Version 2020 February 10
1. Definitions and Interpretations
1.1. For the purposes of this MGS Platform Data Processing Agreement (“this Agreement”), capitalized terms shall have the following meanings, unless defined elsewhere in this Agreement or in the Main Agreement:
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to this Agreement;
Competent Data Protection Authority” shall mean the relevant data protection supervisory authority which is concerned by the processing of Personal Data in the framework of this Agreement.;
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the California Consumer Privacy Act of 2018 (“CCPA”), any national data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;
“Main Agreement” shall have the meaning given to it in clause 2.1. of this Agreement;
“Personal Data” shall have the meaning given to it in clause 3 of this Agreement.
1.2. For the purposes of this Agreement, the terms “controller”, “processor”, “data subject”, “personal data”, “processing” and “data breach” shall have the meanings attributed to them in the GDPR.
2. Purpose of this Agreement
2.1. The Data Controller and the Data Processor are parties to an existing agreement under which the Data Processor provides e-gaming and/or sports betting software and information technology services (the “Main Agreement”).
2.2. The purpose of this Agreement is to determine the roles and responsibilities of each Party during the provision of the services under the Main Agreement in order to ensure the Parties’ compliance with the applicable Data Protection Legislation.
2.3. The Data Processor certifies that it understands the terms of this Agreement and agrees to comply with them.
3. Personal Data, Data Subjects, Processing Operations
3.1. The Data Processor may process on behalf of the Data Controller the following types of personal data of the end-users of the MGS platform:
a. Name and surname
b. Data of birth
c. ID or passport
d. Email address
e. Phone number
f. IP address
g. Bank account details
h. Credit card number
i. Utility bill
j. Social security number
k. Address (country, state, region, city, street)
l. Nationality
m. Gender
n. Security question
(the “Personal Data”).
3.2. The processing of the Personal Data shall consist of:
a. Collection of Personal Data through the MGS platform
b. Storage of Personal Data
c. Access management to Personal Data
d. Support and maintenance of the database
e. Display of Personal Data to the appropriate end-user
f. Personal Data transmission across networks
3.3. The Data Processor shall process the Personal Data on behalf of the Data Controller for the purpose of the provision of the services under the Main Agreement and in compliance with the Data Controller´s written instructions (as set out in the Main Agreement or as may be specified by Data Controller from time to time).
3.4. The Data Processor may not process Personal Data in a way that is incompatible with the purpose under this Agreement in relation to the Main Agreement as set out above.
4. Term and Termination
4.1. This Agreement shall be bound to the term of the Main Agreement.
4.2. Upon termination of the Agreement the Data Processor shall proceed in accordance with clause 5.13 of this Agreement.
5. Obligations of the Data Processor
5.1. The Data Processor shall process the Personal Data on behalf of the Data Controller in accordance with this Agreement and only for the business purpose of provision of the services under the Main Agreement. The Data Processor shall not process Personal Data for any other purpose other than for providing the services and in performance of the Main Agreement. In particular, the Data Processor shall not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another business, person, or a third party for monetary or other valuable consideration. The Data Processor shall refrain from taking any action that would cause any transfers of Personal Data to or from the Data Processor to qualify as “selling personal information” as the term is defined under the CCPA. The Data Processor shall retain, use or disclose Personal Data only for the specific purpose of performing the services and within the direct business relationship with the Data Controller.
5.2. The Data Processor shall process Personal Data in accordance with the instructions of the Data Controller and in compliance with the Data Protection Legislation. The Data Processor shall inform in writing the Data Controller if the Data Processor believes that any of the instructions of the Data Controller violate the Data Protection Legislation.
5.3. The Data Processor shall not disclose Personal Data to third parties, unless with the express prior written consent of the Data Controller or when legally acceptable. For the avoidance of doubts, the Data Processor´s affiliates and subsidiaries shall not be considered third parties.
The Data Processor may disclose Personal Data to its group affiliates and subsidiaries and to other processors working for the Data Controller for the provision of the services under the Main Agreement.
In case Personal Data shall be accessed and processed from outside the European Economic Area, the Data Processor shall ensure that an appropriate data transfer mechanism is in place as required by the applicable Data Protection Legislation. If the Data Processor shall transfer Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, the Data Processor shall inform the Data Controller of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.
5.4. The Data Controller authorises the Data Processor to appoint – and permit each sub-processor appointed in accordance with this clause to appoint – sub-processors.
The Data Processor may continue to use those sub-processors already engaged by the Data Processor as at the date of this Agreement, subject to the Data Processor, in each case as soon as practicable, meeting the obligations set out herein.
