DATA PROCESSING ADDENDUM
(“ADDENDUM”)

FunPlus International AG, Bahnhofstrasse 2, 6300 Zug, Switzerland, CHE-406.512.803 (“FUNPLUS”)

Applicable to:
(“SERVICE PROVIDER” / “DATA PROCESSOR”)

THESE TERMS AND CONDITIONS FORM AN INTEGRAL PART
OF THE SERVICE AGREEMENT BETWEEN FUNPLUS AND DATA PROCESSOR
(“SERVICE AGREEMENT”)

FunPlus and the Service Provider have entered into the Service Agreement whereby the Service Provider provides Services involving the processing of Personal Data. To the extent the Service Provider may be required to process Personal Data on behalf of FunPlus under the Service Agreement, the Service Provider will do so in accordance with the terms set out in this Data Processing Addendum (“Addendum”). In case of any conflict between a provision of this Addendum and the Service Agreement, or any previous data protection agreement entered between the Parties, the provisions of this Addendum will prevail.  

FunPlus and the Service Provider seek to implement data processing terms that comply with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1. Definition and Interpretation

A. Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning:

1.1 Contracted Processor means Data Processor or a Sub-processor;

1.2 Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including the EU GDPR, UK GDPR, PIPL, CCPA, PIPEDA, COPPA, and Swiss revised Federal Act on Data Protection (“Swiss nFADP”);

1.3 Data Transfer means:

  • a) a transfer of FunPlus Personal Data from FunPlus to a Data Processor; or
  • b) an onward transfer of FunPlus Personal Data from Data Processor as a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

1.4 EEA means the European Economic Area;

1.5 EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.6 FunPlus Personal Data means any Personal Data Processed by Data Processor on behalf of FunPlus pursuant to or in connection with the Service Agreement as defined in Annex 1 hereto.

1.7 GDPR means EU General Data Protection Regulation 2016/679;

1.8 “New Standard Contractual Clauses” or “SCC 2021” means the agreement pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 (Commission Implementing Decision (EU) 2021/914 on Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council), as officially published at https://eurlex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN

1.9 Purpose means the purpose of the collection of the FunPlus Personal Data by Data Processor under the terms of the Service Agreement.

1.10 Services means the services provided by the Service Provider under the Service Agreement.

1.11 Sub-processor means any person appointed by or on behalf of Processor to process Personal Data on behalf of FunPlus in connection with the Service Agreement or this Addendum.

B. The term “Personal Data” used in this Addendum shall encompass all data subjects according to the EU GDPR and Swiss nFADP.

C. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. FunPlus Personal Data

FunPlus retains control of the FunPlus Personal Data and remains responsible for its compliance obligations under the applicable data protection laws, including providing any required notices, obtaining any required consents, and for the processing instructions it gives to the Service Provider.

3. Description of Processing(s)

The parties acknowledge and agree that with regard to the processing of FunPlus Personal Data, FunPlus is the data controller and Service Provider is a data processor.

The details of processing activities, in particular the categories of personal data and the purpose of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.

4. Processing of Personal Data by the Data Processor

4.1 As described in the Service Agreement, where the Service Provider provides FunPlus with the Service, the Service Provider is processing FunPlus’ personal data as a Data Processor.

4.2 The Data Processor shall process personal data only based on the documented instruction from FunPlus unless required to do so by Union or Member State law to which the Data Processor is the subject. In this case, the Data Processor shall inform FunPlus of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by FunPlus throughout the duration of the processing of personal data. These instructions shall always be documented.

4.3 When the Data Processor processes FunPlus Personal Data for the purposes of Services, the Data Processor will only process FunPlus Personal Data for the specific processing purpose(s), for the specific duration based on FunPlus’ documented instructions, and to the extent that it is required to render the Service under the Service Agreement. The Data Processor will not process FunPlus Personal Data for any other purposes or in a way that does not comply with this Addendum or applicable Data Protection laws.

4.4 Should the Data Processor reasonably believe that a specific processing activity beyond the scope of FunPlus’ instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor must inform FunPlus of that legal obligation and seek explicit authorization from FunPlus before undertaking such processing.

