Data Protection Agreement

(Controller-to-Processor Data Processing Agreement & Joint control Agreement)

PART 1 – General Provisions

A. Parties and Subject of the Agreement

1.
The Parties have entered into an agreement in which Bepro (as defined below) agreed to deliver certain services to Customer, including the production of video recordings of Customer’s football team’s training sessions and public matches, including, as the case may be, their analysis, using Bepro’s proprietary technology (Main Agreement). This Agreement is concluded between the parties of that Main Agreement.
2.
Through PART 2, the Parties enter into a Controller-to-Processor Data Processing Agreement as defined in Art. 28(3) General Data Protection Regulation (GDPR) or applicable other EU Member State’s law. Bepro enters the Data Processing Agreement as the Processor and Customer as the Controller. This Data Processing Agreement is based on the Commission Implementing Decision on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 of 4 June 2021.
3.
Through PART 3, the Parties enter into an agreement on joint controllership according to Art. 26(2) GDPR as Joint Controllers.
4.
The contact person and common point of contact for all data protection related issues shall be the Data Protection Officer of Bepro Europe GmbH: Dr. Bernd Schmidt, c/o PLANIT//LEGAL, Jungfernstieg 1, 20095 Hamburg (Tel.: +49 (0)40 60944190; E-Mail: mail@planit.legal).

B. Responsibilities of the Parties vis-à-vis Data Protection

1.
Insofar as Bepro is the solely responsible controller for the processing of personal data, the provisions of this Data Protection Agreement shall not apply. This is the case, for example, where Bepro processes personal data for internal purposes, such as accounting and bookkeeping.
2.
The Data Processing Agreement (Part 2) shall apply insofar as Bepro processes personal data on behalf of Customer. This is the case in the following situation:
When Bepro produces video recordings of Customer’s private training sessions and training games.
3.
The Joint Control Agreement (Part 3) shall apply insofar as Bepro and Customer jointly decide on the means and purposes of data processing, even if all processing is done, handled and coordinated by Bepro on behalf of (or commissioned by) Customer. This is the case in the following situations:
When Bepro produces video recordings of Customer’s public matches.
When Bepro analyses video recordings of Customer’s public games on Customer’s behalf (regardless of whether the scope of the analysis covers Customer’s team, Customer’s opponent’s team, or both).
When Bepro offers its scouting and recruitment platform to Customer or third parties.

C. Miscellaneous Provisions

1.
Unless otherwise provided for in this Agreement, all services of Bepro under this Agreement shall be compensated with the remuneration in accordance with the Quotation. Insofar as individual instructions go beyond the previous contractual provisions and require additional effort for Bepro, these shall require the prior consent of Bepro and shall be remunerated separately in accordance with the currently valid price list of Bepro.
2.
Amendments or supplements to this Agreement (Quotation) must be made in text form. This also applies to the amendment and cancellation of this clause.
3.
Should provisions of this Agreement be invalid, this shall not affect the validity of the remaining provisions. Parties shall endeavour to find a valid provision in place of the invalid provision which comes as close as possible to the economic meaning of the invalid provision. The same shall apply in the event of a loophole in this Agreement.
4.
This Agreement shall be subject to the laws of the country that the respective Bepro affiliate, branch or subsidiary company that is party to this Agreement (“Bepro”, see above) is established in.

PART 2 – Data Processing Agreement

Standard contractual clauses

Section I

Clause 1: Purpose and Scope

1.
The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2.
The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
3.
These Clauses apply to the processing of personal data as specified in Annex II.
4.
Annexes I to IV are an integral part of the Clauses.
5.
These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
6.
These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2: Invariability of the Clauses

1.
The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
2.
This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3: Interpretation

1.
Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
2.
These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
3.
These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4: Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5: Optional - Docking clause

1.
Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
2.
Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
3.
The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

Section II: OBLIGATIONS OF THE PARTIES

Clause 6: Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7: Obligations of the Parties

1.
Instructions
a.
The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
b.
The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
2.
Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.
3.
Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex II.
4.
Security of processing
a.
The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
b.
The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.
Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
6.
Documentation and compliance
a.
The Parties shall be able to demonstrate compliance with these Clauses.
b.
The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
c.
The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
d.
The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
e.
The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
7.
Use of sub-processors
The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least two weeks in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
a.
Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
b.
At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
c.
The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
d.
The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
8.
International transfers
a.
Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
b.
The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8: Assistance to the controller