If any processing operation shall be subcontracted, the Data Processor shall notify in writing the Data Controller 30 (thirty) Business Days in advance, indicating the processing operations to be subcontracted and clearly and unequivocally identifying the subcontractor and its contact details. If, within 30 (thirty) days of receipt of the notice, the Data Controller notifies the Data Processor in writing of any objections on reasonable grounds to the proposed appointment:
a. the Data Processor shall work with the Data Controller in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the Main Agreement;
b. where such a change cannot be made within 90 (ninety) days as of the receipt of the Data Controller’s notice by the Data Processor, the Data Controller may, by written notice to the Data Processor, terminate with immediate effect the Main Agreement to the extent that it relates to the services which require the use of the proposed sub-processor.
The subcontractor, which shall also be considered a processor for the purposes of this Agreement, shall be equally obliged to comply with the obligations set forth in this Agreement for the Data Processor and with the instructions issued by the Data Controller. The Data Processor shall regulate its contractual relationship with the subcontractor so that the subcontractor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements regarding adequate personal data processing and guaranteeing the rights of the data subjects.
5.5. The Data Processor shall maintain the duty of secrecy regarding the Personal Data, even after the termination of the Main Agreement.
5.6. The Data Processor guarantees that the individuals authorised to process Personal Data expressly undertake in writing to respect the confidentiality of the Personal Data and to comply with the relevant security measures, of which they shall be duly informed. The Data Processor shall keep documentation accrediting compliance with this obligation available for the Data Controller.
5.7. The Data Processor shall assist the Data Controller in meeting its obligations in relation to data subjects’ requests to exercise rights under the GDPR, the CCPA or any other applicable Data Protection Legislation. The Data Controller shall reimburse the Data Processor for its reasonable charges for such assistance.
When data subjects exercise any such rights before the Data Processor, the Data Processor shall notify the Data Controller immediately but in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.
5.8. The Data Processor shall notify the Data Controller without undue delay and in any event before the maximum period of 48 hours of any breach it is aware of to the security of the Personal Data it holds, together with all relevant information to document and report the incident.
The following minimum information shall be provided, if available:
a. description of the nature of the personal data security breach including, when possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected;
b. the name and contact details of the data protection officer or another point of contact to obtain more information;
c. description of the possible consequences of the personal data security breach;
d. description of the measures adopted or proposed to remedy the personal data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If the above information cannot be provided simultaneously, the information shall be gradually provided without undue delay.
5.9. The Data Processor shall support the Data Controller in sending prior consultations to Competent Data Protection Authorities, when appropriate.
5.10. The Data Processor shall support the Data Controller in conducting data protection impact assessments, when appropriate.
5.11. The Data Processor shall provide the Data Controller with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent auditor mutually agreed by the Data Controller and the Data Processor, at the cost of the Data Controller.
5.12. The Data Processor shall implement appropriate technical and organisational measures to:
a. ensure a level of security appropriate to the risk involved in order to protect the Personal Data from unauthorized use, alteration, access or disclosure, loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Personal Data;
e. pseudonymise and encrypt the Personal Data, as appropriate;
f. prevent a personal data security breach.
5.13. The Data Processor shall promptly delete all Personal Data provided by the Data Controller in its entirety from its systems and destroy any copies it made of the Personal Data after completing the service unless and to the extent that the Data Processor is required to retain copies in accordance with the applicable legislation.
6. Obligations of the Data Controller
6.1. The Data Controller shall provide the Personal Data or otherwise make the Personal Data available to the Data Processor.
6.2. The Data Controller shall, at the time when Personal Data is obtained, provide the data subjects with all information about the collection and processing of the Personal Data and collect consent as required by the GDPR and any other applicable Data Protection Legislation.
6.3. The Data Controller shall supervise the processing operations performed by the Data Processor. The Data Controller may issue instructions about the type, scope and method of processing of the Personal Data in writing.
7. Contact Point
The following contact person within Sportradar can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this Data Processing Agreement or the Data Protection Legislation and for the purposes of receipt of notices under this Data Processing Agreement:
For the Data Processor:
Name and Position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
E-mail: privacy@sportradar.com
8. Miscellaneous
8.1. In the event of any conflict between the terms of this Data Processing Agreement and any provision of the Main Agreement and any other agreement between the Parties, this Data Processing Agreement shall take precedence solely with respect to any data protection matters.
8.2. This Agreement shall be governed by and construed in accordance with the laws chosen by the Parties in the Main Agreement.
8.3. All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the court(s) chosen by the Parties in the Main Agreement.
8.4. The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.
8.5. Any amendment to this Agreement must be made in writing upon mutual agreement by the Parties.