This USBC Online Bowling Data Processing Addendum (“DPA”) is incorporated into, and supplements, the Online Bowling Hub Platform Terms of Service between the United States Bowling Congress, Inc. (“USBC”) and Customer governing USBC’s provision and Customer’s access to, use and receipt of the Platform (the “Terms”).
This DPA is an agreement between USBC and the entity who receives the right to access and use the Platform as described in the Terms (“Customer”) and is effective as of the date this DPA is incorporated into the Terms (the “DPA Effective Date”). USBC and Customer are each referred to herein as a “Party” and collectively as the “Parties”.
1. DEFINITIONS
For purposes of this DPA, the following capitalized terms shall have the meanings ascribed thereto. Other capitalized terms used in this DPA are defined in the context in which they are used and shall have the meanings indicated. Capitalized terms which are not defined herein shall have the meanings ascribed to them in the Terms.
1.1 “CCPA” means the California Consumer Privacy Act, Ca. Civ. Code § 1798.100 et. seq. and its implementing regulations, each as amended from time to time, including, without limitation, as amended by the California Privacy Rights Act of 2020.
1.2 “Controller” means the natural or legal person or entity who determines the purposes and means of the Processing of Personal Data.
1.3 “Controller Personal Data” means any Personal Data the Disclosing Controller provides, generates, transfers or makes available to the Receiving Controller under the Terms or this DPA, whether in printed, electronic or other format.
1.4 “Controller Personal Data Breach” means a breach of the Receiving Controller’s security leading to the actual or reasonably suspected accidental or unlawful destruction, loss, alteration, Processing, theft or unauthorized disclosure of or access to Controller Personal Data on systems managed or otherwise controlled by the Receiving Controller.
1.5 “CPA” means the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et. seq. and its implementing regulations, each as amended from time to time.
1.6 “CTDPA” means the Connecticut Data Privacy Act, Conn. Gen. Stat. § 45-151 et. seq., as amended from time to time.
1.7 “Data Protection Laws” means all laws, rules, regulations and orders issued thereunder relating in any way to data protection, breach notification, privacy, electronic marketing enacted within the United States of America, including any state or other jurisdiction within the United States of America, that are applicable to the Processing of Controller Personal Data under the Terms or this DPA, which may include, without limitation, the CCPA, CPA, CTDPA and/or VCDPA.
1.8 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.9 “Data Subject Request” means a request from an individual seeking to exercise rights granted to individuals under the Data Protection Laws.
1.10 “Disclosing Controller” means the Controller that discloses Controller Personal Data to the Receiving Controller.
1.11 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable Data Subject.
1.12 “Processing” (including corollary terms) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including, without limitation, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.13 “Receiving Controller” means the Controller that receives Personal Data from the Disclosing Controller.
1.14 “Supervisory Authority” means any applicable federal, state, or local government within the United States, or any departmental or other political subdivision thereof, or any entity, body, or authority within the United States having or asserting executive, legislative, judicial, regulatory, administrative, or other governmental functions of any court, department, commission, board, bureau, agency, or instrumentality of any of the foregoing, responsible for or involved in the enforcement and/or oversight of the Data Protection Laws.
1.15 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et. seq., as amended from time to time.
2. CONTROLLER PERSONAL DATA
2.1 Scope of Controller Personal Data. The types and categories of Personal Data considered Controller Personal Data under this DPA are set forth in Schedule A, attached hereto and incorporated herein by reference.
2.2 Role of the Parties. The Parties acknowledge that each Party is a separate and independent Controller with respect to the Controller Personal Data and shall individually determine the purposes and means of its Processing of such Controller Personal Data. The Parties further acknowledge and agree that, with respect to the Controller Personal Data, neither Party is responsible for determining the requirements of Data Protection Laws applicable to the other Party.
2.3 Purpose of Processing Controller Personal Data.
(a) The specific business purposes for which each Party, acting as the Receiving Controller, Processes the Controller Personal Data it receives from the other Party, acting as the Disclosing Controller, pursuant to the Terms and this DPA are set forth in Schedule A.
