Exhibit 10.15

Platform and Technology Services agreement

1

This Agreement is made and entered as of January 1, 2021 (the “Effective Date”) by and between:

1. CODERE ONLINE MANAGEMENT SERVICES LTD., a company incorporated under the laws of Malta with registration number C88406 and, having its registered address at Level 3 (Suite no. 2265), Tower Business Centre, Tower Street, Swatar BKR 4013, Malta (hereinafter, the “Company”).

AND;

2. CODERE APUESTAS ESPAÑA S.L.U, a Company incorporated and registered in in the Public Property and Commerce Registry of Madrid volume 29357, sheet 79, section 8, page M-528758, entry 1^s, and with its registered office at Alcobendas Av. Bruselas 26 Alcobendas (Madrid) Spain., (hereinafter referred to as the “CAES”).

3. CODERE NEWCO S.A.U., a Company incorporated and registered in in the Public Property and Commerce Registry of Madrid volume 34399, sheet 192, page M-618784, NIF no. A87172003, and with its registered office at Alcobendas Av. Bruselas 26 Alcobendas (Madrid) Spain (hereinafter referred to as the “NEWCO” or “PARENT”).

(CAES and NEWCO both hereinafter also referred to jointly as the “Provider”. The Company and the Provider also shall be referred to individually as “Party” or collectively as “Parties”)

WHEREAS

I. The Company is part of an international group, the “Codere Group”, that engages in the gaming and gambling industry in a number of jurisdictions. The Company has obtained a valid B2B gaming license from the Malta Gaming Authority (License no. MGA/B2B/611/2108) (the “License”).

II. The Company is the manager of the Online Gaming Platform and provides casino and sport betting management services to other Codere Group companies.

III. The Provider, also companies of the Codere Group, seek to provide the Company with platform and technology services for its online casino and online Sport Betting Business, as described in this Agreement, and as further detailed in Schedule A attached hereto (hereinafter jointly referred to also as the “Services”).

IV. The Company wishes to engage the Services described in this Agreement.

2

THEREFORE, in consideration of the mutual obligations and undertakings contained herein, and subject to the terms hereinafter set forth, the Parties hereto agree as follows:

1. PURPOSE AND DEFINITIONS

1.1. In addition to the terms defined above and those terms defined in the text of this Agreement, the following capitalized terms shall have the following respective meanings for the purposes of this Agreement:

1.1.1. “Agreement” means this Services agreement including any supplementary agreements and any other appendices, schedules or amendments which may be attached hereto with the consent of both Parties.

1.1.2. “Codere Online” means Holdco and its direct and indirect Subsidiaries, including any Subsidiary of Holdco formed or acquired after the Effective Date.

1.1.3. “Holdco” means Codere Online Luxembourg, S.A.

1.1.4. “Discontinuation costs” means any costs incurred by the Provider directly linked to the termination of this Agreement by Company pursuant to Section 10.3 or discontinuation of certain Services as requested by the Company pursuant to Section 1.3, including but not limited to severance payments, third party break-up fees, loss of synergies and third party fees related to the service being discontinued until the Provider has the ability to discontinue.

1.1.5. “Governmental Authority” means any (i) international, national, multinational, federal, state, regional, municipal, local or other government, governmental or public department, central bank, court, tribunal, arbitral body, commission, board, bureau, agency or instrumentality, domestic or foreign (ii) self-regulatory organization or stock exchange, (iii) subdivision, agent, commission, board, or authority of any of the foregoing, or (iv) quasi-governmental or private body exercising any regulatory, expropriation or taxing authority under or for the account of any of the foregoing.

1.1.6. “Laws” means any and all applicable (i) laws, constitutions, treaties, statutes, codes, ordinances, principles of common law and equity, rules, regulations and municipal bylaws whether domestic, foreign or international, (ii) judicial, arbitral, administrative, ministerial, departmental and regulatory judgments, orders, writs, injunctions, decisions, and awards of any Governmental Authority, and (iii) policies, practices and guidelines of any Governmental Authority which, although not actually having the force of law, are considered by such Governmental Authority as requiring compliance as if having the force of law, and the term “applicable,” with respect to such Laws and in the context that refers to one or more Persons, means such Laws that apply to such Person or Persons or its or their business, undertaking, property or securities at the relevant time and that emanate from a Governmental Authority having jurisdiction over the Person or Persons or its or their business, undertaking, property or securities;

3

1.1.7. “Online Gaming Platform” means the software and hardware infrastructure constituting the main interface between Players and the online gaming and sport betting operator including but not limited to: (i) tools required to open or close the Player gaming account, to save and edit Player profile information, to take funds out of or put funds into the player gaming account, or to view details or a summary of Player account transactions; (ii) any technical element that shows Player relevant information on the integrated games offered, (iii) client software that Players must download and install on their system in order to interact with the Online Gaming Platform; (iv) tools that enable the operator to manage the user and gaming accounts of Players, to manage financial transactions, to report on game results, to activate or disable records and accounts and to establish all configurable parameters; (v) storage systems used to record and save the personal information of Players, information on all the transactions Players carry out and on the results of general events or sporting events, coefficients and other data relevant to the operation and management of gaming activities (Player database) and (vi) technical systems and instruments facilitating financial transactions between the Players and the gaming operator, which contains the means necessary to transfer funds from the payment method used by the Player to the operator, and back to the participant (payment gateway).

1.1.8. “Parent Group” means Parent and its affiliates (other than any member of Codere Online);

1.1.9. “Players” means the registered and authorized customers of a Codere Group company, that participate in any of the online gaming activities that the Codere Group company is entitled to offer and conduct.

1.1.10. “Services” has the meaning specified in Section 1.3 below and further detailed in Schedule A attached hereto.

1.1.11. “Spanish Inflation” means the annual change in the Spanish consumer price index as published by the Spanish Instituto Nacional de Estadística on January of every year.

1.1.12. “Sport Betting Business”: means the provision of sport betting services by the Company to other Codere Group companies.

1.1.13. “Trading” means in sports betting setting the pricing of a trade based in odds related to the different events the Company may offer to its customers, based mainly in statistics but also in an complete knowledge both of the market and competitors, and the most accurate and updated information. The margin of the Trading is a percentage calculated as follows: (amounts wagered – customer winnings) / amounts wagered.

4

1.2 Purpose. By virtue of the present Agreement, Provider, agrees to provide the Company with the Services, under the terms and subject to the conditions of this Agreement.

The Parties acknowledge and clarify that the Services detailed in this Agreement, including those reflected in Schedule A, are those agreed by the Parties only for the fiscal year 2021. Thereafter and during the Term of this Agreement the Parties should agree on an annual basis, up to ninety (90) days before the end of each calendar year, the type, nature, timetable, specifications, parameters or terms and conditions of future services to be provided by Provider to the Company in the subsequent year. In the event Company and Provider do not reach an agreement on the Services and expected costs reflected in the subsequent Annual Budget, the previous approved Annual Budget, adjusted by annualized Spanish Inflation, shall apply.

1.3 Company is entitled to, at any time and for any reason, amend the scope of the Services, including by discontinuing the provision of certain Services, by providing 60 days’ prior written notice to Providers.

1.4 The Parties also clarify that the Services shall be provided by Provider to the Company (which, in turn, provides services to other Codere Online entities) on an exclusive basis, except as provided in Section 10.2.6, and the Company, at is sole option and discretion, subject to the agreed notice periods, shall be entitled to decide during the Term which services, in whole or in part, if any, it will request from the Provider to provide from time to time. The Company shall not be under the obligation to request services from the Provider and it will be entitled at its sole discretion to retain the services of third parties for the provision of the Services, in whole or in part.

1.5 Notwithstanding section 1.4, and for clarity’s sake, Providers will have the right to, at all times, provide platform and technology services to other Parent Group companies in furtherance of its retail gaming activities or as otherwise agreed between Parent Group and Codere Online.

2. DATA PROTECTION

2.1. The personal data of the Parties’ representatives shall be processed, respectively, by the entities identified on the first page, which shall act independently, as the parties responsible for the processing thereof. Such data shall be processed in accordance with the rights and obligations set out in this Agreement, without taking automated decisions that could affect these representatives. Therefore, the legal basis of the processing is to fulfil and maintain the contractual relationship, with this purpose being strictly necessary to execute this Agreement. The data shall be kept during the term of the contractual relationship established herein and shall be processed only by the parties and by those third parties who are legally or contractually obliged to communicate them (as is the case of third party service providers who have been entrusted with any service related to the management or execution of the Agreement). The Parties’ representatives may, pursuant to the terms set forth by current law, exercise their rights of access, rectification and erasure of data, and establish restrictions on the processing of their personal data, object to the same or request the portability of their data by writing to each of the Parties at the addresses specified on the first page of this document. In the event they are not satisfied with the service received from the Parties after previously exercising any of the above rights, they may submit a complaint to the Spanish Data Protection Agency or any other competent authority. The parties’ representatives may contact the data protection officer of the the Parent Group by sending an email to dpo.codere@codere.com.

5

2.2. The personal data managed by the Company accessed and processed by CAES and NEWCO will be regulated by Schedule C.

3. SERVICES FEE AND PAYMENT

3.1. Services Fee. During the Term, in consideration to the Provider’s services and obligations hereto, Company agrees to pay, on a monthly basis, a fee to Provider (the “Fee”) equal to the costs of Services provided regarding online casino and online sport betting activity plus a mark-up, if applicable, equal to the minimum percentage allowed pursuant to transfer pricing requirements (5.02% as of the Effective Date) on such Services, as further detailed in Schedule A hereto.

