Wizards Play Network Terms and Conditions
Last Updated: August 29, 2023
Wizards of the Coast LLC (“Wizards”) is dedicated to bringing people together through their shared love of gaming. As part of that effort, we created a promotion program: the Wizards Play Network (the “WPN”). There is no fee to join or participate in the WPN, but it does require your active engagement and your agreement to the following WPN Terms and Conditions (“WPN Terms”). By joining the WPN, you acknowledge that, as a purely promotional program, the WPN does not create a franchise or agency relationship. Nothing in these WPN Terms precludes you from selling Wizards’ products or running unsanctioned Magic: The Gathering, Duel Masters or Dungeons & Dragons events.
The WPN Terms govern your participation in the WPN as a Retail Store (defined below) (referred to herein as a “WPN Member”).
By visiting this website and/or participating in the WPN and becoming a WPN Member, you acknowledge and agree that you have read, understood and agree to be bound by the WPN Terms including, but not limited to, the following terms, conditions and policies which are incorporated by reference:
- Wizards Play Network Code of Conduct (“WPN Code of Conduct”);
- Wizards Play Network Privacy Policy (“WPN Privacy Policy”);
- Wizards Terms of Use;
- Wizards Code of Conduct;
- Wizards Event Reporter End User License Agreement; and
- Supplemental terms communicated to you from time to time in connection with WPN programs (“Program Terms”).
It is your responsibility to ensure that you are in compliance with the WPN Terms. Wizards may revise, update or modify these WPN Terms, with or without warning, and in its sole discretion. We recommend that you review these WPN Terms from time to time. Your continued participation in the WPN following the posting of any such changes will constitute your acceptance of those changes.
Do not participate in the WPN if you do not agree with any portion of these WPN Terms. You may cancel your membership in the WPN (“WPN Membership”) at any time by following the procedures set forth in Section 13.
Table of Contents
- Registration
- WPN Orientation
- WPN Membership Levels
- WPN License
- WPN Member Obligations
- Compliance with Laws
- Government Officials
- Event Scheduling, Administration and Reporting
- Promotions and Marketing
- Buy-a-Box Program
- Privacy and Publicity
- Data Processing
- Cancelling Your WPN Membership
- Termination
- Other Remedies
- Representations and Warranties
- Disclaimer
- Limitation of Liability
- Indemnification
- Privacy Notice
- General
1. Registration. To apply for membership in the WPN, you must complete the application process here and provide any additional information reasonably requested by Wizards. You must be the age of majority in the country or territory where your Retail Store is located (“Territory”). Your Retail Store must participate and graduate from the WPN Orientation Program set forth in Section 2. All information you submit to Wizards must be correct and accurate. During your participation in the WPN, you are solely responsible for ensuring your WPN Membership information is accurate and current. Inaccurate information may result in the termination of your WPN Membership. Wizards reserves the right to accept or reject your application for any reason in its sole discretion.
2. WPN Orientation. Upon completion of the registration process, your Retail Store is required to participate and graduate from an orientation program meant to educate you on the WPN and its programs and offerings (the “WPN Orientation Program”). Upon graduation from the WPN Orientation Program, you will be accepted into the WPN. Failure to participate in or graduate from the WPN Orientation Program will result in the rejection of your application.
3. WPN Membership Levels. Upon acceptance into the WPN, your Retail Store will be required to meet and maintain a WPN Membership level (“WPN Membership Level”). Information regarding each WPN Membership Level and the requirements to maintain each WPN Membership Level can be found here. Failure to meet or maintain your WPN Membership Level requirements may result in a down leveling of your WPN Membership Level and/or your suspension or termination from the WPN.
4. WPN License. Subject to acceptance into the WPN and your compliance with the WPN Terms, Wizards grants you a limited, revocable, non-assignable, personal, non-sublicensable and non-exclusive right and license to: (a) schedule and report Wizards-sanctioned organized play events including tournaments (individually an “Event” and collectively “Events”) using Wizards’ proprietary online scheduling and reporting tool (the “Wizards Event Reporter” or “WER”); (b) display the WPN logo in your store and on your website to signify that you are a WPN Member; (c) access, reproduce and display WPN marketing materials (including applicable trademarks and artwork) in connection with advertising your Events and Wizards products and Retail Store décor; and (d) identify yourself as a WPN Member (collectively, “Licensed Property”).
(a) Prohibitions. You will not: (i) harm, prejudice, impair or misuse the Licensed Property, Wizards, or Hasbro, Inc., its affiliates and subsidiaries (“Hasbro”) (including its affiliated brands and properties) which includes, but is not limited to, associating the foregoing with obscene, sexually explicit, graphically violent or other inappropriate content as determined by Wizards at its sole discretion; (ii) engage in any activity with respect to any product or service bearing any artwork, other representation, name or trademark that has the potential to confuse or that disparages the Licensed Property; or (iii) permit any unauthorized use of the Licensed Property.
