Data Protection Addendum 25-11-2021

Duration of the processing

The Personal Data shall be processed for the term of the SaaS Agreement.

Data Subjects

The Personal Data processed shall concern the following categories of Data Subjects:

1. Employees, Consultants and Temporary Workers;
2. Suppliers, Schools, Customers; and/or
3. Parents/Adult Participants and their Children

Categories of Personal Data

The Personal Data processed shall concern the following categories of Personal Data (please specify):

1. Personal details including:
   1. Name
   2. NI number
   3. Date of birth
   4. Email address
   5. Postal address
   6. Phone number
   7. Emergency contact
   8. Proof of ID
   9. Payscales
   10. Bank details
2. Device details/IP address/unique identifier;
3. Sport related information including:
   1. Salaried hours
   2. Standard hourly rate
   3. Time recorded
   4. Target utilisation
   5. Role
   6. Skills

Special Categories of Personal Data

The Special Categories of Personal Data processed may concern the following categories (please specify):

1. Ethnic Origin
2. Disability Information
3. Medical Information
4. T-Shirt Size

Criminal Convictions

Basic DBS Checks

Processing Operations (i.e. scope, nature and purpose of processing)

Scope and nature of processing:

1. Processing of Personal Data pursuant to the SaaS Agreement may be undertaken on behalf of the Customer, being the pursuit of its commercial functions including its administrative and sport management functions which are supported by the Provider; and
2. Processing of Personal Data may be carried out in order for the Customer to perform a contract with the Data Subject.

The types of processing operations to be carried out by the Provider include:

copy, reproduce, store, distribute, publish, export, adapt, edit and translate the Customer Data to the extent reasonably required for the performance of the Provider’s obligations under the Agreement.

Sub-Processors at the date of signing

1. DEFINITIONS

   1. In this Data Protection Addendum (the “Addendum”) defined terms shall have the same meaning as in the Agreement. In addition, in this Addendum the following definitions have the meanings given below:
      1. “Agreement” means the Software as a Service Operative Terms;
      2. “Applicable Law” means the following to the extent forming part of the law of United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Services:
         1. any law, statute, regulation, byelaw or subordinate legislation in force from time to time;
         2. the common law and laws of equity as applicable to the parties from time to time;
         3. any binding court order, judgment or decree; or
         4. any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
      3. “Authorised Person(s)” means the persons or categories of persons that the Customer authorises to give the Provider written Personal Data processing instructions as identified in the Particulars above and from whom the Provider agrees to accept such instructions;
      4. “Commencement Date” means the date on which the Services commence;
      5. “Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018);
      6. “Controller” has the meaning defined in the Data Protection Legislation;
      7. “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
      8. “processing” has the meaning given to that term in Data Protection Legislation (and related terms such as process, processes and processed have corresponding meanings);
      9. “Processor” has the meaning defined in the Data Protection Legislation;
      10. “Standard Contractual Clauses (SCC)” the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU or such alternative clauses as may be approved by the Commissioner from time to time;
      11. “Sub-Processors” means a Processor engaged by the Provider or by any other Sub-Processor for carrying out processing activities in respect of the Personal Data on behalf of the Customer.
   2. A reference to writing or written includes e-mail.
   3. In the case of conflict or ambiguity between:
      1. any provision contained in the body of this Addendum and any provision contained in the Annexes, the provision in the body of the Addendum will prevail;
      2. any of the provisions of this Addendum and the provisions of the Agreement, the provisions of this Addendum will prevail; and
      3. any of the provisions of this Addendum and any executed SCC, the provisions of the executed SCC will prevail.

2. PERSONAL DATA TYPES AND PROCESSING PURPOSES

   1. The Provider and the Customer agree and acknowledge that for the purpose of the Data Protection Legislation:
      1. the Customer is the Controller and the Provider is the Processor.
      2. The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.
      3. The Particulars describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purpose.

3. CUSTOMER OBLIGATIONS

   1. Without prejudice to the generality of clause 2.1, The Customer will ensure that it has appropriate lawful grounds to transfer the Personal Data and any Special Category Personal Data (as defined by Article 9(1) of the UK GDPR) or Personal Data relating to criminal convictions and offences (as defined by Article 10 of the UK GDPR) to the Provider to process, and, where required, all appropriate consents and notices are in place to enable the lawful transfer of the Personal Data to the Provider for the Term.

