This Personal Data Processing Agreement (hereinafter ‘the Data Processing Agreement’) has been drawn up between the Company and the User. The parties are referred to collectively as ‘the Parties’ and separately as ‘the Party’.
Together with our terms of service, this is an agreement on the processing of personal data in situations where we are considered to be processing personal data on behalf of you or your organization (so-called "DPA" = data processing agreement). Legally, we are then the personal data processor and you or the organization you represent are the data controller. The company's role as a data controller is described in the terms of use of the service.
This Data Processing Agreement lays down the terms under which the Processor will process the personal data on the Controller’s behalf in connection with the agreement accepted between the Controller and the Processor on the day the User starts using the Qridi Sport service regarding services supplied via a data network (hereinafter ‘the Agreement’).
This Data Processing Agreement will be applied in so far as the Processor serves as the processor and the Controller as the controller of the personal data pursuant to the Agreement, as defined in the EU General Data Protection Regulation (2016/679).
For the duration of the Agreement’s period of validity, the Processor undertakes to process the personal data according to the terms and requirements of the applicable data protection legislation in order to provide the services required by the Controller in its operations, within the meaning of the Agreement.
The Processor will process the personal data disclosed to it by the Controller in connection with the services defined in the Agreement as follows:
The Processor will supply the Controller with the software service defined in the Terms of Service.
The processing of the personal data is necessary to fulfill the Terms of Service accepted by the Controller and the Processor, according to which the services to be delivered via a data network, as described in the Terms of Service, will be procured by the Controller from the Processor and supplied by the Processor to the Controller.
The Processing Measures applied to the personal data concern the following categories of personal data:
Required basic data
Person’s first and last name*
E-mail address of the coach*
Internal identifier used by the system*
Additional information, not required, but without it not all features of the service are necessarily available
E-mail address of the athlete
Guardian’s e-mail address
Information that may contain personal data
Evaluations of the athlete by the athlete and their peers, coaches and parents
Possible messages between different parties
Images and videos uploaded to the system by the athlete or coach
Accumulated activity data of the athlete
Provision of the personal data indicated with an asterisk is a requirement for the provision of the service described in the Agreement.
The personal data processed concern the following categories of data subjects:
Coach
Athlete
Guardian
Head Coach / Club’s Manager / Organization’s administrator
The Controller undertakes to
(a) process the personal data in compliance with the data protection legislation and this Data Processing Agreement;
(b) carry out the measures necessary to ensure that the personal data transferred to the Processor are processed in compliance with the valid data protection legislation; and
(c) provide the Processor with documented instructions concerning the processing of the personal data, which must comply with the applicable data protection legislation.
The Processor undertakes to
(d) process the personal data only on behalf of the Controller in accordance with the data protection legislation and this Data Processing Agreement;
(e) refrain from disclosing the personal data to a third party or transferring the personal data to a country outside the European Union or the European Economic Area, with the exception of transfers carried out with the prior written consent of the Controller and in accordance with written instructions and the data protection legislation;
(f) only process the personal data according to the documented instructions provided by the Controller in each case, unless otherwise required by the legislation applicable to the Processor. In the event of such a situation, the Processor must immediately notify the Controller of this statutory requirement before processing the personal data, unless giving such a notification is prohibited by law. The Processor must immediately notify the Controller in the event that the Processor notices that the Controller’s instructions are in breach of the valid data protection legislation;
(g) ensure that persons who process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(h) assist the Controller by appropriate technical and organisational methods for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subjects’ rights;
(i) assist the Controller in ensuring compliance with the obligations imposed on the Controller in the data protection legislation, such as security measures, impact assessment and prior consultation;
(j) only process the personal data for the duration of the Agreement’s period of validity and provably destroy or return all the personal data to the Controller depending on which option is chosen by the Controller once legal grounds for the processing of the personal data cease to exist;
(k) make available to the Controller all the necessary information proving the Processor’s compliance with the obligations imposed on it in the data protection legislation, and allow and contribute to audits carried out by the Controller. Possible audits carried out by the Controller do not limit the obligations or responsibilities of the Processor or its subcontractors pursuant to this Data Processing Agreement or the Agreement.
The Processor is entitled to charge for the costs incurred from assisting the Controller according to its price list valid at each time. However, each Party bears their own part of the costs incurred from audits.
The Processor undertakes to implement all the appropriate technical and organisational data security measures required by Article 32 of the General Data Protection Regulation to ensure a sufficient level of security appropriate to the risk associated with the personal data processing in question in each case. To implement this, the Processor must implement all the technical, physical and organisational measures required to ensure a high level of security for the personal data processing and to protect the personal data from unauthorised or unlawful processing, as well as accidental loss, destruction, damage, alteration or disclosure. The security measures mentioned above must, at all times, correspond to the requirements imposed by the data protection legislation and the instructions provided by the Controller.
