” shall have the meaning given to it in clause 4.1. of this DPA;

‘’Live-booking Calendar Personal Data’’ shall have the meaning given to it in the clause 5.1. of this DPA;

UK Addendum” shall mean the international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office, as amended from time to time;

UK IDTA” shall mean the international data transfer agreement issued by the UK Information Commissioner’s Office, as amended from time to time.

For the purposes of this DPA the terms “controller”, “joint controllers”, “business”, “processor”, “service provider”, “data subject”, “consumer”, “personal data”, “personal information”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the Data Protection Legislation.

2. Purpose of the Data Processing Agreement

2.1. The purpose of the DPA is to determine the roles and responsibilities of the Parties during the provision of the Services under the Agreement in order to ensure the Parties´ compliance with the applicable Data Protection Legislation.

2.2. This DPA shall apply if and only to the extent that the Customer choses in the Agreement any or all of the following Services:

a) Betting Stimulation Services,
b) Marketing Services,
c) any other Services that require access to Sportradar’s Live-booking Calendar through which the Customer selects those other Services.

For the avoidance of doubt, clauses in this DPA regarding a Service mentioned above shall not apply if the Customer did not chose that service in the Agreement.

2.3. For the purpose of the DPA, the Customer shall act as data controller under the GDPR or the business under the CCPA/ CPRA and Sportradar as the data processor under the GDPR or the service provider under the CCPA/ CPRA with regards to the Marketing Services Personal Data, BSS Personal Data and Live-booking Calendar Personal Data.

3. Marketing Services Personal Data

3.1. If the Customer choses in the Agreement the Marketing Services, Sportradar shall process on behalf of the Customer some or all of the following types of personal of the following data subjects and collected as part of the Ticket Integration:

a) Location IDs (IP Address, ZIP/location of retail or terminal unit) of the Data Controller´s end users
b) Account IDs of the Data Controller´s end users,
c) Device ID of the Data Controller´s end users,
d) Age of of the Data Controller´s end users,
e) Gender of the Data Controller´s end users,
f) Signup date of the Data Controller´s end users,
g) Real-time and historical information about of the Data Controller´s end users,
h) Bonus information (signup channel, source of acquisition, campaign ID, bonus ID, bonus type, reward type, award type, accepted date, restriction type (bonus, cashout, non withdrawable, etc.), wager requirements, bonus amount,
i) Transaction information (day and time of transaction, transaction ID, transaction type (deposit, withdrawal, etc.), account ID of Data Controller´s end users, amount, transaction status, payment method,
j) Web analytics data (impressions, clicks, visits, bounces),

(the “Marketing Services Personal Data”).

3.2. The processing of the Marketing Services Personal Data shall consist of:

a) analysing via AI real-time and historical information about each end user (Favorite Bet types, Favorite Sport types, average stakes, etc.)
b) serving the end user with:
1) if applicable, personalized content based on analyzed player life time value of each end user in order to define the best acquisition/retention strategy and to recommend the best promotion/bonus to provide to each end user (e.g. suitable promotions),
2) if applicable, personalized content based on analysed data in order to provide personalized betting recommendations to each end user (e.g. betting recommendations/up-sell),
c) based on the analysed information according to the point a), providing to the Data Controller predictions on the end user´s value and inactivity.

4. BSS Personal Data

4.1. If the Customer choses in the Agreement Betting Stimulation Services, Sportradar shall process on behalf of the Customer some or all of the following types of personal data of the following data subjects:

a) IP addresses and geolocation of Customer´s end users;
b) Geolocation;

(the “BSS Personal Data”).

4.2. The processing of the BSS Personal Data shall consist of:

a) collection and processing of IP addresses and geolocation of Customer´s end users in order:
i. to perform analytics (to control and develop the Services);
ii. to ensure security and for debugging; and
iii. to verify that the end user is from an allowed country or if applicable from an allowed subdivision or region of a country;

5. Live-booking Calendar Personal Data

5.1. If the Customer choses in the Agreement other Services that require access to Sportradar’s Live-booking Calendar through which the Customer selects those other Services, Sportradar shall process on behalf of the Customer some or all of the following types of personal data of the following data subjects:

a) IP addresses, names, email addresses, user IDs, usernames of Customer´s employees;

(the “Live-booking Calendar Personal Data”).