3.2. The Parties agree that for purposes of Trading the Company at its sole discretion should be the only one to decide, define and instruct the Provider or its trading manager, which shall be the pricing and risk policy to apply at all times. The trading manager of the Provider may suggest any strategy that can benefit the Company in reaching its goals, however the Company shall be the only Party entitled to decide and instruct the Provider’s trading manager, which trading strategy to apply, including, without limitation, instructions with regards to promotions, bonuses, and risk management.

3.3. As consideration for the Services, the Company shall pay the Provider the Fees, as shall be agreed by the Parties on an annual basis (the “Annual Budget”). Notwithstanding, the budgeted Fees for calendar year 2021 are those detailed in Schedule A attached hereto, which the Parties shall be entitled to amend from time to time in writing.

3.4. Any increase or change of the Fees versus what was established in the Annual Budget shall be negotiated between the Parties in good faith and agreed in writing.

3.5. Steering and Budget Committee – For the Annual Budget, calculation of the monthly Fees and/or the supervision of the implementation of the Services, the Parties shall create a steering and budget committee (the “Steering Committee”), which shall comprised representatives of the Parties, and shall address during the Term, among others, the following matters:

3.5.1. Annual Budget negotiation, agreement, review and consumption monitoring;

3.5.2. High-level monitoring of major projects;

3.5.3. Infrastructure service monitoring and compliance with SLA;

3.5.4. Risk assessment and decision making regarding the Services.

3.6. The Provider shall invoice the Company for the Fees on a monthly basis for the Services rendered by the Provider during the preceding month, no later than the fifth (5) day of each month, which the Company shall review, confirm and approve the Services provided in the preceding month no later than by the tenth (10) of each calendar month.

6

3.7. The Company shall pay the Provider, by way of bank transfer, within thirty (30) days from the date of the invoice, the full amount of said invoice. Notwithstanding the foregoing, if Company disputes any item of the invoice in good faith, which must be in writing and no later than the tenth (10) day of the month following the month in which the services in a dispute were provided, it shall be entitled to withhold payment solely for the disputed item pending resolution of the dispute and not for the total invoice amount which shall be always paid in accordance with this clause.

3.8. The Fees, unless agreed otherwise in writing, shall be calculated and invoiced on a net basis and are exclusive of all taxes (gaming taxes, VAT, excise, withholdings or otherwise), customs fees, duties, or tariffs imposed on Company or Provider in connection with this Agreement (collectively, “Transaction Taxes”) which shall be paid by the Company at the rate prevailing at the same time as paying the Fees. If any Transaction Taxes are imposed on the transactions contemplated by this Agreement, then such amount shall be paid by the Company or as otherwise stated by Law. Provider shall ensure that all invoices issued distinguish between amounts invoiced for services and those involving know-how or technology.

3.9. For the avoidance of doubt, the Parties acknowledge that the Fees stipulated in this Agreement set out the only, final and complete consideration that Provider shall be entitled to receive for the Services and Provider shall not be entitled to any additional fees, costs, or expenses, except those as specifically provided in this Agreement, unless otherwise agreed by the Parties in advance and in writing.

3.10. Review. The Company has the right to have a representative review the accuracy of the calculation of the Fee, at its cost and expense, not more than once each calendar month and upon reasonable notice to Provider at the location that Provider keeps such records.

4. REPRESENTATIONS AND WARRANTIES OF THE PROVIDER.

Provider represents and warrants: (i) that it has the power, capacity and authority to enter into this Agreement; (ii) that the Services will be performed with reasonable skill and care, (iii) during the Term, Provider shall use commercially reasonable efforts to correct any failure of the support to operate in substantial conformity with the functionality and specifications included in Schedule B; (iii) the execution and delivery of this Agreement by it and the performance by it of its obligations hereunder do not and will not contravene, breach or result in any default under its governing instruments, or under any mortgage, lease, agreement or other legally binding instrument, permit or applicable Law to which it is a party or by which any of its properties or assets may be bound, except for any such contravention, breach or default which would not have a material adverse effect on the business, assets, financial condition or results of operations of the Provider; (iv) no authorization, consent or approval, or filing with or notice to any Person is required in connection with the execution, delivery or performance by it of this Agreement; and (v) this Agreement constitutes a valid and legally binding obligation, enforceable against it in accordance with its terms, subject to: (i) applicable bankruptcy, insolvency, moratorium, fraudulent conveyance, reorganization and other Laws of general application limiting the enforcement of creditors’ rights and remedies generally; and (ii) general principles of equity, including standards of materiality, good faith, fair dealing and reasonableness, equitable defenses and limits as to the availability of equitable remedies, whether such principles are considered in a proceeding at law or in equity.

7

5. REPRESENTATIONS AND WARRANTIES OF THE COMPANY.

Company represents and warrants that: (i) it has the power, capacity and authority to enter into this Agreement; (ii) the execution and delivery of this Agreement by it and the performance by it of its obligations hereunder do not and will not contravene, breach or result in any default under its governing instruments, or under any mortgage, lease, agreement or other legally binding instrument, permit or applicable Law to which it is a party or by which any of its properties or assets may be bound, except for any such contravention, breach or default which would not have a material adverse effect on the business, assets, financial condition or results of operations of the Company; (iii) no authorization, consent or approval, or filing with or notice to any Person is required in connection with the execution, delivery or performance by it of this Agreement; and (iv) this Agreement constitutes a valid and legally binding obligation, enforceable against it in accordance with its terms, subject to: (i) applicable bankruptcy, insolvency, moratorium, fraudulent conveyance, reorganization and other Laws of general application limiting the enforcement of creditors’ rights and remedies generally; and (ii) general principles of equity, including standards of materiality, good faith, fair dealing and reasonableness, equitable defenses and limits as to the availability of equitable remedies, whether such principles are considered in a proceeding at law or in equity.

6. INDEMNITY

6.1. Without limiting any Party’s other rights and remedies under the Law, each Party shall indemnify and hold harmless the other Party and its directors, officers, employees and other representatives upon written demand, from and against any losses, claims, damages, expenses (including reasonable legal costs and expenses and any VAT thereon) and liabilities to which such Party may become subject, insofar as such losses, claims, damages, expenses or liabilities (or actions in respect thereof) arise out of, relate to, or are based upon any claim brought by a third party relating to a breach of a Party’s and/or its corresponding Parent companies, warranties or undertakings under this Agreement. An indemnifying Party will pay or reimburse the indemnified Party for such losses, claims, damages, liabilities and expenses as they are incurred, subject to the submission of documentation evidencing such Party damages. Each Party shall notify the other promptly if it becomes aware that it is, or is reasonably likely to become, a party to any legal action which relates to a Party warranties or undertaking in this Agreement.

6.2. The indemnifying Party shall pay all reasonable legal fees and expenses (including any VAT thereon) of the indemnified Party in the investigation or defence of such claims or actions; provided, however, that the indemnifying Party shall not be obliged to pay legal expenses and fees to more than one law firm in connection with the defence of similar claims arising out of the same alleged acts or omissions giving rise to such claims, notwithstanding that such actions or claims are alleged or brought by one or more parties against the an indemnified Party.

8

6.3. The indemnity provided in this Section 6 shall survive the completion of Services rendered under, or any termination or purported termination of, this Agreement.

7. LIMITATION OF LIABILITY

7.1. Provider’s (and any company within Parent Group) maximum aggregate liability to Company or to any third party for all liability arising under or in connection with this Agreement howsoever arising (including by way of contract and/or under and indemnity and or in tort (including negligence)) shall be limited to an amount equivalent to the Fees paid to Provider in the preceding nine (9) months.

7.2. In no event shall Provider be liable hereunder for any (i) indirect, incidental, special or consequential damages of any kind; (ii) loss of business, profits, revenue, contracts or anticipated savings; or (iii) loss or damage arising from loss, damage or corruption of any data.

7.3. Nothing in this Agreement shall limit or exclude the liability of a party to the other party in respect of fraud, wilful misconduct or gross negligence or any other liability which cannot by way of law be limited or excluded.

8. CONFIDENTIALITY

8.1. Definition. The Parties agree that “Confidential Information” means any information which is proprietary and confidential in nature or that is treated as being confidential by a Party or by any of its affiliates and that is furnished by or on behalf of such a Party or any of its affiliates (collectively, the “Disclosing Party”) to the other Party or to any of its affiliates (collectively, the “Receiving Party”), whether such information is or has been conveyed verbally or in written or other tangible form, and whether such information is acquired directly or indirectly such as in the course of discussions or other investigations by the Receiving Party, including, but not limited to, trade secrets and technical, financial or business information, data, ideas, concepts or know-how that is considered and treated as being confidential by the Disclosing Party.

8.2. No Disclosure. The Receiving Party agrees to hold all Confidential Information of the Disclosing Party in confidence and not to use such Confidential Information other than during the Term as expressly permitted by this Agreement or as required by the regulatory authorities. The Receiving Party will not copy or otherwise reproduce or disclose any Confidential Information of the Disclosing Party, without the prior written consent of the Disclosing Party, other than for disclosures to those employees, agents, subcontractors or representatives of the Receiving Party who have a need to know such Confidential Information for the purposes of carrying out their obligations under this Agreement or other than for disclosures to the Regulatory Authorities as required pursuant to their rules and regulations Each Receiving Party will take such measures as it would reasonably be expected to take for the protection of its own confidential information and to protect the Confidential Information from unauthorized copying, disclosure or use.

