1. General conditions

This Data Processing Agreement (hereinafter- the “DPA”) shall regulate the Processing of Personal Data of Data Subjects subject to Data Protection Laws for the Purposes specified in Clause 3 herein in the context of performance of the obligations of the Parties under the Agreement. Addendum 1 forms an integral part of this DPA.

2. Definitions

Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the following meanings:

2.1 Controller – a legal person which, alone or jointly with others, determines the Purposes and means of the Processing;

2.2 Data Subject – an End-User or an employee, beneficial owner/principal, shareholder, representative, or director of the Developer, or other natural person, whose Personal Data are Processed in the context of the Agreement;

2.3 Data Protection Laws – the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);

2.4 Personal Data – any information relating to an identified or identifiable Data Subject, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject; the reference to ‘data’ shall be a reference to Personal Data;

2.5 Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;

2.6 Processing – any operation which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.7 Processor – a legal person which Processes Personal Data on behalf of the Controller;

2.8 Purposes – Personal Data Processing purposes as specified in Clause 3 of this DPA;

2.9 Services – Distribution and related services provided by 1D3 to the Developer in accordance with the Agreement;

2.10 Sub-Processor – any person appointed by the Processor to Process Personal Data on behalf of the Controller in connection with the Agreement;

2.11 Supervisory Authority – The Data Protection Inspectorate.

3. Roles of the parties

For the purpose of the DPA, the Parties acknowledge and confirm that:

3.1 The Developer shall be the Controller and 1D3 shall be the Processor for the Purpose of Processing of Personal Data, which is necessary to Process in connection with transactions, including chargebacks and refunds, in the course of providing the Services;

3.2 1D3 shall be the Controller in relation to Personal Data where 1D3 determines the purposes and the means of the Processing (specified in detail in Addendum 1), including, but not limited to the following Purposes:

3.2.1 complying with any rule, regulation or law to which 1D3 is subject;

3.2.2 entering into the Agreement with the Developer;

3.2.3 entering into Agreement with an End-User;

3.2.4 managing End-User authentication and authorisation;

3.2.5 conducting risk management activities including fraud monitoring, prevention and detection;

3.2.6 assessing and/or mitigating financial, information security, and other risks arising in connection with the Agreement.

4. Obligations of the controller

The Controller represents and warrants that it:

4.1 Complies with Data Protection Laws in respect of Processing of Personal Data, provides lawful Personal Data Processing instructions to the Processor and relies on a valid legal ground under Data Protection Laws for Processing Personal Data for each Purpose;

4.2 Provides appropriate privacy notices to the Data Subjects regarding the Processing of Personal Data for the Purposes in line with the requirements of the Data Protection Laws;

4.3 Takes reasonable steps to ensure that Personal Data is accurate, complete and current; adequate, relevant and limited to what is necessary in relation to the Purposes for which they are Processed; and kept in a form which permits identification of Data Subjects for no longer than is necessary for the Purposes for which the Personal Data are Processed unless a longer retention is required or allowed under the applicable law;

4.4 Implements appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the Processing of Personal Data is performed in accordance with Data Protection Laws, including, as appropriate, appointing a data protection officer, maintaining records of Processing, complying with the principles of the Personal Data protection by design and by default and, where required, performing Personal Data protection impact assessments and conducting prior consultations with Supervisory Authority;

4.5 Responds to Data Subject requests to exercise their rights of (i) access, (ii) rectification, (iii) erasure, (iv) data portability, (v) restriction of Processing, and (vi) objection to the Processing in accordance with Data Protection Laws;

4.6 Cooperates with the Processor to fulfil its respective Personal Data protection compliance obligations in accordance with Data Protection Laws.

