Data Processing Agreement
Effective November 30, 2021
Effective December 1, 2021
In connection with the Subscription Agreement between you (“Organisation”, “Data Controller”) and SportsEngine, Inc., a Delaware corporation having its registered address at 807 Broadway, Minneapolis, MN 55413 (“SportsEngine”, “Data Processor”). SportsEngine, Inc. is part of NBC Sports Next, a subdivision of NBC Sports within the NBCUniversal Media group of companies. The terms of this Data Processing Agreement (“DPA”) shall govern the processing of Organisation Data by SportsEngine as a data processor.
Unless otherwise agreed and except where the contrary intention is obvious, if there is any conflict between the terms of this DPA and any Existing Agreement, this DPA shall take precedence.
“Organisation Data” means any Personal Data that relates to the Organisation’s Members (including athletes, parents/legal guardians of athletes, the Organisation’s workforce (which includes volunteers, coaches, and Administrators (as defined in the Subscription Agreement)) or other associated persons of the Organisation that benefit as end-users of the Software and/or Services, collectively known as “Members”) provided to SportsEngine in relation to SportsEngine’s provision of the Software and/or Services, as detailed in the Subscription Agreement.
“Personal Data” means any information that relates to an individual person and that, alone or in combination with other data, can be used to identify, contact, or precisely locate an individual person, or other information that constitutes “personal data” under applicable Data Protection Law.
“SCCs” means the unchanged, EU Commission-approved version of the standard contractual clauses in Commission Decision 2021/914/EU (as set out in https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN), or any successor clauses that have been approved by the European Commission, or any equivalent clauses issued by the UK or Swiss authorities.
“Data Protection Legislation” means all laws relating to the processing of personal data, privacy and security, including, without limitation, the UK Data Protection Act 1998, the UK GDPR, the EU General Data Protection Regulation 2016/679, the EU Privacy and Electronic Communications Directive 2002/58/EC, as implemented in each jurisdiction, and all amendments, or all other applicable or replacement international, regional, federal or national data protection laws.
Terms such as “data controller”, “data processor”, “personal data” and “personal data breach” shall have the meanings (or reasonable equivalents) ascribed to them in the applicable Data Protection Legislation.
1.2 APPOINTMENT AND INSTRUCTIONS
Organisation hereby instructs SportsEngine to process Organisation Data in accordance with this DPA and as required to provide the Services and/or Software.
1.3 PROCESSING OVERVIEW
The categories of Organisation Data to be processed by SportsEngine, the processing activities to be performed under this Agreement, and the subcontractors and processing locations that have been approved by Organisation are set out in Schedule 1 (Processing Overview).
1.4 DATA PROCESSOR OBLIGATIONS
1.4.1 Only process Organisation Data in accordance with Organisation’s reasonable, lawful and documented instructions given from time to time, including in the Existing Agreement, this DPA and any applicable Order Forms;
1.4.2 ensure its personnel who may be required by SportsEngine to assist it in meeting its obligations under the Agreement are under a binding obligation to protect the confidentiality of Organisation Data;
1.4.3 implement and maintain appropriate technical and organisational measures to protect Organisation Data, including the measures described in Schedule 2 to this DPA, which may be revised by SportsEngine from time to time in its sole discretion, and including, as appropriate: (i) the pseudonymisation and encryption of Client Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Organisation Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
1.4.4 taking into account the nature of the processing, provide Organisation with reasonable assistance and co-operation, insofar as this is possible, to assist the Organisation in complying with its obligations under Data Protection Legislation with respect to an Organisation Data breach, individual rights requests from Members, and otherwise as required by Data Protection Legislation;
1.4.5 provide Organisation with such information as is necessary to demonstrate compliance with this DPA and, where required by applicable Data Protection Legislation, allow Organisation to audit SportsEngine’s processing of personal data (the terms of which to be agreed by the parties); the parties may agree that such audit shall include a physical inspection where the documentation provided by SportsEngine fails to demonstrate its compliance with Data Protection Legislation;
1.4.6 subcontract processing of personal data only pursuant to a written agreement that shall impose obligations no less onerous than those set out in this DPA and shall remain liable for the actions of its Sub-Processors. Organisation acknowledges and agrees that SportsEngine may engage the Sub-Processors listed in the Processing Overview / Appendix 1 to the C2P SCC. Organisation may reasonably object to SportsEngine using a new Sub-Processor by notifying SportsEngine promptly in writing within ten (10) days after receipt of SportsEngine’s notice to be provided by email, setting out the reasons for its objection. In the event Organisation objects to a new sub-processor, as permitted in this Condition 1.4.6, SportsEngine will use reasonable efforts to make available to Organisation a change in the Services or recommend a commercially reasonable change to Organisation’s configuration or use of the Services to avoid processing of Organisation Data by the objected-to new Sub-processor;
1.4.7 adopt reasonable measures to ensure legally compliant cross-border transfers of Organisation Data pursuant to this Agreement as further specified in clause 1.5;
1.4.8 notify Organisation without undue delay of any personal data breach, including any accidental, unlawful or unauthorised destruction, disclosure, loss, alteration or access in relation to Organisation Data processed on behalf of Organisation;
1.4.9 upon termination or expiry of the Agreement, at Organisation’s choice, promptly delete, return or transfer to Organisation’s successor all Organisation Data in accordance with Condition 10 of the Subscription Agreement.