(b) Goodwill. You acknowledge the great value of the goodwill associated with the Licensed Property. All goodwill arising from your use of the Licensed Property automatically inures to the benefit of Wizards, and you acknowledge that the Licensed Property has a secondary meaning in the mind of the public.
(c) Wizards’ Ownership. You hereby acknowledge and agree that all right, title and interest in and to all Licensed Property, patents, copyrights, trademarks, databases and any other intellectual property provided to you as a WPN Member, whether registered or unregistered, are owned exclusively by Wizards. You agree to not impair, hinder, encumber or otherwise damage or challenge Wizards’ ownership rights.
(d) No Transfer. You covenant and agree that these WPN Terms will be deemed a non-exclusive limited license, not a transfer, of Wizards’ rights in the Licensed Property, and that you will have no interest in or claim to the Licensed Property or to any of the intellectual property rights associated therewith, except to the limited extent of the limited license granted herein.
5. WPN Member Obligations. As a WPN Member, you will comply with, and be responsible for, the following:
(a) Professional Conduct. You will manage Events and, as applicable, your Retail Store in a professional and diligent manner that enhances the reputation and goodwill attached to Wizards and the Licensed Property.
(b) Responsibility for Staff. You agree that all people and companies you employ, utilize, engage or otherwise contract with to work or provide services in your Retail Store, to assist with conducting Events (collectively "Staff") will comply with these WPN Terms and all Applicable Laws (defined below). You likewise agree to comply with all federal, state, and local laws related to any employment relationship that may exist between you and your Staff consistent with Section 6. You further agree that nothing in these WPN Terms creates an employment relationship between Wizards and your Staff. You remain solely liable for all Staff activity under your WPN Membership. To protect players of all ages, to the extent permitted by Applicable Law, you agree to conduct background checks to meet your obligations under Section 16 on your Staff as well as those you engage with that interact with the public.
(c) Illegal Conduct. You will take all reasonable measures to prevent illegal or otherwise inappropriate conduct in or associated with your Retail Store or at Events.
(d) Events. You may not schedule, run or report fraudulent Events. Your Events must be conducted by you or your Staff.
(e) Event Locations. All Events must occur at your Retail Store or at preapproved all-ages, publicly-accessible venues that are clean, safe, adequately lit, reasonably climate controlled and in compliance with all relevant accessibility, safety, fire, building, and health codes, and local regulations. Wizards reserves the right to reject any location in its sole discretion. Unless otherwise agreed to by Wizards, you may not run an Event in another Retail Store.
(f) Use of Marketing Material. You will use Wizards marketing materials provided by Wizards or Wizards’ authorized distributors solely in connection with the Events, Wizards products and Retail Store décor only and in compliance with Wizards Play Network Marketing Materials Policy. All advertisements and promotions for your Retail Store or Events must be clear, truthful and comply with the laws relevant to your location or your Territory.
(g) Retail Store. A Retail Store is a legitimate physical retail store with any and all authorizations and/or licenses required by the local law and/or administrative resolutions, for the regular operation of a commercial establishment in the Territory that is regularly and consistently open to the public for business multiple days of the week and sells sealed Wizards’ product on-site to consumers. A Retail Store must have permanently affixed signage, a dedicated store phone line, internet service, a valid email address, reasonably comfortable seating, nearby restrooms and an accepting and appropriate atmosphere for patrons of any age. As a WPN Member, you will ensure your Retail Store is clean, safe, adequately lit, reasonably climate controlled, and in compliance with all relevant safety, fire, building and health codes, and local regulations.
(h) Code of Conduct. You will refrain from violating the WPN Code of Conduct and you agree to display in your Retail Store and/or Event Locations, player and community policies as designated by Wizards from time to time.
(i) Infringing Products. You will not permit products infringing Wizards’ intellectual property rights to be sold or traded in your Retail Store or at your Event, and you will notify Wizards immediately if you know or suspect the sale or trade of such infringing products in your Retail Store or at your Event.
(j) Proxy Cards. Retail Stores may only allow “proxy” cards in your Events as described in the current official Magic Tournament Rules. A proxy card is a card issued by a judge at an Event to replace a card that has become damaged during the course of play in such Event and may only be used for the duration of that Event.
(k) Counterfeit Cards. Counterfeit cards are unauthorized reproductions of authentic Wizards cards. Counterfeit cards are strictly prohibited by Wizards. WPN Members who knowingly manufacture, import, use or distribute counterfeit cards (or facilitate the same by a third party) will have their WPN Membership immediately terminated. Wizards reserves all rights in law and at equity to prosecute individuals engaged in the manufacture, importation or distribution of counterfeit cards.
