Our Platform
Our Solutions
Our Company
This Data Processing Addendum (“DPA”) forms an integral part of the main agreement (“Agreement”) between Sportority Inc. d/b/a Minute Media and/or its Affiliate entity as set out in the Agreement (“Minute Media”) and the counter party agreeing to those terms (“Customer;” each a “Party” and together the “Parties”). This DPA is entered into by the Parties and supplements the Agreement and any future related documents and business engagements between Parties. This DPA will be effective, and replaces any previously applicable terms relating to its subject matter, from the effective date of the Agreement.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand the terms of this DPA; and (c) you agree, on behalf of Customer, to the terms of this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.
This DPA reflect the Parties’ agreement on the processing of Personal Data in connection with the Parties’ obligations under the Agreement in accordance with the Data Protection Laws.
Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws.
In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.
In this DPA:
(a) “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party. For the purpose of this definition, "control" (including, with correlative meanings, the terms "controlling", "controlled by" and "under common control with") means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
(b) “Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction approved as having adequate legal protections for data by the European Commission currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
(c) “Data Protection Laws” means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including, but not limited to: (i) the Privacy and Electronic Communications Directive 2002/58/EC (as amended, and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); (ii) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); (iii) the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (iv) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), and (v) the Canadian Personal Information Protection and Electronic Documents Act and any substantially similar provincial legislation and any amendments or replacements to the foregoing.
(d) “Data Subject” means an individual to whom Personal Data relates.
(e) “EU-U.S. DPF” means the EU-U.S. Data Protection Framework adopted by the Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the Adequate Level of Protection of Personal Data Under the EU-US Data Privacy Framework.
(f) “European Economic Area” or “EEA” consists of the member states of the European Union (“EU”) and Iceland, Liechtenstein and Norway.
(g) “Personal Data” means any personally identifiable information, including “personal data” or “personal information” (as these terms are defined under the applicable Data Protection Laws) that is processed by a Party under the Agreement or in connection with any services provided therein.
(h) “Security Incident” shall mean any accidental or unlawful use, destruction, deletion, loss, alteration, unauthorized disclosure or processing of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach (as defined under the GDPR) will comprise a Security Incident.
(i) “Standard Contractual Clauses" means (a) where the GDPR applies, the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021, as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en; and (b) with respect to data transfers to which the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which entered into force on 21 March, 2022, as available here: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf ("UK Addendum"); both (a) or (b) above, as applicable, are incorporated herein by reference and subject to the amendments set forth in Schedule A.
(j) “UK-US Bridge” means the Data Protection (Adequacy) (United States of America) Regulations 2023, effective from 12 October 2023.
(k) The terms “controller,” “processing,” and “processor” as used in this DPA have the meanings given to them in the Data Protection Laws. Where applicable, a controller shall be deemed a “Business” and a processor shall be deemed a “Service Provider or "a Contractor", as these terms are defined in the CCPA or CPRA.
(l) Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
The Parties acknowledge and agree that this DPA applies to the extent that: (i) Minute Media processes Personal Data on behalf of the Customer in the course of performing its obligations under the Agreement; and (ii) the Data Protection Laws apply to the processing of such Personal Data.
Independent Controllers. Each Party acknowledges and agrees that it:
(a) is an independent controller of Personal Data under the Data Protection Laws;
(b) will individually determine the purposes and means of its processing of Personal Data; and
(c) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data.
Restrictions on Processing. Section 4.1 will not affect any restrictions on either Party’s rights to use or otherwise process Personal Data under the Agreement.
Sharing of Personal Data. Each Party may provide Personal Data to the other Party during its performance of its obligations under the Agreement. Each Party shall process Personal Data only for (i) the purposes set forth in the Agreement or as (ii) otherwise agreed to in writing by the Parties, provided such processing strictly complies with (a) the applicable Data Protection Laws, and (b) its obligations under this Agreement (the “Permitted Purposes”). Neither Party shall share any Personal Data with the other Party: (i) that allows Data Subjects to be directly identified (for example by reference to their name and e-mail address); or (ii) that contains Personal Data relating to children under 16 years.
Lawful Grounds and Transparency. Each Party shall maintain a publicly-accessible privacy policy on its mobile apps and websites that is available via a prominent link that satisfies transparency disclosure requirements of the applicable Data Protection Laws. Each Party warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use, as well as all required notices, and obtained any and all consents or permissions necessary under the applicable Data Protection Laws. It is hereby clarified that Customer is the initial Controller of Personal Data. Where Customer relies on consent as its legal basis to process Personal Data, it shall ensure that it obtains a proper affirmative act of consent from Data Subjects in accordance with the applicable Data Protection Laws in order for itself and Minute Media to process such Personal Data as set out herein. Customer acknowledges that Minute Media and its advertisers use cookies and similar tracking technologies in order to provide the services under the Agreement, including for the purpose of cross-site or cross-device advertising. Customer shall ensure that appropriate notice and consent mechanisms are displayed and implemented on all applicable Customer properties with respect to the foregoing. Both Parties will cooperate in good faith in order to identify the information disclosure requirements and each Party hereby permits the other Party to identify it in the other Party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.
