Skip to Main Content

Stats Perform – Controller to Controller DPA

Controller to Controller Addendum to Master Licence Agreement


This Data Protection Addendum (“DPA”) is incorporated into the terms, and forms part, of the Master Licence Agreement (“MLA”) between STATS Perform (as identified on any Work Order executed by the Parties) and the Licensee (as identified on any Work Order executed by the Parties). In the event of any conflict between the MLA and this DPA or any Work Order and this DPA, the DPA shall prevail. All capitalised terms not defined herein shall have the meaning set forth in the MLA.


This DPA applies in the event that STATS Perform, or any of its Affiliates, from within the UK or EEA, transfers or makes available Personal Data to the Licensee for Processing in a jurisdiction outside the UK or EEA, and that jurisdiction is not covered by an “adequacy” finding  made by the UK government or EU Commission (whichever is applicable) or subject to another lawful transfer mechanism which satisfies the requirements of the Data Protection Legislation governing such transfer (for the purposes of this DPA, a “Relevant Data Transfer”).

This DPA incorporates:

  1. The EU Standard Contractual Clauses (“SCCs”) pursuant to the EU Commission’s decision of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries which do not ensure an adequate level of data protection (the “EU SCCs”), specifically Module 1 (Controller-Controller); and
  2. The international data transfer addendum to the EU SCCs issued for use in the UK under Section 119A of the Data Protection Act 2018 as approved 21 March 2022 (the “IDTA Addendum”).

Where the Relevant Data Transfer is governed by the UK GDPR, the IDTA Addendum shall apply. Where the Relevant Data Transfer is governed by the EU GDPR, the EU SCCs shall apply. The Parties agree that by signing and dating the Work Order they agree and accept to be bound by the IDTA Addendum and EU SCCs including Annex 1 and Annex 2 as applicable.

Where the EU SCCs apply to the Relevant Data Transfer, the parties agree that to the following optionality:

  1. Clause 11(a): The Parties do not select the independent dispute resolution option.
  2. Clause 17: The Parties select option 1. The Parties agree that the governing law will be the law of Ireland.
  3. Clause 18(b): The Parties agree that those shall be the courts of Ireland.
  4. Annex I(A): The data exporter is STATS Perform. The data importer is the Licensee. For contact details, please see the relevant Work Order.
  5. Annex I(B): The Parties agree that Annex 2 describes the transfer.
  6. Annex I(C): The competent supervisory authority is the supervisory authority in Ireland.

Annex II: The Parties agree that the technical and organisational measures applicable to the transfer are as set out in Annex 1 to this DPA.

Where the IDTA Addendum applies, the parties agree that the following information shall constitute the table contents for the purposes of the IDTA:

Table 1: Parties

  • Start date: date of the Work Order
  • The Parties: as set out on the Work Order
  • Key contacts: as set out in the Work Order

Table 2: Selected SCCs, Modules and Selected Clauses

The version of the EU SCCs which this IDTA Addendum is appended to, detailed below, including the Appendix information:

  • Date: date of the Work Order
  • Reference: EU SCCs Module 1
  • Other identifier: N/A

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the EU SCCs (other than the Parties), and which for this Addendum is set out above and in the Annexes below.

Table 4: Ending this Addendum when the Approved Addendum Changes:

Without prejudice to the rights of the Parties under the MLA to modify or terminate it, no Party may end this Addendum unilaterally as set out in Section 19 of the IDTA Addendum.

Part 2: Mandatory Clauses

The parties agree to be bound by the Mandatory Clauses set out in the ITDA Addendum.

ANNEX 1 (Technical and Organisational Measures)

The data importer shall ensure it has appropriate technical and organisational measures to ensure the security of any Personal Data received by it under the MLA (including any Work Order or this DPA).  Such measures may include:

  • confidentiality obligations imposed on personnel accessing Personal Data;
  • appropriate access controls;
  • training and policies issued to personnel accessing Personal Data;
  • secure login controls and password use;
  • multi-factor authentication;
  • firewall, anti-virus and data loss prevention software;
  • ISO certification;
  • data breach response plan; and
  • penetration testing.

The data importer shall provide the data exporter with a full list of all technical and organisational measures upon request and without undue delay.

ANNEX 2 (Processing Information)


The personal data transferred concern the following categories of data subjects:

Personal Data contained within the Data or Licensed Materials (as defined in the MLA) which includes information relating to sports players, athletes and related sporting professionals.


The transfers are made for the following purposes:

Use of the Personal Data by the data importer for the purposes set out in the Work Order and MLA.  The processing will be commercial in nature.


The personal data transferred concern the following categories of data and other categories from time to time:

Category of personal data (all sport related)

  • Sports-related Personal Data (including match performance and match event data relating to sporting individuals)
  • Special categories of personal data (all sport related)
  • Sports-related Personal Data (including information relating to injuries and health)


The personal data transferred may be disclosed only to the following recipients or categories of recipients:

The recipients as permitted in the Work Order and/or MLA.


Will be provided on request.


The data being transferred is not Personal Data by nature although may include Personal Data.  Any Personal Data transferred will be publicly available and/or well known.


See Work Order for contact details.


Data importer shall retain the Personal Data for only so long as is required for the purposes.