This DPA is hereby incorporated into the Agreement which governs the Supplier’s access to and/or processing of Huuuge personal data for the purposes of the Supplier providing the Services.
The term “party” or “parties” as used in this DPA refers to Huuuge and the Supplier, unless otherwise expressly stated. Defined terms used in this DPA will have the meanings given to them in Section 1 (Definitions).
This DPA enters into force on the date the provision of the Services under the Agreement commences, and is also binding for any annexes or updates of the Agreement between the parties, as long as the scope of the Services is in line with the scope given in this DPA.
- “personal data”, “processing”, “data subject”, “controller”, and “processor” have the meanings given to them by EEA Law or applicable Data Protection Laws to which the personal data may be subject to the extent that such concepts exist in such laws, where the term “personal data” also includes all information that classifies as personally identifiable information.
- “Affiliates” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by agreement or otherwise.
- “Agreement” means the existing arrangement under which the Supplier provides Services to Huuuge.
- “DPA” or “Addendum” means this Data Processing Addendum and any addenda associated with this Data Processing Addendum.
- “Data Protection Laws” means any applicable law or regulation concerning data protection, privacy and cybersecurity that governs the processing of personal data, including EEA Law and any supervisory guidance published in respect of the same.
- “EEA” means the European Economic Area.
- “EEA Law” means Regulation (EU) 2016/679 of the European Parliament and the Council (i.e., General Data Protection Regulation, abbreviated as GDPR), any successor thereto and any other law relating to the data protection or privacy of individuals that applies in the EEA.
- “Huuuge” means the Huuuge entity identified in the Agreement.
- “Regulator” means the data protection supervisory authority which has jurisdiction over Huuuge’s and/or the Supplier’s processing of personal data pursuant to the Agreement or the Addendum.
- “Restricted Third Country Transfer” means a transfer to Third Countries that is not based on an adequacy decision of the European Commission or when no appropriate safeguards exist.
- “Security Breach” means any security incident, unauthorised access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of personal data processed by or on behalf of the Supplier or a Subprocessor for Huuuge.
- “Services” means the services (or products) provided pursuant to the Agreement.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, including any subsequent versions thereof released by the European Commission (the latest version shall automatically apply).
- “Subprocessor” means any processor engaged by the Supplier or by any other Subprocessor of the Supplier which agrees to receive from the Supplier, or from any other Subprocessor of the Supplier, personal data, exclusively with the intention for processing activities to be carried out on behalf of Huuuge and in accordance with its instructions, the terms of the Agreement, the Addendum and the terms of the written subcontract.
- “Supplier” means the party defined in the Agreement as such an entity that provides Services.
- “Third Countries” means countries outside of the EEA.
- Obligations of the parties
- The parties agree that Appendix 1 to this Addendum sets out the:
- subject matter, duration, nature and purpose of the processing to be undertaken by the Supplier or Subprocessors; and
- the type of personal data and categories of data subjects,
applicable to the Agreement.
- This Addendum applies where Huuuge and/or its Affiliate are sole or joint controllers and the Supplier and/or its Affiliate is a processor.
- Unless expressly specified otherwise, any reference to Huuuge shall also mean a reference to Huuuge’s Affiliates and any reference to Supplier should mean a reference to the Supplier’s Affiliate. Huuuge and the Supplier respectively are fully responsible for their Affiliates in performance of this DPA.
