Version 2020 February 10
1. Definitions and Interpretations
1.1. For the purposes of this Managed Betting Services Data Protection Agreement (the “MBS DPA”), capitalized terms shall have the following meanings, unless defined elsewhere in this MBS DPA or in the Main Agreement:
“Business Day” shall mean any day except any Saturday, Sunday or a public holiday in the respective countries of incorporation of the Parties to the Main Agreement;
Competent Data Protection Authority” shall mean the relevant data protection supervisory authority which is concerned by the processing of Personal Data in the framework of this MBS DPA.
“Data Protection Legislation” shall mean all applicable data protection legislation, including the GDPR, the California Consumer Privacy Act of 2018 (“CCPA”), any national data protection legislation, and any regulations, guidelines or any other documents issued by a Competent Data Protection Authority, each as amended from time to time;
“GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as amended from time to time;
“Main Agreement” shall have the meaning given to it in clause 2.1 of this MBS DPA.
“MGS Platform Personal Data” has the meaning given to it in clause 5 of this MBS DPA.
“MTS Personal Data” has the meaning given to it in clause 3 of this MBS DPA.
1.2. For the purposes of this MBS DPA, the terms “controller”, “joint controllers”, “processor”, “data subject”, “personal data”, “process”, “processing” and “data breach” shall have the meanings attributed to them in the GDPR.
2.1. The Parties to this MBS DPA are Parties to an existing agreement (the “Main Agreement”) for the provision of risk management services and e-gaming and/or sports betting software and information technology services.
2.2. The purpose of this MBS DPA is to determine the roles and responsibilities of the Parties to the Main Agreement during the provision of the services under the Main Agreement in order to ensure the Parties’ compliance with the applicable Data Protection Legislation.
2.3. The Parties note that they will act as joint controllers with regards to the MTS Personal Data and that Sportradar will act as a Data Processor and Customer will act as a Data Controller with regards to the MGS Platform Personal Data.
3. MTS Personal Data
3.1. To perform the MTS Services agreed in the Main Agreement, the following types of personal data of the following categories of data subjects shall be shared:
a. Location: Location ID (IP Address, ZIP/location of retail or terminal unit) of each end user of the Customer;
b. Account ID for each end user of the Customer;
c. Device ID of each end user of the Customer,
(the “MTS Personal Data”)
3.2. The processing of MTS Personal Data shall consist of:
a. risk management of the Customer’s bookmaking services;
b. in case of suspicious activities – and only if mutually agreed – the Parties to the Main Agreement may share some or all of the following additional personal data for fraud detection and prevention purposes:
- Telephone Number
- Date Account Opened
- IP Address usage (i.e. if the bets are continuously coming from a specific IP address)
- Betting history of the end user.
3.3. The Parties to the Main Agreement shall process the MTS Personal Data for the purpose of the provision of the services under the Main Agreement.
3.4. The Parties to the Main Agreement may not process MTS Personal Data in a way that is incompatible with the purposes under this MBS DPA in relation to the Main Agreement as set out above.
4. Obligations of the Parties regarding MTS Personal Data
4.1. Rights of the Data Subjects
4.1.1. The Parties to the Main Agreement shall cooperate in responding to data subjects’ requests to exercise rights under the GDPR, the CCPA or any applicable Data Protection Legislation.
4.1.2. The Parties to the Main Agreement agree that the responsibility for complying with a data subject request falls to the Customer. The Parties agree to provide reasonable and prompt assistance to each other (within 5 (five) Business Days of such request for assistance) as is necessary to enable them to comply with data subject requests and to respond to any other queries or complaints of any kind whatsoever from data subjects.
4.2. Information Duty
The Customer shall be responsible to inform the data subjects about the personal data collection and processing under this MBS DPA. The Customer shall, in respect of the MTS Personal Data, ensure that its privacy notices and any other form of communication relating to the collection and processing of the MTS Personal Data are clear and provide sufficient information to the data subjects in order for them to understand what of their personal data is collected and shared with other recipients, the circumstances in which it will be shared and the purposes for the data sharing. In particular, the Customer shall include in its privacy notices an explicit reference to Sportradar as an entity with whom their personal data is shared for the purposes under the Main Agreement.
In the event of a dispute or claim brought by a data subject or a Competent Data Protection Authority concerning the processing of Shared Personal Data against either or both Parties to the Main Agreement, the Parties shall inform each other about any such disputes or claims without delay and shall cooperate with a view to settling them amicably in a timely manner.
