CONTRACT FOR THE TREATMENT AND PUBLISHING OF DATA IN THE SPORTS PLATFORM

TREATMENT ORDER CONTRACT FOR THE PUBLICATION OF DATA ON THE SPORTS PLATFORM

The parties recognize each other, in the nature in which they intervene, their full capacity to contract and in the case of representing third parties, each of the intervening parties ensures that the power with which they act has not been revoked or limited, and that it is enough to oblige its represented by virtue of this data access contract, and for that purpose:

EXPOSE

I.-That,the object of this contract isto regulate the processingby the DATA PROCESSOR (NBN23 SL) of certain personal data on behalf of the DATACONTROLLER (CLIENT), due to the relationship of provision of services that binds both parties, complying with the obligationsestablished in article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data by which Directive 95/46 / CE (General Data Protection Regulation) is repealed, and in the Spanish regulations for the protection of personaldata.

II.-That,in accordance with the provisions of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights in its article 33.2 “responsible for the treatment and not the manager Who in his own name and without stating that he is acting on behalf of another, establishes relations with those affected even when there is a contract or legal act with the content set out in article 28.3of Regulation (EU) 2016/679, will be considered as the data controller and not as data processor. This provision will not be applicable to treatment orders carried out within the framework of public sector procurement legislation.Additionally, such person/entity whom appearing as data processor uses the data for their own purposes, will also be considered as data controller”(original text translated from Spanish).

And in accordance with the foregoing, the Parties agree to sign this TREATMENT ORDER CONTRACT FOR THE PUBLICATION OF DATA ON THE SPORTS PLATFORM, subject to the following,

CLAUSES AND CONDITIONS

Identification of the parties: The CLIENT (for the purposes of this contract and also identified as thecontroller or data controller), and not NBN23 (also identified as theprocessor or data processor), is the sole person/entityin charge of thepersonaldata treatment/s thatarehostedand publishedthrough the platform, being obliged to comply with the provisions of Regulation (EU) 2016/679, General Data Protection (hereinafter RGPD) and other applicable regulations on the matter. Each party will comply with its obligations regarding the protection of personal data.

Object of the contract. Through these clauses, the DATA PROCESSOR is authorized, to process on behalf of theDATA CONTROLLER, the personal data necessary to provide theservice described in the service contract (hereinafter it will also be understood that within thedefinedterm “Contents”, personal data is understood to be the responsibility of the DATA CONTROLLER).

Nature and purpose of the processing of the affected information: Provision of the services of publication of personal data on the Sports Platform, which includes all the data treatment processes to achieve this purpose.

Processing operations: To carry out the publication of the data on the sports platform, all the data processing operations contemplated in article 4.2 of the RGPD will be carried out by the DATA PROCESSOR.

Identification of the affected information. Categories of data subjects: The DATA PROCESSOR will process on behalf of the DATACONTROLLER the information about the following identified or identifiable natural persons:

-Coaches.

-Assistants.

-Players.

-Legal representatives of the players (parents or guardians).

-Referees.

Identification of the affected information. Type of personal data:

-In relation to the coaches: identifying data (such as name, surname and ID, gender, date of birth, email address, telephone); professional data (such as license,technical level, training and club to which it belongs); data of the matches or competitions (date of celebration, place of celebration) and image.

-In relation to the assistants: identification data (such as name, surname and ID, gender, date of birth,email address, telephone); professional data (such as license and club to which it belongs) and image.

-In relation to the players / athletes / users:identification data (such as name, surname and ID, gender, date of birth, email address, telephone); professional data (such as license, height, weight and club to which you belong); family data (such as father / mother’s name and surname, job, email address, telephone number and parental permission); health data (such as medical check-up); data of the matches or competitions (such as statistics of performance in the competitions, date of celebration, place of celebration) and image.

-In relation to the legal representatives of the players / / users / athletes (parents or guardians): identification data (such as name, surname and ID, gender, date of birth, email address, telephone number).

-In relation to the referees:identification data (such as name, surname and ID, gender, date of birth, email address, telephone); professional data (such as license, referee level and training); other data (if he/she hastransportation); data of the matches or competitions (date of celebration, place of celebration) and image.

In any case, the categories of data subjectsand the types of personal data are subject to the changes that NBN23 deems necessary.

Obligations of the data controller: The CLIENT (data controller) declares and guarantees the following:

1. That it is the legitimate owner of all the rights over the Contents published through the sports platform, including thoseof intellectual and industrial property,or otherwise, is legitimized by its owner with all the rights of all the references that allow NBN23 to publish the Contents through the platform.

2. That, consequently, NBN23 may provide the service of hosting and publishingofthe Contents through the platform, without said publication violating applicable laws or regulations and, in particular, intellectual and industrial property rights, data protection or other rights of third parties.

3. That the CLIENT has all the authorizations necessary to publish the Contents through the platform, especially when these Contents affect the data of minors in relation to image, data protection and protection standards of the rights of the Minor.

