THIS DATA SHARING ADDENDUM (the “Addendum”) is entered into as of the Addendum Effective Date by and between: (1) Century Games Pte. Ltd. (“Company”); and (2) [PARTNER] (the “Partner”), hereinafter also referred to individually as a “Party” or jointly as the “Parties”.
- Preamble
- 1.1 Company and Partner have entered into the business Agreement, involving the Processing of certain Personal Data (the “Agreement”).
- 1.2 This Addendum between the Parties is incorporated into and forms part of the Agreement and consists of (a) the main body of the Addendum; (b) Attachment 1 (Subject Matter and Details of the Data Processing); (c) Attachment 2 (EU and UK Restricted Transfers); and (d) Attachment 3 (California Annex).
- Definitions
- 2.1 In this Addendum the following terms shall have the meanings set out below for this Addendum, unless expressly stated otherwise:
- 2.1.1 “Addendum Effective Date” means the effective date of the Agreement.
- 2.1.2 “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder. “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- 2.1.3 “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations as well as government-issued rules, guidelines, directives and requirements pertaining to the Processing of Personal Data under the Agreement currently in effect and as they become effective that may exist in any relevant jurisdiction, including, without limitation, security breach notification laws, Personal Data security laws and Personal Data disposal laws. For the avoidance of doubt, applicable Data Protection Laws include, but are not limited to, the GDPR and the CCPA;
- 2.1.4 “EEA” means the European Economic Area.
- 2.1.5 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- 2.1.6 “GDPR” means the UK GDPR and/or EU GDPR (as applicable), together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018), and any successor, replacement, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
- 2.1.7 “Joint Controllers” means any situation where both Parties jointly determine the purposes and means of Processing.
- 2.1.8 “Process/Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Special Categories of Personal Data” shall have the same meaning as in the Data Protection Laws;
- 2.1.9 “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
- 2.1.10 “Services” means those services and activities to be supplied to or carried out pursuant to the Agreement.
- 2.1.11 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- 2.1.12 “Supervisory Authority” means an independent public authority responsible for the enforcement of applicable Data Protection Laws which is established pursuant to applicable Data Protection Laws.
- 2.1.13 “Transfer Solution(s)” means the SCCs and/or the UK Transfer Addendum, as applicable to the relevant Restricted Transfer.
- 2.1.14 “UK GDPR” means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).
- 2.1.15 “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
- 2.2 Unless otherwise defined in this Addendum, all capitalized terms in this Addendum shall have the meaning given to them in the Agreement.
- Relationship with the Agreement
Partner and Company’s respective obligations under this Addendum are in addition to and not in lieu of their respective obligations under the Agreement.
- Roles of the Parties
The Parties acknowledge and agree that:
- 4.1 For the purpose of GDPR, each Party will act as a separate and independent Controller in relation to the performance of the Agreement and the Processing of Personal Data described in Attachment 1 (Subject Matter and Details of the Data Processing), and shall independently determine the purposes and means of such processing. The Parties agree that they do not operate as Joint Controllers in relation to the performance of the Agreement and the Processing of Personal Data described in Attachment 1 (Subject Matter and Details of the Data Processing); and
- 4.2 For the purpose of CCPA, Company shall be considered a business and Partner shall be considered a third party in relation to the performance of the Agreement and the Processing of Personal Data described in Attachment 1 (Subject Matter and Details of the Data Processing). To the extent that Partner Processes Company Personal Data protected by the CCPA, then the terms specified in Schedule 3 (California Addendum) shall apply in addition to the terms in this Agreement.
