STATS PERFORM – CONTROLLER-TO-PROCESSOR DATA PROCESSING ADDENDUM TO TEAM PERFORMANCE MASTER LICENCE AGREEMENT
This Controller-to-Processor Data Processing Addendum, including any Appendices, Annexes and Schedules attached hereto (together the “DPA”), where applicable, forms part of, and is incorporated in, the Team Performance Master Licence Agreement (“MLA”), Work Order and/or (if applicable) any other agreement (together the “Agreement”) in connection with certain services of the Platform-Accessed Services (as referred to in the Work Order and MLA) provided to you (referred to as “Licensee”, “you” or “your”) pursuant to the Agreement where you are data controller and either Perform Content Limited or the relevant Affiliate which is party to the Agreement (the relevant party referred to as “Stats Perform” or “we”, “us” or “our”) acts as data processor.
Where there is conflict between the terms of the MLA and this DPA, the terms of this DPA shall prevail. Subject to this, the MLA will otherwise continue in full force and effect.
NOW IT IS HEREBY AGREED as follows:
1. DEFINITIONS
1.1. In this DPA, capitalised words shall have the meaning as set out below or, as the case may be, elsewhere in the Agreement:
Affiliate | means any entity that directly or indirectly controls, is controlled by, or is under common control with, a party from time to time during the Term. |
Data Protection Law | means all statutes, laws, secondary legislation and regulations pertaining to privacy and/or data protection of personal data which are applicable to the parties, including, where applicable: (i) in respect of the EU, the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and all relevant member state laws or regulations giving effect to, replacing or supplementing the same; (ii) in respect of the UK, the Data Protection Act 2018 (“UK DPA”), UK GDPR (which has the meaning given to it in the UK DPA) (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); and (iii) any applicable laws and regulations implementing, amending, extending, re-enacting, replacing, consolidating or supplementing the same from time to time. |
EU SCCs | means the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the EU GDPR as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (and available here by way of link), the relevant annexes of which are set out in this DPA, or any set of clauses approved by the European Commission which amends, replaces, or supersedes these. |
ICO UK Addendum | means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the UK DPA which came into force on 21 March 2022 (and available here by way of link). |
International Transfer | means a transfer which is covered by Chapter V of the EU GDPR or UK GDPR (whichever is applicable). |
International Transfer Clauses | means the EU SCCs and, where applicable, ICO UK Addendum. |
Licensee Personal Data | means any personal data contained within Licensee Data (as defined in the MLA) processed by us in connection with the Services and as set out in the Schedule to this DPA. In accordance with clause 2.2 of this DPA, this may include the personal data of a Licensee Affiliate. |
Services | means the Platform-Accessed Services provided pursuant to the Agreement. |
1.2. The terms “data subject”, “personal data”, “processing” and variations, “controller” and “processor” shall have the meaning attributed to them in Data Protection Law.
2. APPOINTMENT
2.1. In the course of Stats Perform providing the Services to the Licensee, the Licensee may provide or input into the Services Licensee Personal Data for processing. For such purposes, the Licensee is the controller and Stats Perform is the processor and this DPA applies in such circumstances. The subject matter of processing of Licensee Personal Data to be carried out by Stats Perform on behalf of the Licensee (including the nature, purpose, duration and other aspects) is set out in the Schedule to this DPA.
2.2. Licensee Personal Data may contain personal data in relation to which Licensee Affiliates are controllers. The Licensee confirms that it is authorized to communicate to Stats Perform any instructions or other requirements on behalf of Licensee Affiliates in respect of processing of Licensee Personal Data by Stats Perform in connection with the Services.
2.3. Stats Perform is appointed by the Licensee to process Licensee Personal Data on behalf of the Licensee and/or Licensee Affiliates, as the case may be, as is necessary to provide the Services or as otherwise agreed by the parties in writing.
2.4. The Licensee acknowledges that it, together with any of its Affiliates, is solely responsible for ensuring, and the Licensee warrants and represents, that, in accordance with Data Protection Law, any processing of Licensee Personal Data is carried out under an appropriate lawful ground, the appropriate notices pursuant to the processing of that data are provided to the relevant data subjects, the Licensee Personal Data is accurate and up-to-date, and appropriate data retention periods are defined and implemented in respect of that data.
3. DURATION
This DPA shall apply from the Effective Date and shall continue in full force and effect until the termination or expiration of the Agreement or the Services (the “Term”).
