Data Processing Agreement
Between
The Data Controller:
User of Players 1st software as specified in the main agreement between the Data Controller and the Data Processor
and
The Data Processor
Players 1st
CVR 34694222
Stadion Allé 70
8000 Aarhus C
Denmark
1. Contents
2. Basis for the data processing agreement
3. The rights and obligations of the data controller
4. The data processor shall act in accordance with its instructions
5. Confidentiality
6. Processing security
7. Use of subcontracted data processors
8. Transfer of information to third countries or international organisations
9. Assistance to the data controller
10. Notice of personal data security breaches
11. Deletion and return of data
12. Supervision and audits
13. The parties’ agreements concerning other matters
14. Commencement and termination
15. Contact persons/points of contact with the data processor
Appendix A Information about processing
Appendix B Conditions relating to the data processor’s use of subcontracted data processors and list of authorised subcontracted data processors
B.1 - Conditions relating to the data processor’s use of any subcontracted data processors
B.2 - Authorised subcontracted data processors
Appendix C Instructions concerning the processing of personal data
C.1 - The subject/ instructions for processing
C.2 - Processing security
C.3 - Retention period/procedures for deletion
C.4 - Processing location
C.5 - Instructions or authorisation concerning the transfer of personal data to third countries
C.6 - Procedures for the data controller’s supervision of the processing performed at the data processor’s premises
C.7 - Procedures for the supervision of the processing performed at the subcontracted data processor’s premises
Appendix D The parties’ governance of other matters
D.1 - Main agreement
D.2 - Requests to establish additional security measures
2 Basis for the data processing agreement
This agreement sets out the rights and obligations that apply when the data processor processes personal data on behalf of the data controller.
The agreement has been prepared for the purpose of ensuring the parties’ compliance with Article 28, subsection 3 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free exchange of such data, and on the repeal of Directive 95/46/EU (General Data Protection Regulation), which sets out specific requirements concerning the contents of a data processing agreement.
The data processor’s processing of personal data shall take place for the purpose of fulfilling the parties’ "main agreement", which is the agreement the data controller has entered into with either the data processor or another central sports organisation representing the data controller.
The data processing agreement and the "main agreement" are mutually dependent on one another and cannot be terminated individually. Nevertheless, the data processing agreement may, without termination of the "main agreement," be replaced by another valid data processing agreement.
This data processing agreement shall take precedence over any similar provisions in other agreements between the parties, including the "main agreement".
There are four appendices to this agreement. The appendices act as integral parts of the data processing agreement.
The contents of the data processing agreement Appendix A comprise further information about the processing, including the purpose and nature of the processing, the type of personal data, the category of data subjects and the duration of the processing.
The data processing agreement Appendix B includes the data controller’s conditions for the data processor using any subcontracted data processors, as well as an overview of any subcontracted data processors approved by the data controller.
The data processing agreement Appendix C includes further instructions regarding the processing the data processor will carry out on behalf of the data controller (processing object), the minimum security measures that must be taken, as well as how supervision of the data processor and any subcontracted data processors is carried out.
The data processing agreement Appendix D covers the parties’ governance of circumstances that are otherwise not set out in the data processing agreement or the parties’ "main agreement".
The data processing agreement and associated appendices shall be archived, including electronically, by both parties.
This data processing agreement shall not relieve the data processor of any obligations that directly arise under the General Data Protection Regulation (GDPR) or any other legislation.
3 The rights and obligations of the data controller
The data controller is generally responsible for ensuring that the processing of personal data takes place within the constraints of the GDPR and the Danish Data Protection Act.
The data controller therefore has both the right and the obligation to decide the purposes for which the processing shall be carried out and the tools that shall be used. The data controller is, among other things, responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to perform.
4 The data processor shall act in accordance with its instructions
The data processor shall only process personal data in accordance with documented instructions from the data controller unless otherwise required in accordance with EU law or national law in the member states in which the data processor is based; in such a case the data processor shall notify the data controller of such legal requirements prior to processing, unless the legislation in question prevents such notification for reasons of important societal interests, cf. Article 28, subsection 3, item a.
The data processor shall immediately notify the data controller if it believes that an instruction contravenes the General Data Protection Regulation or data protection provisions in other EU legislation or national legislation in member states.
5 Confidentiality
The data processor shall ensure that only the persons authorised to do so have access to the personal data processed on behalf of the data controller. Access to information shall therefore be immediately denied in the event of the authorisation being revoked or expiring.
