FLM system logo

Menu

Data Processing Agreement

This Data Processing Agreement (hereinafter the "Agreement"), concluded on the date of acceptance of the League Organizer's GTC between: the Service Provider and the League Organizer, hereinafter also referred to collectively as the Parties or individually as a Party.

1. General Provisions

1.1. This Agreement regulates the rules for the processing of personal data entrusted by the League Organizer to the Service Provider.

1.2. The Parties collectively confirm that Data Protection Law and other applicable legal regulations governing the protection of personal data within Applicable Law apply to the processing of personal data.

1.3. The Personal Data Controller or the entity processing personal data at the controller's request, within the meaning of Data Protection Law, is the League Organizer.

1.4. The League Organizer entrusts the Service Provider with the processing of personal data in accordance with Data Protection Law.

1.5. The entity processing personal data at the League Organizer's request, within the meaning of Data Protection Law, is the Service Provider.

1.6. The nature, purpose, and scope of personal data processing by the Service Provider are regulated by the Agreement and Appendix 1.

2. Representations of the League Organizer

2.1. The League Organizer represents that personal data is obtained and processed in accordance with applicable legal regulations, including Data Protection Law.

2.2. In particular, the League Organizer confirms that the personal data concerns:

2.2.1. persons who have consented to the processing of their personal data for a purpose consistent with the terms of the Agreement;

2.2.2. persons for whom the processing of personal data is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject's request prior to entering into the Agreement;

2.2.3. persons for whom the processing of personal data is necessary to fulfill a legal obligation incumbent upon the controller;

2.2.4. persons for whom the processing of personal data is necessary to protect the vital interests of the data subject or another natural person;

2.2.5. persons for whom the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

2.2.6. persons for whom the processing of personal data is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.3. The League Organizer confirms that the data subjects – including persons whose data has been entered via the team registration form – have been or will be informed about the processing of their data within the scope and in the manner required by Data Protection Law, and ensures that this obligation is also fulfilled with respect to data entered by persons registering teams.

2.4. The League Organizer confirms that it is entitled to process personal data and entrust its processing to the Service Provider within the scope and purpose specified in the Agreement.

2.5. The League Organizer confirms that in the event of further entrustment of data processing, it has obtained the consent of the appropriate Data Controller, as required by Data Protection Law, to entrust further processing of personal data for the purpose and scope specified in the Agreement.

3. Instructions of the League Organizer

3.1. The Service Provider is obliged to process personal data exclusively in accordance with instructions provided by the League Organizer, unless Applicable Law provides otherwise.

3.2. Instructions of the League Organizer are contained in the Agreement and Appendices or are commissioned and performed via the application, in particular through the functions provided by the application, or in another agreed-upon manner, e.g., in email correspondence by authorized persons.

3.3. The League Organizer ensures that all instructions provided to the Service Provider comply with applicable legal regulations, including personal data protection regulations.

3.4. Any further instructions that go beyond the instructions specified in the Agreement must concern the performance of the subject matter of the Agreement.

3.5. If the implementation of further instructions results in costs for the Service Provider, the Service Provider is obliged to inform the League Organizer of such costs, along with an explanation of the amount of the costs, before performing the instruction.

3.6. After confirmation by the League Organizer that it will bear the costs of performing the instruction and after their payment by the League Organizer, the Service Provider is obliged to implement the instruction.

3.7. The Service Provider shall immediately inform the League Organizer if, in its opinion, an instruction violates Data Protection Law or other provisions of Applicable Law and shall request the League Organizer to withdraw, change, or confirm the questioned instruction.

3.8. Pending the League Organizer's decision, the Service Provider is entitled to suspend the execution of the questioned instruction.

3.9. In a case where the execution of the League Organizer's instruction, despite the explanations provided, would lead to a violation of Applicable Law, the Service Provider is entitled to refrain from implementing that instruction.

3.10. Personal Data Entrustment Period

3.10.1. The League Organizer entrusts the Service Provider with the processing of personal data for the duration of the Agreement concluded by the Parties.

3.10.2. The Parties represent that any change to the personal data entrustment period must be agreed upon by the Parties each time by amending the Agreement or concluding a separate agreement specifying the change to the processing period of the entrusted personal data.