- Supplier’s obligations and warranties
The Supplier agrees and warrants that it will:
- process personal data only:
- on behalf of Huuuge and in accordance with its documented instructions, including disclosing the personal data to a third party (unless otherwise required by any Data Protection Laws to which the Supplier is subject);
- for the specific purpose as set out in Appendix 1.B, unless on further instruction from Huuuge; and not for its own purposes; and
- in compliance with the Agreement, this Addendum and applicable Data Protection Laws;
- without undue delay notify Huuuge if the Supplier is unable to follow the instructions or is legally required to process the personal data otherwise (before such processing), and immediately inform Huuuge if it believes Huuuge’s instructions infringe any Data Protection Laws or issuances of any Regulator;
- provide assistance to Huuuge as it reasonably requires in complying with its obligations under Data Protection Laws, including obligations referred to in Articles 32-36 of the GDPR and the obligation to respond to data subjects’ requests for the exercise of their rights under the Data Protection Laws. The Supplier will without undue delay notify Huuuge of any request it has received from a data subject, but will not respond to that request itself unless it has been authorised to do so by Huuuge;
- grant access to the personal data to authorised members of its personnel that are subject to a confidentiality obligation and only to the extent strictly necessary for the implementation, management and monitoring of the DPA or the Agreement;
- it has implemented and will maintain appropriate technical and organisational measures to ensure the security of personal data ensuring a level of security adequate to the risk involved in processing of entrusted personal data and referred to in Article 32 of the GDPR or other applicable Data Protection Laws, as well as will carry out regular checks to ensure that these measures continue to provide an appropriate level of security and provide information about them on Huuuge’s request.
- without undue delay and adequately cooperate with Huuuge with regard to matters concerning personal data processing under the DPA, including responding to requests received to this extent, as well as notify Huuuge about any proceedings, decision or planned or pending audits or inspections, including administrative or judicial proceedings or decisions, relating to processing carried out by the Supplier as stated in the DPA.
- Huuuge acknowledges and agrees that the Supplier may subcontract the provision of the Services, or its elements, to Subprocessors included in the list provided to Huuuge by the Supplier before commencement of the Services under the Agreement, in accordance with Appendix 3.
- The Supplier will specifically inform Huuuge in electronic form of any intended changes to the list specified in point 4.1 at least 7 days in advance, thereby giving Huuuge sufficient time to be able to object to such changes prior to the engagement of the Subprocessor(s).
- Any engagement of the Subprocessor(s) requires a written contract between the Supplier and the Subprocessor which provides for, in substance, the same data protection obligations as those binding the Supplier under the DPA. The Supplier is fully responsible to Huuuge for the performance of the Subprocessor’s obligations under its contract with the Supplier.
- At the request of Huuuge, the Supplier will provide explanations and current lists of the Subprocessors prepared in accordance with Appendix 3, unless such information is available at the Supplier’s website/platform as provided by the Supplier.
- Audit and Supplier’s obligation to provide information
- The Supplier will allow for and contribute to audits conducted upon prior notice by Huuuge or an auditor mandated by Huuuge with regard to compliance with the DPA or Data Protection Laws, based on reasonable grounds, including if:
- the Supplier has experienced a Security Breach; or
- an audit is requested by a Regulator or other competent governmental organization.
- The Supplier will cooperate with Huuuge during the audit and will reasonably support Huuuge in the audit, in particular by: (i) ensuring access to documents required for such inspection, personal data processing areas and IT systems within which personal data are processed, as well as providing explanations thereto; (ii) allowing for inspection of procedures aimed at assessing the compliance of personal data processing with Data Protection Laws, including procedures concerning security measures; (iii) allowing for interviews with the Supplier’s personnel or contractors involved in personal data processing; (iv) responding to questions and providing all necessary information.
- Each party shall bear their own costs in respect of Huuuge’s audits.
- The Supplier will provide Huuuge with all information necessary to demonstrate compliance with obligations under the DPA or Data Protection Laws.
- Security Breach
- The Supplier will:
- notify Huuuge immediately after having become aware of a Security Breach;
- take appropriate measures to address the Security Breach, including measures to mitigate its adverse effects; and
- cooperate with and assist Huuuge to enable Huuuge to comply with its obligations under Data Protection Laws, in particular to notify the Regulator and the affected data subjects, taking into account the nature of processing and the information available to the Supplier. The Supplier will not make any notification to a Regulator or data subject in respect of any Security Breach unless expressly authorised by Huuuge in electronic form to do so or unless otherwise required by law.