4. DATA PROTECTION COMPLIANCE
4.1. In relation to its processing of Licensee Personal Data as processor during the Term, save as otherwise required by law, Stats Perform agrees to:
4.1.1. comply with applicable Data Protection Law in relation to its processing of Licensee Personal Data;
4.1.2. process Licensee Personal Data only as required in connection with the provision of the Services, in accordance with the Licensee’s documented lawful instructions reasonably given in the context of the Services from time to time, and for its internal business analysis of anonymised data. Stats Perform may otherwise be required to process Licensee Personal Data in accordance with applicable law to which it is subject and, in such case, it shall inform the Licensee of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Licensee warrants and represents on a continuous basis that its instructions will not put Stats Perform in breach of the law;
4.1.3. inform the Licensee if, in its opinion, an instruction infringes Data Protection Law, and Stats Perform has the right to disregard such instruction;
4.1.4. ensure that all personnel authorised by Stats Perform to process Licensee Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.1.5. implement appropriate technical and organisational measures (pursuant to the measures set out in the Schedule to this DPA) to appropriately safeguard Licensee Personal Data having regard to the nature of Licensee Personal Data which is to be protected and the risk of harm which might result from any Security Breach (as defined below);
4.1.6. inform, without undue delay, the Licensee of any data subject requests it receives under Data Protection Law or regulatory or law enforcement requests relating to Licensee Personal Data. Stats Perform may acknowledge each data subject request. Where agreed with the Licensee, Stats Perform may, at Licensee’s expense, assist the Licensee by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Licensee’s obligation to respond to data subject requests made under Data Protection Law;
4.1.7. at Licensee’s expense, provide such assistance as the Licensee may reasonably require in order to ensure the Licensee’s compliance with Data Protection Law in relation to data security, data breach notifications, data protection impact assessments and prior consultations with competent supervisory authorities with responsibility for privacy and data protection matters;
4.1.8. at the choice and expense of the Licensee, delete Licensee Personal Data or return all Licensee Personal Data to the Licensee after the end of the provision of Services, and delete existing copies of all Licensee Personal Data, save for anonymised Licensee data retained for legitimate business purposes or Licensee Personal Data required for on-going storage under applicable law; and
4.1.9. at Licensee’s expense, make available to Licensee information reasonably necessary to demonstrate Stats Perform’s compliance with this DPA and allow for audits and inspections carried out by an independent third party, on reasonable notice as the parties may agree. Where exercising its right of audit pursuant to this clause, the Licensee shall, and shall ensure a party performing an audit shall, subject to clause 5: (a) carry out audits only during the general business hours of Stats Perform’s or its Affiliate’s location where the audit is performed; (b) use all reasonable care to ensure undisturbed business operations when carrying out the audits, especially to ensure that risks to another client’s environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated; (c) observe any applicable provisions of Data Protection Law and reasonable requirements of Stats Perform; (d) exercise the audit rights in a proportional manner, taking into account the complexity of the Services, the risks arising from the Services, the criticality or importance of the Services, and the potential impact of the Services on the continuity of Licensee’s activities; (e) adhere to relevant, commonly accepted, national and international audit standards; (f) ensure that its employees or any third-party auditor possess the appropriate and relevant skills and knowledge to perform the audit; and (g) treat all information shared under this sub-clause as Confidential Information.
5. AUDIT
With regard to clause 4.1.9 above, in relation to its Sub-processors, Stats Perform will exercise its audit rights (pursuant to meeting the requirements of Article 28(3)(h) of the EU GDPR or UK GDPR (as applicable)) subject to its agreement with its Sub-processors. At its own discretion but with due consideration of the legal obligations of the Licensee, Stats Perform shall have the right to refrain from disclosing information if such information is sensitive to Stats Perform’s business or if Stats Perform would violate statutory or contractual obligations by disclosing such information. In particular, Stats Perform shall not grant the Licensee access to any data or information about Stats Perform’s Licensees, about Stats Perform’s costs, about quality and contract management reports or about any other information that is not strictly necessary for the agreed inspection purposes.
6. SUB-PROCESSORS
6.1. Stats Perform will engage any subcontractors involved in the processing of Licensee Personal Data under this DPA (each a “Sub-processor”) in accordance with this clause 6.
6.2. The current list of Sub-processors engaged in processing Licensee Personal Data for the performance of certain data processing activities under this DPA, is listed in the Schedule (as updated from time to time). As of the Effective Date, the Licensee hereby consents to the use of these Sub-processors as it pertains to Licensee Personal Data of the Licensee.
