Data Processing Agreement
Between
The Data Controller
User of Players 1st software as specified in the main agreement between the Data Controller and the Data Processor
and
The Data Processor
Players 1st ApS
CVR 34694222
Paradisgade 4C
8000 Aarhus C
Denmark
1. Contents
Basis for the data processing agreement
The rights and obligations of the Data Controller
The Data Processor shall act in accordance with its instructions
Confidentiality
Processing security
Use of subcontracted data processors
Transfer of information to third countries or international organisations
Assistance to the Data Controller
Notice of personal data security breaches
Deletion and return of data
Supervision and audits
The parties’ agreements concerning other matters
Commencement and termination
Contact persons/points of contact with the Data Processor
Appendices
Appendix A – Information about processing
Appendix B – Conditions relating to the Data Processor’s use of subcontracted data processors and list of authorised subcontracted data processors
Appendix C – Instructions concerning the processing of personal data
Appendix D – The parties’ governance of other matters
2. Basis for the data processing agreement
This Agreement sets out the rights and obligations that apply when the Data Processor processes personal data on behalf of the Data Controller.
The Agreement has been prepared for the purpose of ensuring the parties’ compliance with Article 28(3) of Regulation (EU) 2016/679 (GDPR) and the UK GDPR, which set out specific requirements concerning the contents of a data processing agreement.
The Data Processor’s processing of personal data shall take place for the purpose of fulfilling the parties’ “main agreement”, which is the agreement the Data Controller has entered into with either the Data Processor or another central sports organisation representing the Data Controller.
The Data Processing Agreement and the “main agreement” are mutually dependent on one another and cannot be terminated individually. Nevertheless, the Data Processing Agreement may, without termination of the “main agreement”, be replaced by another valid data processing agreement.
This Data Processing Agreement shall take precedence over any similar provisions in other agreements between the parties, including the “main agreement”.
There are four appendices to this Agreement. The appendices form an integral part of the Data Processing Agreement:
Appendix A contains further information about the processing, including the purpose and nature of the processing, the type of personal data, the category of data subjects and the duration of the processing.
Appendix B includes the Data Controller’s conditions for the Data Processor using any subcontracted data processors, as well as an overview of any subcontracted data processors approved by the Data Controller.
Appendix C includes further instructions regarding the processing the Data Processor will carry out on behalf of the Data Controller (processing object), the minimum security measures that must be taken, as well as how supervision of the Data Processor and any subcontracted data processors is carried out.
Appendix D covers the parties’ governance of circumstances that are otherwise not set out in the Data Processing Agreement or the parties’ “main agreement”.
The Data Processing Agreement and associated appendices shall be archived, including electronically, by both parties.
This Data Processing Agreement does not relieve the Data Processor of any obligations that arise directly under the GDPR, the UK GDPR or other applicable data protection legislation.
3. The rights and obligations of the Data Controller
The Data Controller is generally responsible for ensuring that the processing of personal data takes place within the constraints of the GDPR, the UK GDPR and applicable national data protection laws.
The Data Controller therefore has both the right and obligation to make decisions as to what purposes the processing shall be carried out for and what tools shall be used.
The Data Controller is, among other things, responsible for ensuring that there is a legal basis for the processing that the Data Processor is instructed to perform.
4. The Data Processor shall act in accordance with its instructions
The Data Processor shall only process personal data in accordance with documented instructions from the Data Controller unless otherwise required in accordance with EU law, UK law or national law in the member states to which the Data Processor is subject. In such a case the Data Processor shall notify the Data Controller of such legal requirements prior to processing, unless the legislation in question prevents such notification for reasons of important societal interests, cf. Article 28(3)(a) GDPR.
The Data Processor shall immediately notify the Data Controller if it believes that an instruction contravenes the GDPR, the UK GDPR or data protection provisions in other applicable legislation.
5. Confidentiality
The Data Processor shall ensure that only persons authorised to do so have access to the personal data processed on behalf of the Data Controller. Access to information shall be promptly revoked when authorisation is withdrawn or expires.
Only persons who require access to personal data in order to fulfil the Data Processor’s obligations to the Data Controller shall be authorised.
The Data Processor shall ensure that the persons authorised to process personal data on behalf of the Data Controller have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Data Processor shall, upon request from the Data Controller, be able to demonstrate that the relevant employees are subject to the aforementioned confidentiality obligations.