4. PROCESSING OF DATA

   1. The Provider, in relation to any Personal Data processed in connection with the performance of its obligations under the Agreement, will:
      1. process Personal Data to the extent and in such a manner, as is necessary for the Business Purpose in accordance with the Customer’s written instructions from Authorised Persons (“Processing Instruction”) for the duration specified in the Particulars.
      2. process the Personal Data only for the specific purpose(s), as set out in the Particulars, unless the Provider receives further instructions from the Customer. The Provider will not process Personal Data in a way that does not comply with this Addendum or Data Protection Legislation.
      3. inform the Customer if the Provider becomes aware of a Processing Instruction that, in the Provider’s opinion, infringes Data Protection Legislation, provided that:
         1. this shall be without prejudice to clauses 2 and 3; and
         2. to the maximum extent permitted by Applicable Law, the Provider shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of that information.
      4. acknowledge any Processing Instructions within 5 Business Days, requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
      5. maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Addendum specifically authorises the disclosure, or as required by Applicable Law. If Applicable Law requires the Provider to process or disclose the Personal Data to a third party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the Applicable Law prohibits the giving of such notice.
      6. reasonably assist the Customer, with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, with reporting to and consulting with the Commissioner.
      7. assist the Customer, in relation to Data Subject rights and data protection impact assessments. The Customer will reimburse the Provider for any time expended at the Provider’s then-current professional services rates, which will be made available to the Customer upon request.
      8. ensure that all personnel who have access to and/or process Personal Data are:
         1. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
         2. have undertaken training on handling Personal Data and how it applies to their particular duties; and
         3. are aware of the Provider’s duties and their personal duties and obligations under this Addendum.

5. TECHNICAL AND ORGANISATIONAL MEASURES

   1. The Provider will at all times implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Personal Data to be protected, having regard to the state of the technological development and the cost of implementing any measures.
   2. Security measures implemented by the Provider, appropriate to the risk involved, may include:
      1. the pseudonymisation and encryption of Personal Data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      4. a process for regularly testing, assessing and evaluating the effectiveness of security measures.
      5. A full list of the Provider’s technical and organisational measures can be found here.

6. PERSONAL DATA BREACH

   1. In respect of any Personal Data Breach, the Provider will, without undue delay after becoming aware of a Personal Data Breach:
      1. Notify the Customer of the Personal Data Breach; and
      2. Provide the Customer with details of the Personal Data Breach. Such details shall contain, at least:
         1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
         2. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
         3. the details of a contact point where more information concerning the personal data breach can be obtained;
         4. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects
         5. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
   2. The Provider will reasonably cooperate with the Customer, in the Customer’s handling of the matter.

7. INTERNATIONAL TRANSFERS

   1. Any transfer of data to a third country or an international organisation by the Provider shall be done only on the basis of documented instructions from the Customer or in order to fulfil a specific requirement under UK law to which the Provider is subject and shall take place in compliance with Chapter V of UK GDPR.
   2. The Customer agrees that where the Provider engages a Sub-Processor in accordance with clause 8 for carrying out specific processing activities (on behalf of the Customer) and those processing activities involve a transfer of Personal Data within the meaning of Chapter V of the UK GDPR, the Provider and the Sub-Processor can ensure compliance with Chapter V of UK GDPR by using SCCs adopted by the Commissioner in accordance with of Article 46(2) of UK GDPR, provided the conditions for the use of those standard contractual clauses are met.

8. APPOINTMENT OF SUB-PROCESSORS

   1. The Customer authorises the Provider to appoint Sub-Processors of Personal Data as confirmed in the Particulars. The Provider confirms that it has entered or (as the case may be) will enter with the Sub-Processors a written agreement incorporating terms which are substantially similar to those set out in this Addendum. The Provider shall ensure that the Sub-Processor complies with the obligations to which it is subject to under this Addendum.
   2. The Provider may appoint different or additional Sub-Processors from time to time for business and operational purposes subject to the provisions of clause 7.2 and 8.3.
   3. The Provider will provide the Customer with reasonable prior notice (not less than ten Business Days) of any proposed change to its Sub-Processors with sufficient details to enable the Customer to object (but only on reasonable grounds and without delay, objection to be received by the Provider no later than five Business Days from the notice of proposed change) where relevant before such change. Parties will act reasonably to try to resolve any reasonable objections, but the Provider may elect to terminate the Agreement and this Addendum in the event the Customer continues to object to new or replacement Sub-Processors.
   4. Sub-Processor change notifications will be provided on the Provider’s website, as an announcement or within the Privacy section of the Provider’s website. An email notification will also be issued to the Privacy Notification Contact(s) as specified in the Particulars.
   5. Where the Sub-Processor fails to fulfil its obligations under the written agreement with the Provider, the Provider remains fully liable to the Customer for the Sub-Processor’s performance of its agreement obligations. The Provider shall notify the Customer of any failure of the Sub-Processor to fulfil its contractual obligations.
   6. The Parties agree that the Provider will be deemed to control legally any Personal Data controlled practically by or in the possession of its Sub-Processors.
   7. At the Customer’s request, the Provider shall provide a copy of such a Sub-Processor agreement and any subsequent amendments to the Customer. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Provider may redact the text of the agreement prior to sharing the copy.

