Data Processing Agreement
|Sportradar||(as set forth in the Insertion Order)|
(the “Data Processor”)
to process on behalf of
|Advertiser||(as set forth in the Insertion Order)|
(the “Data Controller”)
(each a “Party”, together the “Parties”)
1. Definitions and Interpretations
1.1. For the purposes of this Data Processing Agreement, capitalized terms shall have the following meanings, unless defined elsewhere hereto or in the Agreement:
“Approved Jurisdiction” shall mean a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for personal data by the European Commission, currently available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en;
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to the Agreement;
“CCPA” shall mean the California Consumer Privacy Act, as amended from time to time;
“Competent Data Protection Authority” shall mean a competent data protection authority;
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the CCPA, any national data protection legislation, and any regulations, mandatory guidelines or any other mandatory codes of practice issued by any Competent Data Protection Authority, each as amended from time to time;
“Digital Properties” shall mean website(s) and/or applications(s);
“DMP” shall mean the Data Processor´s data management platform;
“EU Standard Contractual Clauses” shall mean the standard contractual clauses for the transfer of personal data approved by the European Commision, available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;
“Personal Data” shall have the meaning given to it in the context of a particular Campaign as described in Appendix 1 Description of Data Processing Activities.
1.2. For the purposes of this Data Processing Agreement, the terms “controller”, “business”, “processor”, “service provider”, “data subject”, “personal data”, “personal information” “process”, “processing” and “data breach” shall have the meanings attributed to them in the Data Protection Legislation.
2. Purpose of the Data Processing Agreement
2.1. This Data Processing Agreement shall apply if and only to the extent that the Data Controller choses in the Insertion Order any or all of the following campaigns:
a) Programmatic Managed Service Campaign;
b) Programmatic Self-Service Campaign;
c) Dynamic Creative Personalization Service (“DCP“);
2.2. The purpose of this Data Processing Agreement is to determine the roles and responsibilities of each Party during the provision of the Campaign(s) under the Agreement in order to ensure Parties’ compliance with the applicable Data Protection Legislation.
2.3. The Parties acknowledge and agree that for purpose of processing personal information under the CCPA in relation to Campaign(s), Data Controller acts as a business and Data Processor acts as a service provider. The Data Processor certifies that it understands the terms of this Data Processing Agreement and agrees to comply with them.
3. Details of Processing
3.1. The data processing activities that the Data Processor shall perform on behalf of the Data Controller depends on the Campaign(s) chosen by the Data Controller in the Insertion Order. The Parties acknowledge and agree that the Data Controller may chose any or all of the Campaigns in the Insertion Order. The data processing activities for respective Campaigns, including the scope of personal data and processing operations, are described in Annex 1 Description of Data Processing Activities. The Data Processor shall perform only those data processing activities that are relevant for a particular Campaign(s) chosen by the Data Controller in the Insertion Order.
4. Term and Termination
4.1. This Data Processing Agreement shall run conterminously with the Agreement.
4.2. Upon termination of the Agreement the Data Processor shall proceed in accordance with clause 5.14 of this Data Processing Agreement.
5. Obligations of the Data Processor
5.1. The Data Processor shall process Personal Data only for the purposes under this Data Processing Agreement and in relation to the Agreement.
5.2. The Data Processor shall process Personal Data in accordance with the instructions of the Data Controller and in compliance with the Data Protection Legislation. The Data Processor shall notify the Data Controller if the Data Processor believes that any of the instructions of the Data Controller violate the Data Protection Legislation. For the avoidance of doubt, this notification obligation shall not mean that the Data Processor is obliged to perform a comprehensive legal examination with respect to a Data Controller´s instructions.
5.3. The Data Processor shall keep a written record of all categories of processing operations carried out on behalf of the Data Controller in accordance with the Data Protection Legislation.
5.4. The Data Processor shall not disclose Personal Data to third parties, unless with the express prior written consent of the Data Controller or when legally required. For the avoidance of doubts, the Data Processor´s subprocessors/service providers, affiliates and subsidiaries shall not be considered as third parties.