(l) Playtest Cards. A playtest card is most commonly a basic resource with the name of a different card written on it with a marker. Playtest cards are not reproductions of authentic Wizards products and are created by players for personal and non-commercial use to test deck concepts. The use of playtest cards is allowed within Retail Stores only for non-commercial use in unsanctioned events.
(m) Grey Market Products. As a member of the WPN, you agree not to sell or permit grey market products to be sold or traded in your Retail Store or at your Event, and you agree not to engage in grey market activity using Wizards’ product. “Grey Market Products” mean products that infringe Wizards’ intellectual property rights. You will notify Wizards immediately if you know or suspect the sale or trade of Grey Market Products in your Retail Store or at your Events.
(n) Login Credentials. You will not disclose to anyone or permit another person to use your login credentials, and you will notify Wizards immediately if you know or suspect any unauthorized use of your login credentials. You will be fully responsible and liable for all activities conducted through your login credentials.
(o) Inactivity. Your WPN Membership will be terminated if you fail to schedule an Event for a period of sixty (60) consecutive days even if you have met and maintained a WPN Membership Level.
(p) Investigations. As a WPN Member, you expressly acknowledge and agree that your participation is subject to review by Wizards. You agree to cooperate in any Wizards’ investigation of actual or alleged violations of the WPN Terms, the WPN Code of Conduct, Program Terms, or other applicable Wizards policy.
(q) On Sale Dates. You will not offer any Wizards’ products to consumers prior to such products’ first on-sale date as published by Wizards.
6. Compliance with Laws. As a WPN Member, you agree to comply with all applicable laws, ordinances, regulations, guidelines, policies, terms, and other governmental requirements applicable to you, your Retail Store, your Staff and your Events including, but not limited to, marketing and promotion, employment, workers compensation coverage, tax, wage and hour, labor, data and privacy, consumer rights protection, discrimination, and accessibility (“Applicable Laws”). You will pay all required taxes and secure all necessary permits, approvals, and licenses from any governmental authorities necessary to conduct your Events.
7. Government Officials. You agree that in connection with your WPN Membership, you will not, directly or indirectly:
(a) offer, pay, promise to pay, or authorize the payment of any money, gift or other thing of value to any person who is an official, agent, employee, or representative of any government or to any candidate for political or political party office, or to any other person while knowing or having reason to believe that all or any portion of such money, gift or thing of value will be offered, given, or promised, directly or indirectly, to any of the foregoing;
(b) promise or give any person working for, or engaged by, Wizards or Hasbro, a financial or other advantage to (i) induce that person to perform improperly a relevant function or activity; or (ii) reward that person for improper performance of a relevant function or activity; or
(c) request, agree to receive, or accept any financial or other advantage as an inducement or a reward for improper performance of a relevant function or activity in connection with your WPN Membership.
8. Event Scheduling, Administration and Reporting. Wizards-sanctioned organized play events can be organized by Retail Stores. As a WPN Member, you accept full responsibility for the scheduling, marketing, operation, reporting, and management of your Events including, but not limited to, all costs associated therewith. You will utilize the WER as directed by Wizards for the purposes of scheduling, registration, pairing matches, reporting conduct and reporting Events and for ordering Event and promotional support material. You expressly agree that:
(a) Scheduling Events. You will schedule any proposed Event according to the guidelines set forth in the applicable Event solicitation. All information you provide in the scheduling must be true, complete, and accurate. Wizards reserves the right to reject any Event for any reason in its sole discretion.
(b) Administering Events. You will at all times comply with all requirements applicable to the scheduled Event. Different requirements may apply depending on the type of Event including, but not limited to, product type, date restrictions, and play format. You will ensure that Events comply with these WPN Terms, WPN Code of Conduct, and all other Wizards’ terms, codes of conduct, official organized play and tournament rules and procedures set forth by Wizards.
(c) Reporting Events. Within ninety-six (96) hours following an Event, Event results must be provided to Wizards through the WER. You will report all significant incidents that violate these WPN Terms, the WPN Code of Conduct, and all official organized play and tournament rules to Retail Support.
(d) Player Data. The WER may only be used for scheduling, registration, pairing matches, reporting conduct and reporting Events and for ordering Event and promotional support material. For this limited purpose, you will have limited access to personal data of players as necessary to facilitate Events including first name, last name and country/territory of origin. Your access to and use of this personal data is for the sole purpose of facilitating Events. You expressly acknowledge and agree that you will not access or use this personal data for any other purpose than facilitating Events and that you will not copy, transfer, sell, share, post, transmit or otherwise disclose any such personal information to any third party.
9. Promotions and Marketing. You are solely responsible for promoting and marketing Events. You acknowledge and agree that Wizards is not a sponsor of your Events and that you will take no action to imply or indicate any such sponsorship. You are responsible for ensuring that any and all of your promotional materials and activities comply with applicable local, state, federal and country laws, rules and regulations. Wizards will use good faith efforts to include scheduled Events in its website calendars and event locator tools (“Event Locator”), provided that Wizards may choose for any reason in its sole discretion not to include your Events in its website calendars or in the Event Locator and will have no liability to you for any failure to include such Events on the website or in the Event Locator.
