XAMPION® SERVICE PRIVACY STATEMENT

1. CONTROLLER

Progda Ltd. (business ID 2761180-5) shall act as the Controller.

The contact person for register-related matters is:

Tero Suominen, CEO

Address: Satakunnantie 12, FI-20100 Turku
Email: support@xampion.com

2. NAME OF THE REGISTER

The register is called Xampion® Service User Register.

3. PURPOSE OF PERSONAL DATA PROCESSING

Personal data will be processed for the following purposes:

  • for providing the Service, the related device and overall concept to the data subject;
  • for enabling the use of the Service for the data subject;
  • for managing the Service and carrying out the Controller’s tasks, obligations and rights relating to the Service management;
  • for enabling Service-related contacts;
  • to enable granting access rights to club coaches so that they can invite data subjects to use the Team Service.

The Controller shall process personal data for the aforementioned purposes in connection with matters and tasks relating to these purposes both during the use of the Service and after the use of the Service has ended, to the extent necessary for realising the relevant purpose.

The Controller shall process the personal data within its organisation and use subcontractors that operate on behalf of and for the Controller.

4. LEGAL BASIS FOR PERSONAL DATA PROCESSING

The legal basis for personal data processing shall include the following grounds laid down in the Finnish Personal Data Act:

  • (a) an unambiguous consent provided by the data subject;
  • (b) an assignment given by the data subject, or performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract;
  • (c) a relevant connection between the data subject and the operations of the Controller, based on the data subject having a client relationship or another comparable relationship to the Controller (connection requirement).

The legal basis for personal data processing shall include the following grounds laid down in the EU’s General Data Protection Regulation (“GDPR”):

  • (d) the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • (e) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • (f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.

The aforementioned legitimate interest pursued by the Controller shall be based on a relevant and appropriate relationship between the Controller and the data subject, which has resulted from the data subject’s Service use, and on the processing being performed for purposes that the data subject can reasonably have expected to be performed at the time of collecting the personal data and in connection with the appropriate relationship.

If the data subject is under 18 years of age, the aforementioned consent can only be provided by the holder of parental responsibility.

5. DATA CONTENT OF THE REGISTER (processed personal data categories)

Principally, the register contains the following personal data collected from all data subjects:

  • (a) the data subject’s basic information, such as name and contact details;
  • (b) the data subject’s user ID in the Service (email address);

In addition, the register contains the following personal data of data subjects who are players:

  • (c) date of birth (age), gender;
  • (d) the data subject’s biometric data (height, weight);
  • (e) data concerning the data subject’s team and division;
  • (f) the data subject’s playing position;
  • (g) data required for identifying the data subject’s phone and Service-related device and connecting to them;
  • (h) the activity and practice data generated when the data subject has used the Service, including data concerning the data subject’s participation in practices and matches, the intensity of the data subject’s practicing and playing, the number of steps, distance travelled as well as the number and quality of ball touches;
  • (i) the data on the data subject’s use of the Service, such as the automatically collected statistical information on the Service’s performance and on how the data subject uses the Service.

In addition, the register contains the following personal data on the data subject that they have entered to the Service by themselves or that have been entered with their consent:

  • (j) the data subject’s playing position data;
  • (k) the data subject’s normal amount of practice per week;
  • (l) the data subject’s linked social connections in the Service;
  • (m) the data subject’s message history in the Service;
  • (n) the data subject’s membership in communities and groups;
  • (o) the direct marketing consents and/or refusals the data subject has provided;
  • (p) the data subject’s consent to the use of the Service and for sharing their data with the team’s other players, coach(es) and the person responsible for the club’s coaching or to a person in a similar position.

Providing the Controller with the aforementioned personal data is a requirement for using the Service. If the Controller does not receive this personal data, they may not be able to perform their duties as per the contract.

6. REGULAR DATA SOURCES

Personal data shall primarily be collected from the data subject.

In addition, the Controller shall collect calendar information on practices from the team.

7. PERSONAL DATA RETENTION PERIOD

The collected data shall be retained only for the duration and in the extent necessary for the successful realisation of the original or compatible purposes for which the data was compiled.

The need to retain personal data shall be assessed in intervals of five (5) years, and in any case, data on a data subject shall be removed from the register seven (7) years after the relevant data subject’s user relationship to the Service hosted by the Controller has ended, and the obligations and measures related to the user relationship have been performed.

The Controller shall regularly assess the need to retain the data (as per the internal code of conduct). Furthermore, the Controller shall perform all possible and required measures to ensure that personal data which is too inaccurate, erroneous or outdated for the purposes of processing is deleted or corrected without delay.

8. THE RECIPIENTS OF PERSONAL DATA (RECIPIENT CATEGORIES) AND THE REGULAR DISCLOSURE OF DATA

Personal data shall not be disclosed to parties external to the data subject’s team or club.

9. TRANSFERRING DATA OUTSIDE OF THE EU OR THE EEA

The data contained in the register shall not be transferred outside of the EU or EEA.

10. PRINCIPLES OF REGISTER PROTECTION

Data material containing personal data is retained in a locked facility that can only be accessed by appointed persons whose duties require access authority.

The database containing personal data is on a server which is kept in a locked facility that can only be accessed by appointed persons whose duties require access authority. The server is protected with an appropriate fire wall and technical protection.

The databases and systems can only be accessed with separately granted personal user IDs and passwords. The Controller has restricted the access rights and the authorisations to access data systems and other mediums such that the data can only be accessed and processed by persons who are needed with regard to lawful processing. In addition, the database and system transactions are registered in the Controller’s IT system’s log.

The Controller’s employees and other personnel have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.

11. RIGHTS OF THE DATA SUBJECT

The data subject shall have the following rights laid down in the Finnish Personal Data Act:

  • the right of access, after having supplied sufficient search criteria, to the data on them in the person register, or to a notice that the register contains no such data as well as to information of the regular sources of data in the register, on the uses for the data in the register and the regular destinations of disclosed data;
  • the right to demand the correction, removal or supplementation of data which is erroneous, unnecessary, incomplete or obsolete for the purposes of the processing and which is contained in the register;

The data subject shall have the following rights laid down in the EU’s General Data Protection Regulation:

  • the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, if that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed; (iv) if possible, the planned period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) if personal data is not collected from the data subject, any available information as to the data’s source. The described basic data (i)–(vii) shall be given to the data subject with this form;
  • the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning the data subject, and taking into account the purposes of the processing, the right to have incomplete personal data completed by means of, for example, providing a supplementary statement;
  • the right to obtain from the Controller the erasure of personal data concerning the data subject without undue delay provided that (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there are no longer legal grounds for the processing; (iii) the data subject objects to the processing on the grounds of a special personal situation and there are no overriding legitimate grounds for the processing; (iv) the personal data has been unlawfully processed; or (v) the personal data has to be erased for compliance with a legal obligation in the EU or national law to which the Controller is subject;
  • the right to obtain from the controller restriction of processing if (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on the grounds of a special personal situation pending the verification whether the legitimate grounds of the controller override those of the data subject;
  • the right to receive the personal data concerning the data subject, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transfer that data to another controller without hindrance from the Controller to which the personal data has been provided if the processing is based on consent set out in the GDPR and the processing is carried out automatically;
  • the right to lodge a complaint with a supervisory authority if the data subject considers that the EU’s General Data Protection Regulation is violated in the processing of personal data concerning them.

Requests concerning the realisation of the data subject’s rights shall be addressed to the Controller’s contact person mentioned in Section 1.