Data Processing Agreement

Effective December 1, 2021; Updated July 18, 2023

In connection with the Subscription Agreement between you (“Organization”, “Data Controller”) and SportsEngine, Inc. a Delaware corporation, having its registered address at 807 Broadway, Minneapolis, MN 55413 (“SportsEngine”, “Data Processor”). SportsEngine is part of NBC Sports Next, a division of NBCUniversal Media, LLC. The terms of this Data Processing Agreement (“DPA”) shall govern the processing of Organization Data by SportsEngine as a data processor or Service Provider.

Unless otherwise agreed and except where the contrary intention is obvious, if there is any conflict between the terms of this DPA and the Subscription Agreement, this DPA shall take precedence.

1.1 DEFINITIONS

“Organization Data” means any Personal Data that relates to the Organization’s Members that SportsEngine processes in relation to SportsEngine’s provision of the SportsEngine Services and that is not SportsEngine Data. For avoidance of doubt, Organization Data does not include SportsEngine Data even if the same data was also collected as Organization Data and any such duplicate data relating to the Organization’s Members that SportsEngine processes in relation to SportsEngine’s provision of the SportsEngine Services remains Organization Data.

“Personal Data” means any information that relates to an individual person and that, alone or in combination with other data, can be used to identify, contact, or precisely locate an individual person, or other information that constitutes “personal data” under applicable Data Protection Legislation.

“SCCs” means, in respect of Personal Data processed by SportsEngine or its relevant Affiliates in: (a) the EEA and/or processing EEA Personal Data, the unchanged, EU Commission-approved version of the standard contractual clauses in Commission Decision 2021/914/EU (as set out in https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN) (“the EU SCCs”); (b) the UK and/or processing NBCUniversal Personal Data to which Privacy Laws of the United Kingdom apply (“UK Personal Data”), the EU SCCs as modified by the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under s119A(1) of the Data Protection Act 2018 (“UK SCCs”); and (c) Switzerland and/or processing Swiss Personal Data, a version of the EU SCCs that is deemed to be modified as follows: references to “personal data” will be deemed to include references to legal entities (until the revised Federal Act on Data Protection comes into effect) and references to “sensitive data” will be deemed to be references to “sensitive personal data and personality profiles” (“Swiss SCCs”). .

“Data Protection Legislation” all laws relating to the processing of personal data, privacy and security, including, without limitation, the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the UK Data Protection Act 1998, the UK GDPR, the EU General Data Protection Regulation 2016/679, the EU Privacy and Electronic Communications Directive 2002/58/EC, as implemented in each jurisdiction, and all amendments, or all other applicable or replacement international, regional, state, federal or national data protection laws and regulations.

Terms such as “Business”, “data controller”, “data processor”, “personal data”, “personal data breach”, and “Service Provider” shall have the meanings (or reasonable equivalents) ascribed to them in the applicable Data Protection Legislation.

1.2 APPOINTMENT AND INSTRUCTIONS

Organization hereby instructs SportsEngine to process Organization Data in accordance with this DPA and as required to provide the Services and/or Software.

 

1.3 PROCESSING OVERVIEW

The categories of Organization Data to be processed by SportsEngine, the processing activities to be performed under this Agreement, and the subcontractors and processing locations that have been approved by Organization are set out in Schedule 1 (Processing Overview).

1.4 DATA PROCESSOR OBLIGATIONS

SportsEngine shall:

1.4.1 Only process Organization Data in accordance with Organization’s reasonable, lawful and documented instructions given from time to time, including in the Existing Agreement, this DPA and any applicable Order Forms;

1.4.2 ensure its personnel who may be required by SportsEngine to assist it in meeting its obligations under the Agreement are under a binding obligation to protect the confidentiality of Organization Data;

1.4.3 implement and maintain appropriate technical and Organizational measures to protect Organization Data, including the measures described in Schedule 2 to this DPA, which may be revised by SportsEngine from time to time in its sole discretion, and including, as appropriate: (i) the pseudonymisation and encryption of Client Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Organization Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and Organizational measures for ensuring the security of the processing;

