Processing agreement ByTomorrow
Article 1. Terms
Capitalized terms in this Processor Agreement that are defined in the GDPR have the meanings assigned to them in the GDPR. In addition, the terms indicated with a capital letter in this Processor Agreement have the following meaning:
- GDPR: the General Data Protection Regulation (EU 2016/679) of April 27, 2016, applicable throughout the European Union from May 25, 2018;
- Data subject(s): the person to whom Personal Data relates;
- Appendix: an appendix to the Processor Agreement that forms an integral part of the Processor Agreement;
- ByTomorrow: Live-Sport BV, also acting under the name ByTomorrow & JUMP (The Netherlands Chamber of Commerce number: 80164560), at the time of entering into the Agreement, established in (3902 HP) Veenendaal at Newtonstraat 19A, legally represented in this matter by its statutory director Mr. P. Van Mil. ByTomorrow fulfils the role of 'processor' within the meaning of the GDPR with regard to the Personal Data that it processes for the Customer;
- Data Leak: a Personal Data Breach as referred to in Article 4 paragraph 12 GDPR;
- Customer: the customer who concludes or has concluded an Agreement with ByTomorrow. The Customer is regarded as a 'controller' within the meaning of the GDPR in the Processing of Personal Data;
- Agreement: the agreement concluded between the Parties, by means of the approval of the Terms and Conditions by the Customer, with regard to the services of ByTomorrow, including, but not limited to, offering the Customer an online platform with which the Customer can view and stream the image recordings made by or on behalf of the Customer and make them available to viewers who can access these streamed images via the same online platform. The Terms form an integral part of this Agreement. This processing agreement supplements the Agreement and the Terms and Conditions;
- Party/Parties: ByTomorrow and/or Customer;
- Sub-processor(s): third party(ies) who perform(s) part of ByTomorrow's processing tasks on behalf of ByTomorrow;
- Processing Agreement: the present agreement including Appendices;
Article 2. Subject of the Processor Agreement
In the context of the implementation of the Processor Agreement, ByTomorrow will Process Personal Data on behalf of and for the benefit of the Customer under the conditions of the Processor Agreement, whereby the Processor Agreement serves as a written instruction from the Customer to ByTomorrow for the Processing of Personal Data.
ByTomorrow will Process the categories of Personal Data listed in Appendix 1 that relate to the categories of Data Subjects listed therein. The nature and purposes of the Processing are also described in Appendix 1.
The Processing Agreement forms an integral part of the Agreement, so that the provisions of that Agreement apply in full to the Processing Agreement, except insofar as the Processing Agreement deviates therefrom.
Article 3. Obligations of the Customer
The Customer guarantees that the instruction for the Processing of Personal Data is in accordance with all applicable laws and regulations, including but not limited to the GDPR. The Customer also guarantees that the Personal Data is accurate, not unlawful, relevant and not excessive in relation to the processing purpose. The Customer indemnifies ByTomorrow against claims by third parties that arise in any way from non-compliance with these guarantee(s).
The Customer is responsible for determining the purpose (the processing purpose) and means of the Processing of Personal Data and is liable to Data Subjects for the damage suffered as a result of a breach of the aforementioned obligations, without prejudice to the obligations of ByTomorrow under this Processor Agreement.
The Customer is responsible for the Processing of the Personal Data in the context of this Processor Agreement and ensures compliance with all obligations under the applicable laws and regulations, including but not limited to the GDPR, relating to the Processing of this Personal Data, such as – but not limited to – keeping a record of processing activities carried out under its responsibility and keeping a (Data Breach) register to comply with its obligation under the GDPR to document and report any Data Breaches.
The Customer is also responsible for taking appropriate technical and organizational measures to ensure and demonstrate that the Processing of Personal Data by ByTomorrow complies with applicable laws and regulations, including but not limited to the GDPR.
The Customer is furthermore responsible for informing Data Subjects, ensuring the rights that Data Subjects can exercise on the basis of applicable laws and regulations, including but not limited to the GDPR, as well as for communication with Data Subjects. Data Subjects can generally only address themselves to the Customer to exercise their rights.