4.5 Data Processor acknowledges that it is prohibited from selling FunPlus’ Personal Data, retaining, using, or disclosing FunPlus’ Personal Data for any other purposes other than for the specific purposes of performing the Services under the Service Agreement, unless permitted under applicable laws.

5. Data Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall in relation to the FunPlus Personal Data implement appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level of security, confidentiality, and integrity of FunPlus Personal Data as well as to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. FunPlus’ technical and organizational measures are described in Exhibit B.

5.2 In assessing the appropriate level of security, the Data Processor shall take into account the risks presented during Processing activities, in particular from a Personal Data Breach.

5.3 Each Party shall undertake regular compliance monitoring with these safeguards and will not materially reduce the overall security controls during the term of this Addendum.

5.4 The Data Processor will not transfer FunPlus Personal Data to third parties except under written contracts that guarantee at least the same level of data protection and information security as provided herein and will assume responsibility for the acts and omissions of said third parties, in relation to the processing of personal data. 

5.5 When processing FunPlus’ Personal Data, the Data Processor shall take reasonable steps to ensure the reliability of its employee, agent, or contractor who may have access to FunPlus Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant FunPlus Personal Data, as strictly necessary for the purposes of the Service Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

6. Sensitive Personal Data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“Sensitive Personal Data”), the Data Processor shall apply specific restrictions and/or additional safeguards.

7. Sub-processing

7.1 Data Processor shall not appoint (or disclose any FunPlus Personal Data to) any Sub-processor unless explicitly required or authorized by FunPlus as written in Annex III.

7.2 Subject to FunPlus’ prior written approval, the Data Processor shall safeguard that Sub-processors shall at all times comply with all obligations of the GDPR and other applicable Data Protection Laws and the Data Processor shall therefore impose at least identical terms as those set out in this Agreement to its approved Sub-processors. Furthermore, Data Processor shall remain fully liable for all costs, expenses, and damages (including reasonable legal counsel costs) relating to any breach, default, or non-compliance by any Sub-processor under the GDPR and any applicable terms referred to herein and Data Processor shall forthwith inform FunPlus about any such Sub-processor breaches, if any. 

7.3 Without prejudice to any other rights or remedies that FunPlus may have, Data Processor furthermore acknowledges and agrees that damages alone would not be an adequate remedy for any breach of the terms of this agreement by Data Processor or a Sub-processor. Accordingly, FunPlus shall be entitled to the remedies of injunctions, specific performance, and other equitable relief for any threatened or actual breach of this agreement.

7.4 The Data Processor will notify FunPlus in writing of any intended changes to the agreed sub-processor at least fourteen (14) days in advance, thereby giving FunPlus the opportunity to object to such changes. Such objection must be made in writing to the Provider within ten (10) days of notification.

8. International Transfer of Personal Data

8.1 This section applies to FunPlus Personal Data transfers as required by the Parties to perform their obligations under the Service Agreement including the export and import of Personal Data by FunPlus and the Service Provider.

8.2 Any transfer of data to a third country or an international organization by the Data Processor shall be done only on the basis of documented instructions from FunPlus or in order to fulfill a specific requirement under Union or Member State law to which the Data Processor is subject and shall take place in compliance.

8.3 Transfer of Personal Data which is governed by the GDPR to a country outside of the European Economic Area (EEA) and that is not subject to an Adequacy Decision (“Third Country”) is made in accordance with the EU Standard Contractual Clauses (“EU SCC”), pursuant to the EU Commission Decision C(2021) 3972, in the module specified in Exhibit A of this Addendum.

8.4 To the extent that the processing of FunPlus Personal Data is conducted in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the EU SCCs, which are incorporated by reference, shall apply to any such processing as follows:

  • a. Module 2 (Controller to Processor) shall apply where FunPlus is a Controller; and
  • b. Module 3 (Processor to Processor) shall apply to the relationship between Data Processor and Sub-Processor.

8.5 Purely for the purpose of description in the SCCs, and only as between the Parties, FunPlus is the “data exporter” and Data Processor is the “data importer” under the SCCs. 