9

8.3. Exclusions. No obligation of confidence under this Agreement shall extend to information that is:

(a) Publicly available through no act or omission by the Receiving Party;

(b) independently developed by the Receiving Party using individuals who have had no contact with the Disclosing Party’s confidential information; or

(c) required to be disclosed by government or court order or other legal process, provided that notice is promptly given to the party whose confidential information is to be so disclosed so that such party may seek a protective order and/or engage in other efforts to minimize the required disclosure. The Parties shall cooperate in seeking the protective order and engaging in such other efforts.

9. INTELLECTUAL PROPERTY

9.1. Company hereby acknowledges and agrees that Provider owns and is duly licensed to use any and all right, title and interest in the existing Platform and/or the software embedded to date thereof and Provider shall own and retain such title and interest at all times in the existing Platform (“Existing Platform IP”). Company irrevocably assigns to Provider, and shall procure an identical assignment from any end users, all right, title, and interest in so far as they relate to the Existing Platform IP and/or the software embedded thereof. Company shall not, directly or indirectly, attempt to invalidate for any reason whatsoever, or assert, or assist the assertion by others, that the rights, title or interest in the Existing Platform IP belong to the Company or any third party other than Provider.

9.2. Without prejudice the general aforesaid in Section 9.1 above, Provider hereby acknowledges and agrees that it has been required and/or it may be required during the Term of this Agreement to develop and/or perform certain modifications, enhancements, adaptations, translations or other changes of, or additions to the Platform and/or any software embedded thereof (even if developed by Company or any third party on its behalf) for the business of the Company, among others, based on ideas, suggestions, specifications, demands and/or proposals by Company, its end users, or any other third party (hereinafter referred to as: “Derivative Works”).

9.3. Provider acknowledges and agrees that the development of such Derivative Works for the Company shall be developed and made on a “works for hire” basis, and that the Parties will separately agree the scope, budget, timeline, ownership, and all other terms and conditions related to any such Derivative Works.

9.4. Notwithstanding the above, any development of Derivative Works by the Provider shall be for the exclusive use of Company and Codere Online so long as it is deployed in furtherance of regulated online gaming activities, whereas Parent Group shall have the right to use any development of Derivative Works by Provider (as well as any platform and technology services, as provided in Section 1.5) in furtherance of its retail gaming activities.

10

10. TERM AND TERMINATION

10.1. Term. The term of this Agreement shall commence and be deemed effective on the Effective Date and shall continue, unless earlier terminated as provided herein, for a five (5) year period (the “Initial Term”). Thereafter, the Initial Term shall automatically renew for successive twelve (12) month periods (each referred as the “Extended Term”), unless either Party hereto provides written notice of non-renewal at least ninety (90) days prior to the then expiration or termination of such Term (the Initial Term and Extended Term shall be referred jointly as the “Term”).

10.2. Termination.

10.2.1. Notwithstanding the foregoing, either Party may terminate the Agreement as follows:

(a) If either Party defaults in the performance or observance of any material term, condition or agreement contained in this Agreement in a manner that results in material harm to the other Party and such default continues for a period of thirty (30) days after written notice thereof specifying such default and requesting that the same be remedied in such thirty (30)-day period; or

(b) If the other the Party makes a general assignment for the benefit of its creditors, institutes proceedings to be adjudicated voluntarily bankrupt, consents to the filing of a petition of bankruptcy against it, is adjudicated by a court of competent jurisdiction as being bankrupt or insolvent, seeks reorganization under any bankruptcy law or consents to the filing of a petition seeking such reorganization or has a decree entered against it by a court of competent jurisdiction appointing a receiver liquidator, trustee or assignee in bankruptcy or in insolvency

10.2.2. Without prejudice to the above, on or after the three (3) year anniversary of the Effective Date, the Company shall be entitled to terminate this Agreement at any time and for any reason upon ninety (90) days prior written notice to the Provider.

10.2.3. Company may terminate this Agreement pursuant to Section 8 of Schedule B.

10.2.4. Any termination by the Company is subject to payment by Company to the Provider of its Discontinuation Costs as provided in section 10.3 below, except in the event such termination by the Company is due to the Provider’s breach of its obligations under this Agreement. In such event, the Provider shall not be entitled to Discontinuation Costs from Company.

11

10.2.5. Without prejudice to the above, the Provider may terminate this Agreement as follows:

(a) any Person or group of related Persons or Persons acting in concert with each other, other than Holdco, Parent and/or one or more of Parent’s future or current Affiliates, successors, assigns or any entity acquiring all or substantially all the assets and businesses of Parent whether by operation of law or otherwise, is or, as a result of any transaction, or series of related transactions (including a merger, consolidation or sale of shares), becomes, the beneficial owner of more than fifty percent (50)% of the share capital of Holdco or the Company; and

(b) If Codere Online sells, transfers, conveys or completes other disposition, whether in one transaction or a series of related transactions, of all or substantially all of the assets of (including shares owned by) Codere Online, on a consolidated basis, to any Person or group of related Persons or Persons acting in concert with each other, other than within the Parent Group.

10.2.6. If the Company amends the scope of the Services by reducing the amount of fees related to Services to be provided below 50% of the 2021 Annual Budget, Provider has the right to either (i) terminate this Agreement upon a six (6) months prior written notice to the Company; or (ii) continue to provide the Services pursuant to the terms of this Agreement except that the Services shall be provided on a non-exclusive basis.

10.2.7. Notwithstanding anything provided in this Agreement it is clarified and agreed that the Provider shall not be entitled for any reason other than as established in 10.2.1, 10.2.5 and 10.2.6 to terminate this Agreement during the Initial Term.

10.2.8. In any event of termination by the Provider, except as provided in Section 10.2.1, such termination shall enter into effect six (6) months from such notice of termination. Within such 6 months period, Provider undertakes to assist the Company to migrate all data and systems related thereto, to the then Company’s alternative platform of its choice, at is sole discretion.

10.3. Discontinuation Costs. Should the Company terminate this Agreement, or amend the scope of the Services by discontinuing certain Services, the Company shall reimburse to the Provider for all Discontinuation Costs, which will be calculated in good faith by the Provider and agreed between the Parties. Within thirty (30) days from the termination date, the Provider shall invoice the Company for these agreed Discontinuation Costs to be paid by the Provider. The Company shall pay said invoice within forty-five (45) days from the invoice date.

12

10.4. Review. The Company has the right to have a representative to review the accuracy of the calculation of the Discontinuation Costs (the “Calculation”), at its cost and expense, at the location that Provider keeps such records.

10.4.1. In the event that the Company does not agree with the Calculation, it shall furnish the Provider with the calculation of the Discontinuation Costs it considers to be accurate. If the Provider does not agree with the Company’s calculation, the calculation of the Discontinuation Costs shall be determined by an independent third party (the “Expert”) mutually selected by the Company and the Providers within ten (10) Business Days of written notice by Provider to Company of the inability to agree on the Calculation.

10.4.2. If Provider and the Company are unable to agree on the appointment of the Expert, Provider will appoint one of the “Big Four” accounting firms, other than Provider’s or the Company’s statutory auditors, to act as the Expert. The Expert shall calculate the Discontinuation Costs within thirty (30) days of its engagement, and such determination shall be conclusive and binding upon the Company and Provider. The party whose calculation of the Discontinuation Costs was farthest from the Discontinuation Costs calculated by the Expert shall bear the fees and expenses of the Expert, including any expenses incurred by Provider and the Company in presenting evidence to the Expert. If the determination by the Expert is equidistant between the calculation of the Company and Provider, or is no more than five percent (5%) more or less than such equidistant amount, the fees and expenses of the Expert shall be borne equally by the Company and Provider and each of the Company and Provider shall bear the cost of their own out-of-pocket expenses.

10.5. Obligations upon Termination.

10.5.1. Upon termination of this Agreement, each Party shall return or destroy all of the other Party’s Confidential Information in its possession or control.

10.5.2. In the event of termination, the Company shall pay Provider any fees that are due up to the date of termination, without limitation to either Party’s other rights or remedies hereunder, at law, or in equity.

10.6. Survival Upon Termination

10.6.1. If this Agreement is terminated pursuant to this Section 10, such termination will be without any further liability or obligation of any party hereto, except as provided in Section 1 (Purpose and Definitions), Section 6 (Indemnity), Section 7 (Limitation of Liability), Section 7 (Confidentiality), Section 9.3 (Intellectual Property), Section 10.3 (Discontinuation Costs), Section 10.5 (Obligations upon Termination), Section 11.4 (Governing Law and Jurisdiction), and Section 11.8 (Preservation of Remedies) hereof.

13

11. GENERAL PROVISIONS

11.1. Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to the Services all prior agreements, understandings, negotiations and discussions, whether oral or written, between the Parties with respect thereto.

11.2. Waiver. No waiver by any Party of the breach of any of the covenants, conditions and provisions herein shall be effective or binding upon such Party unless expressed in writing.

11.3. Notices. Unless otherwise specified herein, all notices, consents, and approvals must be in writing and delivered personally or sent by overnight or certified mail, postage prepaid, or sent electronically (fax or e-mail) with the means to confirm or verify receipt, to the address of the recipient designated herein, to the attention of the undersigned, or such other address or addressee as the recipient has given the sender in writing.

