Joint Controllership Agreement
|Sportradar||(as set forth in the Main Agreement)|
to process on behalf of
|Client||(as set forth in the Main Agreement)|
(each a “Party”, together the “Parties”)
1. Definitions and Interpretations
1.1 For the purposes of this Joint Controllership Agreement, capitalized terms shall have the following meanings, unless defined elsewhere hereto or in the Agreement:
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to the Agreement.
“Competent Data Protection Authority” shall mean the competent data protection authority which, by way of example, is the Austrian Data Protection Authority [die österreichische Datenschutzbehörde].
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, any national data protection legislation, and any regulations, mandatory guidelines or any other mandatory codes of practice issued by any Competent Data Protection Authority, each as amended from time to time.
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time.
“Main Agreement” shall have the meaning given to it in clause 2.1 of this Agreement.
“Personal Data” shall have the meaning given to it in clause 3.1 of this Joint Controllership Agreement.
“Shared Personal Data” shall have the meaning given to it in clause 3 of this Agreement.
1.2. For the purposes of this Data Processing Agreement, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Process”, “Processing” and “Data Breach” shall have the meanings attributed to them in the GDPR.
2. Purpose of the Agreement
2.1. The Parties to this Agreement are parties to an existing agreement under which Client appoints Sportradar and Sportradar agrees to provide Client integrity services (the “Main Agreement”).
2.2. The purpose of this Agreement is to determine the roles and responsibilities of each Party during the provision of the integrity services under the Main Agreement in order to ensure the Parties’ compliance with the applicable Data Protection Legislation.
2.3. The Parties acknowledge that they shall be considered joint data controllers regarding the Shared Personal Data.
3. Shared Personal Data
3.1. The Parties shall have joint controllership over the following types of Personal Data of the following categories of data subjects (the “Data Subjects”) in the course of their business relationship:
a) Statistics of players, managers, officials or other relevant sports personnel in relation to the UFDS monitoring services
b) Name & Surname
e) Date of Birth
h) Identification card
i) Job role & category level
j) Contact details
k) Social Network Analysis
l) Human Intelligence
m) Other forms of capturing personal data (e.g. facial recognition) that are proportional and necessary to perform I&I services
(the “Shared Personal Data”)
3.2. As applicable (depending on the integrity services contracted by the Client under the Main Agreement), the processing of Shared Personal Data shall consist of:
a) Personal Data (if applicable) as part of certain data of Client competitions collected by Sportradar and distributed by Sportradar to Client in the course of Universal Fraud Detection System (“UFDS”) monitoring services and the respective reports provided to Client for Client’s own purposes (i.e. the effective integrity monitoring of the competitions); and/or
b) Personal data (if applicable) as part of certain data collected by Sportradar for integrity purposes and provided to the Client in the context of Intelligence & Investigation (“I&I”) services.
3.3. The Parties shall process the Shared Personal Data for the purpose of the provision of the services under the Main Agreement.
3.4. The Parties may not process Shared Personal Data in a way that is incompatible with the purposes under this Agreement in relation to the Main Agreement as set out above.
This Agreement shall be bound to the term of the Main Agreement.
5. Obligations of the Parties
5.1. Rights of the Data Subjects
5.1.1. The Parties shall cooperate in responding to data subjects’ requests to exercise rights under the Data Protection Legislation, including but not limited to:
a) right to access, rectification, erasure and object;
b) right to restriction of processing;
c) right to data portability;
d) right not to be subject to a decision based solely on automated means,
e) right to opt out of the sale of the personal information.
5.1.2. The Parties agree that the responsibility for complying with a data subject request falls to: the Client.
The Parties agree to provide reasonable and prompt assistance to each other within 5 (five) Business Days of such request for assistance as is necessary to enable them to comply with data subject requests and to respond to any other queries or complaints of any kind whatsoever from data subjects.
5.2. Information Duty
Client shall be responsible to inform the data subjects about the personal data collection and processing. Client shall, in respect of the Shared Personal Data, ensure that its privacy notices are clear and provide sufficient information to data subjects in order for them to understand what of their personal data is collected and shared, the circumstances in which it will be shared, the purposes for the data sharing and either the entity with whom their personal data is shared or a description of the type of organisation that will receive their personal data. Client shall inform Sportradar about the applicable legal ground for each processing activity. Where such legal ground is consent, Client shall obtain a valid consent from the Data Subjects.
Both Parties to the Agreement shall at their own cost keep a record of any processing of Shared Personal Data they carry out in case that such a record is required by applicable laws.
In the event of a dispute or claim brought by a data subject or a Competent Data Protection Authority concerning the processing of Shared Personal Data against either or both Parties, the Parties shall inform each other about any such disputes or claims without delay and shall cooperate with a view to settling them amicably in a timely manner.
5.5. Data Security
5.5.1. Both Parties to the Agreement shall implement appropriate technical and organisational measures to:
a) ensure a level of security appropriate to the risk involved to protect all Shared Personal Data from unauthorized use, alteration, access or disclosure, and loss, theft, and damage;
b) ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) restore the availability and access to Shared Personal Data in a timely manner in the event of a physical or technical incident;
d) test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Shared Personal Data;
e) pseudonymise and encrypt the Shared Personal Data, as appropriate;
f) prevent a personal data security breach.
5.5.2. Both Parties to the Agreement shall keep accurate records of the security measures, which they have in place and shall make such records available to the other Party upon request.
5.6. Data Breach
The Parties to the Agreement shall notify any potential or actual losses of Shared Personal Data to the other Party as soon as possible and, in any event, within 24 (twenty-four) hours of identification of any potential or actual loss in order to consider what action is required to resolve the issue in accordance with the Data Protection Legislation.
5.7.1. Both Parties shall maintain the duty of secrecy regarding the Shared Personal Data, even after the termination of the Main Agreement.
5.7.2. Both Parties guarantee that the individuals authorised to process Shared Personal Data expressly undertake in writing to respect confidentiality and to comply with the relevant security measures, of which they must be duly informed.
5.7.3. Both Parties shall not disclose Shared Personal Data to third parties, unless with the express prior written consent of the other Party or when legally acceptable.
6. Indemnity and Limitation of Liability
6.1. Each party (the “Indemnifying Party”) shall indemnify and hold harmless the other Party (the “Indemnified Party”) in respect of all costs, claims, fines, losses, damages or expenses incurred by the Indemnified Party, or for which the Indemnified Party may become liable, due to any failure by the Indemnifying Party to comply with any of its obligations set out in this Agreement.
6.2. To the fullest extent permitted by law, neither Sportradar nor any of its affiliates, shall be liable to the Client under or in connection with this Agreement for any indirect, special or consequential losses or damages, loss of business or good will, profit or revenue. Sportradar´s total aggregate liability arising out of or in relation to this Agreement, whether the liability arises because of a breach of contract, negligence or for any other reason, shall be strictly limited to the cap stipulated in the Main Agreement.
7. Contact Point
Each Party shall nominate the following contact person within their organisation who can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this Agreement or the Data Protection Legislation:
Name and position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: [email protected]
For Client: Client’s contact person as set forth in the Main Agreement
8.1. In the event of any conflict between the terms of this Agreement and any provision of the Main Agreement and any other agreement between the Parties, this Agreement shall take precedence.
8.2. This Agreement shall be governed by and construed in accordance with the laws chosen by the Parties in the Main Agreement.
8.3. All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the court(s) chosen by the Parties in the Main Agreement.
8.4. The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.
8.5. Any amendment to this Agreement must be made in writing upon mutual agreement by the Parties.