8.6 FunPlus agrees that where the Data Processor engages a Sub-Processor in accordance with Article 7 of this Addendum for carrying out specific processing activities (on behalf of the Data Controller) and those processing activities involve a transfer of personal data of Chapter 5 of the GDPR, the Data Processor and the Sub-Processor can ensure compliance with Chapter 5 of the GDPR by using EU SCC adopted by the Commission in accordance with Article 46.2 of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

8.7 Transfer from Switzerland

The Parties agree that the following provision shall apply with respect to data transferred that are governed by the Swiss nFADP, when the Data Processor processes FunPlus Personal Data in the course of providing Services pursuant to the Agreement:

  • a. to the extent the Data Processor processes any Personal Data subject to the Swiss nFADP, the parties agree to comply with the EU SCC, as amended by sections sub b-f of this clause 8.7;
  • b. references to (articles in) the EU GDPR 2016/679 shall be deemed to refer to (respective articles in) the Swiss nFADP;
  • c. reference to the competent Supervisory Authority in Annex I.C in Clause 13 shall be deemed to refer to the Swiss Federal Data Protection and Information Commissioner (“FDPIC”);
  • d. references to Member State(s)/ EU Member State(s) shall be deemed to include Switzerland;
  • e. reference to European Union in Annex I (A) shall be deemed to include Switzerland; and
  • f. where the Clauses use terms that are defined in the EU GDPR, those terms shall be deemed to have the meaning as the equivalent terms are defined in the Swiss nFADP. 

9. Personal Data Breach

9.1 In the event the Data Processor becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data (“Personal Data Breach”), the Data Processor shall assist FunPlus:

  • a. In notifying the Personal Data Breach to the competent supervisory authority/ies, without undue delay after FunPlus or Data Processor has become aware of it, where relevant (unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  • b. In obtaining the following information which shall be stated in Data Controller’s notification, and must include:
    • i. The nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    • ii. The likely consequences of the Personal Data Breach;
    • iii. The measures taken or proposed to be taken by the Data Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall be provided without undue delay.

  • c. In complying with the obligation to communicate without undue delay the Personal Data Breach to the Data Subject, when the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons.

 

9.2 In the event of a Personal Data Breach concerning FunPlus Personal Data processed by the Data Processor, the Data Processor shall notify the Data Controller without undue delay after the Data Processor has become aware of the breach. Such notification shall contain, at least:

  • a. A description of the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
  • b. The details of a contact point where more information concerning the Personal Data Breach can be obtained;
  • c. Its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

10. Data Subject Rights

10.1 Taking into account the nature of the Processing, Data Processor shall assist FunPlus by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the FunPlus obligations, as reasonably understood by FunPlus, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

10.2 Data Processor shall:

  • a. promptly notify FunPlus if it receives a request from a Data Subject under any Data Protection Law in respect of FunPlus Personal Data; and
  • b. ensure that it does not respond to that request except on the documented instructions of FunPlus or as required by Applicable Laws to which the Data Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform FunPlus by email to privacyoffice@funplus.com of that legal requirement before the Contracted Processor responds to the request.

11. Data Protection Impact Assessment (DPIA) and Prior Consultation

Data Processor shall provide reasonable assistance to FunPlus with any Data Protection Impact Assessments (DPIA) and prior consultations with Supervising Authorities or other competent data privacy authorities, which FunPlus reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of FunPlus Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

12. Deletion or return of FunPlus Personal Data

12.1 Where the Service Agreement requires the Service Provider to retain FunPlus Personal Data, the Service Provider will delete that FunPlus Personal Data within the time period agreed to in the Service Agreement, unless the Service Provider is permitted or required by the applicable law to retain such personal data for a longer period. 

12.2 Where the retention of personal data has not been addressed in the Service Agreement, the Data Processor will within 10 business days either delete, destroy or return all personal data to FunPlus and any existing copies upon the later of:

  • a. The Service Agreement is terminated by both Parties;
  • b. This Addendum terminates;
  • c. FunPlus requests the Service Provider to do so in writing; or
  • d. The Service Provider has otherwise fulfilled all purposes agreed in the context of the Service Agreement related to the processing activities where FunPlus does not require the provider to do any further processing.

12.3 The Service Provider will provide FunPlus with a destruction certificate at FunPlus’ request.

12.4 On the termination of this Addendum, the Data Processor will notify all Sub-Processors supporting its own processing and make sure that they either destroy the personal data or return the personal data to FunPlus, at the discretion of FunPlus.

