Appendix 4 Data Cooperation Agreement
1. Definitions
For the purposes of this Data Cooperation Agreement (the “DCA”) the capitalized terms have the following meanings, unless defined elsewhere in this DCA or in the Agreement:
“Approved Jurisdiction” shall mean a country of the European Economic Area (the “EEA”), or other jurisdiction as may be approved as having adequate legal protections for personal data by the European Commission or the UK Government;
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to this DCA;
“CCPA” shall mean the US California Consumer Privacy Act of 2018, as amended from time to time;
“Competent Data Protection Authority” shall mean the competent data protection regulator which, by way of example, is the Austrian Data Protection Authority [die österreichische Datenschutzbehörde];
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the CCPA and any national data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;
“EU Standard Contractual Clauses” shall mean the standard contractual clauses for the transfer of personal data approved by the European Commission, available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;
“MTS Personal Data” shall have the meaning given to it in clause 3.1. of this DCA;
“Marketing Services Personal Data” shall have the meaning given to it in clause 5.1. of this DCA;
“BSS Personal Data” shall have the meaning given to it in clause 6.1. of this DCA;
“Live-booking Calendar Personal Data” shall have the meaning given to it in clause 7.1. of this DCA;
“UK Addendum” shall mean the international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office, as amended from time to time;
“UK IDTA” shall mean the international data transfer agreement issued by the UK Information Commissioner’s Office, as amended from time to time.
For the purposes of this DCA the terms “controller”, “joint controllers”, “business”, “processor”, “service provider”, “data subject”, “personal data”, “personal information”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the Data Protection Legislation.
2. Purpose of the Data Cooperation Agreement
2.1. The purpose of the DCA is to determine the roles and responsibilities of the Parties during the provision of the Services under the Agreement in order to ensure the Parties´ compliance with the applicable Data Protection Legislation.
2.2. This DCA shall apply if and only to the extent that the Partner chooses in the Agreement any or all of the following Services:
a) Managed version of Sportradar’s Managed Trading Services,
b) Betting Stimulation Services,
c) Marketing Services,
d) any other Services that require access to Sportradar’s Live-booking Calendar through which the Partner selects those other Services.
For the avoidance of doubt, clauses in this DCA regarding a Service mentioned above shall not apply if the Partner did not choose that Service in the Agreement.
2.3. For the purpose of the DCA, the Parties shall act as:
a) joint controllers under the GDPR or businesses under the CCPA with regards to the MTS Personal Data, and
b) Partner shall act as data controller under the GDPR or business under the CCPA and Sportradar as data processor under the GDPR or service provider under the CCPA with regards to the Marketing Services Personal Data, BSS Personal Data and Live-booking Calendar Personal Data.
3. MTS Personal Data
3.1. If the Partner chooses in the Agreement the managed version of Sportradar’s MTS, the Parties shall enjoy joint controllership over the following categories of personal data of the following data subjects in the course of their commercial relationship:
(a) personal data of Partner´s Operators’ end users shared between the Parties that is necessary for the Ticket Integration and which includes but is not limited to the personal data contained within the list attached to the Agreement as Appendix 2 (e.g. date/time of each bet, account ID, language, device ID, location (location ID – IP address, ZIP/location of retail or terminal unit), sport, tournament, match, bet´s currency, etc.);
(b) in case of suspicious activity – and only if mutually agreed – any additional personal data of Partner´s Operators’ end users shared between the Parties for fraud detection and prevention purposes (e.g. name, address, telephone number, date account open, IP address usage (i.e. if the bets are continuously coming from a specific IP address), betting history of an end user, etc.);
(the “MTS Personal Data”).
3.2. The processing of the MTS Personal Data shall consist of:
(a) risk management of the Partner´s Operators’ bookmaking services;
(b) in case of suspicious activity – and only if mutually agreed – for fraud detection and prevention.
4. Obligations of the Parties regarding MTS Personal Data
4.1. Rights of the Data Subjects
4.1.1. The Parties shall cooperate in responding to data subjects’ requests to exercise rights under the Data Protection Legislation:
a. to access, rectification, erasure and object;
b. to restriction of processing;
c. to data portability;
d. in relation to automated decision making and profiling;
e. to opt out of the sale of personal information.
4.1.2. The Parties agree that the responsibility for complying with a data subject request falls to the Partner. The Parties agree to provide reasonable and prompt assistance to each other (within 5 (five) Business Days of such request for assistance) as is necessary to enable them to comply with data subject requests and to respond to any other queries or complaints of any kind whatsoever from data subjects.