10. Buy-a-Box Program. As a WPN Member, Retail Stores are automatically enrolled in Wizards’ buy-a-box program (“Buy-a-Box Program”) for every Magic: The Gathering trading card game set release. Information regarding Buy-a-Box Program terms can be found here. Retail Stores will be responsible for obtaining any permits or complying with any requirements under the relevant laws and regulations for the conduct of the Buy-a-Box Program.
11. Privacy and Publicity.
(a) Publicity Rights. You grant Wizards the right to use your name, likeness, voice, image, business name, Retail Store logos, images and business information, as well as any photographs and audiovisual recordings of your Events, for its advertising, promotional, commercial, or educational materials. You hereby waive any right to additional consideration or compensation with respect to any such use. This authorization is granted worldwide, non-exclusively and during your participation in the WPN. If you revoke the authorization stated herein, Wizards will be allowed to terminate your WPN Membership.
(b) Sharing Your Information. You understand and agree that by signing up and scheduling Events, your name, phone number, email address, physical address and Retail Store (if applicable) business information may be shared with consumers and other third parties for the purposes of marketing and promoting your Events and facilitating market research and satisfaction surveys about the WPN, Wizards’ products and organized play events.
(c) Accepting Communications. While you are a WPN Member, you agree to accept all forms of communication from Wizards regarding the WPN, your WPN Membership, and Wizards’ products or services. If you opt out of any form of communication from Wizards, Wizards will be allowed to terminate your WPN Membership.
12. Data Processing.
(a) Personal Data. You acknowledge and agree that Wizards will process personal data of players and other individuals during or in connection with your use of the WPN. You hereby instruct Wizards to process any personal data you submit to Wizards (“Personal Data”) in order to provide you with the WPN. When Wizards follows these instructions, you are the controller and Wizards is the processor that processes Personal Data on your behalf. In certain circumstances, Wizards also operates as a controller. For example, Wizards may process and aggregate Personal Data in order to improve the WPN and its other products and services, including to make Personal Data of players available through the WER to other WPN Members. You represent and warrant that any Personal Data has not been collected, stored, and transferred to us in violation of any law, regulation, or contractual obligation applicable to you. You shall have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which you acquired Personal Data.
(b) Service Providers. You acknowledge and agree that Wizards may retain third party service providers during or in connection with its use of the WPN. Wizards shall enter into a written agreement with each third party service provider containing data protection obligations not less protective than those in this Section 12 with respect to the protection of Personal Data to the extent applicable to the services provided by the third party service provider.
(c) Security. Wizards shall maintain reasonable and appropriate technical and organizational measures for the protection of the security, confidentiality, and integrity of Personal Data (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss, or alteration or damage, unauthorized disclosure of, or access to, Personal Data). Wizards shall regularly monitor compliance with these measures, and shall not materially decrease the overall security of its applicable services during its provision of the WPN pursuant to these WPN Terms. Wizards shall ensure that persons authorized to carry out processing have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality.
(d) Wizards maintains security incident management policies and procedures and shall notify you without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by Wizards or its subprocessors of which Wizards becomes aware (a “Data Incident”). Wizards shall make reasonable efforts to identify the cause of such Data Incident and take steps as Wizards deems necessary and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within Wizards’ reasonable control. The obligations herein shall not apply to incidents that are caused by you.
(e) Return and Deletion. Upon your written request, and except in situations where Wizards acts as a controller, Wizards will return or delete all Personal Data. Wizards may also refuse such requests where returning or deleting such Personal Data would be prohibited by applicable law, or where Wizards must retain such Personal Data due to legal obligations, to protect its rights or those of a third party, or as required by Wizards for processing pursuant to a legitimate interest as documented by Wizards.
(f) You acknowledge and agree that Personal Data will be stored and processed in the United States and other countries in which Wizards or its affiliates maintain facilities. To the extent your use of the WPN involves Personal Data originating outside of the United States, you (i) acknowledge and consent to the transfer of Personal Data outside of its country of origin; (ii) shall ensure that it has provided any required notice to, and obtained any required consent(s) from, individuals for the processing of their Personal Data by Wizards and for the transfer of their Personal Data outside of its country of origin; and (iii) shall comply with all privacy and data protection laws applicable to such Personal Data. To the extent Personal Data is obtained from a country within the European Union (“EU”), Wizards and you hereby agree to comply with the Controller to Processor standard contractual clauses set forth in the Data Transfer Addendum.
