SPM Sportplatz-Media GmbH (hereinafter “Contractor”), Schleidenstraße 3, 22083 Hamburg, operates the website www.spielerplus.de and the corresponding SpielerPlus app. Team leaders/trainers (hereinafter “Clients”) can use this app (hereinafter “SpielerPlus”) to organize their sport teams as administrators. The Client manages the personal data autonomously.

The Contractor processes personal data on behalf of the Client as defined in Art. 4 no. 8 and Art. 28 of the regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This order processing agreement specifies the data protection obligations of the contracting parties resulting from processing the order data described in the main contract. It applies to all activities related to the main contract and in which the employees of the Contractor or third parties commissioned by the Contractor may come into contact with the Client’s personal data.

1.1 Personal data are individual items of information about personal or factual situations regarding an identified or identifiable natural person (Art. 4 no. 1 GDPR).

1.2 Data processing by order is the collection, processing, and use of personal data as defined in Art. 4 no. 2 GDPR by the Contractor on behalf of the Client.

1.3 Instruction refers to all instructions given by the Client to the Contractor and by which the Contractor is requested to perform a particular action with regard to personal data (e.g., anonymization, restriction, erasure, transmission). The instructions are initially defined in the main contract; subsequently the Client can amend, supplement, or replace them with individual instructions in written form (individual instruction).

1.4 The collection, processing, and use of personal data has the meaning defined in Art. 4 no. 2 GDPR.

The Contractor processes personal data on behalf of the Client. This includes activities specified in the main contract and the description of services. Within the scope of this contract, the Client is solely responsible for compliance with the legal provisions of the data protection laws, particularly for the lawfulness of transferring data to contractors and for the lawfulness of the data processing (“Controller” as defined in Art. 4 no. 7 GDPR). The Contractor has the right to inform the Client if the Contractor believes that the order and/or an instruction refers to legally inadmissible data processing.

3.1 The subject of the order is derived from the main contract/description of services that is referenced herein.

3.2 The duration of this order (term) corresponds to the term of the main contract.

3.3 The right of extraordinary termination shall remain unaffected by this.

The scope, nature, and purpose of the collection, processing, and use of personal data by the Contractor for the Client are specified in the main contract.

The following types/categories of data are the subject of the collection, processing, and use of personal data (list/ description of the data categories):

Type of data (general):

• User name
• First and last name
• Address
• Date of birth
• Email address
• Phone and cell phone number
• Profile picture
• Chat histories
• Representatives and contact persons
• Data entered in the chat or contact forms
• Information related to the player, such as:
  • Garment size
  • Jersey number
  • Position (attack, defense, midfield, etc.)
  • Member number (sports club/team)
  • Confirmations and cancellations of events including the reasons
  • Line-up
  • Participation in carpools
  • Assigned tasks within the team
  • Data from the match report (such as goals, fouls, penalties, etc.)
  • Team treasury (penalties, contributions)
  • Betting behavior (betting community)
  • Voting behavior

Special data category:

• Absence due to illness/injury (health data)

The group of persons affected by the handling of their personal data (data subjects) in the scope of this order includes:

• Trainers/team leaders
• Players/team members
• Contact persons at the association
• In case of minors: Legal guardians

7.1 The Contractor may only correct, erase, or restrict data processed within the scope of the order according to instructions by the Client.

7.2 The Client may demand the rectification, erasure, restriction, and transmission of data at any time during and after the completion of the order or the main contract.

8.1 Within its area of responsibility, the Contractor will ensure that the internal organization meets the special requirements of data protection.

8.2 To adequately protect the Client’s data against misuse and loss, the Contractor will implement technical and organizational measures that will correspond to the requirements of the General Data Protection Regulation (Art. 24, 32 GDPR). Where appropriate, this includes in particular:

• to prevent unauthorized persons from accessing data processing systems that are used to process and utilize the personal data (entry control),
• to prevent the use of data processing systems by unauthorized persons (admission control),
• to ensure that persons authorized to use a data processing system can exclusively access the data they are authorized to access, and that personal data cannot be read, copied, altered, or removed during the processing or use and after the storage (access control),
• to ensure that personal data cannot be read, copied, altered, or removed during the electronic transmission or during its transport or storage on data carriers, and that it is possible to verify and determine in which areas personal data are intended to be transmitted by means of data transfer equipment (transmission control),
• to ensure that it is possible to verify and determine at a later time whether and by whom personal data were entered into data processing systems, altered, or removed (input control),
• to ensure that personal data that are processed for the order can only be processed in accordance with the Client’s instructions (order control),
• to ensure that personal data are protected against accidental destruction or loss (availability control),
• to ensure that data collected for different purposes can be processed separately (separation control),
• the pseudonymization and encryption of personal data,
• the ability to ensure the confidentiality, integrity, availability, and resilience of the systems and services associated with the processing for the long term,
• the ability to quickly restore the availability of the personal data and access to them in case of a physical or technical incident,
• a procedure for the regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures to guarantee the security of the processing.

8.3 The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement adequate alternative measures. However, the security level of the defined measures must remain adequate. Significant changes must be documented.

9.1 The Client has the right to issue supplementary instructions to the Contractor at any time about the type, scope, and method of the data processing. Instructions can be issued in text form (e.g., email).

9.2 The Contractor may collect, process, or use data only within the scope of the order and the Client’s instructions, unless the Contractor is obligated to process the data under Union law or the law of the Member States.

9.3 Rules regarding the potential remuneration of additional costs incurred by the Contractor resulting from the Client’s additional instructions remain unaffected.