The Processor must ensure, by means of agreements or otherwise, that the persons, as well as possible subcontractors, with access to the personal data processed by the Processor comply with confidentiality and other requirements imposed by the data protection legislation. The personal data must only be processed for the purpose agreed upon, as required by work duties or a subcontracting agreement.
Each Party must ensure that the part of the delivery and the part of the Contracting Party’s own environment that are under the Party’s responsibility according to the Agreement, such as the equipment, communications network, premises and facilities used in the provision of services for which the Party is responsible, are protected against security risks in accordance with the appropriate data security policies followed by the Party and that the procedures related to the protection and back-up of the data are followed. Neither Party is responsible for the data security of the general communications network or any disruptions that may occur therein.
Each Party is responsible for taking back-ups of their own data and files as well as checking their functionality.
The Processor must notify the Controller of a Personal Data Breach without undue delay after learning of such a breach. After becoming aware of a personal data breach, the Processor must take all the necessary measures to protect the personal data and limit adverse effects.
The Processor must provide the Controller with the following information about the data breach that has occurred:
(a) a description of the nature of the data breach;
(b) identification of the data affected by the data breach;
(c) if the data affected by the data breach include personal data, the Processor must provide a description of the groups of people in question and the total number of persons affected;
(d) a description of the probable and/or actual consequences of the data breach;
(e) a description of the corrective measures that the Processor has taken or will take to prevent data breaches in the future; and
(f) a description of the measures taken by the Processor to minimise the adverse effects of the data breach.
The Processor must document all data breaches, including the facts related to the data breach, its effects and the corrective measures taken.
If the Customer’s materials in the Software Service have been destroyed, lost, altered or damaged after the Customer has used their ID, or the Customer has otherwise, with their own actions, destroyed, lost, altered or damaged the Customer’s materials in the Software Service, the Company is entitled to charge for the recovery of such materials according to the charging principles agreed upon.
The Processor has the right to use subcontractors in the processing of the personal data, unless otherwise agreed upon in writing between the Parties. By request of the Controller, the Processor must provide information on the subcontractors used by the Processor. If the Processor uses the services of another personal data processor:
(a) it may only use personal data processors that implement sufficient and appropriate technical and organisational protective measures to make sure that the processing meets the requirements of the data protection legislation and ensures the protection of the data subjects’ rights; and
(b) it must apply at least the same data protection obligations confirmed in this Data Processing Agreement to the agreement signed with the other personal data processor in question.
The Processor is fully liable for the performance of the obligations of any other personal data processor it uses in relation to the Controller. The Processor must notify the Controller in writing (e.g. email newsletter) of all planned changes that concern adding or replacing other personal data processors. If the Controller does not accept a new subcontractor, it has the right to terminate the Agreement and this Data Processing Agreement, effective in 30 days. After this, the customer's user account is closed.
The personal data processed under the Agreement is primarily kept in servers located in the EU. Personal data may be transferred outside the EU for technical reasons. The precondition for such transfer is that the European Commission has found the level of data protection in the target country to be sufficient or that the party receiving the data outside the EU has agreed to establish the appropriate safeguards to protect personal data. Upon request, we will provide you with up-to-date information on all of our personal data processing partners and will further clarify the safeguards in the event of data being transferred outside the EU.
The Parties undertake to keep all materials and information received from the other Party confidential. Confidentiality is otherwise subject to the Agreement’s confidentiality terms.
Regarding liabilities related to administrative fines imposed by supervisory authorities or requests made by Data Subjects within the meaning of the Data Processing Agreement, the Parties agree that the general division of liability between the Parties is based on each Party being required to fulfil their own obligations pursuant to the data protection legislation. Therefore, all administrative fines or damages must be paid by the Party who has neglected their statutory obligations defined in the data protection legislation. For the sake of clarity, the Controller is responsible for implementing the rights of Data Subjects within the meaning of the data protection legislation.
The liabilities between the Parties are otherwise subject to the terms of the Agreement in question regarding damages and limitations of liability.
This Data Processing Agreement will enter into force once the User starts using the software service (creates an account), and it will remain in force until the end of the Agreement’s period of validity. This Data Processing Agreement will end automatically if the Agreement ends. If one of the Parties is in material breach of this Data Processing Agreement and fails to rectify this breach, provided that rectification is possible, the other Party has the right to terminate this Agreement thirty (30) days from the date on which the Parties notified the infringing Party about the breach.
This Data Processing Agreement is subject to the legislation applied to the Agreement and the terms of the Agreement concerning the settlement of disputes.
This Data Processing Agreement is an integral part of the Agreement.
Changes to this Data Processing Agreement must be made in writing and the Company must inform the User of changes in a reasonable way (email and/or in the software service). The Parties undertake to change this Data Processing Agreement if required by the processing of the personal data and its principles as agreed upon between the Parties.
The Processor may not transfer this Data Processing Agreement or its part to a third party without informing (e.g. email newsletter) the Controller.