THIS DATA SHARING ADDENDUM (the “Addendum”) is entered into as of the Addendum Effective Date by and between: (1) Century Games Pte. Ltd. (“Company”); and (2) [PARTNER] (the “Partner”), hereinafter also referred to individually as “Party” or jointly as “Parties”.
1. Preamble
1.1 Company and Partner have entered into [name of Agreement], involving the Processing of certain Personal Data (the “Agreement”).
1.2 This Data Sharing Addendum (“Addendum”) between the Parties is incorporated into and forms part of the Agreement and consists of (a) the main body of the Addendum; (b) Attachment 1 (Subject Matter and Details of the Data Processing); (c) Attachment 2 (EU and UK Restricted Transfers); and (d) Attachment 3 (California Annex).
2. Definitions
2.1 In this Addendum the following terms shall have the meanings set out below for this Addendum, unless expressly stated otherwise:
2.1.1. “Addendum Effective Date” means the effective date of the Agreement.
2.1.2. “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder.
2.1.3. “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.1.4. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number.
2.1.5. “EEA” means the European Economic Area.
2.1.6. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
2.1.7. “GDPR” means the UK GDPR and/or EU GDPR (as applicable), together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018). References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
2.1.8. “Joint Controllers” means any situation where both Parties jointly determine the purposes and means of Processing.
2.1.9. “Personal Data” means all information relating to a Data Subject collected and Processed in accordance with the Agreement.
2.1.10. “Personal Data Breach” means a breach of security leading to the accidental, unlawful or unauthorized destruction, loss, alteration, unavailability, encryption, acquisition, disclosure of, or access to, Personal Data in a Party’s possession, custody or control.
2.1.11. “Process” and inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.1.12. “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
2.1.13. “Services” means those services and activities to be supplied to or carried out pursuant to the Agreement.
2.1.14. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2.1.15. “Supervisory Authority” shall have the meaning given to that term in the GDPR.
2.1.16. “Transfer Solution(s)” means the SCCs and/or the UK Transfer Addendum, as applicable to the relevant Restricted Transfer.
2.1.17. “UK GDPR” means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).
2.1.18. “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
2.2 Unless otherwise defined in this Addendum, all capitalized terms in this Addendum shall have the meaning given to them in the Agreement.
3. Relationship with the Agreement
Partner and Company’s respective obligations under this Addendum are in addition to and not in lieu of their respective obligations under the Agreement.
4. Roles of the Parties
The Parties acknowledge and agree that:
4.1 For the purpose of GDPR, each Party will act as a separate and independent Controller in relation to the performance of the Agreement and the Processing of Personal Data described in Attachment 1 (Subject Matter and Details of the Data Processing), and shall independently determine the purposes and means of such processing. The Parties agree that they do not operate as Joint Controllers in relation to the performance of the Agreement and the Processing of Personal Data described in Attachment 1 (Subject Matter and Details of the Data Processing); and
4.2 For the purpose of CCPA, Company shall be considered a business and Partner shall be considered a third party in relation to the performance of the Agreement and the Processing of Personal Data described in Attachment 1 (Subject Matter and Details of the Data Processing). To the extent that Partner Processes Company Personal Data protected by the CCPA, then the terms specified in Schedule 3 (California Addendum) shall apply in addition to the terms in this Agreement.
