Version 1.3, June 2026
Between:
Holdsport.dk ApS(hereinafter referred to as "Holdsport")
And:
The club, group, or organization that uses the Holdsport ApS platform and that has digitally accepted the applicable terms and this Data Processing Agreement.
(hereinafter referred to as "the Club")
(hereinafter each individually referred to as a "Party" and jointly as "the Parties") have as of today entered into a Data Processing Agreement on the following terms and conditions:
1.1 "Personal data" and "processing" shall have the meaning set out in Article 4 of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").
1.2 The Club determines the purpose for which, and the means by which, personal data under this agreement shall be processed, and is therefore the data controller, cf. Article 4(7) of the GDPR.
1.3 Holdsport processes data on behalf of the data controller, and Holdsport is therefore the data processor, cf. Article 4(8) of the GDPR.
2.1 The Club may use Holdsport's service to:
2.2 Information for use by the specified system will be collected from the Club and players, coaches, parents, and others.
2.3 No processing takes place of personal data concerning health information, criminal convictions, CPR numbers (unless the Club is legally obliged to do so) or offences.
2.4 Information is processed for the following categories of data subjects: players, coaches, parents or other associated persons, employees and possibly referees.
3.1 Holdsport primarily uses Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, for storage of its own data and software, including personal data. See also section 7 and Appendix 1 for supplementary information, as well as information on sub-processors, etc.
3.2 Holdsport may not transfer or process the personal data covered by this agreement in other countries outside the EU without the prior written approval of the Data Controller.
4.1 Holdsport undertakes to process personal data only on the basis of documented instructions from the Club, including with regard to the transfer of personal data to a third country or an international organization.
4.2 If Holdsport is obliged to transfer personal data to a third country or an international organization, Holdsport shall inform the Club of that obligation before the processing takes place, unless the law prohibits such notification on grounds of public interest.
4.3 Holdsport shall implement appropriate technical and organizational measures to ensure that all personal data available to or processed by Holdsport is processed in a manner that ensures adequate security of the personal data concerned, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, or any other processing of personal data in breach of the GDPR. These technical and organizational measures are set out in Appendix 1.
4.4 Holdsport ensures that persons authorized to process the personal data are subject to confidentiality, either by agreement or by law.
4.5 Holdsport shall notify the Club of any personal data breach without undue delay. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, cf. Article 4(12) of the GDPR.
4.6 Holdsport has established a procedure for continuous monitoring of all systems, implementation of alarms, and notification of the company's DPO, who is responsible for ensuring that all relevant technical actions are carried out and that all affected parties are informed in the event of a data breach. After more than 20 years of operation, Holdsport has to date not experienced any personal data breach.
4.7 Holdsport shall treat personal data processed by Holdsport on behalf of the Club as confidential. Holdsport may not disclose personal data provided to Holdsport by, for, or on behalf of the Club to any third party, unless consent has been obtained or another lawful basis exists.
4.8 Nothing in this agreement prevents either of the Parties from complying with a legal obligation imposed by public authorities or courts. However, both Parties shall, to the extent possible, discuss the appropriate response to any request from an authority or court for the disclosure of information.
5.1 Holdsport makes all necessary information available to the Club in electronic form in order to demonstrate compliance with the obligations of this agreement. This takes the form of the present Data Processing Agreement, the associated appendices, contractual documents between Holdsport and the Club, as well as information on our website.
5.2 Holdsport shall immediately notify the Club if, in Holdsport's opinion, an instruction from the Club infringes the GDPR.
5.3 Holdsport assists the Club with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Club's obligation to respond to requests for the exercise of the data subject's rights.
5.4 Holdsport - taking into account the nature of the processing and the information available to Holdsport - assists the Club in ensuring compliance with obligations concerning:
5.4.1 security of processing,
5.4.2 notification of a personal data breach to the supervisory authority,
5.4.3 communication of a personal data breach to the data subject, and
5.4.4 data protection impact assessment.
5.5 Holdsport shall - where Article 30 of the GDPR applies - maintain a record of processing activities under its responsibility and, upon request, provide the Club with a copy thereof.
6.1 The Club has, in accordance with the GDPR, a general obligation to ensure that the technical and organizational measures are complied with, which includes technical and organizational measures carried out by a data processor. Holdsport has assessed the risks arising from Holdsport's processing of personal data under this agreement and has implemented appropriate measures, cf. section 5.3.
6.2 The Club declares that the personal data processed by Holdsport under this agreement may be processed by Holdsport. That is, the Club warrants that this is information for which the Club has obtained consent for processing, and that the consent covers subsequent processing at Holdsport. The Club indemnifies Holdsport from any liability in this connection.
6.3 For the sake of good order, it is noted that the Club, as data controller, must comply with the rules of the GDPR, which includes, among other things, entering into data processing agreements with its suppliers.
6.4 In order to ensure quick and accurate communication with, and support of, you as a user, we at Holdsport may use automated tools, including OpenAI's ChatGPT and related tools, to analyze and respond to inquiries from you and other users. We use the dialogue with all users as a basis for the development of these tools. The dialogue with you is anonymized. As a user, you consent to this use.