Only persons who require access to personal data in order to fulfil the data processor’s obligations to the data controller shall be authorised.
The data processor shall ensure that the persons authorised to process personal data on behalf of the data controller have consented to confidentiality or are subject to appropriate statutory non-disclosure requirements.
The data processor shall, upon request from the data controller, be able to demonstrate that the relevant employees are subject to the aforementioned confidentiality.
6 Processing security
The data processor shall implement all measures required in relation to Article 32 of the General Data Protection Regulation, which, among other things, states that after taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a security level appropriate to the risk.
The abovementioned obligations mean that the data processor must carry out a risk assessment and subsequently implement measures to manage the identified risks. This could, depending on relevance, include the following measures:
Pseudonymisation and encryption of personal data
The ability to ensure lasting confidentiality, integrity, accessibility and resilience of processing systems and services
Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
A procedure for regular testing, assessment and evaluation of the efficiency of the technical and organisational measures to ensure processing security
In connection with the above, and in all circumstances, the data processor shall, as a minimum, implement the security levels and measures specified in further detail in Appendix C to this agreement.
Any governance/agreement concerning the parties’ remuneration or similar in connection with the data controller or data processor’s subsequent requests to establish further safety measures shall be included in the parties’ "main agreement" or Appendix D to this agreement.
7 Use of subcontracted data processors
In order to use another data processor (subcontracted data processor), the data processor must fulfil the conditions addressed in Article 28, subsection 2 and 4 of the GDPR.
As such, the data processor cannot use another data processor (subcontracted data processor) to fulfil the data processing agreement without prior specific or general written approval from the data controller.
In the event of general written approval, the data processor shall notify the data controller of any planned changes concerning the addition or replacement of other data processors, thereby providing the data controller with the opportunity to object to such changes.
The data controller’s further conditions for the data processor’s use of any subcontracted data processors can be found in Appendix B of this agreement.
The data controller’s approval of any specific subcontracted data processors can be found in Appendix B of this agreement.
Once the data processor has obtained approval from the data controller for the use of a subcontracted data processor, the data processor shall ensure that the subcontracted data processor is bound by the same data protection obligations as those specified in this data processing agreement, through the use of a contract or other legal document in accordance with EU legislation or national legislation in the member states in which the necessary guarantees are provided, to ensure that the subcontracted data processor will implement appropriate technical and organisational measures in such a way that the processing fulfils the requirements set down in the GDPR.
As such, the data processor is responsible, through the execution of a subcontracted data processing agreement, for ensuring that the subcontracted data processor is subject to, as a minimum, the obligations that the data processor itself is subject to under the data protection regulations, as well as this data processing agreement and associated appendices.
A copy of the subcontractor data processing agreement and any later changes thereto must be issued, upon request from the data controller, to the data controller, who shall thereby have the opportunity to assure itself that a valid agreement has been entered into between the data processor and the subcontracted data processor. Any commercial terms, e.g. prices, that do not affect the data protection legislative contents of the subcontractor data processing agreement shall not be issued to the data controller.
In its agreement with subcontracted data processors, the data processor shall include the data controller as a third party beneficiary in the event of the data processor’s bankruptcy so that the data controller can assume the data processor’s rights and invoke these against the subcontracted data processor, e.g. so that the data controller can instruct the subcontracted data processor to make deletions or return any information.
In the event that the subcontracted data processor fails to fulfil its data protection obligations, the data processor shall be fully liable to the data controller for the fulfilment of the subcontracted data processor’s obligations.
8 Transfer of information to third countries or international organisations
The data processor shall only process personal data in accordance with documented instructions from the data controller, including the transfer (transfer, disclosure and internal use) of personal data to third countries or international organisations unless required in accordance with EU legislation or national legislation in member states to which the data processor is subject; in such a case the data processor shall notify the data controller of such legal requirements prior to processing, unless the legislation in question prevents such notification for reasons of important societal interests, cf. Article 28, subsection 3, item a.
Without instructions or approval from the data controller, the data processor therefore cannot, within the constraints of the data processing agreement:
disclose personal data to a data controller in a third country or in an international organisation,
transfer the processing of personal data to a subcontracted data processor in a third country,
process the data in another branch of the data processor located in a third country.
Any instructions or approvals from the data controller with respect to the transfer of personal data to a third country can be found in Appendix C of this agreement.