If to Provider:
CO NAME:	Codere Apuestas España S.L.U and Codere Newco S.A.
ADDRESS:	Avenida Bruselas 26
	28108 Alcobendas (Madrid) España
PERSON:	Angel Corzo Uceda
EMAIL:	angel.corzo@codere.com
If to the Company:
CO NAME:	Codere Online Management Services Limited
ADDRESS:	Level 3 (Suite no. 2265), Tower Business Centre, Tower Street,
	Swatar BKR 4013, Malta
PERSON:	COO Moshe Edree/ CFO Gonzalo de Osma Bucero
EMAIL:	moshe.edree@codere.com / gonzalo.deosma@gmail.com

11.4. Governing Law and Jurisdiction: This Agreement shall be governed by and construed in accordance with the internal laws of the Kingdom of Spain (Derecho común español). This Agreement, and any disputes arising out of or in connection with it, its subject matter, existence, negotiation, validity, termination or enforceability (including non-contractual disputes or claims) and including all matters of constructions, interpretation, validity and performance will in all respects be finally settled by the Courts of the City of Madrid.

11.5. Assignment. This Agreement shall be binding on and inure for the benefit of the successors and permitted assignees of the Parties.

This Agreement shall not be assigned by either Party without the prior written consent of the other Party, except (i) in the case of assignment to a Person that is such Party’s successor by merger, consolidation or purchase of assets, in which case the successor shall be bound under this Agreement and by the terms of the assignment in the same manner as such Party is bound under this Agreement, or (iii) to an Affiliate of such Party, in which case the Affiliate or assignee shall be bound under this Agreement and by the terms of the assignment in the same manner as such Party is bound under this Agreement. of assets, in which case the successor shall be bound under this Agreement and by the terms of the assignment in the same manner as such Services Recipient is bound under this Agreement.

14

Any purported assignment of this Agreement in violation of this Section 11.5 shall be null and void.

11.6. Counterparts. This Agreement may be signed in counterparts and each of such counterparts will constitute an original document and such counterparts, taken together, will constitute one and the same instrument.

11.7. Amendments. The Parties agree that this Agreement cannot be altered, amended or modified, except in writing which is signed by an authorized representative of both Parties.

11.8. Preservation of Remedies: Termination of this Agreement is without prejudice to the rights of either party with regard to a breach by the other party of this Agreement, or any obligation surviving termination or expiration of this Agreement. Full legal remedies remain available for any such breach or continuing obligation, including the right to recover damages or to secure other appropriate relief.

11.9. Invalidity of Provisions: Each of the provisions contained in this Agreement is distinct and severable and a declaration of invalidity or unenforceability of any such provision or part thereof by a court of competent jurisdiction will not affect the validity or enforceability of any other provision hereof. To the extent permitted by applicable Law, the parties hereto waive any provision of Law which renders any provision of this Agreement invalid or unenforceable in any respect. The parties hereto will engage in good faith negotiations to replace any provision which is declared invalid or unenforceable with a valid and enforceable provision, the economic effect of which comes as close as possible to that of the invalid or unenforceable provision which it replaces.

11.10. Entire Agreement: This Agreement constitutes the entire agreement between the parties hereto pertaining to the subject matter of this Agreement. There are no warranties, conditions, or representations (including any that may be implied by statute) and there are no agreements in connection with such subject matter except as specifically set forth or referred to in this Agreement. No reliance is placed on any warranty, representation, opinion, advice or assertion of fact made either prior to, contemporaneous with, or after entering into this Agreement, by any party to this Agreement or its directors, officers, employees or agents, to any other party to this Agreement or its directors, officers, employees or agents, except to the extent that the same has been reduced to writing and included as a term of this Agreement, and none of the parties to this Agreement has been induced to enter into this Agreement by reason of any such warranty, representation, opinion, advice or assertion of fact. Accordingly, there will be no liability, either in tort or in contract, assessed in relation to any such warranty, representation, opinion, advice or assertion of fact, except to the extent contemplated above.

11.11. Further Assurances: Each of the parties hereto will promptly do, make, execute or deliver, or cause to be done, made, executed or delivered, all such further acts, documents and things as the other party hereto may reasonably require from time to time for the purpose of giving effect to this Agreement and will use reasonable efforts and take all such steps as may be reasonably within its power to implement to their full extent the provisions of this Agreement.

11.12. Enurement: This Agreement will enure to the benefit of and be binding upon the parties hereto and their respective successors and permitted assigns.

15

IN WITNESS WHEREOF, the Parties have duly signed and executed this Agreement as of the date first above written.

(1) PROVIDER:

/s/ Angel Corzo Uceda
By:	Codere Apuestas España S.L.U.
Name:	Angel Corzo Uceda
Title:	Director
(2) PROVIDER:
/s/ Vicente Di Loreto
By:	Codere Newco S.A.U
Name:	Vicente Di Loreto
Title:	Authorised Signatory
(3) THE COMPANY:
/s/ Moshe Edree
By:	Codere Online Management Services LTD
Name:	Moshe Edree
Title:	Director
/s/ Gonzalo de Osma Bucero
By:	Codere Online Management Services LTD
Name:	Gonzalo de Osma Bucero
Title:	Director

16

Schedule A

Platform Services and Prices for 2021

Service Provider:	The services will be provided indistinctly by CAES and/or CNEW
Customer:	OMSE

Figures in EUR		Type of invoicing	Budget 2021
Services provided	Service Description	Re-invoicing of personnel cost	Fixed	Variable	Sub-Total	Mark-up	Total
General Costs	Leasing of the building proportional part, travel expenses, training, office supplies, cost of external auditors of the companies.	-	16,561	21,338	37,899	No	37,899
Personnel (Codere Internal)	Maintenance, evolution of the applications, infrastructures and security services for the online platform carried out by internal Parent Group teams.	Cost of the fully dedicated teams to Codere Online and the effective allocation of mixed teams (providing services to Online and Retail).	1,525,181	-	1,525,181	Yes	1,601,745
Customer Support Services Personnel Costs	Customer support service provided by internal Parent Group team to Codere Online	Cost of the fully dedicated teams to Codere Online and the effective allocation of mixed teams (providing services to online and retail).	486,517	-	486,517	Yes	510,940
Internal Trading Personnel	Parent Group’s trading & risk team is responsible for building, publishing, and managing the sports betting offering.	Cost of the fully dedicated teams to Codere Online and the effective allocation of mixed teams providing services to online and retail.	1,431,133	-	1,431,133	Yes	1,502,976

17

Technical Assistance and Technology Services	Maintenance and evolution of the applications and features for the Online Gaming Platform carried out by external teams.	External professional services (third parties) contracted by Parent Group for maintenance and evolution of the Online Gaming Platform.	476,881	623,079	1,099,960	Yes	1,155,178
IT Operations Services	Maintenance, improvements and operation of the infrastructures and communications systems on which the Online Gaming Platform is based.	External professional services (third parties) contracted by Parent Group for maintenance and evolution of the Online Gaming Platform.	23,975	395,380	419,355	Yes	440,407
Security & Cybersecurity Services	Security and cybersecurity services that are needed for the Online Gaming Platform.	External professional services (third parties) contracted by Codere Group for maintenance and evolution of the Online Gaming Platform.	69,123	68,424	137,547	Yes	144,452
Systems	Hardware both acquired, leased or contracted as SaaS or Cloud format such us CPDs, storage and servers.	Re-invoicing of electronic products and services.	1,924	597,584	599,508	No	599,508
Communications	Cost telephone / Internet lines, switches, network electronics, navigation management (Proxy), firewalls, International WAN, VPNs among other.	Re-invoicing of electronic products and services.	228,648	29,090	257,738	No	257,738
Equipment	IT equipment renewal (computers, telephones, screens, etc.)	Upon request and only focused for the team located in Alcobendas.		1,056	1,056	No	1,056

18

Software License	Software licenses in SaaS or purchase mode: 1) Base infrastructure software (server operating systems) 2) Application software (Dynamics, SharePoint) 3) Security software (Antivirus), 4) Workstation software (Office 365)	Re-invoicing of services and electronic products purchases.	99,383	111,767	211,150	No	211,150
Trading	Feed providers that are not billing Codere Online directly such as: - Sportradar (Fixed) - Betradar (variable)	Re-invoicing of services provided.	7,888	169,001	176,889	No	176,889
Total				4,367,214	2,016,719	6,383,933	6,639,938

Budget 2021
Other		Type of invoicing	Fixed	Variable	Sub-Total	Mark-up	Total
Other services not included / or on demand projects.	Services or development projects not included above may be requested by Codere Online.	Both parties will negotiate and mutually agree on specific budgeted projects.	TBD	TBD	TBD	Yes	TBD

19

Schedule B

Services and Service Level Agreement

This Service Level Agreement (this: “SLA”) is made and signed as of the same date as the Agreement (as defined above)

1. Maintenance and Support Services

1.1. This Schedule B shall enter into force 30 days following the signing of the Agreement.

1.2. The account manager or a suitable representative of Provider shall meet (either by way of telephone conference or in person) on a regular basis with the suitable representative of Company.

1.3. Technical support personnel shall be available to Company to provide maintenance and support services and answer technical questions in relation to, and assist Company to correctly utilize, the Licensed Software on a 24 hours per day, 7 days per week basis, such availability to be by way of telephone or by email request to member of Provider ‘s technical support team.

1.4. Provider agrees to cooperate faithfully without reservation with Company and its personnel providing access to the necessary system information and assistance for the full prompt performance of the service level agreement evaluation.