4.2. Information Duty
4.2.1. The Partner shall be responsible to ensure that the data subjects are informed about the MTS Personal Data collection and processing under this DCA and shall ensure that (where necessary) any consents from data subjects are obtained as required under the Data Protection Legislation. The Partner shall, in respect of the MTS Personal Data, ensure that privacy notices provided to the data subjects and any other form of communication relating to the collection and processing of the MTS Personal Data are clear and provide sufficient information to the data subjects in order for them to understand what of their personal data is collected and shared with other recipients, the circumstances in which it will be shared and the purposes for the data sharing. In particular, the Partner shall ensure that such privacy notices include an explicit reference to Sportradar as an entity with whom their personal data is shared for the purposes under this DCA.
4.3. Complaints
4.3.1. In the event of a dispute or claim brought by a data subject or a Competent Data Protection Authority concerning the processing of the MTS Personal Data against either or both Parties to this DCA, the Parties shall inform each other about any such disputes or claims without delay and shall cooperate with a view to settling them amicably in a timely manner.
5. Marketing Services Personal Data
5.1. If the Partner chooses in the Agreement the Marketing Services, Sportradar shall process on behalf of the Partner some or all of the following types of personal data of the following data subjects, collected as part of the Ticket Integration:
a) Location IDs (IP Address, ZIP/location of retail or terminal unit) of the Partner’s Operators’ end users,
b) Account IDs of the Partner’s Operators’ end users,
c) Device ID of the Partner’s Operators’ end users,
d) Age of the Partner’s Operators’ end users,
e) Gender of the Partner’s Operators’ end users,
f) Signup date of the Partner’s Operators’ end users,
g) Real-time and historical information about the Partner’s Operators’ end users,
h) Bonus information (signup channel, source of acquisition, campaign ID, bonus ID, bonus type, reward type, award type, accepted date, restriction type (bonus, cashout, non withdrawable, etc.), wager requirements, bonus amount),
i) Transaction information (day and time of transaction, transaction ID, transaction type (deposit, withdrawal, etc.), account ID of Partner’s Operators’ end users, amount, transaction status, payment method),
j) Web analytics data (impressions, clicks, visits, bounces),
(the “Marketing Services Personal Data”).
5.2. The processing of the Marketing Services Personal Data shall consist of:
a) analysing via AI real-time and historical information about each end user (favorite bet types, favorite sport types, average stakes, etc.),
b) serving the end user with:
1) if applicable, personalized content based on analyzed player life time value of each end user in order to define the best acquisition/retention strategy and to recommend the best promotion/bonus to provide to each end user (e.g. suitable promotions),
2) if applicable, personalized content based on analysed data in order to provide personalized betting recommendations to each end user (e.g. betting recommendations/up-sell),
c) based on the analysed information according to the point a), providing to the Partner’s Operators predictions on the end user´s value and inactivity.
6. BSS Personal Data
6.1. If the Partner chooses in the Agreement Betting Stimulation Services, Sportradar shall process on behalf of the Partner some or all of the following types of personal data of the following data subjects:
a) IP addresses and geolocation of Partner’s Operators’ end users;
b) Geolocation;
(the “BSS Personal Data”).
6.2. The processing of the BSS Personal Data shall consist of:
a) collection and processing of IP addresses and geolocation of Partner’s Operators’ end users in order:
i. to perform analytics (to control and develop the Services);
ii. to ensure security and for debugging; and
iii. to verify that the end user is from an allowed country or if applicable from an allowed subdivision or region of a country;
7. Live-booking Calendar Personal Data
7.1. If the Partner chooses in the Agreement other Services that require access to Sportradar’s Live-booking Calendar through which the Partner and/or Partner’s Operators select those other Services, Sportradar shall process on behalf of the Partner and/or Partner’s Operators some or all of the following types of personal data of the following data subjects:
a) IP addresses, names, email addresses, user IDs, usernames of Partner’s and/or Partner´s Operators’ employees;
(the “Live-booking Calendar Personal Data”).
7.2. The processing of the Live-booking Calendar Personal Data shall consist of:
a) collection and processing of IP addresses, names, email addresses, user IDs and usernames of Partner’s and/or Partner’s Operators’ employees in order:
i. to manage access to Sportradar´s portals;
ii. to create and provide changelogs with autobooking rules and history.
