PERSONAL DATA PROCESSING AGREEMENT

1) PARTIES

This Personal Data Processing Agreement (hereinafter ‘the Data Processing Agreement’) has been drawn up between Company and the User. The parties are referred to collectively as ‘the Parties’ and separately as ‘the Party’.

Together with our terms of service, this is an agreement on the processing of personal data in situations where we are considered to be processing personal data on behalf of you or your organization (so-called "DPA" = data processing agreement). Legally, we are then the personal data processor and you or the organization you represent are the data controller. The company's role as a data controller is described in the terms of use of the service.

2) BACKGROUND AND PURPOSE

2.1

This Data Processing Agreement lays down the terms under which the Processor will process the personal data on the Controller’s behalf in connection with the agreement accepted between the Controller and the Processor on the day User starts using Qridi Sport service regarding services supplied via a data network (hereinafter ‘the Agreement’).

2.2

This Data Processing Agreement will be applied in so far as the Processor serves as the processor and the Controller as the controller of the personal data pursuant to the Agreement, as defined in the EU General Data Protection Regulation (2016/679).

2.3

For the duration of the Agreement’s period of validity, the Processor undertakes to process the personal data according to the terms and requirements of the applicable data protection legislation in order to provide the services required by the Controller in its operations, within the meaning of the Agreement.

3) NATURE, DURATION AND PURPOSE OF THE PROCESSING

3.1

The Processor will process the personal data disclosed to it by the Controller in connection with the services defined in the Agreement as follows:

3.2

The processing of the personal data is necessary to fulfill the Terms of Service accepted by the Controller and the Processor, according to which the services to be delivered via a data network, as described in the Terms of Service, will be procured by the Controller from the Processor and supplied by the Processor to the Controller.

4) DATA CATEGORIES

4.1

The Processing Measures applied to the personal data concern the following categories of personal data:

Required basic data

Additional information, not required, but without it not all features of the service are necessarily available

Information that may contain personal data

Provision of the personal data indicated with an asterisk is a requirement for the provision of the service described in the Agreement.

5) DATA SUBJECTS

5.1

The personal data processed concern the following categories of data subjects:

6) GENERAL RIGHTS AND RESPONSIBILITIES OF THE PARTIES

6.1

The Controller undertakes to

6.2

The Processor undertakes to

6.3

The Processor is entitled to charge for the costs incurred from assisting the Controller according to its price list valid at each time. However, each Party bears their own part of the costs incurred from audits.

6.4

The aforementioned also applies to subcontractors used by the Processor.

This Data Processing Agreement lays down the terms under which the Processor will process the personal data on the Controller’s behalf in connection with the agreement accepted between the Controller and the Processor on the day User starts using Qridi Sport service regarding services supplied via a data network (hereinafter ‘the Agreement’).

7) DATA SECURITY AND BACK-UP COPIES

7.1

The Processor undertakes to implement all the appropriate technical and organisational data security measures required by Article 32 of the General Data Protection Regulation to ensure a sufficient level of security appropriate to the risk associated with the personal data processing in question in each case. To implement this, the Processor must implement all the technical, physical and organisational measures required to ensure a high level of security for the personal data processing and to protect the personal data from unauthorised or unlawful processing, as well as accidental loss, destruction, damage, alteration or disclosure. The security measures mentioned above must, at all times, correspond to the requirements imposed by the data protection legislation and the instructions provided by the Controller.

7.2

The Processor must ensure, by means of agreements or otherwise, that the persons, as well as possible subcontractors, with access to the personal data processed by the Processor comply with confidentiality and other requirements imposed by the data protection legislation. The personal data must only be processed for the purpose agreed upon, as required by work duties or a subcontracting agreement.

7.3

Each Party must ensure that the part of the delivery and the part of the Contracting Party’s own environment that are under the Party’s responsibility according to the Agreement, such as the equipment, communications network, premises and facilities used in the provision of services for which the Party is responsible, are protected against security risks in accordance with the appropriate data security policies followed by the Party and that the procedures related to the protection and back-up of the data are followed. Neither Party is responsible for the data security of the general communications network or any disruptions that may occur therein.

