EFG

Addendum to
IAB Standard Terms v3.1

Addendum to Version 3.0 of the IAB Standard Terms and Conditions for Internet Advertising for Media Buys One Year or Less. This is an Amendment Addendum (“EFG Addendum”) to Version 3.0 of the IAB Standard Terms and Conditions for Internet Advertising for Media Buys One Year or Less (“IAB Standard Terms”) entered into by and between the EFG entity referenced on the corresponding IO (“EFG” or “Media Company”) and the Agency referenced on the corresponding IO (“Agency”). The purpose of this EFG Addendum is to set forth the terms and conditions for the amendment of the IAB Standard Terms. This EFG Addendum shall be considered a part of the IAB Standard Terms and deemed incorporated by reference into any corresponding IO. All capitalized terms used in this EFG Addendum shall have the same meaning as ascribed to such terms in the IAB Standard Terms and IO.

Last updated: 21.01.2026

Part A

Amendment of IAB Standard Terms

1.

Section “III. PAYMENT AND LIABILITY; (c) Payment Liability” is hereby deleted and replaced by the following:

The following is hereby inserted in place of the above deleted section: “Agency agrees to be solely liable for payments owed by Advertiser to Media Company, regardless of whether proceeds have been cleared from Advertiser to Agency for Ads placed in accordance with the IO. All sums owed to Media Company by Advertiser under the IO shall be due and payable by Agency in accordance with the terms of the IAB Standard Terms or the IO (as applicable). Agency shall make every reasonable effort to collect sufficient funds from the Advertiser to make payments pursuant to the IO, in advance.”

2.

Section “IX. AD MATERIALS” is amended to add the following subsection immediately after the end of subsection (g):

“h. Warranty, Representation and Undertaking. Advertiser, and Agency for and on behalf of Advertiser, warrants, represents and undertakes to EFG that the Ad and Advertising Materials and any content linked to or from the Ad and Advertising Materials: (i) will not infringe the rights, including but not limited to intellectual property rights and privacy rights, of any third party; (ii) will not link to products or services that infringe the rights of any third party (including but not limited to unlawful and counterfeit items); (iii) will be up-to-date and accurate; (iv) will not be misleading, deceptive, involve any misrepresentation, or imply or represent that any party has approval or sponsorship of another party that it does not have; (v) will not be defamatory; (vi) will not contain any virus, trojan horse, malicious code or any other damaging component(s); (vii) will not contain any information or content that is illegal, contrary to any industry code, indecent, obscene, threatening, harassing, discriminatory or in breach of confidentiality; and (viii) will not breach any applicable laws or advertising regulations (including self-regulation) including those laws of the country(ies) in which the Media Company Properties and Network Properties operate in. Advertiser, and Agency for and on behalf of Advertiser, further warrant, represent and undertake to EFG that it has obtained all necessary rights, consents, permissions, licences or clearances in relation to the publication of the Advertising Materials, it has complied with all guidance of relevant regulatory bodies and EFG is not required to hold any rights, consents, permissions, licences or clearances in relation to the publication of the Advertising Materials.”

3.

Section “X. INDEMNIFICATION; (a) By Media Company” is hereby deleted in its entirety and replaced by the following:

“By Media Company. Media Company will defend, indemnify, and hold harmless Agency and its Affiliates and Representatives from damages, liabilities, costs and expenses (including reasonable attorneys’ fees) (collectively, “Losses”) resulting from any claim, judgement or proceeding (collectively, “Claims”) brought by a Third Party resulting from (i) Media Company’s breach of Section XII (Non-Disclosure, Data Usage and Ownership, Privacy and Laws); (ii) Media Company’s breach of Section XIV(a) (Necessary Rights); and (iii) Media Company’s proven negligence or willful misconduct. Notwithstanding the foregoing, Media Company will not be liable for any Losses resulting from Claims to the extent that such Claims result from (1) Media Company’s customization of Ads or Advertising Materials based upon detailed specifications, materials, or information provided by the Advertiser, Agency, and/or each of its Affiliates and/or Representatives, or (2) a user viewing an Ad outside of the targeting set forth on the IO, which viewing is not directly attributable to Media Company’s serving such Ad in breach of such targeting.”

4.

The following new subsections are hereby added to the end of Section “X. INDEMNIFICATION; (b) By Advertiser” as follows:

“or (iv) any alleged or actual breach by Advertiser of any Advertiser obligations under these Terms and/or the IO including but not limited to Section IX (h), (v) Advertiser’s breach of Section XII (Non-Disclosure, Data Usage and Ownership, Privacy and Laws), and (vi) the negligence or willful misconduct of Advertiser.”

