Data Processing Information

The PARTIES: Clients of the platform referred to as “the client”.

and

Silverfish CSR Limited (Company number: 08726657) registered in England with offices at Silverfish CSR Limited in the United Kingdom referred to as "the Processor",

hereinafter also individually referred to as a "Party" and collectively as “the Parties",

CONSIDERING THAT:

1. “THE CLIENT” receives services and/or products from the Processor (hereinafter referred to as the "Agreement");
2. Under the Agreement, the Processor Processes Personal Data on behalf of and under instruction from “THE CLIENT”;
3. Under the Applicable Privacy Legislation, “THE CLIENT” is the “Data Controller” (the party with responsibility for the Processing) and the Processor is the processor of that Personal Data;
4. The Parties to this agreement (hereinafter the "Data Processing Agreement"), having regard to the provisions of Article 28, paragraph 3 of the General Data Protection Regulation (GDPR), wish to make further arrangements with regard to the Processing of Personal Data by the Processor in performance of the Agreement, and that this Data Processing Agreement is a schedule of and forms part of the Agreement.

AGREE AS FOLLOWS:

Annex 1 Processing of Personal Data

Description of Processing of Personal Data and processing purposes: In accordance with the Assignment, “THE CLIENT” will upload information regarding Responsible Gaming practices. This will help “THE CLIENT” to have a clear overview of all her Responsible Gaming plans, activities and evidence. This evidence can be used for the (partial) Responsible Gaming audit which will take place every 1,5 year.

Categories of Data Subjects: (Potential) “THE CLIENT” employees, (“THE CLIENT” points of sale).

Categories of Personal Data: Name, email address.

Retention Periods for Personal Data: For as long as this is useful for the coming audit and activities for “THE CLIENT” on Responsible Gaming.

Annex 2 Security Measures

Description of the technical and organisational security measures to be taken by the Processor:
Features to be addressed:

• Policy document for the security of information. The policy document explicitly sets out the measures taken by the Processor to ensure the security of the Processed Personal Data. The document has been approved at administrative or managerial level and made known to all employees and relevant external parties.
• Assigning responsibilities for the security of information. All responsibilities, both at management level and at executive level, are clearly defined and covered.
• Security awareness. All employees of the organisation and, where applicable, hired staff and external users receive suitable training and regular refresher training on the organisation’s policy and procedures for the security of information, as far as relevant for their function. Within the training and refresher training explicit attention is paid to the handling of (special or otherwise sensitive) Personal Data.
• Physical security and security of equipment. IT facilities and equipment are physically protected against unauthorised access and against damage and malfunctions. The protection provided is in line with the identified risks.
• Access security. There are procedures in place to allow authorised users to access the information systems and services they need for the performance of their tasks and to prevent unauthorised access to information systems. The procedures cover all phases in the lifecycle of user access, from the initial registration of new users to the final removal of users who no longer need access to information systems and services. Where applicable, special attention is paid to managing access rights for users with extra broad powers, such as system administrators.
• Logging and control. Activities that users perform with Personal Data are recorded in log files. The same applies to other relevant events, such as attempts to gain unauthorised access to Personal Data and disruptions that can lead to mutilation or loss of Personal Data. The log files are periodically checked for indications of unauthorised access or unauthorised use of the Personal Data and where necessary action is taken. The Processor must take into account that if the data in the log files are traceable to persons, there is a Processing of Personal Data in the sense of the Applicable Privacy Legislation.
• Correct processing in application systems. Security measures are built into all application systems, including applications developed by users themselves. These security measures include the control that the import, the internal processing and the export comply with predefined requirements (validation). For systems in which special or sensitive Personal Data are Processed or that have an influence on the Processing of special or sensitive Personal Data, additional security measures may be required.
• Management of technical vulnerabilities. Software, such as browsers, virus scanners and operating systems, is kept up-to-date. The Processor also installs solutions that the supplier of the software in question issues for security Breaches in this software. More generally, the Data Controller receives timely information about technical vulnerabilities of the information systems used. The extent to which the organisation is exposed to such vulnerabilities is evaluated and the Processor takes appropriate measures to deal with the associated risks.
• Incident management. There are procedures for the timely and effective handling of information security incidents and vulnerabilities in security as soon as they are reported. The assessment of the risks for those involved and the effective informing of those involved and, where applicable, the supervisory authority is included in these procedures. The lessons learned from the incidents handled are used to structurally improve security where possible. If a follow-up procedure following an information security incident involves legal action (civil or criminal), the evidence is collected, stored and presented in accordance with the evidence requirements for the relevant jurisdiction.
• Handling of data Breaches and security incidents. The Processor reports Data Breaches that are subject to a legal obligation to report to “THE CLIENT”.
• Continuity management. Personal Data may be lost due to natural disasters, accidents, equipment failures or deliberate actions. By organising continuity management in the organisation, the consequences are limited to an acceptable level, using a combination of preventive measures and remedial measures.

Annex 2 Contact persons (and substitutes)