Data processing agreement

Between the DATA CONTROLLER and the PROCESSOR, as defined in the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016.

WHEREAS

I.- This Agreement is established for the provision of services, which encompass access to, and utilization of, an online computer program called ‘Golfmanager.’ This program is designed for the management of sports centers and the booking of services via the Internet, all in accordance with the Terms and Conditions and Privacy Policy accepted by the Data Controller.

The duration of this Agreement shall be tied to the provision of the services.

II.- These services entail the processing of personal data files owned by the Data Controller, specifically those of the partners and/or players associated with the Data Controller. These data must be shared with the Data Processor as they are hosted and managed through the ‘Golfmanager’ platform. The Data Processor is obligated to verify that the necessary measures are in place to ensure compliance with data protection regulations.

III.- In order to comply with the provisions of Article 28 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (hereinafter referred to as the GDPR), both parties enter into this contract, formalizing it through mutual agreement, in accordance with the following terms.

 

STIPULATIONS

 

FIRST.-

In accordance with Article 28 of the GDPR, the role of Data Processor is assumed by the natural or legal person who operates on behalf of the Data Controller. The Data Controller is the entity that determines the purpose and usage of the information to which the Data Processor has access.

 

SECOND.- Identification of the Affected Information.

Both parties acknowledge that the DATA CONTROLLER may have access to the files containing personal data owned by the Data Controller. This access is essential for the provision of the aforementioned service. The data shall be incorporated into systems or media owned by the DATA CONTROLLER.

 

THIRD.- Duration.

This agreement shall remain in effect for the duration of the service provision. Upon termination of the service provision, the Data Processor shall be obligated to either return the personal data to the Data Controller or transfer it to another Data Processor designated by the Data Controller, while also deleting any copies in its possession. Nevertheless, the Data Processor may retain the data in a blocked state to fulfill potential administrative or jurisdictional responsibilities.

 

FOURTH.- Obligations of the Data Processor.

A) The data processor and all its personnel are obligated to:

  • Process the personal data, or data collected for inclusion, solely for the purposes specified in this Data Processing Agreement.
  • Process the data in accordance with the instructions of the data controller.
  • Keep, in writing, a record of all categories of processing activities carried out on behalf of the controller, containing:
    • The name and contact details of the processor(s), each controller on whose behalf the processor is acting, and, if applicable, the representative of the controller or processor, as well as the data protection officer’s contact information.
    • The categories of processing conducted on behalf of the controller.
    • An overview of the appropriate technical and organizational security measures being implemented.

 

This record may be provided to the Data Controller or any competent body that requests it.

  • Not disclose the data to third parties, except with the explicit authorization of the data controller, in cases permitted by law. If the processor intends to subcontract, they must inform the data controller and seek their prior authorization.
  • Maintain the obligation of confidentiality regarding the personal data to which it has gained access, even after the contract’s termination.
  • Ensure that individuals authorized to process personal data explicitly commit in writing to maintaining confidentiality and adhering to the necessary security measures, with full awareness of these measures.
  • Maintain documentation that demonstrates compliance with the obligation stated in the preceding section and make it available to the Data Controller upon request.
  • Ensure the necessary training in personal data protection for persons authorized to process personal data.
  • When data subjects exercise their rights of access, rectification, erasure, objection, limitation of processing, and data portability with the data processor, the data processor must promptly communicate this via email to the address provided by the data controller. This communication must be sent immediately, and in no case later than the next working day after receiving the request. Additionally, if relevant, it should include any other information that may be necessary to address the request.

 

B) Notification of Data Security Breaches

The processor shall promptly inform the controller, using the email address provided by the controller, of any security breaches involving the personal data under its responsibility, as soon as it becomes aware of them. This notification shall include all pertinent information required for documenting and communicating the incident.

At a minimum, the following information shall be provided:

  • Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  • Contact person’s data for further information.
  • Description of the potential consequences of the personal data breach, along with a presentation of the measures already taken or planned to address the breach. This should include any measures aimed at mitigating potential adverse effects.

 

If it is not possible to provide all this information simultaneously, it shall be provided progressively without undue delay.

The Data Processor shall abide by the Security Breach Protocol, as well as the Contingency Plan that ensures the restoration and continuity of the service, attached to this contract as Annex I.

 

C) Likewise, the Data Processor undertakes to:

  • Implement the necessary technical and organizational security measures to ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
  • Have a general description of the technical and organizational security measures relating to (i) the pseudonymization and encryption of personal data, if applicable; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services; (iii) the ability to restore availability and access to personal data promptly, in the event of a physical or technical incident; and (iv) the process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing.

 

This description is set forth in Annex II attached to this contract.

 

D) Destination of the Data

The Data Processor undertakes to destroy the personal data within the following deadlines:

  • The contents of closed accounts are removed within six (6) months after the closing date.
  • Backups are kept for three (3) months.

 

FIFTH.- Obligations of the data controller.

It is the responsibility of the data controller to:

  1. Provide the controller with the necessary data to be able to provide the service.
  2. Ensure, prior to and throughout the processing, compliance with the GDPR by the processor.
  3. Supervise processing.

 

SIXTH.- Interpretation and null and void clauses.

The interpretation of this contract shall adhere to the literal meaning of its clauses. In cases where specific provisions are not outlined, the contracting parties shall be governed by the applicable Spanish legislation. If any of the stipulations or conditions in this contract were to be deemed null, invalid, or ineffective under the applicable law, such nullity, invalidity, or ineffectiveness shall not impact the remaining provisions or conditions.

 

SEVENTH.- Jurisdiction and Applicable Law.

The contract shall be interpreted in accordance with Spanish law. In the event of any disputes between the Parties, they agree to attempt amicable resolution within one month. If an amicable resolution is not achieved, the Parties expressly agree to submit to the Courts and Tribunals of Barcelona city, waiving any other jurisdiction that may apply.