1.
The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
2.
The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.
3.
In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
a.
the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
b.
the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
c.
the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
d.
the obligations in Article 32 of Regulation (EU) 2016/679.
4.
The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9: Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.
1.
Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
a.
in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
b.
in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
the likely consequences of the personal data breach;
the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
c.
in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
2.
Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
a.
a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
b.
the details of a contact point where more information concerning the personal data breach can be obtained;
c.
its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

Section III: FINAL PROVISIONS

Clause 10: Non-compliance with the Clauses and termination

1.
Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
2.
The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
a.
the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
b.
the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
c.
the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
3.
The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
4.
Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

Annex I: List of parties

The Parties are defined in PART 1.

Annex II: Description of the processing

| Category of data | |
| --- | --- |
| Data subjects | Customer’s football team’s players; Referees; Customer’s coaching team; Opponent’s teams’ players; Opponent’s coaching team |
| Categories of personal data processed | Customer’s football team’s players’ name, movements, plays during training; Movement of coaching team |
| Sensitive data processed | n/a |
| Nature of the processing | Recording of the videos; Storage of the videos; Making the videos available on Bepro’s platform |
| Purpose(s) for which the personal data is processed on behalf of the controller | Making available of the video recordings to Customer |
| Duration of the processing | The data will be deleted at the end of the contract. |

Annex III: Technical and organisational measures including technical and organisational measures to ensure the security of the data

These technical and organisational measures are subject to technical progress and further development. In this respect, it is permissible to implement alternative adequate measures, provided that they do not fall short of the safety level defined here. However, significant changes must be coordinated and documented by the person responsible. In cases of doubt, the processor must prove that the alternative measure guarantees the same protection objective and a comparable level of protection.
1.
Bepro office and Bepro internal
There are no servers in the Bepro office. All servers are in data centres in Frankfurt am Main, Germany.
a. Access Control
Measures to prevent unauthorised access to data processing equipment:
Restriction of access authorisations to office buildings, computer centres and server rooms to the minimum necessary.
Effective control of access authorisations through an adequate locking system.
Regulated and documented access control system, including regular checks.
Measures for prophylaxis and detection of unauthorised access and attempted access (video surveillance, security service, gatekeeper, alarm system).
Written regulations for employees and visitors concerning the handling of technical access control measures.
b. System Access Control
Measures to prevent unauthorised access to data processing systems:
Restrict access rights to computer systems and non-public networks to the minimum necessary.
Effective control of access authorizations through personalized and unique user IDs and a secure authentication process.
Password regulations to ensure a secure and confidential password.
Time-controlled password-protected pause activation (screen saver).
Concept for the regular and documented review of assigned access authorizations (revocation when an employee leaves the company, or change when an employee changes position within the company).
Measures to secure the network infrastructure:
Network port security according to WPA2;
Virus scanner;
Separation of networks;
Encrypted network protocols;
Written rules for employees on how to deal with the security measures and the secure use of passwords.
Written regulations for employees on secure e-mail and Internet use.
c. Data access control
Measures to ensure appropriate access rights:
Limiting access rights to data subjects to the absolute minimum required.
Rights and role concept for effective control of access authorizations.
Effective control of access permissions through personalized and unique user IDs and a secure authentication process.
Process for requesting, changing and revoking access authorizations (regular review).
Regular and documented verification of access authorizations.
Logging/documentation of accesses to systems, if applicable.
d. Transfer control (For further information please refer to the respective Cloud Providers documentation, as mentioned below)
e. Input control (For further information please refer to the respective Cloud Providers documentation, as mentioned below)
f. Order control
Measures to ensure data processing in accordance with instructions:
Selection of (sub)processors under data protection and technical aspects according to Art. 28 GDPR.
Regular monitoring of the regularity of the application of the data processing programmes used to process personal data.
g. Availability control (not applicable)
h. Separation control (not applicable)
i. Deletion of data / Retention Policy
Measures for the deletion of personal data in compliance with data protection regulations:
Deletion concept with specifications for employees (Data retention Policy).
Secure deletion, to ensure the impossibility of recovering the data (overwriting, formatting, secure destruction of paper documents).
j. Privacy by design and Privacy by default
All employees must adhere to a comprehensive Data Protection Manual, which outlines important privacy concepts and is the basis for employee training, to ensure the safety of data subjects’ rights.
Bepro adheres to the necessary responsibilities of any controller or processor, including:
Data Processing agreements with processors according to Art. 28 GDPR and additional guarantees according to Art. 44 GDPR, if necessary;
Data Privacy Impact Assessment according to Art. 35 GDPR;
Data Breach Process;
A comprehensive Intercompany Agreement to ensure secure and legal data transfers within the company group;
Records of Processing Activities according to Art. 30 GDPR.
Bepro documents and routinely checks the adherence to all relevant GDPR regulations, as part of their Data Privacy Management.
2.
Bepro11 software
a. Physical access control & Logical access control
See Amazon Web Services Inc.´s (AWS) and Google´s LLC (Google Cloud Platform) documents:
b. Data access control
Passwords encrypted;
Authentication and authorization;
c. Data transfer control
Electronic transfer of personal data: HTTPS.
d. Entry control
Bepro´s system logs access, including timestamps and source IP address. Also, authorization attempts are logged, including timestamps, username.
e. Control of instructions
Standard terms and conditions & contract processing of data.
Only two subcontractor host systems with personal data: AWS and GCP.
f. Availability control
AWS/GCP guarantee a universally available cloud system;
Redundancies, daily back-ups (up to 35 days), and “point in time”-recovery;
Multi-Availability Zone (AWS) and Multi-Regional-Storage within EU (GCP);
Test recoveries & frequent back up checks.
g. Separation control
Separation of production, development, and testing systems.

