Data Processing Agreement

BACKGROUND

  1. The Developer and Playgap entered into Playgap's Terms of Service, whereby Playgap provides the Developer with access to and or use of its Services. Such Terms of Service may require Playgap to process Personal Data on behalf of the Developer.
  2. This Data Processing Agreement ("DPA") sets out the additional terms, requirements and conditions on which Playgap will process Personal Data when providing the Services under the Terms of Service.

AGREED TERMS

  1. Status of the Parties

    1. The Developer and Playgap agree and acknowledge that for the purpose of the Data Protection Legislation the Developer is the Controller and Playgap is the Processor.
    2. When processing Personal Data, each Party shall comply with the obligations set out in this DPA and the Data Protection Legislation.
    3. The Developer and Playgap shall regularly review the information listed in Annex 1 to this DPA to confirm its current accuracy and update it when required to reflect current practices.

  2. Developer Obligations

    1. The Developer must obtain the appropriate consents for the Processing of Personal Data and ensure that it provides clear and sufficient information to Data Subjects in accordance with the Data Protection Legislation, including that the Personal Data may be transferred to and retained by Playgap for the fulfilment of the Services.
    2. The Developer is responsible for ensuring it has in place appropriate technical and organisational security measures to protect against unauthorised or unlawful Processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected.
    3. The Developer will be responsible for responding to any request by a Data Subjects to exercise their rights under the Data Protection Legislation.

  3. Playgap Obligations

    1. Playgap will only process the Personal Data to the extent, and in such a manner, as is necessary for the provision of the Services in accordance with the Developer's written instructions, which are set out in the Terms of Service, this DPA, and any documents incorporated into those agreements. Playgap will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or Data Protection Legislation. Playgap will notify the Developer if, in its opinion, the Developer's instructions do not comply with Data Protection Legislation.
    2. Playgap will comply promptly with any Developer written instructions requiring Playgap to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing as are necessary to comply with Data Protection Legislation.
    3. Playgap will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Developer or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires Playgap to process or disclose the Personal Data to a third-party, Playgap must first inform the Developer of such legal or regulatory requirement and give the Developer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
    4. Playgap will reasonably assist the Developer with meeting the Developer's compliance obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of Playgap's processing and the information available to Playgap, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under Data Protection Legislation.
    5. Playgap will notify the Developer without undue delay if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
    6. Playgap will ensure that its employees ensure who have access to and/or process the Personal Data are obliged to keep the Personal Data confidential.
    7. Playgap shall at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
    8. In the event of a Personal Data Breach, Playgap shall notify the Developer without undue delay, and shall cooperate with the Developer and provide all reasonable assistance to the Developer that Playgap is required to provide by Data Protection Legislation in Playgap's role as Processor, which may include making available relevant information records, logs, files, reports, and similar.
    9. The Developer agrees that Playgap (and any sub-processor) may transfer or otherwise process the Personal Data outside the UK subject to the following conditions:
      1. Playgap is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
      2. Playgap participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Playgap (and, where appropriate, the Developer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR.
    10. If an adequate protection measure for the international transfer of Personal Data is required under Data Protection Legislation (and has not otherwise been arranged by the parties) the Standard Contractual Clauses shall be incorporated into this DPA in Annex 2 as if they had been set out in full.
    11. The Developer acknowledges that Playgap may use meta-data, statistics and such other information derived from the Personal Data which cannot be identified as originating or deriving directly from such Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for the improvement of the Services.

  4. Sub-processors

    1. Playgap may only authorise a third-party sub-processor to process the Personal Data if:
      1. the Developer is provided with an opportunity to object to the appointment of each sub-processor within 10 working days after Playgap supplies the Developer with full details in writing regarding such sub-processor;
      2. Playgap enters into a written contract with the sub-processor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures; and
      3. the sub-processor's contract terminates automatically on termination of this DPA for any reason.
    2. Those sub-processors approved as at the commencement of this DPA are as set out in Annex 1 to this DPA.
    3. Where the sub-processor fails to fulfil its obligations under the written agreement with Playgap, Playgap remains fully liable to the Developer for the sub-processor's non-compliance.

