APPENDIX 1

TERMS OF PERSONAL DATA PROCESSING THROUGH THE APPLICATION

1. Subject of the Terms
   1. The subject of these Terms is the processing of personal data through the Application, whereby the company Elevien d.o.o. with its business seat in Osijek, Ulica kralja Zvonimira 5, OIB: 81460325089, or a person related to it and/or any other person authorized by Elevien to contract the services of the Application, acts in the capacity of a processor (hereinafter: “Processor“), while the Owner as defined in the General Terms of Use, acts in the capacity of a controller (hereinafter: “Controller“) as determined by the Applicable Law.
   2. The provisions listed below, as well as the processing of personal data, will apply only in the case when the Processor processes Personal Data on behalf of the Controller based on the General Terms of Use and the agreed terms of cooperation, i.e. during the use of the Application.
2. Definitions
   1. For the purpose of applying these Terms, the following terms have the following meanings:
      1. “Processing System” means categories of Personal Data that are processed as part of the Application service, categories of Data Subjects whose Personal Data are processed and the Purpose of Processing, describes the Processing and contains other information relevant to the description of the process in which personal data is processed within the Application. Notes on the mentioned items are stored within the user’s account on the Application and are available to the Controller and the Processor accordingly. The processing system forms an integral part of these Terms as Appendix 2;
      2. “Data Subject” means the User as determined by the General Terms of Use, that is, a natural person who accesses the Application whose identity has been determined or can be determined;
      3. “Personal Data” means any data relating to an individual whose identity has been determined or can be determined (Data Subject). An identifiable individual is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location data, online identifier or with the help of one or more factors inherent to physical, physiological, genetic, mental , economic, cultural or social identity (according to the definition in the Applicable Law) which is processed by the Processor on behalf of the Controller when enabling the Application services. Categories of Personal Data that are processed as part of the Application service will be defined as part of the Processing System;
      4. “Processing” means any process or set of processes performed on personal data or sets of personal data, whether by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction, in accordance with Applicable Law. The processing of Personal Data based on the General Terms of Use and the agreed terms of cooperation is also specified in the Processing System;
      5. “Personal Data Breach” means any breach of security or privacy that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of Personal Data. For the avoidance of doubt, the above includes any injury caused by an employee or subcontractor of the Processor or any person acting under the authority of the Processor (eg consultants, etc.);
      6. “Third country” a country that is not a member of the European Union (EU) and/or the European Economic Community (EEA).
   2. Other expressions, definitions and terms that are defined in the part of the General Terms of Use are also applied accordingly in these Terms.
3. Purpose of personal data processing
   1. The purpose of the processing of personal data that is the subject of these Terms is to perform the Application service, that is, to enable the use of the Application service by the Controller for the purpose of organizing, judging and/or transmitting the Competition, provided that one function of the Application does not exclude others.
4. Obligations of the Data Controller
   1. The controller implements appropriate technical and organizational measures to ensure and to be able to prove that the processing is carried out in accordance with the Applicable Law.
5. Obligations of the Processor
   1. The Processor will process Personal Data exclusively in accordance with the General Terms of Use, these Terms and in accordance with the needs and instructions of the Controller, which are essentially contained within the Processing System, unless specific Processing is required by the Applicable Law. In this case, the Processor will notify the Controller of the stated legal obligation before the Processing, unless such reporting is prohibited by law due to important reasons of public interest.
   2. The processor shall keep the Personal Data confidential and ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality or are under a corresponding legal obligation of confidentiality.
   3. The processor will undertake and implement all necessary measures in accordance with Article 6 of these Terms (Security of Processing).
   4. The processor will keep records of the processing of personal data in the sense of Article 30, paragraph 2 of the GDPR.
   5. The data processor will appoint a Data Protection Officer, if the prerequisites from Article 37 of the GDPR are met.
   6. The Processor, taking into account the nature of the Processing, will assist the Controller through appropriate technical and organizational measures, as far as possible, to fulfill the Controller’s obligation to respond to requests for exercising the Data Subject’s rights established by the Applicable Law.
   7. The Processor shall assist the Controller in ensuring compliance with the obligations in accordance with the Applicable Law, taking into account the nature of the Processing and the information available to the Processor.
   8. The Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller after termination of use of the Application service and delete existing copies, unless there is an obligation to store Personal Data in accordance with the law of the Union or the law of a Member State.
   9. The Processor shall make available to the Controller all the information necessary to prove compliance with the obligations set forth in this Article 5 of these Terms and allow supervision undertaken by the Controller or another auditor authorized by the Controller. In this regard, the Processor shall immediately inform the Controller if, in his opinion, a specific instruction violates the Applicable Law or other relevant provisions of the EU member state on the protection of personal data.
   10. The processor will amend the provisions of the General Terms of Use and/or these Terms in order to comply with the obligations of the Applicable Law.
6. Security of processing
   1. Taking into account the latest achievements, implementation costs and the nature, scope, context and purpose of the Processing, as well as risks of different levels of probability and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures before any Processing in order to ensure a level of security adequate to the risk, including, among others, as necessary:
      1. pseudonymization and encryption of Personal Data;
      2. ability to ensure permanent confidentiality, integrity, availability and resilience of the Processing system;
      3. the ability to timely establish availability and access to Personal Data in the event of a physical or technical incident;
      4. process for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure processing security.
   2. When assessing the appropriate level of security, special consideration is given to the risks posed by Processing, especially the risks of accidental or illegal destruction, loss, alteration, unauthorized disclosure of Personal Data or unauthorized access to Personal Data that have been transferred, stored or otherwise Processed.