9 Assistance to the data controller
The data processor shall assist, depending on the nature of the processing and to the extent possible, the data controller using appropriate technical and organisational measures to fulfil the data controller’s obligation to respond to requests to exercise the rights of the data subject as set down in Chapter 3 of the General Data Protection Regulation.
This means that the data processor shall, to the extent possible, assist the data controller in connection with the data controller ensuring compliance with:
the duty to inform in connection with the collection of personal data from the data subject
the duty to inform in the event that personal data has not been collected from the data subject
the data subject’s right of access
the right to correct
the right to be forgotten
the right to request limited processing
the duty to inform in connection with correction or deletion of personal data or limited processing
the right to data portability
the right to object
the right to object to the results of automatic individual decisions, including profiling
The data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the data processor, cf. Article 28, subsection 3, item f.
This means that the data processor, subject to the nature of the processing, shall assist the data controller in connection with the data controller ensuring compliance with:
the duty to implement appropriate technical and organisational measures to ensure security levels appropriate for the risks associated with the processing
the duty to report personal data security breaches to the supervisory authorities (Danish Data Protection Agency) without undue delay and no later than 72 hours after the data controller has become aware of the breach, unless it is unlikely that the breach of personal data security involves a risk to the rights and freedoms of natural persons
the duty to, without undue delay, notify the data subject(s) of personal data security breaches when such a breach likely carries a high risk to the rights and freedoms of natural persons
the duty to implement an impact analysis concerning data protection if a processing type is likely to carry a high risk to the rights and freedoms of natural persons
the duty to consult the supervisory authority (Danish Data Protection Agency) prior to processing if an impact analysis concerning data protection finds that the processing would result in a high risk due to inadequate measures taken by the data controller in order to mitigate the risk
Any governance/agreement concerning the parties’ remuneration or similar in connection with the data processor’s assistance to the data controller shall be included in the parties’ "main agreement" or Appendix D to this agreement.
10 Notice of personal data security breaches
The data processor shall notify the data controller without undue delay after becoming aware of a breach of personal data security on the part of the data processor or a subcontracted data processor.
The data processor’s notification to the data controller shall, if possible, take place no later than 36 hours after it has become aware of the breach, to ensure that the data controller has the opportunity to comply with its obligation to report the breach to the supervisory authorities within 72 hours.
In accordance with Section 10.2, item b of this agreement, the data processor shall, subject to the nature of the processing and the information available, assist the data controller in reporting breaches to the supervisory authorities.
This could mean that the data processor should assist in obtaining the following information, which, according to Article 33, subsection 3 of the GDPR, must be included in the report from the data controller to the supervisory authority:
The nature of the personal data security breach, including, where possible, the categories and estimated number of affected data subjects, as well as the categories and estimated number of affected personal data records
Probable consequences of the personal data security breach
Measures taken or proposed to manage the personal data security breach, including measures to limit the potential damage, if relevant
11 Deletion and return of data
Upon termination of the processing-related services, the data processor shall be obliged to delete or return all personal data to the data controller, as decided by the data controller, and to delete all existing copies, unless EU legislation or national legislation requires the storage of the personal data.
12 Supervision and audits
The data processor shall make all information necessary to demonstrate the data processor’s compliance with Article 28 of the General Data Protection Regulation and this agreement available to the data controller and shall enable and contribute to audits, including inspections performed by the data controller or another auditor authorised by the data controller.
The procedure for the data controller’s supervision of the data processor can be found in Appendix C of this agreement.
The data controller’s supervision of any subcontracted data processors shall generally take place through the data processor. The procedure for this can be found in Appendix C of this agreement.
The data processor shall be obliged to provide the authorities that, under the legislation applicable at any time, have access to the data controller and data processor’s facilities, or representatives acting on behalf of the authorities, with access to the data processor’s physical facilities upon presentation of appropriate identification.
13 The parties’ agreements concerning other matters
Any (specific) governance of the consequences of the parties’ breach of the data processing agreement can be found in the parties’ "main agreement" or in Appendix D of this agreement.
Any governance of other matters between the parties can be found in the parties’ "main agreement" or in Appendix D of this agreement.
14 Commencement and termination
This agreement shall automatically enter into force upon the data controller’s use of Players 1st software.
Both parties shall be entitled to request renegotiation of the agreement in the event of legislative changes or inexpediencies in the agreement giving rise thereto.