5. MGS Platform Personal Data
5.1. The Data Processor may process on behalf of the Data Controller the following types of personal data of the end-users of the MGS platform:
a. Name and surname
b. Data of birth
c. ID or passport
d. Email address
e. Phone number
f. IP address
g. Bank account details
h. Credit card number
i. Utility bill
j. Social security number
k. Address (country, state, region, city, street)
n. Security question
(the “MGS Platform Personal Data”).
5.2. The processing of the MGS Platform Personal Data shall consist of:
a. Collection of Personal Data through the MGS platform
b. Storage of Personal Data
c. Access management to Personal Data
d. Support and maintenance of the database
e. Display of Personal Data to the appropriate end-user
f. Personal Data transmission across networks
5.3. The Data Processor shall process the MGS Platform Personal Data on behalf of the Data Controller for the purpose of the provision of the services under the Main Agreement and in compliance with the Data Controller´s written instructions (as set out in the Main Agreement or as may be specified by Data Controller from time to time).
5.4. The Data Processor may not process MGS Platform Personal Data in a way that is incompatible with the purpose under this MBS DPA in relation to the Main Agreement as set out above.
5.5. The Data Processor certifies that it understands the terms of this MBS DPA and agrees to comply with them.
6. Obligations of the Data Processor regarding the MGS Platform Personal Data
6.1. The Data Processor shall process the MGS Platform Personal Data on behalf of the Data Controller in accordance with this MBS DPA and only for the business purpose of provision of the services under the Main Agreement. The Data Processor shall not process MGS Platform Personal Data for any other purpose other than for providing the services and in performance of the Main Agreement. In particular, the Data Processor shall not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, MGS Platform Personal Data to another business, person, or a third party for monetary or other valuable consideration. The Data Processor shall refrain from taking any action that would cause any transfers of MGS Platform Personal Data to or from the Data Processor to qualify as “selling personal information” as the term is defined under the CCPA. The Data Processor shall retain, use or disclose MGS Personal Data only for the specific purpose of performing the services and within the direct business relationship with the Data Controller.
6.2. The Data Processor shall process MGS Platform Personal Data in accordance with the instructions of the Data Controller and in compliance with the Data Protection Legislation. The Data Processor shall inform in writing the Data Controller if the Data Processor believes that any of the instructions of the Data Controller violate the Data Protection Legislation.
6.3. The Data Processor shall not disclose MGS Personal Data to third parties, unless with the express prior written consent of the Data Controller or when legally acceptable. For the avoidance of doubts, the Data Processor´s affiliates and subsidiaries shall not be considered third parties.
The Data Processor may disclose MGS Platform Personal Data to its group affiliates and subsidiaries and to other processors working for the Data Controller for the provision of the services under the Main Agreement.
In case MGS Platform Personal Data shall be accessed and processed from outside the European Economic Area, the Data Processor shall ensure that an appropriate data transfer mechanism is in place as required by the applicable Data Protection Legislation. If the Data Processor shall transfer MGS Platform Personal Data to a third country or international organisation, pursuant to applicable European Union or Member State law, the Data Processor shall inform the Data Controller of that legal requirement beforehand, unless the law prohibits this on important grounds of public interest.
6.4. The Data Controller authorises the Data Processor to appoint – and permit each sub-processor appointed in accordance with this clause to appoint – sub-processors.
The Data Processor may continue to use those sub-processors already engaged by the Data Processor as at the date of this MBS DPA, subject to the Data Processor, in each case as soon as practicable, meeting the obligations set out herein.
If any processing operation shall be subcontracted, the Data Processor shall notify in writing the Data Controller 30 (thirty) Business Days in advance, indicating the processing operations to be subcontracted and clearly and unequivocally identifying the subcontractor and its contact details. If, within 30 (thirty) days of receipt of the notice, the Data Controller notifies the Data Processor in writing of any objections on reasonable grounds to the proposed appointment:
a. the Data Processor shall work with the Data Controller in good faith to make available a commercially reasonable change in the provision of the data processing services agreed under the Main Agreement;
b. where such a change cannot be made within 90 (ninety) days as of the receipt of the Data Controller’s notice by the Data Processor, the Data Controller may, by written notice to the Data Processor, terminate with immediate effect the Main Agreement to the extent that it relates to the services which require the use of the proposed sub-processor.
The subcontractor, which shall also be considered a processor for the purposes of this MBS DPA, shall be equally obliged to comply with the obligations set forth in this MBS DPA for the Data Processor and with the instructions issued by the Data Controller. The Data Processor shall regulate its contractual relationship with the subcontractor so that the subcontractor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements regarding adequate personal data processing and guaranteeing the rights of the data subjects.
6.5. The Data Processor shall maintain the duty of secrecy regarding the MGS Platform Personal Data, even after the termination of the Main Agreement.