2. Definitions

In addition to the definitions set out in the main body of the Agreement which apply in this Schedule B, the following definitions shall apply:

2.1. “Availability” means, in each calendar month during the Term (prorated where applicable), the following calculation: (Actual Availability ÷ Available Minutes) x 100, where:

● “Available Minutes” means the total number of minutes in the relevant calendar month (for example, 44,640 in a thirty one (31) day month) less the Exclusions Events set forth in Section 7 below;

● “Unavailability” means the total number of minutes in the relevant calendar month, measured from the time that the Company reports an incident concerning Availability, where the Licensed Software is completely unavailable to end users due to a Priority A Defect; and

● “Actual Availability” means Available Minutes minus Unavailability in a calendar month.

2.2. “Back Office Systems” means facilities whereby Company can obtain access for the purpose of Company’s monitoring its End Users’ activity for the purpose of customer service, management and reconciliation.

2.3. “Defect Correction” means either a bug fix, work-around, patch, or other modification or addition that brings the Licensed Software into conformity with the Documentation and applicable specifications.

2.4. “Emergency Maintenance” means any maintenance work (not being Planned Maintenance) which Provider reasonably determines is urgently required, and which could not be carried out as Planned Maintenance.

2.5. “Planned Maintenance” means routine upgrades, repairs, maintenance, replacements, regulatory inspections or other work on any systems, hardware or software used in connection with the provision and operation of the Licensed Software which Provider reasonably deems to be necessary; and which activity necessitates such Licensed Software to be unavailable for use or suffer a degradation of its usability, utility or functionality, provided that Provider has given prior notice of such activity to Company in accordance with the terms of this Schedule.

20

2.6. “Priority A Defect” means a defect that renders Licensed Software inoperative or causes a complete failure of the Licensed Software in such a way that the Licensed Software is completely not available for all End Users. For example: no casino games can be accessed by any End Users.

2.7. “Priority B Defect” means a defect that substantially degrades the operation, function or performance of the Licensed Software, in such way that all ‘back office’ features are completely inoperative or no progressive jackpot games can be accessed by any End Users.

2.8. “Priority C Defect” means a Defect that causes only a minor impact on the End User’s use of Licensed Software and which is not a Priority A Defect or a Priority B Defect.

2.9. “Maximum Response Time” means Provider ‘s response time to Company’s notification as set forth in Section 3

2.10. “Maximum Recovering Time” or “MRT” means Provider ‘s maximum recovery time as set forth in Section 4.

2.11. “Notification” means notification by either party of a defect by telephone and email to the contact for each party nominated in the escalation procedure document which forms part of the documentation.

2.12. “Bet Placement Time” means the time between a bet placement request reaches the method “DoPlaceBet” and the time that method responds.

2.13. “Average Bet Placement Time” means the average Bet Placement Time of all successfully processed bet placement attempts during a defined interval.

2.14. “System Performance” is measured by the “Average Bet Placement Time” for each full hour starting each day at 00:00:00 (e.g. 03:00:00 to 03:59:59).

2.15. “Prime Time” list of days and hours of the month in which sporting events are held with great impact on bets placement. The list of prime-time days and hours will be provided by Provider one week before the start of the month of its application.

3. Service Levels

3.1. Provider shall use its reasonable commercial efforts to correct any defect reported by Company in accordance with the applicable priority levels and Maximum Response Time:

3.1.1. in the event of Priority A Defect, Provider shall respond to the Notification by Company within 1 (one) hour, commence verification of the Defect immediately thereafter and, upon verification, shall initiate work to provide Company with a Defect Correction. In the Update that shall follow such Priority A Defect Correction event, Company shall provide Provider with updates on the status of the Priority A Defect Correction;

3.1.2. in the event of Priority B Defect, Provider shall respond to the Notification by Company within 1 (one) hour and shall provide a Defect Correction;

3.1.3. in the event of Priority C Defect, Provider shall provide a Defect Correction in the next Upgrade.

21

4. Credits

Level of Priority	MRT		Credits earned by Company for each failure to adhere to Service Levels
	Prime Time	Rest	Prime Time	Rest
A	2 elapsed hours from notification to Provider	4 elapsed hours from notification to Provider	(The average monthly License Fees received by Provider  for the preceding 3 calendar months / 732 hours) *2.64* the number of hours exceeding the MRT	(The average monthly License Fees received by Provider for the preceding 3 calendar months / 732 hours) *0.33* the number of hours exceeding the MRT
B	4 elapsed hours from notification to Provider	8 elapsed hours from notification to Provider	(The average monthly License Fees received by Provider  for the preceding 3 calendar months / 732 hours) *1.20* the number of hours exceeding the MRT	(The average monthly License Fees received by Provider  for the preceding 3 calendar months / 732 hours) *0.15* the number of hours exceeding the MRT
C			No credits	No credits

For clarification: 732 hours=average monthly days of 30.5 per calendar month * 24 hours

4.1. Subject always to the provisions of Sections 5 and 6 below, the Credits shall be off-set against any future Fees otherwise due under Schedule A.

4.2. Provider ‘s entire liability in respect of any failure on its part to observe the Maximum Response Time or the Maximum Recovery Time (as the case may be) shall be payment of the above Credits pursuant to this Schedule.

4.3. The maximum credit payable to Company in any given calendar year shall be capped at the average monthly License Fees Provider received for the period of the 3 calendar months preceding to the Credit event.

4.4. System Performance

	Average Bet Placement (during a full hour interval)	Credits (% of monthly Company Fee) per full hour interval
		Prime Time	Rest
Sports bet placement	> 8 seconds	(The average monthly License Fees received by Provider  for the preceding 3 calendar months / 732 hours) *1.2	(The average monthly License Fees received by Provider  for the preceding 3 calendar months / 732 hours) *0.15
Slot & Casino bet placement	> 1 seconds	(The average monthly License Fees received by Provider  for the preceding 3 calendar months / 732 hours) *1.2	(The average monthly License Fees received by Provider  for the preceding 3 calendar months / 732 hours) *0.15

If the Average Bet Placement Time (during a full hour interval) is greater than 12 seconds (“Bet Latency”), then the Licensed Software shall be deemed unavailable for the purpose of this Service Level Agreement for the duration of the Bet Latency.

Service credits will be due for each interval as outlined in the table above excluding any interval that is also considered a Priority A or B Defect.

Service credits due to System Performance do not imply that the System was not available at that time.

22

4.5. System Availability

	Monthly Licensed Software Availability		Discount to be applied on the invoice for the respective calendar month in which the Availability Levels triggered the discount (% of monthly License Fee)
	<	>=
Level 1	100,00%	99,50%	0%
Level 2	99,50%	99,00%	3%
Level 3	99,00%	98,00%	10%
Level 4	98,00%	97,00%	15%
Level 5	97,00%	95,00%	20%
Level 6	95,00%	90,00%	30%
Level 7	90,00%	80,00%	40%
Level 8	80,00%	70,00%	50%
Level 9	70,00%	0,00%	100%

4.6. To the extent that Company, acting in good faith and having sufficient evidence that Company is entitled to any Credits under this Section 4, Company will provide Provider with a written proposal of due Credits for each month by the end of the third business day of the immediately following month. If such written proposal was not provided by Company to Provider within 3 business days (or from when Provider provides the required system management information if later) no penalties are due. If the proposal was sent, Provider will set up a meeting for further discussions, in which case no Credits will be due until the Parties reach a written agreement in connection therewith.

5. Updates and Maintenance

5.1. Provider shall communicate through email at least twenty-four (24) hours in advance of any Planned Maintenance. In the event that Emergency Maintenance is necessary, Provider will use its best efforts to communicate prior notice to Company.

5.2. Provider shall use commercially reasonable efforts to limit Planned Maintenance that will affect the availability of the Products to End Users.

5.3. Company will give Provider at least forty-eight (48) hours’ notice by email to the respective account manager or customer relations representative of patches, system upgrades and updates to their own infrastructure, where such works are likely to have an impact on Provider .

6. Customer Services

6.1. Within its services the Provider shall assist and provide Customer Services to the Company’s end users, among others, in the following areas:

6.1.1. Provision of information regarding the use of the Platform and/or Omnichanel services

6.1.2. Payment methods and procedures, both on deposits and withdrawals;

6.1.3. Promotions information;

6.1.4. Verification of documents or compliance procedures;

6.1.5. Procedures and assistance in opening, closing or freezing an end user account;

6.1.6. General assistance in incidents that araise on the operation of the Platform

23

6.2. For the evaluation of the efficacy of the Customer Services the following indicators shall be applied:

KPI	Target accomplished	Accomplished partially	Target unachieved
Call Abandonment  Rate (per market)	<7%	8%-10%	>10%
Chat Abandonment  Rate (per market)	<10%	11%-15%	>15%
% of calls answered in less than 30 seconds (per market)	>80%	80%-75%	<75%
% of chats answered in less than 2 minutes (per market)	>80%	80%-75%	<75%
% of emails answered in less than 48 hours (per market)	>80%	80%-75%	<75%
Email response time	from 4  to 24 hours
Perceived service quality index (calls/per market)	>8	8-7	<7
Perceived service quality index (chats/per market)	>7	7-6	<6
Data
Average waiting time (calls/ per market)	< 45s	46s-90s	>90s
Average wating time (chat/per market)	< 30s	30s-60s	>60s
Average Handle time (calls/ per market)	< 4:45	4:46-5:30	>5:30
Average Handle time (chats/ per market)	< 10:00	10:01-10:30	>10:30

Call abandonment Rate =	No of inbound calls when customers hung up before their calls get answered	X100
	No. Of inbound calls made by customers

Chat abandonment Rate =	No of chats abandoned before the chats get answered	X100
	No of inbound chats open by customers

Perceived service quality index (calls/per market) = Average of customers ratings after the call. Call Switchboard rating tool. Perceived service quality index (chats/per market) = Average of customers ratings after the chat. Chat rating tool.

