Bet:terReturn (vat.nr 42198412) is a Danish authorized institution under Danish law.
Secure payment.
CS:GO
Soccer
Valorant
ROI
Bet:terReturn is committed to ensuring the protection of your personal data
Data Processing Agreement
between
The Data Controller
Better Return ApS
CVR 42198412
Denmark
and
The Data Provider
The user
Data Processing Agreement preamble
1. This Data Processing Agreementsets out the rights and obligations that apply to the Data Processor’s handling of personal data on behalf of the Data Controller.
2. This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.
3. The Data Processor’s processingof personal data shall take place for the purposes of fulfilment of the Parties’ ‘Master Agreement’.
4. The Data Processing Agreementand the ‘Master Agreement’ shall be interdependent and cannot be terminated separately. The Data Processing Agreement may however – without termination of the ‘Master Agreement’ – be replaced by an alternative valid data processing agreement.
5. This Data Processing Agreementshall take priority over any similar provisions contained in other agreementsbetween the Parties, including the ‘Master Agreement’.
6. Four appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.
7. Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
8. Appendix B ofthe Data Processing Agreement contains the Data Controller’s terms and conditions that apply to the Data Processor’s use of Sub-Processors and a list of Sub-Processors approved by the Data Controller.
9. Appendix C ofthe Data Processing Agreement contains instructions on the processing that the Data Processor is to perform on behalf of the Data Controller (the subject ofthe processing), the minimum security measures that are to be implemented and how inspection with the Data Processor and any Sub-Processors is to be performed.
10. Appendix D ofthe Data Processing Agreement contains the Parties’ provisions for activities that are not contained in this Data Processing Agreement or the Parties’‘Master Agreement’.
11. The Data Processing Agreement and its associated Appendices shall be retained in writing as well as electronically by both Parties.
12. This Data Processing Agreement shall not exempt the Data Processor from obligations to which the Data Processor is subject pursuant to the General Data Protection Regulation or other legislation.
The rights and obligations of the Data Controller
1. The Data Controller shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and the Danish Data Protection Act.
2. The Data Controller shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.
3. The Data Controller shall be responsible for ensuring that the processing that the Data Processor is instructed to perform is authorised in law.
The Data Processor acts according to instructions
1. The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller unless processing is required under EU or Member State law to which the Data Processor is subject; in this case, the Data Processor shall inform the Data Controller of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
2. The Data Processor shall immediately inform the Data Controller if instructionsin the opinion of the Data Processor contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member Statelaw.
Confidentiality
1. The Data Processor shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of the Data Controller. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.
2. Only persons who require access to the personal data in order to fulfil the obligations of the Data Processor to the Data Controller shall be provided with authorisation.
3. The Data Processor shall ensure that persons authorised to process personal data on behalf of the Data Controller have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality.
4. The Data Processor shall at the request of the Data Controller be able to demonstrate that the employees concerned are subject to the above confidentiality.
Security of processing
1. The Data Processor shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriateto the risk.
2. The above obligation means that the Data Processor shall perform a risk assessment and there after implement measures to counter the identified risk. Depending on their relevance, the measures may include the following:
a. Pseudonymisation and encryption of personal data
b. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
c. The ability to restore the availability and access to personal data in a timely manner in the event of a physicalor technical incident.
d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3. The Data Processor shall inensuring the above – in all cases – at a minimum implement the level ofsecurity and the measures specified in Appendix C to this Data Processing Agreement.
4. The Parties’ possibleregulation/agreement on remuneration etc. for the Data Controller’s or the Data Processor’s subsequent requirement for establishing additional security measures shall be specified in the Parties’ ‘Master Agreement’ or in Appendix Dto this Data Processing Agreement.
Use of Sub-Processors
1. The Data Processor shall meet the requirements specified in Article28, sub-section 2 and 4, of the General Data Protection Regulation in order toengage another processor (Sub-Processor).
2. The Data Processor shall therefore not engage another processor(Sub-Processor) for the fulfilment of this Data Processing Agreement withoutthe prior specific or general written consent of the Data Controller.