(g) GDPR. To the extent your use of the WPN involves the processing by Wizards of the Personal Data of data subjects located in the EU or otherwise subject to Regulation (EU) 2016/679, the General Data Protection Regulation, together with any additional implementation legislation, rules or regulations that are issued by applicable supervisory authorities ("GDPR"), when Wizards is operating as a processor (and not when Wizards operates as a controller), these “GDPR” provisions apply effective May 25, 2018. Words and phrases shall, to the greatest extent possible, have the meanings given to them in the GDPR.
i. Wizards shall process Personal Data according to your instructions, and in accordance with the GDPR requirements directly applicable to Wizards’ provision of the WPN. The following specifications apply (“Specifications”):
a. The subject matter of the processing is the provision of the WPN to you pursuant to these WPN Terms. Wizards may process the Personal Data for the following purposes: (1) processing in accordance with these WPN Terms; and (2) processing to comply with other documented reasonable instructions provided by you (e.g., via email) where such instructions are consistent with the terms of these WPN Terms.
b. The duration of the processing is for the duration of these WPN Terms except where otherwise required by applicable law, as required by a legal obligation or for Wizards to protect its rights or those of a third party, or as required for Wizards to continue processing Personal Data due to a legitimate interest.
c. The categories of data subjects about whom Wizards processes Personal Data are determined and controlled by you, in your sole discretion, which may include, but are not limited to, your employees and players.
d. The types of Personal Data that Wizards processes are determined and controlled by you, in your sole discretion, and may include, but are not limited to, name, email address, postal address, phone number, username, password, and IP address.
ii. Wizards shall process the Personal Data only on documented instructions from you and in accordance with the Specifications above, unless required to do otherwise by applicable law to which Wizards is subject; in such a case, Wizards shall inform you of that legal requirement before processing Personal Data, unless that law prohibits such disclosure on important grounds of public interest. These WPN Terms constitute your complete and final documented instructions, and any additional or alternate instructions must be agreed upon separately.
iii. Wizards shall, to the extent legally permitted, promptly notify you if Wizards receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure ("right to be forgotten"), data portability, objection to processing, or right not to be subject to automated individual decision making ("Data Subject Request"). Taking into account the nature of the processing, Wizards shall assist you, insofar as is possible, in the fulfilment of your obligation to respond to a Data Subject Request. In addition, to the extent you, in your use of the WPN, do not have the ability to address a Data Subject Request, Wizards shall upon your written request provide commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent Wizards is legally permitted to do so and the response to such Data Subject Request is required under applicable laws. To the extent legally permitted, you shall be responsible for any costs arising from Wizards' provision of such assistance. Please note that Wizards may not be able to fulfill a Data Subject Request where to do so would violate laws applicable to Wizards, would interfere with Wizards' ability to meet legal obligations or protect its rights or those of a third party, or would prevent Wizards from continuing to process Personal Data where it has a legitimate interest in doing so.
iv. You hereby provide Wizards with general written authorization to engage subprocessors in connection with these WPN Terms. Wizards shall make available to you a current list of subprocessors for the WPN upon your written request. You may also make a written request that Wizards notify you of any new subprocessors. If you make such written request, Wizards shall provide notification of new subprocessors before authorizing any new subprocessors to process Personal Data in connection with the provision of the WPN to you. You may object to Wizards' use of a new subprocessor by notifying Wizards promptly in writing within ten (10) business days after receipt of Wizards' notice. In the event you object to a new subprocessor, Wizards will use reasonable efforts to make available to you a change in the WPN or recommend a commercially reasonable change to your configuration or use of the WPN to avoid processing of Personal Data by the objected-to new subprocessors. If Wizards is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, your sole recourse is to stop using Wizards’ services. Wizards shall be liable for the acts and omissions of its subprocessors to the same extent Wizards would be liable if performing the services of each subprocessor directly under the terms of these WPN Terms.
v. Upon your written request at reasonable intervals, and subject to entering into additional confidentiality provisions with you, Wizards shall make available to you a copy of Wizards’ then most recent third party audit with respect to its privacy and data protection practices, as applicable.
vi. Upon your written request, Wizards shall provide you with reasonable cooperation and assistance as needed and appropriate to fulfil your obligations under the GDPR to carry out a data protection impact assessment related to your use of the WPN, to the extent you do not otherwise have access to the relevant information, and to the extent such information is available to Wizards. Wizards shall provide reasonable assistance to you in the cooperation or prior consultation with the supervisory authority in the performance of its tasks relating to the data protection impact assessment, to the extent required under the GDPR.
13. Cancelling Your WPN Membership. You have the right to cancel your WPN Membership at any time by contacting Retail Support.