1.4.4 taking into account the nature of the processing, provide Organization with reasonable assistance and co-operation, insofar as this is possible, to assist the Organization in complying with its obligations under Data Protection Legislation with respect to an Organization Data breach, individual rights requests from Members, and otherwise as required by Data Protection Legislation;

1.4.5 provide Organization with such information as is necessary to demonstrate compliance with this DPA and, where required by applicable Data Protection Legislation, allow Organization to audit SportsEngine’s processing of personal data (the terms of which to be agreed by the parties);

1.4.6 subcontract processing of personal data only pursuant to a written agreement that shall impose the same obligations set out in this DPA or obligations that are substantially similar and shall remain liable for the actions of its Sub-Processors. Organization acknowledges and agrees that SportsEngine may engage the Sub-Processors listed in the Processing Overview / Appendix 1 to the C2P SCC. Organization may reasonably object to SportsEngine using a new Sub-Processor by notifying SportsEngine promptly in writing within ten (10) days after SportsEngine has provided notice of such change by updating the list of Sub-Processors maintained in the Processing Overview / Appendix 1 to the C2P SCC online, setting out the reasons for its objection. In the event Organization objects to a new sub-processor, as permitted in this Condition 1.4.6, SportsEngine will use reasonable efforts to make available to Organization a change in the Services or recommend a commercially reasonable change to Organization’s configuration or use of the Services to avoid processing of Organization Data by the objected-to new Sub-processor;

1.4.7 adopt reasonable measures to ensure legally compliant cross-border transfers of Organization Data pursuant to this Agreement as further specified in clause 1.5; and

1.4.8 notify Organization without undue delay of any personal data breach, including any accidental, unlawful or unauthorised destruction, disclosure, loss, alteration or access in relation to Organization Data processed on behalf of Organization.

1.4.9 upon termination or expiry of the Agreement, at Organization’s choice, promptly delete, return or transfer to Organization’s successor all Organization Data.

 

1.5 INTERNATIONAL DATA TRANSFERS

If and to the extent SportsEngine’s provision of the SportsEngine Services involves the transfer of personal data from an Organization established in the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to SportsEngine in the United States, the SCC shall be deemed to be incorporated by reference in this Agreement and the provisions of the controller to processor module shall apply. Any onward transfers to sub-processors made by SportsEngine, Inc shall comply with the requirements of the SCC.

If and to the extent SportsEngine’s provision of the SportsEngine Services involves the transfer of personal data from SportsEngine to SportsEngine in the United States, or to a sub-processor established in a third country that does not ensure an adequate level of protection as defined by applicable Data Protection Legislation, SportsEngine shall ensure that such transfer complies with applicable Data Protection Law by executing the SCC with the relevant data recipient, using the provisions of the processor to processor module.

Unless otherwise agreed by the parties, where applicable:

1.5.1 Schedules 1, 2 and 3 of this DPA shall apply and be deemed to be Annexes 1, 2 and 3 of the C2P or P2P SCCs;

1.5.2 The optional Docking clause shall apply;

1.5.3 In Clause 9(a) (use of sub-processors), Option 2 (General Written Authorisation) shall apply, and the time period for informing the data exporter of intended changes to the list of sub-processors shall be 30 days;

1.5.4 The optional wording in Clause 11 (Redress) shall not apply;

1.5.5 The following choice of law, forum and jurisdictions shall apply in the following scenarios:

 

 

1.5.5 The following choice of law, forum and jurisdictions shall apply in the following scenarios:

 

Nothing in this Agreement shall be construed to prevail over any conflicting clause of the SCCs. Each party acknowledges that it has had the opportunity to review the SCCs. In relation to services provided by SportsEngine for the benefit of an Organization established in Switzerland, the SCCs will be deemed to be modified to include the corresponding Swiss law references and the terms of such modified SCCs will be incorporated by reference into this DPA.

1.6 PARTNER WARRANTIES

Organization warrants that its collection and processing of Organization Data (including the sharing with SportsEngine under this DPA) shall comply with applicable Data Protection Legislation and that its instructions to SportsEngine shall be lawful.

