Data Processing Agreement
1. Definitions and Interpretations
1.1. For the purposes of this Agreement, capitalized terms shall have the following meanings, unless defined elsewhere in the Agreement:
“Approved Jurisdiction” shall mean a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for personal data by the European Commission, currently available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequecy-decisions_en;
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to this Agreement;
“CCPA” shall mean the US California Consumer Privacy Act of 2018, as amended from time to time;
“Competent Data Protection Authority” shall mean the competent data protection authority, which, by way of example, is the Austrian Data Protection Authority [die österreichische Datenschutzbehörde];
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the CCPA, any national data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;
“EU Standard Contractual Clauses” shall mean the standard contractual clauses for the transfer of personal data to data processors established in third countries adopted by the European Commission Decision 2010/87: Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Counsel;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;
“Personal Data” shall have the meaning given to it in clause 3 of this Agreement.
1.2. For the purposes of this Agreement, the terms “controller”, “processor”, “data subject”, “personal data”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the GDPR.
2. Purpose of the Agreement
2.1. This Agreement authorises Freelancer (hereinafter referred to as the “Data Processor”), to process on the behalf of Sportsdata AG (hereinafter referred to as the “Data Controller”), Personal Data in order to provide the service of data journalist.
2.2. The Data Processor certifies that it understands the terms of this Agreement and agrees to comply with them.
3. Personal Data, Data Subjects, Processing Operations
3.1. The Data Processor shall process on behalf of the Data Controller the following types of personal data of the following categories of data subjects:
a) players´ names,
b) players´ statistics,
c) players´ updates,
d) any other personal data necessary to provide the service specified in the clause 2.1.
(the “Personal Data”).
3.2. The processing of the Personal Data shall consist of:
a) real time data collection carried out by entering live data on the Scout applications,
b) attending sport events for statistics gathering,
c) communicating important facts related to a sport event (e.g. fixtures).
3.3. The Data Processor shall process the Personal Data on behalf of the Data Controller for the purpose of the provision of the services under the clause 2.1.
3.4. The Data Processor may not process Personal Data in a way that is incompatible with the purpose under this Agreement as set out above.
4. Term and Termination
4.1. This Agreement commences on the date on which the Letter of Intent was signed by the Data Processor and is effective for the duration of time in which the Data Processor provides the service under the clause 2.1. of this Agreement to the Data Controller.
4.2. The Data Controller reserves the right to terminate this Agreement at any moment without prior notice to the Data Processor. The Data Controller shall not incur any liability for the termination of this Agreement.
4.3. Upon termination of this Agreement the Data Processor shall proceed in accordance with clause 5.15 of this Agreement.
5. Obligations of the Data Processor
5.1. The Data Processor shall process the Personal Data on behalf of the Data Controller in accordance with this Agreement and only for the business purpose of provision of the service under the clause 2.1.
5.2. The Data Processor shall not process Personal Data for any other purpose other than for providing the service under the clause 2.1. and in no case shall use the Personal Data for its own purposes. In particular, the Data Processor shall not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another business, person, or a third party for monetary or other valuable consideration. The Data Processor shall refrain from taking any action that would cause any transfers of Personal Data to or from the Data Processor to qualify as “selling personal information” as the term is defined under the CCPA.
5.3. The Data Processor shall process Personal Data in accordance with the instructions of the Data Controller and in compliance with the Data Protection Legislation. The Data Processor shall immediately inform in writing the Data Controller if the Data Processor believes that any of the instructions of the Data Controller violate the Data Protection Legislation.
5.4. The Data Processor shall keep a written record of all categories of processing operations carried out on behalf of the Data Controller. This record shall contain:
a. the name and contact details of the Data Processor, of each manager acting on behalf of the Data Processor and, where appropriate, of the representative of the Data Controller or the Data Processor and the data protection officer;
b. the categories of processing operations carried out on behalf of the Data Controller;
c. when applicable, personal data transfers to a third country or international organisation, including the identification of the said third country or international organisation and, in the case of transfers indicated in Article 49, Section 1, paragraph 2 of the GDPR, documentation on appropriate safeguards;
d. a general description of the technical and organisational security measures regarding (i) the pseudonymisation and encryption of the Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.5. The Data Processor shall not disclose Personal Data to third parties (including any government agency, court, or law enforcement), except with the express prior written consent of the Data Controller. If the Data Processor is obliged to disclose the Personal Data to a law enforcement agency or a third party, the Data Processor agrees to give the Data Controller reasonable notice of the access request prior to granting such access, to allow the Data Controller to seek a protective order or other appropriate remedy. If such notice is legally prohibited, the Data Processor shall take reasonable measures to protect the Personal Data from undue disclosure as if it were the Data Processor´s own confidential information being requested and shall inform the Data Controller promptly as soon as possible if and when such legal prohibition ceases to apply.