14. Termination. Wizards may terminate your WPN Membership at any time, with or without a reason: (a) upon ninety (90) days prior written notice (email sent to your WPN account email address sufficient for this purpose); or (b) immediately with written notice (email sent to your WPN account email address sufficient for this purpose) upon the occurrence of any of the following: (i) you, at Wizards’ sole discretion, violate these WPN Terms, the WPN Code of Conduct or Wizards’ other published policies or procedures; or (ii) you engage in conduct that damages, harms or disparages Wizards’ brands or its products. Wizards expressly agrees to waive and set aside its respective rights and obligations under any applicable law in the event of any termination of your WPN Membership to the extent that such law requires any judicial pronouncement for the termination.
15. Other Remedies. In the event any of Section 14(a) through (b)(ii) occurs, Wizards may, at any time, in its sole discretion and without notice or any liability to you exercise any of the below remedies: (a) cancel or modify any of your scheduled Events; (b) decline to sanction your future Events or locations; or (c) temporarily suspend your WPN Membership or down level your WPN Membership Level.
Wizards may communicate its actions (but not the reason for taking such actions) to third parties and consumers. You understand and acknowledge that your WPN Membership has no monetary value to you and that you have no interest, monetary or otherwise, in any feature, content, or program of the WPN. You expressly acknowledge and agree that Wizards has no liability to you for terminating your WPN Membership or ending, modifying, changing, or terminating portions of or the entire WPN.
All remedies set forth in this Section 15 are available to Wizards in addition to, and not in lieu of, its rights of termination and any other available remedies at law or in equity.
16. Representations, Warranties and Covenants. You represent and warrant to Wizards that: (a) you have the power and authority to enter into this agreement, accept these WPN Terms and that all information you provide to Wizards is true, complete and accurate; (b) you will comply with all applicable laws and regulations governing your Staff, Retail Store and Events including, but not limited to, securing necessary permits, approvals and licenses from third parties to conduct Events; (c) notwithstanding anything in these WPN Terms, you will be, and will remain, responsible for all obligations and liabilities associated with your Staff, your store and Events; (d) Unless preempted by applicable law, you will not employ or otherwise engage Staff who (i) appear on a sex offender registry (or its international equivalent), and/or (ii) have been convicted by a court of competent jurisdiction for a violent sexual offense or crimes against children. Some jurisdictions prohibit inquiries regarding criminal history (your compliance with local law will not constitute a breach of WPN Terms); however, you remain solely liable for ensuring your Retail Location and Events are safe for players of all ages.
17. Disclaimer. THE WPN, ITS PROGRAMS, OFFERINGS, PROMOTIONS, TRADEMARKS, LOGOS, AND THE LICENSED PROPERTY ARE PROVIDED “AS IS” WITHOUT ANY REPRESENTATION, WARRANTY, CONDITION OR GUARANTEE (WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE) INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
18. Limitation of Liability. NEITHER WIZARDS, NOR ITS PARENT OR AFFILIATES, LICENSORS OR RELATED ENTITIES WILL BE LIABLE IN ANY WAY TO YOU OR A THIRD PARTY FOR ANY ANTICIPATED OR LOST PROFITS, REVENUE, DATA, CONTENT, HARDWARE, SOFTWARE, INJURY, INFORMATION OR SPECIAL, EXEMPLARY, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES (HOWEVER ARISING INCLUDING, BUT NOT LIMITED TO, TORT, CONTRACT, STRICT PRODUCT LIABILITY AND NEGLIGENCE) ARISING OUT OF OR IN CONNECTION WITH YOUR PARTICIPATION AS A WPN MEMBER, OR IN ANY OTHER WIZARDS’ PROGRAM INCLUDING, BUT NOT LIMITED TO, DAMAGE TO PROPERTY AND, TO THE EXTENT PERMITTED BY APPLICABLE LAW, DAMAGES FOR PERSONAL INJURY, EVEN IF WIZARDS, ITS LICENSORS AND SUPPLIERS, AND EACH OF ITS RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES AND AGENTS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSS. THE TOTAL AGGREGATE LIABILITY OF WIZARDS, ITS LICENSORS AND SUPPLIERS, AND EACH OF ITS RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES AND AGENTS TO YOU OR ANY THIRD PARTY IS LIMITED TO $100.00 (USD). YOU AGREE TO WAIVE ANY RIGHT TO EQUITABLE RELIEF INCLUDING, BUT NOT LIMITED TO, INJUNCTIVE RELIEF AGAINST WIZARDS, ITS LICENSORS AND SUPPLIERS, AND EACH OF ITS RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES AND AGENTS TO ENFORCE THE TERMS HEREOF; HOWEVER, THE FOREGOING WILL NOT PRECLUDE WIZARDS FROM SEEKING ANY INJUNCTIVE RELIEF. THIS LIMITATION APPLIES TO ALL CAUSES OF ACTION OR CLAIMS IN THE AGGREGATE FOR ANY REASON. SOME JURISDICTIONS DO NOT ALLOW THE FOREGOING LIMITATIONS OF LIABILITY; AS SUCH THEY MAY NOT APPLY TO YOU IN PART OR IN THEIR ENTIRETY.
