Data Processing Agreement

1. Introduction, scope of application, definitions

1. "Clubee" means Clubee SARL, a registered company with headquarters in 12, rue de l'Industrie, L-3895 Foetz, R.C.S. Luxembourg B 189.993;
2. "Content" means any data an information uploaded by Customers/Users, including but not limited to designs, images, animations, videos, audio files, fonts, logos, illustrations, compositions, artworks, interfaces, text, literary works and any other materials;
3. "Customer" means any person, organisation or company entering the Contract by choosing one of the Packages and using the related Services offered by Clubee;
4. “Connected Organizations” means any organization or company utilizing Clubee’s Services, being bound to Clubee through a Contract and being connected to the Customer for the purpose of exchanging data and Materials. For example, if the Customer is a club within a federation, and an exchange of player licenses is required between both organizations, then the federation would be a Connected Organization to the Customer. The same logic applies for other organizations to which the Customer may be connected, such as for example another club, company, regional association, national association, international governing body, or others.
5. "Contract" means the binding convention between Clubee and the Customer incorporating these Terms and Conditions, Data Processing Agreement, Terms and Conditions for Users, the Privacy Policy for Users and any amendments to it from time to time;
6. "Materials" means any necessary software, all informational text, software documentation, design of and "look and feel” , photographs, graphics, audio, video, messages, interactive and instant messaging, design and functions, files, documents, images, or other materials, whether publicly posted or privately transmitted, as well as all derivative works thereof. All Materials are owned by Clubee or by third parties;
7. "Package" means a bundle of Services available to the Customer. Each Package offers different Services;
8. "Services" means use and access to the website hosting services, websites, communication tools, Clubee Database and other services that are available through the Site and Customer websites of www.clubee.com. Services include, but are not limited to, Materials, designs, storage, textures, photo elements, team modules and team management, network sharing, external social network management, archiving, linking of media and/or document files (including, but not limited to text, messages, user comments, information, graphics, data, and images). The number of Services available varies in accordance with the selected Package;
9. "Clubee Database" means a data and information collection about people (date of birth, height, weight, age etc.), teams, leagues and game results and other User behavioral sports and non-sports related data. Clubee Database is owned by Clubee and protected under the Directive DIRECTIVE 96/91 EC of the European Parliament and of the council of 11 March 1996 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 11 March 1996 on the legal protection of databases, in compliance with Directive 95/46/EC), the Luxembourg Data Protection Act dated 1 August 2018.
10. "Clubee Advertisement Network" means an online advertisement platform created by Clubee which is used to offer advertisement places on the Customers Site.
11. "Advertisement Partner" means a company or entity which advertises through Clubee Advertisement Network on the Customers Site.
12. "Site" means www.clubee.com and Customer websites or web applications designed or permitted by Clubee;
13. "User" means the person logging in on the Site with his password and email address, once registered the User can post and share Content, communicate with other Users and access Clubee Database, as well as the profile of different Persons;
14. "Person" means a personal profile of a person, summarizing all personal data of a single person and entered by the Customer to the Site. This personal profile including all or part of its data can upon request or depending on the desired set-up be shared with other organizations that are customers of Clubee and that are directly or indirectly linked to the Customer, such as in many cases clubs within a same federation. A Person can also be accessed and modified by a User. The Customer understands the risks and benefits of sharing Persons with other organizations.
15. This contract regulates the rights and obligations of the Customer and Clubee (hereinafter referred to as the "parties") in the context of processing personal data on behalf of the Customer.
16. This contract applies to all activities in which employees of Clubee or subcontractors commissioned by Clubee process personal data of the Customer on the Customer's behalf.
17. Terms used in this contract are to be understood in accordance with their definition in the EU General Data Protection Regulation. In this sense, the Customer is the "controller" and Clubee is the "processor".