- If a Security Breach for reasons attributable to the Supplier results in an administrative penalty or obligation to pay damages being imposed on Huuuge, the Supplier undertakes to indemnify Huuuge from liability and to refund any related losses and costs incurred.
- Third Country transfer
- The parties acknowledge and agree that the Supplier may process personal data in Third Countries, as well as that personal data may respectively be processed in, transferred to or accessed from Third Countries by the Affiliates and Subprocessors of the Supplier when providing the Services in accordance with the Agreement provided that the specific conditions set out in Data Protection Laws have been fulfilled.
- The Supplier represents and Huuuge agrees that in the event when the personal data are not to be processed exclusively on EEA territory, it will ensure that transfer to Third Countries will be based on an adequacy decision of the European Commission or appropriate safeguards will be in place in accordance with relevant Data Protection Laws. In case there are no other appropriate safeguards or an adequacy decision of the European Commission in place the transfer shall be governed by the SCCs, with respect to the provisions set out below (Restricted Third Country Transfer).
- By entering into the DPA, the Supplier and Huuuge conclude the SCCs by reference with the options and optional modules selected as follows:
- All Sections: Module TWO (Transfer controller to processor)
- Section II, Clause 9(a): OPTION 2, period for informing Huuuge of changes to the list of Subprocessors: at least 7 days
- Section IV, Clause 17: OPTION 1, governing law: the law governing the Agreement, provided that it is law of one of the EU Member States and allows for third-party beneficiary rights, if not, the law of Poland
- Section IV, Clause 18(b): court jurisdiction: as specified in the Agreement, provided that it is the jurisdiction of one of the EU Member States, if not, the court jurisdiction relevant for the seat of Huuuge Games sp. z o. o.
where Huuuge should be deemed a data exporter and the Supplier a data importer.
- In the event of a Restricted Third Country Transfer between Huuuge and the Supplier, Appendix 1 and Appendix 2 to the Addendum will also form part of the SCCs respectively as its Annexes I and II.
- In the event of a Restricted Third Country Transfer between the Supplier and Subprocessors, the Supplier warrants that conditions for such transfer are met, in particular, that SCCs were concluded with the options and optional modules selected as follows:
- All Sections: Module THREE (Transfer processor to processor)
- Section II, Clause 9(a): OPTION 2, period for informing Huuuge of changes to the list of Subprocessors: at least 7 days
- At Huuuge’s request the Supplier will provide explanations and current lists of the Third Countries where personal data are processed by the Supplier or Subprocessors, and the appropriate safeguards for such transfer, unless such information is available at the Supplier’s website/platform as provided by the Supplier.
- Deletion of data and duration of the processing
- If this is determined by the character of the Services, Huuuge may instruct at any time that the Supplier cease processing of certain personal data on Huuuge’s behalf and delete them in order to fulfil data subject rights or to comply with its retention policies, and the Supplier undertakes to comply with it.
- The DPA is concluded for the duration of the Agreement, and termination or expiration of the Agreement shall result in simultaneous termination or expiration of the DPA, with no additional statements of will required to be made by the parties, unless agreed otherwise.
- After the end of the provision of the processing services, the Supplier and Subprocessors will within a maximum of 30 days delete all personal data processed on behalf of Huuuge under this DPA, unless instructed by Huuuge or agreed by the parties otherwise (e.g. when data need to be deleted within another period or returned instead).
- Until the data is deleted or returned, the Supplier shall continue to ensure compliance with the DPA.
- The Supplier is obliged to prove the fact that it deleted the personal data in compliance with this Section and relevant Data Protection Laws at the request of Huuuge.
- Huuuge is entitled to terminate the DPA with immediate effect if:
- the Supplier processes personal data for a purpose or in a manner other than stated in the DPA;
- the Supplier fails to meet obligations under Section 4 (Subprocessors) and Section 7 (Third Country transfer), or any obligations regarding deletion of personal data under this Section 8;
- the Supplier after a notice from Huuuge fails to comply with the Data Protection Laws.