5. Obligations of the processor

The Processor shall comply with the Data Protection Laws when Processing Personal Data for the Purposes in the context of the Agreement and it shall:

5.1 Process Personal Data in accordance with the Controller’s lawful written instructions, including but not limited to the instructions set forth by the Agreement, and not for any other Purposes than those specified in Clause 3 of this DPA, unless otherwise agreed by both Parties in writing;

5.2 Provide appropriate privacy notices to the Data Subjects regarding the Processing of Personal Data for the Purposes in line with the requirements of the Data Protection Laws;

5.3 Promptly inform the Controller if, in its opinion, the Controller’s instructions infringe the Data Protection Law, or if the Processor is unable to comply with the Controller’s instructions;

5.4 Cooperate with the Controller to fulfil the Controller’s Personal Data protection obligations under Data Protection Laws, including by providing all information available to the Processor as necessary to demonstrate compliance with the Processor’s own obligations;

5.5 Keep internal records of Processing of Personal Data carried out as a Processor on behalf of the Controller;

5.6 Assist the Controller in fulfilling its obligation to respond to Data Subjects’ requests as provided under Data Protection Laws and specified under Clause 4.5 herein, and notify the Controller about such requests if the Processor receives it directly from the Data Subject;

5.7 Notify the Controller when local laws prevent the Processor (i) from fulfilling its obligations under this Agreement and have a substantial adverse effect on the guarantees provided by this Agreement, and (ii) from complying with the instructions received from the Controller via the Agreement, except if such disclosure is prohibited by the applicable law;

5.8 According to the choice of the Controller, delete, anonymise or return to the Controller any Personal Data provided by the Controller, as well as any existing copies of such Personal Data, upon the expiration or termination of the Agreement or upon a request to delete or return such Personal Data; The Processor shall duly inform the Controller in the event where the applicable law prevents the Processor from deleting, returning or anonymising all or part of the Personal Data or requires storage of the Personal Data;

5.9 Ensure that any Sub-Processors engaged by the Processor in order to Process Personal Data in the context of the Services shall comply with the Data Protection Laws and shall abide with the obligations set out in this Agreement.

6. Sub-processing

6.1 The Developer hereby generally authorises 1D3 to engage internal and external Sub-Processors in order to Process Personal Data in the context of the Services and to continue using the internal and external Sub-Processors already engaged in the provision of the Services, including, but not limited to payment processors.

6.2 The Processor shall conclude a written agreement with the Processor’s internal and external Sub-Processors, wherein the Sub-Processors guarantee to comply with the requirements of Data Protection Laws, with the Controller’s lawful instructions, including, but not limited to the instructions and obligations set forth by the Agreement.

6.3 The Processor shall provide the Controller with a prior written notice regarding any addition of a Sub-Processor. If within 10 (ten) Business Days after the receipt of such notice the Controller does not inform the Processor in writing of having any objections to the proposed appointment of a Sub-processor, the Processor shall consider that the Controller has authorised such appointment.

6.4 The Processor shall not disclose any Personal Data to the proposed Sub-Processor until reasonable steps have been taken to address the objections raised by the Controller and the Controller has been provided with a reasonable written explanation of the steps taken.

7. Privacy notice

7.1 1D3 shall inform the Data Subjects regarding the Personal Data Processing carried out in order to provide products and services by inserting the following statement in the1D3’s privacy notice on the 1D3 Website: “Third-party service providers. We disclose personal data to service providers or agents working on our behalf for the purposes described in this Privacy Policy only when it is necessary to ensure the provision of our services. For instance, such third-party service providers include payment service providers [..]”.

7.2 Developer shall inform the relevant categories of Data Subjects listed in Part 1 of Addendum 1 regarding the Processing carried out by 1D3, and the Developer hereby certifies that it relies on a valid legal ground for such processing.

7.3 The Parties shall provide a contact point for the Personal Data protection enquiries and/or Data Subject access requests, including but not limited to designating a special e-mail address, where Data Subjects may address their requests. 1D3’s contact point shall be dpo@1d3.com. Developer’s contact point for Personal Data protection enquiries shall be indicated in the Agreement.

8. Security and confidentiality of the processing

8.1 The Parties shall implement appropriate technical and organisational measures in order to ensure the appropriate level of security. In this regard the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and Purposes of Processing of Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing of Personal Data, in particular from Personal Data Breach.