2. Object and duration of processing

2.1 Object 

Clubee undertakes the following processing: 

• Membership and license management for the Customer or Connected Organizations. Only first name, last name and date of birth are required, all other data such as e-mail address or telephone number are at the discretion of the Customer.   
• Digital match sheets, player statistics, event management, ticketing, referee management and other sporting and non-sporting events
• Online payments, such as membership fees, participation costs for events, and others
• Attendance tracking and tracking for players and other persons with regard to training sessions, competitions and other events
• Communication tools such as articles, photos and videos that can be shared by the Customer on their website, social networks, mobile app and other platforms
• Management of sponsors, including invitations for sponsors to events, reporting, presentation of these sponsors on various platforms of the Customer
• Forms, e.g. registration forms for memberships, licenses, events, ticketing, etc. of the Customer
• Management of the Customer's website, including all other associated functionalities and tools 
• Email marketing, ticketing, webshops of the Customer
• Financial Data Management, Invoicing and Accounting for the Customer
• Creation of graphic and textual content which the Customer can use for marketing purposes
• Further tools are developed by Clubee at regular intervals and can be made available to the Customer

The processing is based on the existing service contract between the parties, the Terms and Conditions for Customers as well as if applicable completed by a main contract between the Customer and Clubee (both hereinafter referred to as the "Main Contract").

2.2 Duration 

Processing duration is aligned with the duration of the Main Contract. 

3. Type, purpose and data subjects of the data processing:

3.1 Type of processing

The processing is as follows: 

Persons and Users are created either by the Customer, the Users themselves, or other Connected Organizations.

Persons can be linked to Users upon entering or connecting email addresses.

Persons can - depending on the set-up - be shared with Connected Organizations. The Customer understands the risks and benefits of sharing Persons with other organizations. The Customer is the sole Data Controller of Person, unless said Person is shared with Connected Organizations and multiple organizations are authorized to update a Person’s data. In this case, a Person can have multiple data controllers.

Given that Users can be connected to Persons across many organizations and customers of Clubee, no matter whether they are linked with each other through Connected Organizations, Clubee is the data controller as well as data processor for Users.

3.2 Purpose of the processing

The processing serves the following purpose: administration of the Customer, and - if applicable - the clubs affiliated to the association and their members, processing of match report sheets for matches and for notification purposes, as well as any other provision of tools that serve the administration, communication and marketing of the Customer. 

3.3 Type of data

Clubee may upon request share data with Connected Organizations and members. The data that is shared is data of a Person’s profile, including first name, last name, date of birth, nationality, language, address, and possibly other sporting, personal or organizational data required by the Connected Organization and subject to the Customer's consent to the sharing of this data. This consent can be revoked at any time.

• First name and last name
• Date of birth
• Photo
• Any other data specified by the Customer

3.4 Categories of data subjects

Affected by the processing, if desired:

• Members or Athletes of an organization
• Fans, Family and surrounding community members of an organization
• The organization’s employees
• Other persons whose data is registered by the Customer or its Connected Organizations for the purpose of sharing this data with the Connected Organizations

4. Obligations of Clubee

1. Clubee shall process personal data exclusively as contractually agreed or as instructed by the Customer, unless Clubee is legally obliged to process the data in a certain way. If such obligations exist for Clubee, Clubee shall inform the Customer of these prior to processing, unless Clubee is prohibited from doing so by law.
2. Clubee confirms that it is aware of the relevant general data protection regulations. Clubee monitors the principles of proper data processing.
3. Clubee undertakes to maintain strict confidentiality during processing.
4. Persons who may gain knowledge of the data processed must undertake in writing to maintain confidentiality, insofar as they are not already subject to a relevant confidentiality obligation by law.
5. Clubee warrants that the persons employed by it for processing have been familiarized with the relevant provisions of data protection and this contract before the start of processing. Appropriate training and sensitisation measures shall be repeated at regular intervals. Clubee shall ensure that persons deployed for commissioned processing are appropriately instructed and monitored on an ongoing basis with regard to the fulfillment of data protection requirements.
6. In connection with the commissioned processing, Clubee shall support the Customer to the extent necessary in the fulfillment of its obligations under data protection law, in particular in the preparation and updating of the list of processing activities, in carrying out the data protection impact assessment and in any necessary consultation with the supervisory authority. The required information and documentation shall be kept available and forwarded to the Customer upon request.
7. If the Customer is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against him, Clubee undertakes to support the Customer to the extent necessary, insofar as the processing is affected.
8. Clubee may only provide information to third parties or the data subject with the prior consent of the Customer. It shall forward any enquiries addressed directly to it to the Customer.
9. Where required by law, Clubee shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the authorized representative. In cases of doubt, the Customer may contact the data protection officer directly. Clubee shall inform the Customer immediately of the contact details of the data protection officer or explain why no officer has been appointed. Clubee shall inform the Customer immediately of any changes in the person or internal tasks of the authorized representative.
10.  Processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the Customer and under the conditions contained in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this contract.
11. If a Person or Connected Organization of the Customer decides to make use of Clubee's Services itself and enter into a new Contract, potentially under a paid Package, Clubee is obliged to share the relevant data with this Person or Connected Organization. This applies, for example, if a club of a federation wishes to use Clubee's management software for its own purposes or, for example, if a member decides to open its own account with Clubee and obtain access to its own personal data and manage its multiple Person profiles of different organizations within Clubee.

