DPA(數據處理附錄)
譯名
以下中文內容是根據Exit Games公司原英文條款的內容所翻譯的。
如有爭議時,以本網頁下半部中的 英文版 為準。
如有爭議時,以本網頁下半部中的 英文版 為準。
資料處理補充文件 Exit Games, Inc.,一家在美國德拉瓦州註冊之公司,主要營業地點位於 111 SW 5th Ave. STE 3150, Portland OR 97204, USA(以下簡稱Exit Games),與同意本條款之協議對象(以下簡稱:客戶)已同意主要協議、Exit Games 之使用條款(https://dashboard.photonengine.com/en-US/Account/LicenseTerms)或其他Exit Games提供之網路引擎與多人遊戲平台(以下統稱:本系列服務)之書面或電子協議(以下簡稱:主要協議)。本資料處理補充文件及其附件(Data Processing Addendum, including its Annexes,以下簡稱:本DPA)構成主要協議之一部分。 本文中,Exit Games 與客戶都可被稱為「一方」,並合稱為「雙方」。 本DPA將自客戶點擊接受,或雙方以其他方式同意本DPA之日起生效,並取代先前有關其權利或義務主張之任何適用條款(包括有關本系列服務之任何資料處理協議或補充文件)。 若您代表客戶接受本 DPA,則您保證:(a) 您具有使客戶受本DPA約束之全部合法權力;(b) 您已閱讀並理解本 DPA;(c) 您同意代表客戶接受本DPA。若您不具有使客戶受本DPA約束之全部合法權力,請勿接受本 DPA。 締約背景: (A) 關於本系列服務,雙方已預期Exit Games可能會於歐洲經濟區以外地點處理某些「個資」,依據適用之歐盟資料保護法或英國資料保護法,客戶或客戶集團任何成員可能為此類個資之「控制者」。 (B) 雙方已同意簽訂本DPA,以確保於適用範圍內,依據歐盟資料保護法、英國資料保護法與其他適用資料保護法律之要求,針對此類「個資」保護已採取充分保障措施。 1. 定義 1.1 本DPA中,下列名詞意涵應如以下說明,同源詞應受到相應解釋: (a) 「適當國家或地區」是指被公認為已提供充分「個資」保護水準之國家或地區,其個資保護決策是由以下兩者制定(如適用):(i) 資訊委員辦公室和/或適用之英國法律,(包括英國GDPR,一般資料保護規則)。(ii) 準用歐盟GDPR之歐盟委員會。 (b) 就其中一方而言,「相關機構」是指直接、間接控制該方、受該方控制或該方共同控制之任何公司實體(但僅限於存在此類控制之情況下)。 (c) 「客戶團體」是指客戶,以及直接或間接控制客戶、受客戶控制或與客戶共同受控制,且與本DPA有關之任何實體,其中「控制」是指具有權力(直接或間接)任命或罷免該實體之大多數董事,包括相關機構。 (d) 「資料保護法律」是指 (i) 依據主要協議,適用於處理「個資」之歐盟、歐洲經濟區及其成員國之所有法規,包括(如適用)一般資料保護規則(「歐洲議會與理事會2016年4月27日的 (EU) 2016/679規則」(Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016),關於處理「個資」及其自由流通方面,對於自然人之保護(即「歐盟 GDPR」)),或 (ii) 依據主要協議處,所有適用於處理「個資」之英國法規,包括英國「一般資料保護法2016/679」(UK General Data Protection Regulation 2016/679)、「2019年隱私與電子通訊(及修正案等)(脫歐)」(Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019),以及 「2018 年資料保護法」(Data Protection Act 2018)(即「英國 GDPR」)。 (e) 「資料主體請求」是指資料主體或其代表提出之請求,以依據資料保護法行使有關其「個資」之權利。 (f) 「EEA」指歐洲經濟區。 (g) 「歐盟條款」是指依「歐盟委員會2021年6月4日第2021/914號決議」(European Commission's Decision 2021/914 of 4 June 2021,網址為 http://data.europa.eu/eli/dec_impl /2021/914/oj)規定,將「個資」國際傳輸至第三國之標準合約條款,其中將「控制者」傳輸至「處理者」 之模組二納入,並依據附錄2構成本DPA之一部分。(h) 「Exit Games集團」是指 Exit Games 及其任何相關公司。 (i) 「個資」是指 Exit Games 依據本DPA與資料保護法之定義,代表客戶處理之客戶個資。依據本DPA第 2.1 節,這可能包括客戶集團公司之「個資」。 (j) 「受限傳輸」是指:(i) 將「個資」從任何客戶集團公司傳輸至 Exit Games;(ii) 將個資從 Exit Games 轉傳給 Exit Games 之委外廠商。於此兩種情況中,若接收「個資」傳輸之一方並非處於歐洲經濟區範圍內,此類傳輸將被歐盟或英國之一般資料保護規則禁止。 (k) 「安全漏洞」是指 Exit Games任何員工、委外廠商或任何其他已辨認或未被辨認之第三方違反安全之作為或不作為,而導致「個資」意外或非法遭破壞、遺失、更改、未經授權揭露或存取。 (l) 「監督機關」在英國是指英國資訊委員辦公室(Information Commissioner's Office,ICO)(以及適用之國務大臣或政府)。在歐盟是指依一般資料保護規則設立之獨立公共機關。 (m) 「UK」指英國。 (n) 「英國批准之補充文件」是指由英國資訊委員辦公室發佈之模板補充文件 B.1.0 2022,依英國「 2018年資料保護法」第119A條,該法規於2022年2月2日提交給議會,並於3月21日生效。 (o) 「英國強制性條款」是指「英國批准之補充文件」之強制性條款,不定時更新或由資訊委員辦公室發佈之最新版本取代。 1.2 下列情況時,視為某實體「控制」另一實體:(a) 某實體持有另一實體之多數表決權。(b) 某實體為另一實體成員或股東,並有權罷免其董事會或同等管理機構之多數成員。(c) 某實體為另一實體成員或股東,並單獨或依據與其他股東或成員之協議控制其大多數表決權。(d) 依據其章程文件或合約,某實體有權對另一實體其施以支配性影響。或若兩個實體中之任何一個(直接或間接)控制另一實體,或兩者都由同一實體(直接或間接)控制,則兩個實體被視為處於「共同控制」之下。 1.3 名詞「控制者」、「資料主體」、「處理者」與「委外廠商」具有資料保護法賦予它們之含義。 1.4 本DPA中未定義之任何已定義名詞均於主要協議中定義。 2. 角色與遵守資料保護法 2.1 客戶是「個資」之「控制者」,Exit Games是「個資」之「處理者」,其中每一方於處理「個資」時,將遵守(並促使其任何人員遵守並採取商業上合理之行動來促使其委外廠商遵守)適用於該方之資料保護法。於雙方之間,客戶應對「個資」之正確性、品質與合法性以及取得「個資」之方式承擔全部責任。 2.2 為避免疑義,客戶以外之客戶集團公司現在與未來都不會成為主要協議之一方,且於符合以下規定之前提下,僅為本DPA之一方。 2.3 本DPA不影響雙方於主要協議下之實體權利與義務,主要協議將持續具有完全效力。若本DPA與主要協議之條款間相互牴觸,只要標的物牽涉「個資」處理,則以本DPA之條款為準。 3. 處理說明 3.1 標的物、處理之性質與目的、持續時間、「個資」類型與「資料主體」類別如附錄2之附件一所述。 3.2 作為「處理者」,Exit Games 將僅於以下兩種情況處理「個資」: (i) 為按照主要協議約定向客戶提供本系列服務。(ii) 按照客戶書面或電子郵件指示。若適用法律要求除按照客戶之指示處理「個資」外,Exit Games 將通知客戶(除非適用法律禁止)。若 Exit Games 察覺客戶提供之指示違反適用之資料保護法,將儘快以合理可行方式通知客戶。主要協議終止後,除非法律要求繼續儲存「個資」之副本,否則將依據客戶之書面請求,返還或刪除「個資」。 4. 技術與組織安全措施 4.1 Exit Games 負責實施與維護商業上合理與適當之技術、實體與組織保護措施,以針對Exit Games依據主要協議,為使用Exit Games服務之客戶而維護與存取之「個資」,確保其機密性、可用性與完整性。當此類個資被Exit Games 擁有、保管或控制時,Exit Games對於保護此類個資之安全措施應包括本DPA附錄2附件二中所述之措施。Exit Games可能單方面決定修改或更新這些措施,前提是不會因此而損害針對此類「個資」之保護。 4.2 Exit Games將採取合理措施以確保只有授權人員才能存取「個資」,且授權存取「個資」之任何人員均負保密義務。 4.3 在「個資」由客戶擁有、保管或控制期間(包括個資正透過網際網路或其他第三方網路傳輸時),客戶應對個資之安全負責。為進一步履行其安全義務,客戶同意採用所有必要之實體、管理與技術安全措施,以達成下列四點:(i) 保護自己及所授權人員之所有存取憑證。(ii) 保護客戶之資訊科技基礎設施,包括電腦、軟體、資料庫、電子系統(包括資料庫管理系統)與網路,無論是由客戶直接操作還是透過使用第三方服務(即 「客戶系統」)。(iii) 防止任何未經授權,或是直接或間接透過客戶系統或其授權人員存取憑證,對本系列服務的存取或使用。(iv) 當個資傳輸至 Exit Games 期間(包括資料上傳或以其他方式提供給 Exit Games 進行處理時),保護所有個資之機密性、完整性與可用性。 4.4 客戶應負全責單獨確定Exit Games之安全措施是否依照適用法規,以符合客戶要求與資料保護義務。