DATA PROCESSING AGREEMENT FOR PUBLICATION OF EVENT RESULTS
THE PARTIES
1. Brand Channel LTD, with its seat in Dunavarsany, Hungary, who is involved in a Sports Event with participants, who wants to publish event or race results via MYLAPS websites and/or Apps; hereinafter referred to as "Customer";
2. MYLAPS B.V., a company organised under the laws of the Netherlands, whose corporate seat is at Haarlem, the Netherlands, and also acting on behalf of MYLAPS Experience Lab in the Netherlands, hereinafter referred to as "Data Processor" or MYLAPS;
WHEREAS
1. MYLAPS or a group company of MYLAPS and Customer have a relationship where the Customer uses one or more MYLAPS products and/or services for the timekeeping of an Event and all data around that;
2. MYLAPS (also on behalf of MYLAPS group companies) shall execute certain services to Customer, related to personal data, namely the collection and publication of Event Results and Timing/Tracking data for Sports Events (hereafter "Services");
3. Customer needs to comply with data protection legislation and wishes to have MYLAPS secure certain data and therefore Customer wishes to enter into this Data Processing Agreement with MYLAPS;
NOW HEREBY AGREE AS FOLLOWS
1. Meaning of terms Personal Data and Processing
The expression "Process/Processing" shall have the meaning given to it in the General Data Protection Regulation and/or other applicable data protection legislation. Personal data shall mean any information relating to an identified or identifiable natural person. In this Data Processing Agreement Personal Data is defined as any information relating to timing, scoring, ranking, publication of Race Result and additional services such as Live Tracking and Photo/Video (also listed in Annex 1).
2. Processing of Personal Data
2.1 MYLAPS and the persons acting under its authority (as specified in Annex 1) shall only Process such Personal Data insofar as necessary for the performance of the Services and shall only Process such Personal Data by order of and for Customer and in accordance with its instructions, subject to EU or EU member state statutory provisions to the contrary in which case MYLAPS shall inform the Customer of such legal requirement before Processing the Personal Data unless such law prohibits such information on important grounds of public interest. MYLAPS is not allowed to Process the Personal Data for any other purpose and acts as a data processor as defined in the General Data Protection Regulation and/or other applicable data protection legislation. MYLAPS shall immediately inform Customer if, in MYLAPS's opinion, an instruction breaches EU or EU member state data protection provisions.
2.2 MYLAPS shall comply with all applicable data protection laws, rules and regulations including but not limited to the General Data Protection Regulation (insofar as applicable).
3. Customer responsibility
3.1 Customer makes the Personal Data to be processed available to MYLAPS, via uploads on the internet. These uploads can be executed via exports/imports in the MYLAPS software products such as Orbits, Timing&Scoring, EventCMS or specifically designed API communication software portals.
3.2 Customer is responsible for obtaining the consent of the participants for the registration, processing and publication of all Personal Data that is to be processed by MYLAPS. Customer needs to record and save the consent of the Participants.
3.3 This specifically includes Live Tracking, where participants are followed live on the course during the Event. It also includes Photo/Video recordings for publication via screens at the Event and/or publication on the Internet.
3.4 If and when a participant revokes the consent, Customer is obliged to inform MYLAPS with adequate information on this participant. MYLAPS shall then replace the identifiable Personal Data with anonymous information. As a result, the participant is removed from the Data.
3.5 Customer shall make sure that the data to be processed by MYLAPS does not contain illegal or offensive content, and does not include any special Personal Data, such as information on health, biometrics, etcetera.
3.6 Customer needs to make sure that the Personal Data in its possession is properly protected and unauthorized use by its own staff or third parties is not possible. Customer needs to keep usernames and passwords secret and only allow access to those who require access to the Personal Data.
4. Security measures
4.1 MYLAPS warrants it has taken and shall at all times take all appropriate technical and organisational measures to secure the Personal Data and all other information accessed and/or otherwise Processed by MYLAPS on behalf of Customer against unauthorised access, loss or any form of unlawful Processing and shall comply with applicable data protection laws, rules and regulations, by taking among other things, the measures set out in Annex 2. MYLAPS shall warrant an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the Processing and the nature of the data to be protected. The measures shall also aim at preventing unnecessary collection and further Processing of Personal Data.