6. Processing security
The Data Processor shall implement all measures required in relation to Article 32 GDPR / UK GDPR. After taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
This includes, where appropriate:
Pseudonymisation and encryption of personal data.
The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In all circumstances, the Data Processor shall, as a minimum, implement the security levels and measures specified in Appendix C to this Agreement.
Any arrangements concerning the parties’ remuneration or similar in connection with the Data Controller’s or the Data Processor’s subsequent requests to establish further security measures shall be included in the parties’ “main agreement” or in Appendix D to this Agreement.
7. Use of subcontracted data processors
In order to use another data processor (subcontracted data processor), the Data Processor must fulfil the conditions set out in Article 28(2) and (4) GDPR / UK GDPR.
The Data Processor may not use another data processor to fulfil this Data Processing Agreement without prior specific or general written approval from the Data Controller.
In the event of general written approval, the Data Processor shall notify the Data Controller of any planned changes concerning the addition or replacement of other data processors, thereby providing the Data Controller with the opportunity to object to such changes.
The Data Controller’s further conditions for the Data Processor’s use of any subcontracted data processors can be found in Appendix B of this Agreement. The Data Controller’s approval of specific subcontracted data processors can also be found in Appendix B.
Once the Data Processor has obtained approval from the Data Controller for the use of a subcontracted data processor, the Data Processor shall ensure that the subcontracted data processor is bound by the same data protection obligations as those specified in this Data Processing Agreement, through the use of a contract or other legal document in accordance with EU or UK law, including obligations to implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR / UK GDPR.
The Data Processor is responsible for ensuring that any subcontracted data processor is, as a minimum, subject to the obligations that the Data Processor itself is subject to under the data protection regulations, this Data Processing Agreement and its appendices.
A copy of the subcontracted data processing agreement and any later changes thereto must, upon request, be made available to the Data Controller, who shall thereby have the opportunity to assure itself that a valid agreement has been entered into between the Data Processor and the subcontracted data processor. Any commercial terms (e.g. prices) that do not affect the data protection content of the subcontracted data processing agreement may be redacted.
In its agreement with subcontracted data processors, the Data Processor shall, where relevant, include the Data Controller as a third-party beneficiary in the event of the Data Processor’s bankruptcy so that the Data Controller can assume the Data Processor’s rights and invoke these against the subcontracted data processor, e.g. in order to instruct the subcontracted data processor to delete or return personal data.
In the event that a subcontracted data processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the fulfilment of the subcontracted data processor’s obligations.
8. Transfer of information to third countries or international organisations
The Data Processor shall only process personal data in accordance with documented instructions from the Data Controller, including any transfer (transmission, disclosure or internal use) of personal data to third countries or international organisations, unless required in accordance with EU or UK law to which the Data Processor is subject.
In such a case the Data Processor shall notify the Data Controller of such legal requirements prior to processing, unless the legislation in question prevents such notification for reasons of important societal interests, cf. Article 28(3)(a).
Without instructions or approval from the Data Controller, the Data Processor shall not:
disclose personal data to a data controller in a third country or in an international organisation,
transfer the processing of personal data to a subcontracted data processor in a third country, or
process the data in another branch of the Data Processor located in a third country.
Any instructions or approvals from the Data Controller with respect to the transfer of personal data to a third country, and the safeguards applied (including Standard Contractual Clauses (SCCs) and any supplementary measures), can be found in Appendix C of this Agreement.
9. Assistance to the Data Controller
The Data Processor shall, taking into account the nature of the processing and to the extent possible, assist the Data Controller by appropriate technical and organisational measures in fulfilling the Data Controller’s obligation to respond to requests to exercise the data subject’s rights as set out in Chapter III GDPR / UK GDPR.
This includes assistance, where relevant, in relation to:
the duty to inform in connection with the collection of personal data from the data subject,
the duty to inform in the event that personal data has not been obtained from the data subject,
the data subject’s right of access,
the right to rectification,
the right to erasure (“right to be forgotten”),
the right to restriction of processing,
the duty to notify recipients regarding rectification, erasure or restriction,
the right to data portability,
the right to object,
the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject.