5. Safety of processing

1. The data security measures listed below are defined as binding. They define the minimum owed by Clubee. The description of the measures must be so detailed that a knowledgeable third party can recognise beyond doubt at any time what the minimum owed should be on the basis of the description alone. Reference to information that cannot be taken directly from this agreement is not permitted.
   
   The aim is to guarantee in particular the confidentiality, integrity and availability of the information processed.
   1. All technical and organizational measures relate to Clubee. 
   2. The internal organization of the controller and its subcontractors is designed to meet the specific requirements of data protection. These measures include:
      1. Written work instructions and guidelines are in place.
      2. Programs and procedures are and will be properly documented.
      3. The storage and access options for machine-generated logs are regulated.
      4. Notifications, requests for information and requests for correction, deletion or blocking are documented
   3. Encryption
      1. Each processing activity is checked to see whether its purpose can also be fulfilled without direct reference to a person. If this is the case, readable information is converted into a character string that is not easy to interpret using a suitable method.
      2. Encryption (HTTPS) of data during transmission with SSL Certificate 
   4. Pseudonymization
      1. Each processing activity must be checked to see whether its purpose can also be realized without direct personal reference. If this is the case, the processing of personal data is carried out in such a way that this data can no longer be attributed to a specific data subject without the use of additional information. 
      2. This additional information must be stored separately and is itself subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identifiable or personal data cannot be attributed to an identifiable or identified natural person.
   5. Confidentiality
      1. The following measures ensure that unauthorized persons do not gain access to the data processing systems and/or premises
         1. Access control: No unauthorized access to data processing systems
         2. Access control: No unauthorized system use
         3. Access control: No unauthorized reading, copying, modification or removal within the system
         4. Separation control: Separate processing of data collected for different purposes
   6. Integrity

1. 1. 1. These precautionary measures, which ensure that personal data cannot be falsified, have been taken
         1. Input control: Determining whether and by whom personal data has been entered into, modified or removed from data processing systems
         2. Transmission control: No unauthorized reading, copying, modification or removal during electronic transmission or transport
         3. Detection of virus intrusion and prevention of malware or the spread of infected content
         4. Individual user identification and individual password
         5. Password must meet certain criteria (special characters, password length, use of lower and upper case letters, letters and numbers)
         6. Access via personalized accounts based on an authorization concept
         7. Differentiated access authorization to application programs
         8. Differentiated editing options (read/update/delete)
         9. Regular review of existing authorizations 
         10. Encryption of data during transmission (SSL)
         11. Logging and evaluation of log files 
         12. No unauthorized introduction of external mobile storage devices by employees
         13. An authorization concept based on the minimum principle has been established for administrative activities
         14. changes to the system are evaluated in advance by business analysts and software architects
         15. extensive tests, such as functional tests, load tests, performance tests and penetration tests, are carried out.
         16. After the acceptance process, the versions are created and transferred to production.
         17. By monitoring and controlling the functions, anomalies can be detected in good time and forwarded to the support staff.
         18. Differentiation of data sets between production and test environments.
   
   7. Availability and resilience

1. 1. These measures, which ensure the constant availability of the systems, have already been taken:
      1. Availability control: protection against accidental or willful destruction or loss
      2. Resilience control: ability of the systems to deal with risk-related changes and demonstrate tolerance and resilience to disruptions
      3. Use of a database with known errors at system and application level
      4. Monitoring and logging, troubleshooting, error correction and escalation
      5. Adequate hardware protection is guaranteed
      6. qualified use of protection software (firewalls, encryption programs, virus scanners, SPAM filters) on all workstations.
      7. Systems that work independently of each other
      8. Automatic reporting of faults 

1. 1. These measures, which ensure that the personal data stored in the systems is protected against accidental destruction or loss even under high workloads, have been introduced:
      1. execution of external software not installed on the workstation is prevented by technical measures 
      2. contractual prohibitions for users
      3. SPAM filters 
      4. updates / patches
      5. Use of firewalls, encryption programs, virus scanners, SPAM filters and other protection software
   
