Data Processing Addendum
for Coach ISM Services SaaS Cloud Solution
This Data Processing Addendum (“DPA”) forms part of the Agreement concluded between AGAP2 (hereinafter “Coach ISM Services”), with registered address at Rua Sousa Martins, nº 10 3º Dto 1050-217 Lisboa, company number PT507431073, registered at the Commercial registry Office of Lisbon, with share capital of 300 000.00€, and the final Customers.
1. Definitions
Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, Customer acts as the Controller;
Processor means the legal person which processes personal data on behalf of the Controller. For the purposes of this DPA, Coach ISM Services acts as the Processor;
Customer Personal Data means the Data Subjects’ Personal Data processed by Coach ISM Services on Customer’s behalf when providing the services comprised in the Software License Agreement as a SaaS Cloud Solution;
Data Protection Law means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”), and Portuguese Law no. 58/2019 of 8 August (“Portuguese Data Protection Act”).
“Data Subject”, “Processing”, “Personal Data”, “Personal Data Breach”, “Supervisory Authority” shall have the meaning set out in Article 4 of the GDPR.
2. Processing of Personal Data
2.1. The DPA shall apply where Coach ISM Services process the Customer Personal Data as a Data Processor during the provision to Customer of the services described in the Software License Agreement as a SaaS Cloud Solution.
2.2. The purpose of the data Processing is to provide the SaaS Cloud Solution to Customer and it shall be carried out until the provision of services included in the Software License Agreeement terminate. The following table sets out the “Data Processing Specifications”, comprising the purpose of the Processing, the categories of Customer Personal Data that Coach ISM Services processes, the categories of Data Subjects whose Customer Personal Data is processed, the Processing operations, the Processing location, and the Sub-Processors.
Data Processing Specifications | |
---|---|
Purpose of the processing | The processing of Customer Personal Data in order for the Coach lSM to provide the services described in the Software License Agreement when Customer opt for the SaaS Cloud Solution |
Categories of personal data | Contact data; (telephone, email)Identification data: (name, id number, nationality, birthdate)Other categories (Height, Weight, Performance and training data) |
Categories of data subjects | Football Players |
Processing operations | Collection, Structuring, Storage, Erasure. |
Processing location | Portugal, Ireland, Netherlands, France |
Sub-Processors | Microsoft Ireland Operations, Ltd. (Microsoft Azure);Coach lSM shall maintain an updated list of Sub-Processors in use for the provision of services included in the Software License Agreement that may be accessed at Customer’s request. |
Coach ISM Services shall not carry out any kind of processing of Personal Data other than as necessary for the Services included in the Software License Agreement and shall only process Customer Personal Data on documented instructions described in this DPA.
Coach ISM Services shall promptly notify Customer if an instruction for the Processing of Customer Personal Data given by Customer infringes the applicable Data Protection Law.
Coach ISM Services ensures that persons involved in the processing of Personal Data have committed themselves to confidentiality obligations in respect of the Personal Data Processing.
Coach ISM Services will not retain Personal Data any longer than necessary for the purposes of performing its obligations under the Software License Agreement. Upon Customer’s first request, Coach ISM Services will promptly delete and/or return all Personal Data to Customer.
3. Sub-Processing
3.1. Customer hereby provides a general authorization to Coach ISM Services to engage Sub-Processors, subject to compliance with the requirements set out in this DPA.
3.2. In case of intended changes concerning the addition or replacement of Sub-Processors, Coach ISM Services shall inform the Customer.
3.3. Coach ISM Services shall maintain an updated list of Sub-Processors in use for the provision of services included in the Software License Agreement that may be accessed at Customer’s request.
3.4. Coach ISM Services shall engage the authorized Sub-processors with a contract imposing the same obligations concerning the Processing of Personal Data as described in this DPA.
4. Cooperation
4.1. Coach ISM Services shall assist Customer in fulfilling its obligations under Article 28 of the GDPR, notably, where possible, to respond to requests from data subjects exercising their rights, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to Coach ISM Services, and by making available to Customer all information reasonably requested in what regards to the appointment of Sub-Processors.
4.2. Coach ISM Services shall notify Customer without undue delay if it detects that a breach of security leads to a Personal Data Breach of the Customer Personal Data processed on behalf of the Customer.
4.3. Coach ISM Services shall also reasonably cooperate with Customer with respect to any investigations relating to the Personal Data Breach, providing any information reasonably requested by Customer in relation to the Personal Data Breach.
5. Audits
5.1. Coach ISM Services shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
5.2. Both parties agree that this Section 5 sets out the entire scope of the Customer’s audit rights as against Coach ISM Services unless otherwise decided by a Supervisory Authority.
5.3. Customer shall provide Coach ISM Services with at least 1 (one) month’s prior written notice of any audit.
5.4. Customer, or any appointed auditor acting on its behalf, shall only be entitled to conduct an audit once per year of subscription.
5.5. Should the audit be conduct by an independent auditor other than the Customer itself, Customer hereby grants the right to Coach ISM Services of objecting the choice of that auditor. Customer may then propose other auditors subject to the same requirements.
5.6. The scope of the audit shall be limited to systems, processes, and documentation relevant to the Processing of Customer Personal Data, and auditors will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by Coach ISM Services. In this regard, the scope of any audit shall never require Coach ISM Services to disclose to Customer, or to the appointed auditors acting on its behalf, any information of any other Coach ISM Services customer, or any Coach ISM Services trade secret.
5.7. Within the following 15 business days upon the audit, Customer will promptly provide Coach ISM Services with full details regarding the results of the audit.
6. Security Measures
Coach ISM Services Suplier has implemented all measures required pursuant to Article 32 of the GDPR, as well as all the adequate technical and organizational measures, namely encrypting sensitive information, data anonymization, protecting data from unauthorized access, extract report with subject personal data, manage user consent norms and audit all data accesses and permissions.
7. Limitation of liability
Coach ISM Services’s total liability, in the aggregate, for any loss or damages related to the Processing of Personal Data for the provision of the SaaS Cloud Solution services included in the Software Licensed Software (including to its related components and documentation) will be limited to an amount equivalent to the license fee paid by Customer to Coach ISM Services under that License.
8. Final Provisions
8.1. This DPA is governed by the Data Protection Law as well as the Laws of Portugal.
8.2. Any dispute concerning the interpretation or execution of this DPA will fall, in the absence of amicable agreement, under the exclusive jurisdiction of the Portuguese courts.
8.3. This DPA shall become effective on the same date as the Software License Agreement concluded between Coach ISM Services and Customer, and will terminate upon termination of that Software License Agreement.