Choose your region

North America
SpanishBrazilian PortugueseEnglish
EuropeAfricaMiddle EastAsia Pacific

How we help

How we help

Products
Sports Data Odds Engagement Tools Live Streams Gaming Products Casino Solutions
Trading & Risk Management
Managed Trading Services Operational Insights
Marketing Services
Acquisition & Awareness Retention & Personalisation
Platforms
ORAKO Platform ORAKO Sportsbook SEVEN Platform SEVEN Sportsbook
Data & Content
Sports Data API Storytelling Tools Sports Insights Broadcast Solutions Editorial & Imagery
Audiovisual Services
Media Rights Production Services OTT Solutions
Marketing Services
Sportradar FanID Sponsorship Engagement Tool
Audiovisual Services
Media Rights Representation Production Services OTT Solutions
Marketing Services
Sportradar FanID Sponsorship Engagement Tool
Synergy Coaching & Scouting
Video Capturing Solutions Coaching Solutions Scouting Tools
Integrity Services
Anti-Match-Fixing Compliance, Risk & Governance Anti-Doping Safe Sport
Regulatory Services

Let us know what you want to achieve

Get in touch with our team and find out what our products and services can do for you.

Contact Us

Content & News

Content & News

Content Hub

Discover the latest Sportradar news, content, case studies, and much more

Find out more

News

Stay up to date on the latest news and media coverage from Sportradar

Find out more

Featured content

Latest Case Study

Case Study: Bilyoner
Latest eBook

eBook: The Integrated Sportsbook

About Us

About Us

About us

Partners & Clients

Locations
Investors

Relations
apis

for developers
Futures Hub

For Scale-Ups

Careers

Contact Us

Dark decorative background Dark decorative background

DATA
PROCESSING
AGREEMENT

Paid Social Data Processing Agreement

between

Sportradar (as set forth in the Agreement)

(the “Data Processor”)

to process on behalf of

Advertiser (as set forth in the Agreement)

(the “Data Controller”)

(each a “Party”, together the “Parties”)

1. Definitions and Interpretations

1.1 For the purposes of this Data Processing Agreement, capitalized terms shall have the following meanings, unless defined elsewhere hereto or in Agreement:

Approved Jurisdiction” shall mean a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for personal data by the European Commission, currently available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en;

Business Tools” shall mean technologies offered by Social Media Platforms which enable the collection and transmitting of personal data from Digital Properties to Social Media Platforms, such as, but not limited to, the Meta Pixel, the Conversions API, App Events via Facebook SDK, Offline Conversions, and App Events API as developed and offered by Meta Platforms, Inc. and Meta Platforms Ireland Limited;

Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to the Agreement;

CCPA” shall mean the California Consumer Privacy Act, as amended from time to time;

Competent Data Protection Authority” shall mean a competent data protection authority, which, by way of example, could be the Austrian Data Protection Authority [die österreichische Datenschutzbehörde];

Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the CCPA, any national data protection legislation, and any regulations, mandatory guidelines or any other mandatory codes of practice issued by any Competent Data Protection Authority, each as amended from time to time;

Digital Properties” shall mean website(s) and/or applications(s) of the Data Controller;

GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;

EU Standard Contractual Clauses” shall mean the standard contractual clauses for the transfer of personal data approved by the European Commission, available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en;

Personal Data” shall have the meaning given to it in clause 3.1 of this Data Processing Agreement;

Social Media Platform” shall mean any application or website through which individuals (Internet users) are able to create and share content and find and connect with other individuals, such as Facebook or Instagram.

1.2 For the purposes of this Data Processing Agreement, the terms “controller”, “processor”, “data subject”, “personal data”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the GDPR.

2. Purpose of the Data Processing Agreement

2.1. The purpose of this Data Processing Agreement is to determine the roles and responsibilities of the Data Controller, the Data Processor and the Social Media Platforms during the provision of Paid Social Campaign(s) under the Agreement in order to ensure the compliance of the Parties to the Agreement with the applicable Data Protection Legislation. For the avoidance of doubt, Social Media Platforms are not parties to this Data Processing Agreement or to the Agreement.