7.1 The Club grants Holdsport a general authorization to make use of sub-processors. Holdsport shall notify the Club of any planned changes concerning sub-processors with at least 30 days' notice, thereby giving the Club the opportunity to object to such changes.
7.2 A list of sub-processors is set out in Appendix 1.
7.3 In addition to this, Holdsport uses a number of payment services, e.g., MobilePay, Stripe, Altapay, and others. The relevant and necessary information required to complete payments resides with the respective services in accordance with the terms and rules applicable thereto, and Holdsport does not store copies of this information beyond what is necessary to safeguard the payer's rights, e.g., access to a team or a payment activity.
8.1 This agreement is in force for as long as Holdsport processes personal data on behalf of the Club.
8.2 Upon rescission or termination of this agreement, Holdsport shall, at the Club's request, destroy all such information. The foregoing does not apply, however, if legislation grants a right or imposes an obligation to retain the data.
9.1 This agreement is governed by Danish law.
9.2 Any dispute arising out of or in connection with this agreement, including disputes regarding existence, validity or termination, shall be decided by the District Court of Aarhus (Byretten i Aarhus) if the dispute cannot be resolved through negotiation.
| Data Processor | HOLDSPORT.DK ApS, CVR-nr. 33765509, Filmbyen 23, 3., 8000 Aarhus C |
| Service | Holdsport / SportMember — club administration platform (web, app and API) |
| Document type | Appendix to the Data Processing Agreement — documentation of security measures pursuant to the General Data Protection Regulation (GDPR) Art. 32 |
| Version | 1.3 |
| Date | 2026-06-30 |
This document describes the technical and organizational security measures (Technical and Organizational Measures, TOMs) that Holdsport, as data processor, has implemented to protect personal data processed on behalf of the data controller (the club/customer).
This document constitutes the documentation made available under the Data Processing Agreement and GDPR Art. 28(3)(h), and may be used as the basis for the data controller's supervision/audit (see section 10).
The description reflects the operating environment as of the date of this document. The measures are continuously developed; material changes are reflected in a new version of this document.
Categories of personal data
Holdsport processes, among other things, name, contact details (email, telephone, address), age/gender as well as activity and payment data for the club's members, coaches, parents, and others. No special categories of personal data concerning health, criminal offences or violations are processed, and as a rule no CPR numbers (unless the club is legally obliged to do so).
Encryption in transit
Encryption at rest
User authentication
Administrative and operational access
Organizational and physical access
Backup
Redundancy
Holdsport uses the following sub-processors:
| Sub-processor | Function | Processing location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Server and infrastructure hosting | Germany (EU) | Within the EU/EEA |
| Amazon Web Services (AWS) | Storage of encrypted database backups | Ireland (EU) | Within the EU/EEA |
| AppSignal B.V. | Performance and error monitoring (backend) | The Netherlands (EU) | Within the EU/EEA |
| Elastic Email | Sending of system and transactional emails | The provider's European servers (EU — Ireland, France and Poland) | Within the EU/EEA |
| Honeybadger | Error monitoring (backend) | USA — AWS us-east-1 (Northern Virginia) | SCCs via Honeybadger's data processing agreement |
| Sentry | Error monitoring (mobile app) | USA — Sentry's US region, Iowa (Google Cloud us-central1) | SCCs via Sentry's data processing agreement |
| Meta Platforms (Facebook) | Facebook login and app event data from the mobile app (Facebook SDK) | USA — Meta Platforms, Inc. (EU entity: Meta Platforms Ireland) | EU-US Data Privacy Framework (Meta self-certified) + SCCs |
Note: The monitoring services (error/performance) primarily process technical diagnostic and operational data, but may in error situations contain limited personally identifiable information. For sub-processors outside the EU/EEA, a transfer mechanism (e.g., the European Commission's Standard Contractual Clauses, SCCs) is ensured via the relevant provider's data processing agreement (see International transfers below).
International transfers (third-country transfers)
Personal data is, as a rule, processed and stored within the EU/EEA (cf. section 6 and the table above). The following sub-processors may process limited information in the USA: Honeybadger (error monitoring) at AWS us-east-1 (Northern Virginia), Sentry (error monitoring) in Iowa (Google Cloud us-central1), and Meta/Facebook (Facebook login and app events from the mobile app). Transfers take place on the following basis:
As supplementary measures, Holdsport is working to (i) minimize the personal data sent to these services — including opting out of IP/PII collection in the mobile app (Sentry) and filtering out personally identifiable fields (e.g., name, email, telephone, address, CPR and account information) in error reports (Honeybadger) — and (ii) move both services to EU regions, after which the transfer to third countries will cease.
In the event of a personal data breach, Holdsport notifies the data controller without undue delay in accordance with the Data Processing Agreement, so that the data controller can fulfil its obligations under GDPR Art. 33–34.
Holdsport has established a procedure for continuous monitoring of all systems with alerting and internal notification of Holdsport's DPO, who is responsible for ensuring that relevant technical actions are carried out and that affected parties are informed in the event of a breach.