Data Processing Agreement

Effective date: April 3, 2023

This Data Processing Agreement (“DPA”) describes how MyGamePlan BV (“MyGamePlan”, “we”, “us”, “our”) processes personal data on behalf of customers (“the Data Controller”) in relation to the services offered through our platform and applications.

This DPA forms an integral part of the contractual relationship between MyGamePlan and the Data Controller, and applies whenever MyGamePlan processes personal data on behalf of the Data Controller.

1. Definitions

Terms used in this DPA have the meaning assigned to them under the GDPR, including:

  • Data Controller: the natural or legal person that determines the purposes and means of the processing of personal data.
  • Data Processor: the natural or legal person that processes personal data on behalf of the controller.
  • Personal Data, Processing, Data Subject, Personal Data Breach, etc., have their meanings defined by the GDPR and applicable Data Protection Laws.
  • Data Protection Laws: the GDPR, the Belgian Privacy Act, and any other applicable regulations.

2. Roles of the Parties

For all processing activities relating to the use of the MyGamePlan platform:

  • The Customer is the Data Controller.
  • MyGamePlan BV is the Data Processor.

MyGamePlan processes personal data solely for the purposes of delivering its services and never for its own purposes.

3. Processing on Documented Instructions

MyGamePlan processes personal data only on documented instructions from the Data Controller, including instructions provided through the use of the MyGamePlan platform.

If MyGamePlan believes an instruction violates Data Protection Laws, it will notify the Controller.

MyGamePlan will not:

  • Process personal data for purposes other than providing the services.
  • Disclose data to third parties unless required by law or approved by the Controller.

4. Security Measures

MyGamePlan implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption
  • Secure infrastructure and hosting
  • Access control and authorisation
  • Back-up and disaster recovery
  • Logging and monitoring
  • Staff confidentiality obligations

A detailed overview of security measures is available upon request.

5. Sub-Processors

MyGamePlan may engage sub-processors for hosting, infrastructure, analytics, or support.

  • Sub-processors are always bound by a written data processing agreement.
  • A list of current sub-processors is available upon request or published on the MyGamePlan website.
  • The Data Controller will be notified of any intended changes to sub-processors.

6. International Data Transfers

MyGamePlan does not transfer personal data outside the European Economic Area unless:

  • the destination country is recognised as adequate by the European Commission, or
  • appropriate safeguards (such as Standard Contractual Clauses) are in place.

7. Confidentiality

MyGamePlan ensures that all personnel and subcontractors with access to personal data are subject to confidentiality obligations and receive regular data protection training.

Access is limited strictly to individuals who require it to perform the services.

8. Rights of Data Subjects

MyGamePlan assists the Data Controller—at no additional cost— with fulfilling its obligations regarding:

  • Right of access
  • Right to rectification
  • Right to deletion
  • Right to restriction
  • Right to data portability
  • Right to object

MyGamePlan never responds to a Data Subject directly unless instructed by the Data Controller or required by law.

9. Personal Data Breaches

If MyGamePlan becomes aware of an incident likely to result in a Personal Data Breach, it will:

  1. Notify the Data Controller without undue delay, no later than 12 hours after confirming the breach.
  2. Provide all available information needed for the Controller to notify supervisory authorities.
  3. Cooperate fully in resolving, mitigating, and documenting the breach.

10. Audits & Compliance

The Data Controller may conduct (or have conducted) audits relating to MyGamePlan’s compliance with this DPA.
Audits must be reasonable, scheduled in advance, and respect MyGamePlan’s confidentiality and security obligations.

MyGamePlan will cooperate with supervisory authorities where required.

11. Liability

MyGamePlan is liable for:

  • breaches of its obligations under this DPA;
  • processing outside or contrary to the Controller’s lawful instructions.

Where MyGamePlan acts according to the Controller’s instructions and those instructions violate the law, the Controller bears responsibility.

12. Deletion or Return of Personal Data

At the end of the contractual relationship or upon written request from the Data Controller:

  • All personal data will be deleted or returned, unless legal retention obligations apply.
  • MyGamePlan will certify completion of deletion upon request.

13. Governing Law & Jurisdiction

This DPA is governed by Belgian law and falls under the jurisdiction of the courts of Leuven, Belgium.

14. Updates

MyGamePlan may update this DPA to reflect changes in legal requirements or service evolutions. The Data Controller will be informed of material changes.