若考量技術發展現狀、實施成本、個資處理之性質、範圍、背景與目的,以及個人面臨之風險,則客戶應確認並同意Exit Games 維護與實施之安全措施與方針符合適用於「個資」相關風險之安全等級。 5. 委外處理與查核 5.1 客戶授權Exit Games依據本節指定委外廠商(並允許委外廠商指定額外之委外廠商)。客戶特此授權並指示「處理者」聘用「委外廠商名單」中所列出者 (網址為https://download.photonengine.com/subprocessors)。委外廠商名單可能會不時更新,並應包括目前所有委外廠商之名稱與位置,及其所進行處理之簡要說明。客戶應確認並同意 Exit Games 得聘用額外委外廠商。對於新任或取代之委外廠商,若客戶有合理之反對理由,則應於通知後15天內以書面形式通知 Exit Games,雙方應抱持誠意尋求解決此疑義。若客戶不認為委外廠商符合安全與隱私保護標準,則其中一方可於上述15天期限內終止主要協議,以作為其唯一之補救措施。 5.2 Exit Games 將與每一委外廠商簽訂書面合約,該合約中,這些委外廠商所承擔之「個資」保護責任不亞於本DPA中Exit Games所承擔之「個資」保護責任 (相關條款2)。除非資料保護法或任何其他適用法律另有要求,若此類委外廠商違反第 13.3 節中規定之任何相關條款,Exit Games應向客戶負法律責任。 5.3 依據主要協議中規定之保密義務,Exit Games於客戶要求時,應及時提供資訊給客戶,闡明有關Exit Games遵守本DPA中規定之義務,資訊可能包括以下項目:(i) 對合理資訊安全相關問卷之答覆。(ii) 盡可能提供第三方認證與合規審核相關之執行摘要副本。(iii) Exit Games與資料保護與安全相關之營運實施摘要。若客戶認定依照上述方法提供之資訊不充分,則可聯繫Exit Games,以於 Exit Games指定設施,針對保護客戶「個資」之相關程序,安排現場查核。客戶應依照此類現場查核所花費之時間與Exit Games當時之專業服務費率補償 Exit Games,該費率應依客戶要求提供給客戶。此類現場查核開始之前,客戶與 Exit Games應就查核範圍、時間點與持續時間達成共識。針對查核過程中發現之任何不合規情況,客戶應立即通知Exit Games相關資訊。為清楚起見,下文述及之查核不適用於對Exit Games委外廠商之查核。此類查核於要求之範圍內受資料保護法之約束。 6. 安全漏洞、「資料主體請求」與進一步協助 6.1 Exit Games應於發現安全漏洞後48小時內通知客戶,不得無故拖延。 6.2於法律允許之範圍內,若Exit Games收到「資料主體請求」,將立即通知客戶。若客戶同意Exit Games可自行決定是否回應以確認此類請求是否與客戶有關,則Exit Games不會回應「資料主體請求」。客戶應確認並同意,本系列服務可能包含之功能為:讓客戶直接透過本系列服務管理「資料主體請求」,而無需 Exit Games 之額外協助。若客戶並無處理「資料主體請求」之能力,Exit Games 將依客戶之書面請求提供合理之協助,前提是此類協助符合資料保護法之範圍,以促成客戶對「資料主體請求」之回應。 6.3 考量到處理性質與 Exit Games 可用之資訊,Exit Games 將依客戶合理要求,而協助客戶履行以下各項關於資料保護法規定之義務:(i) 資料保護影響評估;(ii) 為因應安全漏洞,依資料保護法向監督機關通報,或經由客戶與資料主體溝通;(iii) 客戶遵守歐盟或英國之一般資料保護規則規定之義務(若適用),此係針對有關安全之處理。 6.4 客戶可能合理要求Exit Games證明其遵守資料保護法所規定「處理者」於處理「個資」之義務,此時Exit Games 應就自己擁有或控制之此類相關資訊提供給客戶。 7. 國際傳輸 7.1 客戶應同意使用本系列服務時,可能涉及將「個資」傳輸至不同國家或地區,並於這些國家或地區處理「個資」,包括Exit Games所在之國家或地區,以及位於歐洲經濟區以外,被視為不適當之國家或地區。 7.2 英國傳輸: 7.2.1 若「個資」被傳輸至Exit Games, 並由英國以外之Exit Games或代表 Exit Games之單位處理,且此單位並非位於適當之國家或地區,而英國一般資料保護規則因無此傳輸機制而禁止此類傳輸,則雙方應同意受英國批准之補充文件約束之歐盟條款將適用。英國批准之補充文件已納入本DPA。 7.2.2 附錄1引用了表1至4所需之資訊,包括英國批准之補充文件。 7.3 歐盟傳輸: 7.3.1 若「個資」被傳輸至Exit Games,並由歐洲經濟區以外之Exit Games或代表Exit Games之單位處理,且此單位並非位於適當之國家或地區,而歐盟一般資料保護規則因無此傳輸機制而禁止此類傳輸,則雙方應同意歐盟條款將適用於該處理,並依據附錄2已納入本DPA。 7.3.2 附錄2之附件包含歐盟條款要求之資訊。 7.4 若歐盟條款或英國批准之補充文件與本DPA之間存在不一致,則依據第7.2或7.3節,若適用時,應以歐盟條款或英國批准之補充文件(視情況而定)為準。若客戶主張歐盟條款或英國批准之補充文件中之權利不利於Exit Games,Exit Games可就因此而產生之服務收取合理費用。 7.5 若客戶主張歐盟條款或英國批准之補充文件中之權利不利於Exit Games,Exit Games可就因此而產生之服務收取合理費用。 7.6 Exit Games可進行下列事項:(i) 依照適用之資料保護法,以任何替代傳輸機制替換歐盟條款或英國批准之補充文件(一般性或關於歐洲經濟區或英國---依情況而定),包括不定時批准之進一步或替代標準合約條款。(ii) 如適用時,藉由通知客戶新傳輸機制或新標準合約條款之內容,以合理進行本DPA之必要更改(前提為其內容符合相關決定或許可)。 8. 加州消費者隱私權法 8.1本DPA第8節中規定之條款僅適用於:(i) Exit Games代表客戶處理加州消費者之「個資」。(ii) 經2020年加州隱私權法(California Privacy Rights Act of 2020)修訂之加州消費者隱私權法(California Consumer Privacy Act,即CCPA)於進行此類處理時適用於客戶。 8.2 除了本DPA或主要協議中單獨定義之當事人與協議參考(例如,對「客戶」與「主要協議」的參考)以外,或是本DPA在本節中之大寫名詞,應具備加州消費者隱私權法及其條例所賦予之含義。 8.3 若加州消費者隱私權法適用於客戶,並且Exit Games代表客戶處理「個資」,則表示客戶應為一家企業,而Exit Games應為處理此類「個資」之服務提供者。 8.4 雙方應同意遵守各自於加州消費者隱私權法及其條例下之義務。Exit Games 將遵守 CCPA 及其條例所有適用部分規定之義務,並對於客戶根據CCPA及其條例所提出之要求而收集的「個資」,提供與主要協議相同等級的隱私保護(例如,與客戶合作以回應並遵守消費者依加州消費者隱私權法提出之要求,以及依據加州民法典(California Civil Code)第 1798.81.5 節,實施適合「個資」性質之合理安全程序與做法,以保護「個資」免遭未經授權或非法存取、破壞、使用、修改或揭露)。 8.5 Exit Games依據主要協議處理「個資」之有限與指定商業目的包括:(i) 於合理必要且符合比例原則地使用「個資」之範圍內,協助確保安全性與完整性。(ii) 進行除錯,以對危害現有預期功能之錯誤加以辨識與修復。(iii) 代表客戶屢行本系列服務及相關支援服務,包括維護帳號、提供客戶服務、提供儲存或代表客戶提供類似服務。(iv) 為了技術開發與示範,進行內部研究。(v) 對於由客戶控制之服務,進行驗證或維護其品質與安全。客戶僅會因有限與指定之目的(即本條款中陳述之有限與指定之商業目的)而揭露「個資」以供Exit Games使用。 8.6 除本DPA或主要協議中規定之商業目的以外,Exit Games不會保留、使用或揭露其依據主要協議收集之「個資」,此處所指之商業目的應包括:(i) 於合理必要且符合比例原則地使用「個資」之範圍內,協助確保安全性與完整性;(ii) 進行除錯,以對危害現有預期功能之錯誤加以辨識與修復;(iii) 代表客戶屢行本系列服務及相關支援服務,包括維護帳號、提供客戶服務、提供儲存或代表客戶提供類似服務;(iv) 為了技術開發與示範,進行內部研究;(v) 對於由客戶控制之服務,進行驗證或維護其品質與安全;(vi) 加州消費者隱私權法及其條例允許之其他活動。除本DPA、主要協議中指定之商業目的或加州消費者隱私權法及其條例允許之其他商業目的以外,此禁令延伸適用於因其他商業目的而對「個資」進行的保留、使用或揭露。 8.7 針對客戶與Exit Games之間直接業務關係以外範圍,除非加州消費者隱私權法及其條例明確允許,Exit Games不會於保留、使用或揭露其依據主要協議收集之「個資」。 8.8 除非為了履行加州消費者隱私權法及其條例所明確允許之商業目的而結合「個資」,Exit Games不會合併或更新「個資」,無論其來源為Exit Games依據主要協議所收集,或是從客戶處或代表客戶處收到之「個資」,而此「個資」為該客戶從其他人或代表其他人及來源所收到的,或因該客戶與消費者之互動而收到的。然而,若消費者已選擇退出銷售或分享「個資」,而這些「個資」來源,是Exit Games 透過或代表擁有Exit Games透過或代表其他人與消費者互動所獲得之「個資」的客戶,則不會合併此等「個資」。 8.9 Exit Games遵守加州消費者隱私權法所定義之此類條款,而不會出售或分享其依據主要協議收集之「個資」。 