   3. The Controller and Processor shall take steps to ensure that any natural and legal person acting as an authorized Controller or Processor who thus has access to Personal Data does not process said data except in the manner determined by these Terms, the Applicable Law and in in accordance with any initial instructions and wishes of the Controller regarding the configuration of the Application. An exception is the situation if such a person is obliged to do so under the law of the European Union or the law of an EU member state.
   4. The Processor shall notify the Controller within 24 (twenty-four) hours if it becomes aware of any Personal Data Breach. Such notification will be sent to the contact address of the Data Controller, which is used in normal communication for the needs of the Application, while simultaneously sending a copy to the email [email protected]. When and to the extent that it is not possible to provide all information about a Personal Data Breach at once, the remaining information may be provided in stages, but without undue further delay.
7. Subcontractors of the Processor
   1. By using the services of the Application, the Controller is aware that, due to the need for web analytics services and in order to advance the functionality of the Application, the Processor uses subcontractors, and that there is a possibility that in the future the Processor may have to engage additional subcontractors or change the existing ones. The Controller hereby gives general consent for engaging such subcontractors as Sub-Processors.
   2. In order to ensure the maintenance of a high level of protection of personal data and the security of the Application, the Processor shall make the decision on the selection of individual processing Sub-Processors cautiously and applying a high standard of professional care. The processor will not subcontract any Personal Data Processing without entering into a written contract with the Sub-Processors that will contain obligations to protect personal data as specified in these Terms.
   3. If the Controller does not agree to the subcontracting of the Processing by the Processor, the Controller may terminate cooperation with the Processor in relation to the Application services.
8. Supervision and audit
   1. The Processor has the right, independently or by appointing an independent third party (who is not a competitor of the Processor and with the Processor’s approval), to monitor whether the Processor complies with the obligations from these Terms and whether it acts in accordance with the initial requests and instructions of the Processor. The data processor will cooperate and assist the data controller or the third party performing the audit by providing the requested information, providing the requested documentation, providing access to business premises, IT systems and other means necessary for effective supervision of compliance with the provisions of these Terms.
   2. The Processor shall ensure that the Controller has equal rights in relation to all selected processing subcontractors. The Processor may offer alternative monitoring solutions, for example an audit performed by an independent third party, which the Controller may or may not accept.
   3. The supervision referred to in this article must be announced to the Processor no later than 30 days before it takes place, and must be carried out based on a framework plan that will be agreed upon by the Controller and the Processor before the supervision is carried out. In the event that they fail to agree on an outline plan, the Data Controller has the right to determine it independently.
   4. The processor will provide the supervisory authority responsible for data protection at the level of the Republic of Croatia or the EU, the possibility of conducting surveillance in the business premises of the processor.
   5. In the event that any body responsible for data protection or another (supervisory) body initiates a review of the Processing of Personal Data by the Controller, or if the Data Subject submits a complaint against the Controller, and the subject is related to the Processing which is assumed to have been carried out by on the part of the Processor, the Processor will assist the Controller with documentation and other information related to the processing, in order to enable the Controller to satisfy the competent authorities in their supervision and respond to any complaint.
9. Additional protective measures
   1. Notice: The Processor shall constantly and timely provide the Controller with all current information about the Processing, which the Controller may reasonably request when necessary to fulfill its obligations under the Applicable Law.
   2. Violations of Personal Data: At the request of the Controller, the Processor will cooperate with the Controller and provide him with information about the nature, circumstances and causes of the Personal Data Breach. The processor will take all actions necessary to prevent further losses or otherwise limit the consequences of a Personal Data Breach. The processor will conduct a professional forensic and security check and audit regarding the Personal Data Breach. Breach of Personal Data will be resolved in accordance with the Applicable Law and the instructions that the Controller may give to the Processor.
   3. Obligation cooperation in order to ensure the Data Subject’s rights: The Processor will, if requested by the Data Controller, at no additional cost to the Data Controller or the Data Subjects:
      1. immediately deliver to the Controller a copy of the Personal Data in an understandable form, and/or
      2. according to the decision of the Controller, at any time provide them with access to Personal Data, and/or
      3. immediately modify, correct, block or delete Personal Data in the manner prescribed by the Applicable Law.
   4. Dealing with requests and complaints from public entities: depending on what is permitted by the Applicable Law, in the event that the Processor receives a request or complaint from a competent authority regarding any Personal Data, it will notify the Controller without delay indicating which competent authority is involved, the scope of the request and the basis stated in the request or complaints. In this regard, the Processor shall without delay send the request or complaint of the Competent Authority to the Controller so that the Controller responds to the request or complaint of the Competent Authority after consultation with the Processor, unless otherwise determined by the Applicable Law or other law applicable to these Terms.

APPENDIX 2

PROCESSING SYSTEM

Purpose of Processing:

Facilitating the organization of gymnastics competitions, their judging and transmission, whether they take place live, remotely (online) or in a hybrid form.

Data Subject categories:

Physical persons who have access to the Application, whether gymnasts (competitors), judges, recorders, viewers and organizers of a sports competition or members of the coaching and/or professional team related to an individual participant of a competition and/or sports club or sports federation.

Categories of Personal Data:

1. Mandatory data: network identifier.
2. Optional data: name/names, current surname/surnames, face and body footage, mobile phone number, information about the country from which the person comes, information on membership in a gymnastics club or other association that is a member of the Croatian Gymnastics Federation or another foreign gymnastics federation.