Agreement on Data Processing in accordance with Article 28 GDPR

The Data Controller:

Eversport GmbH
Heiligenstädterstrasse 31,
Stiege 2/501, 1190 Vienna

(hereinafter referred to as “the Contractor” and “Eversports”)

The Data Processor:

Eversports contractual partner 

 

(hereinafter referred to as “the Principal”)

  1. Subject of the Agreement

    1.1 The subject of this contract is the execution of the following tasks:


      • The storage, updating, transfer and deletion of customer, member and/or employee data
      • The transfer (import) of customer, member and/or employee data and product data where relevant
      • Product administration
      • Resource administration (room administration)
      • Activity administration
      • Trainer and teacher administration
      • Processing of support enquiries
      • The possibility of exporting and importing customer data

        For the following purposes:
      • Customer administration 
      • Processing of bookings
      • Transaction processing 
      • Analysis 
      • Adherence to cash register conformity 
      • Customer communication (registration for newsletters) 

This Agreement is to be understood as a supplement to the existing Eversports Corporation Agreement between the Contractor and the Principal.

 

1.2. The following data categories shall be processed:

      • Contact details (first name, surname, address, e-mail, telephone number)
      • Customer information (customer numbers and groups)
      • Account data (creation date)
      • Date of birth
      • Gender
      • Image data (profile image) 
      • Bank details (SEPA, credit card)
      • Booking data 
      • Order data (products, purchase date) 
      • Invoice data 
      • Registration for newsletter

         

1.3. The following categories of data subjects shall undergo processing:



      • Customers 
      • Members
      • Employees 
      • External trainers 
      • Administrators
 
 
 2. Term of Agreement 
This Agreement is concluded for an indefinite period and may be terminated by either party observing the notice period specified in the General Terms and Conditions of Business of Eversports. This Agreement shall end without the requirement of separate declarations upon complete cessation of the Eversports Cooperation Agreement. 
 
The possibility of tendering notice of extraordinary termination for good cause shall not be affected. Such notice of extraordinary termination shall apply – notwithstanding the terms of termination agreed therein – in any event in the same manner with regard to the Eversports Cooperation Agreement in so far as the subject thereof was covered by this Agreement. Only with regard to any remaining elements of performance (which may, from an economic perspective, be reasonably separated) shall the Eversports Corporation Agreement be continued in accordance with the remaining terms thereof. 

 

 

 

3. Duties of the Principal

3.1 The Principal undertakes to obtain the consent of the data subject with regard to the data provided to the Contractor for processing in so far as processing is not necessary within the framework of contractual fulfilment or is not based on another legal basis specified in Article 6 GDPR.

3.2 In particular, the Principal undertakes to process data in special categories (health data) within the framework of customer information only with the express prior consent of the data subject. The Contractor assumes no responsibility with regard to the content entered by the Principal in free text fields.

3.3 The Principal undertakes not to process further, reproduce or publish without the consent of the data subject any customer photographs transmitted by Eversports during the course of a booking.

3.4 The Principal shall alone be responsible for implementing/initiating the timely erasure of data.

3.5 The decision as to any restriction, erasure or rectification of datasets forming the subject of this Agreement shall be made exclusively by the Principal. The Contractor shall therefore act only further to the express and documented instruction of the Principal. In the event that, in this regard, data subjects make direct contact with the Contractor, such enquiries shall be passed on to the Principal.

3.6 The Principal shall include in its newsletter mailing list customers who have booked via the Eversports platform (app, marketplace or widget) only further to their express consent. The terms of Section 107 of the Austrian Telecommunications Act (Telekommunikationsgesetz) or a successor provision must in this context in any event be observed.

4. Duties of the Contractor

4.1 The Contractor undertakes to process data and processing results exclusively within the framework of the Principal’s written instructions. In the event that the Contractor receives an official order to surrender data of the Principal, then in so far as permitted by statute, it must inform the Principal thereof immediately and refer the authority in question to the Principal. In the same manner, any processing of data for own purposes of the Contractor shall require a written order.

