Supercell Oy (“Supercell”)

Last Updated: September 27, 2021

1. Definitions
   In these Data Processor Terms (“Terms”), the following terms have the following meanings:

   1. "Applicable Data Protection Law" shall mean all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Parties are subject, including, but not limited to CCPA and GDPR;

   2. "CCPA” means the California Consumer Privacy Act of 2018.

   3. "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law, as defined below;

   4. "EEA” means the European Economic Area.

   5. “GDPR” means the EU General Data Protection Regulation 2016/679.

   6. "Services", "Supercell", "the Consultant", “Party” and “Parties” shall have the meanings set out in the Consulting Agreement or other concluded written agreement (the "Agreement") between Supercell and the Consultant which incorporates these Terms. The details of the processing operations within the Services, and the categories of personal data, are specified in the Agreement. If and to the extent language in these Terms conflicts with the Agreement, these Terms shall control.

   7. “Purpose” means the purpose of processing of personal data in connection with the Services, as described in the Agreement (or as otherwise agreed in writing by the Parties), but in any case, solely for the benefit of Supercell and not the Consultant or any third party.

   8. “Supercell Data” means the personal data processed in the course of providing the Services.

2. Relationship of the Parties:
   

   1. Supercell (the controller) appoints the Consultant as a processor to process Supercell Data for the Purpose. Consultant will act as a "Service Provider" as the term is defined in the CCPA. Neither Consultant nor its subcontractors shall sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Supercell Data to any third party in a way that would constitute "selling" as the term is defined by the CCPA. Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.

3. Duration and Survival:
   

   1. These Terms will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign these Terms, if completed after the effective date of the Agreement. Consultant will process Supercell Data until the relationship terminates as specified in the Agreement. Consultant's obligations and Supercell's rights under these Terms will continue in effect so long as Consultant processes Supercell Data.

4. Documented Instructions:
   

   1. Consultant and any subcontractors shall process Supercell Data solely for the Purpose of and to the extent necessary to provide the Services to Supercell in accordance with the Agreement, these Terms, and Data Protection Laws. Subsequent documented instructions may also be given by Supercell throughout the duration of the processing of Supercell Data. Consultant will, unless legally prohibited from doing so, inform Supercell in writing if it reasonably believes that there is a conflict between Supercell's instructions and applicable law or otherwise seeks to process Supercell Data in a manner that is inconsistent with Supercell's instructions.

5. International transfers:
   

   1. The Consultant shall not transfer the Supercell Data (or allow the Supercell Data to be transferred) outside of the EEA or countries subject to adequacy decision of the European Commission under Article 45 of the GDPR without Supercell's prior written consent, which, without prejudice to Supercell's right to refuse or prescribe any other conditions, shall be conditional upon the Consultant ensuring, and demonstrating to the reasonable satisfaction of Supercell, that the conditions under Applicable Data Protection Law are satisfied.

   2. For this purpose, the Parties agree to be bound by the Standard Contractual Clauses (SCC) implemented by the European Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. Notwithstanding the foregoing, the SCC will not apply if the Consultant has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA. The terms of the SCC shall supersede any conflicting terms of these Terms or the Agreement.

   3. Where Supercell (exporter) transfers Supercell Data to the Consultant (importer) the Parties shall perform the transfer by using Module two of the SCC incorporated into these Terms (“Transfer Controller to Processor").

   4. Where the Consultant engages a sub-processor in accordance with section 7. and those processing activities involve a transfer of Supercell Data, the Consultant and the sub-processor shall perform the transfer by using Module three of the SCC and incorporate the Module into the sub-contracting agreement (“Transfer Processor to Processor").

6. Confidentiality and Security of processing:
   

   1. The Consultant shall (i) only process the Supercell Data itself, (ii) shall do so in the strictest confidence and in accordance with the confidentiality provisions in the Agreement and (iii) shall grant access to Supercell Data to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the Agreement. Any person or third party authorized to process Supercell Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

   2. Security: The Consultant shall implement appropriate technical and organisational measures to protect the Supercell Data a Security Incident (as defined below). At a minimum, such measures shall include:

      • Pseudonymisation of Supercell Data where appropriate, and encryption of Supercell Data in transit and at rest;

      • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Consultant's processing and Supercell Data;

      • The ability to restore the availability and access to Supercell Data in the event of a physical or technical incident;

      • A process for regularly evaluating and testing the effectiveness of the Consultant's Information Security Program to ensure the security of Supercell Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

      • If the processing involves Supercell Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences, the Consultant shall apply specific restrictions and/or additional safeguards and agree on them with Supercell in the Agreement prior to commencing such processing.

7. Sub-contracting:
   

   1. The Consultant has Supercell ́s general authorisation for the engagement of sub-processor(s) based on a separately agreed list. The Consultant shall specifically inform Supercell in writing of any intended changes to that list through the addition or replacement of sub- processors at least 30 days in advance, thereby giving Supercell sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s) in question. The Consultant shall provide Supercell with the information necessary to enable Supercell to exercise its right to object.

   2. The Consultant shall ensure the sub-processor is subject to no less restrictive data protection obligations as those imposed on the Consultant in accordance with these Terms. The Consultant shall ensure that the sub-processor complies with the obligations to which the Consultant is subject pursuant to these Terms and Applicable Data Protection Law.