7. Exclusions

No Service Levels and/or Credits shall apply to any failure of Provider to comply with the Service Level, or to any Defect of any priority, caused, in whole or part, by any of the following exclusion events:

7.1. any decreased availability or scheduled downtime due to Planned and/or Emergency Maintenance;

7.2. a failure of third-party equipment, hardware and/or software;

24

7.3. a failure in local access facilities connecting Company to the network;

7.4. force majeure events;

7.5. any act or omission of Company or any of Company’s third parties (including but not limited to, Company’s agents, contractors or vendors), including, but not limited to (i) failing to provide Provider with the adequate access, information and cooperation required in connection with the provision of the Licensed Software; (ii) failing to take any reasonable remedial action in relation to the Licensed Software as recommended in writing by Provider (or any of its agents, contractors or vendors), or otherwise preventing Provider from doing so, or (iii) any act or omission which causes Provider to be unable to meet any of the service level provisions (including but not limited to deliberate or willful acts or omissions which are purposed to fail Provider from meeting its obligations under the Agreement);

7.6. fraud events (by Company and/or any third party engaged by Company), except if it is motivated by a vulnerability in the Provider platform;

7.7. Company’s negligence or willful misconduct; or

7.8. Any DDOS (denial-of-service) attack.

8. Termination for breach of the Service Levels

Company may terminate the Agreement by giving Provider thirty (30) days’ prior written notice if Availability of the Licensed Software is below 80% in any three (3) consecutive calendar months.

25

SCHEDULE C

The Parties agree to incorporate the following Data Processing Agreement, which shall regulate any of the services covered by this Schedule that involve the processing of personal data and which shall be governed by the following,

STIPULATIONS

CODERE ONLINE MANAGEMENT SERVICES LIMITED, hereinafter, the DATA PROCESSOR, with its own functions, rights and obligations, and CODERE APUESTAS ESPAÑA S.L. and CODERE NEWCO S.A., hereinafter, the DATA SUBPROCESSORS -or DATA SUBPROCESSOR-, with its own functions, rights and obligations.

RESOLVE THAT

I. Whereas DATA SUBPROCESSORS, by providing to DATA PROCESSOR the services established in SCHEDULE A (hereinafter the “Services”), may access and process certain personal data owned by DATA CONTROLLER on behalf of DATA PROCESSOR’s instructions.

II. Whereas, in order to comply with the regulation about personal data and to Regulation (EU) 2016/769 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”), the Parties sign this Data Processing Agreement (hereinafter, “Schedule”), which includes the following:

TERMS AND CONDITIONS

DEFINITIONS

- “Controller” or “Data Controller”: means the natural or legal person, public authority, organisation, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data;

- “Data Protection Laws and Regulations”: means all applicable laws and regulations of the European Union, the European Economic Area and/or the relevant implementing law of any such member state, in particular the data protection legislation of the countries where the Data Controller is established to conduct the business to which the Services are related, and with respect to any other country, any applicable data protection or data privacy legislation;

- “Data Subject”: means an identified or identifiable person to whom the Personal Data relate;

- “Documentation”: means all and any user guides and operating or other similar manuals and/or documentation, provided in hard copy or soft copy, necessary to enable the Data Controller to make full and proper use of the System or the Service;

- “Personal Data”: means any information relating to an identified or identifiable natural person (as defined under Regulation (EU) 2016/679 of the European Parliament and of the Council, as replaced from time to time, also known as Personal Identifiable Information under other legislations). This includes information that can be linked, directly or indirectly, to a natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or using all means which can reasonably be used by the Data Controller or a Third Party to identify a natural person (e.g. one or more factors specific to his physical, physiological, mental, economic, cultural or social identity);

26

- “Processing of Personal Data”: means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

- “Processor” or “Data Processor”: means the natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller and according to its written instructions;

- “Subprocessor” or “Data Subprocessor”: means the natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Processor and according to its written instructions;

- “System”: means the electronic information systems comprising any one or more of hardware, equipment, software, peripherals and communications networks owned, controlled, operated and/or used by the Provider to supply the Services. It shall not apply to any hardware, equipment, software, peripherals and communications networks owned by the Client, even in case where the intellectual property of the software licence running on it belongs to the Provider;

1. PURPOSE.

The purpose of this SCHEDULE is to define the conditions under which DATA SUBPROCESSOR will conduct the processing of personal data for the provision of the service contracted by DATA PROCESSOR, in accordance with the data protection legislation and Article 28 of the GDPR and related articles.

The processing shall be carried out on personal data owned by the DATA CONTROLLER or held by the latter (hereinafter “personal data”) in accordance with APPENDIX I, in order to provide the services agreed between the PROCESSOR and SUBPROCESSOR.

2. OBLIGATIONS OF THE DATA SUBPROCESSORS.

The DATA SUBPROCESSOR shall carry out the processing of personal data resulting from the provision of the contracted service, in accordance with the following obligations:

● It shall be limited to carrying out the necessary actions to provide DATA PROCESSOR with the contracted Service, in accordance with the provisions of this Agreement.

In particular, it undertakes to carry out the processing of personal data in accordance with the instructions which, at any time, it receives from the DATA PROCESSOR or directly from DATA CONTROLLER, as well as with the provisions of the rules applicable to personal data protection, even when it comes to transfers of personal data to a third country or to an International Organization, unless it is obliged to do so by virtue of the European Union or Member State Laws applicable to the DATA PROCESSOR or to the DATA CONTROLER. In such cases, DATA SUBPROCESSOR shall inform DATA PROCESSOR of such legal requirement prior to the processing.

If DATA SUBPROCESSOR considers that any of the instructions breaches the GDPR or any other data protection provision in the territory of the European Union or that has previously been declared by the European Union as a country with an adequate level of protection, DATA SUBPROCESSOR shall immediately inform DATA PROCESSOR.

27

● The DATA SUBPROCESSOR undertakes not to conduct any further processing on personal data, or apply or use the data for any purpose other than to provide the services referred to in the Agreement.

● It shall provide the necessary training in the protection of personal data of persons authorized to handle personal data.

● The DATA SUBPROCESSOR shall keep a written record of all processing activities carried out by and on behalf of DATA PROCESSOR, containing:

o The name and contact data of the DATA PROCESSOR and the DATA SUBPROCESSOR and, as applicable, of the representatives of the DATA PROCESSOR and the DATA SUBPROCESSOR, and, if necessary, of the data protection officer.

o The description of the categories of the processed personal data.

o Transfers of personal data to other countries or international organizations, as the case may be, including the name of the country or international organization and documentation containing the appropriate guarantees.

o A general description of the technical and organizational security measures in relation to:

§ The pseudonymisation and encryption of personal data.

§ The capacity to guarantee permanent confidentiality, integrity, availability and resilience of the processing systems and services.

§ The capacity to rapidly restore the availability and access to personal data in the event of a physical or technical incident.

§ The regular checking, assessment and valuation process regarding the efficacy of the technical and organizational measures to guarantee security during processing.

● The DATA SUBPROCESSOR undertakes to keep, under its control and custody, the personal data provided by DATA PROCESSOR to which it has access to provide the Service and not to disclose, transfer, or otherwise communicate the data to third parties, even for conservation purposes, except with the express authorization of the DATA PROCESSOR, in the legally admissible cases.

● It shall support DATA PROCESSOR or DATA CONTROLLER in carrying out impact assessments concerning data protection and prior consultations for the competent Control Authorities, where appropriate, on all or any of the processing deriving from the provision of the service.

● It shall make available to DATA PROCESSOR or DATA CONTROLLER all information necessary to demonstrate compliance with its obligations, as well as to enable and actively assist in the conduct of audits or inspections carried out by DATA PROCESSOR, DATA CONTROLLER or other auditor authorized by the latter, as detailed in Clause 5.

● Inform in writing and prior to the start of the Service to the PROCESSOR of all the implications in relation to the processing of personal data that may arise from the execution and development of the services contracted

● Upon request of the DATA PROCESSOR, the DATA SUBPROCESSOR shall provide, by way of illustration only and not limitation, the following information/documentation:

o The certificates, duly updated, referred to in Article 42 of the GDPR and obtained by the DATA SUBPROCESSOR.

28

o The information related to the adherence of the DATA SUBPROCESSOR to Codes of Conduct.

o The certificates and standards that, regarding information security, the DATA SUBPROCESSOR has obtained.

o The internal or external audit reports on data protection and/or information security carried out by the DATA SUBPROCESSOR.

o The protocols, policies, manuals and procedures that regulate the data processing by the DATA SUBPROCESSOR.

o If applicable, a list specifying the controls and indicators implemented in the information systems used by the DATA SUBPROCESSOR.

● When necessary, it shall designate a data protection officer and communicate the name and contact data of that person to the DATA PROCESSOR.

3. PERSONAL DATA SECURITY.

The DATA SUBPROCESSOR will implement the security measures and mechanisms set out in Article 32 of the GDPR to:

- Guarantee the permanent confidentiality, integrity, availability and permanent resilience of processing systems and services.