8. Sportradar´s obligations regarding Marketing Services Personal Data, BSS Personal Data and Live-booking Calendar Personal Data
8.1. Sportradar shall process the Marketing Services Personal Data, the BSS Personal Data and Autobooking Calendar Personal Data on behalf of the Partner in accordance with this DCA and only for the business purpose of provision of the Services under the Agreement.
8.2. Sportradar shall process the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data in accordance with the instructions of the Partner and in compliance with the Data Protection Legislation. Sportradar shall immediately notify in writing the Partner if Sportradar believes that any of the instructions of the Partner violate the Data Protection Legislation. For the avoidance of doubt, this notification obligation shall not mean that Sportradar is obliged to perform a comprehensive legal examination with respect to Partner´s instructions.
8.3. Sportradar shall keep a written record of all categories of processing operations carried out on behalf of the Partner in accordance with the Data Protection Legislation.
8.4. Sportradar shall not disclose the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to third parties, unless with the express prior written consent of the Partner or when legally required. For the avoidance of doubt, Sportradar’s affiliates, subsidiaries or subprocessors/service providers shall not be considered third parties.
Sportradar may disclose the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to other processors working for the Partner, pursuant to the Partner’s instructions. In this case, the Partner shall identify, in writing and in advance, the entity the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data shall be disclosed to, the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to be disclosed, and the security measures to be applied for the disclosure.
8.5. The Partner authorises Sportradar to appoint – and permit each sub-processor appointed in accordance with this clause to appoint – sub-processors.
Sportradar may continue to use those sub-processors already engaged by Sportradar as at the date of this DCA.
If any processing operation shall be subsequently subcontracted, Sportradar shall notify in writing the Partner 10 (ten) Business Days in advance, indicating the processing operations to be subcontracted and clearly and unequivocally identifying the subcontractor and its contact details. If, within 10 (ten) days of receipt of the notice, the Partner notifies Sportradar in writing of any objections on reasonable grounds to the proposed appointment:
a. Sportradar shall work with the Partner in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the DCA;
b. where such a change cannot be made within 90 (ninety) days as of the receipt of the Partner’s notice by Sportradar, the Partner may, by written notice to Sportradar, terminate with immediate effect the Agreement to the extent that it relates to the services which require the use of the proposed sub-processor and this termination right is Partner’s sole and exclusive remedy if the change cannot be made.
Sportradar shall only engage a sub-processor under a written contract that provides a similar level of protection as this DCA.
8.6. Sportradar guarantees that the individuals authorised to process the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data have the necessary data protection training.
8.7. Sportradar shall assist the Partner in meeting its obligations in relation to data subjects’ requests to exercise rights under the Data Protection Legislation, e.g.: (i) to access, rectification, erasure and object; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling and (v) to opt out of the sale of personal information. The Partner shall reimburse Sportradar for all reasonable costs and expenses incurred with regard to such assistance.
When data subjects exercise their rights under items under the Data Protection Legislation before Sportradar, Sportradar shall notify the Partner immediately but in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.
8.8. Sportradar shall support the Partner in sending prior consultations to Competent Data Protection Authorities, when appropriate.
8.9. Sportradar shall support the Partner in conducting data protection impact assessments, when appropriate.
8.10. Sportradar shall provide the Partner with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent auditor mutually agreed by the Partner and Sportradar, at the cost of the Partner. Such audit and inspections may only be undertaken once per calendar year on a reasonable prior notice during normal business hours. Sportradar shall give all necessary assistance to the conduct of such audits and inspections.
8.11. Sportradar shall promptly delete all the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data from its systems in accordance with its internal retention policy, unless and to the extent that Sportradar is required to retain copies in accordance with the applicable law.
9. The Partner´s obligations regarding the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data
9.1. The Partner shall comply with all applicable requirements of the Data Protection Legislation and shall notify Sportradar of any relevant changes to the Data Protection Legislation that may have impact on the processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data.
9.2. The Partner shall provide or otherwise make available the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data to Sportradar and shall not instruct Sportradar to process the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data in violation of the Data Protection Legislation.
9.3. The Partner shall, at the time when the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data is obtained, ensure that the data subjects are provided with all information about the collection and processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data and shall ensure that (where necessary) any consents of data subjects are obtained as required by the Data Protection Legislation.