The Data Processor shall also assist the Data Controller in ensuring compliance with Articles 32–36 GDPR / UK GDPR, taking into account the nature of processing and the information available to the Data Processor, cf. Article 28(3)(f). This includes assistance, where relevant, regarding:
the implementation of appropriate technical and organisational security measures,
reporting personal data breaches to the competent supervisory authority without undue delay,
notifying affected data subjects where a breach is likely to result in a high risk to their rights and freedoms,
carrying out data protection impact assessments (DPIAs),
consulting the supervisory authority prior to high-risk processing where required.
Any arrangements concerning the parties’ remuneration or similar in connection with the Data Processor’s assistance shall be included in the parties’ “main agreement” or Appendix D to this Agreement.
10. Notice of personal data security breaches
The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Data Controller, whether at the Data Processor or at a subcontracted data processor.
Where possible, the notification shall take place no later than 36 hours after the Data Processor has become aware of the breach, to ensure that the Data Controller has the opportunity to comply with its obligation to report the breach to the competent supervisory authority within 72 hours.
Subject to the nature of the processing and the information available, the Data Processor shall assist the Data Controller in reporting breaches to the supervisory authority.
The Data Processor shall, to the extent possible, provide the information referred to in Article 33(3) GDPR, including:
a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
the likely consequences of the personal data breach,
the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
11. Deletion and return of data
Upon termination of the processing-related services, the Data Processor shall, at the choice of the Data Controller, delete or return all personal data to the Data Controller and delete existing copies, unless EU or UK law or other applicable law requires storage of the personal data. The procedures for deletion and retention are described in Appendix C.3.
12. Supervision and audits
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 GDPR / UK GDPR and this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
The procedure for the Data Controller’s supervision of the processing performed at the Data Processor’s premises can be found in Appendix C of this Agreement.
The Data Controller’s supervision of any subcontracted data processors shall generally take place through the Data Processor. The procedure for this can be found in Appendix C of this Agreement.
The Data Processor shall be obliged to provide the authorities that, under applicable legislation, have access to the Data Controller’s and Data Processor’s facilities, or representatives acting on behalf of such authorities, with access to the Data Processor’s physical facilities upon presentation of appropriate identification.
13. The parties’ agreements concerning other matters
Any specific governance of the consequences of the parties’ breach of the Data Processing Agreement can be found in the parties’ “main agreement” or in Appendix D of this Agreement.
Any governance of other matters between the parties can be found in the parties’ “main agreement” or in Appendix D of this Agreement.
14. Commencement and termination
This Agreement shall automatically enter into force upon the Data Controller’s use of the Players 1st software.
Both parties shall be entitled to request renegotiation of the Agreement in the event of legislative changes or circumstances that make amendments necessary.
The Data Processing Agreement can be terminated in accordance with the termination terms, including notice period, specified in the “main agreement”.
The Agreement shall apply for as long as the processing takes place. Regardless of termination of the “main agreement” and/or the Data Processing Agreement, the Data Processing Agreement shall remain in force until the end of the processing and the deletion or return of the data by the Data Processor and any subcontracted data processors.
15. Contact persons/points of contact with the Data Processor
All contact concerning data processing with the Data Processor shall take place via: privacy@players1stgroup.com
Appendix A – Information about processing
Purpose of the processing
The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is to enable ongoing measurement and analysis of members’ and/or guests’ experiences at the club and to provide the Players 1st Services, including:
issuing electronic questionnaires about member, guest or event experiences,
collecting and aggregating survey responses,
providing dashboards and reports to the Data Controller,
enabling follow-up with respondents who have consented to be contacted, and
providing additional functionality, including an AI Assistant, to help analyse and interpret open comment feedback.
Nature of the processing
The Data Processor’s processing primarily relates to:
sending emails or other electronic messages containing links to electronic questionnaires,
collecting responses (including ratings and open comments),
calculating and presenting results in an online dashboard and in downloadable reports, including aggregated and/or anonymised format,
displaying individual open comments to the Data Controller where the respondent has actively consented to this,
processing usage data (e.g. login activity, navigation patterns) for product analytics and service improvement,
processing open comment feedback through the AI Assistant to generate insights and responses based on the Data Controller’s own dataset.
Types of personal data
Processing includes, as relevant:
Name
Membership type or customer type
Gender
Age or age group
Email address
Information about time and place of visits or rounds played at the club
Club affiliation and role (for platform users)
Usage data (e.g. login times, features used, navigation paths)
Open text comments and feedback submitted in surveys
Any contact details voluntarily provided by respondents for follow-up (e.g. telephone number)
Only general personal data is intentionally processed. Special categories of data (Article 9 GDPR / UK GDPR) are not intentionally processed but may appear in open text comments at the data subject’s own initiative.