6.3. Stats Perform shall duly inform the Licensee of any new, or replacement, Sub-processor(s) which is different to the list of Sub-processors in the Schedule and affects the processing of the Licensee Personal Data. If the Licensee objects to any such change on reasonable grounds, it must notify Stats Perform within 14 days of being informed by Stats Perform in accordance with this clause, otherwise the change will be deemed accepted. In the event of any objection reasonably raised in accordance with this clause, the Parties shall enter into good faith discussions to agree a workaround. However, if no such workaround is agreed in Stats Perform’s reasonable opinion, Stats Perform shall be entitled to terminate the Services relating to the change in Sub-processor.
6.4. When engaging a Sub-processor, Stats Perform will:
6.4.1. carry out reasonable due diligence;
6.4.2. enter into a contract on terms, as far as practicable, which are substantially equivalent to those in this DPA, and which may include International Transfer Clauses (or similar) where required, to provide adequate safeguards with respect to the processing of Licensee Personal Data; and
6.4.3. remain fully liable to the Licensee for the Sub-processor’s performance of its data processing obligations under this DPA.
7. SECURITY INCIDENTS
7.1. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Licensee Personal Data transmitted, stored or otherwise processed by Stats Perform.
7.2. Stats Perform will notify the Licensee without delay if it becomes aware of any Security Breach. Where practicable, Stats Perform will provide phased notifications.
7.3. Stats Perform will investigate the Security Breach and take reasonable action to identify, prevent and mitigate the effects of the Security Breach. At the Licensee’s expense, Stats Perform will take such further action as the Licensee may reasonably request in order to comply with Data Protection Law.
7.4. Subject to requirements of Data Protection Law, the Licensee may not release or publish any filing, communication, notice, press release, or report concerning any Security Breach without Stats Perform’s prior written approval; such approval shall not be unreasonably withheld.
8. INTERNATIONAL DATA TRANSFERS
8.1. The Licensee acknowledges that Stats Perform may make International Transfers of Licensee Personal Data. Stats Perform will ensure that any International Transfer, to the extent it occurs, is based on appropriate safeguards under applicable Data Protection Law, including where necessary entering into the appropriate International Transfer Clauses (or alternative standard contractual clauses) with the relevant importer.
8.2. In the event that the Licensee is subject to the EU GDPR and transfers Licensee Personal Data to Stats Perform for processing outside the European Economic Area, and the transfer is an International Transfer and is not on the basis of an adequacy decision as described in Article 45 of the EU GDPR, then the parties will comply with the Module 2 (or, if applicable, Module 3) version of the EU SCCs, which are deemed incorporated into, and form part of, this DPA and completed as follows:
8.2.1. Clause 7 of the EU SCCs (the Docking clause) will not apply;
8.2.2. option 2 will apply in respect of Clause 9(a) of the EU SCCs where the ‘agreed list’ is set out in the Schedule and the time period is 14 days;
8.2.3. the optional redress language under Clause 11(a) of the EU SCCs will not apply;
8.2.4. where applicable, the competent supervisory authority in accordance with Clause 13 of the EU SCCs is the Irish Data Protection Commission;
8.2.5. option 2 will apply in respect of Clause 17 of the EU SCCs and the applicable governing law is the Republic of Ireland;
8.2.6. the choice of forum and jurisdiction under Clause 18(b) of the EU SCCs are the courts of the Republic of Ireland; and
8.2.7. Annexes I and II of the EU SCCs are deemed to be populated with the information set out in the Schedule below.
8.3. In the event that the Licensee is subject to the UK GDPR and transfers Licensee Personal Data to Stats Perform for processing outside the UK, and the transfer is an International Transfer and is not on the basis of an adequacy decision as described in Article 45 of the UK GDPR, then the EU SCCs shall apply in accordance with clause 8.2 above and shall be deemed amended as specified by the ICO UK Addendum, which shall be deemed executed by the parties and incorporated into, and form part of, this DPA. Where the ICO UK Addendum applies in accordance with this clause 8.3:
8.3.1. Tables 1 and 3 in Part 1 of the ICO UK Addendum shall be deemed completed with the relevant information set out in the Appendix to the EU SCCs and (therefore) the Schedule below;
8.3.2. in Table 2 in Part 1, the “Addendum EU SCCs” are deemed to be the EU SCCs incorporated into this DPA (in accordance with Clause 8.2 above) including the Appendix Information (as defined in the ICO UK Addendum);
8.3.3. Table 4 in Part 1 is deemed completed by selecting “neither party”; and
8.3.4. any conflict between the terms of the EU SCCs and the ICO UK Addendum will be resolved in accordance with Sections 9, 10 and 11 of the ICO UK Addendum.