6.6. The Data Processor guarantees that the individuals authorised to process MGS Platform Personal Data expressly undertake in writing to respect the confidentiality of the MGS Platform Personal Data and to comply with the relevant security measures, of which they shall be duly informed. The Data Processor shall keep documentation accrediting compliance with this obligation available for the Data Controller.
6.7. The Data Processor shall assist the Data Controller in meeting its obligations in relation to data subjects’ requests to exercise rights under the GDPR, the CCPA or any other applicable Data Protection Legislation. The Data Controller shall reimburse the Data Processor for its reasonable charges for such assistance.
When data subjects exercise any such rights before the Data Processor, the Data Processor shall notify the Data Controller immediately but in any event not later than 5 (five) Business Days following the receipt of the request. The notification shall be accompanied, where appropriate, by other information that may be relevant to resolve the request.
6.8. The Data Processor shall support the Data Controller in sending prior consultations to Competent Data Protection Authorities, when appropriate.
6.9. The Data Processor shall support the Data Controller in conducting data protection impact assessments, when appropriate.
6.10. The Data Processor shall provide the Data Controller with all the information necessary to demonstrate compliance with its obligations under the Data Protection Legislation and shall allow audits and inspections to be carried out by an independent auditor mutually agreed by the Data Controller and the Data Processor, at the cost of the Data Controller.
6.11. The Data Processor shall promptly delete all MGS Platform Personal Data provided by the Data Controller in its entirety from its systems and destroy any copies it made of the MGS Platform Personal Data after completing the service unless and to the extent that the Data Processor is required to retain copies in accordance with the applicable legislation.
7. Obligations of the Data Controller regarding MGS Platform Personal Data
7.1. The Data Controller shall provide the MGS Platform Personal Data or otherwise make the MGS Platform Personal Data available to the Data Processor.
7.2. The Data Controller shall, at the time when MGS Platform Personal Data is obtained, provide the data subjects with all information about the collection and processing of the MGS Platform Personal Data and collect consent as required by the GDPR and any other applicable Data Protection Legislation.
7.3. The Data Controller shall supervise the processing operations performed by the Data Processor. The Data Controller may issue instructions about the type, scope and method of processing of the MGS Platform Personal Data in writing.
8. Term and Termination
This MBS DPA shall be bound to the term of the Main Agreement.
9. Data Security
9.1. The Parties to the Main Agreement shall implement appropriate technical and organisational measures to:
a. ensure a level of security appropriate to the risk involved to protect all Personal Data from unauthorized use, alteration, access or disclosure, and loss, theft, and damage;
b. ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
d. test, assess and evaluate the effectiveness of technical and organisational measures implemented for ensuring the security of the processing of the Personal Data;
e. pseudonymise and encrypt the Personal Data, as appropriate;
f. prevent a personal data security breach.
9.2. The Parties to the Main Agreement shall keep accurate records of the security measures which they have in place and shall make such records available to the other Party upon request.
10. Data Breach
The Parties to the Main Agreement shall notify any potential or actual losses of Personal Data to the other Party as soon as possible and, in any event, within 48 (forty-eight) hours of identification of any potential or actual loss in order to consider what action is required to resolve the issue in accordance with the Data Protection Legislation.
11.1. The Parties to the Main Agreement shall maintain the duty of secrecy regarding the Personal Data, even after the termination of the Main Agreement.
11.2. The Parties to the Main Agreement guarantee that the individuals authorised to process Personal Data expressly undertake in writing to respect confidentiality and to comply with the relevant security measures, of which they must be duly informed.
12. Contact Point
The following contact person within Sportradar can be contacted in respect of queries, complaints or notifications of any kind whatsoever regarding this MBS DPA or the Data Protection Legislation and for the purposes of receipt of notices under this MBS DPA:
Name and Position: Stefano Celardo (Data Protection Officer)
Tel.: +43 1 256 31 41 548
13.1. In the event of any conflict between the terms of this MBS DPA and any provision of the Main Agreement and any other agreement between the Parties, this MBS DPA shall take precedence solely with respect to any data protection matters.
13.2. This MBS DPA shall be governed by and construed in accordance with the laws chosen by the Parties in the Main Agreement.
13.3. All disputes arising out of or in connection with this MBS DPA shall be subject to the exclusive jurisdiction of the court(s) chosen by the Parties in the Main Agreement.
13.4. The provisions of this MBS DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision and the rest of this MBS DPA shall remain in full force and effect.
13.5. Any amendment to this MBS DPA must be made in writing upon mutual agreement by the Parties.