- Rapidly restore availability and access to personal data quickly, in the event of physical or technical incidents.

- Regularly verify, assess and evaluate, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of processing.

- Pseudonymize and encrypt personal data, as required.

To this end, the DATA SUBPROCESSOR undertakes to implement at least the security measures described in APPENDIX 2 of this Agreement, without prejudice to any additional measures deemed necessary to comply with the provisions of art.32 GDPR.

4. Compliance verification measures

Audit request

For the purposes of checking the level of compliance by the DATA SUBPROCESSOR with the terms set forth in the applicable legislation and in this Agreement, the DATA PROCESSOR may request the performing of audits, alone or through an independent auditor authorised by the DATA SUBPROCESSOR.

Audit notification

The DATA PROCESSOR shall notify the DATA SUBPROCESSOR through any channel of its wish to perform such audits at least five (5) working days before the planned audit date.

Information requests

The DATA PROCESSOR may ask the DATA SUBPROCESSOR for the necessary information to evaluate its level of compliance, and, in particular, evidence of compliance with the provisions of the legislation applicable to the present Agreement.

29

By way of example, and without limit, at the request of the DATA PROCESSOR, the DATA SUBPROCESSOR shall provide the following information/documentation:

● The duly-updated certificates set out in Article 42 of the GDPR, in the event of obtaining such certificates, and submission of the audit reports it is obliged to present in accordance with said certificates.

● In the event that the DATA SUBPROCESSOR has declared its adherence to Codes of Conduct, the data related to its adhesion.

● Certificates and standards held by the DATA SUBPROCESSOR in relation to information security.

● Internal or external audit reports prepared by the DATA SUBPROCESSOR regarding data protection and/or information security.

● Protocols, policies, manuals and procedures regulating the data processing activities of the DATA SUBPROCESSOR.

● A list specifying the controls and indicators implemented in the information systems used by the DATA SUBPROCESSOR.

Duty to cooperate

The DATA SUBPROCESSOR shall cooperate diligently and facilitate access to and the obtaining of the necessary information in response to the needs of the DATA PROCESSOR. The evidence and documentation obtained during the audit shall be stored in a repository owned by the DATA SUBPROCESSOR to guarantee the non-disclosure and security of the information, in keeping with the present state of technology.

Audit result

If, as a consequence of the audit, the DATA PROCESSOR detects any breach, pursuant to applicable law and the terms of the present Agreement, it may, at its sole discretion and depending on the gravity of the breach:

● Request the DATA SUBPROCESSOR to remedy the detected breach immediately by preparing a correction plan which shall be implemented within a certain time not exceeding one month, and the DATA SUBPROCESSOR shall provide the DATA PROCESSOR with evidence accrediting the resolution thereof.

● Proceed to the early termination of the Services Agreement. In this case, the DATA SUBPROCESSOR shall return to the DATA PROCESSOR the proportional part of the amounts received for all services not effectively provided.

5. DATA LOCATION

The DATA SUBPROCESSOR shall guarantee the DATA PROCESSOR the ability to choose the place where the personal data processed in connection with the provision of the service will be stored, and specifically, shall guarantee the choice of Data Processing Centers located within the European Economic Area (hereinafter EEA).

Alternatively, the DATA SUBPROCESSOR may offer the DATA PROCESSOR who at its sole discretion may accept or reject it, the possibility of locating the data in Data Processing Centers located outside the European Economic Area (“EEA”), on the basis of the signature of standard data protection clauses adopted by the European Commission on international transfers, or the adoption of other appropriate guarantees provided for in the applicable regulations.

Finally, the DATA SUBPROCESSOR shall assume the obligation to inform at all times the DATA PROCESSOR of the transfers of personal data that may be destined to countries located outside the EEA in connection with the provision of the contracted service.

30

6. DATA BREACHES NOTIFICATIONS

The DATA SUBPROCESSOR shall notify DATA PROCESSOR, without undue delay and, in any case, before the maximum deadline of twenty-four (24) hours, of any breaches to the security of the personal data in its possession of which it is aware, including all relevant information for documenting and reporting the incident.

Pursuant to the aforementioned, the DATA SUBPROCESSOR shall provide at least the following information:

a) Description of the nature of the personal data security breach, including the categories and the approximate number of parties concerned, and the categories and approximate number of personal data records affected.

b) The name and contact details of its Data Protection Officer and/or Legal Representative who can provide more information.

c) Description of the possible consequences of a personal data security breach.

d) Description of measures taken or proposals to remedy the personal data security breach, including, where appropriate, measures taken to mitigate possible negative effects.

If it is not possible to provide information simultaneously, and to the extent that it is not provided, the information will be made available gradually without undue delay.

7. ADHERENCE TO CODES OF CONDUCT OR CERTIFICATION MECHANISM.

In case the DATA SUBPROCESSOR has joined Certification Mechanisms (e.g. ISO, LEET, etc.), which demonstrate the existence of sufficient safeguards to ensure the security of the information processed and the rights of the data subjects, the DATA PROCESSOR will attach the supporting documentation to this document as an appendix.

8. INTERNATIONAL DATA TRANSFERS.

Pursuant to this Agreement, Personal Data may be transferred outside the European Economic Area, subject to the obligations and safeguards set forth in the GDPR, for the correct development of the service. This International transfer will be count on one of the following guarantees:

a) The country of destination has an adequacy decision from the European Commission.

b) Standard Contractual Clauses, from the European Commission or a Control Authority.

c) Binding Corporate Rules, approved by a supervisory authority.

d) Authorization by a supervisory authority.

The Parties, unless another guarantee is used to legitimize the transfer, expressly agree to accept, complete in accordance with the service and sign the Standard Contractual Clauses, adopted by the Commission Decision of 5th February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, attached in APPENDIX V to this Agreement. The signature of the standard contractual clauses is instructed by the DATA CONTROLLER, who authorizes and entrusts the DATA PROCESSOR to regularize the transfer with the DATA SUBPROCESSOR.

It will be the responsibility of the DATA PROCESSOR to assess whether the level of protection required by the GDPR is respected in the destination country, in order to determine whether the safeguards can be met in practice. In the event that the DATA PROCESSOR considers that the country of destination fails to provide the necessary safeguards, the Parties will apply the additional measures set out in APPENDIX IV to ensure an equivalent level of protection as required by the GDPR. The DATA PROCESSOR may contact the DATA SUBPROCESSOR to jointly analyses the legislation of the destination country and verify that it does not undermine the additional measures.

31

9. CONFIDENTIALITY OBLIGATION.

The obligation of secrecy and confidentiality resulting from this Schedule obliges the DATA SUBPROCESSOR, during its period of validity, and extended, depending on the type of information processed, throughout the maximum terms provided for in current legislation that may apply.

The DATA SUBPROCESSOR shall ensure that persons authorized to process personal data are committed, expressly and in writing, to comply with confidentiality and to comply with the relevant security measures, which DATA PROCESSOR shall report appropriately. The DATA SUBPROCESSOR shall provide DATA PROCESSOR or DATA CONTROLLER with the documentation certifying compliance with this obligation.

Authorized persons mean any individual or legal entity with access to the data processed irrespective of the contractual relationship binding him/her with DATA SUBPROCESSOR.

10. INFORMATION OBLIGATION.

If the DATA SUBPROCESSOR obtains personal data on behalf of the DATA PROCESSOR, the DATA SUBPROCESSOR shall process the data in accordance with the instructions of the DATA PROCESSOR, in accordance with the drafting and format indicated by the latter.

11. OBLIGATION TO RETURN OR DESTROY DATA

Once the provision of the Service object of the Service Agreement has been completed, the DATA SUBPROCESSOR undertakes to return to the DATA PROCESSOR or to the person determined by the latter any information containing personal data that has been transmitted by the DATA PROCESSOR to the DATA SUBPROCESSOR in connection with the provision of the Service, as well as to deliver any other personal data that the DATA PROCESSOR has had to collect as a consequence of the rendering of the contracted Services and, if applicable, the records of the consents obtained.

The return shall imply the delivery or making available of the processed data in a format of common use and in such a way that, once its return is completed, the TREATMENT CONTROLLER does not have any dependence on the systems or tools of the TREATMENT CONTROLLER. Likewise, the return shall imply the delivery or making available of the original media, which in turn were delivered or made available by the TREATMENT CONTROLLER on the occasion of the provision of the Service, in which personal data are stored or contained.

Once the return process has been completed, the DATA SUBPROCESSOR shall proceed to the destruction of the data existing in the computer equipment and other media used by him/her for which he/she shall apply the appropriate physical and logical measures to ensure that the data incorporated in the different media are unrecoverable.

Notwithstanding the provisions of the preceding paragraph, the DATA SUBPROCESSOR may keep the data and information processed, duly blocked, in the event that liabilities may arise from its relationship with the DATA PROCESSOR. Once the statute of limitations period for the actions that motivated the conservation of the data has elapsed, the DATA SUBPROCESSOR shall proceed to their destruction in the aforementioned manner.

32

12. SUBCONTRACTING

For the purpose of the provision of the service, the DATA PROCESSOR authorises the DATA SUBPROCESSOR to subcontract the Companies listed in APPENDIX III.