Categories of data subjects
Members of the club
Guests or participants in activities arranged by or in collaboration with the club
Users of the Players 1st platform acting on behalf of the Data Controller (e.g. staff, administrators)
Duration of the processing
The Data Processor’s processing of personal data on behalf of the Data Controller may begin upon commencement of this Agreement. The processing is not time-limited and shall remain in place until all licence periods are terminated by either party and all personal data has been deleted or returned in accordance with Section 11 and Appendix C.3.
Appendix B – Conditions relating to the Data Processor’s use of subcontracted data processors
B.1 Conditions relating to the Data Processor’s use of subcontracted data processors
The Data Processor has the Data Controller’s general approval to use subcontracted data processors. Nevertheless, the Data Processor must notify the Data Controller of any planned changes concerning the addition or replacement of other data processors, thereby providing the Data Controller with the opportunity to object to such changes. Such notification shall be received by the Data Controller no later than 30 days before the use or change is to enter into force. If the Data Controller objects, it shall notify the Data Processor within 14 days of receiving the notification and may object only if it has reasonable, specific grounds.
B.2 Authorised subcontracted data processors
Upon commencement of the Data Processing Agreement, the Data Controller has approved the use of the following subcontracted data processors for the processing described below:
Name | Address | Region | Description of processing |
Microsoft Azure | | EU data centres (Ireland, Netherlands) and other regions as applicable for non-EEA/UK customers | Hosting and data storage for the Players 1st platform. For EEA/UK customers, data is hosted in EU data centres. |
Twilio SendGrid | 1801 California Street, Suite 500, Denver, CO 80202, United States | | Email delivery service for transactional and service-related emails (survey invitations, notifications). Configured to use EU subusers to ensure data remains within the EU wherever possible. In rare cases where data may be processed by Twilio’s U.S. infrastructure, such transfers are subject to SCCs and appropriate safeguards. |
Intercom | Intercom R&D Unlimited Company and Intercom, Inc. | | User management, in-app messaging, and customer support for platform users. |
Plausible Analytics | Plausible Insights OÜ, Estonia | | Cookieless website and traffic analytics. Processes aggregated, non-identifying analytics data. |
PostHog | PostHog, Inc. (EU-hosted infrastructure) | | Product analytics and usage tracking to understand feature usage and improve the Players 1st Services. |
Sentry | | Functional Software, Inc. (Sentry), EU region (Frankfurt data centre) | Error tracking and application performance monitoring. |
Players 1st ApS | Paradisgade 4C, 8000 Aarhus C, Denmark | | Internal processing and support operations. |
The Data Processor may update this list in accordance with B.1. The Data Processor shall not use any subcontracted data processor for processing other than that which has been approved, without specific written approval from the Data Controller.
Appendix C – Instructions concerning the processing of personal data
C.1 The subject / instructions for processing
The Data Processor shall process personal data only for the purposes described in Appendix A and in accordance with the Data Controller’s documented instructions, including:
recording and processing membership and guest information supplied by the Data Controller where surveys are selected,
processing information about activity (e.g. green fee rounds, events, visits),
sending survey invitations and reminders,
collecting and storing responses,
presenting aggregated and/or anonymised results via dashboards and reports,
making individual open comments available where the respondent has consented,
processing platform usage data for service monitoring and improvement,
processing open comment feedback via the AI Assistant solely for the purpose of generating insights and responses based on the Data Controller’s dataset.
The Data Processor shall process information as necessary and relevant to fulfil these instructions. Data shall be collected either directly from the Data Controller or from another data processor designated by the Data Controller. The Data Controller shall ensure that any such third-party processor is authorised to disclose the data to the Data Processor.
C.2 Processing security
The level of security shall reflect that the processing concerns general personal data relating to a potentially large number of data subjects.
The Data Processor is entitled and obliged to determine the specific technical and organisational security measures used to achieve the agreed security level, subject to the following minimum requirements:
All communication with the Players 1st system shall be encrypted (HTTPS/TLS).
Data shall be stored and processed with reputable infrastructure providers (such as Microsoft Azure) under appropriate DPAs.
