Kadermanager Data Processing Addendum (DPA)

May 2018

1. Introduction
   1. This addendum applies to processing personal data on behalf of a Data Controller (e.g. a sports club or registered association) by Kadermanager.de ("Data Processor").
   2. Data Processor complies with the applicable data protection and privacy legislation (the "Applicable Law"), including in particular the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
2. Processing of personal data
   1. In connection with the Data Processor’s delivery of services, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
   2. The Data Processor only performs processing activities that are necessary and relevant to perform its services.
   3. The categories and types of personal data processed by the Data Processor on behalf of the Data Controller are listed on the Data Processor’s terms of use.
3. Data confidentiality and security
   1. The Data Processor shall treat all the Personal Data as strictly confidential information.
   2. The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this DPA with strict confidentiality.
   3. Personal Data will only be made available to employees that require access to such Personal Data for the delivery of services.
   4. The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.
   5. Data Processor may use sub-processors to deliver the service.
4. Data controller support
   1. If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller to fulfill the Data Controller's obligations.
   2. Ordinarily, the Data Controller will self-service to fulfill its obligations. The service provides tools for both the Data Controller and data subjects to list, modify, and delete their data.
   3. If further assistance is required, the Data Controller shall remunerate the Data Processor based on time spent based on an hourly rate.
5. Duration and termination
   1. The DPA shall remain in force as long as the Data Controller uses the service or their data are deleted from the service.
   2. Following expiration or termination of the DPA, the Data Processor will delete the Data Controller's Personal Data in its possession except to the extent the Data Processor is required by Applicable law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.