The Parties establish that the Personal Data to be Processed, insofar as they directly or indirectly relate to race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health, a person's sexual behavior or sexual orientation, or directly or indirectly relate to criminal convictions and offenses, may be special and/or criminal Personal Data within the meaning of the applicable laws and regulations, including but not limited to the GDPR. The Customer warrants that it has obtained and processes this data in accordance with the specific provisions of the applicable laws and regulations.
The Customer will indemnify ByTomorrow against claims by third parties – including but not limited to Data Subjects – in connection with the performance of this Processor Agreement, unless the Customer demonstrates that these claims are a consequence of an attributable failure of ByTomorrow to fulfill its obligations under this Processor Agreement.
Article 4. Obligations of ByTomorrow
ByTomorrow will Process the Personal Data in a proper and careful manner, in accordance with applicable privacy laws and regulations. ByTomorrow Processes the Personal Data on behalf of and for the benefit of Customer and to the extent necessary in the context of the agreed-upon service for which the Parties have entered into the Agreement. ByTomorrow has no control over the purpose and means of Processing the Personal Data.
ByTomorrow is solely responsible for the Processing of the Personal Data under this Processor Agreement, in accordance with Customer's instructions and under the express (ultimate) responsibility of Customer.
ByTomorrow shall make every reasonable effort to follow all written instructions from Customer regarding the Processing of Personal Data, except for deviating legal obligations, court orders and/or orders/instructions from competent authorities. The Agreement, the Terms and this Processor Agreement serve as generic written instructions for the Processing of Personal Data. ByTomorrow informs Customer if, in its opinion, instructions are contrary to applicable privacy laws and regulations.
ByTomorrow will implement the appropriate technical and organizational security measures described in Article 6.
ByTomorrow will, at Customer's request and within a reasonable period of time, provide information to Customer about the measures taken by it regarding its obligations under this Processor Agreement.
ByTomorrow will not keep copies of the Personal Data, except for agreed internal technical backup procedures, unless it is required to do so by law, court order and/or order of competent authorities or it has received written permission from Customer.
Article 5. Subprocessors
ByTomorrow will process the Personal Data provided to it. However, ByTomorrow may outsource the Processing of the Personal Data, or parts thereof, to Sub-processors. Customer hereby gives ByTomorrow permission to engage Sub-processors. ByTomorrow will make every effort to inform the Customer about the new Sub-processors it has engaged. The Customer has the right to object to any new Sub-processor engaged by ByTomorrow. Where appropriate, the Parties will discuss a solution.
ByTomorrow will use reasonable efforts to ensure that its engaged Subprocessors comply with its instructions or, if applicable, those of Customer via ByTomorrow. In addition, ByTomorrow will ensure that its engaged Subprocessors assume the same obligations in writing as agreed between Customer and ByTomorrow in this Processing Agreement.
The Parties agree that the following parties mentioned in this article will act as Subprocessor for ByTomorrow and store and process Personal Data. Customer hereby explicitly grants permission to engage the following parties:
- BIT B.V., located at (6716 BP) Ede, Galileïlaan 19 and registered with the Chamber of Commerce under number 09090351;
- Depositado, located at (6716 WC) Ede, Da Vincilaan 13D and registered with the Chamber of Commerce under number 09163887.
Article 6. Security Measures
ByTomorrow will make every effort to implement appropriate technical and organizational security measures - which comply with applicable privacy laws and regulations - that are necessary to ensure the availability, integrity and confidentiality of Personal Data, and to protect it against loss or any form of unlawful processing.
ByTomorrow may make changes to the implemented security measures if it deems this necessary to continue to provide an appropriate level of security.
ByTomorrow does not guarantee that security will be effective under all circumstances. ByTomorrow will make every effort to ensure that the security measures comply with a level that, given the state of the art, the costs of implementing the security measures, the nature, scope and context of the Processing, the purposes and intended use of the service for which the Parties have entered into the Agreement, the risks associated with the processing, and the varying probabilities and severity of the risks to the rights and freedoms of data subjects that can be expected in relation to the intended use of this service, is not unreasonable.