Annex IV: List of sub-processors

The controller has authorised the use of the following sub-processors:
| Name | Address / Contact persons’ name, position and contact details | Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised) | Location of the Data Processing |
| --- | --- | --- | --- |
| Bepro Company Co., Ltd. | Unit 527, Toegye-ro 18, Jung-gu, Seoul Republic of Korea (04637) | Analysis of matches | Seoul, South Korea |
| Amazon Web Services Inc.´s (AWS) | 410 Terry Avenue North, Seattle, WA 98109-5210, United States | Server | Frankfurt am Main, Germany |
| Google LLC (Google Cloud Platform and G Suite) | Gordon House, Barrow Street, Dublin 4, Ireland | Storage, E-Mail, Calendar | Frankfurt am Main, Germany |
| Slack Technologies Limited | One Park Place, Upper Hatch Street, Dublin 2, Ireland | Internal communications | n/a |
| Notion Labs, Inc. | 548 Market St #74567, San Francisco, CA 94104-5401 United States | Internal workspace | n/a |
| Jira from Atlassian | Level 6, 341 George Street, Sydney, NSW 2000, Australia | Programming | n/a |
| Twilio Inc. | 375 Beale St #300, San Francisco, CA 94105, United States | Password recovery by e-mail | Bepro offices |

PART 3 – Joint Controllership Agreement

This PART 3 applies to any data processing in which Parties jointly determine the means and purposes of processing personal data so that they are considered as joint controllers within the meaning of Art. 26(1) GDPR.
In all other respects, Parties are independent controllers and only self-responsible within the meaning of Art. 4(7) GDPR. The following section regulates who complies with which obligations of the GDPR in connection with the joint processing of personal data. Parties to this PART 3 are specified in PART 1.
1.
Subject Matter of the Processing
The subject matter of the processing is defined in Annex 1.
2.
Duration of the Processing
This assignment of processing has an indefinite term unless otherwise specified in Annex 1.
3.
Nature, Scope and Purpose of the Processing
Nature, scope and purpose of the processing are defined in Annex 1.
4.
Type of Personal Data
The type of personal data being subject to the processing is defined in Annex 1.
5.
Categories of Data Subjects
The categories of data subjects are defined in Annex 1.
6.
Joint Controller's Rights and Obligations
The Joint Controller’s rights and obligations in regard to personal data under their joint controllership follow from this Agreement and Annex 1.
7.
Contact persons for data processing and common point of contact
The contact person for data protection issues and the common point of contact is set out in PART 1 of this Agreement and shall be notified to the data subjects by the Party responsible under this Annex.
The respective Party is also responsible for making the essence of the arrangement on joint data processing available to the data subjects concerned (Art. 26(2) GDPR).
Irrespective of the terms of this arrangement, the data subject may exercise his or her rights under the GDPR in respect of and against each of the Parties.
8.
Data Protection Obligations and Data Subject Rights
Each Controller is responsible vis-à-vis the data subjects in the external relationship for compliance with data protection law and can be held liable by data subjects (Art. 26(3) GDPR).
The Joint Controllers support each other in fulfilling and recording the data protection obligations and internally agree the responsibilities according to Annex 1, in particular with regard to the exercise of data subjects' rights pursuant to Art. 15 – 22 GDPR and the information obligations pursuant to Art. 12 – 14 GDPR.
If no further details are given here, it is to be assumed that both Parties are equally responsible for the fulfilment of information duties / processing of requests of data subjects. If one Party is to be solely responsible for fulfilling information obligations / processing requests of data subjects, the other Party shall immediately forward any requests from data subjects to the contact address the responsible Party provided it with for this purpose and shall provide the responsible Party with any information necessary for answering the requests of data subjects on a case-by-case basis.
9.
Technical and Organizational Measures
Requirements for the implementation of technical and organizational measures result from Art. 32 GDPR. Overall, these are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In doing so, the state of the art, the implementation costs and the type, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR must be taken into account. The Joint Controllers shall coordinate their internal organization with regard to joint responsibility and take technical and organizational measures for the appropriate protection of personal data which meet the aforementioned requirements.
