Herein, “Data Controller” refers to the Club/Organisation using the MyClubFinances system and the “Data Processor” refers to MyClubFinances.com. The contents of this statement form the basis of a written contract Agreement between the Data Controller and Data Processor.
(A) Under the Irish Data Protection legislation, a written Agreement must be in place between the Data Controller and any organisation which processes personal data on its behalf, governing the processing of that data. A written Agreement is signed by both Data Controller and Data Processor to satisfy that obligation.
(B) The Data Controller is engaging the services of the Data Processor as its agent for the purpose of providing the following data management services (“The Services”):
• Collection of membership data and payments
• Secure hosting of club data
• Communication facilities for club to its members
The subject-matter and the nature of the processing will include:
• Facilitation of club membership registration, communication and administration
(C) The Data Processor agrees to process the personal data strictly within the defined length of time agreed between the Data Controller and the Data Processor. This length of time will be no less than 1 year.
(D) The Data Controller and the Data Processor have agreed that the type(s) of personal data being processed will be:
• Names, addresses and contact details of members
• Payment details
• Parental approval for underage members
• Members’ preference with regard to communications
• Registration details for club and national governing body
• Demographic information including gender, school attended, etc.
And, where relevant, the following categories of Sensitive Personal Data:
• Health information
(E) The Data Controller shall authorise the Data Processor to process the data in any manner that may reasonably be required in order for the Data Processor to carry out the processing in compliance with this Data Processor Agreement.
(F) The Data Controller shall refrain from providing instructions which are not in accordance with applicable laws and, in the event that such instructions are given, the Data Processor is entitled to resist carrying out such instructions.
(G) The parties now wish to enter into this Agreement in order to regulate the provision, use and processing of Personal Data which the Data Processor will be processing on behalf of the Data Controller.
(H) The terms referred to in this Agreement will be used as they are used in applicable laws or, if not inconsistent with these laws, in accepted general principles and practices. Specifically, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Sensitive Personal Data” and “Processing” shall be as defined by applicable data protection legislation.
1.1 This Agreement shall continue in full force for the duration stated, unless terminated for breach by either party.
2. OBLIGATIONS OF THE DATA CONTROLLER
2.1 The Data Controller shall authorise the Data Processor to process the personal data in any manner that may reasonably be required in order to provide the Services.
2.2 The instructions given by the Data Controller to the Data Processor in respect of the Personal Data shall at all times be in accordance with the laws of Ireland.
2.3 The Club shall, at all times, remain the Data Controller with regard to the personal information of Club members and their families.
3. OBLIGATIONS OF THE DATA PROCESSOR
3.1 In discharging its obligations under this Agreement, the Data Processor must comply with all applicable law, in particular data protection regulations. In particular, the Data Processor will ensure that all necessary logging, registrations and notifications are made and will cooperate with the Data Controller in relation to evidential matters, amendments or alterations.
3.2 The Data Processor undertakes that he shall only process the personal data on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law to which the Data Processor is subject.
In such a case, the Data Processor undertakes to inform the Data Controller of that legal requirement before processing takes place, unless that law prohibits such information on important grounds of public interest.
“Third country” or “international organisation” in this context means a destination outside the European Economic Area.
3.3 The Data Processor will process the Personal Data for the following purposes only:
• Registration of club membership
• Facilitation of communications between the Data Controller and its members
• Co-ordination of club fundraising activities, where relevant
• Facilitation of reporting of membership details to the national governing body
• Secure storage and retention of club member data, at the instructions of the Data Controller
3.4 The Data Processor agrees to execute its obligations in this contract using the following process:
• Provision of web-based registration and administration portal
• Provision of individual member profile which can be accessed and updated
• Interactive report generation and data download facility
• Modification and tailoring of the web-based interface, as instructed from time to time by the Data Controller
3.5 The Data Processor will treat the personal data and any other information provided by the Data Controller as confidential and will ensure that access to the personal data is limited only to authorised persons who require to access it for the purposes defined in this Agreement.
The Data Processor will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In this context, the Data Processor will ensure that all such authorised persons have undergone the required training to discharge the obligation to uphold confidentiality as required by applicable laws.
The Data Processor will not disclose any personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless such disclosure is necessary in order to deliver the Services, or is required by applicable legislation.
3.6 The Data Processor undertakes to implement the appropriate organisational and technological measures in such a manner that they meet the requirements of applicable law, in particular relevant data protection legislation, in order to ensure the protection of the rights of the Data Subjects.