19. Indemnification. YOU AGREE TO DEFEND, INDEMNIFY AND HOLD WIZARDS, ITS PARENT COMPANY, SUBSIDIARIES, AFFILIATES, CURRENT AND PAST OFFICERS, AGENTS AND EMPLOYEES HARMLESS FROM ANY CLAIM, ACTION, SUIT, DEMAND, OR DAMAGES INCLUDING, BUT NOT LIMITED TO, REASONABLE ATTORNEYS' FEES, ASSERTED BY ANY THIRD PARTY OR STAFF ARISING IN CONNECTION WITH YOUR PARTICIPATION AS A WPN MEMBER, OR IN ANY OTHER WIZARDS’ PROGRAM INCLUDING, BUT NOT LIMITED TO, FRAUD, WAGE OR EMPLOYMENT CLAIMS, NEGLIGENCE, INJURY OR DEATH, OR RIGHT OF PUBLICITY. You will cooperate as fully as reasonably required in the defense of any claim. Wizards reserves the right, at its own expense, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you and you will not in any event settle any matter without the written consent of Wizards.
20. Privacy Notice. In addition to the disclosures contained in these WPN Terms, please refer to our WPN Privacy Policy for information on how Wizards collects, stores, uses and discloses your information.
21. General.
(a) Language; Interpretation. These WPN Terms and all related documents will be interpreted in English. The headings of sections or paragraphs are for convenience only and not intended to restrict or affect interpretation.
(b) Equitable Remedies. You agree that Wizards would be irreparably damaged if these WPN Terms were not specifically enforced. Therefore, you agree that Wizards will, in addition to any other remedy it may have under these WPN Terms, at law or in equity, be entitled without bond, other security, or proof of damages, to appropriate equitable remedies with respect to breaches of these WPN Terms.
(c) Severability; No Waiver. If any provision of these WPN Terms is found to be invalid or unenforceable by any court having competent jurisdiction, then that provision will be deemed severable from these and will not affect the validity and enforceability of any remaining provisions. The failure to enforce any of the provisions of these WPN Terms, or to exercise any rights or remedies under these WPN Terms, will not be construed as a waiver of Wizards' right to assert or rely upon any such provisions, rights, or remedies in that or any other future instance.
(d) Modification. These WPN Terms may be amended, altered or modified at any time and for any reason by Wizards in its sole discretion with no prior notice. If any future changes to these WPN Terms are unacceptable to you or cause you to no longer be in compliance with these WPN Terms, please cancel your WPN Membership. Your continued participation in the WPN means you accept any and all such changes.
(e) No Assignment. These WPN Terms and the rights granted herein are personal to you, and may not be assigned, even where you transfer or lease your business or a branch of your business. Wizards may transfer or assign these WPN Terms, in whole or in part, to third parties of its choosing.
(f) Force Majeure. Wizards will not be liable for any delay or failure to perform resulting from causes outside our reasonable control including, but not limited to, any failure to perform hereunder due to unforeseen circumstances or causes such as acts of God, war, the zombie apocalypse, acts of civil or military authorities, Plan 9, robot uprisings, Phyrexian incursions, fire, floods, accidents, Eldrazi awakenings, strikes, riots, or for shortages of transportation, fuel, Mana, energy, labor or materials.
(g) Governing Law; Venue and Jurisdiction; Time Limit to Bring Claims. These WPN Terms and your participation in the WPN will be governed by laws of the State of Washington, United States, without regard to its conflict of laws principles. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. You consent to the exclusive jurisdiction and venue of the U.S. District Court of the Western District of Washington for any claims arising out of or relating to these WPN Terms and your participation in the WPN. In no event will any claim, action or proceeding by you related to or arising from these WPN Terms or your participation in the WPN or any other interaction you may have with Wizards, be instituted more than one (1) year after the cause of action arose.
(h) Class Action Waiver. YOU AGREE THAT ANY PROCEEDINGS TO RESOLVE OR LITIGATE ANY DISPUTE, WHETHER IN COURT OR OTHERWISE, WILL BE CONDUCTED SOLELY ON AN INDIVIDUAL BASIS, AND THAT YOU WILL NOT SEEK TO HAVE ANY DISPUTE HEARD AS A CLASS ACTION, A REPRESENTATIVE ACTION, A COLLECTIVE ACTION, A PRIVATE ATTORNEY-GENERAL ACTION, OR IN ANY PROCEEDING IN WHICH YOU ACT, OR PROPOSE TO ACT, IN A REPRESENTATIVE CAPACITY. YOU AGREE THAT NO PROCEEDING WILL BE JOINED, CONSOLIDATED, OR COMBINED WITH ANOTHER PROCEEDING WITHOUT THE PRIOR WRITTEN CONSENT OF YOU, WIZARDS, AND ALL PARTIES TO ANY SUCH PROCEEDING.
