STANDARD CONTRACTUAL CLAUSES (SCC)

Module 2 – Controller to Processor

SportBooster – International Data Transfers

Based on Commission Implementing Decision (EU) 2021/914

Version: 1.0 SportBooster

Effective Date: 20.2.2026

SECTION I

Clause 1 – Purpose and scope

(a) These Standard Contractual Clauses (“Clauses”) are entered into between:

Data Exporter (Controller):

The Club / Expert / Business Entity using the SportBooster platform

and

Data Importer (Processor):

Milkam s.r.o.

Lúčky 3

90851 Holíč

Slovak Republic

(b) The purpose of these Clauses is to ensure compliance with Chapter V of Regulation (EU) 2016/679 (GDPR) for the transfer of personal data to a third country.

(c) These Clauses apply to the transfer of personal data as specified in Annex I.

Clause 2 – Effect and invariability

(a) These Clauses set out appropriate safeguards within the meaning of Article 46(1) GDPR.

(b) These Clauses prevail over any conflicting provisions of related agreements.

(c) The Clauses may not be modified, except to select appropriate modules or add Annex information.

Clause 3 – Third-party beneficiaries

Data subjects may invoke and enforce these Clauses as third-party beneficiaries.

Clause 4 – Interpretation

(a) These Clauses shall be interpreted in light of the GDPR.

(b) In case of conflict, GDPR prevails.

Clause 5 – Hierarchy

In the event of inconsistency between these Clauses and related agreements, these Clauses shall prevail.

Clause 6 – Description of the transfer(s)

The details of the transfer(s), including categories of personal data and purposes, are specified in Annex I.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 7 – Docking clause

An entity that is not a party to these Clauses may accede to them as either a data exporter or data importer.

Clause 8 – Data protection safeguards

The Data Importer (Processor) shall:

  • process personal data only on documented instructions,
  • ensure confidentiality of personnel,
  • implement appropriate technical and organisational measures (Annex II),
  • assist the Controller in responding to data subject requests,
  • assist in ensuring compliance with Articles 32–36 GDPR,
  • delete or return personal data upon termination,
  • make available information necessary to demonstrate compliance.

Clause 9 – Use of sub-processors

(a) The Processor has general authorisation to engage sub-processors listed in Annex III.

(b) The Processor shall inform the Controller of any intended changes concerning sub-processors.

(c) Sub-processors shall be bound by written agreements in accordance with Article 28 GDPR.

Clause 10 – Data subject rights

The Processor shall promptly notify the Controller of any request received directly from a data subject.

Clause 11 – Redress

Data subjects may lodge complaints with supervisory authorities or courts.

Clause 12 – Liability

Each party shall be liable for the damage it causes by breaching these Clauses.

Clause 13 – Supervision

The competent supervisory authority is:

Office for Personal Data Protection of the Slovak Republic.

Clause 14 – Local laws and practices affecting compliance

(a) The parties warrant that they have no reason to believe that the laws and practices in the third country prevent compliance with these Clauses.

(b) The Processor shall notify the Controller if it becomes aware of any inability to comply.

(c) The parties shall document their transfer impact assessment (TIA).

Clause 15 – Obligations in case of access by public authorities

(a) The Processor shall notify the Controller if it receives a legally binding request from a public authority.

(b) The Processor shall review the legality of such request.

(c) The Processor shall document and challenge disproportionate requests where appropriate.

SECTION III – FINAL PROVISIONS

Clause 16 – Non-compliance and termination

If the Processor is in breach of these Clauses, the Controller may suspend the transfer or terminate the contract.

Clause 17 – Governing law

These Clauses shall be governed by the law of the Slovak Republic.

Clause 18 – Choice of forum and jurisdiction

Disputes shall be resolved by the courts of the Slovak Republic.

ANNEX I – DESCRIPTION OF THE TRANSFER

A. List of parties

Data Exporter:

Club / Expert / Business Entity using SportBooster.

Data Importer:

Milkam s.r.o., Slovakia.

B. Description of transfer

Categories of data subjects:

  • club members
  • minors
  • parents
  • coaches
  • staff
  • experts

Categories of personal data:

  • identification data
  • contact data
  • technical data
  • payment-related data
  • communication data
  • sports-related data

Purpose of transfer:

Provision of SaaS platform services.

Retention period:

For the duration of the service agreement.

C. Competent supervisory authority

Office for Personal Data Protection of the Slovak Republic.

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES

  • TLS encryption in transit
  • Role-based access control
  • Multi-factor authentication
  • Logging and monitoring
  • Encryption of stored data
  • DDoS protection
  • Incident response procedures
  • Regular software updates
  • Internal data protection policies
  • Employee confidentiality agreements

ANNEX III – LIST OF SUB-PROCESSORS

Categories:

  • Cloud hosting provider
  • Database provider
  • Payment processor (Stripe)
  • AI service providers
  • Analytics providers
  • CDN / Security providers

An up-to-date list is available upon request.