13. Audits

13.1 The Data Processor shall make available to FunPlus on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by FunPlus or an auditor mandated by FunPlus in relation to the Processing of the FunPlus Personal Data by the Contracted Processors.

13.2 Information and audit rights of FunPlus only arise under section 13 to the extent that this Addendum does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

13.3 Without prejudice to any rights of FunPlus under this Addendum, the Parties will in good faith agree on the exact timing, scope, and methods of any audit hereunder.

14. Duration, and Termination

14.1 This Addendum will take effect as of the Effective Date of the Service Agreement and will remain in force so long as the Service Agreement remains in effect or the Service Provider retains any FunPlus Personal Data related to the Service Agreement in its possession or control.

14.2 FunPlus shall be entitled to terminate this Addendum insofar as it concerns the processing of its personal data in accordance with this Addendum if:

  • a. The Processing of personal data by the Data Processor has been suspended by FunPlus due to Non-Compliance with this Addendum and if compliance with this Addendum is not restored within a reasonable time and in any event within one month following suspension;
  • b. The Data Processor is in substantial or persistent breach of this Addendum and its obligations under the GDPR;
  • c. The Data Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this Addendum or to the GDPR.

14.3 The Data Processor shall be entitled to terminate this Addendum insofar as it concerns the processing of personal data under this Addendum where, after having informed FunPlus as the Data Controller that its instructions infringe the applicable legal requirements, FunPlus insists on compliance with the instructions.

14.4 Following the termination of this Addendum, the Data Processor shall, at the choice of FunPlus, delete all personal data processed on behalf of FunPlus and certify to FunPlus that it has done so, or, return all the personal data to the Data Controller and delete existing copies unless Union or Member State law requires the storage of the personal data. Until the data is deleted or returned, the Data Processor shall continue to ensure compliance with this Addendum.

15. General Terms

15.1 Non-Compliance with the Addendum. In the event that the Data Processor is in breach of its obligations under this Addendum, FunPlus may instruct the Data Processor to suspend the processing of personal data until the latter complies with this Addendum or the Service Agreement is terminated. The Data Processor shall promptly inform FunPlus in case it is unable to comply with this Addendum, for whatever reason.

15.2 Confidentiality. Each Party must keep this Addendum and the information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  • a) disclosure is required by law;
  • b) the relevant information is already in the public domain.

15.3 Notices. All notices and communications given under this Addendum must be in writing and will be delivered personally, sent by post or sent by email to the contact details of FunPlus or the Provider as provided in Annex I.

15.4 The exhibits and annexes to this Addendum form an integral part hereof by reference.

16. Governing Law and Jurisdiction

16.1 This Addendum is governed by the laws of Spain. 

16.2 Any dispute arising in connection with this Addendum, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Madrid, Spain.

 

List of Exhibits and Annexes

Exhibit A: Standard Contractual Clauses For Personal Data Transfer from FunPlus to The Service Provider
Annex I: Processing details of FunPlus’ Personal Data by the Provider
Annex II: Technical And Organisational Measures To Ensure The Security Of The Personal Data By Data Processor
Annex III: List of Sub-Processors
Exhibit B: FunPlus’ Technical And Organisational Measures To Ensure The Security Of The Personal Data

 

 

NOTE:

EXHIBIT A & ANNEXES I, II, AND III WILL BE PROVIDED BY FUNPLUS AND SHALL BE COMPLETED BY THE PARTIES SEPARATELY.

 

 

EXHIBIT B

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA

FUNPLUS INTERNATIONAL AG

Below is the description of Technical and Organizational Measures (TOM) implemented by FunPlus International AG. In order to satisfy FunPlus’ obligations under article 32 of the EU GDPR, articles 7 & 8 of the Swiss revised FADP (“Swiss nFADP”), article 3 of Ordinance to the Swiss nFADP and section 5 of FunPlus Data Breach Policy, FunPlus management, employees, and dedicated staff are responsible for the development, implementation and maintenance of this TOM for Personal Data Protection. FunPlus will ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of the data subjects.

FunPlus reserves the right to change or modify the security measures contained in this TOM at any time and in our sole discretion, without reducing the data protection security level.