2.2. The Data Controller intends to achieve its marketing goals via Paid Social Campaigns on Social Media Platforms, ie building its brand; acquiring new customers; and/or communicating with existing customers.

2.3. The Data Processor intends to help the Data Controller achieve its marketing goals by facilitating the integration of Social Media Platforms’ Business Tools on the Data Controller’s Digital Properties.

2.4. The Data Controller acknowledges that Paid Social Campaigns involve collection of personal data directly via Social Media Platforms’ Business Tools deployed on the Data Controller’s Digital Properties and sending of the personal data to the Social Media Platforms for serving of targeted personalized advertising on Social Media Platforms. The Data Controller further acknowledges that Social Media Platforms have business terms, including data processing terms (“Social Media Platforms’ Terms”) which are applicable for each and every Paid Social Campaign, for instance ‘Facebook Business Tools Terms’ available here: https://www.facebook.com/legal/terms/businesstools, as amended from time to time; ‘Facebook Data Processing Terms’ available here: https://www.facebook.com/legal/terms/dataprocessing, as amended from time to time, ‘Facebook Controller Addendum’ available here https://www.facebook.com/legal/controller_addendum, as amended from time to time; and any other applicable terms, addendums, agreements of Social Media Platforms.

3. Personal Data, Data Subjects, Processing Operations

3.1. The Parties to the Agreement understand and agree that the processing of personal data for the provision of Paid Social Campaigns is performed exclusively by Social Media Platforms and any sub-processors, affiliates, and subsidiaries they may have.

3.2. By facilitating the integration of the Business Tools on the Digital Properties, the Data Processor may process/have access to certain information that may be considered as personal data under the Data Protection Legislation: (i) online identifiers of end users (“data subjects”) of the Data Controller (such as cookie ID, mobile device ID, IP address and other technical data such as device and browser type and mouse events); (ii) hashed information about the data subjects (such as names, date of birth, contact details, user ID); (iii) information about the data subjects’ activities on the Data Controller’s Digital Properties (such as team name, odds, match ID, sport) (“Personal Data”).

3.3. The Data Processor shall process the Personal Data for the purpose of facilitating the integration of the Business Tools on the Digital Properties.

3.4. The processing operations performed by the Data Processor on the Personal Data shall consist of:

3.4.1. creating and/or facilitating the deployment of Business Tools on the Data Controller’s Digital Properties

3.4.2. providing non-personal information to be added to the Personal Data collected via the Business Tools to ensure the effectiveness of the Paid Social Campaign(s).

3.5. For the avoidance of doubt, the Data Processor does not process any Personal Data for advertising, matching, measurement and analytics.

3.6. Social Media Platforms are responsible for creating personalized advertisement, matching, detailed conversion tracking, measurement, analytics, reporting and overall performance of the Paid Social Campaign(s) as further described in the applicable Social Media Platforms’ Terms.

4. Term and Termination

4.1. This Data Processing Agreement shall run conterminously with the Agreement.

4.2. Upon termination of the Agreement the Data Processor shall proceed in accordance with clause 5.14 of this Data Processing Agreement.

5. Obligations of the Data Processor

5.1. The Data Processor shall process Personal Data only for the purposes of fulfilling its obligations under this Data Processing Agreement and in relation to the Agreement.

5.2. The Data Processor shall process Personal Data only in accordance with the documented instructions of the Data Controller and in compliance with the Data Protection Legislation, including with regard to transfers of Personal Data to a third country or an international organisation.

5.3. The Data Processor shall keep a written record of all categories of processing operations carried out on behalf of the Data Controller in accordance with the Data Protection Legislation.

5.4. The Data Processor shall not disclose Personal Data to third parties, unless with the express prior written consent of the Data Controller or when legally required. For the avoidance of doubts, the Data Processor’s sub-processors, affiliates and subsidiaries shall not be considered as third parties.

The Data Processor may disclose Personal Data to other processors working for the Data Controller, pursuant to the Data Controller’s instructions. In this case, the Data Controller shall identify, in writing and in advance, the entity Personal Data shall be disclosed to, the Personal Data to be disclosed, and the security measures to be applied for the disclosure.