5.

Section “X. INDEMNIFICATION; (c) By Agency” is hereby deleted in its entirety and replaced by the following:

By Agency. Agency represents and warrants that it has the authority as Advertiser’s agent to bind Advertiser to these Terms, the EFG Addendum and each IO, and that all of Agency’s actions related to these Terms, the EFG Addendum and each IO will be within the scope of such agency. Agency will defend, indemnify, and hold harmless Media Company and each of its Affiliates and Representatives from Losses resulting from (i) Agency’s alleged or actual breach of the foregoing sentence, or (ii) Claims brought by a Third Party alleging that Agency has breached any of the Agency obligations under these Terms and/or the IO including but not limited to Section IX (h); (iii) Claims brought by a Third Party alleging that Agency has breached Section XII (Non-Disclosure, Data Usage and Ownership, Privacy and Laws); and (iv) Agency’s negligence or willful misconduct.

6.

The following section is hereby added to the end of Section “XI LIMITATION OF LIABILITY”:

Excluding Agency’s, Advertiser’s, and Media Company’s respective obligations under Section X, damages that result from a breach of Section XII, or intentional misconduct by Agency, Advertiser, or Media Company, in no event shall each party’s liability to the other party exceed the amount paid by Agency or Advertiser to Media Company under the IO to which the claim relates. It is explicitly understood by Agency and Advertiser that the obligations in this agreement, including but not limited to, any and all indemnities and warranties set forth herein, are from Media Company only and are not offered on behalf of the Kingdom of Saudi Arabia’s Public Investment Fund, Savvy Games Group or any Savvy Games Group subsidiary other than Media Company.

7.

The subsection (c) of Section XII “NON-DISCLOSURE, DATA USAGE AND OWNERSHIP, PRIVACY AND LAWS” is amended to add the following definitions immediately after the end of definition (vii):

“EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”), Module One (Controller to Controller);
“Personal Data” means any information relating to an identified or identifiable natural person, including “personally identifiable information” and “personal information”;
“UK SCCs” means standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (specifically, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses).

8.

Section XII “NON-DISCLOSURE, DATA USAGE AND OWNERSHIP, PRIVACY AND LAWS” (d)(i) “Use of Collected Data” is hereby deleted in its entirety and replaced by the following:

Use of Collected Data. i. Unless otherwise authorized by Media Company, Advertiser will not: (A) use Collected Data for Repurposing; (B) disclose IO Details of Media Company or Site Data to any Affiliate or Third Party except as set forth in Section XII(d)(iii);

9.

Section XII “NON-DISCLOSURE, DATA USAGE AND OWNERSHIP, PRIVACY AND LAWS” is amended to add the following subsection immediately after the end of subsection (h):

For the transfer of Personal Data relating to individuals in the European Economic Area (“EEA”) or the UK by Media Company as data exporter to the Agency located in a country outside the EEA or the UK not declared as providing an adequate level of data protection by the European Commission (Article 45(3) GDPR), Parties agree to enter into Standard Contractual Clauses, which are incorporated by reference and form part of this Addendum as follows:

(I) In relation to Personal Data about individuals in the EEA, the EU SCCs will apply completed as follows:

A. Module One of the EU SCCs applies;
B. Clause 7, the optional docking clause, applies;
C. in Clause 11, the optional language will not apply;
D. Clause 13(a): the competent supervisory authority is identified in Schedule 1(C);
E. Clause 17, option 1 applies, and the EU SCCs will be governed by the laws of the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia;
F. in Clause 18(b), disputes shall be resolved before the courts of Germany;
G. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this Addendum; and
H. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this Addendum.


(II) In relation to Personal Data relating to individuals in the UK, the UK SCCs will apply completed as follows:

A. Table 1 shall be deemed completed with the information set out in Schedule 1;
B. Table 2 shall be deemed completed with the information set out at paragraph (I)(A)-(C) above;
C. Table 3 shall be deemed completed with the information set out in Schedule 1;
D. for the purposes of Table 4, neither party may end the UK SCCs under Section 19 without the prior written agreement of the other party.

10.

The blank spaces in Section “XIV(d)” of the IAB Standard Terms shall be read as “England and Wales” and “the courts of London, England” respectively.

Part B

Addition to the IAB Standard Terms

This section B only applies where Parties have agreed that EFG shall provide Agency with Custom Products in the corresponding IO.