The Customer is entitled to request in writing from ByTomorrow what security measures it has implemented and/or has had implemented within the meaning of this Article 6. ByTomorrow will make every effort to inform the Customer thereof to the extent reasonably required of it.
The Customer will only make Personal Data available for Processing by ByTomorrow if the Customer has ensured that the required security measures have been implemented. In this context, the Customer indemnifies ByTomorrow against any claims by third parties, including data subjects, which are based on the assertion that the technical and organizational security measures implemented by ByTomorrow are inadequate or insufficient. If the Customer believes that ByTomorrow must implement additional security measures, it will contact ByTomorrow, so that the Parties can jointly determine additional measures. Any costs resulting from this will be borne by the Customer.
Article 7. Transfer outside the Netherlands
ByTomorrow shall not process or have processed Personal Data by itself or by third parties in countries outside the European Economic Area without obtaining prior written consent from the Customer, unless appropriate protection levels have been ensured or appropriate safeguards within the meaning of the applicable laws and regulations have been taken. If ByTomorrow intends to carry out (parts of) the Processing in the countries referred to in the previous sentence or otherwise transfers Personal Data to those countries, it shall inform the Customer thereof. The Customer shall not unreasonably withhold the consent referred to in the first sentence of this Article.
The provisions of the previous article shall apply unless the laws and regulations applicable to ByTomorrow oblige it to process in such a country. In that case, ByTomorrow shall inform the Customer prior to such Processing, unless it is not permitted to do so under those laws and regulations.
Article 8. Data breaches, Data Subject requests, cooperation, and information
- the nature of the Data Breach;
- the categories and number of Data Subjects and Personal Data records concerned;
- the possible consequences of the Data Breach for the Data Subjects; and
- the measures taken or to be taken by ByTomorrow to address the Data Breach and prevent future Data Breaches.
For purposes of this Article, “Data Breach” shall mean, without limitation, the following:
- any unauthorized access to, Processing, deletion, alteration, loss, or any form of unlawful Processing of the Personal Data;
- any breach of security and/or confidentiality, or any other incident, that leads to, or may lead to, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data.
Customer hereby acknowledges that ByTomorrow's obligation to notify and inform Customer of a Data Breach in no way constitutes an admission of fault or liability by ByTomorrow under this Processing Agreement with respect to the Data Breach.
ByTomorrow will provide reasonable assistance to Customer with respect to requests and/or complaints from Data Subjects regarding the Processing of their Personal Data. In that context, ByTomorrow will provide reasonable assistance to Customer to:
- provide Data Subjects with access to their Personal Data;
- remove, correct, transfer to another party, and/or block and supplement Personal Data upon request or complaint of Data Subjects;
- inform Customer of any requests, orders, or investigations from a supervisory authority or other competent authority, to the extent permitted by applicable laws and regulations.
Customer shall reimburse ByTomorrow for any reasonable costs incurred in performing its obligation(s) under this Article.
In the event that a Data Subject makes a request regarding his Personal Data to ByTomorrow, ByTomorrow will forward the request to the Customer and inform the Data Subject accordingly. The Customer will then handle the request independently. If it appears that the Customer needs assistance from ByTomorrow in executing a request from a Data Subject, ByTomorrow will cooperate in accordance with the provisions of article 8.4.
ByTomorrow will, to the extent reasonably required of it and taking into account the nature of the Processing and the information available to it, provide Customer with the necessary assistance upon request to comply with its obligations under the GDPR, including but not limited to its security obligations, carrying out a data protection impact assessment and prior consultation with the supervisory authority in relation to a Processing operation likely to result in a high risk. The costs reasonably incurred by ByTomorrow in connection with the aforementioned assistance will be reimbursed by Customer.
The parties will make further agreements about the (privacy) officers they designate as points of contact in case of requests from Data Subjects, requests for cooperation, or in the event of a Data Breach, as well as the mode of communication.
