DATA PROCESSOR AGREEMENT FOR SPOND’S CLUB SOLUTION
This data processor agreement (the “Data Processor Agreement”) is an appendix to the terms of service (the “Terms of Service”) that regulate the use of Spond AS’ (“Spond”) club solution (the “Service”). The parties to the Data Processor Agreement are Spond and the Club that is registered as a user of the Service (the “Club”) on Spond’s web page, and thus has accepted the Terms of Service.
Words and concepts that are otherwise undefined shall have the same meaning as in the Personal Data Act, cf. Article 4 of the Data Protection Regulation.
1. PROCESSING OF PERSONAL DATA
When the Club uses the Service, Spond becomes the data processor for the Club and will be processing its personal data. The Club is the data controller.
Spond shall only process personal data in accordance with the Club’s documented instructions, unless otherwise provided by law. Annex 1 contains the Club’s instructions.
2. ASSISTANCE TO THE DATA CONTROLLER
Spond shall help the Club meet its obligations under prevailing privacy legislation.
2.2 Requests from third parties
If the data subject, public authorities or others request information from Spond regarding the processing of personal data pursuant to this Data Processor Agreement, Spond shall refer the request to the Club.
Spond shall not, except as previously instructed by the Club, transfer or otherwise disclose personal data – or other information related to the processing of personal data – to a third party. If Spond is obligated by law to distribute personal data being processed by Spond on behalf of the Club, Spond must immediately notify the Club.
2.3 Making information available
Spond shall provide to the Club all information and assistance needed to demonstrate that the obligations pursuant to this Data Processor Agreement and privacy laws are being complied with. Spond shall contribute to and make revisions possible, including inspections. Any revisions and inspections will be carried out at the Club’s request, but no more than once per year.
2.4 Correction, deletion and return
By using its access to the Service, the Club can correct and delete personal data and other information that is no longer being processed. Upon termination of the Data Processor Agreement and within three – 3 – months of expiry of the Data Processor Agreement, Spond will, based on the Club’s instruction, delete or return all personal data it has processed on behalf of the Club. The solution’s data export function will execute such return. This applies unless retention of the personal data is required by law.
The Club agrees to Spond’s use of subcontractors. On its website, Spond shall maintain a list of subcontractors, and this list shall reflect any subcontractor changes and serve as notification of the same. Therefore, the Club is encouraged to check the list frequently. The Club may object to subcontractor changes, and in such case, it must notify Spond within fourteen – 14 – days after the change was published. If the Club disapproves of the change, Spond may terminate the agreement governing the Service, effective upon implementation of the change.
Spond shall ensure that authorised subcontractors enter into written agreements that impose upon them the same obligations with regard to the protection of personal data as those set out in this Data Processor Agreement.
4. TRANSFER TO THIRD COUNTRIES
The Club agrees that Spond may transfer personal data to third countries identified in the subcontractor list on Spond’s web page, cf. clause 3. Notification of any changes will also be published there. If the Club withdraws its agreement for transfer of personal data to one or more third countries or disapproves of a change, the Club must notify Spond within fourteen – 14 – days at the latest. If ceasing the transfer is impossible, due to technical or other issues, Spond may terminate the agreement for use of the Service, effective as of the expiry of the notification deadline mentioned above. Spond confirms that the applicable privacy law terms for transfers to third countries are fulfilled for all transfers of personal data to third countries, normally by using the EU standard contract for transfers to data processors in third countries.
5. INFORMATION SECURITY AND CONFIDENTIALITY
Spond shall be obliged to implement and document appropriate technical and organisational measures to protect personal data being processed. Spond shall comply with the Club’s and any prevailing written requirements or policies related to data security.
5.2 Duty to maintain adequate levels of security
Spond shall maintain a sufficient level of security for the processing of personal data, taking the risk of the processing into consideration. Spond shall protect personal data from destruction, modification, unauthorised disclosure or unauthorised access.
5.3 Logging and internal control
Spond shall maintain a log of all categories of processing activities that are carried out on behalf of the Club. Spond shall prepare and keep current a description of technical, organisational and physical measures it undertakes to maintain security and comply with applicable data protection laws, hereunder its security organisation, procedures and risk assessments. The documentation shall be made available to the Club.
Spond shall not, without the Club’s prior written approval, disclose or otherwise make personal data processed pursuant to this Data Processing Agreement available to third parties, except for subcontractors who are engaged in accordance with the Data Processor Agreement.
Spond shall ensure that only persons who need access to personal data in order to provide the Service to the Club may access such data and that they have committed themselves to a duty of confidentiality.
The above-mentioned duty of confidentiality survives the termination of this Data Processor Agreement.
6. PERSONAL DATA BREACH PROCEDURES
In case of a personal data breach, Spond will assist the Club in complying with the Club’s obligations, including the obligation to notify of the personal data breach. Without undue delay, Spond shall notify the Club in writing as soon as it becomes aware of such breach. The notification shall:
- describe the type of personal data breach, including, if possible, the categories and approximate number of data subjects and personal data records that are affected;
- include the name and contact information of the person who can be contacted for more information;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed by Spond to deal with the personal data breach, including, if appropriate, measures to reduce potentially adverse impacts.
7. DURATION OF THE AGREEMENT
The Data Processing Agreement remains in force as long as the Club and Spond have a valid agreement for the use of the Service.
Regardless of the termination provisions, the Club can, if Spond violates prevailing privacy laws, the Data Processor Agreement or instructions given in or pursuant to this Data Processor Agreement, instruct Spond and any subcontractors to stop the processing of the personal data with immediate effect.
The parties’ responsibilities and limitations on liability are set out in the Terms.
9. NOTICES AND OTHER ANNOUNCEMENTS
Security breach notifications and other announcements pursuant to the Data Processing Agreement shall be sent to the other party’s contact as provided in connection with registration of the Club as a user of the Service.
10. CHOICE OF LAW AND JURISDICTION
This Data Processor Agreement shall be governed and construed in accordance with the laws of Norway, with Oslo District Court as venue. This also applies upon termination of the Data Processor Agreement.
Annex 1 to the Data Processor Agreement for the Spond Club Solution
Instructions for data processing
The Club as defined in the Terms

The data controller’s purpose for processing the personal data is:
Manage the Club’s activities, including internal Club communications, member registry management, management of member accounts and other payments, external member communications.

Categories of data
The personal data that will be processed includes the following categories:
- Personal contact information such as name, home address, mobile phone number and email address.
- Age, date of birth and any other information that the Club registers on the data subjects (e.g., the jersey number, jersey size, position, whether the player is injured or not).
- Guardian relations between data subjects.
- If the data subject has provided a valid certificate of good conduct.
- Information on payment demands sent out and their status (paid, not paid, due date, etc.)
- Communications between the Club and the data subjects.

Data subject categories
The data controller’s members, staff and volunteers, members’ guardians

- Collection and retention of personal data in the member registry
- Transmittal of personal data in internal communications
- Collection and storage of personal data in connection with collection/payment of fees

Personal data that is being processed must be deleted according to the following guidelines:
To be deleted within three – 3 – months after termination of the agreement or at the request of the data controller

Subcontractors and transfers to third countries
See overview here