Regions
Dark decorative background Dark decorative background

DATA PROTECTION
DATA COOPERATION
AGREEMENT

Data Protection

Data Cooperation Agreement

(the “Agreement”)

Between

  Sportradar (as set forth in the Main Agreement)

(the “Sportradar”)

and

Client (as set forth in the Main Agreement)

(the “Client”)

(each a “Party”, together the “Parties”)

1. Definitions and Interpretations

1.1. For the purposes of this Agreement, capitalised terms shall have the following meanings, unless defined elsewhere in this Agreement or in the Main Agreement:

Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to the Main Agreement;

Competent Data Protection Authority” shall mean the competent data protection authority which, by way of example, is the Austrian Data Protection Authority [die österreichische Datenschutzbehörde];

Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the California Consumer Privacy Act of 2018 (“CCPA”), any national data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;

GDPR” shall mean the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;

E&P Personal Data” shall have the meaning given to it in clause 5 of this Agreement.

Integrity Personal Data” shall have the meaning given to it in clause 3 of this Agreement.

1.2. For the purposes of this Agreement, the terms “controller”, “joint controllers”, “processor”, “data subject”, “personal data”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the GDPR.

2. Purpose

2.1. The purpose of this Agreement is to determine the roles and responsibilities of the Parties to the Main Agreement during the provision of the integrity services under the Main Agreement in order to ensure the Parties’ compliance with the applicable Data Protection Legislation.

2.2. The Parties note that they will act as Joint Controllers in regard to the Integrity Personal Data and that Sportradar will act as Data Processor in regard to the Education and Prevention Personal Data.

3. Integrity Personal Data (the “Integrity Personal Data”)

3.1. In the context of the FDS, UFDS and I&I services, the Parties shall have joint controllership over the following types of personal data of the following categories of data subjects in the course of their business relationship:

a) For the Fraud Detection System (FDS) and Universal Fraud Detection System (UFDS):

• Statistics of players, managers, officials or other relevant sports personnel in relation to the UFDS monitoring services

b) For the Intelligence & Investigation (I&I):

• Name & Surname
• Photo
• Alias
• Date of Birth
• Nationality
• Gender
• Identification card
• Job role & category level
• Contact details
• Social Network Analysis
• Human Intelligence
• Other forms of capturing personal data (e.g. facial recognition) that are proportional and necessary to perform I&I services

3.2. The processing of Integrity Personal Data shall consist of:

a) Personal data (if applicable) as part of certain data of the Client’s competitions collected by Sportradar and distributed by Sportradar to Client in the course of the FDS/UFDS monitoring services and the respective reports provided to Client for Client’s own purposes (i.e. the effective integrity monitoring of the competitions).

b) Personal data (if applicable) as part of certain data collected by Sportradar for integrity purposes and provided to Client in the context of I&I services.

3.3. The Parties to the Main Agreement shall process the Integrity Personal Data for the purpose of the provision of the integrity services under the Main Agreement.

3.4. The Parties to the Main Agreement may not process Integrity Personal Data in a way that is incompatible with the purposes under this Agreement in relation to the Main Agreement as set out above.

4. Obligations of the Parties regarding Integrity Personal Data

4.1. Rights of the Data Subjects

4.1.1. The Parties to the Main Agreement shall cooperate in responding to data subjects’ requests to exercise rights:

a) to access, rectification, erasure and object;
b) to restriction of processing;
c) to data portability;
d) in relation to automated decision making and profiling.

4.1.2. The Parties to the Main Agreement agree that the responsibility for complying with a data subject request falls to the Client. The Parties agree to provide reasonable and prompt assistance to each other (within 5 (five) Business Days of such request for assistance) as is necessary to enable them to comply with data subject requests and to respond to any other queries or complaints of any kind whatsoever from data subjects.

4.2. Information Duty

The Client shall be responsible to inform the data subjects about the personal data collection and processing under this Agreement. The Client shall, in respect of the Integrity Personal Data, ensure that its privacy notices and any other form of communication relating to the collection and processing of the Integrity Personal Data are clear and provide sufficient information to the data subjects in order for them to understand what of their personal data is collected and shared with other recipients, the circumstances in which it will be shared and the purposes for the data sharing. In particular, the Client shall include in its privacy notices an explicit reference to Sportradar as an entity with whom their personal data is shared for the purposes under the Main Agreement.

