Data Processing Agreement
Sportradar (as set forth in the Insertion Order)
(the “Data Processor”)
to process on behalf of
Advertiser (as set forth in the Insertion Order)
(the “Data Controller”)
(each a “Party”, together the “Parties”)
1. Definitions and Interpretations
1.1. For the purposes of this Data Processing Agreement, capitalized terms shall have the following meanings, unless defined elsewhere hereto or in the Agreement:
“Approved Jurisdiction” shall mean a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for personal data by the European Commission, currently available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en;
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to the Agreement;
“CCPA” shall mean the California Consumer Privacy Act, as amended from time to time;
“Competent Data Protection Authority” shall mean a competent data protection authority, which, by way of example, could be the Austrian Data Protection Authority [die österreichische Datenschutzbehörde];
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, any national data protection legislation, and any regulations, mandatory guidelines or any other mandatory codes of practice issued by any Competent Data Protection Authority, each as amended from time to time;
“Digital Properties” shall mean website(s) and/or application(s);
“DMP” shall mean the Data Processor’s data management platform;
“EU Standard Contractual Clauses” shall mean the standard contractual clauses for the transfer of personal data approved by the European Commission, available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;
“Personal Data” shall have the meaning given to it in clause 3.1 of this Data Processing Agreement.
1.2. For the purposes of this Data Processing Agreement, the terms “controller”, “processor”, “data subject”, “personal data”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the GDPR.
2. Purpose of the Data Processing Agreement
2.1. The purpose of this Data Processing Agreement is to determine the roles and responsibilities of each Party during the provision of the dynamic creative personalization (“DCP”) service under the Agreement in order to ensure the Parties’ compliance with the applicable Data Protection Legislation.
2.2. The Data Processor certifies that it understands the terms of this Data Processing Agreement and agrees to comply with them.
3. Details of Processing
3.1. The Data Processor shall process on behalf of the Data Controller some or all of the following types of information that may be considered as personal data under the Data Protection Legislation:
A) Data collected as part of other campaigns provided by the Data Processor to the Data Controller and stored in the Data Processor’s DMP:
a) Cookie ID and other online identifiers, tracking cookies and other cookies;
b) Conversion data (e.g. registration started but not finished, registration finished);
(the “DMP Data”).
B) Data collected via pixels or other tracking technology integrated throughout the Data Controller’s Digital Properties:
a) IP address,
b) Cookie ID and other online identifiers, tracking cookies and other cookies;
c) Information about end users’ activities on the Data Controller’s Digital Properties:
i. Team name;
ii. Team logos, jerseys, or other graphics;
iii. Odds (home win, draw, guest win);
iv. Date and time of an event;
(the “DCP Data”).
3.2. The Data Processor shall process the Personal Data for the following purposes:
a) Creation of personalized advertisement with dynamic content;
b) Detailed measurement, analytics and reporting.
3.3. The processing operations performed by the Data Processor on the Personal Data shall consist of:
a) Collection of DCP Data via pixels or other tracking technology integrated throughout the Data Controller’s Digital Properties;
b) Storage of DCP Data in the Data Processor’s DMP;
c) Aggregation of DCP Data in order to extract information about the most interesting content on the Data Controller’s Digital Properties;
d) Processing operations performed in order to create personalized advertisement with dynamic content:
i. If the end user’s Cookie ID was collected as part of the DMP Data and/or DCP Data, personalized advertisement with dynamic content will be created based on the interests and/or characteristics derived from the DMP Data and/or DCP Data;
ii. If the end user’s Cookie ID was not collected as part of the DMP Data and/or DCP Data, the personalized advertisement with dynamic content will be created based on aggregated data about the most interesting content on the Data Controller’s Digital Properties, created according to point c), and/or other non-personalized content created independently by the Data Processor;
e) Measurement of the performance of the DCP service (e.g. clicks, views, conversions);
f) Reporting on the performance of the DCP service.
3.4. The data subjects to whom the Personal Data relates are the end users of the Data Controller’s Digital Properties.
4. Term and Termination
4.1. This Data Processing Agreement shall run coterminously with the Agreement.
4.2. Upon termination of the Agreement the Data Processor shall proceed in accordance with clause 5.14 of this Data Processing Agreement.
5. Obligations of the Data Processor
5.1. The Data Processor shall process Personal Data only for the purposes under this Data Processing Agreement and in relation to the Agreement.
5.2. The Data Processor shall process Personal Data in accordance with the instructions of the Data Controller and in compliance with the Data Protection Legislation. The Data Processor shall immediately notify the Data Controller in writing if the Data Processor believes that any of the instructions of the Data Controller violate the Data Protection Legislation. For the avoidance of doubt, this notification obligation shall not mean that the Data Processor is obliged to perform a comprehensive legal examination with respect to a Data Controller’s instruction.
5.3. The Data Processor shall keep a written record of all categories of processing operations carried out on behalf of the Data Controller in accordance with the Data Protection Legislation.
5.4. The Data Processor shall not disclose Personal Data to third parties, unless with the express prior written consent of the Data Controller or when legally required. For the avoidance of doubt, the Data Processor’s sub-processors, affiliates and subsidiaries shall not be considered third parties.
The Data Processor may disclose Personal Data to other processors working for the Data Controller, pursuant to the Data Controller’s instructions. In this case, the Data Controller shall identify, in writing and in advance, the entity Personal Data shall be disclosed to, the Personal Data to be disclosed, and the security measures to be applied for the disclosure.
The Data Processor may transfer the Personal Data outside of the EU only if such transfer is made in accordance with the Data Protection Legislation, i.e. (1) to an Approved Jurisdiction, (2) subject to the EU Standard Contractual Clauses or (3) subject to another legal mechanism for personal data transfer. If the Data Processor is required to transfer Personal Data to a third country or international organisation pursuant to applicable European Union or Member State law, the Data Processor shall inform the Data Controller of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.
5.5. The Data Processor may continue to use the sub-processors already engaged by the Data Processor as at the date of the Agreement.
If any processing operation shall be subsequently subcontracted by the Data Processor, the Data Processor shall notify in writing the Data Controller not later than 10 (ten) Business Days in advance, indicating the sub-processor and its contact details as well as the processing operations to be subcontracted. If, within 10 (ten) Business Days of receipt of the notice, the Data Controller notifies the Data Processor in writing of any objections on reasonable grounds to the proposed appointment:
a. the Data Processor shall work with the Data Controller in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the Data Processing Agreement;
b. where such a change cannot be made within 90 (ninety) days of receipt of the Data Controller’s notice by the Data Processor, the Data Controller may, by written notice to the Data Processor, terminate with immediate effect the Agreement to the extent that it relates to the services which require the use of the proposed sub-processor; this termination right is the Data Controller’s sole and exclusive remedy if the change cannot be made.
The Data Processor shall only engage a sub-processor under a written contract that provides a similar level of protection as this Data Processing Agreement.
5.6. The Data Processor guarantees that the individuals authorised to process Personal Data are subject to binding obligations of confidentiality and shall comply with the relevant security measures. The Data Processor shall keep documentation accrediting compliance with this obligation available for inspection by the Data Controller upon a reasonable request.
5.7. The Data Processor guarantees that the individuals authorised to process Personal Data have the necessary data protection training.
5.8. The Data Processor shall assist the Data Controller in meeting its obligations in relation to data subjects’ requests to exercise rights under the Data Protection Legislation, for example the rights (i) of access, rectification, erasure and objection; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling; (v) to opt out of the sale of personal information. The Data Controller shall reimburse the Data Processor for all reasonable costs and expenses incurred with regard to such assistance.
When data subjects exercise their rights under items (i), (ii), (iii), (iv), and (v) above before the Data Processor, the Data Processor shall promptly notify the Data Controller and in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.
5.9. The Data Processor shall notify the Data Controller of any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data (“Data Breach”) without undue delay and in any event within 3 (three) Business Days of identification of any confirmed Data Breach, together with all available information to document and report the incident.
The following minimum information shall be provided, if available:
a. description of the nature of the Data Breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
b. the name and contact details of the data protection officer or another point of contact to obtain more information;
c. description of the possible consequences of the Data Breach;
d. description of the measures adopted or proposed to remedy the Data Breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.
5.10. The Data Processor shall support the Data Controller in sending prior consultations to Competent Data Protection Authorities, when appropriate.
5.11. The Data Processor shall support the Data Controller in conducting data protection impact assessments, when appropriate.
5.12. The Data Processor shall provide the Data Controller with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent expert mutually agreed by the Data Controller and the Data Processor, at the cost of the Data Controller. Such audit or inspection may only be undertaken once in any 12 (twelve) calendar month period or in the event of any confirmed breach of any obligation under this Data Processing Agreement on a reasonable notice during normal business hours. The Data Processor shall give all necessary assistance to the conduct of any such audits or inspections.
5.13. The Data Processor shall implement appropriate technical and organisational measures as described in Annex 1 to this Data Processing Agreement to:
a. ensure a level of security appropriate to the risk involved in order to protect the Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Personal Data;
e. pseudonymise and encrypt the Personal Data, as appropriate;
f. prevent a Data Breach.
5.14. The Data Processor shall delete all Personal Data provided by the Data Controller from its systems in accordance with the Data Processor’s internal retention policy, or otherwise upon written request of the Data Controller. After the deletion, the Data Processor may retain copies of the Personal Data only to the extent required by applicable law or to defend legal claims. The Data Controller acknowledges and agrees that the Data Processor shall have the right to use de-identified and/or aggregated data related to or obtained in connection with the DCP service provided under the Agreement for its legitimate internal business purposes, such as analytics, reporting, and improving, benchmarking and developing its internal products and services.
6. Obligations of the Data Controller
6.1. The Data Controller shall comply with all applicable requirements of the Data Protection Legislation and shall notify the Data Processor of any relevant changes to the Data Protection Legislation that may have impact on the processing of Personal Data under this Data Processing Agreement.
6.2. The Data Controller shall provide the Personal Data or otherwise make the Personal Data available to the Data Processor and shall not instruct the Data Processor to process Personal Data in violation of the Data Protection Legislation.
6.3. The Data Controller shall ensure that at the time of collection of the Personal Data (i) the data subjects are provided with clear and sufficient information about the collection and processing of their Personal Data under this Data Processing Agreement, including an explicit reference to the Data Processor as an entity with whom the Personal Data is shared; and (ii) a legal basis for processing of the Personal Data as envisioned under this Data Processing Agreement is secured and any consents of data subjects required by and in accordance with the Data Protection Legislation are obtained. For the avoidance of doubt, the Data Controller acknowledges and accepts that the Data Processor shall not, in any way, be responsible for the performance of these obligations.
6.4. The Data Controller shall conduct any relevant data protection impact assessments and prior consultations with respect to the processing operations to be carried out by the Data Processor.
6.5. The Data Controller shall ensure that the Data Processor complies with the Data Protection Legislation prior to and during processing of the Personal Data.
6.6. The Data Controller shall supervise the processing operations performed by the Data Processor. The Data Controller may issue additional instructions about the type, scope and method of processing of the Personal Data in writing.
7. Indemnity and Limitation of Liability
To the fullest extent permitted by law, neither the Data Processor nor any of its affiliates or subsidiaries shall be liable to the Data Controller under or in connection with this Data Processing Agreement for any indirect, special or consequential losses or damages, loss of business or goodwill, profit or revenue. The Data Processor’s total aggregate liability arising from or in relation to this Data Processing Agreement, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be strictly limited to the amount of fees actually paid by the Data Controller under the Agreement during the 12 (twelve) months preceding the event giving rise to the damages.
The Data Controller acknowledges and accepts the risks connected with the execution of the DCP service provided under the Agreement, especially with regard to the Data Controller’s obligations set out in clause 6.3, and agrees to indemnify and keep the Data Processor indemnified from and against all costs, claims, fines, losses, damages or expenses incurred by the Data Processor, or for which the Data Processor may become liable, due to any failure of the Data Controller to comply with its obligations set out in clause 6.3. For the avoidance of doubt, this indemnity shall be unlimited and shall override any limitation of liability provisions contained in any other agreement between the Parties.
8. Contact Point
In case of any queries, complaints or notifications of any kind whatsoever regarding this Data Processing Agreement or the Data Protection Legislation and for the purposes of receipt of notices under this Data Processing Agreement, the Parties shall use the following contact details:
For the Data Processor:
Name and position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]
For the Data Controller:
Advertiser Contact as set forth in the IO.
9.1. In the event of any conflict between the terms of this Data Processing Agreement and any provision of the Agreement and any other agreement between the Parties, this Data Processing Agreement shall prevail solely with respect to any data protection matters.
9.2. Notwithstanding the governing law of the Agreement, this Data Processing Agreement shall be governed by and construed in accordance with the Austrian law. All disputes, controversy, or claims arising out of or in connection with this Data Processing Agreement shall be subject to the exclusive jurisdiction of the Austrian court(s).
9.3. The provisions of this Data Processing Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Data Processing Agreement shall remain in full force and effect.
9.4. Any amendment to this Data Processing Agreement must be made in writing upon mutual agreement by the Parties.
ANNEX 1 LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES
The Data Processor implements, maintains, and monitors a comprehensive written information security program that (i) is designed to protect the Data Processor against anticipated threats or hazards to its confidentiality, integrity, or availability (e.g. unauthorized access, collection, use, copying, modification, disposal, or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage, or any other form of unauthorized processing); and (ii) contains appropriate administrative, technical, and physical safeguards (“Information Security Program”). The Information Security Program is designed and implemented to:
A set of security policies is approved by the management. Security policies are updated regularly.
Regular security awareness training is provided to all people having access to our information system.
Security awareness training includes:
• Mandatory courses, for everyone;
• Additional training, for specific groups of people;
• Regular communication about security.
Secure Software Development Life Cycle
A Secure Software Development Life Cycle (SSDLC) is implemented and ensures:
• The confidentiality of the data handled in the systems using:
o Access control (least privilege principle);
• The availability and resilience of the systems and services provided using:
o Reliable architecture;
o Tested backups;
o Disaster Recovery Plan.
• The integrity of the systems and services provided, and of the data handled, using access control and cryptography (encryption, hashing, logging).
• Code is analysed for security issues and vulnerabilities before being deployed to production.
The SSDLC ensures that security and privacy aspects are covered from the beginning of each project.
In addition, Secure Development Guidelines are followed by the development teams. The Data Processor follows the following guidelines: https://github.com/sportradar/secdevguideline (open source under the MIT license).
• Nominative accounts are used.
• High privilege accounts are used to perform high privilege tasks only.
• Accesses are granted through an access approval workflow. It follows the principle of least privilege.
• Access requests are documented.
• A password policy is implemented. Multi-factor authentication is implemented on employees’ accounts.
At all locations that collect, process, store and transmit data, physical access controls are implemented to restrict access to authorized personnel only.
Workstations are managed centrally, and this management includes:
• Up-to-date, state-of-the-art malware protection, including forensic capabilities.
• Patches are deployed regularly.
• Users do not have administrative rights on their workstation, unless it is needed, justified, and approved through the access approval workflow.
• Disks are encrypted using industry-standard technologies.
The Data Controller shall inform the Data Processor, without undue delay unless prohibited by applicable laws and regulations, of any security breach that could impact the Data Processor, degrade service delivery, or impair the Data Controller’s ability to comply with the information security terms and conditions contained in this agreement.
Unless prohibited by applicable law, the Data Controller will provide periodic updates relating to the investigation and resolution of the security breach until it has been resolved, and upon reasonable request, cooperate in investigating such security breach.
Servers and applications are monitored for security issues. Patches are deployed accordingly.
Security alerts are monitored daily by the security staff. The alerts come from all the security tools deployed (network monitoring, Active Directory, user reports, SIEM, endpoint protection, etc.).
Every year, an audit program is established and performed in order to assess the effectiveness of the security measures within the company.
Upon written notice to the Data Controller, the Data Controller shall provide the Data Processor with a copy of their most recent AICPA Service Organization Control Type 2 Report (SOC2), if applicable.
When personal data are encrypted, industry-standard encryption algorithms are used.
End-user IP addresses are pseudonymised after 12 months from the date of collection. This is achieved by masking the last octet/byte for IPv4 and the last segment for IPv6.
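The masking rule above, worked through as an added example that is not the Data Processor's own code: it zeroes the last IPv4 octet and the last 16-bit IPv6 segment on the packed address (so compressed notation like "::1" behaves the same as the expanded form), and applies the rule only to records whose collection date is 12 or more months old. The 365-day window, the record layout and the handling of IPv4-mapped IPv6 addresses are this example's assumptions.

```python
"""Pseudonymise end-user IP addresses by masking their host-identifying tail.

Added example illustrating the Annex 1 measure (mask the last octet of an
IPv4 address and the last segment of an IPv6 address after 12 months); it is
not the Data Processor's own code.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumption: the "12 months" retention window is treated as 365 days.
PSEUDONYMISATION_AFTER = timedelta(days=365)


def mask_ip(addr: str) -> str:
    """Return addr with its last IPv4 octet / last IPv6 16-bit segment zeroed.

    Raises ValueError for anything that is not a valid IP address, so that
    malformed input is never silently stored unmasked.
    """
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 4:
        # Keep the top 24 bits, zero the final octet (a.b.c.0).
        return str(ipaddress.IPv4Address(int(ip) & ~0xFF))
    mapped = ip.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, else None
    if mapped is not None:
        # Design choice in this example: an IPv4-mapped IPv6 address carries
        # an IPv4 host, so mask it like IPv4 rather than zeroing two octets.
        v4 = ipaddress.IPv4Address(int(mapped) & ~0xFF)
        return f"::ffff:{v4}"
    # Zero the final 16-bit segment of a native IPv6 address.
    return str(ipaddress.IPv6Address(int(ip) & ~0xFFFF))


def due_for_pseudonymisation(collected_at: str, now: str) -> bool:
    """True once the record's collection date (ISO 8601) is 12+ months old."""
    collected = datetime.fromisoformat(collected_at)
    return datetime.fromisoformat(now) - collected >= PSEUDONYMISATION_AFTER


def pseudonymise_records(records: list[dict], now: str) -> list[dict]:
    """Mask the 'ip' field of every record whose retention window has passed.

    Records are copied, not modified in place; each copy carries a
    'pseudonymised' flag so downstream reporting can tell the two apart.
    """
    out = []
    for rec in records:
        rec = dict(rec)
        due = due_for_pseudonymisation(rec["collected_at"], now)
        if due:
            rec["ip"] = mask_ip(rec["ip"])
        rec["pseudonymised"] = due
        out.append(rec)
    return out


# Constructed sample records using documentation address ranges.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.57", "collected_at": "2023-01-15T10:00:00"},
    {"ip": "2001:db8:85a3::8a2e:370:7334", "collected_at": "2023-03-01T08:30:00"},
    {"ip": "::ffff:192.0.2.33", "collected_at": "2024-06-01T12:00:00"},
]

if __name__ == "__main__":
    for rec in pseudonymise_records(SAMPLE_RECORDS, "2024-07-01T00:00:00"):
        print(rec)
```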
A security process is documented and implemented in order to perform appropriate due diligence on subcontractors prior to utilizing their services for the delivery of services required by the Agreement.