ANNEX I
A. LIST OF PARTIES
MODULE ONE: Transfer controller to controller
Data exporter(s):
1. Name: TDI as defined in Agreement
Address: detailed in Agreement
Contact person’s name, position and contact details: Tom Bullock, Company Secretary, Email: [email protected]
Signature and date: detailed in Agreement
Role (controller/processor): controller
2. Name: SRAD as defined in Agreement
Address: detailed in Agreement
Contact person’s name, position and contact details: Stefano Celardo, Data Protection Officer (DPO), Email: [email protected]
Signature and date: detailed in Agreement
Role (controller/processor): controller
Data importer(s):
1. Name: Customer as defined in Agreement
Address: detailed in Agreement
Contact person’s name, position and contact details: detailed in Agreement
Signature and date: detailed in Agreement
Role (controller/processor): controller
B. DESCRIPTION OF TRANSFER
MODULE ONE: Transfer controller to controller
Categories of data subjects
The personal data transferred concern the following categories of data subjects:
Players and other data subjects whose personal data is contained within the TDI Content, Data Services and Live Odds Services.
Categories of personal data
The personal data includes data collected and contained within the TDI Content, Data Services and Live Odds Services, as specifically described in any licence agreement to which the data importer is a party.
Sensitive data transferred (if applicable)
N/A
Frequency of the transfer
Continuous for the term of the Agreement
Purposes of the transfer(s)
The transfer is for the purpose of permitting the exploitation of rights granted by the data exporter, and the use of the TDI Content, Data Services and Live Odds Services for the permitted purposes under any licence agreement to which the data importer is a party.
Retention period
The personal data transferred may be retained for the life of the Agreement and for the length necessary for the purposes permitted by any licence agreement to which the data importer is a party.
C. COMPETENT SUPERVISORY AUTHORITY
See the Agreement
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1. Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:
Access control systems
Surveillance facilities
Logging of facility exits/entries
2. Access control to systems
Measures must be taken to prevent unauthorized access to Customer’s own IT systems. These must include the following technical and organizational measures for user identification and authentication:
Password procedures (incl. special characters, minimum length, change of password)
Central management of system access
Access to internal IT systems subject to approval from HR management and IT system administrators
3. Access control to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights. These measures shall include:
Differentiated access rights
Access rights defined according to duties/rights/risks
4. Disclosure control
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
Compulsory use of a wholly-owned private network for all data transfers
Creating an audit trail of all data transfers
5. Input control
Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
Logging internal user activities on IT systems
6. Job control
Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:
Unambiguous wording of contractual instructions
Monitoring of contract performance
7. Availability control
Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures must include:
Backup procedures
Uninterruptible power supply (UPS)
Business Continuity procedures
Remote storage
Anti-virus/firewall systems
8. Segregation control
Measures should be put in place to allow data collected for different purposes to be processed separately. These should include:
Restriction of access to data stored for different purposes according to staff duties
Segregation of business IT systems
Segregation of IT testing and production environments