4.3. Complaints

In the event of a dispute or claim brought by a data subject or a Competent Data Protection Authority concerning the processing of Integrity Personal Data against either or both Parties to the Main Agreement, the Parties shall inform each other about any such disputes or claims without delay and shall cooperate with a view to settling them amicably in a timely manner.

5. Education & Prevention Personal Data (the “E&P Personal Data”).

5.1. The Data Processor may process on behalf of the Data Controller the following types of personal data of the athletes and other sports professionals:

a) Name and surname
b) Email Address
c) Assessment Results
d) Performance Data & Score
e) User IP Address
f) Log-in Password
g) League
h) Club / Organisation
i) Role / Position

5.2. The processing of the E&P Personal Data shall consist of:

a) Providing eLearning tutorials (if applicable) to your desired audience and thereafter a summary of attendance and performance statistics of attendees.
b) Providing Webinars (if applicable) to your desired audience and thereafter summary of attendance and performance statistics of attendees.
c) Providing a standalone Webpage (if applicable) for you to upload desired information relating to your tailored Integrity Programme.

5.3. The Data Processor shall process the E&P Personal Data on behalf of the Data Controller for the purpose of the provision of the integrity services under the Main Agreement and in compliance with the Data Controller´s written instructions (as set out in the Main Agreement or as may be specified by the Data Controller from time to time).

5.4. The Data Processor may not process Personal Data in a way that is incompatible with the purpose under this Agreement in relation to the Main Agreement as set out above.

6. Obligations of the Data Processor regarding the E&P Personal Data

6.1. The Data Processor shall process the E&P Personal Data only for the purpose of the Main Agreement. The Data Processor may not process the E&P Personal Data for its own purposes.

6.2. The Data Processor shall process the E&P Personal Data in accordance with the instructions of the Data Controller and in compliance with the Data Protection Legislation. The Data Processor shall inform in writing the Data Controller if the Data Processor believes that any of the instructions of the Data Controller violate the Data Protection Legislation.

6.3. The Data Processor shall not disclose E&P Personal Data to third parties, unless with the express prior written consent of the Data Controller or when legally acceptable. For the avoidance of doubt, the Data Processor´s affiliates and subsidiaries shall not be considered third parties.

The Data Processor may disclose E&P Personal Data to its group affiliates and subsidiaries and to other processors working for the Data Controller for the provision of the integrity services under the Main Agreement.

In case E&P Personal Data shall be accessed and processed from outside the European Economic Area, the Data Processor shall ensure that an appropriate data transfer mechanism is in place as required by the applicable Data Protection Legislation. If the Data Processor shall transfer E&P Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, the Data Processor shall inform the Data Controller of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.

6.4. The Data Controller authorises the Data Processor to appoint – and permit each sub-processor appointed in accordance with this clause to appoint – sub-processors.

The Data Processor may continue to use those sub-processors already engaged by the Data Processor as at the date of this Agreement, subject to the Data Processor, in each case as soon as practicable, meeting the obligations set out herein.

If any processing operation shall be subcontracted, the Data Processor shall notify in writing the Data Controller thirty (30) Business Days in advance, indicating the processing operations to be subcontracted and clearly and unequivocally identifying the subcontractor and its contact details. If, within thirty (30) days of receipt of the notice, the Data Controller notifies the Data Processor in writing of any objections on reasonable grounds to the proposed appointment:

a) the Data Processor shall work with the Data Controller in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the Main Agreement;
b) where such a change cannot be made within ninety (90) days as of the receipt of the Data Controller’s notice by the Data Processor, the Data Controller may, by written notice to the Data Processor, terminate with immediate effect the Main Agreement to the extent that it relates to the integrity services which require the use of the proposed sub-processor.

The subcontractor, which shall also be considered a processor for the purposes of this Agreement, shall be equally obliged to comply with the obligations set forth in this Agreement for the Data Processor and with the instructions issued by the Data Controller. The Data Processor shall regulate its contractual relationship with the subcontractor so that the subcontractor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements regarding adequate personal data processing and guaranteeing the rights of the data subjects.

6.5. The Data Processor shall maintain the duty of secrecy regarding the E&P Personal Data, even after the termination of the Main Agreement.

6.6. The Data Processor guarantees that the individuals authorised to process E&P Personal Data expressly undertake in writing to respect the confidentiality of the E&P Personal Data and to comply with the relevant security measures, of which they shall be duly informed. The Data Processor shall keep documentation accrediting compliance with this obligation available for the Data Controller.

