Transferroom – Data Processing Terms

These Data Processing Terms form part of the agreement for provision of the Transferroom service on the Transferroom Terms of Service ("Agreement") between: (i) Transferroom Ltd, a limited company registered in England and Wales under company number 10380336 and whose registered office is at 5 Elstree Gate, Elstree Way, Borehamwood, Hertfordshire, United Kingdom, WD6 1JD (“Transferroom”); and (ii) the entity specified as the Club on an Order Form or otherwise identified in the Agreement as the Club ("Club”).

The terms used in these Data Processing Terms shall have the meanings set forth in these Data Processing Terms. Capitalised terms not otherwise defined in these Data Processing Terms shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

Except where the context requires otherwise, references in these Data Processing Terms to the Agreement are to the Agreement including these Data Processing Terms.

Definitions

In these Data Processing Terms:

Applicable Law

means as applicable and binding on the Club, Transferroom and/or the Service:

(a)

any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Service are provided to or in respect of;

(b)

the common law and laws of equity as applicable to the parties from time to time;

(c)

any binding court order, judgment or decree; or

(d)

any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Appropriate Safeguards

means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Data Controller

has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;

Data Processor

has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;

Data Protection Laws

means as applicable and binding on the Club, Transferroom and/or the Service:

(a)

in the United Kingdom, the GDPR, and/or any corresponding or equivalent national laws or regulations;

(b)

in member states of the European Union: the GDPR, once applicable, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and

(c)

any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time.

GDPR

means the General Data Protection Regulation (EU) 2016/679;

International Organisation

means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

Personal Data

has the meaning given to that term in Data Protection Laws;

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

Protected Data

means Personal Data received from or on behalf of the Club to the extent that it is processed by Transferroom on the Club’s behalf in connection with the performance of Transferroom’s obligations under the Agreement, but does not include any Personal Data to the extent that it is processed by Transferroom as data controller, or any anonymised, aggregated data derived by Transferroom in whole or in part from any Personal Data;

Data Subject

has the meaning given to that term in Data Protection Laws;

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

Service

means the Transferroom service to be provided under the Agreement.

Sub-Processor

means another Data Processor engaged by Transferroom for carrying out processing activities in respect of the Protected Data on behalf of the Club; and

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

Specific interpretive provision(s)

In these Data Processing Terms:

(c)

references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable;

(b)

a reference to a law includes all subordinate legislation made under that law; and

(c)

references to “paragraph numbers” are to paragraphs of these Data Processing Terms.

Data processing provisions

  1. Data Processor and Data Controller
    1. The parties agree that, for the Protected Data, the Club shall be the Data Controller and Transferroom shall be the Data Processor.
    2. Transferroom shall process Protected Data in compliance with:
      1.2.1

      any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Service are provided to or in respect of;

      1.2.2

      the terms of the Agreement.

    3. The Club shall comply with:
      1.3.1

      all Data Protection Laws in connection with the processing of Protected Data, the Service and the exercise and performance of its respective rights and obligations under the Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

      1.3.2

      the terms of the Agreement.

    4. The Club warrants and undertakes that:
      1.4.1

      all data sourced by the Club for use in connection with the Service, prior to such data being provided to or accessed by Transferroom for the performance of the Service under the Agreement, shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Club providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;

      1.4.2

      it shall ensure that Data Subjects are provided with appropriate information regarding the processing of their Personal Data;

      1.4.3

      all instructions given by it to Transferroom in respect of Personal Data shall at all times be in accordance with all applicable laws including Data Protection Laws; and

      1.4.4

      it has undertaken due diligence in relation to Transferroom's processing operations, and it is satisfied that:

      (a)

      Transferroom’s processing operations are suitable for the purposes for which the Club proposes to use the Service and engage Transferroom to process the Protected Data; and

      (b)

      Transferroom has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

    5. The Club shall not withhold, delay or condition its agreement to any change to the Agreement or the Service requested by Transferroom in order to ensure the Service and Transferroom (and each Sub-Processor) can comply with Data Protection Laws.
  2. Instructions and details of processing
    1. Insofar as Transferroom processes Protected Data on behalf of the Club, Transferroom:
      2.1.1

      unless required to do otherwise by Applicable Law, shall process the Protected Data only on and in accordance with the Club’s documented instructions as set out in this paragraph 2 and Schedule 1 (Data processing details) and (Processing Instructions);

      2.1.2

      if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Club of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and

      2.1.3

      shall inform the Club if Transferroom becomes aware of a Processing Instruction that, in Transferroom’s opinion, infringes Data Protection Laws, provided that:

      (a)

      this shall be without prejudice to paragraphs 1.3 and 1.4;

      (b)

      to the maximum extent permitted by mandatory law, Transferroom shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Club's Processing Instructions following the Club's receipt of that information.