  5. Data return and destruction

    1. Subject to Clause 5.2, on termination of the Terms of Service for any reason or expiry of its term, Playgap will securely delete or destroy or, if directed in writing by the Developer, return and not retain, all or any of the Personal Data related to this DPA in its possession or control.
    2. If any law, regulation, or government or regulatory body requires Playgap to retain any Personal Data that Playgap would otherwise be required to return or destroy, it will notify the Developer in writing of that retention requirement, giving details of the Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

  6. Audit

    1. Playgap shall maintain complete and accurate records and information to demonstrate its compliance with this DPA.
    2. If requested by the Developer (at the Developer's cost and expense, with such request to be made no more than one in any 12 calendar months), Playgap shall conduct an audit of its processing of the Personal Data under this Agreement, providing the Developer with a summary of such audit for the Developer's review.
    3. The Developer will treat any such audit summaries provided as Playgap's confidential information under the Terms of Service.

  7. Term and termination

    1. This DPA will remain in full force and effect so long as the Terms of Service remains in effect.
    2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms of Service in order to protect the Personal Data will remain in full force and effect.

  8. Notice

    1. Any notice given to a party under or in connection with this DPA must be in writing and delivered by email to:
      • For the Developer: the contact details provided by the Developer in writing when entering into the Terms of Service with Playgap.
      • For Playgap: contact@playgap.io
    2. Clause 8.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
    3. Any notice by email shall be deemed to have been delivered at the time of transmission (unless the time of transmission occurs outside of normal business hours, in which case the notice shall be deemed to have been delivered at 8.00am on the following Business Day).

  9. Definitions and Interpretation

    The following definitions and rules of interpretation apply in this DPA.

    1. Definitions:

      Business Day: a day other than a Saturday, Sunday or bank or public holiday in England.

      Commissioner: the Information Commissioner's Office (see Article 4(A3), UK GDPR and section 114, DPA 2018).

      Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in Data Protection Legislation.

      Developer: means as defined in the Terms of Service.

      Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) ("DPA 2018"); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).

      DPA: has the meaning given in Recital (B) above.

      Playgap: means Playgap Ltd (company number: 14949926), a company incorporated in England with its registered address at 20 Wenlock Road, London, England, N1 7GU.

      Services: means as defined in the Terms of Service.

      Standard Contractual Clauses: means, together, the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission under Commission Decision (EU) 2021/914 2021 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum").

      Terms of Service: has the meaning given in Recital (A) above.

      UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

    2. This DPA is subject to the terms of the Terms of Service and is incorporated into the Terms of Service. Interpretations and defined terms set forth in the Terms of Service apply to the interpretation of this DPA.
    3. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
    4. In the case of conflict or ambiguity between:
      1. any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
      2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
      3. any of the provisions of this DPA and the provisions of the Terms of Service, the provisions of this DPA will prevail.

ANNEX #1 Processing Particulars

Subject matter of Processing: Personal Data relating to Playgap's provision of the Services for the Developer.

Duration of Processing: The duration of the Terms of Service until deletion of all Personal Data by Playgap in accordance with the DPA.

Nature and Purpose of Processing: Providing the Services to the Developer in accordance with the DPA and the Terms of Service as initiated by the Developer in its use of the Services.

Personal Data Categories: Personal Data relating to individuals provided to Playgap via the provision of the Services, including but not limited to technical data (such as IP address, device data and location data) and marketing preferences.

Data Subject Types: Data subjects include individual end-users whose Personal Data is provided to Playgap via the Services, at the direction of the Developer.

Approved Sub-processors:

  • Amazon Web Services, Inc.
  • BunnyWay d.o.o.

ANNEX #2 Standard Contractual Clauses

To the extent clause 3.10 applies the terms in this Annex 2 shall apply.

  1. Parties

    1. Exporter (Processor): Playgap
    2. Importer (Controller): Developer

  2. Selected EU SCCs Modules and Clauses

    1. Module 4 of the EU SCCs and no other optional clauses unless explicitly specified, are incorporated into this Annex 2 as if they had been set out in full.
    2. Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be the Irish Data Protection Commissioner.
    3. Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law and choice of jurisdiction shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply and the courts of Ireland will have exclusive jurisdiction.

  3. Processing Particulars

    1. Categories of data subjects: As set out in Annex 1.
    2. Categories of personal data transferred: As set out in Annex 1.
    3. Sensitive data transferred: None.
    4. Frequency of the transfer: Continuous.
    5. Nature of the processing: As set out in Annex 1.
    6. Purpose of the processing: As set out in Annex 1.
    7. Duration of the processing: The duration of the DPA.
    8. Sub-Processor Transfers: As set out in clause 4.1.

  4. Termination of the UK Addendum

    In the event the template UK Addendum issued by the Commissioner and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 is amended, either party may terminate this Annex 2 on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.