6.7. The Data Processor shall assist the Data Controller in meeting its obligations in relation to data subjects’ requests to exercise rights (i) to access, rectification, erasure and object; (ii) to restriction of processing; (iii) to data portability; (iv) in relation to automated decision making and profiling. The Data Controller shall reimburse the Data Processor for its reasonable charges for such assistance.

When data subjects exercise their rights under items (i), (ii), (iii) and (iv) above before the Data Processor, the Data Processor shall notify the Data Controller immediately but in any event not later than five (5) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.

6.8. The Data Processor shall notify the Data Controller without undue delay and in any event before the maximum period of forty-eight (48) hours of any breach it is aware of to the security of the E&P Personal Data it holds, together with all relevant information to document and report the incident.

The following minimum information shall be provided, if available:

a) description of the nature of the personal data security breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
b) the name and contact details of the data protection officer or another point of contact to obtain more information;
c) description of the possible consequences of the personal data security breach;
d) description of the measures adopted or proposed to remedy the personal data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.

If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.

6.9. The Data Processor shall support the Data Controller in sending prior consultations to Competent Data Protection Authorities, when appropriate.

6.10. The Data Processor shall support the Data Controller in conducting data protection impact assessments, when appropriate.

6.11. The Data Processor shall provide the Data Controller with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent auditor mutually agreed by the Data Controller and the Data Processor, at the cost of the Data Controller.

6.12. The Data Processor shall implement appropriate technical and organisational measures to:

a) ensure a level of security appropriate to the risk involved in order to protect the E&P Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b) ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) restore the availability and access to the E&P Personal Data in a timely manner in the event of a physical or technical incident;
d) test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the E&P Personal Data;
e) pseudonymise and encrypt the E&P Personal Data, as appropriate;
f) prevent a personal data security breach.

6.13. The Data Processor shall promptly delete all E&P Personal Data provided by the Data Controller in its entirety from its systems and destroy any copies it made of the E&P Personal Data after completing the integrity services unless and to the extent that the Data Processor is required to retain copies in accordance with the applicable legislation.

7. Obligations of the Data Controller regarding E&P Personal Data

7.1. The Data Controller shall provide the E&P Personal Data or otherwise make the E&P Personal Data available to the Data Processor.

7.2. The Data Controller shall, at the time when E&P Personal Data is obtained, provide the data subjects with all information about the collection and processing of the E&P Personal Data and collect consent as required by the GDPR, the CCPA and any other applicable Data Protection Legislation.

7.3. The Data Controller shall supervise the processing operations performed by the Data Processor. The Data Controller may issue instructions about the type, scope and method of processing of the E&P Personal Data in writing.

8. Term and Termination

This Agreement shall be bound to the term of the Main Agreement.

Upon termination of the Main Agreement, for the E&P Personal Data only, the Data Processor shall proceed in accordance with clause 6.13 of this Agreement.

9. Indemnity and Limitation of Liability

9.1. Each Party (the “Indemnifying Party”) shall indemnify and hold harmless the other Party (the “Indemnified Party”) in respect of all costs, claims, fines, losses, damages or expenses incurred by the Indemnified Party, or for which the Indemnified Party may become liable, due to any failure by the Indemnifying Party to comply with any of its obligations set out in this Agreement.

9.1. To the fullest extent permitted by law, neither Sportradar nor any of its affiliates, shall be liable to the Client under or in connection with this Agreement for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. Sportradar´s total aggregate liability arising out of or in relation to this Agreement, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be strictly limited to the liability cap set forth in the Main Agreement.

10. Contact Point

Each Party shall nominate the following contact person within their organisation who can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this Agreement or the Data Protection Legislation:

For Sportradar:
Name and Position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]r.com

For the Client: Client’s contact person as set forth in the Main Agreement

11. Miscellaneous

11.1. In the event of any conflict between the terms of this Agreement and any provision of the Main Agreement and any other agreement between the Parties, this Agreement shall take precedence.

11.2. This Agreement shall be governed by and construed in accordance with the laws chosen by the Parties in the Main Agreement.

11.3. All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the court(s) chosen by the Parties in the Main Agreement.

11.4. The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.

11.5. Any amendment to this Agreement must be made in writing upon mutual agreement by the Parties.

Contact Decorative Stadium background

GET IN TOUCH WITH OUR TEAM

Contact us