1.1 This agreement regarding processing of personal data (the “Data Processor Agreement” or “DPA”) regulates the processing of personal data by Emoji Games GmbH, company registration CHE-331.810.628, and its Affiliates who are under common control by Emoji Games (the “Data Processor”) on behalf of the Customer or Advertiser (the “Data Controller”), and is attached as appendix A to the terms of use at https://brandedminigames.com/terms-of-use/ (the “Main Agreement”), in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller (the “Main Services”). The term “You” in the Main Agreement, meaning the Customer who publishes their branded games by using Branded Mini-Games Studio or the Branded Mini-Games Enterprise service provided by Emoji Games GmbH for their marketing campaign towards their audience, refers to the “Data Controller”. “Customer Data” means any personal data that Emoji Games processes on behalf of Customer or Advertiser as a Data Processor in the course of providing the services as described in the Main Agreement and in the DPA.
1.2 This DPA applies where and only to the extent that Emoji Games processes Customer Data that originates from the EEA and/or that is otherwise subject to EU Data Protection Law on behalf of Customer as Data Processor in the course of providing Services pursuant to the Main Agreement.
1.3 Any claims against Emoji Games or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Main Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Emoji Games’ liability under the Agreement as if it were liability to the Customer under the Agreement.
1.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provision in the Main Agreement, unless required otherwise by applicable Data Protection Laws.
2.1 The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular:
- (i) The European Parliament and the Council’s Directive 95/46/EF of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as implemented in Danish law with, among others, the Act on Processing of Personal Data (Act No. 429 of 31 May 2000).
- (ii) The European Parliament and the Council’s Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data that entered into force on 24 May 2016 and will be applicable on 25 May 2018 (“GDPR”). Irrespective of the general use and reference to GDPR in this Data Processor Agreement, the parties are not obliged to comply with GDPR before 25 May 2018.
3. Processing of personal data
3.1 Role of the Parties. As between Emoji Games and Customer, Customer is the Data Controller of Customer Data, and Emoji Games shall process Customer Data only as a Data Processor acting on behalf of Customer.
3.2 Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Emoji Games; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Emoji Games to process Customer Data and provide the Services pursuant to the Main Agreement and this DPA.
3.3 Emoji Games processing of Customer Data. Emoji Games shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Emoji Games in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Emoji Games.
3.4 Details of Data Processing
- (a) Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
- (b) Duration: As between Emoji Games and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
- (c) Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of Emoji Games’ obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.
- (d) Nature of the processing: Emoji Games provides an HTML5 based game editor, users sign up/sign in automation platform, leaderboard tool and other related services,
- (e) Categories of data subjects: Any individual accessing and/or using the Services through the Customer’s account (“Users”); and any individual
- (f) Types of Customer Data: (i) Customer and Users: identification and contact data (name, address, title, contact details, username);
3.6 “Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the “Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update sub-appendix A whenever changes occur that necessitate an update.
4.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”). The Instruction at the time of entering into this Data Processor Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the Main Services as described in the Main Agreement.
4.2 The Data Controller guarantees that the Personal Data transferred to the Data Processor is processed by the Data Controller in accordance with the Applicable Law, including the legislative requirements re lawfulness of processing.
4.3 The Data Processor shall give notice without undue delay if the Data Processor considers the Instruction in force at the time to be in conflict with the Applicable Law.
5. The Data Processor’s obligations
- 5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller in writing has agreed hereto.
- 5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processor Agreement with strict confidentiality.
- 5.2.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32.
5.3 The Data Processor shall ensure that access to the Personal Data is restricted to only the employees or the employees of the affiliates (sub-data processor) to whom it is necessary and relevant to process the Personal Data in order for the Data Processor to perform its obligations under the Main Agreement and this Data Processor Agreement.
5.4 The Data Processor shall also ensure that the Data Processor’s employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
- 5.4.1 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.
5.5 Data protection impact assessments and prior consultation
- 5.5.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.
5.6 Rights of the data subjects
- 5.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
- 5.6.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
5.7 Personal Data Breaches
- 5.7.1 The Data Processor shall give immediate notice to the Data Controller if a breach of the data security occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).
- 5.7.2 The Data Processor shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following:
- (i) A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of personal data.
- (ii) A description of the likely consequences of the Personal Data Breach as well as those that have actually occurred.
- (iii) A description of the measures that the Data Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
- 5.7.3 The register of Personal Data Breaches shall be provided to the Data Controller in copy if so requested in writing by the Data Controller or the relevant Data Protection Agency.
