Data Processing Agreement for Marketing Services and Betting Stimulation
1. Definitions and Interpretations
1.1. For the purposes of this DPA, capitalized terms shall have the following meanings, unless defined elsewhere in the Agreement:
“Agreement” shall mean the agreement to which this DPA is attached and under which Sportradar is providing to the Partner Managed Marketing Services and Betting Stimulation Services;
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to this DPA;
“Competent Data Protection Authority” shall mean the competent data protection authority, which, by way of example, is the Austrian Data Protection Authority [die österreichische Datenschutzbehörde];
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, any state or national data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;
“DPA” shall mean this data processing agreement;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;
“Personal Data” shall have the meaning given to it in clause 3 of this DPA.
1.2. For the purposes of this DPA, the terms “data controller”, “data processor”, “data subject”, “personal data”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the GDPR.
2. Purpose of this DPA
2.1. The purpose of this DPA is to determine the roles and responsibilities of each Party during the provision of Managed Marketing Services and Betting Stimulation Services by Sportradar to the Partner under the Agreement in order to ensure the Parties’ compliance with the Data Protection Legislation.
2.2. For the purpose of this DPA, the Partner shall act as the data controller and Sportradar as the data processor.
3. Personal Data, Data Subjects, Processing Operations
3.1. Sportradar shall process on behalf of the Partner some or all of the following types of personal data of the following categories of data subjects:
A. Managed Marketing Services:
a) Location IDs (IP Address, ZIP/location of retail or terminal unit) of the Partner´s end users
b) Account IDs of the Partner´s end users,
c) Device ID of the Partner´s end users,
d) Age of the Partner´s end users,
e) Gender of the Partner´s end users,
f) Signup date of the Partner´s end users,
g) Real-time and historical information about the Partner´s end users,
h) Bonus information (signup channel, source of acquisition, campaign ID, bonus ID, bonus type, reward type, award type, accepted date, restriction type (bonus, cash-out, non-withdrawable, etc.), wager requirements, bonus amount) of Partner´s end users,
i) Transaction information (day and time of transaction, transaction ID, transaction type (deposit, withdrawal, etc.), account ID, amount, transaction status, payment method) of Partner´s end users,
j) Web analytics data (impressions, clicks, visits, bounces) of Partner´s end users,
B. Betting Stimulation Services:
a) IP addresses of Partner´s end users,
b) geolocation of Partner´s end users,
(the “Personal Data”).
3.2. The processing of the Personal Data shall consist of:
A. Managed Marketing Services:
a) analysing via AI real-time and historical information about each of Partner’s end users (Favorite Bet types, Favorite Sport types, average stakes, etc.)
b) serving Partner’s end users with:
1) if applicable, personalized content based on analyzed player lifetime value of each end user in order to define the best acquisition/retention strategy and to recommend the best promotion/bonus to provide to each end user (e.g. suitable promotions),
2) if applicable, personalized content based on analysed data in order to provide personalized betting recommendations to each end user (e.g. betting recommendations/up-sell),
c) based on the analysed information according to the point a), providing to the Partner predictions on the end user´s value and inactivity.
B. Betting Stimulation Services:
a) to perform analytics (to control and develop the Betting Stimulation Services),
b) to ensure security and for debugging,
c) to verify that the end user is from an allowed country or if applicable from an allowed subdivision or region of a country.
3.3. Sportradar may not process Personal Data in a way that is incompatible with the purpose under this DPA as set out above.
4. Term and Termination
4.1. This DPA shall be bound to the term of the Agreement.
4.2. Upon termination of the Agreement Sportradar shall proceed in accordance with clause 5.14 of this DPA.
5. Obligations of Sportradar
5.1. Sportradar shall process Personal Data in accordance with the instructions of the Partner and in compliance with the Data Protection Legislation. Sportradar shall immediately inform in writing the Partner if Sportradar believes that any of the instructions of the Partner violate the Data Protection Legislation. For the avoidance of doubt, this notification obligation shall not mean that Sportradar is obliged to perform a comprehensive legal examination with respect to Partner´s instruction.
5.2. Sportradar shall keep a written record of all categories of processing operations carried out on behalf of the Partner in accordance with the Data Protection Legislation.
5.3. Sportradar shall not disclose Personal Data to third parties, unless with the express prior written consent of the Partner or when legally acceptable. For the avoidance of doubt, Sportradar´s affiliates, subsidiaries and subprocessors shall not be considered third parties.
Sportradar may disclose the Personal Data to other processors working for the Partner, pursuant to the Partner’s instructions. In this case, the Partner shall identify, in writing and in advance, the entity the Personal Data shall be disclosed to, the Personal Data to be disclosed, and the security measures to be applied for the disclosure.
The Partner acknowledges and agrees that Sportradar may make the Personal Data available to its affiliates, subsidiaries and/or subprocessors in other countries outside of the EU/EEA and the Partner authorizes Sportradar to transfer the Personal Data outside of the EU/EEA, subject to Sportradar complying with the requirements of the Data Protection Legislation.
If Sportradar shall transfer Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, Sportradar shall inform the Partner of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.
5.4. The Partner authorizes Sportradar to use those sub-processors already engaged by Sportradar as at the date of the Agreement.