- Obligations of the Parties
In addition to and not in lieu of the Parties’ respective obligations under the Agreement, in connection with its Processing performed in connection with the Agreement, each Party shall:
- 5.1 only Process the Personal Data for the purpose agreed between the Parties and not further process Personal Data in a way that is incompatible with such purpose;
- 5.2 comply with its respective obligations under the GDPR in respect of its Processing of Personal Data;
- 5.3 ensure that all persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality that survives termination of the personnel engagement;
- 5.4 reasonably cooperate with the other Party to enable such other Party to fulfill its obligations, as applicable, under the GDPR;
- 5.5 promptly inform the other Party and provide reasonable assistance to the other Party regarding any response to requests of Data Subjects to exercise their rights under the GDPR or any other requests, in respect of Personal Data processed under this Agreement;
- 5.6 promptly inform the other Party and reasonably cooperate with the other Party to comply with any request, enquiry, or investigation from a Supervisory Authority;
- 5.7 co-operate with the other Party, to the extent reasonably requested, in relation to any notification to Supervisory Authorities which is required following a Personal Data Breach involving the Personal Data; and
- 5.8 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Partner shall implement and maintain appropriate technical and organizational measures to (i) ensure the security, integrity, availability and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security, integrity, availability and confidentiality of Personal Data; and (iii) protect against any Personal Data Breach.
- Data Transfers
EU Restricted Transfers
- 6.1 To the extent that any Processing of Personal Data under this Addendum involves an EU Restricted Transfer from Company to Partner, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) populated in accordance with Part 1 of Attachment 2; and (ii) entered into by the Parties and incorporated by reference into this Addendum.
- 6.2 The Parties acknowledge and agree that Company is acting as the data exporter and Partner is acting as the data importer under this Addendum and for the purposes of the SCCs.
UK Restricted Transfers
- 6.3 To the extent that any Processing of Personal Data under this Addendum involves a UK Restricted Transfer from Company to Partner, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (i) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 2; and (ii) entered into by the Parties and incorporated by reference into this Addendum.
General Restricted Transfer Provisions
- 6.4 Company may on notice vary this Addendum and replace the relevant Transfer Solution(s) with: (i) any new form of the relevant Transfer Solution(s) or any replacement therefor prepared and populated accordingly; or (ii) another transfer mechanism, other than the SCCs and/or UK Transfer Addendum, that enables the lawful transfer of Personal Data under this Addendum in compliance with Chapter V of the GDPR.
- 6.5 In respect of any given Restricted Transfer, if requested of either Party (“Requesting Party”) by a Supervisory Authority or Data Subject, on specific written request, the other Party shall provide Requesting Party with an executed version of the relevant Transfer Solution(s) responsive to the request made of Requesting Party for countersignature by Requesting Party, onward provision to the relevant requestor and/or storage to evidence Requesting Party’s compliance with the GDPR.
- 6.6 Where Partner is certified under a scheme (such as the EU–U.S. Data Privacy Framework and/or UK Extension to the EU–U.S. Data Privacy Framework (as applicable)) that benefits from an adequacy decision of the EU Commission and/or UK Government (as applicable), Partner may rely on such scheme and corresponding adequacy decision for transfers of Personal Data. In case Partner withdraws from such scheme or such scheme and/or respective adequacy decision is invalidated, Company and Partner shall automatically be bound by the additional obligations of this Section 6 with respect to Restricted Transfer(s).
- Access to Personal Data by public authorities
- 7.1 To the extent permitted by applicable laws, each Party shall notify the other Party promptly in writing of any subpoena or other judicial or administrative order by a public authority or proceeding seeking access to or disclosure of Personal Data. Such notification shall, to the extent permitted by applicable laws, include details regarding the Data Subject concerned, Personal Data requested, the requesting authority, the legal basis for the request, and any responses provided.
- 7.2 Where Partner receives such request, Company shall have the right to defend such legal challenge in lieu of and/or on behalf of Partner to the extent permitted by applicable laws. Company may, if it so chooses, seek a protective order. Partner shall reasonably cooperate with Company in such defense.
- 7.3 To the extent permitted by applicable laws, each Party shall not disclose the Personal Data requested until all reasonable challenges to the request have been exhausted and shall provide the minimum of information permissible when responding to an order to disclose the Personal Data.