4.2 The Contractor declares on a legally binding basis that it has placed all persons entrusted with data processing under a duty of confidentiality prior to commencement of their work or that such persons are subject to a reasonable statutory duty of confidentiality. In particular, the duty of confidentiality incumbent upon the persons entrusted with data processing shall remain operative also further to termination of their work and departure from the Contractor.

4.3 The Contractor declares on a legally binding basis that it has taken all requisite measures in order to guarantee security of processing pursuant to Article 32 GDPR (for details, see Schedule 1).

4.4 The Contractor shall take the required technical and organisational measures such that the Principal is able to fulfil at all times the rights of data subjects under Chapter 3 of the GDPR (information, access, rectification and erasure, data portability, objection, and automated decision-making in an individual instance) within the statutory time limits, and shall provide the Principal with all requisite information in this regard. If a corresponding request is addressed to the Contractor and if the same shall reveal that the applicant erroneously deems the Contractor to be the Principal in relation to the processing activity operated, the Contractor shall immediately pass the request on to the Principal and notify the same to the applicant.

4.5 The Contractor shall support the Principal in complying with the duties stated in Articles 32 – 36 GDPR (data security measures, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment, prior consultation). The Contractor shall be entitled to invoice any additional costs arising in this regard to the Principal where such costs are not covered by the actual underlying contract.

4.6 With regard to the processing of data transferred by the Principal, the Principal shall be granted the right to inspect and control the data processing facilities. The Contractor undertakes to provide the Principal with any information upon request, which information shall be required for the purpose of verifying observance of the obligations stated in this Agreement.

4.7 Following the end of this Agreement, the Contractor shall be under a duty to anonymize all processing results and documents containing personal data. The Contractor shall be expressly permitted to continue storing and to analyse such anonymized data.

4.8 The Contractor must inform the Principal immediately if it is of the view that any instruction by the Principal breaches data-protection law of the European Union or EU Member States.

4.9 The Contractor undertakes to delete data from local storage media following the import of data from external tools and the integration into the Eversports database.

 

5. Place of execution of data processing

Data processing activities shall be undertaken at least partially also outside the EU/EEA, namely in the USA and Canada. A reasonable level of data protection is based on an adequacy decision by the European Commission pursuant to the terms of Article 45 GDPR.

 

 

6. Sub-processors

6.1 The Contractor may engage sub-processors.
The Contractor shall obtain the requisite consents from the sub-processor within the meaning of Article 28 (4) GDPR.  In this context, it shall be necessary to ensure that the sub-processor enters into the same obligations as those incumbent upon the Contractor on the basis of this Agreement. In the event that the sub-processor does not comply with its data-protection duties, the Contractor shall be liable in relation to the Principal for compliance with the duties of the sub-processor.

6.2 The Contractor shall be entitled to engage other group affiliates as sub-processors, and the Principal hereby gives its advance consent thereto. These are at present, specifically: …

 

 

7. Liability

7.1 Each contracting party shall be liable in principle solely and without restriction for all prejudicial consequences of a breach of data-protection duties within the framework of their contractual and/or statutory area of responsibility and shall, in the event of a claim by third parties, indemnify the respective other party and hold such party harmless.

7.2 The said duty of indemnification shall in particular include – to the extent permissible by statute – also monetary fines imposed by authorities upon a contracting party in respect of conduct attributable to the respective other party.

7.3 Liability on the part of the Contractor shall be limited to two times the annual value (fee) under the Eversports Corporation Agreement and to instances of gross negligence or intent. Both liability for minor negligence and liability for consequential losses shall be excluded.

 

 

8. Concluding provisions

8.1 In the event that any individual parts of this Agreement should be or become invalid, this shall not affect the validity of the remaining terms hereof. Any invalid provision shall be replaced by such permissible/valid term which comes as close as possible to the economic intent and the purpose pursued by the parties.

8.2 This processing agreement shall, unless otherwise agreed in the underlying contract, be subject solely to Austrian substantive law as well as the terms of EU law governing the relevant subject matter, in particular the GDPR. Place of jurisdiction shall be Vienna.

 

Vienna, dated

On behalf of the Principal:

 

Vienna, dated

On behalf of the Contractor:

 

…………………………………………….

 

[Name and job title]

 

…………………………………………….

 

[Name and job title]