8.10 針對Exit Games依據主要協議收集之「個資」,Exit Games 將協助客戶遵守消費者依據加州消費者隱私權法提出之要求。 8.11 客戶可採取合理與適當之步驟來協助確保Exit Games使用「個資」之方式符合加州消費者隱私權法及其條例對客戶所賦予之義務,且流程如本DPA第5.3節所規定,此等「個資」為Exit Games依據主要協議所收集,或由客戶傳輸給Exit Games。 8.12 若Exit Games確定其無法再履行加州消費者隱私權法及其條例所規定之義務,將通知客戶此確定事項。 8.13 於客戶收到Exit Games通知,表示其無法再履行加州消費者隱私權法之義務,或客戶通知Exit Games自己將採取措施來終止與補救任何「個資」之未經授權使用後,客戶有權採取合理與適當之措施來終止與補救任何未經授權之「個資」使用。 8.14 針對加州消費者隱私權法之任何修改、修正或更新,雙方將抱持誠信合作,增補或修改合約條款,包括任何適用之監管或自律指導方針。 9. 維吉尼亞州消費者資料保護法 9.1 本DPA第9節中規定之條款僅適用於:(i) Exit Games代表客戶處理維吉尼亞州消費者之「個資」;(ii) 進行此類處理時,維吉尼亞州消費者資料保護法(VCDPA)適用於客戶。 9.2 除DPA中單獨定義之當事人與協議參考(例如,對「客戶」與「主要協議」參考)外,本DPA本節中之大寫名詞應具有維吉尼亞州消費者資料保護法所賦予之含義。 9.3 若維吉尼亞州消費者資料保護法適用於客戶,且Exit Games代表客戶處理「個資」,則客戶應是「控制者」,Exit Games應是處理此類「個資」之「處理者」。 9.4 雙方同意遵守維吉尼亞州消費者資料保護法、主要協議、本DPA以及雙方簽訂之任何其他協議規定之各別義務。此外,每一方應同意尊重另一方於維吉尼亞州消費者資料保護法、主要協議、本DPA以及雙方簽訂之任何其他協議項下之權利。 9.5 Exit Games同意遵守客戶之處理指示。 9.6 針對Exit Games代表客戶處理之維吉尼亞州消費者「個資」,Exit Games同意協助客戶履行維吉尼亞州消費者資料保護法規定之義務。此類協助應包括:(i) 於合理可行之範圍內(考量到處理性質與Exit Games可使用之資訊),藉由Exit Games實施適當之技術與組織措施,協助客戶履行其回應消費者權利請求之義務;(ii) 關於處理「個資」之安全性,以及Exit Games安全系統違規通知,Exit Games應協助客戶履行其義務(考量到處理性質與Exit Games可使用之資訊);(iii) 關於Exit Games依照DPA第5.3節中規定之措施所處理之維吉尼亞州消費者「個資」,Exit Games須提供必要之資訊,使客戶能進行並記錄資料保護評估。 9.7 本DPA附錄2之附件一敘述了正在處理之「個資」類型、此類處理之持續時間、性質與目的。此類「個資」處理之指示則如同主要協議中所述。 9.8 Exit Games將確保每一「個資」處理者均對此類「個資」負有保密義務。 9.9 依據客戶之合理要求,Exit Games將提供給客戶其所擁有之全部必要資訊,以證明Exit Game有依照本DPA第5.3節規定之流程遵守 VCDPA 規定之義務。 9.10 Exit Games 將依據書面合約聘用其所有外包商,而該合約要求外包商履行 Exit Games關於「個資」之義務。此類合約不得免除雙方於VCDPA下各別負擔的責任。 9.11 Exit Games將允許並配合客戶或客戶指定之評估員,以依照本DPA第5.3 節中規定之流程進行合理評估。 9.12 依據客戶之指示,Exit Games將於服務結束時,依要求刪除所有「個資」或將其返還給客戶,除非法律要求須保留這些「個資」。 9.13 針對VCDPA之任何修改、修正或更新,雙方將抱持誠意合作,增補或修改合約條款,包括任何適用之監管或自律指導方針。 10. 科羅拉多州隱私權法 10.1 本DPA第10節中規定之條款僅適用於:(i) Exit Games 代表客戶處理科羅拉多州消費者之「個資」;(ii) 進行此類處理時,科羅拉多州隱私權法(Colorado Privacy Act,CPA)適用於客戶。 10.2 除本DPA中單獨定義之當事人與協議參考(例如,對「客戶」與「主要協議」參考)以外,本DPA在本節中之大寫名詞應具有科羅拉多州隱私權法及其條例所賦予之含義。 10.3 若科羅拉多州隱私權法適用於客戶,且Exit Games代表客戶處理「個資」,則客戶應為「控制者」,Exit Games應為處理此類「個資」之「處理者」。 10.4 雙方同意遵守依照科羅拉多州隱私權法、主要協議、本DPA以及雙方簽訂之任何其他協議之各別義務。此外,每一方同意尊重另一方於 CPA、主要協議、本DPA以及雙方簽訂之任何其他協議下之權利。 10.5 本DPA附錄2之附件一與主要協議中敘述了正在處理之「個資」類型、此類處理之持續時間以及處理指示(包括其性質與目的)。 10.6 Exit Games 將確保每一「個資」處理者均對此類「個資」負有保密義務。 10.7 提供客戶提出反對的機會後,Exit Games將依照符合科羅拉多州隱私權法之書面合約聘用其每一外包商,以要求其履行 Exit Games 關於「個資」之義務。 10.8 一旦客戶要求,Exit Games 將依據本DPA第5.3條規定之流程,向客戶提供所有必要資訊,以證明Exit Games遵守科羅拉多州隱私權法。 10.9 Exit Games將允許並協助客戶或其指定之查核員透過DPA第5.3節中規定之流程,進行合理之查核與檢查。 10.10 依據客戶之選擇,Exit Games將於主要協議中所述之服務提供結束時,依據客戶之要求刪除所有「個資」或將其返還給客戶,除非法律要求保留這些「個資」。 10.11 針對科羅拉多州隱私權法之任何修改、修正或更新,雙方將抱持誠意合作,增補或修改合約條款,包括任何適用之監管或自律指導方針。 11. 康乃狄克州資料隱私法 11.1 本DPA第11節中規定之條款僅適用於:(i) Exit Games代表客戶處理康乃狄克州消費者之「個資」。(ii) 進行此類處理時,康乃狄克州資料隱私法(Connecticut Data Privacy Act,CTDPA)適用於客戶。 11.2 除本DPA 中單獨定義之當事人與協議參考(例如,對「客戶」與「主要協議」參考)以外,本DPA 第 11 條中之大寫名詞應具有康乃狄克州資料隱私法所賦予之含義。 11.3 若康乃狄克州資料隱私法適用於客戶,且 Exit Games 代表客戶處理「個資」,則客戶應為「控制者」,Exit Games 應為處理此類「個資」之「處理者」。 11.4 雙方同意遵守康乃狄克州資料隱私法、主要協議、本DPA以及雙方簽訂之任何其他協議中之各別義務。此外,每一方應同意尊重另一方依據康乃狄克州資料隱私法、主要協議、本DPA以及雙方簽訂之任何其他協議之權利。 11.5 Exit Games同意遵守客戶之處理指示。 11.6 針對Exit Games代表客戶處理之康乃狄克州消費者「個資」,Exit Games 同意協助客戶履行康乃狄克州資料隱私法所規定之義務。此類協助應包括:(i) 於合理可行之範圍內(考量到處理性質與 Exit Games 可使用之資訊),藉由Exit Games實施適當之技術與組織措施,協助客戶履行其回應消費者權利請求之義務;(ii) 協助客戶履行其「個資」安全性義務,以及通知Exit Games安全系統漏洞之義務(考量到處理性質與 Exit Games 可使用之資訊);(iii) 關於Exit Games依照本DPA第5. 節中規定之措施所處理之消費者「個資」,Exit Games須提供必要之資訊,使客戶能進行並記錄資料保護評估。 11.7 本DPA附錄2之附件一中敘述了正在處理之「個資」類型、此類處理之持續時間、性質與目的。此類「個資」處理之指示如主要協議中所述。 11.8 Exit Games將確保每一「個資」處理者均對「個資」負有保密義務。 11.9 依據客戶之合理要求,Exit Games 將依本DPA第5.3條規定之流程,向客戶提供其擁有之所有必要資訊,以證明 Exit Game 遵守康乃狄克州資料隱私法。 11.10 提供客戶提出反對的機會後,Exit Games將依照書面合約聘用其每一外包商,以要求其履行Exit Games關於「個資」之義務。 11.11 Exit Games將允許並配合客戶或客戶指定之評估員,以依照本DPA第5.3節中規定之流程進行合理評估。 11.12依據客戶之指示,Exit Games將於服務結束時,依要求刪除所有「個資」或將其返還給客戶,除非法律要求須保留這些「個資」。 11.13 針對康乃狄克州資料隱私法之任何修改、修正或更新,雙方將抱持誠意合作,增補或修改合約條款,包括任何適用之監管或自律指導方針。 12. 猶他州消費者隱私權法 12.1本DPA第12節中規定之條款僅適用於:(i) Exit Games代表客戶處理猶他州消費者之「個資」;(ii) 進行此類處理時,猶他州消費者隱私權法(Utah Consumer Privacy Act,UCPA)適用於客戶。 12.2 除本DPA中單獨定義之當事人與協議參考(例如,對「客戶」與「主要協議」參考)以外,本DPA第12節中之大寫名詞應具有猶他州消費者隱私權法所賦予之含義。 12.3若猶他州消費者隱私權法適用於客戶,且Exit Games代表客戶處理「個資」,則客戶應為「控制者」,Exit Games 應為處理此類「個資」之「處理者」。 12.4 雙方應同意遵守猶他州消費者隱私權法、主要協議、本DPA以及雙方簽訂之任何其他協議規定之各別義務。