Data Processing in accordance with Article 28 GDPR
The Data Controller:
Stiege 2/501, 1190 Vienna
(hereinafter referred to as “the Contractor” and “Eversports”)
The Data Processor:
Eversports contractual partner
(hereinafter referred to as “the Principal”)
- Subject of the Agreement
1.1 The subject of this contract is the execution of the following tasks:
- The storage, updating, transfer and deletion of customer, member and/or employee data
- The transfer (import) of customer, member and/or employee data and product data where relevant
- Product administration
- Resource administration (room administration)
- Activity administration
- Trainer and teacher administration
- Processing of support enquiries
- The possibility of exporting and importing customer data
For the purpose of fulfilling the following purposes:
- Customer administration
- Processing of bookings
- Transaction processing
- Adherence to cash register conformity
- Customer communication (registration for newsletters)
This Agreement is to be understood as a supplement to the existing Eversports Corporation Agreement between the Contractor and the Principal
1.2. The following data categories shall be processed:
- Contact details (first name, surname, address, e-mail, telephone number)
- Customer information (customer numbers and groups)
- Account data (creation date)
- Date of birth
- Image data (profile image)
- Bank details (SEPA, credit card)
- Booking data
- Order data (products, purchase date)
- Invoice data
- Registration for newsletter
1.3. The following categories of data subjects shall undergo processing:
- External trainers
3. Duties of the Principal
3.1 The Principal undertakes to obtain the consent of the data subject with regard to the data provided to the Contractor for processing in so far as processing is not necessary within the framework of contractual fulfilment or is not based on another legal basis specified in Article 6 GDPR.
3.2 In particular, the Principal undertakes to process data in special categories (health data) within the framework of customer information only with the express prior consent of the data subject. The Contractor assumes no responsibility with regard to the content entered by the Principal in free text fields.
3.3 The Principal undertakes not to process further, reproduce or publish without the consent of the data subject any customer photographs transmitted by Eversports during the course of a booking.
3.4 The Principal shall alone be responsible for implementing /initiating the timely erasure of data.
3.5 The decision as to any restriction, erasure or rectification of datasets forming the subject of this Agreement shall be made exclusively by the Principal. The Contractor shall therefore act only further to the express and documented instruction of the Principal. In the event that, in this regard, data subjects make direct contact with the Contractor, such enquiries shall be passed on to the Principal.
3.6 The Principal shall include in its newsletter mailing list customers who have booked via the Eversports platform (app, marketplace or widget) only further to their express consent. The terms of Section 107 of the Austrian Telecommunications Act (Telekommunikationsgesetz) or a successor provision must in this context in any event be observed.
5. Place of execution of data processing
Data processing activities shall be undertaken at least partially also outside the EU/EEA, namely in the USA and Canada. A reasonable level of data protection is based on an adequacy decision by the European Commission pursuant to the terms of Article 45 GDPR.
6.1 The Contractor may engage sub-processors.
The Contractor shall obtain the requisite consents from the sub-processor within the meaning of Article 28 (4) GDPR. In this context, it shall be necessary to ensure that the sub-processor enters into the same obligations as those incumbent upon the Contractor on the basis of this Agreement. In the event that the sub-processor does not comply with its data-protection duties, the Contractor shall be liable in relation to the Principal for compliance with the duties of the sub-processor.
6.2 The Contractor shall be entitled to engage other group affiliates as sub-processors, and the Principal hereby gives its advance consent thereto. These are at present, specifically: …
7.1 Each contracting party shall be liable in principle solely and without restriction for all prejudicial consequences of a breach of data-protection duties within the framework of their contractual and/or statutory area of responsibility and shall, in the event of a claim by third parties, indemnify the respective other party and hold such party harmless.
7.2 The said duty of indemnification shall in particular include – to the extent permissible by statute – also monetary fines imposed by authorities upon a contracting party in respect of conduct attributable to the respective other party.
7.3 Liability on the part of the Contractor shall be limited to two times the annual value (fee) under the Eversports Corporation Agreement and to instances of gross negligence or intent. Both liability for minor negligence and liability for consequential losses shall be excluded.
8. Concluding provisions
8.1 In the event that any individual parts of this Agreement should be or become invalid, this shall not affect the validity of the remaining terms hereof. Any invalid provision shall be replaced by such permissible/valid term which comes as close as possible to the economic intent and the purpose pursued by the parties.
8.2 This processing agreement shall, unless otherwise agreed in the underlying contract, be subject solely to Austrian substantive law as well as the terms of EU law governing the relevant subject matter, in particular the GDPR. Place of jurisdiction shall be Vienna.
On behalf of the Principal:
On behalf of the Contractor:
[Name and job title]
[Name and job title]