 

1.7 US State Data Protection Legislation.

Schedule 4 shall apply to SportsEngine’s processing of Personal Data subject to Data Protection Legislation of US States.

 

 

 

 

 

 

 

 

 

SCHEDULE 1

 

Processing Overview / Annex 1 to the SCC (processors)

A: LIST OF PARTIES:

 

Details of data exporters (controllers)

The data exporters will be the legal entities identified as “Organization” in the contract or any applicable order forms

 

Details of data importers (processors)

Name Address Contact person’s name address and contact details Activities relevant to the data transferred under these clauses

SportsEngine Inc., 807 Broadway St. NE, Suite 300 Minneapolis, MN 55413 [email protected]

SportsEngine is a provider of technology and management software and services to the data exporter.

SportsEngine UK, Limited City Quays 1 7 Clarendon Road Belfast Northern Ireland BT1 3BG [email protected]

 

B. DESCRIPTION OF TRANSFER / PROCESSING OVERVIEW

 

 

1. Categories of data subjects whose personal data is transferred

The personal data transferred concern the following categories of data subjects:

 

Organization’s Members

 

2. Categories of personal data transferred

The personal data transferred concern the following categories of data:

 

Members:

 

(a) Athletes: Name, date of birth, gender, contact information, information about club membership and membership in sports bodies and associations, ability group, attendance history, competition results, emergency contact, IP addresses and other website and device usage information, as well as any additional comments, notes or information about an athlete submitted by any Member.

 

(b) Parents / legal guardians or any other athlete’s name, date of birth, and contact details, such as email, phone number and address.

 

(c) Organization’s Administrators, coaches, volunteers, staff, and club/team managers: Membership in sports bodies and associations, background and/or criminal record checks results for club workforce, depending on role and in accordance with applicable legal requirements.

 

3. Special Categories of Data / Sensitive Personal Data

SportsEngine processes some sensitive personal data, such as financial and credit card data, government identification, race, ethnicity, health data, citizenship, geolocation and gender identity, on behalf of the Organizations.

 

4. The frequency of the transfer

The data is transferred on a continuous basis.

5. Nature of the Processing

The personal data transferred will be subject to the following basic processing activities (please specify):

 

In order to provide the SportsEngine Services, SportsEngine will host, maintain and support a system holding Organization Data. SportsEngine will grant Organization’s Members electronic access to this system.

6. Purpose of the data transfer and further processing

 

The purpose of the transfer and processing is as described in paragraph 5 above (nature of the processing).

7. Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

 

The data importer will retain the personal data for the duration of its agreement with the data exporter or as otherwise specified in the Subscription Agreement, unless instructed by data exporter to return or delete the data at an earlier or later date.

8. Transfers to sub-processors

The authorised sub-processors, and the nature of the processing performed by each one is set out in Schedule 3 / Annex III to the SCCs. The processing shall be for the duration of the agreement with the Organization unless SportsEngine notifies the Organization of a change in sub-processor pursuant to clause 1.4.6.

C. COMPETENT SUPERVISORY AUTHORITY

 

This will be the data protection authority that supervises the Organization. In general this will be the data protection authority in the country where the Organization is.

 

 

SCHEDULE 2

Annex III to the C2P SCCs - Technical and Organizational Measures

Description of the technical and Organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

This Appendix 2 forms part of the Clauses and must be completed by the parties.

 

Data importer agrees and warrants that it has implemented and will maintain technical and Organizational measures appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. These measures ensure a level of security appropriate to the risks presented by the processing and the nature, scope, context and purposes of the processing, having regard to the state of the art and the cost of their implementation, including as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and Organizational measures for ensuring the security of the processing.

The measures data importer has taken include, as appropriate and without limitation:

1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of personal data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the data exporter, its customers or employees; and any anticipated threats or hazards to the confidentiality, security, availability or integrity of such information.