此外,各方同意尊重另一方依據猶他州消費者隱私權法、主要協議、本DPA以及雙方簽訂之任何其他協議之權利。 12.5 Exit Games將遵守客戶之處理指示。 12.6 於合理可行之範圍內,考量到處理性質與Exit Games可使用之資訊,透過適當之技術與組織措施,Exit Games將協助客戶履行其依照猶他州消費者隱私權法之義務,包括有關「個資」處理安全之事項,以及通知Exit Games系統安全漏洞。 12.7本DPA附錄2之附件一中敘述了正在處理之「個資」類型、此類處理之持續時間、性質與目的。此類「個資」處理之說明如主要協議中所述。 12.8 Exit Games將確保每一「個資」處理者均對「個資」負有保密義務。 12.9 Exit Games將依據書面合約聘用其每個外包商,該合約要求外包商就此類個資履行與Exit Games相同之義務。 12.10 針對猶他州消費者隱私權法之任何修改、修正或更新,雙方將抱持誠意合作,增補或修改合約條款,包括任何適用之監管或自律指導方針。 13. 一般條款 13.1 雙方將抱持誠意合作,增補或修改合約條款,以因應未來資料保護與隱私法規。 13.2 關於其涵蓋之主題,本DPA列出了雙方已達成協議之所有條款。除詐欺性陳述外,任何其他陳述或條款均不適用或構成本DPA之一部分。 13.3 本DPA不影響雙方於主要協議下之實體權利與義務,主要協議將持續具有完全效力。 13.4 若本 DPA與主要協議之條款間相互牴觸,只要標的物牽涉「個資」處理,則以本DPA之條款為準(包括定義與附錄)。若本DPA與歐盟條款(或視情況而定,受英國批准之補充文件約束之歐盟條款)存在不一致,則以後者 (包括英國批准之補充文件,如適用)為準。 13.5 於適用法律允許之範圍內,且於任何情況下,Exit Games對客戶之最大總體責任(依照本 DPA或與本DPA相關)均不得超過主要協議中所規定、 Exit Games對客戶之最大總體責任。 13.6 本DPA及與之相關之任何行動均應受紐約州法律管轄並據其解釋,但不適用任何法律衝突原則。雙方應同意紐約市法院之屬人管轄權與屬地管轄權。 13.7 本DPA不授予任何第三方受益權,其目的是為了保障本協議雙方及其各別允許之繼承人與受讓人之利益,而非為了任何其他人之利益,也不得由任何其他人強制執行本協議之任何規定。 13.8 本DPA是雙方就本協議標的物達成之最終、完整與排他性協議,並取代與合併雙方之前就此類標的物進行之所有討論與協議。除詐欺性陳述以外,任何其他陳述或條款均不適用或構成本DPA之一部分。除非以電子方式提交並經各方以電子方式確認,否則對於本DPA任何權利之修改、修正或放棄均不生效。 13.9 每一方應向另一方聲明並保證,本DPA之簽署與交付及其於本協議中義務之履行已得到正式授權,且本DPA對雙方均有效且具法律約束力,可依據其條款執行。 13.10 本DPA一式兩份,每份均應視為正本,但合在一起應構成同一份協議。 附錄1:英國傳輸 針對英國批准之補充文件: 1. 本DPA附錄2之附件一中包含了表1所需之資訊,開始日期應被視為與歐盟條款之日期相同。 2. 關於表2,英國批准之補充文件適用之歐盟條款版本是「控制者」至「處理者」之模組二。 3. 關於表3,雙方名單與傳輸說明規定於本DPA附錄2之附件一,Exit Games 之技術與組織措施規定於本DPA附錄2之附件二,而Exit Games之委外廠商應依據 本DPA附錄2之附件三提供之名單。 4. 關於表4,任何一方均無權依據英國強制性條款第19條終止英國批准之補充文件。 附錄2:歐盟條款 1. 針對本附錄2,歐盟條款(模組二,網址為https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from= EN)應被納入本附錄與本DPA, 且應被視為不可分割之一部分,雙方於本DPA中之簽名應被解釋為雙方對歐盟條款之簽名。若本DPA與歐盟條款存在不一致,則以後者為準。 2. 針對歐盟條款,以下內容應適用: - 客戶應為資料匯出者,Exit Games應為資料匯入者。雙方應同意各自依照匯出者與匯入者之角色,就歐盟條款規定之義務,受其約束並加以遵守。 - 第7條(對接條款)應視為包含在內。 - 第9條(委外廠商之使用):選項2 - 一般書面授權應適用。資料匯入者對於該名單意圖進行更改時,應至少提前15天以書面形式,藉由增加或更換委外廠商,明確通知資料匯出者。 - 第11條(補救):可選用條款(獨立爭議解決機構之可選補救機制)應視為不包括在內。 - 第13 (a) 條(監督): o 若客戶設立於歐盟成員國:如附件一之C所述,負責確保資料匯出者遵守有關資料傳輸的(EU) 2016/679法規之監管機構,應作為主管監督機關。 o 若客戶非設立於歐盟成員國,但依據其第3(2)條,屬於(EU) 2016/679法規之領土適用範圍,且已依據(EU) 2016/679法規第27(1)條指定一名代表:如附件一之C所述,此代表所在之成員國之監督機構應作為主管監督機關。 o 若客戶並非設立於歐盟成員國,但屬於(EU) 2016/679法規之領土適用範圍,不過又依據其第3(2)條,無需依據(EU) 2016/679規定之第27(2)條指定代表:當該成員國中資料主體之「個資」是依據這些條款於向他們提供商品或服務時被傳輸,或者他們的行為受到監管,則如附件一之C所述,其中一個成員國之監督機關應作為主管監督機關。 - 第17條(管轄法律):這些條款應受資料匯出者設立地點所在之歐盟成員國之法律管轄。若該地法律不允許第三方受益權,則應受另一個允許第三方受益權之歐盟成員國之法律管轄。雙方應同意此處是指德國之法律。 - 第18 (b)條(法庭與管轄權之選擇):雙方應同意,雙方因歐盟條款引起之任何爭議應由德國之法院裁決。 附錄2之附件一 A. 雙方名單 資料匯出者:本DPA之一方協譯者(客戶,如DPA前文所述),以「控制者」身分提供多人遊戲或其他服務。 資料匯入者: 名稱:Exit Games, Inc. 地址:111 SW 5th Ave. STE 3150, Portland OR 97204, USA 聯絡人姓名、職位與聯繫方式:Christof Wegmann, CTO, privacy@photonengine.com 依據本條款傳輸資料之活動:為多人遊戲提供線上服務(Photonengine) 角色(控制者/處理者):處理者 B. 傳輸說明 「個資」被傳輸之資料主體類別: - 網路線上玩家 - 應用程式使用者 傳輸「個資」類別: - 使用者ID - IP位址 - 聊天內容(同時使用選用過濾器) 傳輸之敏感資料(若適用)與應用之限制或保護措施: - 無。 傳輸頻率(例如,資料是一次性或連續傳輸): 提供本系列服務期間將連續傳輸。 處理之性質: 提供本系列服務。 資料傳輸與進一步處理之目的: - 提供Photonengine服務: o 將使用者路由至目前名稱,並在大廳與遊戲伺服器上對使用者進行處理 o 分析Photonengine.com之錯誤 - 進行符合兒童線上保護法(Children's Online Protection Act,COPPA)與一般資料保護規則(GDPR)之聊天內容過濾。 「個資」之保留期間,以及此舉不可能時,用於決定此期間之標準: 即主要協議持續期間。 對於向處理者(或委外廠商)之傳輸,還應指定處理之主題、性質與 處理輔助服務之持續時間。 C. 主管監督機關 依據第13條判定主管監督機關: 如附錄2所述,客戶之主管監督,取決於選項 (A)、(B) 或 (C) 是否依據歐盟條款第13條之規範適用。 附錄2之附件二 - 技術與組織措施,包括確保資料安全之技術與組織措施 考量到技術發展現狀、實施成本與處理之性質、範圍、背景與目的(請參閱附件一),以及自然人權利與自由之不同可能性與嚴重程度之風險,Exit Games實施適當之技術與組織措施,以確保合適於風險之安全等級,若適用時,包括以下項目: o 「個資」假名與加密。 o 確保處理系統與服務之持續機密性、完整性、可用性與韌性之能力。 o 於發生實體或技術事件時,及時恢復「個資」可用性與存取之能力。 o 定期測試、評估技術與組織措施有效性之流程,以確保處理之安全性。 Exit Games將依客戶要求提供實際技術與組織措施之清單。 附錄2之附件三 - 委外廠商名單 控制者/資料匯出者已授權任用以下委外廠商: https://download.photonengine.com/subprocessors
英文版
DATA PROCESSING ADDENDUM
Exit Games, Inc., a Delaware corporation, whose principal place of business is at 111 SW 5th Ave. STE 3150, Portland OR 97204, USA ("Exit Games") and the counterparty agreeing to this terms ("Customer") have entered into an Main Agreement, Exit Games' Terms of Use (available at https://dashboard.photonengine.com/en-US/Account/LicenseTerms), or other written or electronic agreement for the provision of Exit Games' networking engine and multiplayer platform (collectively, the "Services") provided by Exit Games (the "Main Agreement"). This Data Processing Addendum, including its Annexes, (the "DPA") forms part of the Main Agreement.