1.

DEFINITIONS

1.1. “Activation” means the delivery and operation of any Custom Product (including any Branded Event, Branded Mission and/or Custom Map) as specified in an IO, including enrolment logic, leaderboard/mission logic, reward logic, and any associated placements, creative, and reporting.

1.2. “Applicable Privacy Law(s)” means all applicable federal, state, territorial, and local laws, rules, directives, regulations, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Data, including, to the extent relevant: (i) the Swiss Federal Act on Data Protection, (ii) Brazil’s General Data Protection Law (No. 13,709 of August 14, 2018), (iii) U.S. Data Protection Law, (iv) the EU General Data Protection Regulation 2016/679 (“GDPR”), the European Privacy and Electronic Communications Directive (Directive 2002/58/EC) and any laws of Member States of the European Economic Area (“EEA”) that intervene on the processing of personal data, (v) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK GDPR”) and any laws implementing, replacing or supplementing any of them, as amended, consolidated, re-enacted or replaced from time to time. Depending on the specific processing activities, the Applicable Privacy Laws shall be determined, and the relevant provisions applied.

1.3. “Authorised Persons” means any person / entity who processes Personal Data on a party’s behalf, including a party’s employees, officers, partners, principals, Processors and sub-Processors.

1.4. “Branded Event(s)” means a time-limited competition experience made available on EFG Properties (including the FACEIT platform) where eligible users are enrolled (including via auto-join as specified in the IO), accrue points based on in-game activity and/or participation criteria determined by EFG, and are ranked on a leaderboard for the relevant event period, with rewards and/or prizes allocated based on final leaderboard positions and eligibility rules.

1.5. “Branded Missions” means a time-limited mission or challenge experience made available on EFG Properties (including the FACEIT platform) where eligible users are enrolled (including via auto-join as specified in the IO), complete defined in-game actions and/or participation criteria determined by EFG, and receive a reward and/or prize upon completion subject to eligibility rules.

1.6. “Custom Maps” means a bespoke or branded placement, map, experience, or integration delivered by EFG (directly or through a third party platform) within a third-party environment (including Fortnite, Roblox or similar) and/or on EFG Properties, as described in the IO, which may include branding, placement, creative, and/or sponsored features, but does not involve sharing EFG user Personal Data with the advertiser except as expressly stated in the IO.

1.7. “Custom Products” means the Branded Event(s), Mission(s), and Custom Map(s) as set out in the corresponding IO.

1.8. “EEA” means the European Economic Area.

1.9. “EFG Properties” means websites, apps, platforms, channels or services owned, operated, or controlled by EFG (including FACEIT), and any successor properties.

1.10. “Personal Data” means information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes “personally identifiable information” and “personal information”.

1.11. “Prize” means any physical prize, voucher, code, digital item, store credit, FACEIT points, or other reward described in an IO or in EFG’s rules for the Activation.

1.12. “Restricted Transfer” means:

(a) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; or
(b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
In each case, whether the transfer is direct or via onward transfer.

1.13. “SCCs” means:
(a) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); or
(b) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (specifically, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) (“UK SCCs”).

1.14. “Section” means a section of this Addendum.

1.15. “Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to any Personal Data processed under or in connection with the Addendum / IAB Standard Terms.

1.16. “Target Territories” means the countries/territories identified in the IO for eligibility, enrolment and/or targeting.

1.17. The terms “Controller”, “Processor,” and “processing,” have the meanings given to them in Applicable Privacy Laws (or analogous variations of those terms under the Applicable Privacy Laws).

2.

CUSTOM PRODUCTS
(BRANDED EVENTS, BRANDED MISSIONS, CUSTOM MAPS)

2.1. Scope; order of precedence
(a) Custom Products are provided only if expressly set out in the applicable IO.
(b) In the event of any conflict between this Part B and the IO, the IO shall control solely in respect of commercial specifications (including dates, territories, high-level product description, deliverables and pricing). This Part B and EFG’s user-facing rules shall control in respect of all operational mechanics, legal and regulatory compliance, promotions positioning, eligibility, scoring, winner determination, data use, and any matters required to ensure compliance with applicable law, platform policies or regulator guidance. EFG reserves the right to modify, reject or require changes to any prize description, wording or mechanic set out in an IO where reasonably required for compliance or risk mitigation.