3. In the event of general written consent, the Data Processor shallinform the Data Controller of any planned changes with regard to additions toor replacement of other data processors and thereby give the Data Controllerthe opportunity to object to such changes.
4. The Data Controller’srequirements for the Data Processor’s engagement of other sub-processors shallbe specified in Appendix B tothis Data Processing Agreement.
5. The Data Controller’s consentto the engagement of specific sub-processors, if applicable, shall be specifiedin AppendixB tothis Data Processing Agreement.
6. When the Data Processor has the Data Controller’s authorisation touse a sub-processor, the Data Processor shall ensure that the Sub-Processor issubject to the same data protection obligations as those specified in this DataProcessing Agreement on the basis of a contract or other legal document underEU law or the national law of the Member States, in particular providing thenecessary guarantees that the Sub-Processor will implement the appropriatetechnical and organisational measures in such a way that the processing meetsthe requirements of the General Data Protection Regulation. The Data Processor shall therefore be responsible – on the basis ofa sub-processor agreement – for requiring that the sub-processor at leastcomply with the obligations to which the Data Processor is subject pursuant tothe requirements of the General Data Protection Regulation and this DataProcessing Agreement and its associated Appendices.
7. A copy of such a sub-processoragreement and subsequent amendments shall – at the Data Controller’s request –be submitted to the Data Controller who will thereby have the opportunity toensure that a valid agreement has been entered into between the Data Processorand the Sub-Processor. Commercial terms and conditions, such as pricing, thatdo not affect the legal data protection content of the sub-processor agreement,shall not require submission to the Data Controller.
8. The Data Processor shall in hisagreement with the Sub-Processor include the Data Controller as a third partyin the event of the bankruptcy of the Data Processor to enable the DataController to assume the Data Processor’s rights and invoke these as regardsthe Sub-Processor, e.g. so that the Data Controller is able to instruct theSub-Processor to perform the erasure or return of data.
9. If the Sub-Processor does not fulfil his data protectionobligations, the Data Processor shall remain fully liable to the DataController as regards the fulfilment of the obligations of theSub-Processor.
Transfer of data to third countries or international organisations
1. The Data Processor shall solely be permitted to process personal data on documented instructions from the Data Controller, including as regards transfer (assignment, disclosure and internal use) of personal data to third countries or international organisations, unless processing is required under EU or MemberState law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.
2. Without the instructions or approval of the Data Controller, the Data Processor therefore cannot – within the framework of this Data Processing Agreement:
a. disclose personal data to adata controller in a third country or in an international organisation
b. assign the processing of personal data to a sub-processor in a third country
c. have the data processed in another of the Data Processor’s divisions which is located in a third country
3. The Data Controller’s instructions or approval of the transfer of personal data to a third country, if applicable, shall be set out in Appendix C to this Data Processing Agreement.
Assistanceto the Data Controller
1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. notification obligation when collecting personal data from the data subject
b. notification obligation if personal data have not been obtained from the data subject
c. right of access by the data subject
d. the right to rectification
e. the right to erasure (‘theright to be forgotten’)
f. the right to restrict processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right to object to the result of automated individual decision-making, including profiling
2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 ofthe General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28,sub-section 3, para f. This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
b. the obligation to report personal data breaches to the supervisory authority (Danish Data ProtectionAgency) without undue delay and, if possible, within 72 hours of the DataController discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
c. the obligation – without undue delay – to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
d. the obligation to carry out adata protection impact assessment if a type of processing is likely to resultin a high risk to the rights and freedoms of natural persons
e. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processingif a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk
3. The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s assistance to the Data Controller shall be specified in the Parties’ ‘Master Agreement’ orin Appendix D to this Data Processing Agreement.
Notification of personal data breach
1. On discovery of personal databreach at the Data Processor’s facilities or a sub-processor’s facilities, theData Processor shall without undue delay notify the Data Controller. The Data Processor’s notification to the Data Controller shall, ifpossible, take place within 48 hours after the Data Processor has discoveredthe breach to enable the Data Controller to comply with his obligation, ifapplicable, to report the breach to the supervisory authority within 72hours.