Each of Exit Games and Customer may be referred to herein as a "Party" and together as the "Parties".
This DPA will be effective and replace any previously applicable terms relating to their subject matter (including any data processing agreement or addendum relating to the Services), from the date on which Customer clicked to accept or the Parties agreed to this DPA otherwise.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.
RECITALS:
(A) In connection with the Services, the Parties anticipate that Exit Games may process outside of the EEA certain Personal Data in respect of which the Customer or any member of the Customer Group may be a Controller under applicable EU Data Protection Laws or UK Data Protection Laws.
(B) The Parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws, UK Data Protection Laws and other applicable data protection laws, to the extent applicable.
1. Definitions
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
(a) "Adequate Country" means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner's Office and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the EU GDPR;
(b) "Affiliate" means, with respect to a Party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such Party (but only for so long as such Control exists;
(c) "Customer Group" means the Customer and/or any entity that, directly or indirectly, controls, is controlled by, or is under common control with the Customer and is Party to this DPA, where "control" means the power (directly or indirectly) to appoint or remove a majority of the directors of that entity and includes Affiliates;
(d) "Data Protection Laws" means (i) all laws and regulations of the European Union, the European Economic Area, their member states, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data ("EU GDPR"), or (ii) all laws and regulations of the UK, applicable to the processing of Personal Data under the Main Agreement, including the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018 (the "UK GDPR");
(e) "Data Subject Request" means a request from or on behalf of a data subject to exercise any rights in relation to his/her Personal Data under Data Protection Laws;
(f) "EEA" means the European Economic Area;
(g) "EU Clauses" means the standard contractual clauses for international transfers of Personal Data to third countries set out in the European Commission's Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj)
incorporating Module Two for Controller to Processor transfers and which form part of this DPA in accordance with Schedule 2; (h) "Exit Games Group" means Exit Games and any of its Affiliates;
(i) "Personal Data" means personal data or personal information of Customer processed by Exit Games on behalf of Customer under this DPA and as defined in the Data Protection Laws. In accordance with Section 2.1 of this DPA, this may include the Personal Data of a Customer Group Company;
(j) "Restricted Transfer" means a (i) transfer of Personal Data from any Customer Group Company to Exit Games; or (ii) an onward transfer of Personal Data from Exit Games to a sub-processor of Exit Games, in each case, where and to the extent the Party receiving the transferred Personal Data is outside the EEA and such transfer would be prohibited under the EU GDPR or the UK GDPR;
(k) "Security Breach" means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of Exit Games' staff or sub-processors, or any other identified or unidentified third-party;
(l) "Supervisory Authority" means in the UK, the Information Commissioner's Office ("ICO") (and, where applicable, the Secretary of State or the government), and in the EU, an independent public authority established pursuant to the GDPR;
(m) "UK" means the United Kingdom;
(n) "UK Approved Addendum" means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force since 21 March 2022; and
(o) "UK Mandatory Clauses" means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any final version published by the Information Commissioner's Office.