Data Subject Rights. It is agreed that where either Party receives a request from a Data Subject with respect to Personal Data controlled by such Party, then such receiving Party shall be responsible to exercise the request, in accordance with Data Protection Laws.
Mutual Assistance. Each Party shall provide the other Party with such:
Assistance as the other Party may reasonably request from time to time to enable it to comply with its obligations under the Data Protection Laws including, without limitation, with respect to Security Incidents, breach notifications, impact assessments and consultations with supervisory authorities or other regulators; and
Information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time.
Resolution of Disputes with Data Subjects or Supervisory Authorities. If either Party is the subject of a claim by a Data Subject or a supervisory authority, or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a “DP Claim”), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing and/or settling the DP Claim. Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
Either Party may transfer Personal Data outside the European Economic Area or UK, provided it complies with applicable provisions regarding the transfer of Personal Data to countries outside of the EEA or UK under the Data Protection Laws (such as where the transfer of Personal Data is to an Approved Jurisdiction or to a certified entity under the EU-U.S. DPF or UK-US Data Bridge, or through the use of Standard Contractual Clauses, or other applicable frameworks).
If the Parties process Personal Data outside the EEA, UK or an Approved Jurisdiction, or if the data recipient is a U.S. entity not certified under the EU-U.S. DPF or UK-US Bridge, then the Parties shall be deemed to enter into the Standard Contractual Clauses and/or the UK Addendum, as applicable, subject to any amendments contained in Schedule A, in which event: (i) the Standard Contractual Clauses and/or the UK Addendum are incorporated herein by reference; and (ii) the Customer shall be considered the data exporter and Minute Media shall be considered the data importer (as these terms are defined therein).
The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under the Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data. If a Party suffers a confirmed Security Incident, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree on such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
Notwithstanding anything else in the Agreement, the total liability of either Party towards the other Party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that Party’s liability is capped under the Agreement, provided that the limitation of liability shall not apply to Customer’s indemnification obligations under Section 8 of this DPA.
Customer will defend, indemnify and hold harmless Minute Media and its past or present partners, officers, directors, shareholders, employees, members, affiliates, parent and subsidiary corporations, agents, successors in interests, predecessors in interests and assigns from any cost, charge, damages, claims, settlements, fines, liabilities, expenses (including attorneys’ fees and costs) or losses incurred as a result of Customer’s breach of this DPA.
If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
Customer acknowledges and agrees that Minute Media may amend this DPA as may be required from time-to-time, by posting an amended DPA to this link: https://www.minutemedia.com/policies/data-protection-addendum. Any amendments to the DPA are effective as of the date of posting. Customer’s continued use of the Services after the amended DPA is posted constitutes it’s agreement to, and acceptance of, the terms of the amended DPA.
If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.
If Customer is a controller, then the Parties shall be deemed to enter into the Controller to Controller Standard Contractual Clauses (Module One). If Customer is a processor, then the Parties shall be deemed to enter into the Processor to Controller Standard Contractual Clauses (Module Four).
This Schedule A sets out the Parties' agreed interpretation of their respective obligations under the Standard Contractual Clauses.
The Parties agree that for the purpose of transfer of Personal Data between the Customer (Data Exporter) and the Minute Media (Data Importer), the following shall apply:
(3.1) For Clause 7 of the Standard Contractual Clauses shall not be applicable.
(3.2) For Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
(3.3) For Clause 17, the Parties agree that the clauses shall be governed by the law of the State of Ireland within the EU
(3.4) For Clause 18 the Parties choose the courts of the state mentioned in section 3.4 as their choice of forum.
To the extent the UK Addendum applies, the following shall apply as well:
(4.1) All the information provided under the Standard Contractual Clauses shall apply to the UK Addendum with the necessary changes per the requirement of the UK Addendum. Annexes 1A, 1B and 2 to the UK Addendum shall be replaced with Annexes I–II below, respectively.
(4.2) For Table 4 of the UK Addendum, the Parties agree that either Party may terminate this DPA in accordance with Section19 of the UK Addendum.
The Parties shall complete Annexes I–II below, which are incorporated into the Standard Contractual Clauses by reference.
This Annex forms part of the DPA and describes the technical and organizational security measures implemented by the data importer.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Minute Media shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymization and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