The Data Processor may transfer the Personal Data outside of the EU only if such transfer is made in accordance with the Data Protection Legislation, i.e. (1) to an Approved Jurisdiction, (2) subject to the EU Standard Contractual Clauses or (3) subject to other legal mechanism for personal data transfer. If the Data Processor shall transfer Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, the Data Processor shall inform the Data Controller of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.

5.5. The Data Processor may continue to use the sub-processors already engaged by the Data Processor as at the date of the Agreement.

If any processing operation shall be subsequently subcontracted by the Data Processor, the Data Processor shall notify in writing the Data Controller not later than 10 (ten) Business Days in advance, indicating the sub-processor and its contact details as well as the processing operations to be subcontracted. If, within 10 (ten) Business Days of receipt of the notice, the Data Controller notifies the Data Processor in writing of any objections on reasonable grounds to the proposed appointment:

5.5.1. the Data Processor shall work with the Data Controller in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the Data Processing Agreement;

5.5.2. where such a change cannot be made within 90 (ninety) days as of the receipt of the Data Controller’s notice by the Data Processor, the Data Controller may, by written notice to the Data Processor, terminate with immediate effect the Agreement to the extent that it relates to the services which require the use of the proposed sub-processor and this termination right is the Data Controller´s sole and exclusive remedy if the change cannot be made.

The Data Processor shall only engage a sub-processor under a written contract that provides similar level of protection as this Data Processing Agreement.

5.6. The Data Processor guarantees that the individuals authorised to process Personal Data are subject to binding obligations of confidentiality and shall comply with the relevant security measures. The Data Processor shall keep documentation accrediting compliance with this obligation available for inspection by the Data Controller upon a reasonable request.

5.7. The Data Processor guarantees that the individuals authorised to process Personal Data have the necessary data protection training.

5.8. The Data Processor shall assist the Data Controller in meeting its obligations in relation to data subjects’ requests to exercise rights under the Data Protection Legislation, for example (i) to access, rectification, erasure and object; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling; (v) to opt out of the sale of personal information. The Data Controller shall reimburse the Data Processor for all reasonable costs and expenses incurred with regard to such assistance.

When data subjects exercise their rights under items (i), (ii), (iii), (iv), and (v) above before the Data Processor, the Data Processor shall promptly notify the Data Controller and in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.

5.9. The Data Processor shall notify the Data Controller of any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data (“Data Breach“) without undue delay and in any event within 3 (three) Business Days of identification of any confirmed Data Breach, together with all available information to document and report the incident.

5.10. The Data Processor shall support the Data Controller in sending prior consultations to Competent Data Protection Authorities, when appropriate.

5.11. The Data Processor shall support the Data Controller in conducting data protection impact assessments, when appropriate.

5.12. The Data Processor shall provide the Data Controller with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent expert mutually agreed by the Data Controller and the Data Processor, at the cost of the Data Controller. Such audit or inspection may only be undertaken once in any 12 (twelve) calendar month period or in the event of any confirmed breach of any obligation under this Data Processing Agreement on a reasonable notice during normal business hours. The Data Processor shall give all necessary assistance to the conduct of any such audits or inspections.

5.13. The Data Processor shall implement appropriate technical and organisational measures to:

a) ensure a level of security appropriate to the risk involved in order to protect the Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b) ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
d) test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Personal Data;
e) pseudonymise and encrypt the Personal Data, as appropriate;
f) prevent a Data Breach.

5.14. The Data Processor shall delete all Personal Data provided by the Data Controller from its systems in accordance with the Data Processor´s internal retention policy, otherwise upon written request of the Data Controller. After the deletion, the Data Processor may retain copies of the Personal Data only to the extent required by the applicable law or to enforce rights and defend legal claims. The Data Controller acknowledges and agrees that the Data Processor shall have the right to use de-identified and/or aggregated data related to or obtained in connection with the Paid Social Campaign(s) provided under the Agreement for its legitimate internal business purposes, such as analytics, reporting, and to improve, benchmark and develop its internal products and services.