Article 9. Audit
The Customer is entitled - only after consultation with ByTomorrow and at its own expense - to have the Processing and compliance with the technical and organizational security measures agreed in this Processor Agreement checked at ByTomorrow by independent auditors, without confidential information of ByTomorrow or of other customers of ByTomorrow being disclosed, used or viewed and without disrupting ByTomorrow's work processes. If and insofar as an audit as referred to in the previous sentence of this paragraph also includes an audit of the (systems of the) Sub-processor(s), the applicable audit conditions and procedures of the relevant Sub-processor(s) will also apply.
If the audit shows that ByTomorrow does not fully comply with its obligations under this Processor Agreement, ByTomorrow will endeavour to remedy the shortcomings demonstrated by the audit.
The check will take place at most once a year, unless the Customer has reasonable indications that ByTomorrow is not complying with its obligations under this Processor Agreement. ByTomorrow will provide the Customer with all data and information that the Customer reasonably needs for the check.
The Customer will bear the costs of such an audit, including the costs of ByTomorrow's personnel supervising the audit. If the audit shows that ByTomorrow has attributably failed to meet its essential obligations under the Processor Agreement, the costs of the audit will be borne by ByTomorrow.
Article 10. Confidentiality
ByTomorrow is obliged to maintain the confidentiality of all Personal Data that it Processes in connection with this Processor Agreement. ByTomorrow will therefore not disclose the Personal Data or make it available to third parties, unless the Customer has granted prior permission, when this is necessary for the performance of the services under the Agreement - including, but not limited to, the services of Sub-processors and/or third parties engaged by ByTomorrow for the purpose of the implementation of the Agreement - or when a legal regulation, court order or an order from a competent authority obliges ByTomorrow to provide the Personal Data.
ByTomorrow will ensure that anyone acting under its authority will keep the Personal Data of which they become aware confidential. To this end, ByTomorrow will stipulate in the agreements with its staff and anyone else acting under the responsibility of ByTomorrow that those persons will observe confidentiality in a corresponding manner with regard to all (Personal) data and (confidential) information that they become aware of in the course of their activities for ByTomorrow, except insofar as any legal regulation, court order or an order of a competent authority obliges them to disclose or the need to disclose arises from their task.
Article 11. Transfer and destruction
If the Processing Agreement and/or the Agreement ends in any way whatsoever, or at the request of the Customer, ByTomorrow will endeavour, within a reasonable period of time, to:
- discontinue the relevant use or other Processing of the Personal Data; and
- ensure within a reasonable period of time that all Personal Data, copies and edits thereof, as well as documents and/or other information carriers containing Personal Data, at the Customer's option:
  - be returned to Customer (and/or a third party to be designated by Customer) if possible;
  - be removed and destroyed at the written request of the Customer; except insofar as it concerns agreed internal technical back-up procedures and insofar as this is technically and organizationally possible.
Upon termination of the Processor Agreement, ByTomorrow will also endeavour to inform all Sub-processors of the termination of the Processor Agreement. The obligations from this article – insofar as necessary and technically possible – apply mutatis mutandis to these Sub-processors.
The costs involved in the efforts of ByTomorrow referred to in this article will be borne by the Customer.
Article 12. Liability
With regard to the liability of ByTomorrow under this Processing Agreement, the regulation with regard to the limitation of liability included in Article 17 of the Terms and Conditions applies in full.
In addition, the Parties agree that:
- ByTomorrow is not liable to the Customer for:
  - any damage suffered by the Customer as a result of the non-compliance by the Customer with any obligation under the GDPR, including in any case, but not limited to, the legal requirements with regard to Processing, Personal Data Security, Data Leaks, data protection and certification, and/or;
  - any penalty imposed on Customer under the GDPR, including in any case, but not limited to, fines resulting from Customer's non-compliance with the legal requirements with regard to Processing, Personal Data Security, Data Breaches, data protection and certification, and;
- The Customer indemnifies ByTomorrow against claims from third parties in connection with any damage suffered by (a) third party(ies) and/or any fine imposed on (a) third party(ies) (including Data Subjects) for non-compliance with legal obligations under the GDPR, including, in any case, but not limited to, damage and/or fines as a result of non-compliance by the Customer with the legal requirements with regard to Processing, Personal Data Security, Data Leaks, data protection and certification.