2. According to Clause 9.2., parab, of this Data Processing Agreement, the Data Processor shall – taking intoaccount the nature of the processing and the data available – assist the DataController in the reporting of the breach to the supervisory authority. This may mean that the Data Processor is required to assist inobtaining the information listed below which, pursuant to Article 33,sub-section 3, of the General Data Protection Regulation, shall be stated inth Data Controller’s report to the supervisory authority:
a. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
b. Probable consequences of apersonal data breach
c. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage.
Erasure andreturn of data
1. On termination of the processing services, the Data Processor shallbe under obligation, at the Data Controller’s discretion, to erase or returnall the personal data to the Data Controller and to erase existing copiesunless EU law or Member State law requires storage of the personal data.
Inspection and audit
1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and this Data Processing Agreement, and allow for and contribute to audits, including inspections performed by the Data Controller or another auditor mandated by the Data Controller.
2. The procedures applicable to the Data Controller’s inspection of the Data Processor are specified in Appendix C to this Data Processing Agreement.
3. The Data Controller’s inspection of sub-processors, if applicable, shall as a rule be performed through the Data Processor. The procedures for such inspection are specified in Appendix C to this Data Processing Agreement.
4. The Data Processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the Data Controller’s and Data Processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the Data Processor’s physical facilities on presentation of appropriate identification.
The Parties’agreement on other terms
1. (Separate) terms relating tothe consequences of the Parties’ breach of this Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.
2. Regulation of other terms betweenthe Parties shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing Agreement.
Commencement and termination
1. This Data Processing Agreement shall become effective on the date of both Parties’ signature to the Agreement.
2. Both Parties shall be entitledto require this Data Processing Agreement renegotiated if changes to the law orinexpediency of the provisions contained herein should give rise to suchrenegotiation.
3. The Parties’ agreement on remuneration, terms etc. in connection with a mendments to this Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Agreement’or in Appendix D to this Data Processing Agreement.
4. This Data Processing Agreementmay be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the ‘Master Agreement’.
5. This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the ‘Master Agreement’ and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination ofthe processing and the erasure of the data by the Data Processor and anysub-processors.
7 Data Controller and Data Processor contacts/contact points
1. The Parties may contact each other using the following contacts/contact points:
2. The Parties shall be under obligation continuously to inform each other of changes to
contacts/contactpoints.
Appendix A Information about the processing
The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is: that the Data Controller is able to use the system which is owned and managed by the Data Processor to collect and process data about the Data Controller’s members.”
The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing): that the Data Processor makes available system X to the Data Controller and here by stores personal data about the Data Controller’s members on the company servers.
The processing includes the following types of personal data about data subjects: Name, e-mail address, telephone number, address, national identification number, payment details, membership number, type of membership, and any future necessary private information, required to provide the agreed service.
Processing includes the following categories of data subject:Persons who have or have purchased membership from the Data Controller.
The Data Processor’s processing of personal data onbehalf of the Data Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:
Processing shallnot be time-limited and shall be performed until this Data Processing Agreementis terminated or cancelled by one of the Parties.
Appendix B Instructionpertaining to the use of personal data
B.1 The subject of/instruction for the processingThe Data Processor’s processing of personal data on behalf of the Data Controller shall be carried out by the Data Processor performing the following: The Master Agreement is applicable.
B.2 Security of processingThe level of security shall reflect: That the processing involves a large volume of personal data which are subject to Article 9 of the General Data Protection Regulation on ‘special categories of personal data’ which is why a ‘high’ level of security should be established. The Data Processor shall here after be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
B.3 Storage period/erasure procedures Personal data are stored with the Data Processor until the Data Controller requests that the data are erased or returned.
Bet:terReturn (vat.nr 42198412) is a Danish authorized institution under Danish law.
Secure payment.
CS:GO
Soccer
Valorant
ROI