4.2 Notwithstanding Article 3.1, MYLAPS shall comply with any security requirements expressly required by Customer such as are reasonably necessary to comply with applicable laws, rules and regulations.
5. Audit
5.1 Customer is entitled to periodically inspect compliance with the Data Processing Agreement (including the security measures taken). Customer may contract out this inspection to an external independent auditor. If it emerges from such an inspection that MYLAPS failed to properly comply, in whole or in part, with the Data Processing Agreement and/or any applicable laws, rules and regulations, MYLAPS must bear the costs of such investigation. MYLAPS shall make available all information necessary to demonstrate compliance with its obligations and shall provide all reasonable assistance.
5.2 MYLAPS shall perform regular security checks and shall provide summaries of the outcome of such checks on request, which minimally contain an overview of risks, measures taken to mitigate and remedy such risks, and updates implemented.
6. Transfer/access outside the European Union
MYLAPS shall only Process Personal Data within the European Union and shall not grant access to or transfer Personal Data (or any other information Processed by MYLAPS on behalf of Customer) to a recipient located in a country outside the European Union, unless Customer consented to this in writing prior to such access or transfer. Customer may, at its sole discretion, provide such written consent subject to the fulfilment of further conditions. This obligation is subject to EU or EU member state statutory provisions to the contrary in which case MYLAPS shall inform the Customer of such legal requirement before granting access to or transferring Personal Data unless such law prohibits such information on important grounds of public interest.
7. Subcontracting
7.1 MYLAPS shall not use any subcontractor(s) unless Customer has given its prior written approval of such subcontracting. MYLAPS shall remain fully liable for the performance by any subcontractor of the obligations or parts of it arising out of any agreement between Customer and MYLAPS. Hosting of data on external data servers (such as Microsoft Azure) under the control of MYLAPS is explicitly approved by the Customer. In case the Services include payment traffic, MYLAPS shall outsource all payment traffic related to its Services to an independent internationally renowned payment provider, while applying appropriate safeguards that protect the relevant data subjects' privacy, especially to the extent such payment provider is located outside of the EEA.
7.2 MYLAPS shall also prior to using any subcontractor(s) enter into a written agreement with such subcontractor which obliges this subcontractor to comply with all obligations imposed on MYLAPS in this Data Processing Agreement.
8. Confidentiality
8.1 Anyone acting under the authority of MYLAPS, as well as MYLAPS itself, where they have access to Personal Data, may only Process such Personal Data if they are required to treat as confidential the Personal Data which comes to their knowledge, except where the communication of such Personal Data is required by the proper performance of their duties or EU or EU member state law to which MYLAPS is subject in which case MYLAPS shall inform the Customer of such legal requirement before communicating the Personal Data unless such law prohibits such information on important grounds of public interest.
8.2 All Personal Data and all other information provided by Customer including all copies in whatever form in MYLAPS's possession or control shall further and according to the instructions of Customer at the Customer's choice either be i) destroyed, or ii) returned to Customer upon the Customer's first request, unless EU or EU member state law requires MYLAPS to store the data in which case MYLAPS shall inform the Customer of such legal requirement unless such law prohibits such information on important grounds of public interest.
9.1 MYLAPS shall keep the Personal Data logically separate from data Processed on behalf of any other third party and from its own data. When the information is meant for publication on the internet, this may be an integrated part of a large quantity of Data.
9.2 MYLAPS shall grant applicable supervisory authorities and other competent authorities where such authorities have the legal right to carry out an investigation of Customer's or MYLAPS's Processing activities, such access to its premises, computer and other information systems and records as may be reasonably required.
9.3 MYLAPS shall implement appropriate procedures and any associated measures that will ensure that Customer's instructions can be complied with, including but not limited to complying with any request of a data subject to access, correct, supplement, delete or block Personal Data. MYLAPS shall assist Customer, where necessary and upon Customer's first request, in ensuring compliance with any data protection obligations including but not limited to those deriving from the carrying out of a data protection impact assessment and from prior consultation of a supervisory or other competent authority.