(b) The Disclosing Controller’s disclosure of Controller Personal Data to the Receiving Controller is only for the limited and specified business purpose(s) set forth in the Terms and this DPA.
2.4 Ownership of Controller Personal Data. The Parties acknowledge and agree that: (1) as between the Parties, each Party owns the Personal Data that such Party has collected in its capacity as the Controller of such Personal Data and the other Party does not own, have any proprietary or intellectual property interest in, or control the other Party’s Personal Data; (2) each Party, in its capacity as a Controller, maintains Personal Data about Data Subjects derived from numerous sources, including, Personal Data collected directly from Data Subjects; (3) the same data element (e.g., a Data Subject’s name) may, as between the Parties, be independently owned by both Parties, and each party has a separate proprietary interest in such data elements; and (4) to the extent the Disclosing Controller provides Controller Personal Data to the Receiving Controller, it shall do so in compliance with the Terms, this DPA, its privacy policy and the applicable Data Protection Laws.
2.5 Privacy Policy. In addition to any privacy policy or notice requirements under the Terms, each party agrees to provide all notices and Disclosures to Data Subjects required to be provided by such Party under applicable Data Protection Laws regarding the Processing of Personal Data contemplated under the Terms and this DPA, including, where applicable and without limitation, all disclosures regarding a Data Subject’s right to opt-out of the sale of Personal Data.
2.6 Receiving Controller Requirements. Without limiting anything set forth in the Terms or this DPA, each Party, as the Receiving Controller, shall:
(a) Process the Controller Personal Data in compliance with applicable Data Protection Laws and this DPA;
(b) promptly notify the Disclosing Controller of any request for disclosure of Controller Personal Data by a governmental or regulatory body or law enforcement authority, including, without limitation, any Supervisory Authority, or direct access to Controller Personal Data by a governmental or regulatory body or law enforcement authority unless otherwise prohibited by law or a legally binding order such body or authority;
(c) shall provide all assistance reasonably requested by the Disclosing Controller to the extent necessary to enable the Disclosing Controller to take reasonable and appropriate steps to ensure the Disclosing Controller’s compliance with its obligations under applicable Data Protection Laws;
(d) upon request, provide the Disclosing Controller, with respect to the applicable Controller Personal Data, an attestation that the Receiving Controller treats the Controller Personal Data in the same manner that the Disclosing Controller is obligated to treat such Controller Personal Data under applicable Data Protection Laws;
(e) provide the Disclosing Controller, upon notice, the right to take reasonable and appropriate steps to stop and remediate the Receiving Controller’s unauthorized use of Controller Personal Data;
(f) notify the Disclosing Controller after the Receiving Controller determines that it can no longer meet its obligations under applicable Data Protection Laws;
(g) not sell or share (as such terms are defined in applicable Data Protection Laws) any Controller Personal Data;
(h) implement and maintain appropriate administrative, physical, organizational and technical safeguards to protect the security, confidentiality and integrity of the Controller Personal Data and regularly monitor its compliance with such safeguards;
(i) make available to the Disclosing Controller or its designee all information reasonably necessary to demonstrate the Receiving Party’s compliance with this DPA and applicable Data Protection Laws; and
(j) in the event of a Controller Personal Data Breach, notify the Disclosing Controller promptly and without undue delay after the Receiving Controller discovers such Controller Personal Data Breach. Each Party shall reasonably cooperate with and provide sufficient information to the other Party necessary for each Party to comply with its respective obligations to report such Controller Personal Data Breach under applicable Data Protection Laws. For clarity, each Party shall be separately responsible for complying with its obligations under applicable Data Protection Laws arising out of any such Controller Personal Data Breach, including, where applicable and without limitation, complying with any requirements to notify affected Data Subjects, applicable Supervisory Authorities or other third parties.
2.7 Disclosing Controller Requirements. Without limiting anything set forth in the Terms or this DPA, each Party, as the Disclosing Party, shall:
(a) provide legally compliant privacy notices to, and obtain all necessary consents and permissions from, Data Subjects as required under applicable Data Protection Laws to provide the Controller Personal Data to the Receiving Controller;
(b) notify the Receiving Controller of any changes in, or revocation of, the permission to use, disclose or otherwise Process the Controller Personal Data it provides to the Receiving Controller under the Terms and this DPA that would impact the Receiving Controller’s ability to comply with the Terms, this DPA or applicable Data Protection Laws.