The Data Processor may disclose Personal Data to other processors working for the Data Controller, pursuant to the Data Controller’s instructions. In this case, the Data Controller shall identify, in writing and in advance, the entity Personal Data shall be disclosed to, the Personal Data to be disclosed, and the security measures to be applied for the disclosure.
5.6. If the Data Processor collects and process the Personal Data within the EU/EEA and must subsequently transfer the Personal Data outside of the EU/EEA, it shall obtain a prior written consent of the Data Controller. If approved by the Data Controller, the Data Processor may transfer the Personal Data outside of the EU/EEA only if such transfer is made in accordance with the Data Protection Legislation, i.e. (i) to an Approved Jurisdiction, or (ii) subject to the EU Standard Contractual Clauses. In any case, before transferring the Personal Data to a third country outside of the EU/EEA, the Data Processor shall ensure that notwithstanding any applicable law in such a third country, the Personal Data shall be subject to the adequate factual and legal protection in the same extent as if the Personal data would be processed within the EU/EEA and that the Personal Data shall be encrypted, in transit and at rest, in a way that no third party can have access to it.
If the Data Processor collects and process the Personal Data in a country outside of the EU/EEA and must subsequently transfer the Personal Data to another country, the Data Processor shall ensure that such transfer is made in accordance with the requirements of the applicable law of the country where the Personal data was collected and that any consent and any information as required under the applicable law of the country where the Personal Data was collected was obtained and provided.
5.7. The Data Processor shall not subcontract any obligation under this Agreement that entails processing of Personal Data.
5.8. The Data Processor shall maintain the duty of secrecy regarding the Personal Data, even after the termination of this Agreement.
5.9. The Data Processor shall assist the Data Controller in meeting its obligations in relation to data subjects’ requests to exercise rights under the Data Protection Legislation, including but not limited to:
a) right to access, rectification, erasure and object;
b) right to restriction of processing;
c) right to data portability;
d) right not to be subject to a decision based solely on automated means,
e) right to opt out of the sale of the personal information.
When data subjects exercise their rights before the Data Processor, the Data Processor shall notify the Data Controller immediately but in any event not later than 1 (one) Business day following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request and shall be sent to the following email address: firstname.lastname@example.org.
5.10. The Data Processor shall notify the Data Controller without undue delay and in any event before the maximum period of 24 hours, and via the following email address: email@example.com, of any breach it is aware of to the security of the Personal Data it holds, together with all relevant information to document and report the incident.
The following minimum information shall be provided, if available:
a. description of the nature of the personal data security breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
b. the name and contact details of the data protection officer or another point of contact to obtain more information;
c. description of the possible consequences of the personal data security breach;
d. description of the measures adopted or proposed to remedy the personal data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.
5.11. The Data Processor shall support the Data Controller in sending prior consultations to Competent Data Protection Authorities.
5.12. The Data Processor shall support the Data Controller in conducting data protection impact assessments.
5.13. The Data Processor shall provide, upon request by the Data Controller, written evidence demonstrating its compliance with this Clause 5 and the Data Protection Legislation and shall allow audits and inspections to be carried out as required by the Data Controller.
5.14. The Data Processor shall implement appropriate technical and organisational measures with regard to the Personal Data as required under the Data Protection Legislation. The Data Processor shall keep accurate records of the security measures which it has in place and shall make such records available to the Data Controller upon request.
5.15. The Data Processor shall return all Personal Data, and if appropriate the media on which they are recorder, to the Data Controller after completing the service specified in the clause 2.1. For the avoidance of doubt, the return of Personal data includes deleting all data from the computers or any other device used by the Data Processor.
6. Obligations of the Data Controller
6.1. The Data Controller shall conduct any relevant data protection impact assessments and prior consultations with respect to the processing operations to be carried out by the Data Processor, when applicable.
6.2. The Data Controller shall supervise the processing operations performed by the Data Processor, including by conducting audits and inspections in accordance with clause 5.13 above. The Data Controller may issue instructions about the type, scope and method of processing of the Personal Data in writing.
The Data Processor shall indemnify and shall keep the Data Controller indemnified from and against all costs, claims, fines, losses, damages or expenses incurred by the Data Controller, or for which the Data Controller may become liable due to any failure by the Data Processor to comply with any of the obligations set out in this Agreement. For the avoidance of doubt, this indemnity shall be unlimited and shall override any limitation of liability provisions contained in any other agreement between the Parties.
8.1. In the event of any conflict between the terms of this Agreement and any provision of any other agreement between the Parties, this Agreement shall take precedence.
8.2. This Agreement shall be governed by and construed in accordance with the Austrian laws.
8.3. All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the Austrian court(s).
8.4. The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.
8.5. Any amendment to this Agreement must be made in writing upon mutual agreement by the Parties.