1.2 An entity "Controls" another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in "Common Control" if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
1.3 The terms "Controller", "Data Subject", "Processor" and "sub-processor have the meanings ascribed to them in the Data Protection Laws.
1.4 Any defined terms which are not defined in this DPA are as defined in the Main Agreement.
2. Roles and Compliance with Data Protection Laws
2.1 Customer is the Controller of Personal Data, and Exit Games is the Processor of Personal Data. Each Party will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with Data Protection Laws applicable to such Party in the processing of Personal Data. As between the Parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.
2.2 For the avoidance of doubt, a Customer Group Company other than the Customer is not and does not become a party to the Main Agreement and, subject to the following, is only a party to this DPA.
2.3 This DPA is without prejudice to the rights and obligations of the Parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
3. Description of Processing
3.1 The subject matter, nature and purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in ANNEX I to Schedule 2.
3.2 As a Processor, Exit Games will only process Personal Data (i) in order to provide the Services to Customer as agreed in the Main Agreement or (ii) per Customer's instructions in writing or via email. Exit Games will notify Customer (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to Customer's instructions. As soon as reasonably practicable upon becoming aware, inform the Customer if, in Exit Games' opinion, any instructions provided by the Customer infringe applicable Data Protection Laws. Upon termination of the Main Agreement and upon written request of the Customer, return or delete the Personal Data, unless required by law to continue to store a copy of the Personal Data.
4. Technical and Organisational Security Measures
4.1 Exit Games is responsible for implementing and maintaining commercially reasonable and appropriate technical, physical, and organizational safeguards to protect the confidentiality, availability, and integrity of Personal Data that is maintained and accessed by Exit Games for a Customer using Exit Games' Services pursuant to the Main Agreement. Exit Games' security measures for protecting such personal data while it is Exit Games' possession, custody, or control shall include, as appropriate, the measures described in ANNEX II to Schedule 2 of this DPA. Exit Games may modify or update these measures at its discretion provided that such modification or update does not result in a degradation of its protection of such Personal Data.
4.2 Exit Games will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.
4.3 Customer is responsible for the security of Personal Data throughout the time that such data is in Customer's possession, custody, or control, including while personal data is in transit over the Internet or other third-party network. In furtherance of meeting its security obligations, Customer agrees to employ all physical, administrative, and technical security measures necessary to (i) protect all of its and its Authorized Personnel's access credentials; (ii) protect Customer's information technology infrastructure, including computers, software, databases, electronic systems (including database management systems) and networks whether operated directly by Customer or through the use of third-party services (the
"Customer Systems"); (iii) protect against any unauthorized access to or use of the Services directly or indirectly through Customer Systems or its Authorized Personnel's access credentials; and (iv) protect the confidentiality, integrity, and availability of all personal data while such data is in transit to Exit Games, including while such data is being uploading or otherwise provided to Exit Games for processing.
4.4 Customer is solely responsible for making an independent determination whether Exit Games' security measures meet Customer's requirements and data protection obligations under applicable laws and regulations. Customer acknowledges and agrees that, taking into account the state of the art, cost of implementation, and the nature, scope, context and purposes of the processing of personal data, as well as the risks to individuals, the security practices and policies implemented and maintained by Exit Games provide a level of security appropriate to the risk with respect to Personal Data.
5. Sub-processing and Audits
5.1 Customer authorizes Exit Games to appoint sub-processors (and permits each sub-processor to appoint additional sub-processors) in accordance with this Section. Customer hereby authorizes and instructs Processor to engage those sub-processors set out at https://download.photonengine.com/subprocessors (the "Sub-Processor List"). The Sub-Processor List may be updated from time to time and shall include the name and location of, and a brief description of the processing undertaken by, each current sub-processor. Customer acknowledges and agrees that Exit Games may engage additional sub-processors. If Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Exit Games of such objections in writing within 15 days of the notification and the Parties will seek to resolve the matter in good faith. If Customer is not reasonably satisfied that the sub-processor meets the security and privacy protections then either Party as its sole remedy may, within such 15-day period, terminate the Main Agreement.
5.2 Exit Games will enter into a written contract with each sub-processor which imposes on such sub-processor terms no less protective of Personal Data than those imposed on Exit Games in this DPA (the "Relevant Terms2). Exit Games shall be liable to Customer for any breach by such sub-processor of any of the Relevant Terms as set out in Section 13.3 unless otherwise required under the Data Protection Laws or any other applicable laws.
5.3 Upon Customer's request, and subject to the confidentiality obligations set forth in the Main Agreement, Exit Games shall promptly make available to Customer information regarding Exit Games' compliance with the obligations set forth in this DPA, which may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant executive summaries of the third-party certifications and compliance audits to the extent available; and (iii) a summary of Exit Games' operational practices related to data protection and security. If Customer determines that information provided in accordance with the preceding methods is insufficient, then Customer may contact Exit Games to schedule an on-site audit at Exit Games' designated facility of the procedures relevant to the protection of Customer Personal Data. Customer shall reimburse Exit Games for any time expended for any such on-site audit at the Exit Games' then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Exit Games shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Exit Games with information regarding any non-compliance discovered during the course of an audit. For clarity, the audits referenced hereunder do not apply to audits of Exit Games' sub-processors. Such audits are subject to the Data Protection Laws, to the extent required.
6. Security Breaches, Data Subject Requests and further Assistance
6.1 Exit Games will notify Customer of any Security Breach without undue delay and within 48 hours after becoming aware of the Security Breach.
6.2 To the extent legally permitted, Exit Games will promptly notify Customer if it receives a Data Subject Request. Exit Games will not respond to a Data Subject Request, provided that Customer agrees Exit Games may at its discretion respond to confirm that such request relates to Customer. Customer acknowledges and agrees that the Services may include features which will allow Customer to manage Data Subject Requests directly through the Services without additional assistance from Exit Games. If Customer does not have the ability to address a Data Subject Request, Exit Games will, upon Customer's written request, provide reasonable assistance to facilitate Customer's response to the Data Subject Request to the extent such assistance is consistent with the Data Protection Laws.
6.3 Taking into account the nature of processing and the information available to Exit Games, Exit Games will provide such assistance as Customer reasonably requests in relation to Customer's obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Customer in response to a Security Breach, or (iii) Customer's compliance with its obligations under the EU GDPR or UK GDPR (as applicable) with respect to the security of processing.
6.4 Exit Games shall make available to the Customer such information in Exit Games' possession or control as Customer may reasonably request with a view to demonstrating Exit Games' compliance with the obligations of Processors under Data Protection Laws in relation to its processing of Personal Data.
7. International Transfers
7.1 Customer agrees that its use of the Services can involve the transfer of Personal Data to, and processing of Personal Data in, various countries, including the country in which Exit Games is based and other countries outside the EEA that are not recognized as Adequate Country.
7.2 UK transfers:
7.2.1 To the extent Personal Data is transferred to Exit Games and processed by or on behalf of Exit Games outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by the UK GDPR in the absence of a transfer mechanism, the Parties agree that the EU Clauses subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this DPA.
7.2.2 Schedule 1 references the information required by Tables 1 to 4 inclusive of the UK Approved Addendum.
7.3 EU transfers:
7.3.1 To the extent Personal Data is transferred to Exit Games and processed by or on behalf of Exit Games outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by EU GDPR in the absence of a transfer mechanism, the Parties agree that the EU Clauses will apply in respect of that processing and are incorporated into this DPA in accordance with Schedule 2.