1.5 INTERNATIONAL DATA TRANSFERS
If and to the extent SportsEngine’s provision of the Software and/or Services involves the transfer of personal data from an Organisation established in the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to SportsEngine in the United States, the SCC shall be deemed to be incorporated by reference in this Agreement and the provisions of the controller to processor module shall apply. Any onward transfers to sub-processors made by SportsEngine, Inc shall comply with the requirements of the SCC.
If and to the extent SportsEngine’s provision of the Software and/or Services involves the transfer of personal data from SportsEngine to SportsEngine in the United States, or to a sub-processor established in a third country that does not ensure an adequate level of protection as defined by applicable Data Protection Legislation, SportsEngine shall ensure that such transfer complies with applicable Data Protection Law by executing the SCC with the relevant data recipient, using the provisions of the processor to processor module.
Unless otherwise agreed by the parties, where applicable:
1.5.1 Schedules 1, 2 and 3 of this DPA shall apply and be deemed to be Annexes 1, 2 and 3 of the C2P or P2P SCCs;
1.5.2 The optional Docking clause shall apply;
1.5.3 In Clause 9(a) (use of sub-processors), Option 2 (General Written Authorisation) shall apply, and the time period for informing the data exporter of intended changes to the list of sub-processors shall be 30 days;
1.5.4 The optional wording in Clause 11 (Redress) shall not apply;
1.5.5 The following choice of law, forum and jurisdictions shall apply in the following scenarios:
Organisation in the EU:
SCC Clause 17 (Governing Law): Option 2 - the laws of the EU Member State in which the data exporter is established
SCC Clause 18 (Choice of forum and jurisdiction): the courts of the EU Member State in which the data exporter is established
Organisation in the UK:
SCC Clause 17 (Governing Law): Option 1 - the laws of England and Wales
SCC Clause 18 (Choice of forum and jurisdiction): the courts of England and Wales
Organisation in Switzerland:
SCC Clause 17 (Governing Law): Option 1 - the law of Switzerland
SCC Clause 18 (Choice of forum and jurisdiction): the courts of Switzerland
Nothing in this Agreement shall be construed to prevail over any conflicting clause of the SCCs. Each party acknowledges that it has had the opportunity to review the SCCs. In relation to services provided by SportsEngine for the benefit of an Organisation established in Switzerland, the SCCs will be deemed to be modified to include the corresponding Swiss law references and the terms of such modified SCCs will be incorporated by reference into this DPA.
In relation to services provided by SportsEngine for the benefit of an Organisation established in the UK, the SCCs will be deemed to be modified as follows: references to the GDPR will be deemed to be references to the UK GDPR and the UK Data Protection Act 2018, references to “supervisory authorities” will be deemed to be references to the UK Information Commissioner, and references to “Member State(s)” or the EU will be deemed to be references to the UK.
1.6 PARTNER WARRANTIES
Organisation warrants that its collection and processing of Organisation Data (including the sharing with SportsEngine under this DPA) shall comply with applicable Data Protection Legislation and that its instructions to SportsEngine shall be lawful.
Processing Overview / Annex 1 to the SCC (processors)
A. LIST OF PARTIES
Details of data exporters (controllers)
The data exporters will be the legal entities identified as “Organisation” in the contract or any applicable order forms
Details of data importers (processors):
Name & Contact
807 Broadway St. NE, Suite 300
Activities relevant to the data transferred under these clauses:
SportsEngine UK Limited
City Quays 1, 7 Clarendon Road
Activities relevant to the data transferred under these clauses: SportsEngine is a provider of technology and management software and services to the data exporter.