7.4

Each Party is responsible for taking back-ups of their own data and files as well as checking their functionality.

8) PERSONAL DATA BREACHES

8.1

The Processor must notify the Controller of a Personal Data Breach without undue delay after learning of such a breach. After becoming aware of a personal data breach, the Processor must take all the necessary measures to protect the personal data and limit adverse effects.

8.2

The Processor must provide the Controller with the following information about the data breach that has occurred:

8.3

The Processor must document all data breaches, including the facts related to the data breach, its effects and the corrective measures taken.

8.4

If the Customer’s materials in the Software Service have been destroyed, lost, altered or damaged after the Customer has used their ID, or the Customer has otherwise, with their own actions, destroyed, lost, altered or damaged the Customer’s materials in the Software Service, the Company is entitled to charge for the recovery of such materials according to the charging principles agreed upon.

9) SUBCONTRACTORS

9.1

The Processor has the right to use subcontractors in the processing of the personal data, unless otherwise agreed upon in writing between the Parties. By request of the Controller, the Processor must provide information on the subcontractors used by the Processor. If the Processor uses the services of another personal data processor:

9.2

The Processor is fully liable for the performance of the obligations of any other personal data processor it uses in relation to the Controller. The Processor must notify the Controller in writing (e.g email newsletter) of all planned changes that concern adding or replacing other personal data processors. If the Controller does not accept a new subcontractor, it has the right to terminate the Agreement and this Data Processing Agreement, effective in 30 days. After this, the customer's user account is closed.

10) RETENTION OF PERSONAL DATA

10.1

The personal data processed under the Agreement is primarily kept in servers located in the EU. Personal data may be transferred outside the EU for technical reasons. The precondition for such transfer is that the European Commission has found the level of data protection in the target country to be sufficient or that the party receiving the data outside the EU has agreed to establish the appropriate safeguards to protect personal data. Upon request, we will provide you with up-to-date information on all of our personal data processing partners and will further clarify the safeguards in the event of data being transferred outside the EU.

11) CONFIDENTIALITY

11.1

The Parties undertake to keep all materials and information received from the other Party confidential. Confidentiality is otherwise subject to the Agreement’s confidentiality terms.

12) LIABILITIES

12.1

Regarding liabilities related to administrative fines imposed by supervisory authorities or requests made by Data Subjects within the meaning of the Data Processing Agreement, the Parties agree that the general division of liability between the Parties is based on each Party being required to fulfil their own obligations pursuant to the data protection legislation. Therefore, all administrative fines or damages must be paid by the Party who has neglected their statutory obligations defined in the data protection legislation. For the sake of clarity, the Controller is responsible for implementing the rights of Data Subjects within the meaning of the data protection legislation.

12.2

The liabilities between the Parties are otherwise subject to the terms of the Agreement in question regarding damages and limitations of liability.

13) VALIDITY AND TERMINATION OF THE AGREEMENT

13.1

This Data Processing Agreement will enter into force once User start using the software service (creates an account), and it will remain in force until the end of the Agreement’s period of validity. This Data Processing Agreement will end automatically if the Agreement ends. If one of the Parties is in material breach of this Data Processing Agreement and fails to rectify this breach, provided that rectification is possible, the other Party has the right to terminate this Agreement thirty (30) days from the date on which the Parties notified the infringing Party about the breach.

14) APPLICABLE LAW AND SETTLEMENT OF DISPUTES

14.1

This Data Processing Agreement is subject to the legislation applied to the Agreement and the terms of the Agreement concerning the settlement of disputes.

15) OTHER TERMS

15.1

This Data Processing Agreement is an integral part of the Agreement.

15.2

Changes to this Data Processing Agreement must be made in writing and the Company must inform changes in a reasonable way (email and/or in the software service). The Parties undertake to change this Data Processing Agreement if required by the processing of the personal data and its principles as agreed upon between the Parties.

15.3

The processor may not transfer this Data Processing Agreement or its part to a third party without informing (e.g. email newsletter) the controller.