7.3.2 The ANNEXES to Schedule 2 contain the information required by the EU Clauses.
7.4 In case of any discrepancies between the EU Clauses or UK Approved Addendum and the DPA, the EU Clauses or, as the case may be, the UK Approved Addendum shall take precedence when applicable pursuant to Section 7.2 or 7.3.
7.5 Insofar as Customer asserts any rights from the EU Clauses or the UK Approved Addendum against Exit Games, Exit Games may charge a reasonable fee for the services incurred thereby.
7.6 Exit Games may (i) replace the EU Clauses and/or the UK Approved Addendum generally or in respect of the EEA, and/or the UK (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any further or alternative standard contractual clauses approved from time to time and (ii) make reasonably necessary changes to this DPA by notifying Customer of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.
8. CCPA
8.1 The terms set forth in this Section 8 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Information of California Consumers on behalf of Customer; and (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 ("CCPA"), is applicable to Customer at the time of such Processing.
8.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, or the Main Agreement the capitalized terms in this Section of the DPA shall have the meaning given to them under the CCPA, and the CCPA Regulations.
8.3 If the CCPA applies to Customer, and Exit Games Processes Personal Information on behalf of Customer, Customer shall be a Business and Exit Games shall be a Service Provider with respect to the Processing of such Personal Information.
8.4 The Parties agree to comply with their respective obligations under the CCPA and the CCPA Regulations. Exit Games will comply with its obligations under all applicable sections of the CCPA and CCPA regulations and will provide the same level of privacy protection regarding Personal Information it Collects pursuant to the Main Agreement Customer as is required of Customer under the CCPA and CCPA regulations (e.g., cooperating with Customer in responding to and complying with Consumers' requests made pursuant to the CCPA; implementing reasonable security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with California Civil Code section 1798.81.5).
8.5 The limited and specified Business Purposes for which Exit Games is Processing Personal Information pursuant to the Main Agreement include: (i) helping to ensure security and integrity to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes; (ii) debugging to identify and repair errors that impair existing intended functionality; (iii) performing the Services and related support services on behalf of Customer, including by maintaining or servicing accounts, providing customer service, providing storage, or providing similar services on behalf of Customer; (iv) undertaking internal research for technological development and demonstration; and (v) undertaking activities to verify or maintain the quality and safety of services controlled by Customer. Personal Information is only disclosed by Customer to Exit Games for limited and specified purposes (i.e., the limited and specified Business Purposes set forth in this provision).
8.6 Exit Games will not retain, use, or disclose the Personal Information that it has Collected pursuant to the Main Agreement for any purpose other than the Business Purposes specified n this DPA or the Main Agreement, which shall include (i) helping to ensure security and integrity to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes; (ii) debugging to identify and repair errors that impair existing intended functionality; (iii) performing the Services and related support services on behalf of Customer, including by maintaining or servicing accounts, providing customer service, providing storage, or providing similar services on behalf of Customer; (iv) undertaking internal research for technological development and demonstration; and (v) undertaking activities to verify or maintain the quality and safety of services controlled by Customer, or (vi) as otherwise permitted by the CCPA and CCPA Regulations. This prohibition extends to the retention, use, or disclosure of Personal Information for a commercial purpose other than the Business Purposes specified in this DPA, the Main Agreement, or as otherwise permitted by the CCPA and CCPA Regulations.
8.7 Exit Games will not retain, use, or disclose Personal Information that it Collects pursuant to the Main Agreement outside of the direct business relationship between Customer and Exit Games, unless expressly permitted by the CCPA and CCPA regulations.
8.8 Exit Games will not combine or update Personal Information that Exit Games Collects pursuant to the Main Agreement or otherwise receives from, or on behalf of, Customer with Personal Information that it received from, or on behalf of, another person or source or from its own interaction with a Consumer, other than combining Personal Information to perform any Business Purpose that is expressly permitted by the CCPA and CCPA Regulations. However, Exit Games will not combine the Personal Information of Consumers who have opted-out of the Sale or Sharing of Personal Information that Exit Games receives from, or on behalf of, Customer with Personal Information that Exit Games receives from, or on behalf
of, another person or collects from its own interactions with Consumers.
8.9 Exit Games will not Sell or Share, as such terms are defined under the CCPA, the Personal Info rmation it Collects pursuant to the Main Agreement.
8.10 Exit Games will enable Customer to comply with Consumer requests made pursuant to the CCPA that involve Personal Information Exit Games has Collected pursuant to the Main Agreement.
8.11 Customer may take reasonable and appropriate steps to help ensure that Exit Games uses Personal Information that is Collected pursuant to the Main Agreement, or otherwise transferred to Exit Games by Customer, in a manner consistent with the obligations imposed on Customer under the CCPA and CCPA Regulations, through the process set forth in Section 5.3 of the DPA.
8.12 In the event Exit Games ever determines that it can no longer meet its obligations under the CCPA and CCPA Regulations, Exit Games will notify Customer of such determination.
8.13 Upon Customer's receipt of notice from Exit Games that it can no longer meet its CCPA obligations or Customer's provision of Exit Games with notice that it will be taking steps to stop and remediate any unauthorized use of Personal Information, Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.
8.14 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CCPA, including any applicable regulatory or self-regulatory guidance.
9. VCDPA
9.1 The terms set forth in this Section 9 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Virginia Consumers on behalf of Customer; and (ii) the Virginia Consumer Data Protection Act ("VCDPA") is applicable to Customer at the time of such Processing.
9.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section of the DPA shall have the meaning given to them under the VDCPA.
9.3 If the VCDPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
9.4 The Parties agree to comply with their respective obligations under the VDCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the VDCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
9.5 Exit Games agrees to adhere to the Processing instructions of Customer.
9.6 Exit Games agrees to assist Customer in meeting Customer's obligations under the VDCPA with respect to any Personal Data of Virginia Consumers that Exit Games Processes on behalf of Customer. Such assistance will include (i) assisting Customer in fulfilling its obligation to respond to Consumer rights requests through Exit Games' implementation of appropriate technical and organizational measures, insofar as is reasonably practicable (taking into account the nature of the Processing and the information available to Exit Games); (ii) assisting Customer in meeting Customer's obligations in relation to the security of Processing the Personal Data and in relation to the notification of a breach of security system of Exit Games (taking into account the nature of Processing and the information available to Exit Games); and (iii) providing necessary information to enable Customer to conduct and document data protection assessments relating to Personal Data of Virginia Consumers that is Processed by Exit Games through the measures set forth in Section 5.3 of the DPA.
9.7 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.
9.8 Exit Games will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
9.9 Upon the reasonable request of Customer, Exit Games will make available to Customer all information in its possession necessary to demonstrate Exit Game's compliance with its obligations under the VCDPA through the process set forth in Section 5.3 of the DPA.
9.10 Exit Games will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the obligations of Exit Games with respect to the Personal Data. Such contract shall not relieve the Parties of their respective liabilities under the VCDPA.
9.11 Exit Games will allow, and cooperate with, reasonable assessments by Customer or the Customer's designated assessor through the process set forth in Section 5.3 of the DPA.
9.12 At Customer's direction, Exit Games will either delete or return all Personal Data to Customer as requested at the end of the provision of services, unless retention of the Personal Data is required by law.
9.13 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the VCDPA, including any applicable regulatory or self-regulatory guidance.
10. CPA
10.1 The terms set forth in this Section 10 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Colorado Consumers on behalf of Customer; and (ii) the Colorado Privacy Act ("CPA") is applicable to Customer at the time of such Processing.
10.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section of the DPA shall have the meaning given to them under the CPA and the CPA Rules.
10.3 If the CPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
10.4 The Parties agree to comply with their respective obligations under the CPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the CPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
10.5 The type of Personal Data being Processed, the duration of such Processing, and the processing instructions, including the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2of this DPA and in the Main Agreement.
10.6 Exit Games will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
10.7 After providing Customer an opportunity to object, Exit Games will engage each of its subcontractors pursuant to a written contract in accordance with the CPA that requires the subcontractor to meet the obligations of Exit Games with respect to the Personal Data.
10.8 Upon request, Exit Games will make available to Customer all information necessary to demonstrate its compliance with the CPA in accordance with the process set forth in Section 5.3 of the DPA.