- The parties agree that termination of the DPA in the circumstances listed in point 8.5 shall result in the simultaneous termination of the Agreement on the grounds of fault on the part of the Supplier without the need for any additional statements, unless otherwise contemplated in Huuuge’s notice of termination.
- The persons authorized and responsible for supervising and executing the DPA are the same as under the Agreement.
- To the extent that the Agreement has been entered into by any Supplier’s Affiliate or any Huuuge’s Affiliate, the Supplier and Huuuge respectively hereby represent and warrant that they have been duly and effectively authorised by each such Supplier’s Affiliate or Huuuge’s Affiliate to bind such Supplier’s Affiliate or Huuuge’s Affiliate by entering into the DPA on its behalf, to modify the Agreement on the terms set out in the DPA, and to enforce the provisions of the DPA, including any SCCs entered pursuant to it, and the Agreement on its behalf. In the absence of such authority, the Supplier represents and warrants that it will swiftly arrange for the relevant Supplier Affiliate to become a party to the DPA and will without undue delay notify Huuuge accordingly. The Supplier agrees that Huuuge shall be entitled to enforce the provisions of the DPA, including any SCCs entered pursuant to it, and the Agreement on behalf of any relevant Huuuge Affiliate.
- The Addendum and its Appendixes form an integral part of the Agreement. The appendixes to the Addendum form an integral part of the DPA.
- In the event of a Restricted Third Country Transfer, the Addendum governs the relationship between the parties to the extent not specified in the SCCs and provided that it does not contradict, directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of data subjects. To this extent, in the event of any contradiction between the provisions of the Addendum or the Agreement and the SCCs, the SCCs shall prevail.
- In the event of any inconsistencies between the provisions of the Addendum and other arrangements between the parties, including the Agreement, the provisions of the Addendum shall prevail with regard to the parties’ data protection obligations relating to personal data. The Addendum shall prevail, in particular, where it cannot be clearly established whether a provision relates to a party’s data protection obligations. For the avoidance of any doubts, the Supplier shall be liable for any damage suffered by Huuuge, data subjects or third parties in relation to non-performance or improper performance of the DPA or breach of Data Protection Laws by the Supplier, in particular if made in violation of Data Protection Laws concerning engaging Subprocessors or transferring personal data to Third Countries.
List of appendixes to the Addendum:
- Appendix 1 – Details of processing
- Appendix 2 – Technical and organisational measures including technical and organisational measures to ensure the security of the data
- Appendix 3 – List of Subprocessors
Appendix 1 to the Data Processing Addendum
Annex I to the Standard Contractual Clauses
- LIST OF PARTIES
Data exporter(s): The data exporters are entities identified as Huuuge in the Data Processing Addendum, acting as controllers or joint controllers. Data exporter(s) use the Services provided pursuant to the Agreement.
Data importer(s): The data importers are entities identified as the Supplier in the Data Processing Addendum, acting as processors. They are providers of the Services pursuant to the Agreement.
- DESCRIPTION OF PROCESSING
Categories of data subjects whose personal data is processed
- Huuuge services (games) users/players or prospective users
Categories of personal data processed
- Device identifiers (e.g. device ID, Advertiser ID)
- Information about the device (e.g. operating system and version it uses)
- Information about the internet connection (e.g. IP address)
- Information about the app (e.g. how frequently and for how long players use the app)
- Location-related information (e.g. location of IP address)
- Other data from cookies or similar trackers
- Other data indispensable to provide the Services
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature and purpose of the processing
- The purpose and nature of processing follows directly from and is limited to tasks or Services as specified in the Agreement, and include the operations that are necessary to perform the Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Processing is limited to the duration of the Services provided under the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Processing by Subprocessors is limited to the extent strictly necessary as required by the scope of provided services. The subject matter, nature and duration of the processing are consistent with and do not exceed the subject matter, nature and duration of the processing carried out by the processors.