Technical and organizational measures are subject to technical development. For the duration of the processing, the Joint Controllers continuously develop and improve the technical and organizational measures as required. The level of protection shall not fall below the level described here.
10.
Notification in case Instructions Infringe Data Protection Law
Both Parties must inform each other immediately and completely if errors or irregularities in data processing or violations of provisions of this arrangement or applicable data protection law (in particular the GDPR) are discovered to have happened or are likely to have happened.
Each Party is obliged to inform the other Party immediately if a data protection supervisory authority turns to it, as far as this concerns a processing which is within the joint responsibility under this arrangement. The Parties shall coordinate their responses to requests from the data protection supervisory authorities regarding the data processing in question unless this is prohibited by law. The Parties agree that requests and orders from the supervisory authorities must be complied with in principle. If necessary, the Parties will agree on a legal action vis-à-vis the supervisory authority.
11.
Correction, Deletion and Blocking of Data
The Parties shall correct, delete or block personal data which are the subject of joint responsibility in accordance with the legal requirements. They agree on this and document the concrete requirements in a deletion concept. The responsibility for the deletion concept is defined in Annex 1. Before each deletion of data, the other Party must be informed of the intended deletion with a reasonable lead time.
12.
Mutual Information Duties and Notifications on Infringements
The Parties shall keep each other informed on an ongoing basis of changes relevant to the processing within the framework of Joint Controllership. They shall inform each other immediately in the event of a personal data breach or in the event of other serious infringements of data protection law. This applies in particular if it cannot be ruled out that the infringement will lead to a notification obligation pursuant to Art. 33(1) GDPR or Art. 34(1) GDPR.
Each of the Joint Controllers is obliged to immediately check the existence of a notification obligation pursuant to Art. 33(1) GDPR or Art. 34(1) GDPR as soon as it has become aware of the possibility of a personal data breach. The respective Controller shall immediately inform the other Controller and the Parties shall agree on the necessary steps and measures for the protection of the data, the notification to the supervisory authority as well as the information of data subjects. The responsibility for notification and informing data subjects is governed by Annex 1.
Each Controller is entitled to report and inform the data subjects if the legal requirements are met and coordination with the other Controller is not possible within the statutory period pursuant to Art. 33 / Art. 34 GDPR.
13.
Accountability and Data Protection Impact Assessment
Each Controller shall keep a record of processing activities (Art. 30 GDPR). The Joint Controllers support each other in preparing the records to the extent that the joint processing is concerned. In particular, they shall provide each other with the information necessary for this purpose. The Joint Controllers examine whether a data protection impact assessment is necessary for the joint processing and carry it out if necessary. The responsibility for the examination and, if necessary, performance of the data protection impact assessment is governed by Annex 1.
14.
Commitment of Involved Personnel to Confidentiality and compliance with applicable Data Protection Law
The Joint Controllers ensure that personnel deployed for the processing of personal data under the Joint Controllership have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality as well as to compliance with data protection requirements.
15.
Place of data processing
The place of processing and any measures necessary to achieve an adequate level of data protection pursuant to Art. 44 et seq. GDPR shall be as set out in Annex 1.
16.
Liability
The Parties shall be liable in the external relationship towards the data subjects in accordance with the statutory law.
The Parties shall release the respective other Party from liability in the internal relationship if the cause giving rise to liability lies within the assigned area of responsibility of the respective other Party. This also applies to a fine imposed on a Party for a violation of data protection law by a supervisory authority.
Subject to deviating provisions in a main contract, expressly including infringements of data protection law, the Parties shall be liable to each other in accordance with the statutory law. The Parties shall be liable for infringements by data processors deployed in the joint data processing as for their own fault.
17.
Costs
Unless otherwise stipulated in a main contract, the Joint Controllers shall provide services within the framework of joint responsibility free of charge.