10.9 Exit Games will allow for, and contribute to, reasonable audits and inspections by Customer or Customer's designated auditor through the process set forth in Section 5.3 of the DPA.
10.10 At the choice of Customer, Exit Games will delete or return all Personal Data to Customer as requested by Customer at the end of the provision of services described in the Main Agreement, unless retention of the Personal Data is required by law.
10.11 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CPA, including any applicable regulatory or self-regulatory guidance.
11. CTDPA
11.1 The terms set forth in this Section 11 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Connecticut Consumers on behalf of Customer; and (ii) the Connecticut Data Privacy Act ("CTDPA") is applicable to Customer at the time of such Processing.
11.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section 11 of the DPA shall have the meaning given to them under the CTDPA.
11.3 If the CTDPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
11.4 The Parties agree to comply with their respective obligations under the CTDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the CTDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
11.5 Exit Games agrees to adhere to the Processing instructions of Customer.
11.6 Exit Games agrees to assist Customer in meeting Customer's obligations under the CTDPA with respect to any Personal Data of Connecticut Consumers that Exit Games Processes on behalf of Customer. Such assistance will include (i) assisting Customer in fulfilling its obligation to respond to Consumer rights requests through Exit Games' implementation of appropriate technical and organizational measures, insofar as is reasonably practicable (taking into account the nature of the Processing and the information available to Exit Games); (ii) assisting Customer in meeting Customer's Personal Data security obligations and obligations for notification of any breach of security of a system of Exit Games (taking into account the nature of Processing and the information available to Exit Games); and (iii) providing necessary information to enable Customer to conduct and document data protection assessments relating to Personal Data of Consumers that is Processed by Exit Games through the measures set forth in Section 5.3 of the DPA.
11.7 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.
11.8 Exit Games will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to the Personal Data.
11.9 Upon the reasonable request of Customer, Exit Games will make available to Customer all information in its possession necessary to demonstrate Exit Game's compliance with the CTDPA in accordance with the process set forth in Section 5.3 of the DPA.
11.10 After providing Customer an opportunity to object, Exit Games will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the obligations of Exit Games with respect to the Personal Data.
11.11 Exit Games will allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor through the process set forth in Section 5.3 of the DPA.
11.12 At Customer's direction, Exit Games will either delete or return all Personal Data to Customer, as requested, at the end of Exit Games' provision of services, unless retention of the Personal Data is required by law.
11.13 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CTDPA, including any applicable regulatory or self-regulatory guidance.
12. UCPA
12.1 The terms set forth in this Section 12 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Utah Consumers on behalf of Customer; and (ii) the Utah Consumer Privacy Act ("UCPA") is applicable to Customer at the time of such Processing.
12.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section 12 of the DPA shall have the meaning given to them under the UCPA.
12.3 If the UCPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
12.4 The Parties agree to comply with their respective obligations under the UCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the UCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
12.5 Exit Games will adhere to the Processing instructions of Customer.
12.6 Taking into account the nature of the Processing and information available to the Exit Games, by appropriate technical and organizational measures, insofar as reasonably practicable, Exit Games will assist Customer in meeting Customer's obligations under the UCPA, including obligations relating to the security of Processing Personal Data and notification of a breach of system security of Exit Games.
12.7 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.
12.8 Exit Games will ensure that each person Processing Personal Data is subject to a duty of confidentiality with respect to the Personal Data.
12.9 Exit Games will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the same obligations as Exit Games with respect to such Personal Data.
12.10 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the UCPA, including any applicable regulatory or self-regulatory guidance.
13. General
13.1 The Parties will cooperate in good faith to enter into additional or modified contract terms to address future data protection and privacy laws and regulations.
13.2 This DPA sets out all of the terms that have been agreed between the Parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
13.3 This DPA is without prejudice to the rights and obligations of the Parties under the Main Agreement which shall continue to have full force and effect.
13.4 In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms (including definitions and the Schedules) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. In the event of an inconsistency between the DPA and the EU Clauses (or, as the case may be, the EU Clauses subject to the UK Approved Addendum) the latter, including the UK Approved Addendum, if applicable, will prevail.
13.5 To the extent allowed under the applicable laws, Exit Games' maximum aggregate liability to Customer under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of Exit Games to the Customer as set out in the Main Agreement.
13.6 This DPA and any action related thereto shall be governed by and construed in accordance with the laws of the State of New York, without giving effect to any conflicts of laws principles. The Parties consent to the personal jurisdiction of, and venue in, the courts of New York City.
13.7 This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the Parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
13.8 This DPA is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless submitted electronically and electronically confirmed by each Party.
13.9 Each Party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such Party's obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such Party, enforceable in accordance with its terms.
13.10 This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.
SCHEDULE 1: UK TRANSFERS
For the purposes of the UK Approved Addendum,
1. the information required for Table 1 is contained in ANNEX I of Schedule 2 of this DPA and the start date shall be deemed dated the same date as the EU Clauses;
2. in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor;
3. in relation to Table 3, the list of Parties and description of the transfer are as set out in ANNEX I of Schedule 2 of this DPA, Exit Games' technical and organisational measures are set
in ANNEX II of Schedule 2 of this DPA, and the list of Exit Games' sub-processors shall be provided pursuant to ANNEX III of Schedule 2 of this DPA; and
4. in relation to Table 4, neither Party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.
SCHEDULE 2: EU CLAUSES
1. For the purposes of this Schedule 2, the EU Clauses (Module II), currently available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by
reference to this Schedule and the DPA and shall be considered an integral part thereof, and the Parties' signatures in the DPA shall be construed as the Parties' signature to the EU Clauses. In the event of an inconsistency between the DPA and the EU Clauses, the latter will prevail.
2. For the purposes of the EU Clauses, the following shall apply:
- Customer shall be the data exporter and Exit Games shall be the data importer. Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the EU Clauses.
- Clause 7 (Docking clause) shall be deemed as included.
- Clause 9 (Use of sub-processors): OPTION 2 - GENERAL WRITTEN AUTHORISATION shall apply. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance.
- Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included.
- Clause 13 (a) (Supervision):
o Where Customer is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I. C, shall act as competent supervisory authority.
o Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I. C, shall act as competent supervisory authority.
o Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I. C, shall act as competent supervisory authority.
- Clause 17 (Governing law): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.
- Clause 18 (b) (Choice of forum and jurisdiction): The Parties agree that any dispute between them arising from the EU Clauses shall be resolved by the courts of Germany.
ANNEX I to Schedule 2
A. LIST OF PARTIES
Data exporter(s): is the agreeing Party to this DPA (Customer, as described in the DPA above), providing multiplayer games or other services, as controller.
Data importer(s):
Name: Exit Games, Inc.
Address: 111 SW 5th Ave. STE 3150, Portland OR 97204, USA
Contact person's name, position and contact details: Christof Wegmann, CTO,
privacy@photonengine.com
Activities relevant to the data transferred under these Clauses: Provision of online services for multiplayers (Photonengine)
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred
- Networking Online Players
- Application Users
Categories of Personal Data transferred
- User ID
- IP address
- Chat content (while using optional filter)
Sensitive data transferred (if applicable) and applied restrictions or safeguards
- None.
The frequency of the transfer (eg. whether the data is transferred on a one-off or continuous basis).
Continuous while providing the Services.
Nature of the processing
Provision of the Services.
Purpose(s) of the data transfer and further processing
- Providing Photoengine Services:
o Routing user to/ processing user on current Name-, Lobby- and Game-Server
o Analyzing Photonengine.com errors
- Children's Online Protection Act (COPPA) and GDPR compliant chat content filtering
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the Main Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Auxiliary services.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
The competent supervisory for the Customer, depending on whether Option (A), (B) or (C) applies according to the specifications with regard to Clause 13 of the EU Clauses, as described in Schedule 2.
ANNEX II to Schedule 2 - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing (see Annex I) as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Exit Games implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
o the pseudonymization and encryption of Personal Data;
o the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
o the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
o a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Exit Games will provide a list of the actual technical and organizational measures on request of the Customer.
ANNEX III to Schedule 2 - LIST OF SUB-PROCESSORS
The controller / data exporter has authorised the use of the following sub-processors:
https://download.photonengine.com/subprocessors