- 7.4 Where the notifying Party is prohibited from satisfying Section 7.1 under applicable laws, the notifying Party shall use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Partner agrees to document its best efforts in order to be able to demonstrate them on request of Company.
- 7.5 Where a Party becomes aware of any direct access by public authorities to Personal Data (including the reasonable suspicion thereof), this Party shall promptly notify the other Party with all information available, unless otherwise prohibited by applicable laws.
- 7.6 Partner represents and warrants that (i) Partner has not purposefully created backdoors or similar programming that could be used to access its systems or Personal Data, (ii) Partner has not purposefully created or changed its business processes in a manner that facilitates access to its systems or to Personal Data by public authorities and shall not voluntarily cooperate with public authorities in relation to the same, and (iii) no applicable law or government policy to which Partner is subject requires Partner to create or maintain backdoors or to facilitate access to Personal Data or systems or for Partner to be in possession of any corresponding encryption keys.
- Compliance with the GDPR and this Addendum
Each Party shall promptly inform the other Party if the notifying Party is unable to comply with the GDPR and/or this Addendum for whatever reason. Without prejudice to any rights or remedies available in the circumstances, in such a case, the notified Party shall have the right to immediately suspend the Processing or terminate the Agreement without cause.
- Indemnification
Partner shall indemnify, defend, and hold Company harmless from and against any and all liabilities, claims, losses, suits, judgments, and reasonable legal fees arising from any breach, negligent act, willful misconduct, error or omission of relevant data protection obligations under the GDPR, this Addendum and the SCCs by the offending Party, its employees, representatives or agents.
- Termination
This Addendum will terminate when Partner ceases to Process Personal Data in application of the Agreement, or as otherwise agreed by the Parties.
- Miscellaneous
- 11.1 In the event of any conflict or inconsistency between this Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict or inconsistency; or any Transfer Solution(s) that may apply in accordance with Section 6 and this Addendum and/or the Agreement, said Transfer Solution(s) (as applicable) shall prevail in the context of the Restricted Transfer(s) to which they apply to the extent of any such conflict or inconsistency.
- 11.2 The provisions of this Addendum shall survive the expiration or other termination of the Agreement and remain in force as long as Partner Processes Personal Data.
Attachment 1
Subject Matter and Details of the Data Processing
This Attachment 1 includes certain details of the Processing of Personal Data under the Agreement; and is used to populate Annex I to the SCCs and the UK Transfer Addendum.
Company details
Name: | Century Games Pte. Ltd. |
Address: | As set out in the Agreement |
Contact Details: | As set out in the Agreement |
Role: | Controller (data exporter) |
Partner Details
Name: | As set out in the Agreement |
Address: | As set out in the Agreement |
Contact Details: | As set out in the Agreement |
Role: | Controller (data importer) |
DETAILS OF PROCESSING
Categories of Data Subjects: | · End-users |
Categories of Personal Data: | Relevant Personal Data includes: [Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth, sex, and physical description.] [Contact details – for example home and/or business address, email address, telephone details and other contact information such as social media identifiers/handles.] [Authentication details – for example username, password or PIN code, security questions and other access protocols.] [Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.] |
Sensitive Categories of Data, and associated additional restrictions/safeguards: | Categories of sensitive data: None. Additional safeguards for sensitive data: N/A |
Frequency of transfer: | Ongoing – as initiated by Company in and through its use, or use on its behalf, of the Services. |
Nature of the Processing: | Processing operations required in order to provide the Services in accordance with the Agreement. |
Purpose of the Processing: | Personal Data will be processed: (i) as necessary to provide the Services as initiated by Company in its use thereof, and (ii) to comply with any other reasonable instructions provided by Company in accordance with the terms of this Addendum. |
Duration of Processing / Retention Period: | For the period determined in accordance with the Agreement and Addendum. |