1. SECURITY MEASURES TO ENSURE THE CONFIDENTIALITY OF PERSONAL DATA

A. Access control

The access control has been designed to prevent access by unauthorized people to the data processing facilities. These measures also ensure that the authorized people may only access the data in accordance with their access authorization and that personal data cannot be read, copied, modified, altered, or deleted without authorization during the processing and retention period.

FunPlus has implemented and maintains suitable measures to prevent unauthorized persons from gaining access to the personal data held by FunPlus. FunPlus employees are assigned minimum access rights depending on their job requirements.

B. Entrance Control

FunPlus implements an entrance control to prevent unauthorized entrance to its premises and facility rooms. The employees are provided with an access control validation (e.g., badge access system) to be able to enter FunPlus’ premises. FunPlus’ office services providers such as cleaning service personnel and plant service personnel (“Office Service Providers”) are provided with badges to enter the facility. The Office Service Providers have signed a confidentiality agreement and must comply with the Service Provider Notice which contains information about general security and confidentiality obligations towards any FunPlus’ confidential information.

C. Data Usage

On the back-end, all servers and applications use a unified identity management system for privilege authentication. FunPlus’ employees must use their role to submit a permission request and the applicant must specify the content of the data to be accessed, the reason for the access and the duration of the access. Permissions granted to employees are reviewed periodically each time they are granted and are automatically revoked when they are transferred or leave. At the database level, all insertions, queries, updates, and deletions are subject to storage of operation logs, regular analysis of operation traffic, and alerting and blocking of illegal.

2. SECURITY MEASURES TO ENSURE THE AVAILABILITY AND INTEGRITY OF PERSONAL DATA

A. Data Storage

All data is stored in a unified data warehouse platform (Snowflake and AWS) and is graded into tables based on the sensitivity level of the data. For personal privacy-related data, strong encryption algorithms are used for encrypted storage.

B. Transport Control (Data Transfer) 

All internet application communications need to be traffic encrypted using TLS or other encryption methods. Specific keys are used for signing, authentication, and encryption during data interactions. This ensures the confidentiality, integrity, and reliability of the data.

C. Data Recovery (Protection Against a Technical Incident)

FunPlus protects personal data against accidental destruction or loss. For this purpose, the architecture of data processing systems, including network infrastructure, the power supply, and the connection to the internet must be designed redundantly. A comprehensive backup and recovery concept is in place to prevent data loss.

Measures are taken to ensure that the data can be recovered quickly in the event of data loss. A combination of redundant systems and backup solutions are used to protect against the loss of data. All data is backed up at least once per day. In case of data loss, this data can be recovered from the existing backups.

D. Data Integrity

The data system is backed up daily, and the monitoring system monitors in real-time whether the data system has a malfunction. If there are any problems, it will automatically trigger the backup switch mechanism to restore system availability.

E. System Security 

All new features of all businesses will undergo security testing before going online. If security vulnerabilities are found, they will be submitted to the development staff for repair. At the same time, penetration testing of online services will be conducted every day to ensure that new vulnerabilities are discovered and repaired in a timely manner.

F. Data Audit

A log of all the above data lifecycle operations needs to be kept. Information security can be monitored by using technologies such as semantic analysis and behavioral filtering to detect, for example, illegal access to sensitive data, the elevation of privileges, failed login events, etc. If abnormal behavior is detected, the system will issue alerts to ensure that each breach can be tracked.

G. Data Destruction

A user data erasure interface and a stop switch for each data service must be provided. When users apply to stop sharing their personal privacy data, their personal data must be erased from the data platform in a timely manner.

All games have already launched a self-service account and data deletion function within the game. Currently, players can apply for account and data deletion through customer service or the Privacy Office email address (privacyoffice@funplus.com).

Our copies of data are mainly stored in the following places:

  • MySQL database on the server
  • AWS S3 object storage
  • Snowflake’s data lake

When FunPlus uses its data deletion programs to delete user data, database commands are executed in MySQL and Snowflake to delete the personal data. S3 data is held in cold standby format and cannot be directly deleted, but once the data in the database has been deleted, the data in S3 can no longer be used to restore the data for the Data Subjects, so it is treated as anonymous.

FunPlus cannot delete the personal data collected by the third party directly. Most of the third parties do not provide methods to delete the data. FunPlus can only rely on the storage validity of the other party, which is generally destroyed automatically after one year.