9. COMPLAINTS, DATA SUBJECT REQUESTS AND THIRD-PARTY RIGHTS

   1. The Provider, at no additional cost to the Customer, will promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.
   2. The Provider must notify the Customer:
      1. Without undue delay, in writing, if it receives any complaint, notice or communication from the Commissioner that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation; and
      2. within five Business Days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation. The Provider shall not respond to the request itself, unless authorised to do so by the Customer.
   3. The Provider will give the Customer, its full cooperation and assistance in responding to any Data Subject request under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data. The Customer will reimburse the Provider for any time expended at the Provider’s professional services rates, which will be made available to the Customer upon request.

10. AUDIT

    1. The Provider shall maintain complete and accurate records and information of its processing activities in accordance with Article 30 of the UK GDPR and shall cooperate with and provide such information as reasonably requested by the Customer.
    2. The Provider shall make available to the Customer, all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR, and allow for, and contribute to audits, including inspections where reasonable, conducted by the Customer or another auditor mandated by the Customer.
    3. The Customer will reimburse the Provider for any time expended for any audit at the Provider’s then-current professional services rates, which will be made available to the Customer upon request. Before the commencement of any such audit, the Customer and the Provider will agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer will be responsible.
    4. The Parties shall make the information referred to in this clause 10, including the results of any audits, available to the Commissioner and/or competent supervisory authorities on request.

11. INDEMNITY

    1. The Customer shall indemnify, keep indemnified and defend at its own expense the Provider against all costs, claims, damages or expenses incurred by the Provider or for which the Provider may be liable due to any failure by the Customer or its employees, subcontractors or agents to comply with any of its obligations under these terms or the Data Protection Legislation.

12. TERM AND TERMINATION

    1. These terms shall commence on the Commencement Date and shall terminate automatically upon the termination or expiry of the Agreement. Where the Agreement is extended, these terms shall automatically extend for any renewal Term.
    2. Without prejudice to any provisions of the Data Protection Legislation, in the event that the Provider is in breach of its obligations under this Addendum, the Customer may instruct the Provider to suspend the processing of Personal Data until the latter complies with this Addendum or the Agreement is terminated. The Provider shall promptly inform the Customer in case it is unable to comply with this Addendum, for whatever reason.
    3. The Customer shall be entitled to terminate the Agreement insofar as it concerns processing of Personal Data in accordance with this Addendum if:
       1. the processing of Personal Data by the Provider has been suspended by the Customer pursuant to point (a) and if compliance with this Addendum is not restored within a reasonable time and in any event within one month following suspension;
       2. the Provider is in substantial or persistent breach of this Addendum or its obligations under the Data Protection Legislation;
       3. the Provider fails to comply with a binding decision of a competent court or the competent supervisory authority regarding its obligations pursuant to this Addendum or to the Data Protection Legislation.
    4. The Provider shall be entitled to terminate the Agreement insofar as it concerns processing of Personal Data under this Addendum where, after having informed the Customer that its instructions infringe Applicable Laws in accordance with clause 4.1.3, the Customer insists on compliance with the instructions.

13. EFFECT OF TERMINATION

    1. In the event of termination of the Agreement, the Provider shall:
       1. cease processing the Personal Data;
       2. at the written direction of the Customer, delete all Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or securely return, delete or destroy the Personal Data (save where the Provider must keep a copy of the Personal Data under Applicable Law). Until the data is deleted or returned, the Provider shall continue to ensure compliance with this Addendum.

14. GENERAL

    1. These terms shall be subject to the following provisions in the Agreement: variation, waiver, severance, assignment, entire agreement, third party rights, notices, no partnership or agency and governing law and jurisdiction.

15. NOTICES

    1. Where, under this Addendum, the Provider is required to notify the Customer, such notification will be sent by e-mail to the appropriate notification contact set out in the Particulars.
    2. Contact details may be amended at any time by the Customer by notice in writing to the Provider at privacy@coordinate.cloud. Notices properly addressed and sent in accordance with this clause shall be deemed delivered at the time of sending (if sent during working hours on Business Days), or on the next Business Day (if sent outside working hours on a Business Day).