5.2. The processing of the Live-booking Calendar Personal Data shall consist of:

a) collection and processing of IP addresses, names, email addresses, user IDs and usernames of Customer´s employees in order to:
i. to manage access to Sportradar´s portals;
ii. to create and provide changelogs with autobooking rules and history.

6. Sportradar´s obligations regarding Marketing Services Personal Data, BSS Personal Data and Live-booking Calendar Personal Data

6.1. Sportradar shall process the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data on behalf of the Customer in accordance with this DPA and only for the business purpose of provision of the Services under the Agreement and to comply with the requirements of the applicable law.

6.2. Sportradar shall process the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data in accordance with the instructions of the Customer and in compliance with the Data Protection Legislation. Sportradar shall immediately notify in writing the Customer if Sportradar believes that any of the instructions of the Customer violate the Data Protection Legislation. For the avoidance of doubt, this notification obligation shall not mean that Sportradar is obliged to perform a comprehensive legal examination with respect to Customer´s instructions.

6.3. Sportradar shall keep a written record of all categories of processing operations carried out on behalf of the Customer in accordance with the Data Protection Legislation.

6.4. Sportradar shall not disclose the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to third parties, unless with the express prior written consent of the Customer or when legally required. For the avoidance of doubts, Sportradar´s affiliates, subsidiaries or subprocessors/service providers shall not be considered third parties.

Sportradar may disclose the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to other processors working for the Customer, pursuant to the Customer’s instructions. In this case, the Customer shall identify, in writing and in advance, the entity the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data shall be disclosed to, the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to be disclosed, and the security measures to be applied for the disclosure.

6.5. The Customer authorises Sportradar to appoint – and permit each sub-processor appointed in accordance with this clause to appoint – sub-processors.

Sportradar may continue to use those sub-processors already engaged by Sportradar as at the date of this DPA.

If any processing operation shall be subsequently subcontracted, Sportradar shall notify in writing the Customer 10 (ten) Business Days in advance, indicating the processing operations to be subcontracted and clearly and unequivocally identifying the subcontractor and its contact details. If, within 10 (ten) days of receipt of the notice, the Customer notifies Sportradar in writing of any objections on reasonable grounds to the proposed appointment:

a. Sportradar shall work with the Customer in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the DPA;

b. where such a change cannot be made within 90 (ninety) days as of the receipt of the Customer´s notice by Sportradar, the Customer may, by written notice to Sportradar, terminate with immediate effect the Agreement to the extent that it relates to the services which require the use of the proposed sub-processor and this termination right is Customer´s sole and exclusive remedy if the change cannot be made.

Sportradar shall only engage a sub-processor under a written contract that provides similar level of protection as this DPA.

6.6. Sportradar guarantees that the individuals authorised to process the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data have the necessary data protection training.

6.7. Sportradar shall assist the Customer in meeting its obligations in relation to data subjects’ requests to exercise rights under the Data Protection Legislation, e.g.: (i) to access, rectification, erasure and object; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling and (v) to opt out of the sale or sharing of personal information. The Customer shall reimburse Sportradar for all reasonable costs and expenses incurred with regard to such assistance.

When data subjects exercise their rights under items under the Data Protection Legislation before Sportradar, Sportradar shall notify the Customer immediately but in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.

6.8. Sportradar shall notify the Customer without undue delay and in any event before the maximum period of 3 (three) Business Days of any confirmed breach it is aware of to the security of the Marketing Services Personal Data, BSS Personal Data and Live-booking Calendar Personal Data it holds, together with all relevant information to document and report the incident.

The following minimum information shall be provided, if available:

a. description of the nature of the personal data security breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;

b. the name and contact details of the data protection officer or another point of contact to obtain more information;

c. description of the possible consequences of the personal data security breach;

d. description of the measures adopted or proposed to remedy the personal data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.

If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.

6.9. Sportradar shall support the Customer in sending prior consultations to Competent Data Protection Authorities, when appropriate.

6.10. Sportradar shall support the Customer in conducting data protection impact assessments, when appropriate.

6.11. Sportradar shall maintain the duty of secrecy regarding the Marketing Services Personal Data, the BSS Personal Data and the Live-booking Calendar Personal Data even after the termination of the Agreement.

6.12. Sportradar guarantee that the individuals authorised to process the Marketing Services Personal Data, BSS Personal Data and the Live-booking Calendar Personal Data under this DPA expressly undertake in writing to respect confidentiality and to comply with the relevant security measures, of which they must be duly informed.