4. That the CLIENT has provided the data subjectswhose data is published through the sports platform with all the information provided for in article 13 and 14 of Regulation (EU) 2016/679, General Data Protection, and that ithas complied with all obligationsit has assignedas data controllerof said data, especially with regard to the concurrence of the mandatory legal bases that legitimize the treatment and of the principles applicable to the processingof personal data provided for in the aforementioned regulation.

5. Deliver the data referred to in this document to the data processor or make them available to it.

6. Carry out a personal dataprotection impact assessmentof the processing operations to be carried out by data processor.

7. Carry out the prior consultations that correspond in each case to the control authority.

8. Ensure, previously and throughout the processing, the data processor’s compliance with Regulation (EU) 2016/679.

9. Supervise the processingcarried out by the data processor.

Obligations of the data processor: NBN23, in its roleas data controller, and all its staff undertake to:

1. Use the personal data subject to processing, or those collected for inclusion, for the purpose of providing the service. In the event that theDATA PROCESSORviolates the provisions of the GDPRwhen determining the purposes and means of the treatment, itwill be considered controllerfor processingwith respect to said processing.

2. Processthe data in accordance with the instructions of the data controller. For such purposes, it will be understood that the Service Contract that accompanies this treatment order contract constitutes, without prejudice to other instructions that theDATACONTROLLER may communicate to DATA PROCESSOR, the set of documented instructions that the DATA PROCESSORmust take into account. If the DATA PROCESSORconsiders that any of the instructions violates Regulation (EU) 2016/679 or any other provision on data protection of the Union or of the Member States, the processor will immediately inform the data controller about it.

3. When appropriate, in accordance with the provisions of article 30.2 of the GDPR, keep in writing, a record of all categories of processingactivities carried out on behalf of the data controller.

4.NBN23 may communicate the data to other processors of thecontroller, in accordance with the instructions ofthe controller. In this case, the data controllerwill identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication. If NBN23 must transfer personal data to a third country or to an international organization, by virtue of the Law of the Union or of the Member States that is applicable, it will inform the data controller of this legal requirement in advance, unless such Law bans itfor important reasons of public interest.

5. NBN23 may subcontract all the services and auxiliary services necessary for the correct normal operation of the service. Specifically, access to the data made by the natural persons who provide their services to NBN23 acting within its organizational framework by virtue of a commercial and non-labor relationship is authorized. Likewise, access to the data is authorized to companies and professionals that NBN23 has contracted in its internal organizational scope to provide general or maintenance services (computer services, advice, audits or others). In particular, and without prejudice to the incorporation of new sub-processorsthe correct functioning of the service, the DATACONTROLLER authorizes NBN23 to subcontract the services detailed below:

-With the entity MICROSOFT CORPORATION on its AZURE platform. MICROSOFT (https://privacy.microsoft.com/es-es/privacystatement) (https://www.microsoft.com/es-ww / trust-center / privacy)

-With the entity GOOGLE CLOUD EMEA LIMITED on its GOOGLE CLOUD platform. The Google Cloud platform is ISO 27001, ISO 27017 and ISO 27018 certified and its servers are located within the EU. (https://cloud.google.com/security/gdpr?hl=es) (https://policies.google.com/privacy?utm_source=google&utm_medium=pushdown-auth & utm_campaign = Emmett)

-With the entity MILEYENDA ENTERTAINMENT S.L. on its LEVERADE platform. MILEYENDA ENTERTAINMENT S.L. C and in turn, the subcontracting by this entity ofGOOGLE whose servers are within the EU. (https://leverade.com/es/terms)

-With the entity AMAZON WEB SERVICES, Inc. (https://aws.amazon.com/es/privacy/)

-With the entity MONGODB CLOUD, which is an entity that complies with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 regarding the protection of natural persons with regard to treatment of personal data and the free circulation of these data.

-With the entity PIXELLOT LIMITED, which is an entity that complies with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 regarding the protection of natural persons with regard to treatment of personal data and the free circulation of these data

-With the entity Nothingbutnet S.L. that it is an entity adhered to compliance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and free movement of these data.

In these cases, the subcontractors, who are alsodata processors, are also obliged to comply with the instructions issued by the DATA CONTROLLER regarding the adequate treatment of personal data and the guarantee of the rights of thedata subjects. In the event of non-compliance by the sub-processors, NBN23 will continue to be fully responsible upon the DATACONTROLLER in relation to compliance with the obligations.

