This Data Processing Agreement (“DPA”), by and between Subscriber and Socialie is entered into pursuant to the Subscription Agreement by and between Subscriber and Socialie (the “Agreement”).
1. Definitions. Capitalized terms not otherwise defined in this DPA have the meanings ascribed to them in the Agreement. In this DPA:
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, and
includes a “business” as defined by applicable Data Protection Laws;
“Data Protection Authority” means a legislative, executive, administrative or regulatory entity, judicial body, or other public agency or authority of any country, state, territory, or political subdivision thereof, or a person or entity acting under a grant of authority from or under contract with such public agency or authority, that is authorized by law to enforce, or to oversee or monitor compliance with, Data Protection Laws;
“Data Protection Laws” means all laws and regulations relating to or impacting the processing, privacy or security of Personal Data, in each case as may be amended or replaced from time to time, including (a) the GDPR, (b) any national law of an EU member state adopted pursuant to the GDPR, (c) the Switzerland Federal Act on Data Protection, and (d) the United Kingdom Data Protection Act of 2018;
“Data Subject” means an identified or identifiable natural person, and includes a “consumer” under applicable Data Protection Laws;
“GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data;
“Personal Data” means any information relating to an identified or identifiable natural person, including information that meets the definition of “personal information,” “personal data,” “personally identifiable information,” “sensitive personal information” or similar term under applicable Data Protection Laws and for purposes of this DPA is limited to information Processed by Socialie on behalf of Subscriber in providing the Platform pursuant to the Agreement;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process” and “Processed” shall be construed accordingly; and
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, and includes a “service provider” as defined under applicable Data Protection Laws.
2. Role of the Parties. With respect to the Personal Data subject to this DPA, Subscriber is the Controller and Socialie is the Processor.
3. Description of Processing.
|Duration, nature and purpose of processing|
|Duration of Processing||Unless stated otherwise in the Agreement, or agreed in writing between the parties, Personal Data will be processed for the term of the Agreement, and any such additional period stated in the Agreement.|
|Individuals may include any of:||Suggester users, Publisher users, and Fan users, which may include Subscriber employees and social media users with whom subscriber and/or publisher has a relationship such as athletes and their agents.|
|Categories of Personal Data may include any of:||Names, email addresses, phone numbers, social media handles, social media posts|
|Special categories of Personal Data may include any of:||The Parties do not anticipate that Socialie will Process any special categories of Personal Data.|
4. General Terms.
a. Socialie will Process the Personal Data only on documented instructions from the Subscriber, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by any law to which Socialie is subject, in which case Socialie will inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Socialie will not sell or share (as such terms are defined by Data Protection Laws) Personal Data. Socialie will not:
i. retain, use, or otherwise disclose Personal Data for any purpose other than to provide the Platform and services as specified in the Agreement or outside of the direct business relationship between Subscriber and Socialie; or
ii. combine Subscriber Personal Data with Personal Data Socialie receives from, or on behalf of, another person or persons, or which Socialie collects from its own interactions with an individual,
except as permitted by the Agreement and applicable Data Protection Laws
b. Subscriber generally authorizes Socialie to engage subprocessors to assist with or conduct the processing of Personal Data subject to this DPA. Socialie may make changes to the subprocessors it engages from time to time in its reasonable discretion. Socialie will:
i. provide prior notice to Subscriber of such changes and give Subscriber an opportunity to object to changes concerning the addition or replacement of subprocessors; provided, that (A) Subscriber will not object except with reasonable cause, and that if Subscriber does so object, Subscriber will work in good faith with Socialie to find an alternative subprocessor; and (B) if Subscriber does not object to such change within five (5) business days, Subscriber is deemed to have accepted such subprocessor; and
ii. impose the same data protection obligations as set out in this DPA on such subprocessor.
c. In its performance of the Platform, Socialie will, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk. Socialie shall maintain technical and organizational measures that are consistent with Socialie’s Security Policy.
d. Socialie will:
i. require that persons authorized to process Personal Data under the Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
ii. taking into account the nature of the processing, and at Subscriber’s cost, assist the Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the Data Subject’s rights under Data Protection Laws;
iii. on reasonable request and at Subscriber’s cost, assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Socialie;
iv. promptly delete or return all Personal Data to the Controller after the end of the provision of services relating to processing; provided, that Socialie may retain a copy of the Personal Data for such period of time as is necessary for purposes of compliance with Socialie’s regulatory obligations or applicable laws;
v. Socialie will inform Subscriber if, in its opinion, an instruction from Subscriber to Socialie infringes Data Protection Laws; and
vi. make available to the Subscriber, upon no less than thirty (30) days prior written notice, all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber; provided, that any audit or inspection: (A) may be limited in scope by Socialie to the extent reasonably necessary to prevent the violation of Socialie’s and its subprocessors’ confidentiality obligations related to the information of Socialie’s and its subprocessors’ other clients; (B) shall at all times be supervised by and performed in the presence of Socialie security personnel and in accordance with Socialie’s security policy and procedures; and (C) shall only apply with respect to Socialie’s systems and sites relevant to the processing of Personal Data subject to this DPA or to the extent required in writing by a competent supervisory authority with responsibility for privacy or data protection matters under the GDPR. Each auditor who is not subject to rules of professional conduct requiring confidentiality must enter into a written agreement with Socialie protecting the confidentiality of any information gathered during the conduct of such audit. The results of such audit, as well as any documentation prepared by the auditor or Subscriber as a result of the conduct of such audit, shall be shared with Socialie and be deemed the Confidential Information of both Socialie and Subscriber. Subscriber shall bear its own costs in relation to such audit and shall reimburse Socialie for costs incurred by Socialie in connection with such audits. The parties agree that, as a general matter, the parties will first look to independent third party audit reports provided by Socialie and/or Socialie’s subprocessors to fulfill the foregoing requirements.