2.2. Operational control; methodology; EFG discretion
(a) EFG retains sole control over the operation of Custom Products on EFG Properties, including all user-facing rules and compliance positioning. This includes, without limitation: (i) enrolment methods (including auto-join), (ii) opt-out mechanisms, (iii) scoring logic, mission criteria and leaderboard rules, (iv) anti-fraud measures, eligibility checks, disqualification decisions and winner determination, and (v) the timing, placement and presentation of Custom Products.
(b) EFG may modify or adjust the mechanics of any Custom Product where reasonably required to maintain platform integrity, prevent abuse, comply with applicable law, regulation or platform policies, reflect requirements of game publishers or third-party platforms, or address technical or operational issues. Where a change materially affects the intended operation of a Custom Product, EFG will use commercially reasonable efforts to notify the Agency/Advertiser.

2.3. Eligibility, enrolment, opt-out, and user communications
(a) Eligibility criteria (including any age gates, residency, account requirements, or other restrictions) will be defined in EFG’s user-facing rules and/or as specified in the IO.
(b) Where the IO specifies auto-join for Branded Events and/or Branded Missions, users located in the Target Territories may be automatically enrolled. EFG will provide an opt-out mechanism within the EFG Property experience.
(c) Agency/Advertiser acknowledges that user participation is voluntary and users may opt out at any time, and that opt-outs may reduce total participation volumes.

2.4. Prizes; fulfilment responsibility; taxes; substitutions
(a) Unless expressly agreed otherwise in the IO, Agency/Advertiser is responsible for sourcing, stocking, and fulfilling all physical Prizes at its sole cost and risk, including shipping, import/export formalities, duties, taxes, and compliance with prize restrictions in the Target Territories.
(b) Where EFG provides digital rewards (e.g., FACEIT points) those are delivered by EFG as described in the IO.
(c) If a Prize becomes unavailable, Agency/Advertiser must promptly provide an equivalent or higher value substitute prize (as reasonably determined by EFG) that complies with applicable law and does not materially increase EFG’s operational burden. EFG may reject a proposed substitute that creates legal/compliance risk or user harm.
(d) Agency/Advertiser is responsible for all tax reporting obligations applicable to Prizes in the Target Territories (including any winner taxes, withholding, reporting, or prize-related filings), unless the IO expressly states otherwise.

2.5. Winner verification; disqualification; fraud
(a) EFG may verify winners and may disqualify any user reasonably suspected of fraud, cheating, abuse, exploitation of bugs, breach of EFG terms, breach of publisher/developer terms, or breach of event rules.
(b) EFG’s determination of winners and disqualifications is final for the purposes of prize entitlement, subject to correction of manifest error.
(c) If a winner is disqualified, EFG may select an alternate winner based on the applicable rules and/or next eligible ranked user.


2.6. No advertiser operational involvement; no endorsement of processing
(a) Agency/Advertiser will not operate, administer, or influence the scoring, ranking, mission completion logic, selection of winners, or moderation decisions.
(b) Except for the limited prize-fulfilment data share set out herein, Custom Products do not require Agency/Advertiser access to EFG user Personal Data, and Agency/Advertiser will not request such access.


2.7. Custom Maps; third-party platforms; pass-through terms
(a) Custom Maps may be delivered on third-party platforms and are subject to the terms, technical constraints, content policies, and approval rights of such third-party platforms and/or game publishers/developers (“Third Party Terms”).
(b) EFG may modify, pause, or cancel a Custom Map deliverable where required by Third Party Terms, legal compliance, or platform integrity. EFG will use commercially reasonable efforts to provide a reasonable alternative placement or make-good if feasible and proportionate, unless prevented by Third Party Terms or where the cause is Agency/Advertiser breach or late delivery of required inputs.
(c) Agency/Advertiser acknowledges that third-party platforms may reject, limit, or remove content and placements in their sole discretion.


2.8. Advertiser materials; approvals; late delivery; compliance
(a) Agency/Advertiser is solely responsible for all advertiser-provided materials (branding, logos, creative, prize descriptions, claims, and any promotional copy) and warrants they comply with applicable law and do not infringe third-party rights.
(b) Agency/Advertiser must deliver all required inputs by the timelines in the IO (or, if none, at least ten (10) Business Days before launch). Late delivery may result in delay, reduced performance, or cancellation, without liability to EFG.
(c) EFG may refuse or remove any materials that create legal, regulatory, safety, or reputational risk or breach EFG, developer, or platform policies.