Annex 1: Details of the Joint Controllership

Processing Activity
Joint Controllers
a) Subject Matter; b) Means of Processing; c) Purposes
a) Categories of personal data; b) Categories of data subjects; c) Duration of Processing; d) Location of Processing
a) Point of Contact; b) Transparency Obligations; c) Data Subject Rights; d) Deletion Concept; e) Data Breach Notifications; f) DPIAs; g) Other Responsibilities
Video Recording of Public Matches
Bepro and Customer
a) Production of video recordings of public soccer matches that Customer engages in b) Camera system placed in the match location c) Creation and preparation of video material for later viewing and possibly analysis by Bepro and/or customer
a) Names, movements, plays and other activities during the match b) Players, referees and assistants, teams and trainers c) During the match and afterwards until the end of the respective contract d) Location of the match that is being recorded.
a) Bepro (DPO of Bepro Europe GmbH see PART 1) b) Bepro c) Bepro d) Bepro e) Bepro f) Bepro g) Bepro
Event Analysis
Bepro and Customer
a) Analysis of video recordings of public soccer matches that Customer or competing teams engaged in, or of private trainings b) Analysis by proprietary software of Bepro, assisted by manual analysis by Bepro personnel where necessary c) Creation and preparation of detailed play analyses (e.g. on the number and success rate of passes between players) for use by Customer (to improve play) and for Bepro (for providing analyses for Customer, creating an archive and competitor analyses for competing teams)
a) Names, movements, plays and other activities during the match, statistics on the efficiency and/or playstyle of the players b) Players of Customer’s or Customer’s competitors’ teams c) During the analysis and afterwards until the end of the respective contract d) EU and South Korea; if applicable, country where Customer accesses the data or where match is being recorded
a) Bepro (DPO of Bepro Europe GmbH see PART 1) b) Bepro c) Bepro d) Bepro e) Bepro f) Bepro g) Bepro
Optical Tracking Analysis
Bepro and Customer
a) Analysis of video recordings of public soccer matches that Customer or competing teams engaged in, or of private trainings b) Analysis by proprietary software of Bepro, assisted by manual analysis by Bepro personnel where necessary c) Creation and preparation of detailed play analyses (e.g. on the number and success rate of passes between players) for use by Customer (to improve play) and for Bepro (for providing analyses for Customer, creating an archive and competitor analyses for competing teams)
a) Names, movements, plays and other activities during the match, statistics on the efficiency and/or playstyle of the players b) Players of Customer’s or Customer’s competitors’ teams c) During the analysis and afterwards until the end of the respective contract d) EU and South Korea; if applicable, country where Customer accesses the data or where match is being recorded
a) Bepro (DPO of Bepro Europe GmbH see PART 1) b) Bepro c) Bepro d) Bepro e) Bepro f) Bepro g) Bepro
Competitor Analysis
Bepro and Customer
a) Analysis of video recordings of public soccer matches. Recordings and analyses are made available to all teams of the same league that make their own recordings/analyses available for the same purpose. b) Analysis by proprietary software of Bepro, assisted by manual analysis by Bepro personnel where necessary c) Creation and preparation of detailed play analyses (e.g. on the number and success rate of passes between players) for Customer (to improve counter-tactics against competing teams through getting access to the Bepro archive by offering recordings and analyses of their own) and for Bepro (to offer an archive of recordings and analyses for competing teams that incentivizes them to share their own videos and analyses in the same archive)
a) Names, movements, plays and other activities during the match, statistics on the efficiency and/or playstyle of the players b) Players of Customer’s or Customer’s competitors’ teams c) During the analysis and afterwards until the end of the respective contract d) EU and South Korea; if applicable, country where Customer accesses the data or where match is being recorded
a) Bepro (DPO of Bepro Europe GmbH see PART 1) b) Bepro c) Bepro d) Bepro e) Bepro f) Bepro g) Bepro