5. Personal Data Breach. Socialie will, without undue delay following Socialie’s discovery of any loss or breach of security of the Personal Data, inform the Subscriber of such loss or breach, provide the Subscriber with sufficient information to allow the Subscriber to meet any obligations to report or inform Data Subjects and any data protection authorities of the Personal Data breach under Data Protection Laws. Socialie shall report on the nature of the breach including, to the extent known by Socialie, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned. Socialie shall co-operate with the Subscriber and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data breach.
6. Data Transfer.
a. For purposes of this DPA, “Standard Contractual Clauses” means the Standard Contractual Clauses set out in Decision (EU) 2021/915 with the clauses corresponding to module two (controller to processor) selected. Subscriber (as data exporter) and Socialie (as data importer) shall comply with the Standard Contractual Clauses with respect to Personal Data exported from the European Economic Area to the United States of America or other third country that has not been deemed by the European Commission to ensure an adequate level of protection for such Personal Data. The Standard Contractual Clauses are hereby incorporated into this Agreement by this reference, with the following information deemed selected and prepopulated:
i. Option 2 of Clause 9(a) of the Standard Contractual Clauses, “general written authorization,” is deemed to be selected, with Socialie to inform Subscriber in writing of any addition or replacement of sub-processors at least 14 days in advance.
ii. Clause 7 shall be deemed incorporated into the Standard Contractual Clauses.
iii. Option 1 of Clause 17 of the Standard Contractual Clauses is deemed to be selected, with the law of the EU Member State where the data exporter is established deemed to be selected for purposes of such Clause.
iv. Clause 18(b) of the Standard Contractual Clauses is deemed to be prepopulated with “the EU Member State where the data exporter is established”.
v. Annex I.A of the Standard Contractual Clauses is deemed to be prepopulated as follows: (a) the identity and the contact details of the data exporter are deemed to be prepopulated with the name and address of Subscriber as specified in the Agreement, the “Contact person’s name, position and contact details” is deemed to be the name and contact details of the Subscriber contact on the PO, the “Activities relevant to the data transferred under these Clauses” is deemed to be the provision of the Platform and services as set forth in the Agreement, the “Role” is deemed to state “controller”, and Subscriber’s duly authorized representative is deemed to have signed and dated Annex I.A as of the Effective Date of the Agreement; and (b) the identity and the contact details of the data exporter are deemed to be prepopulated with the name and address of Socialie as specified in the Agreement, the “Contact person’s name, position and contact details” is deemed to be the name and contact details of Socialie’s contact on the PO, the “Activities relevant to the data transferred under these Clauses” is deemed to be the provision of access to the Platform as set forth in the Agreement, the “Role” is deemed to state “processor”, and Socialie’s duly authorized representative is deemed to have signed and dated Annex I.A as of the Effective Date of the Agreement.
vi. Annex I.B of the Standard Contractual Clauses is deemed to be prepopulated with the information specified the relevant sections of Section 3 of this DPA.
vii. Annex I.C is deemed to be prepopulated with the name of the supervisory authority of the jurisdiction of the Subscriber’s main establishment.
viii. Annex II is deemed to be prepopulated with the technical and organizational measures specified in the Socialie Security Schedule.
ix. All other optional clauses are deemed not to be included in the Standard Contractual Clauses.
b. For purposes of this DPA, “UK Addendum” means the addendum to the Standard Contractual Clauses issued pursuant to Section 119A of the United Kingdom Data Protection Act. With respect to Personal Data exported from the United Kingdom to the United States or any other third country that has not been deemed by the United Kingdom to ensure an adequate level of protection for such Personal Data, the Standard Contractual Clauses shall apply to such transfers as provided in Section 6(a), above, the UK Addendum shall be deemed executed between the parties, and the Standard Contractual Clauses shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data from the United Kingdom to countries that have not been the subject of an adequacy decision.
c. Where any mechanism for international transfers of Personal Data ceases for any reason to be a valid means of complying with the restrictions on transferring Personal Data to a third country as set out in Data Protection Laws, or otherwise ceases to apply for any reason, the parties shall act in good faith to agree the implementation of an alternative solution to enable both parties to comply with Data Protection Laws.
7. Term. This DPA will remain effective (and the duration of the processing will last) as long as Socialie provides Platform for Subscriber or processes Personal Data received from Subscriber or in the context of providing Platform for Subscriber.
8. Conflict. In the event of a conflict between this DPA and the Agreement, this DPA will control solely with respect to Socialie’s processing of Personal Data subject to this DPA.
9. Limitation of Liability. The limitations of liability and disclaimers of damages set forth in the Agreement apply to this DPA and each Party’s respective obligations and liability to each other under arising out of or relating to this DPA. Such limitations and disclaimers are hereby incorporated into this DPA by this reference.
Last Revised: August 2, 2022