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
- The supervisory authority identified in accordance with Clause 13 and Huuuge’s country of establishment as specified in the Agreement, provided that it is one of the EU Member States, if not, a Member State in which it has the representative or in which the data subjects whose personal data is transferred in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
Appendix 2 to the Data Processing Addendum
Annex II to the Standard Contractual Clauses
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- The data importer undertakes an analysis of the risks presented by its processing, and uses this to assess the appropriate level of security it needs to put in place.
- When deciding what measures to implement, the data importer takes account of the state of the art and costs of implementation.
- The data importer has an information security policy (or equivalent) and takes steps to make sure the policy is implemented.
- Where necessary, the data importer has additional policies and ensures that controls are in place to enforce them.
- The data importer makes sure that it regularly reviews its information security policies and measures and, where necessary, improves them.
- The data importer has put in place basic technical controls such as those specified by established frameworks like Cyber Essentials (secure its Internet connection, secure its devices and software, control access to its data and services, protect from viruses and other malware, keep its devices and software up to date).
- The data importer puts other technical measures in place depending on its circumstances and the type of personal data it processes.
- The data importer uses encryption and/or pseudonymisation where it is appropriate to do so.
- The data importer understands and applies the requirements of confidentiality, integrity and availability for the personal data it processes.
- The data importer makes sure that it can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
- The data importer conducts regular testing and reviews of its measures to ensure they remain effective, and acts on the results of those tests where they highlight areas for improvement.
- Where appropriate, the data importer implements measures that adhere to an approved code of conduct or certification mechanism.
- The data importer ensures that any data sub-processor it uses also implements appropriate technical and organisational measures.
- The data importer undertakes to provide information on the access to personal data by public authorities (e.g. by enumerating the laws and regulations applicable to the importer or statistics on access by public authorities to personal data), indicate measures to prevent such access and provide information on all requests of access which the importer has received.
- The importer certifies that it has not created back doors or similar programming that could be used to access the data and that it has not facilitated access to the personal data to any government or public authority.
- The data exporter is authorised to conduct audits on data disclosure by the data importer to public authorities. The data importer undertakes to secure that access logs and other similar trails will be tamper proof so that they can be audited by the data exporter.
- The data importer undertakes to inform promptly (before access is granted to the data) the data exporter of its inability to comply with the contractual commitments (e.g. due to changes in the third country’s legislation or practice).
- The data importer undertakes to review the legality of any order to disclose data, and to challenge the order if there are grounds under the law of the country of destination to do so. The importer also undertakes to provide the minimum amount of information permissible when responding to the order. The importer further undertakes that the challenges to the orders will have a suspensive effect under the law of the third country.
- The data importer undertakes to notify the data subjects of a request or order received from public authorities to access the personal data.
- The data importer certifies that it has adopted adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of covert or official requests from public authorities to access the data. Moreover, the data importer developed specific training procedures for personnel in charge of managing requests for access to personal data from public authorities.
- The data importer certifies that it is documenting and recording the request for access received from public authorities and the response provided and that it will make them available to the data exporter and the data subject.
- The data importer regularly publishes transparency reports or summaries regarding governmental requests for access to data.
- The data importer uses already existing organisational requirements under the accountability principle, such as the adoption of strict and granular data access and confidentiality policies and best practices, based on a strict need-to-know principle, monitored with regular audits and enforced through disciplinary measures. Data minimisation measures should be accompanied with technical measures as to ensure that data are not subject to unauthorised access.
- The data exporter developed best practices to appropriately and timely involve and provide access to information to the data protection officer, if existent, and to the legal and internal auditing team on matters related to international transfers of personal data.
- The data importer adopted strict data security and data privacy policies, based on EU certification or codes of conduct or on international standards (e.g. ISO norms) and best practices (e.g. ENISA).
- The data exporter undertakes to regularly review internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
In the event of a Restricted Third Country Transfer to Subprocessors, at least all measures referred to in this Appendix 2 shall be implemented.
Appendix 3 to the Data Processing Addendum
LIST OF SUBPROCESSORS
| | Location of data processing | Purpose of subprocessing |
|---|---|---|