3.7 The Data Processor will not transfer the Personal data to a destination outside the European Economic Area (EEA), other than at the specific written request of the Data Controller, unless the transfer is required by law.
3.8 The Data Processor shall not engage another processor without the prior specific written authorisation of the Data Controller. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors before such changes are effected, thereby giving the controller the opportunity to object to such changes. (Amend as appropriate).
Where engaging a sub-contractor, the Data Processor will obtain guarantees from such other processor that he will implement organisational, operational and technological processes and procedures in compliance with the principles of appropriate standards and all applicable laws and will use such principles and laws as the basis for discharging his obligations in this regard.
3.9 The Data Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to identified risks, including inter alia as appropriate:
• the pseudonymisation and encryption of personal data,
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
• processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
In assessing the appropriate level of security, the Data Processor will implement all reasonable measures to keep the personal data safe from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3.10 The Data Processor will notify the Data Controller as soon as possible once becoming aware of a personal data breach.
The Data Processor will cooperate with the Data Controller in implementing any appropriate action concerning the breach, including corrective actions, unless such action is contrary to applicable law.
3.11 In the event that the Data Processor receives a complaint, notice or communication which relates directly or indirectly to the processing of the data or other connected activities or which relates directly or indirectly to the compliance of the Data Processor, the Data Controller or other involved parties with relevant laws and relevant data protection legislation, the Data Processor will immediately bring this complaint, notice or communication to the attention of the Data Controller.
3.12 The Data Processor will assist the Data Controller to delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing, and will delete existing copies available unless the instruction of the Data Controller conflicts with applicable legislation on the continued retention and storage of such data.
The Data Processor shall not delete or return to the Data Controller any data without the prior written notification for same, allowing the Data Controller reasonable time to object to such deletion or return, even upon the termination, discharge or conclusion of this agreement or the processing activity, as the case may be.
3.13 Without prejudice to other legal provisions concerning the data subject’s right to compensation and liability of the parties generally, as well as legal provisions concerning fines and penalties, the Data Processor will carry full liability in the instance where he is found to have infringed applicable laws, including data protection regulations, by determining the purposes and means of processing.
4. RIGHT OF AUDIT
4.1 The Data Processor will allow for and contribute to audits, including inspections, which may be carried out by the Data Controller or another auditor mandated by the Data Controller.
4.2 In the event that the Data Processor forms the opinion that the instruction of the Data Controller infringes applicable law, he/they will immediately inform the Data Controller.
4.3 The Data Controller is entitled to carry out compliance and information security audits without notice at any time of the day in order to satisfy itself that the Data Processor is adhering to the terms of this agreement.
4.4 The Data Controller may make a written request, or request in the course of an audit or inspection, a copy of all data and data-related activity logs from the Data Processor and such information shall be provided by the Data Processor without unreasonable delay in the format and on media as reasonably specified by the Data Controller.
4.5 Where a sub-contractor has been engaged, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out similar compliance and information security audits and checks of the sub-contractor to ensure adherence to the terms of this agreement.
5. DATA SUBJECT RIGHTS
5.1 The Data Processor will assist the Data Controller, whenever reasonably required, in so far as possible, to fulfil the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights as provided by relevant legislation.
In doing so, both the Data Controller and the Data Processor will take into account the nature of the processing and the appropriate technical and organisational measures, which have been implemented.
5.2 The Data Processor will assist the Data Controller in ensuring compliance with its legal obligations as provided by applicable legislation, in particular data protection legislation, concerning the security of processing, the notification requirements to relevant authorities, the requirement to communicate personal data breaches to the data subject, the requirement to carry out data protection impact assessments and the requirement to consult with relevant authorities concerning high-risk processing prior to carrying out such processing. In discharging this obligation, the Data Processor may have regard to the nature of the processing and the information available to him.
The Data Processor will make available all the information necessary to demonstrate compliance with the obligations under applicable law, in particular applicable data protection legislation.
5.3 The Data Subject is hereby entitled to enforce the terms and conditions of this Agreement as a third party beneficiary.
Each party shall indemnify the other against all costs, expense, including legal expenses, damages, loss, including loss of business or loss of profits, liabilities, demands, claims, actions or proceedings which a party may incur arising out of any breach of this Agreement howsoever arising for which the other party may be liable.
7. GOVERNING LAW
This policy shall be governed by and construed in accordance with Irish law and each party hereby submits to the non-exclusive jurisdiction of the Irish courts.