9.4 MYLAPS shall notify Customer immediately (and at least within 36 hours) of, and provide details of:
i) any known breach of its technical and/or organisational security measures, any possible Personal Data leakage, loss, unauthorised access, or any form of unlawful Processing, any known breach of confidentiality obligations or any other violation of applicable data protection laws, rules and regulations, as well as a) cooperate with Customer upon such company's first request to provide adequate information to data subjects and b) include in such report all details which allow Customer to comply with the General Data Protection Regulation and/or other applicable data protection laws, rules and regulations and provide all information which Customer requests;
ii) any investigation of any supervisory authority or other competent authority insofar as this is allowed pursuant to applicable laws, rules and regulations; and/or
iii) any complaint, question, or request of a data subject whose Personal Data are Processed.
9.5 In the event of a conflict between a provision in this Data Processing Agreement and a provision in any other agreement between Customer and MYLAPS (including any general terms and conditions), the provision in the Data Processing Agreement shall prevail.
9.6 This Data Processing Agreement shall be governed by and construed in accordance with Dutch law. Any dispute arising in connection with this Data Processing Agreement shall be submitted to the exclusive jurisdiction of the competent court in Amsterdam, the Netherlands.
9.7 Customer may amend this Data Processing Agreement if reasonably required to comply with applicable laws, rules and regulations or by change in the Personal Data Processed.
AGREED by the Parties' following authorised representatives
For and on behalf of Customer
_____________________(Signature)
Name:
Title:
Date:
For and on behalf of MYLAPS
__________________(Signature)
Name:
Title:
Date:
Annex 1
1. Categories of Personal Data and Categories of data subjects: The personal data relates to participants at Sports Events and can consist of:
- Name
- Address, city, country
- Email address
- Telephone number
- Date of birth
- Gender
- Event details, such as name, place, date
- Event Result details, such as (split) times, pace, (overall and categorial) rankings
- Payment details, if part of the Services
2. Nature and purposes of Processing / description of service of MYLAPS:
- Publish these rankings on the internet, with no more information than:
  o Name
  o City
  o Start number
  o Realized time
  o Ranking in the race
  o Age
  o Gender
3. Which employees or groups of employees of MYLAPS have access to which Personal Data and which activities can these staff members perform with the Personal Data:
- MYLAPS Support department
- MYLAPS IT-Software department
Annex 2. Technical and Organizational Security Measures
MYLAPS takes appropriate technical and organisational measures to protect Personal Data against loss or any form of unlawful processing (the “Measures”). The Measures are intended to prevent unnecessary collection and further processing of Personal Data. In particular, MYLAPS arranges for the following technical and organisational Measures:
1. MYLAPS arranges for logical access control to the systems on which Personal Data are processed.
2. MYLAPS arranges for additional protection when sending Personal Data via the Internet, storing Personal Data on portable devices or on removable media such as USB sticks and in other situations in which Personal Data are susceptible to unauthorised access (e.g. Personal Data that can be accessed via the Internet).
3. MYLAPS uses hashing and salting when storing and processing passwords.
4. MYLAPS arranges for spot checks or other forms of audit for compliance with the Measures.
5. MYLAPS arranges for the securing of external network connections using Secure Sockets Layer (SSL) technology.
6. MYLAPS arranges for monitoring of the activities on the systems on which Personal Data are recorded.
7. MYLAPS ensures that all software, browsers, virus scanners and operating systems are kept up to date and that all security measures of the supplier of the software, browsers, virus scanners and operating systems are immediately installed.
8. MYLAPS has appointed a Data Processing Officer who is responsible for data security and who arranges for the coordination of data security. That officer monitors the process, draws up procedures and acts as the contact within MYLAPS’s organisation with regard to any questions and requests of MYLAPS.
9. The persons who process Personal Data under MYLAPS’s authority and who have access to the Personal Data (the “Users”), including but not limited to employees of MYLAPS, are aware of the vulnerability of the Personal Data, understand the importance of data security and comply with the security measures taken.
10. Functional and technical descriptions of information systems in which Personal Data are processed are available.
11. All Users who have access to the data systems used to process the Personal Data are bound by a duty of confidence in their employment contracts.
12. Procedures are in place to give authorised Users access to the data systems used to process the Personal Data. Those procedures also prevent unauthorised access to the Personal Data.
13. MYLAPS ensures that all the security measures taken are mandatory in the systems and cannot be circumvented by the persons who process Personal Data under MYLAPS’s authority.