ATTACHMENT B – DATA PROCESSING ADDENDUM
1. Definitions
For the purposes of this Data Processing Addendum the following terms shall have the following meanings:
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to the Supplier Agreement;
“CCPA” shall mean the US California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CPRA) and as amended from time to time;
“Competent Data Protection Authority” shall mean the competent data protection authority;
“DPA” shall mean this Data Processing Addendum;
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the CCPA/CPRA, and any regulations, mandatory guidelines or any other mandatory codes of practice issued by any Competent Data Protection Authority, each as amended from time to time;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Personal Data” shall have the meaning given to it in Annex 1 Description of the Processing to this DPA.
For the purposes of this DPA, the terms “controller”, “processor”, “business”, “service provider”, “third party”, “sale”, “share”, “data subject”, “personal data”, “personal information”, “process”, “processing”, “data breach”, “sensitive personal information”, and “special categories of personal data” shall have the meanings attributed to them in the Data Protection Legislation.
Any other term not defined in this DPA shall have the meaning attributed to it in the Addendum.
2. Purpose of the Agreement
2.1. The purpose of this DPA is to determine Supplier’s responsibilities with regard to the processing of the Personal Data performed by the Supplier when providing to Sportradar its Products and/or Services under the Supplier Agreement.
2.2. The subject matter, duration, nature and purpose of the processing, types of personal data and categories of data subjects are defined in Annex 1 Description of the Processing to this DPA.
3. Term and Termination
3.1. The DPA shall be bound to the term of the Supplier Agreement.
4. Processing of the Personal Data
4.1. The Supplier shall process the Personal Data only for the purpose of providing its Products and/or Services under the Supplier Agreement. The Supplier shall not engage in sale or sharing of the personal information as this term is defined in the CCPA.
4.2. The Supplier shall process the Personal Data in accordance with this DPA and the Data Protection Legislation.
5. Transparency and Legal Basis
5.1. If the Personal Data is collected directly by the Supplier or upon request from Sportradar, the Supplier shall (i) ensure that, at the time of the collection of the Personal Data, the data subjects are provided with clear and sufficient information about the collection and processing of their Personal Data under the Supplier Agreement and that the privacy notice provided to data subjects contains all information required by the Data Protection Legislation, (ii) ensure that a legal basis for processing of the Personal Data as envisioned under this DPA is secured and any consents of data subjects as required by and in accordance with the Data Protection Legislation are obtained, and (iii) immediately communicate to Sportradar if data subjects decide to withdraw their consent.
5.2. Unless absolutely needed to provide the Products and/or Services under the Supplier Agreement, the Supplier shall not process special categories of personal data or sensitive personal information. If processing of special categories of personal data or sensitive personal information is needed to provide the Products and/or Services under the Supplier Agreement, the Supplier shall ensure that (i) consents for processing special categories of personal data or sensitive personal information are collected from data subjects in accordance with the requirements of the Data Protection Legislation and (ii) all technical and organizational measures and other safeguards as required for special categories of personal data or sensitive personal information under the Data Protection Legislation are implemented and complied with.
6. Third Parties
6.1. The Supplier shall not disclose the Personal Data to third parties (including any government agency, court, or law enforcement), except with the express prior written consent of Sportradar. If the Supplier receives an access request to the Personal Data and is obliged to disclose the Personal Data under the applicable law, the Supplier shall notify Sportradar of the access request prior to granting such access, to allow Sportradar to seek a protective order or other appropriate remedy. If such notice is legally prohibited, the Supplier shall take all reasonable measures to protect the Personal Data from undue disclosure as if it were Supplier’s own confidential information being requested and shall inform Sportradar as soon as possible when such legal prohibition ceases to apply.
6.2. The Supplier is allowed to engage processor(s) to assist with performing the processing of the Personal Data to provide the Products and/or Services under the Supplier Agreement, subject to complying with the following obligations:
a) the Supplier shall perform due diligence on any engaged processor to ensure that the processor complies with the requirements of the Data Protection Legislation;
b) the Supplier shall enter into binding contracts with engaged processors that provide the same level of protection to the Personal Data as this DPA;
c) with regard to international data transfers, the Supplier shall perform all required transfer impact assessments, where necessary, prior to engaging processor(s) and shall use appropriate transfer tools (such as standard contractual clauses approved by the European Commission, the United Kingdom, or any other applicable jurisdiction) in accordance with the applicable Data Protection Legislation. If a transfer impact assessment reveals that the Personal Data will not be provided with an adequate level of protection as required under the applicable Data Protection Legislation, the Supplier shall either (i) implement supplementary measures as per the Data Protection Legislation to ensure the adequate level of protection to the Personal Data or (ii) not engage such processor;
d) the Supplier shall be fully responsible for the acts and omissions of the engaged processor as if the processing was performed by the Supplier.
7. Data Subject Requests
7.1. The Supplier shall assist Sportradar in meeting its obligations in relation to data subjects’ requests to exercise rights under the Data Protection Legislation, for example (i) to access, rectification, erasure and objection; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling; (v) to opt out of the sale and sharing of personal information.