The data processing agreement can be terminated in accordance with the termination terms, including notice period, specified in the "main agreement".
The agreement shall apply for as long as the processing takes place. Regardless of termination of the "main agreement" and/or the data processing agreement, the data processing agreement shall remain in force until the end of the processing and the deletion of the data on the part of the data processor and any subcontracted data processors.
15 Contact persons/points of contact with the data processor
All contact concerning data processing with the data processor shall take place via: privacy@players1stgroup.com
Appendix A Information about processing
The purpose of the data processor’s processing of personal data on behalf of the data controller is:
The data controller wishes to implement ongoing measuring of its members and/or guests’ experiences at the club. For this purpose, data relating to members and/or guests will be transferred so that the data processor can issue electronic questionnaires about the member or guest experience at the club. The responses will be reported and made available in aggregated format to the data controller via an electronic dashboard administered by the data processor.
The data controller shall also receive individual open comments from the responses. This shall exclusively take place in cases where the respondent has actively consented to the data controller viewing the comment, and when the respondent has provided their contact information so that the data controller has the opportunity to contact the respondent in accordance with their expressed consent.
The data processor’s processing of personal data on behalf of the data controller primarily relates to (nature of the processing):
Issuing e-mails with a link to an electronic questionnaire.
Illustrating survey results in an online dashboard and reports. Results are reproduced in aggregated and/or anonymous format.
Processing includes the following types of personal data relating to data subjects:
Name, membership type, gender, age, e-mail address and, where the survey relates to a respondent’s specific activity at the club, information about the time and place of the visit to the club. Only general personal data is processed.
Processing includes the following data subject categories:
Persons who are either members of the club or who have participated in an activity arranged by the club or in collaboration with the club.
The data processor’s processing of personal data on behalf of the data controller may be initiated upon commencement of this agreement. The duration of the processing is as follows:
The processing shall not be time-limited and shall remain in place until all licence periods are terminated by either party.
Appendix B Conditions relating to the data processor’s use of subcontracted data processors and list of authorised subcontracted data processors
B.1 Conditions relating to the data processor’s use of any subcontracted data processors
The data processor has the data controller’s general approval to use subcontracted data processors. Nevertheless, the data processor must notify the data controller of any planned changes concerning the addition or replacement of other data processors, thereby providing the data controller with the opportunity to object to such changes. Such notification shall be received by the data controller at least 30 days before the use or change is to enter into force. In the event that the data controller objects to the changes, the data controller shall notify the data processor within 14 days of receiving the notification. The data controller may object only if the data controller has reasonable, specific reasons for doing so.
B.2 Authorised subcontracted data processors
Upon commencement of the data processing agreement, the data controller has approved the use of the following subcontracted data processors:
Name | CVR no. | Address | Description of processing |
Microsoft Azure | | Azure Data Centres in Ireland, the Netherlands, Virginia USA, Texas USA, California USA, Canberra Australia | Hosting; data storage takes place in Europe for the data processor’s European customers, the USA for the data processor’s North American customers and Australia for the data processor’s Australian customers |
SendGrid | | 1801 California Street, Suite 500, Denver, CO 80202 | E-mail service |
MailJet | FR67524536992 | Mailjet SAS, 37 bis Rue du Sentier, 75002 Paris, FRANCE | E-mail service |
Zendesk | | Zendesk, Inc., 1019 Market St., San Francisco, CA 94103, United States | Management of support enquiries |
Google Analytics | | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | Website usage data is collected in Google Analytics |
Upon commencement of the data processing agreement, the data controller has specifically approved the use of the abovementioned subcontracted data processors for the processing described for each party. The data processor cannot, without specific written approval from the data controller, use the subcontracted data processors for "other" processing than that which has been agreed or permit another subcontracted data processor to carry out the specified processing.
Appendix C Instructions concerning the processing of personal data
C.1 The subject/instructions for processing
The data processor’s processing of personal data on behalf of the data controller shall take place by the data processor carrying out one or more of the following:
recording the necessary membership information concerning the data controller’s members if member survey(s) are selected.
processing information about green fee rounds played with the data controller if guest survey(s) are selected.
The data processor shall process information as necessary and relevant to fulfil the instructions from the data controller. Information shall be collected either directly from the data controller or from another data processor (third-party data processor) specified by the data controller. The data controller shall enter into agreements with third-party processors concerning the disclosure of the necessary data to the data processor under this agreement.