5. Obligations of the Parties
In addition to and not in lieu of the Parties’ respective obligations under the Agreement, in connection with its Processing performed in connection with the Agreement, each Party shall:
5.1 only Process the Personal Data for the purpose agreed between the Parties and not further process personal data in a way that is incompatible with such purpose;
5.2 comply with its respective obligations under the GDPR in respect of its Processing of Personal Data;
5.3 ensure that all persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality that survives termination of the personnel engagement;
5.4 reasonably cooperate with the other Party to enable such other Party to fulfill its obligations, as applicable, under the GDPR;
5.5 inform promptly the other Party and provide reasonable assistance to the other Party regarding any response to requests of Data Subjects to exercise their rights under the GDPR or any other requests, in respect of personal data processed under this Agreement;
5.6 inform promptly the other Party and reasonably cooperate with the other Party to comply with any request, enquiry, or investigation from a Supervisory Authority;
5.7 co-operate with the other Party, to the extent reasonably requested, in relation to any notification to Supervisory Authorities which is required following a Personal Data Breach involving the Personal Data; and
5.8 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Partner shall implement and maintain appropriate technical and organizational measures to (i) ensure the security, integrity, availability and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security, integrity, availability and confidentiality of Personal Data; and (iii) protect against any Personal Data Breach.
6. Data Transfers
EU Restricted Transfers
6.1 To the extent that any Processing of Personal Data under this Addendum involves an EU Restricted Transfer from Company to Partner, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) populated in accordance with Part 1 of Attachment 2; and (ii) entered into by the Parties and incorporated by reference into this Addendum.
6.2 The Parties acknowledge and agree that Company is acting as the data exporter and Partner is acting as the data importer under this Addendum and for the purposes of the SCCs.
UK Restricted Transfers
6.3 To the extent that any Processing of Personal Data under this Addendum involves a UK Restricted Transfer from Company to Partner, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 2; and (ii) entered into by the Parties and incorporated by reference into this Addendum.
General Restricted Transfer Provisions
6.4 Company may on notice vary this Addendum and replace the relevant Transfer Solution(s) with: (i) any new form of the relevant Transfer Solution(s) or any replacement therefor prepared and populated accordingly; or (ii) another transfer mechanism, other than the SCCs and/or UK Transfer Addendum, that enables the lawful transfer of Personal Data under this Addendum in compliance with Chapter V of the GDPR.
6.5 In respect of any given Restricted Transfer, if requested of either Party (“Requesting Party”) by a Supervisory Authority or Data Subject, on specific written request, the other Party shall provide Requesting Party with an executed version of the relevant Transfer Solution(s) responsive to the request made of Requesting Party for countersignature by Requesting Party, onward provision to the relevant requestor and/or storage to evidence Requesting Party’s compliance with the GDPR.
7. Access to Personal Data by public authorities
7.1 To the extent permitted by applicable laws, each Party shall notify the other Party promptly in writing of any subpoena or other judicial or administrative order by a public authority or proceeding seeking access to or disclosure of Personal Data. Such notification shall, to the extent permitted by applicable laws, include details regarding the Data Subject concerned, Personal Data requested, the requesting authority, the legal basis for the request, and any responses provided.
7.2 To the extent permitted by applicable laws, each Party shall not disclose the Personal Data requested until all reasonable challenges to the request have been exhausted and shall provide the minimum of information permissible when responding to an order to disclose the Personal Data.
7.3 Where the notifying Party is prohibited from satisfying Section 7.1 under applicable laws, the notifying Party shall use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible.
7.4 Where a Party becomes aware of any direct access by public authorities to Personal Data (including the reasonable suspicion thereof), this Party shall promptly notify the other Party with all information available, unless otherwise prohibited by applicable laws.
8. Compliance with the GDPR and this Addendum
Each Party shall promptly inform the other Party if the notifying Party is unable to comply with the GDPR and/or this Addendum for whatever reason. Without prejudice to any rights or remedies available in the circumstances, in such a case, the notified Party shall have the right to immediately suspend the Processing or terminate the Agreement without cause.
9. Indemnification
Partner shall indemnify, defend, and hold Company harmless from and against any and all liabilities, claims, losses, suits, judgments, and reasonable legal fees arising from any breach, negligent act, willful misconduct, error or omission of relevant data protection obligations under the GDPR, this Addendum and the SCCs by the offending Party, its employees, representatives or agents.
10. Termination
This Addendum will terminate when Partner ceases to Process Personal Data in application of the Agreement, or as otherwise agreed by the Parties.