3.11. Purpose of Processing Entrusted Personal Data

3.11.1. A detailed description of the purpose of entrusting the processing of personal data is contained in Appendix 1.

3.11.2. The Parties represent that any change to the purpose of entrusting the processing of personal data must be confirmed by the Parties by way of an amendment to the Agreement or the conclusion of a separate agreement in documentary form, specifying the change to the purpose of processing the entrusted personal data.

3.12. List of Processing Locations for Entrusted Personal Data

3.12.1. A detailed description of personal data processing locations is contained in Appendix 1.

3.12.2. The Parties represent that any change to the location of processing entrusted personal data must be confirmed by the Parties by way of an amendment to the Agreement or the conclusion of a separate agreement in documentary form, specifying the change to the location of processing entrusted personal data.

3.13. Scope of Processing Entrusted Personal Data

3.13.1. A detailed description of the scope of personal data processing is contained in Appendix 1.

3.13.2. The Parties represent that any change to the scope of processing entrusted personal data must be confirmed by the Parties by way of an amendment to the Agreement or the conclusion of a separate agreement in documentary form, specifying the change to the scope of processing entrusted personal data.

4. Representations of the Service Provider

4.1. The Service Provider undertakes to perform the Agreement with due professional diligence in order to secure the legal, organizational, and technical interests of the League Organizer in the processing of entrusted personal data.

4.2. Taking into account the risk of violation of the rights and freedoms of natural persons and the state of technical knowledge, the costs of implementation, the scope, nature, context, and purposes of personal data processing, the Service Provider undertakes to apply, in accordance with the requirements of Data Protection Law, technical and organizational measures aimed at ensuring security appropriate to the risks and categories of data covered by protection, in particular to secure personal data against its damage, destruction, and disclosure to unauthorized persons. A description of the implemented technical and organizational measures is made available at the request of the League Organizer.

4.3. The Service Provider may change the implemented measures at any time, provided that they do not ensure a lower level of protection than the measures in force at the time of concluding the Agreement.

4.4. The Service Provider undertakes, at the request of the League Organizer, to provide the League Organizer with information on the current technical and organizational measures, along with information on changes in the implemented measures, immediately after any changes have been made.

4.5. The Service Provider undertakes, at the request of the League Organizer, to provide other information necessary to demonstrate compliance with the obligations set forth in Data Protection Law.

4.6. The Service Provider undertakes not to create any working copies of entrusted personal data, except in cases where it is required for the proper performance of the Agreement.

4.7. The Service Provider undertakes to immediately destroy all working and emergency copies of entrusted personal data created during their processing after their use, with the proviso that the Service Provider will be entitled to retain copies of personal data entrusted by the League Organizer until the expiry of the statute of limitations for the League Organizer's claims against the Service Provider.

4.8. The Service Provider undertakes to secure personal data against its disclosure to unauthorized persons, removal by an unauthorized person, damage, destruction, or loss, and shall take all necessary steps to maintain the secrecy of personal data and the manner of its security in accordance with the applicable provisions of Data Protection Law.

4.9. The Service Provider represents that all persons authorized to process personal data have undertaken to maintain its secrecy or are subject to an appropriate statutory obligation of secrecy in accordance with Data Protection Law, and the Service Provider is responsible for their action or omission as for its own.

4.10. The Service Provider undertakes to maintain records of employees engaged in the processing of personal data or having access to IT systems in which personal data is processed, and shall also familiarize them with the provisions of Data Protection Law and the rules regarding personal data protection, as well as the liability for their non-compliance.

4.11. The Service Provider undertakes to support the League Organizer, within its capabilities and to a reasonable extent, in fulfilling its obligations toward data subjects, in particular through the application of appropriate and possible technical and organizational measures necessary for the League Organizer to enable individuals to exercise the rights they are entitled to under Data Protection Law.

4.12. The Service Provider undertakes to support the League Organizer in performing the tasks provided for in the provisions of Data Protection Law by providing the necessary information.

4.13. The Service Provider undertakes to provide the League Organizer with assistance, but only to the extent that the League Organizer's obligations cannot be fulfilled by the League Organizer by other means, with respect to supporting the League Organizer in conducting data protection impact assessments and prior consultations with the supervisory authority. The Service Provider shall inform the League Organizer of the costs of such assistance, and upon confirmation by the League Organizer of the incurrence of these costs, the Service Provider shall provide the required support.

4.14. The Service Provider undertakes to immediately inform the League Organizer of any events resulting in or that may result in a personal data protection breach, in particular leading to a violation of the privacy of persons whose data has been entrusted.