B. DESCRIPTION OF TRANSFER / PROCESSING OVERVIEW
1. Categories of data subjects whose personal data is transferred
The personal data transferred concern the following categories of data subjects:
2. Categories of personal data transferred
The personal data transferred concern the following categories of data:
(a) Athletes: Name, date of birth, gender, contact information, information about club membership and membership in sports bodies and associations, ability group, attendance history, competition results, emergency contact, IP addresses and other website and device usage information, as well as any additional comments, notes or information about an athlete submitted by any Member.
(b) Parents / legal guardians or any other athlete’s name, date of birth, and contact details, such as email, phone number and address.
(c) Organisation’s Administrators: Membership in sports bodies and associations, background and/or criminal record checks results for club workforce, depending on role and in accordance with applicable legal requirements.
3. Special Categories of Data / Sensitive Personal Data
4. The frequency of the transfer
The data is transferred on a continuous basis.
5. Nature of the Processing
The personal data transferred will be subject to the following basic processing activities (please specify):
In order to provide the Software and/or Services, SportsEngine will host, maintain and support a system holding Organisation Data. SportsEngine will grant Organisation’s Members electronic access to this system.
6. Purpose of the data transfer and further processing
The purpose of the transfer and processing is as described in paragraph 5 above (nature of the processing).
7. Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
The data importer will retain the personal data for the duration of its agreement with the data exporter or as otherwise specified in the Subscription Agreement, unless instructed by data exporter to return or delete the data at an earlier or later date.
8. Transfers to sub-processors
The authorised sub-processors, and the nature of the processing performed by each one is set out in Annex III. The processing shall be for the duration of the agreement with the Organisation unless SportsEngine notifies the Organisation of a change in sub-processor pursuant to clause 1.4.6.
C. COMPETENT SUPERVISORY AUTHORITY
This will be the data protection authority that supervises the Organisation. In general this will be the data protection authority in the country where the Organisation is.
Annex II to the C2P SCCs - Technical and Organisational Measures
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
This Appendix 2 forms part of the Clauses and must be completed by the parties.
Data importer agrees and warrants that it has implemented and will maintain technical and organisational measures appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. These measures ensure a level of security appropriate to the risks presented by the processing and the nature, scope, context and purposes of the processing, having regard to the state of the art and the cost of their implementation, including as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The measures data importer has taken include, as appropriate and without limitation:
- Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of personal data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the data exporter, its customers or employees; and any anticipated threats or hazards to the confidentiality, security, availability or integrity of such information.
- Adopting and implementing appropriate policies and standards related to security;
- Assigning responsibility for information security management;
- Devoting adequate personnel resources to information security;
- Carrying out verification checks on permanent staff who will have access to personal data;
- Conducting appropriate background checks and requiring employees, vendors and others with access to the personal data to enter into written confidentiality agreements;
- Conducting training to make employees and others with access to personal data aware of information security risks and to enhance compliance with data importer’s policies and standards related to data protection;
- Preventing unauthorized access to the personal data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with data importer’s policies and standards related to data protection on an ongoing basis. In particular, data importer has implemented and complies with, as appropriate and without limitation:
- Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, burglar alarms, video surveillance and exterior security);
- Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements, firewalls, etc.);
- Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization (virtual access controls);
- Data transmission control measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, transport or storage on data media, and transfer and receipt of records. In particular, data importer’s information security program shall be designed (transfer control):
- To encrypt in storage any data sets in data importer’s possession, including sensitive personal data.
- To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside data importer’s IT system or transmitted over a wireless network is encrypted to protect the security of the transmission.
- Data Entry control measures to ensure data importer can check and establish whether and by whom personal data has been input into data processing systems, modified, or removed (input control);
c. Availability and resilience
Availability control includes measures to ensure that personal data are protected against accidental destruction and loss.
d. A process for regularly testing, assessing and evaluating
- Organizational control
- Privacy by default
- Subcontractor supervision measures to ensure that, in the case data importer is permitted to use sub-processors, the data is processed strictly in accordance with the controller's instructions including, as appropriate and without limitation;
- Measures to ensure that personal data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs;
- Measures to ensure that data collected for different purposes can be processed separately including, as appropriate and without limitation, physical or adequate logical separation of client data.
- Taking such other steps as may be appropriate under the circumstances.
Annex III to the C2P SCCs – LIST OF SUB-PROCESSORS
The Sub-Processors SportsEngine engages vary depending on the Software and Services the Organisation receives and the country where they are located. The Organisation has authorised the use of the following sub-processors.