If any processing operation shall be subcontracted in the future, Sportradar shall notify in writing the Partner 30 (thirty) Business Days in advance, indicating the processing operations to be subcontracted and clearly and unequivocally identifying the subcontractor and its contact details. If, within 30 (thirty) days of receipt of the notice, the Partner notifies Sportradar in writing of any objections on reasonable grounds to the proposed appointment, Sportradar shall work with the Partner in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under this DPA.
The subcontractor, which shall also be considered a processor for the purposes of this DPA, shall be equally obliged to comply with the obligations set forth in this DPA for Sportradar and with the instructions issued by the Partner. Sportradar shall regulate its contractual relationship with the subcontractor so that the subcontractor is subject to similar conditions (instructions, obligations, security measures, etc.) and similar requirements regarding adequate personal data processing and guaranteeing the rights of the data subjects.
5.5. Sportradar shall maintain the duty of secrecy regarding the Personal Data, even after the termination of this DPA.
5.6. Sportradar guarantees that the individuals authorized to process the Personal Data expressly undertake in writing to respect the confidentiality of the Personal Data and to comply with the relevant security measures, of which they shall be duly informed. Sportradar shall keep documentation accrediting compliance with this obligation available for the Partner.
5.7. Sportradar guarantees that the individuals authorized to process Personal Data have the necessary data protection training.
5.8. Sportradar shall assist the Partner in meeting its obligations in relation to data subjects’ requests to exercise rights (i) to access, rectification, erasure and objection; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling. The Partner shall reimburse Sportradar for all reasonable costs and expenses incurred with regard to such assistance.
When data subjects exercise their rights under items (i), (ii), (iii) and (iv) above before Sportradar, Sportradar shall notify the Partner immediately but in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.
5.9. Sportradar shall notify the Partner without undue delay and in any event before the maximum period of 3 (three) Business Days of any confirmed breach it is aware of to the security of the Personal Data it holds, together with all relevant information to document and report the incident.
The following minimum information shall be provided, if available:
a. description of the nature of the personal data security breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
b. the name and contact details of the data protection officer or another point of contact to obtain more information;
c. description of the possible consequences of the personal data security breach;
d. description of the measures adopted or proposed to remedy the personal data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.
5.10. Sportradar shall support the Partner in sending prior consultations to Competent Data Protection Authorities, when appropriate.
5.11. Sportradar shall support the Partner in conducting data protection impact assessments, when appropriate.
5.12. Sportradar shall provide the Partner with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent expert mutually agreed by the Partner and Sportradar, at the cost of the Partner. Such audit or inspection may only be undertaken once in any 12 (twelve) calendar month period or in the event of any confirmed breach of any obligation under this Data Processing Agreement on a reasonable notice during normal business hours. Sportradar shall give all necessary assistance to the conduct of any such audits or inspections.
5.13. Sportradar shall implement appropriate technical and organisational measures to:
a. ensure a level of security appropriate to the risk involved in order to protect the Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Personal Data;
e. pseudonymise and encrypt the Personal Data, as appropriate;
f. prevent a personal data security breach.
5.14. Sportradar shall promptly delete all Personal Data provided by the Partner in its entirety from its systems and destroy any copies it made of the Personal Data in accordance with Sportradar’s retention schedule, unless and to the extent that Sportradar is required to retain copies in accordance with the applicable Data Protection Legislation. The Partner acknowledges and agrees that Sportradar may use anonymized and aggregated data for the purposes of improving and developing its products or services.
6. Obligations of the Partner
6.1. The Partner shall provide the Personal Data or otherwise make the Personal Data available to Sportradar.
6.2. The Partner shall, at the time when Personal Data is collected, provide the data subjects with all information about the collection and processing of the Personal Data and obtain unambiguous consent of data subjects (where necessary) as required by and in accordance with the GDPR and any other applicable Data Protection Legislation. The Partner shall, in respect of the Personal Data, ensure that its privacy notices are clear and provide sufficient information to the data subjects in order for them to understand what of their personal data is collected and shared with other recipients, the circumstances in which it will be shared and the purposes for the data sharing. In particular, the Partner shall include an explicit reference to Sportradar in its privacy statements as an entity with whom their personal data is shared.
6.3. The Partner shall conduct any relevant data protection impact assessments and prior consultations with respect to the processing operations to be carried out by Sportradar.
6.4. The Partner shall ensure that Sportradar complies with the Data Protection Legislation prior to and during processing of the Personal Data.
6.5. The Partner shall supervise the processing operations performed by Sportradar. The Partner may issue instructions about the type, scope and method of processing of the Personal Data in writing.
7. Indemnity and Limitation of Liability
To the fullest extent permitted by law, neither Sportradar nor any of its affiliates or subsidiaries, shall be liable to the Partner under or in connection with this DPA for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. Sportradar´s total aggregate liability arising from or in relation to this DPA, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be subject to Sportradar’s limitation of liability agreed in the Agreement.
8. Contact Point
Each Party shall nominate the following contact person within their organisation who can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this DPA or the Data Protection Legislation:
Name and Position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]
For the Partner:
As per the Agreement
9.1. In the event of any conflict between the terms of this DPA, the Agreement, and any provision of any other agreement between the Parties, this DPA shall take precedence.
9.2. This DPA shall be governed by and construed in accordance with the Austrian law.
9.3. All disputes, controversy, or claims arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the Austrian court(s).
9.4. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this DPA shall remain in full force and effect.
9.5. Any amendment to this DPA must be made in writing upon mutual agreement by the Parties.