2.9. Promotions compliance; “no purchase necessary”; not gambling
(a) Agency/Advertiser acknowledges Custom Products are intended to operate as free-to-enter promotional mechanics (no entry fee, no wagering, no purchase requirement), unless the IO expressly states otherwise and EFG agrees in writing.
(b) Agency/Advertiser will not add paid boosts, paid entries, or consideration-based advantages (including “premium” participation features) without EFG’s prior written approval, and the Parties will assess any regulatory impact before launch.


2.10. Reporting
Unless otherwise agreed in the IO, EFG will provide standard reporting outputs reasonably available for the relevant Custom Product type (e.g., impressions/participation metrics). EFG does not guarantee minimum participation, completion, or engagement volumes.

2.11. Claims; complaints; indemnity alignment
(a) Agency/Advertiser is responsible for all claims, warranties, safety notices, recalls, and legal compliance relating to physical Prizes it supplies, and for responding to winner enquiries relating to fulfilment, defects, and delivery (except where EFG is expressly responsible under the IO).
(b) Agency/Advertiser will defend, indemnify, and hold harmless EFG and its Affiliates and Representatives for Claims arising from (i) Agency/Advertiser-supplied Prizes, (ii) any breach of the data restrictions in this Addendum (including misuse of winner Personal Data or use for marketing/retargeting/audience building); (iii) any Agency/Advertiser materials, instructions, claims, branding, or content (including allegations of IP infringement, misleading advertising, unfair commercial practices, or regulatory breach); (iv) Agency/Advertiser’s breach of applicable law, regulation, self-regulatory codes, or platform/developer policies in connection with the Activation; (v) any allegation that the Activation constitutes gambling, an illegal lottery, or an unlawful promotion to the extent caused by Agency/Advertiser’s Prize structure, communications, paid features, consideration, or materials; and/or (vi) Agency/Advertiser’s negligence or wilful misconduct.
(c) EFG will provide Agency prompt written notice of any claim for which it seeks indemnity under this clause (to the extent legally permitted) and will reasonably cooperate at Agency’s expense. Agency will not settle any claim in a manner that imposes liability or admission of fault on an EFG Indemnified Party without EFG’s prior written consent (not to be unreasonably withheld or delayed). EFG may participate in the defence with counsel of its choosing at its own expense.


2.12. Limitation of liability
(a) For the avoidance of doubt, Section XI (Limitation of Liability) of the IAB Standard Terms (as amended by Part A of this EFG Addendum) applies to Custom Products.
(b) Without limiting the foregoing, EFG will not be liable for: (i) participation volumes, completion volumes, engagement outcomes, or commercial performance; (ii) any user disputes or claims relating to Prize quality, fulfilment, delivery, taxes, duties, or import restrictions where Agency/Advertiser is responsible under the IO; or (iii) any removal, rejection, limitation, suspension or modification required by a game publisher/developer or third-party platform.
(c) Nothing in this Part B excludes liability that cannot be excluded under applicable law, or limits liability for fraud or wilful misconduct. It is explicitly understood by Agency and Advertiser that any and all obligations, warranties, representations and indemnities set out in this Part B (and any IO for Custom Products) are provided by EFG only, and are not offered on behalf of the Kingdom of Saudi Arabia’s Public Investment Fund, Savvy Games Group or any Savvy Games Group subsidiary other than EFG.


2.13. Suspension; cancellation; make-goods; inputs
(a) EFG may suspend, modify, or cancel any Custom Product (in whole or part) where reasonably required to: (i) comply with law, regulator guidance, self-regulatory codes, or platform/developer policies; (ii) address fraud/abuse/security issues; (iii) respond to third-party platform or publisher/developer demands; (iv) protect users or EFG Properties; or (v) due to force majeure or material technical failure beyond EFG’s reasonable control.
(b) Where suspension/cancellation is caused by Agency/Advertiser breach (including late delivery of materials, non-compliant content, or prize non-availability), EFG has no make-good obligation and all amounts remain payable.
(c) Where suspension/cancellation is not caused by Agency/Advertiser breach, EFG will use commercially reasonable efforts to propose an alternative delivery, reschedule, or reasonably equivalent make-good, where feasible.


2.14. Governing law; jurisdiction. The governing law and jurisdiction provisions in the IAB Standard Terms (as amended by this EFG Addendum, including the Part A court/jurisdiction fill-ins) apply to this Part B and all Custom Products.


2.15. Order of precedence (Custom Products). If there is any conflict between: (i) this Part B; (ii) the IO; and (iii) the IAB Standard Terms (as amended by Part A), then the following order applies: the IO only for dates, territories, deliverables, and commercial pricing/fee lines; this Part B for Custom Product mechanics, prizes, data sharing, and operational/legal allocation; the IAB Standard Terms (as amended by Part A) for everything else.