11. Miscellaneous
11.1 In the event of any conflict or inconsistency between this Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict or inconsistency; or any Transfer Solution(s) that may apply in accordance with Section 6 and this Addendum and/or the Agreement, said Transfer Solution(s) (as applicable) shall prevail in the context of the Restricted Transfer(s) to which they apply to the extent of any such conflict or inconsistency.
11.2 The provisions of this Addendum shall survive the expiration or other termination of the Agreement and remain in force as long as Partner Processes Personal Data.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect from the Agreement effective date.
Attachment 1
Subject Matter and Details of the Data Processing
This Attachment 1 includes certain details of the Processing of Personal Data under the Agreement; and is used to populate Annex I to the SCCs and the UK Transfer Addendum.
Company details
Name: | Century Games Pte. Ltd. |
Address: | As set out in the pre-amble to the Addendum |
Contact Details: | Email: [NTD – to be inserted] |
Company Activities: | Game developer and publisher |
Role: | Controller (data exporter) |
Partner Details
Name: | [Partner – to be inserted] |
Address: | As set out in the pre-amble to the Addendum |
Contact Details: | [NTD – to be inserted] |
Company Activities: | [NTD – to be inserted] |
Role: | Controller (data importer) |
DETAILS OF PROCESSING
Categories of Data Subjects: | End-users |
Categories of Personal Data: | Relevant Personal Data includes: • [Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth, sex, and physical description.] • [Contact details – for example home and/or business address, email address, telephone details and other contact information such as social media identifiers/handles.] • [Authentication details – for example username, password or PIN code, security questions and other access protocols.] • [Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.] |
Sensitive Categories of Data, and associated additional restrictions/safeguards: | Categories of sensitive data: None Additional safeguards for sensitive data: N/A |
Frequency of transfer: | Ongoing – as initiated by Company in and through its use, or use on its behalf, of the Services. |
Nature of the Processing: | Processing operations required in order to provide the Services in accordance with the Agreement. |
Purpose of the Processing: | Personal Data will be processed: (i) as necessary to provide the Services as initiated by Company in its use thereof, and (ii) to comply with any other reasonable instructions provided by Company in accordance with the terms of this Addendum. |
Duration of Processing / Retention Period: | For the period determined in accordance with the Agreement and Addendum. |
Attachment 2
EU and UK Restricted Transfers
Notes:
In the context of any Restricted Transfer, the SCCs and/or UK Transfer Addendum (as applicable) populated in accordance with this Attachment 2 are incorporated by reference into and form an effective part of the Addendum.
Part 1: EU Restricted Transfers
SIGNATURE OF THE SCCs:
Where the SCCs apply in accordance with Paragraph 6 to the Addendum each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
MODULE ONE
Module One of the SCCs applies to any Restricted Transfer involving Processing of Personal Data in respect of which Company is a Controller and data exporter, and Partner is a Controller and data importer.
POPULATION OF THE BODY OF THE SCCs
3.1 The following applies as and where applicable to Module One and the Clauses thereof:
(a) The optional ‘Docking Clause’ in Clause 7 is used and the language of the body of that Clause 7 is retained.
(b) The language in Clause 9 is not used and the body of that Clause 9 is left intentionally blank.
(c) In Clause 11, the optional language is not used and is deleted.
(d) In Clause 13, the following wording is retained “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.” and all other square brackets and all text therein is removed.
(e) In Clause 17: OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
(f) For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
3.2 In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.
POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
4.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Attachment 1 to the Addendum, with: Company being ‘data exporter’; and Partner being ‘data importer’.
4.2 Annex II to the Appendix to the SCCs is populated as below:
Partner will implement and maintain the Security Measures as set out below.
Policy. Implement and maintain an information security policy, which accords with the requirements of GDPR and good industry practice.
Personnel. Organizational management and dedicated staff responsible for the development, implementation and maintenance of Partner’s information security program.