8.4. Where the International Transfer Clauses apply, their respective provisions shall replace Stats Perform’s data processing obligations (including as set out in clauses 4 to 7) of this DPA. In the event of any conflict between the provisions of the International Transfer Clauses and this DPA or the Agreement, then the International Transfer Clauses shall take precedence. The terms of the Agreement and the terms of this DPA shall not, and do not seek to, vary the International Transfer Clauses in any way.
9. INDEMNITY
9.1. Notwithstanding any exclusion or limitation of liability or any provision in the Agreement to the contrary, the Licensee shall and hereby agrees to indemnify Stats Perform and its Affiliates and their officers, employees, agents and subcontractors (each an “Indemnified Party”) from and against any claims, losses, demands, actions, liabilities, fines, penalties, reasonable expenses, damages and settlement amounts (including reasonable legal fees and costs) incurred by any Indemnified Party as a result of any third party claim, enforcement action or other proceedings arising out of or in connection with the processing of Licensee Personal Data in accordance with the Agreement and this DPA.
9.2. Subject to clauses 9.1 and 10.2, either party’s liability under this DPA shall be subject to any limitation of liability provisions in the Agreement.
10. MISCELLANEOUS
10.1. Clause titles and other headings in this DPA are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this DPA.
10.2. Nothing in this DPA will exclude or limit the liability of either party which cannot be limited or excluded by applicable law. Subject to the foregoing sentence, (i) this DPA, including any schedules, annexes and appendices, constitute the entire agreement between the parties pertaining to the subject matter hereof and supersedes all prior agreements, understandings, negotiations and discussions of the parties relating to its subject matter; and (ii) in entering into this DPA neither party has relied on, and neither party will have any right or remedy based on, any statement, representation or warranty, whether made negligently or innocently, except those expressly set out in this DPA.
10.3. The Licensee shall pay to Stats Perform within 30 days of invoice date any costs and expenses including without limitation reasonable attorney fees and the cost of preparing and sending correspondence incurred by Stats Perform and/or its Affiliates in connection with carrying out duties at the Licensee’s expense under this DPA.
10.4. All notices of termination or breach must be in English, in writing and addressed to the other party’s primary contact person and legal department. Notice will be treated as given on receipt, as verified by a valid receipt or electronic log. Postal notices will be deemed received 48 hours from the date of posting by recorded delivery of registered post.
10.5. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.
10.6. This DPA is governed by English law and the parties submit to the exclusive jurisdiction of the English courts in relation to any dispute (contractual or non-contractual) concerning this DPA, excepting those disputes arising out of Section 8 providing alternate forums for relief, save that either party may apply to any court for an injunction or other relief to protect its property, intellectual property rights or confidential information.
SCHEDULE
DATA PROCESSING PARTICULARS
Part A: Description of parties | |
---|---|
Controller | Processor |
Licensee, whose address, point of contact details, activities and signature (as applicable) are as set out in the Agreement. | Stats Perform, whose address, point of contact details, activities and signature (as applicable) are as set out in the Agreement. Stats Perform’s contact email address for the purposes of this DPA is privacy@statsperform.com. |
Part B: Description of Services and Licensee Personal Data | |
---|---|
Description of Services: | The Platform-Accessed Services as set out in the Agreement. |
Subject-matter of processing: | Licensee Personal Data which is uploaded, inputted or provided by the Licensee to Stats Perform’s platform for hosting and related services by Stats Perform during the Term. |
Frequency and duration of processing | On a continuous basis until the termination or expiration of the Agreement, or, if earlier, when the Licensee deletes Licensee Personal Data. |
Nature and purpose of processing: | Stats Perform carries out the following processing activities in respect of the Licensee Personal Data as part of the Services, including: Hosting, service support; and internal software and operational process support, including storage, back-up and database monitoring. |
Type of personal data: | Licensee Personal Data will vary depending on the type of Licensee Data inputted, uploaded or provided to the Service but may include, without limitation: Contact details - email, name, address, Date of birth, Role, Personal history (e.g. previous team information and performance history), Statistical details of participation in sport, Special category data (e.g. health data relating to a player's injuries), Appraisals/opinions and recommendations, Test results, Images and/or biographical pictures video footage |