7.2. When data subjects exercise their data subject rights under the Data Protection Legislation before the Supplier, the Supplier shall promptly notify Sportradar and in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.
8. Audit
8.1. The Supplier shall permit Sportradar, on reasonable notice during normal business hours, but without notice in case of any reasonably suspected breach of any obligation under this DPA to:
a) gain access to, and take copies of, all records, documents and other information related to the processing of the Personal Data under this DPA held at the Supplier’s premises or on the Supplier’s computer systems; and
b) inspect all records, documents and other information and Supplier’s computer systems, facilities and equipment related to the processing of the Personal Data under this DPA
for the purpose of auditing Supplier’s compliance with its obligations under this DPA. The Supplier shall give all necessary assistance to the conduct of any such audits.
9. Security
9.1. The Supplier shall implement appropriate technical and organizational measures to:
a) ensure a level of security appropriate to the risk involved in order to protect the Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b) ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
d) test, assess and evaluate the effectiveness of technical and organizational measures implemented for ensuring the security of the processing of the Personal Data;
e) pseudonymize and encrypt the Personal Data, as appropriate;
f) prevent a personal data security breach.
9.2. The Supplier shall notify Sportradar without undue delay of any breach of the security of the Personal Data it holds, whether actual or potential, of which it is aware, together with all relevant information to document and report the incident.
The following minimum information shall be provided, if available:
a) description of the nature of the personal data security breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
b) the name and contact details of the data protection officer or another point of contact to obtain more information;
c) description of the possible consequences of the personal data security breach;
d) description of the measures adopted or proposed to remedy the personal data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.
10. Assistance to Sportradar and Records of Processing Operations
10.1. The Supplier shall support Sportradar in sending prior consultations to Competent Data Protection Authorities.
10.2. The Supplier shall support Sportradar in conducting data protection impact assessments.
10.3. The Supplier shall keep a written record of all categories of processing operations carried out in connection with providing the Products and/or Services under the Supplier Agreement.
11. Confidentiality and Trainings
11.1. The Supplier shall maintain the duty of confidentiality regarding the Personal Data, even after the termination of the Supplier Agreement.
11.2. The Supplier guarantees that the individuals authorised to process Personal Data expressly undertake in writing to respect the confidentiality of the Personal Data and to comply with the relevant security measures, of which they shall be duly informed. The Supplier shall keep documentation accrediting compliance with this obligation available for inspection by Sportradar.
11.3. The Supplier guarantees that the individuals authorized to process Personal Data have the necessary data protection training.
12. International Data Transfers
To the extent that Sportradar transfers Personal Data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to the Supplier and the Supplier is located outside the EEA, UK or Switzerland, the Parties shall be deemed to have entered into the applicable standard contractual clauses as approved by the European Commission, respectively the United Kingdom in respect of such transfer as set out in Annex 2 International Data Transfers – Standard Contractual Clauses to this DPA.
13. Deletion of the Personal Data
13.1. After termination of the Agreement, the Supplier shall immediately return all Personal Data and, if applicable, the media on which the Personal Data is recorded to Sportradar.
13.2. Following the return of the Personal Data to Sportradar, the Supplier shall promptly delete all Personal Data in its entirety from its systems and destroy any copies it made of the Personal Data.
14. Liability
The Supplier shall indemnify and shall keep Sportradar indemnified from and against all costs, claims, fines, losses, damages or expenses incurred by Sportradar, or for which Sportradar may become liable due to any failure by the Supplier to comply with any of its obligations or warranties set out in this DPA. For the avoidance of doubt, this indemnity shall be unlimited and shall override any limitation of liability provisions contained in any other agreement between the Parties.
15. Contact Points
Sportradar nominates the following contact person within its organization who can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this DPA or the Data Protection Legislation:
Name and position: Stefano Celardo (Data Protection Officer)
E-mail: [email protected]
16. Miscellaneous
16.1. In the event of any conflict between the terms of this DPA and any provision of the Addendum, the Supplier Agreement and any other agreement between the Parties, this DPA shall take precedence.
16.2. If Supplier is an entity other than a North American Supplier, the DPA shall be governed and construed in accordance with the Austrian law and all disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the Austrian courts. If Supplier is a North American Supplier, the DPA shall be governed and construed in accordance with the laws of the State of New York, without regard to its conflict of law principles and all disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the State of New York.
16.3. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.
16.4. Any amendment to this Agreement must be made in writing upon mutual agreement by the Parties.
Annex 1 Description of the Processing
1. Categories of data subjects whose personal data is processed
The Supplier shall process Personal Data related to Sportradar’s end users, clients, employees, contractors or any other data subjects whose personal data is needed for the Supplier to provide its Products and/or Services under the Supplier Agreement.