2. Adopting and implementing appropriate policies and standards related to security;

3. Assigning responsibility for information security management;

4. Devoting adequate personnel resources to information security;

5. Carrying out verification checks on permanent staff who will have access to personal data;

6. Conducting appropriate background checks and requiring employees, vendors and others with access to the personal data to enter into written confidentiality agreements;

7. Conducting training to make employees and others with access to personal data aware of information security risks and to enhance compliance with data importer’s policies and standards related to data protection;

8. Preventing unauthorized access to the personal data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection

technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with data importer’s policies and standards related to data protection on an ongoing basis. In particular, data importer has implemented and complies with, as appropriate and without limitation:

a. Confidentiality

(1) Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance and exterior security);

(2) Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements, firewalls, etc.);

(3) Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization (virtual access controls);

b. Integrity

(1) Data transmission control measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, transport or storage on data media, and transfer and receipt of records. In particular, data importer’s information security program shall be designed (transfer control):

i. To encrypt in storage any data sets in data importer’s possession, including sensitive personal data.

ii. To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside data importer’s IT system or transmitted over a wireless network is encrypted to protect the security of the transmission.

(2) Data Entry control measures to ensure data importer can check and establish whether and by whom personal data has been input into data processing systems, modified, or removed (input control);

c. Availability and resilience

Availability control includes measures to ensure that personal data are protected against accidental destruction and loss.

d. A process for regularly testing, assessing and evaluating

(1) Organizational control

(2) Privacy by default

(3) Subcontractor supervision measures to ensure that, in the case data importer is permitted to use sub-processors, the data is processed strictly in accordance with the controller's instructions including, as appropriate and without limitation;

i. Measures to ensure that personal data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs;

ii. Measures to ensure that data collected for different purposes can be processed separately including, as appropriate and without limitation, physical or adequate logical separation of client data.

9. Taking such other steps as may be appropriate under the circumstances.

 

SCHEDULE 3

Annex III to the C2P SCCs – LIST OF SUB-PROCESSORS

The Sub-Processors SportsEngine engages vary depending on the Software and Services the Organisation receives and the country where they are located. The Organisation has authorised the use of the following sub-processors. 

View the full list of sub-processors 

 

SCHEDULE 4

Addendum for the Processing the Data of United States Residents

1. SportsEngine shall not, without Organization’s prior written consent, process Organization’s Personal Data for any independent purposes including outside the direct relationship with the parties, any purposes that are unrelated to providing the Services, or for the commercial benefit of SportsEngine or any of SportsEngine’s other clients (to the extent permitted under Data Protection Legislation, detecting data security incidents, exercising and defending claims, and protecting against fraudulent or illegal activity are not considered commercial benefits).

2. SportsEngine shall not sell or share (as such terms are defined in applicable Data Protection Legislation) Organization Personal Data.

3. SportsEngine shall not combine Organizational Personal Data with or match Organization Personal Data to Personal Data from its own or third parties’ interactions with an individual.

4. SportsEngine shall comply with the obligations of CPRA and shall provide at least the same level of privacy protection as required by CPRA.

5. SportsEngine shall inform Organization if it makes a determination that it cannot meet the requirements of this Addendum or Data Protection Legislation.

6. Organization shall have the right to take reasonable and appropriate steps to help ensure that SportsEngine uses Organization Personal Data in a manner consistent with Organization’s obligations under Data Protection Legislation.

7. Organization shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of Organization Personal Data.

8. If Organization directs SportsEngine to cease or limit processing of sensitive information (as defined by Data Protection Legislation) provided by Organization to SportsEngine, then it shall promptly do so, and cause its personnel to do the same.

9. SportsEngine shall regularly review the security measures it has implemented to protect Organization Personal Data so as to ensure their appropriateness with regard to risk to the rights and freedoms of natural persons, which may evolve over time.

10. SportsEngine shall permit Organization to carry out ongoing manual reviews and automated scans for the purpose of monitoring SportsEngine’s compliance with this Addendum.

11. SportsEngine certifies that it understands and will comply with the requirements and restrictions in this Addendum.