6.13. Sportradar shall provide the Customer with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent auditor mutually agreed by the Customer and Sportradar, at the cost of the Customer. Such audit and inspections may only be undertaken once per calendar year on a reasonable prior notice during normal business hours. Sportradar shall give all necessary assistance to the conduct of such audits and inspections.

6.14. Sportradar shall implement appropriate technical and organisational measures to:

a. ensure a level of security appropriate to the risk involved in order to protect the Marketing Services Personal Data, the BSS Personal Data, the Live-booking Calendar Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to the Marketing Services Personal Data, the BSS Personal Data, the Live-booking Calendar Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Marketing Services Personal Data, the BSS Personal Data, the Live-booking Calendar Personal Data;
e. pseudonymise and encrypt the Marketing Services Personal Data, the BSS Personal Data, the Live-booking Calendar Personal Data, as appropriate;
f. prevent a personal data security breach.

6.15. Sportradar shall promptly delete all the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data from its systems in accordance with its internal retention policy, unless and to the extent that Sportradar is required to retain copies in accordance with the applicable law.

7. Customer´s obligations regarding the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data

7.1. Customer shall comply with all applicable requirements of the Data Protection Legislation and shall notify Sportradar of any relevant changes to the Data Protection Legislation that may have impact on the processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data.

7.2. The Customer shall provide or otherwise make available the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to Sportradar and shall not instruct Sportradar to process the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data in violation of the Data Protection Legislation.

7.3. The Customer shall, at the time when the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data is obtained, provide the data subjects with all information about the collection and processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data and (where necessary) obtain unambiguous consent of data subjects as required by the Data Protection Legislation.

7.4. The Customer shall conduct any relevant data protection impact assessments and prior consultations with respect to the processing operations to be carried out by Sportradar.

7.5. The Customer shall ensure that Sportradar complies with the Data Protection Legislation prior to and during processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data .

7.6. The Customer shall supervise the processing operations performed by Sportradar. The Customer may issue instructions about the type, scope and method of processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data in writing.

8. Term and Termination

8.1. This DPA shall be bound to the term of the Agreement.

8.2. Upon termination of the Agreement the Data Processor shall proceed in accordance with clause 6.15 of this Agreement.

9. International Data Transfers

9.1. The Customer acknowledges and agrees that Sportradar may transfer the Marketing Services Personal Data, BSS Personal Data and Live-booking Calendar Personal Data outside the EAA and the UK (the “International Data Transfer“) subject to the International Data Transfer be made in compliance with the requirements under the Data Protection Legislation, i.e. (1) to an Approved Jurisdiction, or (2) subject to the EU Standard Contractual Clauses, the UK Addendum and/or the UK IDTA, where applicable, or (3) subject to other legal mechanisms for personal data transfer.

9.2. If Sportradar shall transfer the Marketing Services Personal Data, BSS Personal Data and the Live-Booking Calendar Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, Sportradar shall inform the Customer of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.

10. Use of de-identified and aggregated data

10.1. The Customer acknowledges and agrees that Sportradar shall have the right to use de-identified and/or aggregated data related to or obtained in connection with Services provided under the Agreement for its legitimate internal business purposes, such as analytics, reporting, and to improve, benchmark and develop its internal products and services.

11. Indemnity and Limitation of Liability

11.1. To the fullest extent permitted by law, neither Sportradar nor any of its affiliates, shall be liable to the Customer under or in connection with this DPA for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. Sportradar´s total aggregate liability arising out of or in relation to this DPA, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be strictly limited to the amount of fees actually paid by the Customer under the Agreement during the 12 (twelve) months preceding the event giving rise to the damages.

12. Contact Point

Each Party shall nominate the following contact person within their organisation who can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this DPA or the Data Protection Legislation:

For the Sportradar:
Name and Position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]

For the Customer:
As per the Agreement

13. Miscellaneous

13.1. In the event of any conflict between the terms of this DPA, any provision of the Agreement and any other agreement between the Parties, this DPA shall take precedence solely with respect to any data protection matters.

13.2. This DPA shall be governed by and construed in accordance with the Austrian laws. All disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the Austrian court(s).

13.3. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this DPA shall remain in full force and effect.

13.4. Sportradar may make changes to this DPA at any time by giving 30 days´ written notice to the Customer. The changes to the DPA will not apply retroactively.

Contact Decorative Stadium background

GET IN TOUCH WITH OUR TEAM

Contact us