Inadditiontothespecificauthorisationtohirethecontrollerslistedabove, theDATACONTROLLERgrantsageneralauthorisationtoNBN23tohireothernewsub-processorsand/ortoreplacethosepreviouslyagreed, wherethisisnecessaryfortheperformanceoftheservicesoftheservicecontractandwiththesameguaranteesastheprevioussub-processors. Forthesecasesandunderthegeneralauthorisationgrantedinconnectionwithnewhiringand/orreplacementofexistingprocessors, NBN23willinformtheDATACONTROLLERinwritingofadditionsorreplacementsofsub-processorsatleast1monthinadvancesothattheDATACONTROLLERhassufficienttimetoobjecttosuchchangesbeforethesub-processororsub-processorsconcernedareengaged. NBN23willprovidetheDATACONTROLLERwiththenecessaryinformationtoenablehimtoexercisehisrighttoobject. Intheeventofsuchopposition, itwillbeunderstoodthatthereisa“unilateralwithdrawaloftheservicecontract”bythecontroller, inthiscaseclause11. coftheservicecontractapplies.

6. Maintain the duty of secrecy regarding the personal data to which it hashad access by virtue of this assignment, even after its purpose ends.

7. Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

8. Maintain at the disposal of thedata controller thesupporting documentation of the fulfillment of the obligation established in the previous sectiong).

9. Guarantee the necessary training in the protection of personal data of the persons authorized to process personal data.

10. Assist the data controller in responding to the exercise of rights, for which, if NBN23 receives a request, it will transfer it to the data controller so that itcan proceed to reply.

11. Notification of data security breaches: NBN23 will notify thedata controller, without undue delay, and in any case before the maximum period of twenty-four (24) hours and through means that leave a record of the communication, about the security breachesof the personal data in his charge of which he has knowledge, together with all the relevant information for the documentation and communication of the incident. Notification will not be necessary when it is unlikely that said breach of security constitutes a risk to the rights and freedoms of natural persons. Notification of security breach to the control authority and, where appropriate, when applicable, to the interested parties, will be a task or obligation of the security officer.

12. Provide support to the data controller in carrying out impact assessments related topersonaldata protection, and where appropriate, prior consultations.

13. Provide support to the data controller in carrying out prior consultations with the supervisory authority, when appropriate.

14. Make available to the data controllerall the information necessary to demonstrate compliance with their obligations, as well as to carry out the audits or inspections carried out by the person in charge or another auditor authorized by him.

15. NBN23 guarantees the application of the securitymeasures adopted, in compliance with article 32 of the RGPD, based on the risk analysis carried out taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of the natural persons who present the data processing, and will verify, evaluate and audit the effectiveness of said measures on a regular basis, updating them if necessary, according to the result ofsaid evaluations.

16. Designate a data protection officer and communicate itsidentity and contact details to the data controller, when appropriate.

17. Once the service is finished, NBN23 will proceed to return or delete all personal data following the instructions of the data controller. In any case and without prejudice to this, NBN23 will not have the obligation to eliminate the information that, as a result of a disassociation process to comply with the obligation to erase the information, it may carry out. Said dissociated and anonymous information, which is therefore no longer personal idata, will be the property of NBN23 who will exploit it for statistical and analytical purposes to apply and treat it for purposes related to its corporate purpose in the development of projects. NBN23 will adopt all the appropriate guarantees in the treatment of statistical and research datathat ensure that technical and organizational measures are applied to guarantee that the data subjectscannot be identified in anycase and therefore, their complete anonymity.

In compliance with the provisions of section 3.g) of article 28 of the GDPR, NBN23 will keep a copy, with the data duly blocked, when the conservation of personal data is required under Union or State members’ law, as long as responsibilities for the execution of the provision may be derived.

Duration. This contract will enter into force from the date of its signature and will be in force together with its updates until the date of termination of the relationship of provision of services between the DATA CONTROLLER and the DATA PROCESSOR.

Previous agreements and contracts on the same object: This contract constitutesthe agreement between the Parties in relation to its object and renders without effect any other negotiation, obligation, contract or communication of any nature between them, on the same object, whether verbal or in writing, made prior to the date on which it is signed, thus leavingthose without effect and replaced by this contract.

Applicable law and forum. This contract will be governed and interpreted in accordance with Spanish legislation in that which is not expressly regulated. If any of the stipulations or conditions of this contract turns out to be null, invalid or ineffective and could not take effect due to the legislation applicable to it, said nullity, invalidity or ineffectiveness will not affect the rest of the stipulations or conditions.

Foranydisputes that may arise in relation to this contract,the parties submitto the jurisdiction of the Courts and Tribunals reflected in the service contract, waiving any other forum that may correspond to them.

Basic and detailed information on the protection of personal data addressed to the signatories and interlocutors of this contract: The entity NBN23, S.L. (hereinafter NBN23) with address at C / Juan de la Cierva, 27 Edificio Wellness 1 46980 Paterna (Valencia) and contact email address dpd@nbn23.com is responsible for the processing of personal data of the legal representatives and interlocutors of the parties included in this contract and will treat them for the correct execution and development of this contract. Interested parties can exercise their data protection rights of articles 15 to 22 of the RGPD before NBN23 by contacting the indicated addresses. Detailed information on data processing in the Service Contract that accompanies this document.