Independent Controller Data Processing Addendum

This Data Processing Addendum (the “Addendum”) is entered into between Microsoft Corporation (“Microsoft”) and an Eligible Streaming Service (“Company”) and supplements the Streaming Provider License for Cloud Game Streaming Providers pursuant to the Commitments entered into by Microsoft and made legally binding by the European Commission in its decision under Article 8(2) of Regulation (EC) 139/2004 in case M. 10646 -Microsoft/Activision Blizzard (the “Streaming Provider License”). All capitalized terms are either defined herein or have the same meanings as those ascribed to them in the Streaming Provider License.

1. Definitions:

1.1.Data Protection Law” means any law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, applicable to Company or Microsoft, relating to data security, protection, Processing and/or privacy, and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted. Data Protection Law includes the General Data Protection Regulation (“GDPR”).

1.2.Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) and any other data or information that constitutes personal data or personal information under any applicable Data Protection Law.

2. Data Protection Law Compliance. With respect to the Personal Data transferred between the parties under this Addendum, the parties agree that both Company and Microsoft are independent data Controllers, and not joint Controllers, as defined in the GDPR, of the Personal Data that each independently Processes. As used in this Section 2, “Controller” means the entity that determines the purpose and means of Processing of Personal Data, and “Process” or “Processing” means any operation or set of operations that a party performs on Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction. “Processed” will have a corresponding meaning. As independent Controllers of Personal Data, the parties agree as follows:

2.1. General. Each party is independently responsible for compliance and will comply with Data Protection Law (e.g., obligations of Controllers), including without limitation providing notice to Data Subjects as required by Data Protection Law (e.g., GDPR Articles 13 and 14, as applicable), responding as required by Data Protection Law (e.g., Chapter III of GDPR) to Data Subjects’ requests to exercise their rights, and identifying a lawful basis of Processing (e.g., consent or legitimate interest). Where required by applicable Data Protection Law, each party will obtain sufficient consent from end users prior to transferring such end users’ Personal Data to the other party where necessary to allow access to Microsoft’s games on Company’s services as contemplated under the Streaming Provider License.

2.2. Cooperation. If either party receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority (e.g., a European data protection authority), or faces an actual or potential claim, inquiry, or complaint in connection with the parties’ Processing of Personal Data under this Addendum (collectively, an “Inquiry”), such party will notify the other party without undue delay unless such notification is prohibited by applicable law. The receiving party will promptly provide the other party with information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable such party to respond to the Inquiry. Upon request, a party will provide relevant information to the other party to fulfill its obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.

2.3. Data Security. Each party must ensure its network, operating system, software, databases, and other relevant computer systems are properly built, configured, and operated to store, manage and protect any Personal Data received or obtained from the other party in a secure manner. Each party will take all measures required in accordance with good industry practice and by Data Protection Law relating to data security (including, but not limited, to those required pursuant to Article 32 of the GDPR and Module 1 of the SCCs).

2.4. Confidentiality. Each party will ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality obligations no less protective than those set forth in the Addendum or are under an appropriate statutory obligation of confidentiality, even after the end of their employment contract or at the end of their assignment or engagement.

2.5. Each party will comply with the other’s instructions on receiving Data Subject rights requests from end users.

2.6. Upon termination of the Addendum both parties will immediately delete all copies of Personal Data received from the other under this Addendum except to the extent the receiving party has the right or obligation under applicable Data Protection Law to retain Personal Data after termination.

2.7. International Personal Data Transfer Requirements. Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does not protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data Transfer Mechanism”). The parties will comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law, including the Standard Contractual Clauses. “Standard Contractual Clauses” or “SCC” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The parties further agree as follows:

2.7.1. If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties will work together in good faith to find a suitable alternative.

2.7.2. With respect to Personal Data of Data Subjects located in a jurisdiction that requires an International Data Transfer Mechanism (e.g., the EEA, Switzerland, or the United Kingdom) that a party transfers to other party or permits the other party to access, the parties agree that by executing this Addendum they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this Addendum. The parties agree that, with respect to the elements of the Standard Contractual Clauses that require the parties’ input, Schedule 1 contains information relevant to the Standard Contractual Clauses’ Annexes. The parties agree that, for Personal Data of Data Subjects in Switzerland or another country specified in Schedule 1, they adopt the modifications to the Standard Contractual Clauses listed in Schedule 1 to adapt the Standard Contractual Clauses to local law, as applicable.

2.8. Schedule 1. Schedule 1 describes the purposes of the parties’ Processing, the types or categories of Personal Data involved in the Processing, the categories of Data Subjects affected by the Processing, and the parties’ statuses under relevant Data Protection Law. Neither party will seek to access nor retain Personal Data from the other party other than as set forth in Schedule 1.

SCHEDULE 1 – DESCRIPTION OF THE PROCESSING

Processing Activity Status of the Parties Categories of Personal Data that May Be Processed

The categories listed are descriptive and do not necessarily mean that the parties are Processing each category of data listed.		 Categories of Sensitive Data that May Be Processed

The categories listed are descriptive and do not necessarily mean that the parties are Processing each category of data listed.		 Applicable SCCs Module
Company and Microsoft collect or receive Personal Data as a Controller. Both parties are Processing the data for purposes of verifying entitlement information to facilitate cloud gaming. Microsoft is an Independent Controller. Company is an Independent Controller.
  • Game entitlement/ license information.
  • Encrypted user tokens (MSA tokens)
 Where the aforementioned categories of Personal Data belong to a Data Subject who is a child Module 1

1. Information for International Transfers

a. Frequency of Transfer: Continuous for all Personal Data.

b. Retention Periods: As Controllers, the parties retain Personal Data for as long as they have a business purpose for it or for the longest time allowable by applicable law.

2. For the purpose of the Standard Contractual Clauses:

a. The following definitions shall apply:

i. “Data Exporter” means the party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism; and (2) transfers Personal Data, or makes Personal Data available to, the Data Importer.

ii. “Data Importer” means the party that is (1) located in a jurisdiction that is not the same as the Data Exporter’s jurisdiction; and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by the Data Exporter.

b. Clause 7: The parties do not adopt the optional docking clause.

c. Clause 11(a): The parties do not select the independent dispute resolution option.

d. Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.

e. Clause 18: The parties agree that the forum is Ireland.

f. Annex I(A): The data exporter is the Data Exporter (defined above) and the data importer is the Data Importer (defined above).

g. Annex I(B): The parties agree that Schedule 1 describes the transfer.

h. Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.

i. Annex II: The parties agree that Schedule 1 describes the technical and organizational measures applicable to the transfer.

3. For the purpose of localizing the Standard Contractual Clauses:

a. Switzerland

i. The parties adopt the GDPR standard for all data transfers.

ii. Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.

iii. Clause 17: The parties agree that the governing jurisdiction is Ireland.

iv. Clause 18: The parties agree that the forum is Ireland. The parties agree to interpret the Standard Contractual Clauses so that Data Subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c).

v. The parties agree to interpret the Standard Contractual Clauses so that “Data Subjects” includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.

4. Technical and Organizational Security Measures. Both parties will comply with the technical and organizational measures as set out in Section 2.3 of the Addendum.