Article 13. Duration and Termination
The Processor Agreement enters into force after (online) acceptance thereof by the Customer and is entered into for a period equal to the duration of the Agreement, including any extensions thereof.
The Processor Agreement ends by operation of law upon termination of the Agreement. This Processing Agreement cannot be cancelled or terminated prematurely.
Obligations which, by their nature, are intended to continue after termination of the Processor Agreement, will continue to apply after termination of the Processor Agreement. These obligations include in any case those arising from the provisions in the Processor Agreement relating to “Confidentiality”, “Liability”, “Transfer and destruction”, “Final provisions” and “Applicable law and disputes”.
Article 14. Final provisions
This Processor Agreement will be adjusted in mutual consultation between the Customer and ByTomorrow if this is required pursuant to (future) applicable legal regulations or policy rules or instructions from the Dutch Data Protection Authority or other regulators, or if other Personal Data are Processed than provided for when entering into the Processor Agreement. In the event of any changes to the obligations or activities to be performed by the Customer and/or ByTomorrow under the Processor Agreement that may have consequences for the Processing, the parties will always consult with each other about the possibly necessary changes to the Processor Agreement.
Changes or additions to the Processor Agreement can only be agreed in writing.
If one or more provisions of the Processor Agreement prove to be non-binding, the other provisions of this Processor Agreement will remain in force. The parties undertake to replace the non-binding provision with such a provision that is binding and that deviates as little as possible from the non-binding provision, given the purpose and purport of the Processor Agreement.
Article 15. Applicable law and choice of forum
This Processor Agreement, as well as all legal relationships to which the Processor Agreement applies or which may arise from the Processor Agreement, are governed by Dutch law.
All disputes that may unexpectedly arise between the Parties in connection with or because of the Processor Agreement will, at the exclusive choice of ByTomorrow, be decided in the first instance by the competent court of the District Court of Gelderland.
Overview of processing personal data ByTomorrow (Article 2.2 processing agreement)
| Activity | Categories of Personal Data | Purpose of Processing | Nature of Processing | Categories of Data Subjects | Retention Period |
|---|---|---|---|---|---|
| Retrieval of image recording from OTT provider and streaming image recording via ByTomorrow's video platform or establishing a livestream via ByTomorrow's video platform by means of a sent video signal to the OTT provider | Image recordings of a Data Subject | To retrieve the video from an OTT provider for streaming and to provide the image recordings to viewers | Retrieval, streaming, and provision of Personal Data | Persons visible on the image recordings | Up to one (1) month after termination of Agreement |
| Customer environment on video platform and management of viewers | Image recordings of a Data Subject as well as personal data such as name, address, e-mail address, date of birth, phone number, and viewer login information | To allow the customer to log in to its own environment within the video platform and to enable it to determine which viewers, if any, may access its video, whether for payment or under other conditions; to be displayed or streamed as well as to allow the customer to manage viewer data | Streaming, storage, provision, and provision of Personal Data | Persons visible on the image recordings and viewers | Up to one (1) month after termination of Agreement |
| Viewer environment on video platform | Image recordings of a Data Subject as well as personal data such as name, address, e-mail address, date of birth, phone number, and viewer login information | To enable authorized viewers, whether for payment or under other conditions, to access and view the customer's video recordings | Streaming, storage, provision, and provision of Personal Data | Persons visible on the image recordings and viewers | Up to one (1) month after termination of Agreement |
| Contact options | Personal data such as name, address, e-mail address, date of birth, phone number of (representatives of) customer and/or viewers | To enable customer and/or viewers to communicate with each other and/or with ByTomorrow through a chatbot and/or ESP | Storage, provision, and provision of Personal Data | (Representatives of) customer and/or viewers | Up to one (1) month after termination of Agreement |
| News updates viewers | Personal data (name, address, and email) of the viewer | Informing and keeping the viewer informed about the activities of the client, after obtaining opt-in or consent from the viewer | Storage and processing of personal data | Viewers | Up to one (1) month after termination of the Agreement |