The Data Processor may disclose Personal Data to other processors working for the Data Controller, pursuant to the Data Controller’s instructions. In this case, the Data Controller shall identify, in writing and in advance, the entity Personal Data shall be disclosed to, the Personal Data to be disclosed, and the security measures to be applied for the disclosure.
The Data Processor may transfer the Personal Data outside of the EU/EEA only if such transfer is made in accordance with the Data Protection Legislation, i.e. (1) to an Approved Jurisdiction, (2) subject to the EU Standard Contractual Clauses or (3) subject to other legal mechanism for personal data transfer. If the Data Processor is obliged to transfer Personal Data to a third country or international organisation pursuant to applicable European Union or Member State law, the Data Processor shall inform the Data Controller of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.
5.5. The Data Processor may continue to use the sub-processors/service providers already engaged by the Data Processor as at the date of the Agreement.
If any processing operation shall be subsequently subcontracted by the Data Processor, the Data Processor shall notify in writing the Data Controller not later than 10 (ten) Business Days in advance, indicating the sub-processor/service provider and its contact details as well as the processing operations to be subcontracted. If, within 10 (ten) Business Days of receipt of the notice, the Data Controller notifies the Data Processor in writing of any objections on reasonable grounds to the proposed appointment:
a. the Data Processor shall work with the Data Controller in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the Data Processing Agreement;
b. where such a change cannot be made within 90 (ninety) days as of the receipt of the Data Controller’s notice by the Data Processor, the Data Controller may, by written notice to the Data Processor, terminate with immediate effect the Agreement to the extent that it relates to the services which require the use of the proposed sub-processor/service provider and this termination right is the Data Controller´s sole and exclusive remedy if the change cannot be made.
The Data Processor shall only engage a sub-processor/service provider under a written contract that provides similar level of protection as this Data Processing Agreement.
5.6. The Data Processor guarantees that the individuals authorised to process Personal Data are subject to binding obligations of confidentiality and shall comply with the relevant security measures. The Data Processor shall keep documentation accrediting compliance with this obligation available for inspection by the Data Controller upon a reasonable request.
5.7. The Data Processor guarantees that the individuals authorised to process Personal Data have the necessary data protection training.
5.8. The Data Processor shall assist the Data Controller in meeting its obligations in relation to data subjects’ requests to exercise rights under the Data Protection Legislation, for example (i) to access, rectification, erasure and object; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling and (v) to opt out of the sale of personal information.
The Data Controller shall reimburse the Data Processor for all reasonable costs and expenses incurred with regard to such assistance.
When data subjects exercise their rights under items (i), (ii), (iii), (iv) and (v) above before the Data Processor, the Data Processor shall promptly notify the Data Controller and in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.
5.9. The Data Processor shall notify the Data Controller of any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data (“Data Breach“) without undue delay and in any event within 3 (three) Business Days of identification of any confirmed Data Breach, together with all available information to document and report the incident.
The following minimum information shall be provided, if available:
a. description of the nature of the Data Breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
b. the name and contact details of the data protection officer or another point of contact to obtain more information;
c. description of the possible consequences of the Data Breach;
d. description of the measures adopted or proposed to remedy the Data Breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.
5.10. The Data Processor shall support the Data Controller in sending prior consultations to Competent Data Protection Authorities, when appropriate.
5.11. The Data Processor shall support the Data Controller in conducting data protection impact assessments, when appropriate.
5.12. The Data Processor shall provide the Data Controller with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent expert mutually agreed by the Data Controller and the Data Processor, at the cost of the Data Controller. Such audit or inspection may only be undertaken once in any 12 (twelve) calendar month period or in the event of any confirmed breach of any obligation under this Data Processing Agreement on a reasonable notice during normal business hours. The Data Processor shall give all necessary assistance to the conduct of any such audits or inspections.
5.13. The Data Processor shall implement appropriate technical and organisational measures as described in the Annex 2 to this Data Processing Agreement to:
a. ensure a level of security appropriate to the risk involved in order to protect the Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Personal Data;
e. pseudonymise and encrypt the Personal Data, as appropriate;
f. prevent a Data Breach.