3.

DATA PROTECTION

Relationship of the Parties

3.1. Parties acknowledge and agree that in respect of the processing of Personal Data in connection with Activations agreed upon in the corresponding IO, the parties are independent Controllers. Each party shall comply with its obligations under Applicable Privacy Laws in respect of any Personal Data it processes under this Addendum.

3.2. EFG shall share Personal Data with the Agency for the distribution of Agency prizes to the winners of the Branded Events and/or Branded Missions. Agency shall not further process the Personal Data for its own purposes or those of any third party, including but not limited to direct marketing, and training of AI systems (including in anonymised, pseudonymised and aggregated form).

3.3. In no event will the parties process the Personal Data as joint Controllers. If the parties engage in processing activities where they do not act as independent Controllers, the parties undertake to assess their privacy roles and responsibilities in good faith, and to enter dedicated privacy agreements to govern such processing activities.


Independent Controller Obligations

3.4. Each party will at all times comply, and be entirely and solely responsible for complying, with its own obligations under Applicable Privacy Laws and will process Personal Data according to this Addendum. Each party will not do, cause or permit anything which may result in a breach by the other party of the Applicable Privacy Laws.

3.5. Upon request, each party will provide the other party with: (a) reasonable cooperation with fulfilling its obligations under Applicable Privacy Laws; and (b) a response in a timely manner and in good faith, including by making relevant information available, to reasonable requests and communications from the other party relating to Personal Data.

3.6. Each party will indemnify the other party from and against any costs, claims, expense (including reasonable legal fees), and liabilities or damage suffered or incurred as a result of the party’s: (a) breach of the Applicable Privacy Laws; and (b) breach of the obligations under this Addendum.


Processing

3.7. Each party may subcontract processing of Personal Data within the context of this Addendum to a Processor, provided that the Processors:
(a) enter into a written agreement with the party that conforms with Applicable Privacy Laws;
(b) implement appropriate physical, technical and organisational security measures to protect the Personal Data against a Security Incident to substantially similar standards as required by Schedule 2 of this Addendum; and
(c) provide sufficient guarantees that they will process the Personal Data in a manner that will meet the requirements of Applicable Privacy Laws; and

3.8. Each party remains fully liable to the other party for any breach of this Addendum or the Agreement by the former that is caused by an act, error or omission of its own Processor or any further third-party sub-Processor.


Data subjects rights requests and inquiries from competent authorities

3.9. Each party shall promptly inform the other about the receipt of any request from a data subject to exercise their rights under Applicable Privacy Laws, and / or from a competent authority, to the extent that such request directly concerns the other party and the processing activities described under Schedule 1. The party with whom the data subject is engaged, or to whom the request is submitted, shall be responsible for complying with any such requests. The parties agree to not communicate any information on behalf of the other party.

3.10. Notwithstanding Section 3.9 above, the party that is not the addressee of the request submitted by the data subject or by the competent authority shall have full right to protect its own position before the competent authorities and the data subjects.

3.11. Parties shall provide reasonable and timely assistance to each other, to respond to: (i) any legitimate request from an individual to exercise any of its rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a regulator or court or any third party in connection with the processing of the Personal Data.


Data access and security measures

3.12. Parties shall ensure that any Authorised Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process any Personal Data only for the purposes identified in this Addendum, according to all obligations and safeguards imposed by the Applicable Privacy Law and best practices.

3.13. Having regard to the processing activities, the parties shall adopt appropriate technical and organisational security measures to protect Personal Data from a Security Incident, in accordance with the Applicable Privacy Laws and this Addendum.


Security incidents

3.14. Parties undertake:
(a) that the management of a Security Incident is primarily the responsibility of the party that is affected, in its position as an independent Controller;
(b) that each party shall bear its own costs and expenses with regard to the Security Incident occurring in relation to its own processing activities;
(c) without prejudice to the above, to cooperate in good faith and assist each other with the fulfilment of the other party’s reporting obligations in relation to any Security Incident; and
(d) to take adequate measures and actions to remedy or mitigate the effects of the Security Incident and to cooperate in respect of the same.

3.15. In the event of a Security Incident, parties shall, without undue delay after becoming aware, notify the other party to the extent that the Security Incident is relevant to the other party, such as affecting the other party’s systems or Personal Data, providing written details of the Security Incident. Such notification must include, at a minimum, detail on the nature of the Security Incident including the categories and approximate number of data subjects and number of personal data records concerned; detail on the likely consequences and the measures to be taken or proposed to be taken to address the Security Incident, including measures to mitigate possible adverse effects.