Categories of data subjects: | Licensee’s personnel, Athletes/sportspeople and related sports professionals, contractors (and personnel), Suppliers (and personnel). |
Retention period of any personal data: | As long as necessary to fulfil the obligations of the parties under the Agreement. |
Part C: List of Sub-processors | ||
---|---|---|
Name | Type of processing | Location of processing |
Third Parties | ||
Google Cloud | Data hosting | Belgium |
Amazon Web Services (AWS) | Data hosting | Either UK, Australia or Ireland regions. |
K-Sport Universal S.R.L | Data hosting (in relation to Dynamix) | Either UK, Australia or Ireland regions. |
Stats Perform Affiliates | ||
Stats LLC | Data hosting | USA |
Perform Content Services Limited | Data hosting | UK |
RunningBall GmbH | Data hosting | Switzerland |
RunningBall Informacao Desportiva Unipessoal, Lda. | Data hosting | Portugal |
RunningBall SDN BHD | Data hosting | Malaysia |
RunningBall Services and Consulting Limited | Data hosting | Cyprus |
RunningBall Sports Information GmbH | Data hosting | Austria |
Opta Sports Data Inc. | Data hosting | USA |
Opta Sports Data Limited | Data hosting | UK |
Opta Sports Data Srl | Data hosting | Italy |
OptaSports SA | Data hosting | Spain |
Part D: Technical and Organisational Measures | |
---|---|
Security Measure | Practice |
Encryption | Industry-accepted encryption practices are applied to the relevant Services to protect data and communications; data is encrypted in transit and at-rest. |
Ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Stats Perform shall use reasonable endeavours to ensure that (a) Services are available to the Licensee’s users during Normal Working Hours; (b) any Defects are remedied in accordance with the MLA; and (c) the Licensee Data uploaded to the Service is backed up on a regular basis. Appropriate security incident management policies and procedures are in place in the event of an incident. The Licensee may contact Stats Perform at any time during Normal Working Hours to report a Defect. Stats Perform shall use reasonable endeavours to provide a fix or workaround of the relevant Defect in accordance with the terms of the MLA. Stats Perform has put in place, and maintains, a written business continuity and disaster recovery plan. |
Ongoing Confidentiality, Integrity, Availability and Resilience | The Services are hosted in secure data centres, primarily Amazon Web Services (AWS) and Google Cloud. Commercially reasonable and appropriate methods and safeguards are utilised to protect the confidentiality, availability, and integrity of Licensee Data (including Licensee Personal Data). Stats Perform ensures that personnel authorised to access Licensee Data (including Licensee Personal Data) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All Stats Perform staff are duly trained on data security and must comply with relevant security practices and policies. System administrators, developers and other users with privileged access receive special and on-going training. Anti-malware and anti-virus controls are maintained to help prevent malicious software from causing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Licensee Data (including Licensee Personal Data). Physical access to our offices is controlled via access cards, fobs and/or biometrics (finger or facial recognition). Our technology is set up, and catered, to comply with any data rights requests made by individuals so as to make it simpler to meet our Licensees’ and our respective obligations under applicable data privacy laws. We are able to retrieve and delete an individual’s personal data upon request from the Licensee. |
Regularly Testing, Assessing and Evaluating the Effectiveness of the Measures | Stats Perform conducts quarterly continuous testing on 2 concurrent end points which is rotated by quarter across end points. Stats Perform’s HR onboarding and off-boarding processes handle provisioning and de-provisioning of accounts and access. When selecting any potential provider involved in the processing of personal data, we undertake appropriate due diligence on those providers to ensure that personal data, if any, that is processed by these third parties is carried out in accordance with applicable data protection laws. We keep and maintain appropriate IT, security and data protection policies internally that address the roles and responsibilities of personnel, including both technical and non-technical personnel, who have access to Licensee Data (including Licensee Personal Data) in connection with providing our Services. These include our Group Data Protection Policy and Information Security Handbook. Where it is necessary to transfer personal data to a provider based outside the UK and/or EEA, and within a country with no EU or UK adequacy decision, we put in place the appropriate safeguards to ensure protection of that personal data and adherence with data privacy laws. In addition, we have robust processes in place that review staff access to systems and respond promptly to security threats. Stats Perform maintains commercially reasonable controls for information governance and data management in connection with the Services. Stats Perform shall make reasonable efforts to use the minimum necessary personal data to provide its Services. |