    2. The Club shall not withhold, delay or condition its agreement to any change to the Agreement or the Service requested by Transferroom in order to ensure the Service and Transferroom (and each Sub-Processor) can comply with Data Protection Laws.
  3. Technical and organisational measures
    1. Transferroom shall implement and maintain, at its cost and expense, appropriate technical and organisational security measures in relation to the processing of Protected Data by Transferroom.
  4. Using staff and other processors
    1. The Club provides general written authorisation to Transferroom to engage Sub-Processors to perform the Service. The Club shall be given the opportunity to object to any new Sub-Processor and state its grounds for doing so. The Club acknowledges that Sub-Processors are essential in order for Transferroom to provide the Service and that objecting to the use of a Sub-Processor may prevent Transferroom from continuing to provide the Service to the Club. In the event that Transferroom is unable to adequately address those objections, either party may terminate the Agreement upon notice without liability to the other. For the avoidance of doubt, in such circumstances Transferroom shall not be obliged to refund any Subscription Fees paid by the Club. The Club authorises the appointment of any of the following Sub-Processors: Microsoft Azure (for the purposes of hosting the Service); Mailjet (for sending email newsletters comprised in the Service); and Mailchimp (for email services).
    2. Transferroom shall:
      4.2.1

      prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract substantially on the standard terms of business of that Sub-Processor, or containing materially the same obligations as under these Data Processing Terms, that is enforceable by Transferroom;

      4.2.2

      ensure each such Sub-Processor complies with all such obligations; and

      4.2.3

      remain fully liable for all the acts and omissions of each Sub-Processor which constitutes a breach of these terms as if they were its own.

    3. Transferroom shall ensure that all persons authorised by it to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law.
  5. Assistance with the Club’s compliance and Data Subject rights
    1. Transferroom shall refer all Data Subject Requests it receives to the Club within 7 days of receipt of the request, provided that if the number of Data Subject Requests exceeds 5 per calendar month, the Club shall pay Transferroom’s charges calculated on a time and materials basis at Transferroom’s then current rates for recording and referring the Data Subject Requests in accordance with this paragraph 5.1.
    2. Transferroom shall provide such reasonable assistance as the Club reasonably requires (taking into account the nature of processing and the information available to Transferroom) to the Club in ensuring compliance with the Club’s obligations under Data Protection Laws with respect to:
      5.2.1

      security of processing;

      5.2.1

      data protection impact assessments (as such term is defined in Data Protection Laws);

      5.2.1

      prior consultation with a Supervisory Authority regarding high risk processing; and

      5.2.1

      notifications to the Supervisory Authority and/or communications to Data Subjects by the Club in response to any Personal Data Breach,

      provided the Club shall pay Transferroom’s charges for providing the assistance in this paragraph 5.2, such charges to be calculated on a time and materials basis at Transferroom’s then-current rates.
  6. International data transfers
    1. The Club agrees that Transferroom may transfer Protected Data to Sub-Processors in countries outside the United Kingdom or to any International Organisation(s) (an International Recipient), provided all transfers by Transferroom of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws.
  7. Records, information and audit
    1. Transferroom shall maintain, in accordance with Data Protection Laws binding on Transferroom, written records of all categories of processing activities carried out on behalf of the Club.
    2. Transferroom shall, in accordance with Data Protection Laws, contribute and allow for audits either by (at its option): (i) making available to the Club upon request any which the Club must treat confidentially under the confidentiality provisions of the Agreement or under a non-disclosure agreement concluded between the Parties; or (ii) responding to a written security questionnaire submitted to it by the Club provided that the Club will not exercise this right more than once per year and will hold Transferroom’s responses in confidence under the confidentiality provisions of the Agreement.
  8. Breach notification
    1. In respect of any Personal Data Breach involving Protected Data, Transferroom shall, without undue delay:
      8.1.1

      notify the Club of the Personal Data Breach; and

      8.1.2

      provide the Club with details of the Personal Data Breach.

  9. Deletion or return of Protected Data and copies
    1. Transferroom shall, at the Club’s written request, either delete or return all the Protected Data to the Club within a reasonable time after the earlier of:
      9.1.1

      the end of the provision of the relevant Service related to processing; or

      9.1.2

      once processing by Transferroom of any Protected Data is no longer required for the purpose of Transferroom’s performance of its relevant obligations under the Agreement,

      and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Transferroom shall inform the Club of any such requirement).

SCHEDULE 1

DATA PROCESSING DETAILS


  1. Subject-matter of processing:

    Provision of the Transferroom service.

  2. Duration of the processing:

    For the duration of the provision of the Service.

  3. Nature and purpose of the processing:

    To provide the Transferroom service to the Club, including the following features:

    - Make players available for loan and sale

    - Pitch players to other clubs

    - Edit players contract expiry, position, height, foot, video and notes (player description)

    - Player search, browse players and see players availability on sale or loan, and prices, other search criteria based on the player data

    - Shortlist, add players to shortlist

    - Create player ads / club ads: Specify their requirements in terms of player profiles

    - My player ads: Manage their ads - and receive player pitches from other clubs

    - Club ads: Pitch players to other clubs in response to Club Ads from other clubs.

    - Messaging: Use messaging feature in the Service to communicate with other clubs.

    - Place offers and declare interest in players

    - Create friendly ads: Specify their friendly requirements

    - My friendly ads: Manage their friendly ads, keep them up to date

    - Marketplace. Access information about other clubs’ friendly requirements (and contact clubs if they are interested in those)

    - Directory: Collect details of other users of TransferRoom

  4. Type of Personal Data:

    For contacts listed in the Directory: Name, email address, business phone number, job title. For the Club’s Players, and for other clubs’ players shortlisted or viewed by the Club: name, nationality, date of birth, position, transfer status (whether for loan and/or sale), current club and parent club (if player is on loan), valuation (optional), contract expiry date, performance statistics (including appearances, starting appearances, goals, assists, separated by competition), video and text]; Club history/career history: Season/Years, club, contract (permanent or on loan); contact details of players and players’ representatives.

  5. Categories of Data Subjects:

    Players, as defined in the Agreement. Club staff whose contact details are listed in the Directory feature in the Service. Football playing staff and contacts of other clubs using the Service, which are listed in the Service.