1.1 ELEC GAMES N.V. Reg. No 135362, Abraham de Veerstrat 2, Curacao / ANT , (hereinafter the “Company”).
1.2 “Partner”, “Data processor” or “Affiliate”
The above listed parties are each referred to as a “Party” and collectively as the “Parties”.
The following terms, used in this Agreement, have the following meanings:
“Affiliate” means any person or entity who directs Internet traffic to the websites of the Company for the purpose of introducing users to the subscriber who is paid commission by the Company for such introductions.
“Applicable Data Protection Legislation” means the at each time applicable national legislation regarding the Processing of Personal Data, the common EU rules on data protection and the EU regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), which shall be applied from 25 May 2018;
“Data Controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed and entails the Company in its capacity of Data Controller under this Agreement;
“Data Processor” in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the Data Controller and entails the Partner in its capacity of Data Processor (as the case may be);
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.1 The specific concepts and terms which relate to processing of Personal Data and which are not defined in the Agreement shall have the same meaning as in Applicable Data Protection Legislation.
3 INITIAL PROVISIONS
3.1 The Company and its subsidiaries provides gaming services (“Company’s Services”) and operate a number of casino brands under gambling licenses in different jurisdictions.
3.2 The Partner directs Internet traffic to the websites of the Company for the purpose of introducing users to the subscriber, The Partner is a paid commission by the Company for such introductions.
3.3 The Parties have entered into an affiliate agreement under which the Partner generates traffic to the Company sites (the ”Service Agreement”).
3.4 Within the framework of the Services Agreement:
a) the Partner will autonomously carry on processing activities without use of any data obtained from Company, in the capacity of a Data Controller, during the execution of the Services, which involves directing targeted marketing with the purpose to drive traffic to the Company’s website in order to gain new user of the Company’s Services (“Initial Processing”); and
b) the Parties acknowledge and agree that they do not intend for the Company to process Personal Data pursuant to the Agreement. Notwithstanding this, to the extent that the Company may, if applicable and whereby agreed with the Partner process Personal Data received from the Partner as part of the services rendered in connection with or arising out of the Agreement and only to the extent set out in this addendum, the Parties are of the opinion that the Company is the Data Processor and the Partner is the Data Controller (“Further Processing”).
3.5 The Parties have entered into this data processing agreement (hereinafter the “Agreement”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals subject to the Personal Data.
4 LAWFULNESS AND COMPLIANCE
4.1 The Partner guarantees that both Initial Processing and Further Processing will be lawfully conducted, meaning that any and all of the Partners Personal Data processing activities under the Service Agreement has a lawful basis and are carried out in accordance with, but not limited to, Applicable Data Protection Legislation.
4.2 The Partner shall in accordance with, but not limited to, Applicable Data Protection Legislation ensure lawfulness in all regards in order for the Company to make full use of the Services within its marketing operations.
4.3 The Partner warrants that any employee, agent, consultant or equivalent working for Data Processor shall be bound by confidentiality obligations on a same level as the obligations set out in this Agreement (see Section 6).
4.4 The Partner shall utilize robust precautions to protect the confidentiality and security of the Personal Data, by using necessary technical and organizational security measures, such as firewalls and internal security procedures as required by Applicable Data Protection Legislation.
4.5 The Partner shall implement appropriate technical and organizational measures for the fulfilment of a Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights according to Applicable Data Protection Legislation. The Partner shall do this by for example, but not limited to, enabling the Data Subject’s to correct inaccurate Personal Data or to erase collected Personal Data.
5 PROCESSING OF PERSONAL DATA ON BEHALF OF THE DATA CONTROLLER
5.1 In the event that the Data Processor Process Personal Data on behalf of the Data Controller the following shall apply:
5.1.1 The Data Processor undertakes to Process Personal Data in accordance with the Main Agreement and in accordance with the Data Controller’s documented instructions and notify the Data Processor if any instructions implies a breach of applicable Data Protection Legislation. The Data Processor shall keep a register of all categories of Personal Data Processed on behalf of the Data Controller and assist the Data Controller in carrying out a data protection impact assessment.
5.1.2 The Data Processor shall take and be able to demonstrate appropriate technical and organizational measures to protect the Personal Data that is being Processed on behalf of the Data Controller.
5.1.3 The Data Processor shall agree to audits of the Data Processor’s Personal Data Processing from the supervisory authority or other affected party, which according to the Data Protection Legislation may be required in order to maintain appropriate Personal Data Processing.
5.1.4 The Data Processor agrees to not disclose or otherwise reveal information to third parties about the Processing of Personal Data encompassed by this Agreement, or other information that the Data Processor has received as a consequence of this Agreement or in its position as Data Processor.
5.1.5 The Data Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that persons’ engagement with the Data Controller.
5.1.6 The Data Processor shall promptly notify the Data Controller if it receives a request from a Data Subject for information regarding, access to, correction, amendment or deletion of that person’s Personal Data.
5.1.7 The Data Processor shall (i) assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR and (ii) in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Data Processor.
5.1.8 The Data Processor has a general authorisation to engage Sub-Processors provided that the Data Processor shall enter into a personal data processing agreement on term no less protective than this Agreement with such Sub-Processor. The Processor remains fully liable to the Data Controller for the performance of a Sub-Processor.
6.1 The Parties warrants and undertakes to treat Personal Data processed under this Agreement strictly confidential and only use such for the purposes of obligations under the Service Agreement and in line with its obligations to ensure compliance with applicable laws and regulations (including, but not limited to, Applicable Data Protection Legislation, anti-money laundering and laws regarding prevention of terrorism).
7 OBLIGATION AFTER THE TERMINATION OF SERVICES
7.1 The Parties agree that on the termination of the Services Agreement, the following shall apply. Data Processor shall (and, where applicable, ensure that the Sub-Processor shall), return all Personal Data to the Data Controller or, at the request of the Data Controller, delete all Personal Data, unless Data Processor is required to store the Personal Data under Union or national law (such as requirements from a competent gambling authority). If the Data Controller decides that Personal Data shall be deleted Data Processor shall confirm to the Data Controller when the deletion is completed.
7.2 In the event that legislation imposed upon Data Processor prevents it from returning or deleting all or part of the Personal Data, Data Processor warrants that it will guarantee the confidentiality of the Personal Data and that it will not actively Process the Personal Data or, alternatively, anonymize the Personal Data in a manner that makes it impossible to recreate the Personal Data in such a manner that a natural person is not or no longer identifiable.
8 TERM AND TERMINATION
8.1 This Agreement shall remain in force as long as the Partner drives traffic towards the Company.
8.2 Termination of this Agreement shall be without prejudice to any rights and obligations of either Party against the other which may have accrued up to the date of such termination.
9.1 The Partner shall indemnify the Company for any breach of the Applicable Data Protection Legislation or marketing laws which renders the Company liable for any costs, fines, claims or expenses howsoever arising.
10 ADDITIONS AND AMENDMENTS
10.1 No amendments or additions to this Agreement may be made except in writing, duly signed by each of the Parties.
11 LAW AND JURISDICTION
11.1 Subject mandatory rules under Applicable Data Protection Legislation, this Agreement is governed by and construed under Swedish law.
11.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce.
11.3 The seat of arbitration shall be Stockholm.
11.4 The language to be used in the arbitral proceedings shall be English.