9.4. The Partner shall conduct any relevant data protection impact assessments and prior consultations with respect to the processing operations to be carried out by Sportradar.
9.5. The Partner shall ensure that Sportradar complies with the Data Protection Legislation prior to and during processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data.
9.6. The Partner shall supervise the processing operations performed by Sportradar. The Partner may issue instructions about the type, scope and method of processing of the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data in writing.
10. Term and Termination
10.1. This DCA shall be bound to the term of the Agreement.
11. Data Security
11.1. The Parties to this DCA shall implement appropriate technical and organisational measures to:
a. ensure a level of security appropriate to the risk involved to protect all personal data from unauthorized use, alteration, access or disclosure, and loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the personal data;
e. pseudonymise and encrypt the personal data, as appropriate;
f. prevent a personal data security breach.
11.2. The Parties to this DCA shall keep accurate records of the security measures which they have in place and shall make such records available to the other Party upon request.
12. Data Breach
12.1. The Parties to this DCA shall notify any potential or actual losses of any personal data processed under this DCA to the other Party as soon as possible and, in any event, within 3 (three) Business Days of identification of any potential or actual loss in order to consider what action is required to resolve the issue in accordance with the Data Protection Legislation.
13. Confidentiality
13.1. The Parties to this DCA shall maintain the duty of secrecy regarding any personal data processed under this DCA, even after the termination of the Agreement.
13.2. The Parties to this DCA guarantee that the individuals authorised to process any personal data under this DCA expressly undertake in writing to respect confidentiality and to comply with the relevant security measures, of which they must be duly informed.
13.3. For the avoidance of any doubt, Parties to this DCA acknowledge and agree that they may share the MTS Personal Data, the Marketing Services Personal Data, the BSS Personal Data and Live-booking Calendar Personal Data with their affiliates, subsidiaries, processors and subprocessors for the purpose of providing the Services under the Agreement.
14. International Data Transfers
14.1. The Partner acknowledges and agrees that Sportradar may transfer MTS Personal Data, Marketing Services Personal Data, BSS Personal Data and Live-booking Calendar Personal Data outside the EEA and the UK (the “International Data Transfer”) subject to the International Data Transfer being made in compliance with the requirements under the Data Protection Legislation, i.e. (1) to an Approved Jurisdiction, or (2) subject to the EU Standard Contractual Clauses, the UK Addendum and/or the UK IDTA, where applicable, or (3) subject to other legal mechanisms for personal data transfer.
14.2. If Sportradar shall transfer Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, Sportradar shall inform the Partner of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.
15. Use of de-identified and aggregated data
15.1. The Partner acknowledges and agrees, and shall ensure that Partner’s Operators also agree, that Sportradar shall have the right to use de-identified and/or aggregated data related to or obtained in connection with Services provided under the Agreement for its legitimate internal business purposes, such as analytics, reporting, and to improve, benchmark and develop its internal products and services.
16. Indemnity and Limitation of Liability
16.1. Each party (the “Indemnifying Party”) shall indemnify and hold harmless the other party (the “Indemnified Party”) in respect of all costs, claims, fines, losses, damages or expenses incurred by the Indemnified Party, or for which the Indemnified Party may become liable, due to any failure by the Indemnifying Party to comply with any of its obligations set out in this DCA.
16.2. To the fullest extent permitted by law, neither Sportradar nor any of its affiliates, shall be liable to the Partner under or in connection with this DCA for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. Sportradar´s total aggregate liability arising out of or in relation to this DCA, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be strictly limited to the amount of fees actually paid by the Partner under the Agreement during the 12 (twelve) months preceding the event giving rise to the damages.
17. Contact Point
Each Party shall nominate the following contact person within their organisation who can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this DCA or the Data Protection Legislation:
For Sportradar:
Name and Position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]
For the Partner:
As per the Main Agreement
18. Miscellaneous
18.1. In the event of any conflict between the terms of this DCA, any provision of the Agreement and any other agreement between the Parties, this DCA shall take precedence solely with respect to any data protection matters.
18.2. This DCA shall be governed by and construed in accordance with the Austrian laws.
18.3. All disputes arising out of or in connection with this DCA shall be subject to the exclusive jurisdiction of the Austrian court(s).
18.4. The provisions of this DCA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this DCA shall remain in full force and effect.
18.5. Sportradar may make changes to this DCA at any time by giving 30 days´ written notice to the Partner. The changes to the DCA will not apply retroactively.