   9. Ensuring availability
   1. These measures ensure the ability to quickly restore the availability of personal data and access to it following a physical or technical incident:
      1. multi-level data backup concept (backup & recovery concept) 
      2. Emergency manual/plan
   
   10. Procedures for regular review, assessment and evaluation
   1. Security audits are carried out at regular intervals to ensure regular review, assessment and evaluation of the effectiveness.
   2. This means that the systems and the upstream protection systems are subjected to penetration tests, which include the following steps
      1. Vulnerability scanning with commercial assessment tools and open source programs 
      2. Additional manual testing to identify security gaps and vulnerabilities
      3. Data protection management: system for regular review, assessment and evaluation of data protection measures
      4. Incident response management: system for preparing, identifying and reporting security incidents
      5. Data protection-friendly default settings
   3. Any vulnerabilities identified are used to create a clear overview of the current security situation in the company. After the audit, the risks/vulnerabilities and systems found are assessed. The assessment is followed by a description of the weaknesses and a corresponding recommendation of measures. For security reasons, this assessment can only be shared with the Customer once any risks/vulnerabilities have been eliminated.
   
   11. Recoverability
   1. Article 32 GDPR refers to the “ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident”. This means that companies must be able to make the data available again.
      1. Backup system with the ability to restore data

1. The data security measures may be adapted in line with further technical and organizational development as long as they do not fall below the level agreed here. Clubee shall immediately implement any changes required to maintain information security. The Customer must be informed of any changes without delay. Significant changes must be agreed between the parties.
2. If the security measures taken do not or no longer meet the Customer's requirements, Clubee shall inform the Customer immediately.
3. Copies or duplicates will not be made without the Customer's knowledge. This does not apply to technically necessary, temporary copies, provided that any impairment of the level of data protection agreed here is excluded.

6. Regulations on the rectification, erasure and blocking of data

1. Clubee shall only correct, delete or block data processed within the scope of the order in accordance with the contractual agreement made or in accordance with the Customer's instructions, unless the data owner itself issues a legally valid request to the Customer.

7. Subcontracting relationships

1. The commissioning of subcontractors (e.g. technical service providers) is authorised within the framework of the legally applicable conditions.
2. Consent is only possible if the subcontractor has been contractually bound to data protection obligations that are at least comparable to those agreed in this contract.
3. The responsibilities of Clubee and the subcontractor must be clearly delineated.
4. Clubee shall carefully select the subcontractor, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.
5. The forwarding of data processed to the subcontractor is only permitted if Clubee has satisfied itself that the subcontractor has completely fulfilled its obligations.
6. The commissioning of subcontractors who do not perform processing exclusively from the territory of the EU or the EEA is only possible if the conditions set out in Chapter 4 (10) and (11) of this contract are observed. In particular, it is only permitted if and as long as the subcontractor offers appropriate data protection guarantees.
7. Clubee must carry out an appropriate review of the subcontractor's compliance with its obligations on a regular basis.
8.  The below listed subcontractors are authorized. This list can be updated by Clubee depending on needs and necessity:
   1. All subcontractors listed in the company’s Privacy Policy, which can be found on https://get.clubee.com/privacy-policy
   2. "Bannerbear.com" is a service provided by Bannerbear Ltd., 68 Hanbury Street, London, E1 5JL, United Kingdom. We use Bannerbear.com to automate the creation of visual content as well as documents for our Customers. Among other things, Bannerbear.com enables us to generate dynamic images and videos, manage design templates, and streamline our Customers’ visual content production process. The use of Bannerbear.com is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the efficient management and automation of visual content creation and customer engagement. For more information, please consult Bannerbear.com’s Privacy Policy: https://www.bannerbear.com/privacy
   3. "ChatGPT API" (optional) is a service provided by OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA. We use the ChatGPT API to allow faster creation of content for our Customers, as for example writing articles to promote events and games. Personal Data such as names of players mentioned in game articles could be shared with ChatGPT API, only if this service is used by the Customer. The use of the ChatGPT API is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in providing the most efficient and effective customer communication possible. For more information, please consult OpenAI’s Privacy Policy: https://openai.com/privacy.
   4. "Facebook" and "Facebook Connect" (optional) are services of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland Instead of registering directly on this website, you also have the option to register using Facebook Connect.

The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook’s statement the collected data will be transferred to the USA and other third-party countries too.