5.14. The Data Processor shall delete all Personal Data provided by the Data Controller from its systems in accordance with the Data Processor´s internal retention policy, otherwise upon written request of the Data Controller. After the deletion, the Data Processor may retain copies of the Personal Data only to the extent required by the applicable law or to enforce rights and defend legal claims. The Data Controller acknowledges and agrees that the Data Processor shall have the right to use de-identified and/or aggregated data related to or obtained in connection with the Campaign(s) provided under the Agreement for its legitimate internal business purposes, such as analytics, reporting, and to improve, benchmark and develop its internal products and services.
6. Obligations of the Data Controller
6.1. The Data Controller shall comply with all applicable requirements of the Data Protection Legislation and shall notify the Data Processor of any relevant changes to the Data Protection Legislation that may have impact on the processing of Personal Data under this Data Processing Agreement.
6.2. The Data Controller shall provide the Personal Data or other-wise make the Personal Data available to the Data Processor and shall not instruct the Data Processor to process Personal Data in violation of the Data Protection Legislation.
6.3. The Data Controller shall ensure that at the time of collection of the Personal Data (i) the data subjects are provided with clear and sufficient information about the collection and processing of their Personal Data under this Data Processing Agreement, including an explicit reference to the Data Processor as an entity with whom the Personal Data is shared, and (ii) legal basis for processing the Personal Data as envisioned under this Data Processing Agreement is secured and any consents of data subjects as required by and in accordance with the Data Protection Legislations are obtained. For the avoidance of doubt, the Data Controller acknowledges and accepts that the Data Processor shall not, in any way, be responsible for the performance of these obligations.
6.4. The Data Controller shall conduct any relevant data protection impact assessments and prior consultations with respect to the processing operations to be carried out by the Data Processor.
6.5. The Data Controller shall ensure that the Data Processor complies with the Data Protection Legislation prior to and during processing of the Personal Data.
6.6. The Data Controller shall supervise the processing operations performed by the Data Processor. The Data Controller may is-sue additional instructions about the type, scope and method of processing of the Personal Data in writing.
7. Indemnity and Limitation of Liability
To the fullest extent permitted by law, neither the Data Processor nor any of its affiliates or subsidiaries, shall be liable to the Data Controller under or in connection with this Data Processing Agreement for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. The Data Processor´s total aggregate liability arising from or in relation to this Data Processing Agreement, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be strictly limited to the amount of fees actually paid by the Data Controller under the Agreement during the 12 (twelve) months preceding the event giving rise to the damages.
The Data Controller acknowledges and accepts the risks connected with the execution of the Campaign(s) provided under the Agreement, especially with regard to the Data Controller´s obligations set out in the clause 6.3. and agrees to indemnify and keep the Data Processor indemnified from and against all costs, claims, fines, losses, damages or expenses incurred by the Data Processor, or for which the Data Processor may become liable due to any failure of the Data Controller to comply with its obligations set out in the clause 6.3. For the avoidance of doubt, this indemnity shall be unlimited and shall override any limitation of liability provisions contained in any other agreement between the Parties.
8. Contact Point
In case of any queries, complaints or notifications of any kind whatsoever regarding this Data Processing Agreement or the Data Protection Legislation and for the purposes of receipt of notices under this Data Processing Agreement, the Parties shall use the following contact details:
For the Data Processor:
Name and position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]
For the Data Controller:
Advertiser Contact as set forth in the IO.
9.1. In the event of any conflict between the terms of this Data Processing Agreement and any provision of the Agreement and any other agreement between the Parties, this Data Processing Agreement shall prevail solely with respect to any data protection matters.
9.2. Notwithstanding the governing law of the Agreement, this Data Processing Agreement shall be governed by and construed in accordance with the Austrian law. All disputes, controversy, or claims arising out of or in connection with this Data Processing Agreement shall be subject to the exclusive jurisdiction of the Austrian court(s).
9.3. The provisions of this Data Processing Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Data Processing Agreement shall remain in full force and effect.
9.4. The Data Processor may make changes to this Data Processing Agreement at any time by giving 30 days´ written notice to the Data Controller. The changes to the Data Processing Agreement will not apply retroactively.