3.16. To the extent required by Applicable Privacy Laws, parties shall record the Security Incident in an internal record to be provided to the competent supervisory authorities upon request.


Data transfers

3.17. Each party shall (and shall procure that any Processor shall) not make any Restricted Transfers unless such transfer or export complies with Applicable Privacy Laws, and if necessary for such compliance, the party enters into an appropriate data transfer agreement or SCCs with the relevant parties.

3.18. The parties agree that, when the transfer of Personal Data from one party to the other party is a Restricted Transfer (the details of which are set out under Schedule 1 to this Addendum), it shall be subject to the appropriate SCCs as set out in “PART: A. Amendment of IAB Standard Terms, No. 9”.


Deletion of Personal Data

3.19. Upon termination or expiry of the corresponding IO, the Agency shall destroy all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Processors), also ensuring that the natural persons in charge immediately cease all processing activities. This requirement shall not apply to the extent that the Agency:

3.19.1. has its own purpose for retaining the Personal Data, provided the Agency has a valid legal basis (as provided under the GDPR) and complies with Applicable Privacy Laws; or

3.19.2. is required by any Applicable Privacy Laws to retain some or all of the Personal Data, in which event the parties shall isolate and protect the Personal Data from any further processing except to the extent required by such law, informing the other party of such an obligation, to the extent allowed by the Applicable Privacy Laws.


General

3.20. In no event does this Section 3 of Part B of this Addendum restrict or limit the rights of any data subject or of any competent supervisory authority.

3.21. The obligations placed upon the parties under this Section 3 of Part B of this Addendum shall survive so long as the parties and/or their Processors process Personal Data, except for the situation described in Section 13.19.

3.22. This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the corresponding IO, unless required otherwise by Applicable Privacy Laws or the SCCs.

Schedule 1
Data sharing Description

This Schedule 1 forms part of the Addendum and describes the transfer from EFG to Agency and sets out the details of the Personal Data that will be shared by the parties and processed whilst acting as independent Controllers as indicated under Section 3 of the Addendum. This Schedule 1 is also completed to define the perimeter of the Restricted Transfer, if this occurs.

A. LIST OF PARTIES
Data exporter(s):
1. Name: EFG, as set out in the IO
  Address: EFG, as set out in the IO
  Contact person’s name, position and contact details: Fabia Cairoli, Legal Counsel, Data & Privacy, privacy@efg.gg
  Activities relevant to the data transferred under these Clauses: The activities specified under Schedule 1(B) below.
  Signature and date: This Schedule 1 shall automatically be deemed executed when the IO is executed by EFG.
  Role (controller/processor): Controller. For Restricted Transfers from EFG to Agency, EFG shall be the data exporter.

Data exporter(s):
1. Name: The entity identified as Agency in the IO
  Address: The Agency’s address as set out in the IO
  Contact person’s name, position and contact details: The Agency contact person’s details included in the corresponding IO
  Activities relevant to the data transferred under these Clauses: The activities specified under Schedule 1(B) below.
  Signature and date: This Schedule 1 shall automatically be deemed executed when the IO is executed by Agency.
  Role (controller/processor): Controller. For Restricted Transfers from EFG to Agency, Agency shall be the data importer.

B. DESCRIPTION OF THE TRANSFER
EU SCC Module: C2C (Module 1)
Categories of Data Subjects whose Personal Data is transferred: EFG users
Categories of Personal Data transferred: EFG shares the following categories of Personal Data with Agency: EFG users’ full name, contact details and shipment address details.
Sensitive data transferred (if applicable) and applied restrictions or safeguards: N/A
Legal basis for Personal Data sharing: Performance of a contract with the data subjects (i.e. addressing their request to receive the prizes they win).
Frequency of the transfer: A couple of times during the duration of the corresponding IO.
Nature of the Processing: Collection, using and sharing of Personal Data.
Purpose(s) of the data transfer and further Processing/ Processing: The Personal Data is transferred to enable Agency to distribute (physical) prizes.
Duration of the Processing: The duration of the data Processing under this Addendum is until the termination of the corresponding IO in accordance with its terms.
Retention period (or, if not possible to determine, the criteria used to determine the period): 90 Days post expiration/termination of the corresponding IO or as set out in the corresponding IO.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g., in accordance with Clause 13 SCCs):

When the EU GDPR applies, the competent supervisory authority shall be the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Düsseldorf.