C.2 Processing security
The security level shall reflect:
Processing of general personal data
The data processor shall thereby be entitled and obliged to make decisions concerning the technical and organisational security measures that will be used to create the necessary (and agreed) security level concerning the information. Nevertheless, the data processor shall be obliged to ensure the following:
All data in communication with the Players 1st system shall be transmitted encrypted via "https" as standard.
Players 1st shall store and process all data with internationally recognised IT companies.
Players 1st hosting shall be encrypted and confidential.
Players 1st has complete documentation relating to functionality, data tracking and data security.
Players 1st processes personal data only upon instruction from the data controller.
Players 1st shall ensure that all persons managing personal data are subject to confidentiality agreements.
C.3 Retention period/procedures for deletion
Personal data shall be stored by the data processor until the data controller requests the deletion or return of the data.
After 24 months, the data processor shall automatically perform pseudonymisation of all personal data received from the data controller. In connection with pseudonymisation, any personal data that is no longer relevant will be deleted.
After 10 years, the data processor will automatically delete all personal data.
C.4 Processing location
Processing of the personal data covered by the agreement cannot, without prior written consent from the data controller, take place at locations other than the following:
Name | Address | Comments |
Microsoft Azure | Azure Data Centres in Ireland, the Netherlands, Virginia USA, Texas USA, California USA, Canberra Australia | Hosting; data storage takes place in Europe for the data processor’s European customers, the USA for the data processor’s North American customers and Australia for the data processor’s Australian customers |
SendGrid | 1801 California Street, Suite 500, Denver, CO 80202 | |
MailJet | Mailjet SAS, 37 bis Rue du Sentier, 75002 Paris, FRANCE | |
Zendesk | Zendesk, Inc., 1019 Market St., San Francisco, CA 94103, United States | |
Google Analytics | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | |
Players 1st | Stadion Allé, 8000 Aarhus C, Denmark | |
C.5 Instructions or authorisation concerning the transfer of personal data to third countries
The data processor shall transfer, via subcontracted data processors, personal data to third parties, as e-mail addresses are transferred to an American supplier (SendGrid) for use when issuing e-mails (does not apply however to German e-mail addresses). Zendesk shall be used to manage support enquiries from players and clubs who are able to contact Players 1st support via e-mail. The requestor’s e-mail address is transferred to Zendesk upon contact. Google Analytics is used at an aggregated level to monitor the browsers and devices used by users. Information is used to optimise the user experience in the questionnaires.
Transfer takes place pursuant to the Privacy Shield agreement, cf. Article 46 of the General Data Protection Regulation. The data processor shall be responsible for ensuring that subcontracted data processors in third countries comply with the data processor’s obligations as specified in this agreement.
C.6 Procedures for the data controller’s supervision of the processing performed at the data processor’s premises
Once per year, the data processor shall obtain an audit declaration from an independent third party concerning the data processor’s compliance with this data processing agreement and associated appendices. The audit declaration shall be obtained for the first time in 2019, and the audit declaration shall be made available to the data controller.
Until the aforementioned audit declaration is available, the data controller shall have an annual opportunity to carry out physical or written supervision of compliance with this data processing agreement.
In addition to scheduled supervision, supervision of the data processor may also be carried out when the data controller considers there to be a need to do so.
Any costs incurred by the data controller in connection with physical or written supervision shall be covered by the data controller itself. Nevertheless, the data processor shall be obliged to allocate the resources (predominantly time) that are reasonable and necessary for the data controller to carry out such supervision.
C.7 Procedures for the supervision of the processing performed at the subcontracted data processor’s premises
Once per year, the data processor shall obtain an audit declaration from an independent third party concerning the subcontracted data processor’s compliance with this data processing agreement and associated appendices.
The parties have agreed that the following audit declaration types can be used: ISAE 3402 type 2 reports
The audit declaration shall be made available to the data controller via the dashboard solution from the data processor.
Appendix D The parties’ governance of other matters
D.1 Main agreement
Circumstances that fall outside of this agreement shall be governed in the main agreement between the parties.
D.2 Requests to establish additional security measures
Remuneration or similar in connection with the data controller or data processor’s subsequent requests to establish further security measures in addition to this agreement shall be paid for by the party making the request. Remuneration shall typically cover time spent to establish the extended security measures.