5.8 Documentation of compliance
- 5.8.1 The Data Processor shall after the Data Controller’s written request hereof provide documentation substantiating that:
- (i) the Data Processor complies with its obligations under this Data Processor Agreement and the Instruction; and the Data Processor complies with the Applicable Law in respect of the processing of the Data Controller’s Personal Data.
- 5.8.2 The Data Processor’s documentation of compliance shall be provided within reasonable time.
- 5.8.3 The Data Processor shall make available to the controller all information necessary to demonstrate compliance with its obligations and allow and cooperate fully with audits, including inspections, conducted by the controller and another person authorised to this end by the controller.
5.9 Location of the Personal Data
- 5.9.1 The Personal Data is only processed at the Data Processor’s or approved Sub-Data Processors’ premises. In particular, any Personal Data of the EU will be exclusively stored in Amazon Service Website located in Ireland.
- 5.9.2 Any transfer of the Personal Data to any non-approved third countries or international organizations in the future shall only be done to the extent such transfer is permitted and done in accordance with applicable law.
6.1 Authorized Sub-processors. Customer agrees that Emoji Games may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Emoji Games and authorized by Customer are listed in the Sub-appendix B.
Upon Customer confirmation on paid pricing for additional analytics and integration service, Emoji Games may engage with the following processors.
6.2 Sub-processor Obligations. Emoji Games shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Emoji Games to breach any of its obligations under this DPA.
6.3 The Data Processor is given general authorization to engage third-parties (who are nor any affiliates of the nor contractor) to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within seven (7) calendar days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed a consent to the relevant Sub-Processor.
6.4 The Data Processor shall conclude a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.
6.5 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
6.6 The Data Processor is at the time of entering into this Data Processor Agreement using the Sub-Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix B under paragraph 2.
7. Breach and liability
7.1 The Main Agreement’s regulation of breach of contract and the consequences hereof shall apply equally to this Data Processor Agreement as if this Data Processor Agreement is an integrated part hereof.
7.2 Each party’s cumulated liability under this Data Processor Agreement is limited to the payments made under the Main Agreement in the 12 months before the occurrence of the circumstances leading to a breach of contract. If the Data Processor Agreement has not been in force for 12 months before the occurrence of the circumstances leading to a breach of contract, the limited liability amount shall be calculated proportionately based on the actual performed payments.
7.3 The limitation of liability does not apply to the following:
- (i) Losses as a consequence of the other party’s gross negligence or willful misconduct.
- (ii) A party’s expenses and resources used to perform the other party’s obligations, including payment obligations, towards a relevant data protection agency or any other authority.
8.1 The Data Processor Agreement shall remain in force until the Main Agreement is terminated.
9.1 The Data Processor’s authorization to process Personal Data on behalf of the Data Controller shall be annulled at the termination of this Data Processor Agreement.
9.2 The Data Processor shall continue to process the Personal Data for up to three months after the termination of the Data Processor Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Data Processor is entitled to include the Personal Data in the Data Processor’s backup. The Data Processor’s processing of the Data Controller’s Personal Data in the three months after the termination of this Data Processor Agreement shall be considered as being in accordance with the Instruction.
9.3 At the Data Controller’s choosing, the Data Processor and its Sub-Processors shall return the Personal Data processed under this Data Processor Agreement to the Data Controller, provided that the Data Controller is not already in possession of the Personal Data. The Data Processor is hereafter obliged to delete all the Personal Data and provide documentation for such deletion to the Data Controller.
1. Personal Data
1.1 The Data Processor processes the following types of Personal Data in connection with its delivery of the Main Services:
- (i) Ordinary contact information on relevant employees from the Data Controller.
- (ii) Users of the Main Services: names, telephone numbers, e-mails and user type.
- (iii) Personal data provided by the users in connection with their use of the Main Services (these personal data are not seen or accessed by the Data Processor unless the Data Processor after the request hereof from the Data Controller assists with support and bug fixing).
2. Categories of data subjects
2.1 The Data Processor processes Personal Data about the following categories of data subjects on behalf of the Data Controller:
- (i) Customers
- (ii) End-users
1. Approved Sub-Processors
1.1 The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Data Processor Agreement:
- (i) Storage of data in case of add-on agreement: Amazon Web Services for cloud server located in Ireland
2. New Sub-Processors
2.1 The following Sub-Processors have been added and communicated to the Data Controller prior to the relevant sub-processing:
- (i) [insert when relevant]