If you decide to register via Facebook Connect and click on the “Login with Facebook”/„Connect with Facebook” button, you will be automatically connected to the Facebook platform. There, you can log in using your username and password. As a result, your Facebook profile will be linked to this website or our services. This link gives us access to the data you have archived with Facebook. These data comprise primarily the following: Facebook name, Facebook profile photo, e-mail address archived with Facebook, Facebook-ID, date of birth, gender and location.

This information will be used to set up, provide and customize your account.

The registration via Facebook Connect and the affiliated data processing transactions are implemented on the basis of your consent (Art. 6(1)(a) GDPR). You may revoke this consent at any time, which shall affect all future transactions thereafter.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 DSGVO). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The wording of the agreement can be found under: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for the privacy-secure implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g., requests for information) regarding data processed by Facebook directly with Facebook. If you assert the data subject rights with us, we are obliged to forward them to Facebook. Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://www.facebook.com/help/566994660333381 and https://www.facebook.com/policy.php.

For more information, please consult the Facebook Terms of Use and the Facebook Data Privacy Policies. Use these links to access this information: https://www.facebook.com/about/privacy and https://www.facebook.com/legal/terms/.

We also offer the possibility to share content (e.g. news articles, galleries, videos and images) automatically on Facebook.This service can be optionally activated for you at Clubee, if you want to use this tool. If you select automatic republication of club updates on Facebook, the data you have entered will be transferred to Facebook. You will be expressly asked by Facebook for further consent in advance. You can find more information on this topic here: https://www.facebook.com/legal/terms/dataprocessing

5. "HubSpot" is a service provided by HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1. We use HubSpot to manage our own connection and relationship with our customers and clubs. Among other things, HubSpot enables us to create internal team tasks at Clubee, manage existing and potential customers as well as customer contacts. With HubSpot, we are able to capture, sort, and analyze customer interactions via email, telephone, and across different channels. The personal data collected in this way can be evaluated and used for communication with the potential customer or for marketing measures (e.g., newsletter mailings). The use of HubSpot is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the most efficient customer management and customer communication possible. For more information, please consult HubSpot’s Data Privacy Policy: https://legal.hubspot.com/privacy-policy.

6. ”Mailcheap” (optional) is a service provided by Cyberlabs, Inc, 9450 SW Gemini DR, PMB 90201, Beaverton, Oregon 97008-7105, USA. On our platform you have the option to set up email accounts with your domain (e.g. max.mustermann@vereinsname.com). This service can be optionally activated for you if you want to take advantage of this tool. When setting up the account, we will enter your first and last name, club name and a backup email address, which will then be stored on Mailcheap's servers. Subsequently, you will be informed about the registration and asked to create an account. The processing done by Mailcheap after the forwarding is not part of the shared responsibility. The registration with Mailcheap and the related data processing operations are based on your consent (Art. 6(1)(a) GDPR). You can read details about this in Mailcheap's privacy policy under the following link: https://www.mailcheap.co/privacypolicy.html

7. "Mailerlite" (only club managers) is a service of UAB "MailerLite", J. Basanavi?iaus 15, LT-03108 Vilnius, Lithuania. We use Mailerlite to communicate with our customers, more precisely the club managers, by e-mail. We regularly send e-mails to club managers to inform them about changes, improvements, or other developments on our platform in order to facilitate a better and easier use. Data such as first and last name, e-mail, club name, package, language and country of the club are stored on MailerLite's servers. You can unsubscribe from the newsletter at any time. For this purpose, we provide a corresponding link in every newsletter message. MailerLite enables us to analyze our newsletter campaigns. For example, we can see whether a newsletter message was opened, and which links were clicked on, if any. In this way we can determine which links were clicked on particularly often. MailerLite also enables us to divide the newsletter recipients into different categories (“clustering”). The newsletter recipients can be divided according to language or country, for example. In this way, the newsletters can be better adapted to the respective target groups. Detailed information on the functions of MailerLite can be found at the following link: https://www.mailerlite.com/features. The MailerLite privacy policy can be found at: https://www.mailerlite.com/legal/privacy-policy.

8. ”Quickbooks” is a service provided by Intuit, Inc, 2700 Coast Ave, Mountain View, California 94043, USA. We use Quickbooks as our accounting tool.

The use of Quickbooks is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the most efficient customer management and customer communication possible. If a corresponding consent was requested, the processing is based exclusively on Art. 6(1)(a) GDPR. Consent can be revoked at any time. For details, see Intuit's privacy policy: https://www.intuit.com/privacy/protect-your-privacy/.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://quickbooks.intuit.com/uk/legal/data-processing-agreement/.