3. SECURITY MEASURES TO ENSURE THE TRACEABILITY OF PERSONAL DATA

A. Input Control

The data system has a logging function and all operations will leave logs for audit.

B. Disclosure Control

Every data transmission requires an application to be submitted; transmission is allowed only after the usage method and disclosure object have been explained and approval has been obtained.

C. Remediation

All operation logs will be recorded. If unauthorized operations occur, the audit system will detect and alert. Upon receiving the alert, security personnel will review and inquire in a timely manner to prevent the occurrence of violations.

4. INDUSTRY STANDARDS

FunPlus’ information security and privacy program will be based upon recognized industry standards such as ISO 27000:2013 for Information security management systems and ISO 27701:2019 for Privacy Information Management Systems.

5. ORGANIZATIONAL SECURITY MEASURES

A. Employees’ Training

All new employees receive onboarding and mandatory security and data protection awareness training, which must be completed during their first two weeks. The training aims to give them knowledge of data protection and security measures for doing their job. FunPlus will also make sure that all respective accounts are disabled as soon as employees leave the organization.

FunPlus has provided its employees with the Data Protection Policy and its sub-policies as a guideline for the employees in doing their day-to-day business activities. 

B. Passwords

Password controls are designed to manage and control password strength, expiration, and usage including prohibiting employees from sharing passwords.

C. Personal Data Transfer

FunPlus ensures that Personal Data can only be accessed by authorized parties during the transfer or storage of personal data. When the Personal Data must be transferred, the following measures are taken to control the transfer of Personal Data:

  • The transfer of personal data is encrypted.
  • Personal Data shall not be transferred to a third country outside of the European Union and EEA countries in the absence of an adequacy decision. FunPlus will take measures to compensate for the lack of data protection in such third countries by way of appropriate safeguards for the Data Subjects.
  • FunPlus utilizes EU Standard Contractual Clauses (EU SCCs) as our primary international data transfer mechanism of Personal Data outside the European Union and EEA countries to third-party countries or international organizations, to ensure the level of protection of such Personal Data. In light of the requirements of the EU SCCs, FunPlus observes additional security measures such as encryption at rest and in transit.

 

D. Privacy Management

FunPlus operates an internal Data Protection Impact Assessment at the early stage of a new project or system to ensure privacy by design for any new platform features. 

FunPlus and the contracted processors must establish appropriate technical and organizational security measures to ensure their safe data processing activities. Both FunPlus and the contracted processor must also regularly review the effectiveness of these measures for critical approval according to an appropriate process.

E. Personal Data Breach Management

In case of a personal data breach, FunPlus shall without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, notify the personal data breach to the Supervisory Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The following measures are taken to respond to the incident:

  • FunPlus takes the confidentiality and protection of the personal data of its global players, employees, job applicants and partners very seriously. A
  • When an individual suspects a data protection incident, this must be reported to the Privacy Office. The Privacy Office Coordinator and Legal Team will immediately assess the report and decide if the incident involves personal data or not. If the conclusion of the report is a personal data breach, FunPlus will make a report to the Supervisory Authority within 72 hours after becoming aware of the incident and follow the handling procedure as described in the Data Breach Policy. The Privacy Office Coordinator and the ad hoc team will investigate the report, data breaches, and exposures, and notify the data subjects affected.

6. REGULAR REVIEW

A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing must be implemented. This measure is to be implemented in the form of a data protection management system, tested, and optimized within the scope of a continuous improvement process.

7. CONTACT DETAILS OF FUNPLUS’ PRIVACY OFFICE, AND EU & UK REPRESENTATIVE

A. Privacy Office

FunPlus International AG

Address: Bahnhofstrasse 2, 6300 Zug

E-mail: privacyoffice@funplus.com

B. FunPlus EU Representative: 

FunPlus Games Spain SL 

Address: Carrer Casp 21, Pl. 5ª 08010, Barcelona, Spain

E-mail: EUrepresentativeoffice@funplus.com

C. FunPlus UK Representative

GRCI Law Limited

E-mail: ukrep@grcilaw.com

Please include “FunPlus International AG” when contacting our UK Representative

FunPlus International AG – Bahnhofstrasse 2 – 6300 Zug, Switzerland