   3. The Consultant shall keep a list of current sub-processors (i.e. sub-processors agreed by Supercell) and at Supercell ́s request, provide a copy of sub-processor agreements and any subsequent amendments to Supercell. To the extent necessary to protect business secret or other confidential information, including personal data, the Consultant may redact the text of the agreement prior to sharing the copy.

   4. The Consultant shall remain fully responsible to Supercell for the performance of the sub-processor’s obligations in accordance with these Terms. The Consultant shall notify Supercell of any failure by the sub-processor to fulfil its contractual obligations.

   5. The Consultant will include a third party beneficiary clause with the sub-processor whereby - in the event the Consultant has factually disappeared, ceased to exist in law or has become insolvent – Supercell shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return Supercell Data.

8. Cooperation and data subjects' rights and Data Protection Impact Assessment:
   
   The Consultant shall provide reasonable and timely assistance to Supercell:
   

   1. to enable Supercell to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Supercell Data. In case any such request, correspondence, enquiry or complaint is made directly to the Consultant, the Consultant shall promptly inform Supercell providing full details of the same and shall not respond to the request itself, unless authorised to do so by Supercell;

   2. to carry out any data protection impact assessment that may be required under Applicable Data Protection Law including possible consulting with the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk;

   3. to ensure that Supercell Data is accurate and up to date, by informing Supercell without delay if the Consultant becomes aware that Supercell Data it is processing is inaccurate or has become outdated;

   4. to fulfil the security obligations under Article 32 of GDPR.

9. Security incidents:
   

   1. If the Consultant becomes aware of a confirmed or reasonably suspected breach of security leading to the accidental or unauthorized destruction, loss, alteration, disclosure of, or access to Supercell Data processed by the Consultant, its sub-processors or Supercell (a“Security Incident”), the Consultant shall inform Supercell without undue delay (in no case longer than 48 hours) and shall provide reasonable information and cooperation to Supercell so that it can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law.

   2. The Consultant, shall at its own expense, take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident, including (i) assist Supercell in providing notice to public and/or regulatory authorities, individuals, or other persons, or (ii) undertaking other remedial measures (including, without limitation, notice to credit monitoring services and the establishment of a call center to respond to inquiries. Consultant shall keep Supercell informed of all material developments in connection with the Security Incident, and shall provide Supercell with drafts of notices to public and/or regulatory authorities, individuals, or other persons before providing such notices to their recipients.

   3. If Supercell chooses to carry out the remedial actions described above itself, Consultant agrees to reimburse Supercell for its reasonable costs. If the breach concerns Supercell Data processed by Supercell, then Supercell shall reimburse the Consultant for its reasonable costs of carrying out the remedial measures and actions requested by Supercell.

10. Deletion or return of Supercell Data:
    

    1. Upon termination or expiry of the Agreement, the Consultant shall (at Supercell's election):
       
       a) destroy or return to Supercell all Supercell Data in its possession or control; or
       
       b) allow an authorised representative of Supercell to have reasonable access to the systems and storage devices used by the Consultant in providing the Services for the purpose of destroying or returning all Supercell Data in the Consultant's possession or control.

    2. This requirement shall not apply to the extent that the Consultant is required by applicable law to retain some or all of the Supercell Data.

11. Audits and non-compliance:
    

    1. The Consultant shall also respond to any written audit questions submitted to it by Supercell and co-operate with any request to audit its practices more generally, which may include access to premises, systems or software used by the Consultant to process the Supercell Data, provided that Supercell shall use such access only for the purposes of assessing the Consultant's compliance with these Terms and the Agreement when processing the Supercell Data. The Parties shall make the information referred to in this section, including the results of any audits, available to the competent supervisory authority/ies on request

    2. To the extent that any material security vulnerabilities or other material breaches of these Terms are identified in audits or otherwise, Consultant shall remediate those breaches within fifteen (15) days of the completion of the applicable audit or date of written notice given by Supercell, unless any breach by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time not to exceed sixty (60)days.

    3. in the event that the Consultant is in material, persistent or frequent breach of its obligations under these Terms, Supercell may instruct the Consultant to suspend the processing of Supercell Data until the latter complies with these Terms or until the Agreement is terminated. The Consultant shall promptly inform Supercell in case it is unable to comply with these Terms, for whatever reason.

    4. Supercell is entitled to terminate the Agreement with immediate effect if:
       
       a) the processing of Supercell Data by the Consultant has been suspended by Supercell pursuant to section 11.3 and if compliance with these Terms is not restored within the times specified in section 11.2;
       
       b) the Consultant fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Terms or to Applicable Data Protection Law.

    5. The Consultant shall be entitled to terminate the Agreement where, after having informed Supercell that its instructions infringe Applicable Data Protection Law in accordance with section 4, Supercell insists on compliance with the instructions.

    6. Indemnification: Consultant agrees to indemnify, defend and hold harmless Supercell and each of its officers, directors, employees, subcontractors, representatives and agents from any and all damages, actions, third party claims, liabilities, costs and expenses, including reasonable attorneys' fees and expenses resulting from such actions or claims, arising out of or relating to: (i) a Security Incident; (ii) Consultant's negligence or willful misconduct related to Supercell Data; and/or (iii) Consultant's breach of these Terms (including the Standard Contractual Clauses for International Data Transfers ).

12. Amendments:
    

    1. Supercell reserves the right to change, modify, add or remove portions of these Terms at any time by posting the amended Terms on supercell.com.