Sportority Inc. (“Company”) and the Audio Content Provider as named in the IO (“Customer”) have entered into an agreement to monetize the Content (the “Monetization”), as described in the parties' agreement (the “Agreement”) and are agreeing to these Data Protection Terms (“DPA”). This DPA is entered into by Company and Customer and supplement the Agreement. This DPA will be effective, and shall replace any previously applicable terms relating to the subject matter of this DPA.
1.
Introduction
1.
This DPA reflect the parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
2.
Any ambiguity in this DPA shall be resolved to permit the parties to comply with all Data Protection Laws.
3.
In the event and to the extent that the Data Protection Laws impose stricter obligations on the parties than under this DPA, the Data Protection Laws shall prevail.
2.
Definitions and Interpretation
2.1.
In this DPA:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Data Protection Laws” means, any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
“Cross Advertising” means the collection of data through websites or applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on the preferences or interests known or inferred from the data collected.
“Data Subject” means a data subject to whom Personal Data relates.
“Personal Data” means any personal data that is processed by a party under the Agreement in connection with its provision or use (as applicable) of the Monetization.
"Relevant Privacy Requirements" mean all (i) applicable laws, data protection authorities guidelines and opinions, governmental regulations, and court or government agency orders and decrees relating in any manner to the collection, use or dissemination of Personal Data, internet traffic or otherwise relating to privacy rights, or with respect to the sending of marketing and advertising communications; (ii) posted privacy policies; and (iii) for mobile applications, the terms of service for the applicable mobile operating system.
"Security Incident" shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident
The terms “controller”, “processing” and “processor” as used in this have the meanings given in the GDPR.
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3.
Application of this DPA
3.1.
This DPA will only apply to the extent all of the following conditions are met:
3.1.1.
Company processes Personal Data that is made available by the Customer in connection with the Agreement;
3.1.2.
The Data Protection Laws applies to the processing of Personal Data.
3.2.
This DPA will only apply to the Monetization for which the parties agreed to in the Agreement, which incorporates the DPA by reference.
4.
Roles and Restrictions on Processing
1.
Independent Controllers. Each party:
2.
Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Personal Data under the Agreement.
3.
Sharing of Personal Data. In performing its obligations under the Agreement, a party may provide Personal Data to the other party. Each party shall process Personal Data only for (i) the purposes set forth in the Agreement or as (ii) otherwise agreed to in writing by the parties, provided such processing strictly complies with (iii) Data Protection Laws, (ii) Relevant Privacy Requirements and (iii) its obligations under this Agreement. Each party shall not share any Personal Data with the other party (i) that allows Data Subjects to be directly identified (for example by reference to their name and e-mail address); (ii) that contains Personal Data relating to children under 16 years.
4.
Lawful grounds and transparency.
4.1.
Each Party shall maintain a publicly-accessible privacy policy on its mobile apps and websites that is available via a prominent link that satisfies transparency disclosure requirements of Data Protection Laws. Each Party warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use and all required notices as necessary under Data Protection Laws and Relevant Privacy Requirements. Both parties will cooperate in good faith in order to identify the information disclosure requirements and each party hereby permits the other party to identify it in the other party’s privacy policy, and to provide a link to the other party’s privacy policy in its privacy policy, as needed.
4.2.
It is hereby clarified that Customer is the initial Controller of Personal Data. Customer shall rely solely on freely given, specific, informed and unambiguous consent as its legal basis to process Personal Data under the Agreement and this DPA, including by Company.
4.3.
Customer acknowledges that Company and its advertisers use cookies and similar tracking technologies (such as mobile device identifiers) in order to provide the Monetization, including with respect to Cross Advertising. Customer shall ensure that appropriate notice and consent mechanisms as required by Data Protection Laws and Relevant Privacy Requirements are displayed and implemented on all applicable Customer properties from which Personal Data is collected so that Company can serve Cookies lawfully through such properties and provide the Monetization.
4.1.
Data Subject Rights. It is agreed that where either party receives a request from a Data Subject in respect of Personal Data controlled by such party, then such party shall be responsible to exercise the request in accordance with Data Protection Laws. Each party shall provide the other party with reasonable assistance (having regard to the data available to it) to enable the other party to comply with any Data Subject requests received by the other party and to respond to any other queries or complaints from Data Subjects.
4.2.
Mutual Assistance. Each party shall:
4.2.1.
provide the other party with such assistance as the other party may reasonably request from time to time to enable the other party to comply with its obligations under the Data Protection Laws including (without limitation) in respect of security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;
4.2.2.
provide the other party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;
5.
Resolution of Disputes with Data Subjects or Supervisory Authorities. If either party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a "DP Claim"), it shall promptly inform the other party of the DP Claim and provide the other party with such information as it may reasonably request regarding the DP Claim. Where the DP Claim concerns the respective processing activities of one party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim. Where the DP Claim concerns the respective processing activities of both parties, then the parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other party in advance.
5.
Personal Data Transfers
5.1.
Transfers of Personal Data Out of the European Economic Area. Either party may transfer Personal Data outside the European Economic Area if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Laws (such as through the use model clauses or transfer of Personal Data to jurisdictions as may be approved as having adequate legal protections for data by the European Commission).
6.
Protection of Personal Data.
6.1.
The parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both parties shall implement appropriate technical and organizational measures to protect the Personal Data. In the event that a party suffers a confirmed Security Incident, each party shall notify the other party without undue delay and the parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
7.
Liability
7.1.
Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Laws).
7.2.
Where pursuant to Article 82(4) of the GDPR, either Party is found to be liable for the entire damage arising from a breach or breaches of the GDPR relating to activities under this Agreement, in order to ensure effective compensation of one or more individuals, then the other Party shall indemnify that Party for that portion of the compensation attributable to any breaches of GDPR giving rise to the compensation for which it is responsible.
8.
Priority
8.1.
Effect of this DPA. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
9.
Changes to this DPA.
9.1.
If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.
9.2.
Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Company.
9.3.
Notification of Changes. If Company intends to change this DPA under this Section, and such change will have a material adverse impact on Customer, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.