4.15. The Service Provider undertakes to support the League Organizer in the performance of the League Organizer's obligations, where appropriate, to inform the supervisory authority or the data subject, by providing available information in accordance with the provisions of Data Protection Law.

4.16. In the event of a personal data protection breach by the Service Provider, the League Organizer is entitled, in particular, to a refund of all reasonable costs of a legally concluded process, including legal representation and any compensation awarded by a final judgment in favor of the persons affected by the breach, regardless of contractual penalties and compensation claims to which the League Organizer is entitled under the Agreement.

5. Rules for Using Sub-processors

5.1. To ensure the proper performance of the Agreement, the League Organizer consents to the Service Provider's use of Sub-processors and to the further entrustment of personal data processing to them.

5.2. Further entrustment of personal data processing may take place only within the limits and for the purpose of performing the Service.

5.3. A complete and current list of Sub-processors is available at […].

6. Return or Deletion of Data

6.1. The Service Provider shall delete or transfer the entrusted personal data to the League Organizer in the manner specified by the League Organizer within 7 days from the termination of the Agreement in the following cases:

6.1.1. in the event of termination of the Agreement;

6.1.2. upon any request from the League Organizer.

7. Governing Law and Jurisdiction

7.1. This Agreement shall be governed by and construed in accordance with the laws of Poland.

7.2. Any future disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the court having jurisdiction over the Service Provider's registered office.

Contact: FINGOWEB SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ SPÓŁKA KOMANDYTOWA, ul. Ostatnia 1C/B14, 31-444 Kraków, Poland, contact@flmsystem.com

Appendix 1 to the Data Processing Agreement concluded between the Service Provider and the League Organizer

1. Nature of Personal Data Processing

1.1. The processing of personal data will be of a manual and automatic nature.

1.2. Personal data will be processed exclusively by persons authorized to process personal data.

1.3. Personal data will be processed by the Service Provider's IT systems and the IT systems of Sub-processors.

2. Purpose of Personal Data Processing

2.1. The entrustment of personal data processing includes processing for the purpose of performing the Agreement between the Service Provider and the League Organizer for the use of FLM System.

3. Categories of Personal Data Subjects

3.1. The entrustment of personal data processing covers the following categories of data subjects:

3.1.1. League Organizers

3.1.2. Players / Participants

3.1.3. Team Managers

3.1.4. Referees

3.1.5. other categories of data subjects whose personal data are processed by the League Organizer.

4. Scope of Entrusted Personal Data

4.1. The entrustment of personal data processing includes processing of data in the following scope:

4.1.1. League Organizer: first name, last name, organization name, e-mail address, phone number (optional)

4.1.2. Player: first name, last name, date of birth, profile picture (optional), description (optional)

4.1.3. Team Manager: first name, last name, e-mail address, phone number (optional)

4.1.4. Referee / Coordinator: first name, last name, e-mail address, profile picture (optional), description (optional)

5. Period of Processing Entrusted Personal Data

5.1. The entrustment of personal data processing includes processing from the moment the Agreement is concluded until 7 days after the termination or expiry of the Agreement, subject to the retention of copies of data until the expiry of the statute of limitations for the Parties' claims arising from the Agreement.

6. List of Processing Locations for Entrusted Personal Data

6.1. The entrustment of personal data processing includes data storage within the territory of the EEA or outside the EEA (in the event of using Sub-processors).

6.2. In the event of using Sub-processors from outside the EEA, the Service Provider ensures that the basis for the transfer of data to the aforementioned third countries consists of:

  • in the case of the United Kingdom, Canada, Israel, Japan, and South Korea – European Commission adequacy decisions finding an adequate level of protection of personal data in each of the aforementioned third countries.
  • in the case of the USA – Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, finding an adequate level of protection of personal data provided under the EU-U.S. Data Privacy Framework.
  • in the case of the USA, Chile, Brazil, Saudi Arabia, Qatar, India, China, Singapore, Taiwan (Republic of China), Indonesia, and Australia – contractual clauses ensuring an adequate level of protection, compliant with the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

7. Sub-processors

7.1. The Service Provider uses Sub-processors for the purpose of further entrusting the processing of the League Organizer's personal data, in connection with ensuring the proper performance of the Agreement.

This Agreement is effective from 10 June 2026.

Data Processing Agreement | FLM System