Hosting environments shall be access-controlled, monitored and protected against unauthorised access.
The AI Assistant shall only process the Data Controller’s own data and such data shall not be used for AI model training.
The Data Processor shall maintain documentation relating to functionality, data flows and data security.
Personal data shall only be processed upon instructions from the Data Controller.
All persons with access to personal data shall be subject to confidentiality obligations.
Appropriate measures shall be implemented and maintained in accordance with Article 32 GDPR / UK GDPR, including regular testing, assessment and evaluation of the security measures.
C.3 Retention period / procedures for deletion
Personal data shall be stored by the Data Processor until the earlier of:
the Data Controller requesting deletion or return of the data; or
termination of the “main agreement” and this Data Processing Agreement, followed by deletion in accordance with Section 11.
As part of its standard retention practice:
After 24 months, the Data Processor shall automatically pseudonymise personal data received from the Data Controller so that directly identifying elements are removed where no longer required for reporting, and delete personal data that is no longer relevant.
After 10 years, the Data Processor shall automatically delete all remaining personal data, unless a longer retention period is required by law or agreed in writing with the Data Controller.
C.4 Processing location
Processing of personal data covered by this Agreement may only take place at the following locations, unless the Data Controller has given prior written consent to additional locations:
Microsoft Azure EU data centres (Ireland, Netherlands) and, for non-EEA/UK customers where relevant, other Azure regions.
Twilio SendGrid EU infrastructure and, where necessary, U.S. infrastructure subject to SCCs.
Intercom’s EU and U.S. infrastructure, subject to SCCs and other appropriate safeguards.
Plausible (EU-based infrastructure).
PostHog (EU-based infrastructure).
Sentry (EU – Frankfurt data centre).
Players 1st ApS premises and systems in Denmark and relevant hosting environments within the EU.
Any changes to processing locations shall be notified and approved in accordance with Appendix B.1.
C.5 Instructions or authorisation concerning the transfer of personal data to third countries
The Data Processor is authorised to transfer personal data to third countries (including the United States) only where:
such transfers are necessary to provide the Services (e.g. through Intercom, Twilio SendGrid), and
appropriate safeguards are in place in accordance with Chapter V GDPR / UK GDPR, such as Standard Contractual Clauses (SCCs) and any required supplementary measures.
Transfers may include, in particular:
limited transfer of email addresses and related metadata to Twilio SendGrid for email issuance,
transfer of user and usage data to Intercom for support and in-app messaging.
The AI Assistant runs within the Data Processor’s Microsoft Azure infrastructure in the EU and does not itself give rise to additional third-country transfers beyond those described above.
The Data Processor shall ensure that each subcontracted data processor in a third country provides at least the same level of data protection as required under this Agreement and the GDPR / UK GDPR.
C.6 Procedures for the Data Controller’s supervision of the processing performed at the Data Processor’s premises
Once per year, the Data Processor shall obtain an audit declaration (e.g. ISAE or equivalent) from an independent third party concerning the Data Processor’s compliance with this Data Processing Agreement and its appendices. The audit declaration shall be made available to the Data Controller.
In addition to the above, the Data Controller may, where reasonably required, conduct its own supervision (physical or remote) of the Data Processor’s compliance with this Agreement. Any direct costs incurred by the Data Controller in connection with such supervision shall be borne by the Data Controller. The Data Processor shall allocate the reasonable resources necessary for such supervision.
C.7 Procedures for the supervision of the processing performed at the subcontracted data processors’ premises
Once per year, the Data Processor shall obtain an audit declaration from an independent third party concerning each relevant subcontracted data processor’s compliance with applicable data protection obligations (for example, ISAE 3402 Type II or equivalent reports, where available).
The Data Processor shall make relevant audit reports or summaries available to the Data Controller via the Players 1st platform or upon request, to enable the Data Controller to assess compliance.
Appendix D – The parties’ governance of other matters
D.1 Main agreement
Matters not regulated by this Data Processing Agreement shall be governed by the “main agreement” between the parties.
D.2 Requests to establish additional security measures
Where the Data Controller or the Data Processor subsequently requests that additional security measures be established in addition to those set out in this Agreement, the costs of such measures shall be borne by the party making the request, unless otherwise agreed in writing. Remuneration will typically cover time spent and any third-party costs incurred to implement the extended security measures.