8.2 The Parties shall ensure that any person acting under their authority and having access to Personal Data is subject to a duly enforceable contractual or statutory confidentiality obligation.

8.3 The Parties shall ensure that any person acting under their authority and having access to Personal Data is appropriately trained in line with their responsibilities under applicable data protection law.

9. Personal data breach

9.1 The Parties shall notify a Personal Data Breach that relates to Personal Data Processed in the context of the Services to the other Party, without undue delay, and no later than 48 (forty-eight) hours after having become aware of a Personal Data Breach. The notifying Party shall provide sufficient information to allow the other Party to meet its obligations under the Personal Data Protection Laws.

9.2 The Parties shall cooperate to reach an agreement on notifying a Personal Data Breach to the Supervisory Authority and to the Data Subjects and assist in the investigation, mitigation and remediation of each Personal Data Breach.

9.3 The Parties shall thoroughly document all Personal Data Breaches, including all the relevant facts relating to the Personal Data Breach, its effects and the remedial action taken.

10. Audit rights

10.1 Upon prior written request by the Controller, the Processor agrees to cooperate and within reasonable time provide the Controller with information necessary to demonstrate compliance with the Data Protection Laws and this Agreement.

10.2 If the information provided is not sufficient to confirm compliance with Data Protection Laws or reveals material issues, subject to the strictest confidentiality obligations, the Processor allows the Controller to request an audit of the Processor’s data protection compliance program by external independent auditors, which are jointly selected by the Parties. The Parties shall mutually agree upon the scope, timing, and duration of the audit. The Processor shall make available to the Controller the result of the audit.

Addendum 1

Description of the processing activities

1. DEVELOPERS*

Purposes of the Processing

1D3 Processes Personal Data pursuant to the Agreement for the performance of the Services as described therein, which may include, without limitation:

• entering into the Agreement with the Developer;
• providing access and services related to the Developer Account;
• assessing and/or mitigating financial, information/data security risks arising in connection with the Agreement.

*For the purposes of Addendum 1, the “Developer” may as well include Affiliates.

Categories of Data Subjects

1D3 may Process Personal Data relating to the following categories of Data Subjects, as applicable:

• The Developer’s directors and representatives;
• The Developer’s staff.

Types of Personal Data

1D3 may Process Personal Data, including but not limited to, the following categories of Personal Data:

• First and last name;
• Date of birth;
• Home, work or other physical address;
• Postal code/zip;
• Country;
• Telephone number;
• Mobile phone number;
• Email address;
• IP address;
• Company name;
• Company registration number;
• Current Position;
• Passport or ID data;
• Data related to the use of the Developer Account;
• Communication data.

Duration of the Processing

Personal Data may be Processed and stored for the period necessary to fulfil the agreed Purposes of Processing pursuant to the Agreement, or as otherwise authorised by the applicable law.

2. END-USERS*

Purposes of the Processing

1D3 Processes Personal Data pursuant to the Agreement for the performance of the 1D3 services as described therein, which may include, without limitation:

• entering into an agreement with an End-User;
• managing authentication and authorisation;
• providing 1D3 services and products;
• improving the content and features of 1D3 website;
• carrying out marketing activities;
• conducting risk management activities including fraud monitoring, prevention and detection.

Categories of Data Subjects

1D3 may Process Personal Data relating to the following categories of Data Subjects, as applicable:

• End-Users of the 1D3’s website, platform, products and services.

Types of Personal Data

1D3 may Process Personal Data, including but not limited to, the following categories of Personal Data:

• End-User’s first and last name;
• End-User’s nickname - in-game name;
• End-User’s in-game login credentials;
• End-User’s age;
• End-User’s gender;
• End-User’s unique identification number in connection with the End-User’s account;
• Postal address;
• E-mail address;
• IP address;
• Game data;
• Transaction data;
• Purchase - product data;
• Location data;
• Communication data.

‍

Duration of the Processing

Personal Data may be Processed and stored for the period necessary to fulfil the agreed Purposes of Processing pursuant the Agreement, or as otherwise authorised by the applicable law.