INTERNATIONAL DATA TRANSFER ADDENDUM

SportBooster – Enterprise Version 1.0

Version 1.0 (Enterprise Hardened)

Effective Date: 20.2.2026

This International Data Transfer Addendum (“Addendum”) forms an integral part of:

  • the Data Processing Agreement (DPA),
  • the EU Standard Contractual Clauses (Module 2 – Controller to Processor),
  • and, where applicable, the UK International Data Transfer Addendum.

This Addendum governs international transfers of personal data outside the European Economic Area (EEA) and, where applicable, outside the United Kingdom.

1. PARTIES

For the purposes of this Addendum:

Data Exporter:

The Club / Expert / Business Entity acting as Controller under the DPA.

Data Importer:

Milkam s.r.o., Slovakia, acting as Processor under the DPA.

2. SCOPE

2.1 This Addendum applies to transfers of personal data to third countries that do not benefit from an adequacy decision under Article 45 GDPR.

2.2 This Addendum supplements but does not replace the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

2.3 In the event of conflict, the SCC prevail.

3. LEGAL TRANSFER MECHANISMS

International transfers are conducted under one or more of the following mechanisms:

  • EU Standard Contractual Clauses (Module 2),
  • UK International Data Transfer Addendum (if applicable),
  • Adequacy Decisions under Article 45 GDPR,
  • Supplementary technical and organisational measures,
  • Other lawful transfer mechanisms under GDPR Chapter V.

4. TRANSFER IMPACT ASSESSMENT (TIA)

4.1 The Data Importer confirms that it has assessed the laws and practices of relevant third countries in accordance with Clause 14 SCC.

4.2 The parties shall document their assessment where required.

4.3 The Data Importer shall monitor legal developments in third countries that may affect compliance.

4.4 If the Data Importer becomes aware of circumstances preventing compliance with the SCC, it shall:

  • promptly notify the Data Exporter,
  • cooperate to identify appropriate safeguards,
  • suspend transfers if necessary.

5. SUPPLEMENTARY TECHNICAL AND ORGANISATIONAL MEASURES

In addition to the safeguards under the SCC, the Processor implements:

  • encryption in transit (TLS),
  • encryption at rest (where applicable),
  • strict role-based access control,
  • multi-factor authentication,
  • data minimisation principles,
  • logging and monitoring,
  • incident response procedures,
  • contractual safeguards with sub-processors.

These measures are further described in Annex II of the DPA.

6. GOVERNMENT ACCESS REQUESTS

6.1 If the Data Importer receives a legally binding request from a public authority for access to personal data, it shall:

  • review the legality of the request,
  • assess proportionality,
  • challenge unlawful or disproportionate requests where appropriate,
  • document such requests.

6.2 The Data Importer shall notify the Data Exporter without undue delay unless legally prohibited.

6.3 If legally prohibited from notification, the Data Importer shall use reasonable efforts to obtain a waiver of such prohibition.

6.4 The Data Importer shall maintain internal documentation of government access requests.

7. TRANSPARENCY AND SUB-PROCESSORS

7.1 The Data Importer shall maintain transparency regarding:

  • international transfers,
  • sub-processors,
  • applicable safeguards.

7.2 An up-to-date list of sub-processors is available under Annex III of the DPA.

7.3 Sub-processors engaged outside the EEA shall be subject to SCC or equivalent safeguards.

8. SUSPENSION AND TERMINATION

8.1 Where compliance with GDPR Chapter V cannot be ensured, transfers shall be suspended.

8.2 The Data Exporter may suspend data transfers if the Data Importer is in breach of this Addendum or the SCC.

8.3 Persistent non-compliance may result in termination of the underlying service agreement.

9. AUDIT AND COOPERATION

9.1 The Data Importer shall make available information necessary to demonstrate compliance with this Addendum.

9.2 The Data Exporter may exercise audit rights as set out in the DPA.

10. GOVERNING LAW

This Addendum shall be governed by the same law as the underlying DPA.

11. PRECEDENCE

In the event of conflict:

1. SCC prevail over this Addendum,

2. This Addendum prevails over the DPA,

3. The DPA prevails over other agreements.

This Addendum forms part of the global compliance framework governing the SportBooster platform.