We have concluded a data processing agreement with the above-mentioned provider. This is a contract required by data protection law, which ensures that this provider only processes the personal data of our visitors according to our instructions and in compliance with the GDPR.

8. Rights and obligations of the Customer

1. The Customer alone is responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
2. The Customer ensures that any exchange of data with Connected Organizations has been legally clarified and safeguarded. The Customer ensures that the legally required Data Processing Agreements between the Customer and Connected Organizations are in place. By instructing Clubee to set up a data sharing structure with Connected Organizations, the Customer agrees to indemnify and hold harmless Clubee from any claims, liabilities, damages, or expenses arising directly or indirectly from the sharing of such data. The Customer is integrally liable for any grievances and legal consequences that arise from this data exchange.
3. The Customer ensures that it has received Consent by the Persons and Users to manage their personal data.
4. The Customer shall issue all orders, partial orders or instructions in writing, per email or written letter. In urgent cases, instructions may be issued verbally. The Customer shall confirm such instructions in writing without delay.
5. The Customer shall inform Clubee immediately if it discovers errors or irregularities.

9. Notification obligations

1. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, the categories concerned and the approximate number of personal data records concerned;
2. the name and contact details of the data protection officer or other contact point for further information;
3. a description of the likely consequences of the personal data breach;
4. a description of the measures taken or proposed to be taken by Clubee to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects 

10. Termination of the data processing

1. If, upon termination of the contractual relationship of the Main Contract, data processed or copies thereof are still in Clubee's power of disposal, Clubee shall, at the Customer's discretion, either destroy the data or hand it over to the Customer. The Customer must make this choice 4 weeks prior to the contract termination. Failing to do so will result in the destruction of data at the day of contract termination. The destruction must be carried out in such a way that it is no longer possible to restore even residual information with reasonable effort. Physical destruction shall be carried out in accordance with DIN 66399.
2. Clubee is obliged to arrange for the destruction or return of the goods.
3. Documentation that serves as proof of proper data processing shall be retained by Clubee at least until the end of the second calendar year after the end of the contract. Clubee may hand them over to the Customer for the Customer's discharge.

11. Liability

1. The Customer and Clubee are jointly and severally liable for compensation for damages suffered by a person due to unauthorised or incorrect data processing within the scope of the contractual relationship.
2. Clubee shall bear the burden of proof that damage is not the result of a circumstance for which it is responsible, insofar as the relevant data was processed by it under this agreement. Clubee shall be liable to the Customer for any damage culpably and solely caused by Clubee, its employees or the subcontractors engaged by it to perform the contract in connection with the provision of the commissioned contractual service.
3. Points (1) and (2) shall not apply if the damage was caused by the correct implementation of the commissioned service or an instruction issued by the Customer. In such an event, the Customer will solely be liable.

12. Contractual penalty

1. In the event of culpable breaches of its obligations under this contract, Clubee shall forfeit a contractual penalty commensurate with the breach. The contractual penalty shall be forfeited in particular in the event of deficiencies in the implementation of the agreed technical and organizational measures.
2. In the event of a breach of the data processing agreement by Clubee, the penalty payable by Clubee shall be limited to a single payment. This payment shall not exceed a maximum of 10% of the annual subscription fee paid by the Customer to Clubee, limited to the applicable fee of the current contractual year only. The penalty shall only be applicable if the Customer has paid all of its invoices emitted by Clubee within due time.
3. The contractual penalty shall become due upon declaration of its amount to Clubee.
4. The contractual penalty has no influence on other claims of the Customer.

13. Miscellaneous

1. This Data Processing Agreement was written in English, and translated into other languages for visitors and Customers/Users convenience. Visitors and Customers/Users may access and view other language versions by changing Customers/Users Clubee website language settings. If a translated (non-English) version of these Terms and Conditions conflicts in any way with their English version, the provisions of the English version shall prevail.
2. Both parties are obliged to treat all knowledge of business secrets and data security measures of the other party obtained within the scope of the contractual relationship as confidential, even after the termination of the contract. If there is any doubt as to whether information is subject to the confidentiality obligation, it must be treated as confidential until it has been released in writing by the other party. 
3. If the Customer's property is jeopardised by third-party measures (such as seizure or confiscation), insolvency or composition proceedings or other events, Clubee must inform the Customer immediately.
4. Ancillary agreements must be made in writing and make express reference to this agreement.
5. Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.