6. Obligations of the Data Controller

6.1. The Data Controller shall comply with all requirements of the applicable Data Protection Legislation and shall notify the Data Processor of any relevant changes to the Data Protection Legislation that may have impact on the processing of Personal Data under this Data Processing Agreement.

6.2. The Data Controller shall provide the Personal Data or otherwise make the Personal Data available to the Data Processor and shall not instruct the Data Processor to process Personal Data in violation of the Data Protection Legislation.

6.3. The Data Controller shall ensure that at the time of collection of the Personal Data (i) the data subjects are provided with clear and sufficient information about the collection and processing of their Personal Data under this Data Processing Agreement, including the recipients or categories of recipients of the processed Personal Data, and (ii) legal basis for processing of the Personal Data is secured and any consents of data subjects as required by and in accordance with the Data Protection Legislation are obtained. For the avoidance of doubt, the Data Controller acknowledges and accepts that the Data Processor shall not, in any way, be responsible for the performance of these obligations.

6.4. The Data Controller shall conduct any relevant data protection impact assessments (including any data transfer impact assessments as required under the EU Standard Contractual Clauses and the Data Protection Legislation) and prior consultations with respect to the processing operations to be carried out by the Data Processor. The Data Controller acknowledges that the Data Processor shall not be responsible for conducting any such assessments or prior consultations.

6.5. The Data Controller shall ensure that the Data Processor complies with the Data Protection Legislation prior to and during processing of the Personal Data.

6.6. The Data Controller shall supervise the processing operations performed by the Data Processor. The Data Controller may issue additional instructions about the type, scope and method of processing of the Personal Data in writing.

7. Indemnity and Limitation of Liability

7.1. The Data Controller declares to have read and understood the Social Media Platforms’ Terms applicable to the Paid Social Campaign(s) under the Agreement pursuant to clause 2.4 of the Agreement.

7.2. The Data Controller declares to be fully aware of the obligations it has under the applicable Social Media Platforms’ Terms.

7.3. The Data Controller guarantees and acknowledges that it has met and fulfilled all obligations under the applicable Social Media Platforms’ Terms or it shall do so prior to the deployment of any Business Tools on its Digital Properties.

7.4. To the fullest extent permitted by law, neither the Data Processor nor any of its affiliates or subsidiaries shall be liable to the Data Controller under or in connection with this Data Processing Agreement for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. The Data Processor’s total aggregate liability arising from or in relation to this Data Processing Agreement, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be strictly limited to the amount of fees actually paid by the Data Controller under the Agreement during the 12 (twelve) months preceding the event giving rise to the damages.

7.5. The Data Controller shall indemnify and shall keep the Data Processor indemnified from and against all costs, claims, fines, losses, damages or expenses incurred by the Data Processor, or for which the Data Processor may become liable due to any failure of the Data Controller to comply with its obligations set out in clause 6 of this Data Processing Agreement, any of its obligations under the applicable Social Media Platforms’ Terms or the Data Protection legislation. For the avoidance of doubt, this indemnity shall be unlimited and shall override any limitation of liability provisions contained in any other agreement between the Parties.

8. Contact Point

In case of any queries, complaints or notifications of any kind whatsoever regarding this Data Processing Agreement or the Data Protection Legislation and for the purposes of receipt of notices under this Data Processing Agreement, the Parties shall use the following contact details:

For the Data Processor:
Name and position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]

For the Data Controller:
Advertiser Contact as set forth in the Agreement.

9. Miscellaneous

9.1. In the event of any conflict between the terms of this Data Processing Agreement and any provision of the Agreement and any other agreement between the Parties, this Data Processing Agreement shall prevail solely with respect to any data protection matters.

9.2. Notwithstanding the governing law of the Agreement, this Data Processing Agreement shall be governed by and construed in accordance with the Austrian law. All disputes, controversy, or claims arising out of or in connection with this Data Processing Agreement shall be subject to the exclusive jurisdiction of the Austrian court(s).

9.3. The provisions of this Data Processing Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Data Processing Agreement shall remain in full force and effect.

9.4. Any amendment to this Data Processing Agreement must be made in writing upon mutual agreement by the Parties.

Contact Decorative Stadium background

GET IN TOUCH WITH OUR TEAM

Contact us