2.8 Security.
(a) The Receiving Controller shall implement and maintain appropriate administrative, physical, organizational and technical safeguards to protect the security, confidentiality and integrity of the Controller Personal Data and regularly monitor its compliance with such safeguards.
(b) The Receiving Controller shall allow for and cooperate in audits by the Disclosing Controller or the Disclosing Controller’s designated third party with respect to the Receiving Controller’s compliance with this DPA, no more frequently than on an annual basis, except upon the occurrence of Controller Personal Data Breach. The Disclosing Controller shall provide at least thirty (30) days’ advance notice for any audit.
2.9 Data Subject Requests. The Receiving Controller shall promptly notify the Disclosing Controller of any Data Subject Request received by the Receiving Controller concerning the Controller Personal Data where such Data Subject Request identifies the Disclosing Controller as the Controller of such Controller Personal Data and shall comply with all applicable Data Protection Laws in connection with the response and fulfillment of such Data Subject Request.
3. ADDITIONAL TERMS
3.1 Liability and Indemnification. With respect to any claim, loss, or liability based upon, arising out of, resulting from, or in any way connected with a Party’s performance or breach of this DPA: (1) such Party shall only be obligated to indemnify, defend, and hold the other Party harmless to the extent such obligation exists pursuant to such Party’s indemnification, defense, and hold harmless obligations set forth in the Terms (if any); and (2) each Party’s total liability to the other Party is limited in accordance with the applicable limitations of liability set forth in the Terms.
3.2 Term. This DPA shall be effective as of the DPA Effective Date and continue in full force and effect until USBC ceases providing the Platform to Customer under and in accordance with the Terms. The provisions of this DPA which by their nature are intended to survive the expiration or earlier termination of this DPA shall continue as valid and enforceable obligations of the Parties notwithstanding any such termination or expiration. Without limitation, the provisions regarding confidentiality, compliance with applicable laws, and restrictions on the processing of Customer Personal Data shall survive the expiration or earlier termination of this DPA.
3.3 Relationship to Terms. This DPA shall be governed by and construed in accordance with the Terms as if fully set forth herein. Without limiting anything set forth herein, the Parties acknowledge and agree that they have taken all actions (if any) required under the Terms to incorporate this DPA therein. Any dispute arising out of this DPA shall be resolved as set out in the Terms. The requirements set forth in this DPA are in addition to, and not in lieu of, any similar requirements set forth in the Terms. Notwithstanding anything to the contrary in the Terms, to the extent any conflict or inconsistency between the terms of this DPA and the Terms, this DPA shall control. Except as set forth in this DPA, the Terms remain in full force and effect, as amended, and are hereby ratified and confirmed in all respects.
3.4 Invalidity. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as completely as possible; or (2) if (1) is not possible, construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.
3.5 Amendments. USBC may update or modify this DPA from time to time by, without limitation, posting a revised version of this DPA on USBC’s website and publishing a general notice of such changes via the USBC website or, as applicable and feasible, through the Platform. Subject to compliance with applicable laws, Customer’s access to or use of the Platform after receiving notice of changes to this DPA, whether by general notice or direct notice provided by USBC to Customer, shall constitute Customer’s acceptance of such updates or modifications.
SCHEDULE A
CONTROLLER PERSONAL DATA
Purposes of Processing – USBC as Receiving Controller
The business purposes for which USBC, acting as the Receiving Controller, Processes the Controller Personal Data it receives from Customer, acting as the Disclosing Controller are to create and maintain an individual’s USBC membership.
Purposes of Processing – Customer as Receiving Controller
The business purposes for which Customer, acting as the Receiving Controller, Processes the Controller Personal Data it receives from USBC, acting as the Disclosing Controller are to manage and conduct bowling leagues based on an individual’s historical play information associated with the individual’s USBC membership.