Audits. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Partner’s organization, monitoring and maintaining compliance with Partner’s policies and procedures, in each case conducted by a suitably-qualified and reputable third-party provider, and associated reporting of the condition of its information security and compliance to internal senior management.
Separation, access control and permissions. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role based) access and monitoring. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Encryption. At a minimum, Personal Data shall be encrypted on all occasions where it is:
- transmitted over public networks (i.e. the Internet), using modern Transport Layer Security protocols; and
- at rest, using Advanced Encryption Standard (AES) 256 bit encryption.
Policies shall be maintained and enforced that prohibit storage or transmission unless required encryption has been applied.
Password management. Password controls designed to manage and control password strength, expiration and usage – including, at a minimum, requiring passwords controlling access to Personal Data to have minimum complexity requirements, be at least 8 characters in length, and be changed frequently (and at least every 90 days); maintaining a secure method for selecting and assigning passwords and requiring use of multi-factor authentication and other reasonable authentication technologies; and assignment of unique user identifications and passwords, which are not vendor-supplied default passwords.
Logging. System audit or event logging and related monitoring procedures to proactively record user access and system activity (including systems storing or that may be used to access Personal Data).
Physical Security. Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to protect information assets from unauthorized physical access or damage.
Technology configuration and data destruction. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Partner’s possession.
Change management. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Partner’s technology and information assets.
Personal Data Breach Management. Personal Data Breach management procedures that allow Partner to investigate, respond to, mitigate and notify events related to Personal Data and associated technology and information assets, which, at a minimum, are sufficient to enable Partner to comply with its relevant obligations under GDPR.
Firewalls. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
Testing. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
BC; DR. Business resiliency/continuity and disaster recovery procedures to ensure the availability of Personal Data and associated technology and information assets, and to maintain service and/or recovery from emergency situations or disasters.
Partner may update or modify these Security Measures, on written notice to Company, from time to time; provided that such updates and modifications do not decrease the overall security of the Personal Data and associated technology and information systems or assets, nor prejudice the warranty and representation set out in this Addendum.
Part 2: UK Restricted Transfers
Where relevant in accordance with Paragraph 6 to the Addendum, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below:
1.1 Part 1 to the UK Transfer Addendum. The Parties agree:
(a) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Attachment 1 to the Addendum and the foregoing provisions of this Attachment 2 (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
(b) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Exporter’ being deemed to have been ticked.
1.2 Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1 of this Part 2; provided that the Parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the Addendum to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1 of this Part 2.
Attachment 3
California Annex
Order of Precedence. To the extent that the terms in this California Annex conflict with the terms in the rest of the Agreement, the terms in this California Annex prevail. Furthermore, the Parties hereby agree that the terms of this California Annex supersede and replace any respective obligations of the Parties that relate to the Processing of Personal Data to the extent that such processing is subject to the CCPA.
Definitions. CCPA and other capitalized terms not defined in this California Annex are defined in the Addendum.
2.1. “Business,” “sell,” “share,” and “third party” shall have the meanings given in the CCPA.
2.2. The definition of “Personal Data” includes “personal information” as defined in the CCPA.
Obligations.
3.1. Company is providing Personal Data to Partner under the Agreement for the limited and specified purposes described in Attachment 1 (Subject Matter and Details of the Data Processing).
3.2. Where the provision of Personal Data by Company to Partner pursuant to the Agreement constitutes a sell and/or sharing of Personal Data under the CCPA, Partner:
a. shall comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data as is required by the CCPA;
b. acknowledges that Company has the right to take reasonable and appropriate steps to ensure that Partner’s use of Personal Data is consistent with Company’s obligations under the CCPA;
c. shall notify Company in writing, no later than five (5) business days, after it makes a determination that it can no longer meet its obligations under the CCPA; and
d. acknowledges that the Company has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate Partner’s unauthorized use of Personal Data.