SPONSORSHIP AGREEMENT STANDARD TERMS – INTERNATIONAL DATA TRANSFERS
Version Date: 17 May 2023
This Data Protection Attachment for Delinian (“DPA”) is incorporated into and made part of the Standard Terms (also referred to as the “Agreement”). Unless otherwise defined in this DPA, capitalised terms will have the meaning given to them in the Standard Terms. In the event of any conflict between these documents, the following order of precedence applies (in descending order): a) the Standard Contractual Clauses as provided herein; b) the body of the DPA; c) any documents attached to the DPA; and d) the Standard Terms.
Data Processing
1.1 For the purposes of this Agreement, the terms “controller”, “data subject”, “personal data”, “processing” and “supervisory authority” all have the meanings given to those terms in Data Protection Laws (and related terms such as “process” and “processed” shall have corresponding meanings).
1.2 Each Party, in relation to their processing of personal data in connection with this Agreement, shall:
a) act as an independent controller;
b) individually and separately comply with all applicable requirements of the Data Protection Laws;
c) process any personal data which it obtains or holds under or in relation to this Agreement for the purposes of carrying out its obligations or obtaining the services under this Agreement, in accordance with its privacy notice or as otherwise permitted by Data Protection Laws;
d) ensure that it has obtained all necessary rights, permissions and/or consents required by, or that it otherwise has an appropriate legal basis under, Data Protection Laws for the disclosure of personal data to the other party;
e) provide notice to data subjects about its collection and use of their personal data, including through its privacy notice as required by Data Protection Laws;
f) provide means by which individuals may request to review, correct, update, suppress, restrict or delete or port their personal data, as required by Data Protection Laws;
g) ensure that it has in place appropriate technical and organizational measures, to protect against unauthorized or unlawful access, acquisition, use or alteration of personal data and against accidental loss or destruction of, or damage to, personal data;
h) unless prohibited by applicable law, notify the other party without undue delay upon becoming aware of any cybersecurity incident relating to the personal data provided by the other party to the extent that such incident is required to be notified under Data Protection Laws to a supervisory authority.
1.3 We shall use your personal data for the purpose of providing the Sponsorship Benefits, including, but not limited to: communications, administration (including before, during and after the provision of the Sponsorship Benefits), invoicing and payment, post-provision of the Sponsorship Benefits feedback, quality checks, research and polling.
1.4 We may share relevant personal data with relevant third parties involved in the Event(s) including without limitation finance partners, service providers and external delivery partners.
1.5 In order to fulfil their respective obligations under the Agreement it may be necessary to make a Restricted Transfer (as defined in Chapter V of the GDPR). If a Restricted Transfer is made, the Addendum is applicable.
1.6 To the extent applicable to the Parties in connection with or pursuant to this Agreement, the Parties will comply with specific requirements stipulated by the Personal Information Protection Law of the People’s Republic of China (“PIPL”) and other relevant Chinese rules and regulations relating to the processing, privacy and use of personal data. The Parties will process individuals’ personal data in accordance with the principles of legality, legitimacy, necessity and good faith. If you have employees, representatives or Participants in the People’s Republic of China, before sharing their personal data with the Company, you hereby confirm, warrant and represent that you will inform such individuals that the Company will be processing their personal data and obtain their consent for their personal data to be processed by us for the purposes of this Agreement including but not limited to that data being shared with any relevant third party (who may be based in any territory) for purposes related to this Agreement. Please refer your employees, representatives or Participants to the Company Privacy Notice for further information in relation to how their personal data is processed and in relation to their data protection rights and provide them with a copy, which the Company Privacy Notice you hereby confirm that you and your employees, representatives or Participants have read and understood.
Addendum
Standard Contractual Clauses and International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
1. Each party acknowledges that in order to fulfil their respective obligations under the Agreement it may be necessary to make a Restricted Transfer (as defined in Chapter V of the GDPR) and therefore each party hereby agrees to the European Commission’s Standard Contractual Clauses of 21 June 2021 (“SCCs”) and/or, where a transfer of UK citizens personal data the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version A1.0 in force 21 March 2022) (the “UK Addendum”).
2. If the Parties manually complete SCCs and/or a UK Addendum specific to this Agreement then such fully completed SCCs and/or UK Addendum shall be deemed incorporated into this Schedule and the rest of this Schedule shall not apply.
3. In the absence of a fully completed SCCs and/or an UK Addendum, each party agrees that the Module 1 SCCs and the template Addendum linked to above is hereby incorporated by reference into this Agreement and it shall be construed to include the following provisions (Table references below refer to Table references in the Addendum and the information at Table 3 is applicable to Annex I and II of the SCCs:
In relation to SCCs, (a) the Parties agree that the Data Protection Commissioner of Ireland shall be the competent Supervisory Authority pursuant to clause 13 of the SCCs; (b) data subjects for whom the Extorter processes EU personal data are third party beneficiaries under the applicable SCCs; (c) the SCCs shall be governed by the law of Ireland, which allows for third party beneficiary rights pursuant to Clause 17 of the SCCs; and (d) any dispute arising from the SCCs shall be resolved by the courts of Ireland pursuant to Clause 18 of the SCCs.
Table 1: Parties
Parties’ details: The Exporter and Importer shall be the relevant parties to this Agreement (depending on which party sends and which party receives the Relevant Transfer)
Key Contact: shall be any relationship managers (or similar) referred to in the Agreement or in the absence of the same the primary liaison points at each of the Exporter and Importer
Signature: the signature to the Agreement shall be deemed to be included in Table 1
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: the second box in the table shall be deemed to be ticked
Modules: Module 1 ticked with no docking clause permitted and Clause 11 Option ticked.
Table 3: Appendix Information
Annex 1A: List of Parties: means the parties to this Agreement
Annex 1B: Description of Transfer: means the transfer of personal data identified in the Agreement from one party to the other as contemplated by the Agreement
Annex II: Technical and organisational measures: means industry standard and no less than adequate technical and organisational measures to ensure the security of the data, for example standards such as or equivalent to ISO 27001
Annex III: Any sub-processors which either party is using for the purposes of processing personal data under this Agreement and which such party shall notify to the other party in writing
Table 4: Ending this Addendum when the Approved Addendum changes
Each of the Importer and the Exporter can end the Addendum as set out in Section 19