2. Categories of personal data processed
The Supplier shall process some or all of the following categories of personal data when providing its Products and/or Services under the Supplier Agreement:
A. Electronic communication data (e.g. IP address, cookies, URLs, traffic data, device data, OS data, browsing data, login and account information);
B. Identification data (e.g. name, surname, address, email, IDs, age, marital status, passport);
C. Transactional data (e.g. booking history, payments, card numbers);
D. Financial data (e.g. income, financial transactions, bank statements, invoices);
E. Employment related data (e.g. salary, position, bonuses, employment history, employment contracts, records);
F. any other personal data necessary for the Supplier to provide its Products and/or Services under the Supplier Agreement;
(the “Personal Data”).
3. Special categories of personal data
The Supplier shall not process any special categories of personal data or sensitive information, unless such processing is absolutely necessary for the purposes of providing to Sportradar its Products and/or Services under the Supplier Agreement.
4. The frequency of the processing and the period for which the personal data will be retained
The Supplier shall (i) process the Personal Data for as long as necessary to provide to Sportradar its Products and/or Services under the Supplier Agreement and (ii) upon termination of the Supplier Agreement shall delete the Personal Data in accordance with this DPA.
5. Nature of the processing
The nature of the processing of the Personal Data performed by the Supplier when providing to Sportradar its Products and/or Services shall consist of collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
6. Purpose of the processing
The Supplier shall process the Personal Data only for the purpose of providing to Sportradar its Products and/or Services under the Supplier Agreement.
Annex 2 International Data Transfers – Standard Contractual Clauses
1. Data transfers outside the EEA
The Parties agree that the terms of the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“EEA Standard Contractual Clauses”) are hereby incorporated by reference and shall apply to any data transfers outside the EEA:
A. Module Two (Controller to Processor) of the EEA Standard Contractual Clauses shall apply where the EEA transfer is effectuated by Sportradar as the data controller of the Personal Data and the Supplier is the data processor of the Personal Data.
B. Module Three (Processor to Processor) of the EEA Standard Contractual Clauses shall apply where the EEA transfer is effectuated by Sportradar as the data processor of the Personal Data and the Supplier is a sub-processor of the Personal Data.
C. Clause 7 of the EEA Standard Contractual Clauses (Docking Clause) shall not apply.
D. Option 2: General Written Authorization in Clause 9 of the EEA Standard Contractual Clauses shall apply, whereby the time period for prior notice of sub-processor changes shall be 10 Business Days in advance.
E. In Clause 11 of the EEA Standard Contractual Clauses, the optional language will not apply.
F. In Clause 17 of the EEA Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the EEA Standard Contractual Clauses shall be governed by the laws of the Republic of Austria.
G. In Clause 18(b) of the EEA Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Austria.
H. Annex I.A and B to the EEA Standard Contractual Clauses shall be completed with the information set out in the DPA and the Supplier Agreement.
I. Annex I.C to the EEA Standard Contractual Clauses shall be completed as follows:
“The competent supervisory authority in accordance with Clause 13 is the supervisory authority in Austria.”
J. Clause 9 of the DPA serves as Annex II to the EEA Standard Contractual Clauses.
K. To the extent there is any conflict between the EEA Standard Contractual Clauses and any other terms in this DPA or the Supplier Agreement, the provisions of the EEA Standard Contractual Clauses will prevail.
2. Data transfers outside the UK
A. This section 2 is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country or an international organisation in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors and/or processors to processors.
B. Where this section 2 uses terms that are defined in the EEA Standard Contractual Clauses, those terms shall have the same meaning as in the EEA Standard Contractual Clauses. In addition, the following terms have the following meanings:
a. “UK Data Protection Laws” – all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018
b. “UK GDPR” – the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
C. This section 2 shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.
D. This section 2 shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
E. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this DPA has been entered into.
F. In the event of a conflict or inconsistency between this section 2 and the provisions of the EEA Standard Contractual Clauses or other related agreements between the Parties, existing at the time the DPA is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
G. This section 2 incorporates the EEA Standard Contractual Clauses which are deemed to be amended to the extent necessary so they operate:
a. for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
b. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR Laws.
H. The amendments include (without limitation):
a. References to the “Clauses” mean this section 2 as it incorporates the EEA Standard Contractual Clauses
b. Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
c. References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent article or section of UK Data Protection Laws.
d. References to Regulation (EU) 2018/1725 are removed.
e. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”
f. Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner;
g. Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”.
h. Clause 18 is replaced to state:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
i. The footnotes to the Clauses do not form part of this section 2.
j. The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.
k. The Parties may amend this section 2 provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the EEA Standard Contractual Clauses and making changes to them in accordance with paragraph G above.
3. Data transfers outside Switzerland
In relation to transfers of personal data from Switzerland, the EEA Standard Contractual Clauses as implemented under section 1 above will apply subject to the following modifications:
a. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
b. references to specific articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
c. references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
d. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
e. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
f. the Clauses are governed by the law of Switzerland; and
g. any dispute arising from the Clauses will be resolved by the courts of Switzerland.