(i) Notices. All notices given by you or required under these WPN Terms will be in writing and addressed to: Wizards of the Coast, ATTN: Retail Support, P.O. Box 707, Renton, Washington 98057-0707.
Data Transfer Addendum
This Data Transfer Addendum (“Addendum”) is made and entered into by and between Wizards of the Coast LLC (“Wizards”) and the WPN Member. This Addendum includes the standard contractual clauses attached in Annex 1 and supplements the Wizards Play Network Terms and Conditions available at https://wpn.wizards.com/terms-and-conditions, (as updated from time to time) between Wizards and the WPN Member (“WPN Terms”).
Annex 1
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity identified as “Member” in the Agreement
(the “data exporter”)
and
Wizards of the Coast, LLC (15395 SE 30th Pl Suite 300 Bellevue, WA 98007)
(the “data importer”)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer[1]
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
Data exporter
The data exporter is the entity identified as “Member.”
Data importer
The data importer is Wizards of the Coast LLC.
Data subjects
Data subjects include the data exporter’s employees, customers, end-users, and players.
Categories of data
The personal data relating to individuals which is processed by the data importer through the data exporter’s use of its services. The data exporter determines the types of data per each service used.
Processing operations
The personal data transferred will be subject to the processing activities required for performance of the services by data importer pursuant to the WPN Terms.
Appendix 2 to the Standard Contractual Clauses
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
A. Data importer shall implement appropriate technical and organizational measures to protect personal data against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, and procedures and internal controls set forth in this Appendix 2.
B. More specifically, data importer’s technical and organizational measures shall include:
Access Control of Processing Areas
Data importer shall implement appropriate measures to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the personal data are processed or used, including:
- establishing security areas and physical controls;
- protection and restriction of access paths;
- establishing access authorizations for employees and third parties;
- access to the data center where personal data are hosted is logged, monitored, and tracked; and
- the data center where personal data are hosted is secured by a security alarm system, and other appropriate security measures.
Access Control to Data Processing Systems
Data importer shall implement appropriate measures to prevent data processing systems where personal data are processed and used from being used by unauthorized persons, including:
- use of industry standard encryption technologies;
- automatic temporary lock-out of user terminal if left idle, identification and password required to reopen;
- automatic temporary lock-out of the user ID when several erroneous passwords are entered, log file of events, monitoring of break-in-attempts (alerts); and
- access to data content is logged, monitored, and tracked.
Access Control to Use Specific Areas of Data Processing Systems
Data importer shall implement appropriate measures to help ensure that the persons entitled to use data processing system where personal data are processed and used are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:
- employee policies and training in respect of each employee’s access rights to the personal data;
- allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions;
- monitoring capability in respect of individuals who delete, add or modify the personal data;
- release of data only to authorized persons, including allocation of differentiated access rights and roles;
- use of industry standard encryption technologies; and
- control of files, controlled and documented destruction of data.
Availability Control
Data importer shall implement appropriate measures to help ensure that personal data are protected from accidental destruction or loss, including:
- infrastructure redundancy; and
- backup is stored at an alternative site and available for restore in case of failure of the primary system.
Transmission Control
Data importer shall implement appropriate measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including:
- use of industry standard firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels;
- providing user alert upon incomplete transfer of data (end to end check); and
- data transmissions are logged, monitored and tracked.
Input Control
Data importer shall implement appropriate input control measures, including:
- an authorization policy for the input, reading, alteration and deletion of data;
- authentication of the authorized personnel;
- protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
- utilization of unique authentication credentials or codes (passwords) and/or 2 factor authentication;
- providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked;
- automatic log-off of user IDs that have not been used for a substantial period of time;
- proof established within data importer’s organization of the input authorization; and
- electronic recording of entries.
Separation of Processing for different Purposes
Data importer shall implement appropriate measures to help ensure that data collected for different purposes can be processed separately, including:
- access to data is separated through application security for the appropriate users;
- modules within the data importer’s database separate which data is used for which purpose, i.e. by functionality and function;
- at the database level, data is stored in different normalized tables, separated per module, per controller or function they support; and
- interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.
Documentation
Data importer will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Data importer shall implement appropriate measures to help ensure that its employees, agents, and subprocessors are aware of and comply with the technical and organizational measures set forth in this Appendix 2.
Monitoring
Data importer shall implement appropriate measures to monitor access restrictions to data importer’s system administrators and to help ensure that they act in accordance with instructions received. This is accomplished by various measures including:
- individual appointment of system administrators;
- adoption of measures to register system administrators' access logs to the infrastructure and keep them secure;
- audits of system administrators’ activity to assess compliance with assigned tasks and applicable laws; and
- keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and tasks assigned.
[1] Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.