9.4 The Contractor must inform the Client about exceptions to the obligation to issue instructions under the law applicable to the Contractor unless this law specifically prohibits such a notification because of an important public interest.

9.5 Insofar as is legally required, the Contractor appoints a data protection officer in writing who can carry out his activities in accordance with Art. 37, 38, 39 GDPR. The Client is provided with the data protection officer’s contact information for the purpose of direct contact.

9.6 The Contractor ensures that the employees involved in the processing of the Client’s personal data are bound to data secrecy (Art. 29 GDPR) and have been instructed in the safeguard provisions of the GDPR. The data secrecy continues to exist even after the processing has finished.

9.7 The Contractor immediately notifies the Client if there is reason to believe that an instruction by the Client violates applicable data protection law.

9.8 The Contractor notifies the Client in the event of serious disruptions to the operating process, if there is a suspected violation of data protection, or if there are other irregularities in the processing of the Client’s data. This also applies to potential control actions, measures by the supervisory authority according to Art. 51–59 GDPR, or investigations according to Art. 83, 84 GDPR.

9.9 It is known that the Client may be subject to information obligations according to § Art. 33 GDPR in case of an unlawful transmission or if knowledge of particular personal data is gained. For that reason, such incidents must be reported to the Client immediately, regardless of the cause. The Contractor’s report to the Client must include the following information in particular:

• a description of the type of personal data breach, if possible with information about the categories and approximate number of affected persons, the affected categories, and the approximate number of affected personal data sets;
• a description of the measures taken or proposed by the Contractor to remedy the personal data breach and, where appropriate, measures to mitigate its potential harmful effects.

In consultation with the Client, the Contractor must take appropriate measures to secure the data and reduce potential adverse effects on the affected parties. Insofar as the Client is subject to obligations according to Art. 33 GDPR, the Contractor must support the Client in this respect.

9.10 The Contractor is obligated to provide the Client with information at any time insofar as the Client’s data and documents are affected by a personal data breach. The Contractor carries out the destruction of material in compliance with data protection laws on the basis of an individual order by the Client. In special cases specified by the Client, the material is stored or handed over.

9.11 The Contractor informs the Client if data subjects assert their rights as data subjects against the Contractor.

10.1 The Client is solely responsible for assessing the permissibility of the collection, processing, or use of data as well as for safeguarding the rights of the data subjects.

10.2 The Client must immediately and comprehensively inform the Contractor if the Client notices errors or irregularities in respect to data protection regulations while reviewing the order results.

10.3 The obligation to keep a processing directory in accordance with Art. 30 GDPR lies with the Client.

10.4 The Client is responsible for the information obligations resulting from Art. 33 GDPR.

10.5 The Client determines the procedures for the return of the provided data carriers and/or deletion of the saved data after the conclusion of the contract either contractually or through an instruction.

If the Client, on the basis of applicable data protection laws, is obligated to provide an individual person with information about the collection, processing, or use of data about this person, the Contractor will assist the Client in providing this information if the Client has asked the Contractor to do so in writing.

Upon request, the Client, Contractor and, if applicable, their representatives, will cooperate with the supervisory authority in the performance of its tasks.

Before the data processing is started and then regularly, the Client will convince itself of the Contractor’s technical and organizational measures and document the result. For this purpose, the Client can obtain information from the Contractor or perform an audit at the Client’s expense. In case of an audit, the Client will bear the costs of the Contractor’s employees who have to participate in such audit.

14.1 The transfer of orders within the scope of this contract and the activities specified in §§ 3, 4, 5, 6 for subcontractors is possible as long as the Contractor ensures that the subcontractor assumes the obligations arising from this contract with the Contractor. If the Contractor places orders with subcontractors, the Contractor is obligated to transfer its obligations from this contract to the subcontractor. In particular, the requirements regarding confidentiality, data protection and data security are applicable between the parties to this contract.

14.2 The Client is to be granted control and inspection rights corresponding to § 13. By means of a written request, the Client is entitled to receive information from the Contractor about the essential content of the contract and the implementation of the contractor’s data protection-related obligations, if necessary also by inspecting the relevant contract documents.

In the processing of data for the Client, the Contractor is obligated to maintain the confidentiality of the data that the Contractor becomes aware of or receives in connection with the order. The Contractor undertakes to observe the same rules of secrecy protection as those the Client must comply with. The Client is obligated to inform the Contractor of any special secrecy protection rules.

16.1 If the Client’s data should be endangered at the Contractor’s business due to seizure or confiscation, insolvency or settlement proceedings, or other events or measures by third parties, the Contractor must immediately report this to the Client. The Contractor will immediately inform all responsible parties in this context that the sovereignty and ownership of the data lie exclusively with the Client as the “responsible party” in the sense of the GDPR.

16.2 The processing and use of the data takes place exclusively within the territory of the Federal Republic of Germany, in a member state of the European Union, or in another state that is a party to the agreement on the European Economic Area. Any relocation to a third country requires the Client’s prior consent and may only take place if the special requirements of Art. 44, 45, 46 of the GDPR are met. The Client is aware that the Contractor is using the services of the subcontractor Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-122 (AWS). AWS also offers hosting services within the EU (including in Germany). In the event of data processing in the USA, AWS offers sufficient guarantees for the data protection-compliant processing as defined in Art. 46 of the GDPR through a US/EU Privacy Shield certification.

16.3 Amendments and supplements to this contract and all its components – including any assurances given by the Contractor – require a written agreement and the express indication that these regulations are to be amended or supplemented. This also applies to any waiver of this formal requirement.

16.4 German law applies, with the exception of the conflict of laws provision.