PERSONAL DATA TRANSFER AGREEMENT
Subject and duration of agreement
- Terms not defined in this document have the meaning given in the Terms of Service available at this address.
- 321 OÜ based in Lõõtsa tn 5, 11415 Tallinn is the Processor (hereinafter: ‘Processor’).
- Each football club creating a Profile, using website services, entering personal data of club players, persons authorised to log in or other data related to the execution of Service Provision Agreement in the Profile is the Entrusting Entity.
- The Entrusting Entity and the Processor have concluded a service provision agreement whose subject is to provide the Entrusting Entity with access to the Website (hereinafter: ‘Proper Agreement’), in relation to which the Entrusting Entity entrusts the Processor with the processing of personal data to the extent necessary for its execution.
- The Entrusting Entity declares that it acts as the Controller of the personal data entrusted to the Processor within the meaning of Regulation (EU) 2016/679 of the European Parliament and Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as GDPR) and is in possession of necessary consents or other documents required by law that authorise the Entrusting Entity to make the data available to the Processor.
- The purpose of the processing is the fulfilment of obligations provided for in the Proper Agreement.
- The duration of the Agreement is in line with the duration of the Proper Agreement.
Types of personal data and categories of persons
- The subject of personal data processing are all types of personal data processed by the Processor on behalf of the Entrusting Entity in conjunction with the execution of obligations resulting from the Proper Agreement, in particular:
- essential personal data (e.g. first name and surname);
- data necessary for communication (e.g. telephone number, address, e-mail address);
- information related to a player’s football career (e.g. position in the field, height, age, preferred leg, duration of agreement, history of games);
- player’s nationality;
- The personal data processed apply in particular to the following categories of persons:
- persons authorized to use the Profile.
Organizational and technical measures
- The Processor is obliged to observe applicable laws related to the protection of personal data, in particular provisions of GDPR.
- Personal data entrusted to the Processor by the Entrusting Entity on the basis of the Agreement shall be processed on servers dedicated to the Website.
- The Processor shall implement appropriate organisational and technical measures to protect the entrusted personal data according to applicable laws, in particular to Articles 28–33 of GDPR.
- The possessing of personal data provided by the Entrusting Entity may solely be executed by persons employed by the Processor, holding a personal authorisation issued by the Processor, and solely when the processing of the personal data specified in the Agreement by the appointed persons is necessary for the correct execution of the Proper Agreement.
- The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are bound by an appropriate statutory obligation of confidentiality, including after termination of the Agreement;
- The Processor is obliged to keep a register of persons authorised to process personal data.
- Processing of personal data is entrusted at the request of the Entrusting Entity. It may in particular consist in entering the data in the Website.
Control and support
- The Entrusting Entity has the right to conduct controls of how the Processor observes the rules of personal data processing in the place where the personal data is processed in conjunction with the Agreement, after having notified the Processor in writing at least 21 working days in advance.
- The Processor shall provide the Entrusting Entity with all information necessary to demonstrate fulfilment of obligations specified in Article 28 of GDPR.
- Taking info consideration the character of the processing and information available to him, the Processor is obliged to support the Entrusting Entity in the fulfilment of obligations specified in Articles 32–36 of GDPR
- If necessary, the Entrusting Entity and the Processor shall cooperate with relevant supervisory bodies in carrying out their tasks.
- The Processor is obliged to inform the Entrusting Entity of any legally binding request from a public administration body to make personal data available, without prejudice to mandatory provisions of law.
- The Processor is obliged to inform the Entrusting Entity about any control activities and any activities of supervisory bodies if they refer to the Agreement. This also applies to situations when the relevant body commences offence or criminal proceedings in conjunction with personal data processing constituting part of data processing performed by the Processor.
- In the event of an inspection carried out by a supervisory body at the Entrusting Entity, offence or criminal proceedings, proceedings related to a claim by data subject or by third party, or in conjunction with any other claim related to data processing by the Processor, the Processor is obliged to support the Entrusting Entity in this respect to the extent possible.
- In a situation referred to in Article 82 of GDPR, the Parties undertake to support each other and to jointly explain facts fundamental to the actual situation.
- Subcontracting shall be understood as services related directly to the execution of Proper Agreement. It does not apply to auxiliary services used by the Processor, such as telecommunications, mail, transport, maintenance services, services for equipment users, disposal of data carriers and other activities aimed at ensuring confidentiality, availability, integrity and capacity of IT equipment and software.
- However, the Processor is obliged to conclude relevant contractual agreements and undertake control activities aimed at ensuring protection and security of data entrusted by the Processor, including when using auxiliary services.
- The Entrusting Entity hereby expresses its general consent to the Processor’s using services of other processing entities (consent to subcontract). The Entrusting Entity expresses its consent to subcontract work provided a contractual agreement compliant with Article 25(2–4) of GDPR is concluded.
- The Processor is obliged to keep a register of entities commissioned to process personal data in relation to the execution of the Agreement.
- The Processor shall inform the Entrusting Entity about entrusting personal data processing to entities other than mentioned in the consent, and the Entrusting Entity has the right to object to the planned change of Processor within 7 days of receiving the notification.
- In case of entrusting the processing to further entities, the Processor shall oblige the entities employed by it to observe provisions of the Agreement and the applicable provisions of law concerning protection of personal data, including in particular GDPR.
Exercising the Rights of Data Subjects
- The Processor is not entitled to autonomously correct, erase or restrict the scope of data processing which it executes on request. He may solely perform these actions on the basis of a documented instruction by the Entrusting Entity, whereas any oral instructions by the Entrusting Entity shall immediately be confirmed in writing. If a data subject contacts the Processor directly, the Processor shall immediately hand over the data subject’s request to the Entrusting Entity.
- Taking into consideration the character of the processing and information available to it, the Processor is obliged to support the Entrusting Entity in the fulfilment of the obligation to respond to data subject requests.
Guarantees of Parties
- The Entrusting Entity declares that the personal data entrusted to the Processor are collected in compliance with applicable provisions of law.
- Parties are obliged to immediately notify each other about any irregularities concerning the processing of personal data or the processing processes themselves.
Deletion/return of data
- After conclusion of cooperation (termination of Agreement or Proper Agreement) or at an earlier time — at the request of the Entrusting Entity — the Processor is obliged to hand over to the Entrusting Entity all documents, data processing and usage results, as well as data sets that are in its possession as a result of the execution of the agreement; or destroy them in a manner consistent with data protection law, with prior consent.
- The deletion of personal data referred to in point 3 should be understood as effective and permanent destruction of the personal data or such permanent modification of the data that will not allow the identification of the data subject, and confirmation of this fact to the Entrusting Entity in writing.
- The documentation serving to prove the correct and compliant performance of Proper Agreement or Agreement shall be kept by the Processor for the required archiving period, also after termination of the contractual relation.
- In matters not covered by the Agreement, the provisions of the GDPR in the current wording shall apply.
- In the event when the law applicable to the Entrusting Entity imposes any specific requirements related to the protection of personal data, other than those adopted in this Agreement, the Entrusting Entity undertakes to notify the Processor of this fact before entrusting any personal data for processing, and the Processor undertakes to comply with these requirements.