When the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office.

Schedule 2 – Security Measures

Description of the technical and organisational measures implemented by the Data importer(s) (including any relevant certifications) to ensure an appropriate level of security:

1. Personal data Access and Management Controls.

Client implements formal procedures to limit its personnel’s access to Personal Data as follows: 
1.1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access and individually assigned Secure Shell (SSH) keys for external engineer access.
1.2. Limits the Personal data accessible to Client personnel on a “need to know basis”. 
1.3. Limits access to Client’s production environment by Client’s personnel on the basis of business need. 
1.4. Prohibits Client personnel from storing Personal Data on electronic portable storage devices, such as computer laptops, portable drives, and other similar devices. 
1.5. Logically separates each of Client’s users’ data and maintains measures designed to prevent Personal data from being exposed to or accessed by other users. 

2. Data Encryption.
Client provides industry standard encryption for Personal data as follows: 

2.1. Implements encryption in transport and at rest. 
2.2. Uses strong encryption methodologies to protect EFG Personal Data, including AES 256-bit encryption for Personal Data stored in Client’s production environment. 
2.3. Encrypts all Personal Data located in cloud storage while at rest; and 
2.4. Implements full-disk encryption for hard-drives on all personnel individual workstations. 

3. Network Security, Physical Security and Environmental Controls. 

3.1. Client implements properly configured and patched firewalls, network access controls and other technical measures designed to prevent unauthorized access to systems Processing EFG Personal Data. 
3.2. Client maintains effective controls to ensure that security patches for systems and applications used to provide the Service are properly assessed, tested and applied. 
3.3. Client monitors privileged access to applications that process EFG Personal Data, including cloud services.
3.4. Remote access to Client’s environments is controlled with a virtual private network or other device (“VPN”) or private lines, consistent with industry best practices. Two-factor authentication is required for all remote access. 
3.5. Personal Data hosted in the cloud is AES-256 encrypted both in transit and at rest. Cloud service provider (Subcontractor) does not have access to unencrypted Personal Data. 

4. Independent Security Assessments.
Client periodically assesses the security of its systems, and the Service as follows: 

4.1. Annual penetration testing of the Service is conducted by independent third-party security experts that includes black box automated and manual penetration testing of the infrastructure and application (including mobile versions). At EFG’s request, Client will provide to EFG a high-level summary of the most recent penetration test, subject to reasonable confidentiality protections;
4.2. Client hires accredited third parties to perform audits and to attest to SOC 2, Type 2 and SOC 3 compliance standards annually (if applicable); and
4.3. Monthly vulnerability scanning. 

5. Incident Response.
If Client becomes aware of unauthorized access or disclosure of Personal Data under its control (an “Incident”), Client will: 

5.1. Take reasonable measures to mitigate the harmful effects of the Incident and prevent further unauthorized access or disclosure;
5.2. Upon confirmation of the Incident, notify EFG’s designated security contact by email within 72 hours. Notwithstanding the foregoing, Client is not required to make such notice to the extent prohibited by Laws, and Client may delay such notice as requested by law enforcement and/or in light of Client’s legitimate need to investigate or remediate the matter before providing notice; and
5.3. Each notice of an Incident will include: 
5.3.1 The extent to which Personal Data has been, or is reasonably believed to have been, used, accessed, acquired, or disclosed during the Incident. 
5.3.2 A description of what happened, including the date of the Incident and the date of discovery of the Incident, if known. 
5.3.3 The scope of the Incident, to the extent known; and 
5.3.4 A description of Client’s response to the Incident, including steps Client has taken to mitigate any harm caused by the Incident. 

6. Business Continuity Management. 

6.1. Client maintains a business continuity and disaster recovery plan in accordance with industry trends and standards; and
6.2. Client maintains processes to ensure failover redundancy with its systems, networks, and data storage. 

7. Personnel Management. 

7.1. Client performs employment verification, including proof of identity validation, check of education records and employment track, and criminal background checks for new hires in positions requiring access to systems and applications storing Personal Data in accordance with Applicable Law. 
7.2. Client provides training for its personnel who are involved in the Processing of Personal data to ensure they understand their obligations to not collect, process or use Personal data without authorization and to keep Personal Data confidential, including following the termination of any role involving EFG Personal Data.
7.3. Client conducts routine and random monitoring of employee systems activity; and 
7.4. Upon employee termination, whether voluntary or involuntary, Client immediately disables all access to Client systems, including Client’s physical facilities.