In the event that the DATA SUBPROCESSOR wishes to subcontract other Companies in the future, it must communicate in writing to the DATA PROCESSOR, clearly and unequivocally identifying the subcontracting company, its contact details and, in the case of an international transfer, the legal basis for such a transfer. Prior to any processing activity by these other companies, the DATA PROCESSOR will have a period of 15 days to reject the subcontracting, and in this case the DATA SUBPROCESSOR will have to desist from its intention to subcontract the service or propose a new subcontractor, and in the event of lack of agreement, will be entitled to terminate the contract between the parties. Once the period of 15 days has expired without the DATA PROCESSOR having expressed opposition, it will be understood that the DATA PROCESSOR has accepted the notified subcontractor.

Prior to outsourcing, in the case of subcontracting that involves international data transfers to a country outside of European Economic Area (EEA), unless the transfer is made to a country declared to have an adequate level of protection by the European Commission, it will be the DATA PROCESSOR’s responsibility to assess whether the level of protection required by the GDPR is respected in the third country, in order to determine whether the safeguards can be met in practice, such as the Standard Contractual Clauses or Binding Corporate Rules. In the event that the DATA PROCESSOR considers that the destination country does not meet the appropriate safeguards, the DATA SUBPROCESSOR and the subsequent DATA SUBPROCESSOR shall implement additional measures as set out in APPENDIX IV to ensure an equivalent level of protection stipulated in the GDPR. The DATA SUBPROCESSOR may contact the subsequent DATA SUBPROCESSOR to analyse the legislation of its country and check that it does not affect these additional measures. If the result of the evaluation of the measures is negative and the transferred data do not have a level of protection substantially equivalent to that guaranteed in the European Economic Area, the DATA PROCESSOR may disallow the subcontracting.

In the event that the DATA PROCESSOR authorizes the subcontracting, and except for the use of other guarantees to legitimize the transfer, the DATA PROCESSOR entrusts the DATA SUBPROCESSOR with the formalization, on behalf of the DATA CONTROLLER, of the Standard Contractual Clauses, adopted by the Commission Decision of 5th February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, with the subsequent DATA SUBPROCESSOR, regulating the International Data Transfers necessary for the proper performance of the obligations set forth in this Agreement entered into between the DATA PROCESSOR and the DATA SUBPROCESSOR. The DATA PROCESSOR guarantees that has the mandate from the DATA CONTROLLER to regularize international transfers by means of Standard Contractual Clauses. This mandate will apply to the DATA SUBPROCESSOR carrying out international transfers outside the EEA.

In the event of authorization, the subcontracting Company, which also has the status of DATA SUBPROCESSOR, is also obliged to comply with the obligations set forth in this Agreement for DATA SUBPROCESSOR and the instructions which DATA PROCESSOR has set out for DATA SUBPROCESSOR of the provision of the Service. The DATA SUBPROCESSOR is responsible for contracting with its subsequent Subcontractor under Article 28 of the GDPR, so that the new DATA SUBPROCESSOR is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements that the latter has in the proper processing of the personal data of DATA PROCESSOR and to guarantee the rights of the persons concerned.

In the case of non-compliance by the Subcontractor of DATA SUBPROCESSOR, DATA SUBPROCESSOR shall remain fully accountable before DATA PROCESSOR in all matters relating to fulfilling the obligations.

33

13. RIGHTS OF THE DATA SUBJECTS ON PERSONAL DATA

If an individual owning personal data exercises the rights on data protection before DATA SUBPROCESSOR, DATA SUBPROCESSOR shall work with DATA PROCESSOR or DATA CONTROLLER to address the exercise of the rights of the persons concerned: Rights of access, rectification, suppression, objection, restriction of processing, data portability and not to be subject to automated individual decision-making.

In this respect, DATA SUBPROCESSOR shall immediately transfer the application to DATA PROCESSOR and, without further delay, within three (3) working days of its receipt, to enable DATA PROCESSOR to duly resolve such request. Likewise, it must provide the DATA PROCESSOR with all the information required for the appropriate resolution of the application and implement the changes that may be necessary as a result of the exercise of rights by the concerned party within the legally established periods.

14. OBLIGATIONS OF DATA PROCESSOR

The DATA PROCESSOR is responsible for the following obligations:

● It shall specify the obligations and guarantees that the DATA SUBPROCESSOR shall implement in order to comply with the data protection regulation and DATA CONTROLLER’s requirements.

● It shall allow DATA SUBPROCESSOR the personal data subject to processing in accordance with the GDPR. In this regard, DATA PROCESSOR declares to have informed, and if necessary, to have obtained the consent of DATA CONTROLLER to carry out the present subcontracting.

● It shall carry out the analysis of risks that may result from the processing activity to be subject to control and, on the basis of such analysis, to indicate to the DATA SUBPROCESSOR the technical and organizational measures to be implemented for the provision of the service subject to processing.

● It shall carry out, if necessary, an impact assessment on the protection of personal data from the processing operations to be carried out by DATA SUBPROCESSOR.

● If necessary, it shall consult the appropriate Supervisory Authorities, where appropriate.

● It shall ensure, in advance and throughout the processing, compliance with the GDPR by DATA SUBPROCESSOR.

● It shall oversee data processing carried out by DATA SUBPROCESSOR, including the performance of inspections and audits.

15. LIABILITIES

The DATA SUBPROCESSOR agrees to fulfil the obligations established in this Agreement and in the applicable legislation, in connection with this SCHEDULE.

The DATA SUBPROCESSOR undertakes to keep the DATA PROCESSOR harmless, assuming all liability in relation to any claim, penalty, cost, loss, third party damage or liability incurred by the DATA PROCESSOR arising directly or indirectly from the failure of the DATA SUBPROCESSOR (or its subcontractors) to comply with the obligations set forth in this Schedule and in the regulations in force, in relation to the present processing assignment.

34

Based on the foregoing, the DATA PROCESSOR shall be entitled to charge the resulting amounts to the DATA SUBPROCESSOR, and may proceed to collect them by offsetting the invoices issued by the DATA SUBPROCESSOR against the DATA PROCESSOR for the provision of the service.

Pursuant to the terms of Article 28.10 GDPR and other applicable data protection legislation, if the DATA SUBPROCESSOR breaches the terms of the GDPR by determining the purposes and means of the processing, it shall be considered to be a controller with respect to such processing.

16. ENTIRE AGREEMENT AND MODIFICATIONS.

This Agreement and the appendixes attached thereto constitute the entire and complete agreement between the Parties in relation to the object thereof and supersedes all previous or contemporaneous agreements and negotiations in relation thereto.

This Agreement shall only be modified by means of a written document signed by both Parties.

17. APPLICABLE LAW AND JURISDICTION.

This Agreement shall be governed by and interpreted in accordance with Spanish law.

For the resolution of any issues and controversies that may arise in relation to this Agreement, the Parties submit to the jurisdiction of the Courts and Tribunals in the city of Alcobendas -Spain-, waiving their own jurisdiction that may correspond to them by law.

and with the intention of entering into this agreement, the Parties sign this document in duplicate in the place and on the date specified above.

35

APPENDIX I: PERSONAL DATA SUBJECT TO PROCESSING

CODERE APUESTAS ESPAÑA S.L.

PURPOSE	To provide de services specified in Schedule A
PROCESSING TO BE CARRIED OUT	●    Collection ●    Registry ●    Structuring ●    Conservation ●    Consultation ●    Communication by transmission ●    Destruction ●    Conservation
PURPOSE OF PROCESSING	●    Customer, accounting, fiscal and administrative management ●    Advertising and commercial prospecting ●    Security and control of access to buildings ●    Statistical, historical or scientific statistics
DATA TYPE	●    Identification data ●    Personal characteristics ●    Commercial information ●    Transactions in goods or services
DATA OWNERS	●    Employees ●    Customers and users ●    Suppliers

36

CODERE NEWCO S.A.

PURPOSE	To provide de services specified in Schedule A
PROCESSING TO BE CARRIED OUT	●    Collection ●    Registry ●    Structuring ●    Conservation ●    Consultation ●    Communication by transmission ●    Destruction ●    Conservation
PURPOSE OF PROCESSING	●    Customer, accounting, fiscal and administrative management ●    Advertising and commercial prospecting ●    Security and control of access to buildings ●    Statistical, historical or scientific statistics
DATA TYPE	●    Identification data ●    Personal characteristics ●    Commercial information ●    Transactions in goods or services
DATA OWNERS	●    Employees ●    Customers and users ●    Suppliers

37

APPENDIX II: SECURITY MEASURES

1.1. It is Parent Group´s policy that the following information security practices are established, managed, and maintained by any vendor that has access to Company’s information assets, without exception.

Definitions regarding Information Security requirements

2.1. “Agent” means anyone who, through an agency or contractual relationship, has the authority to view, host, store, process, transmit, print, endorse or destroy Company’s Information assets.

2.2. “Contract” means the contract between Provider and Company, to which this document is attached.

2.3. “Client” is defined as the Company entity involved in the Agreement to which this document is attached.

2.4. “Company Information Assets” are information assets owned or controlled by Company, including without limitation, all information and data provided by Company to the Supplier in any form (excluding any information categorized as public use or that Company provides written permission for disclosure).

2.5. “Information security” is defined as protection against the loss of confidentiality, integrity and availability of information assets.

2.6. “Breach of information security” is defined as an unauthorized act that does not comply with or violates Company’s information security measures set forth in this Annex regarding Company’s information assets. It also covers the unauthorized use or disclosure of, or unauthorized access or acquisition of, Company’s information assets.

2.7. “Information security program” is defined as the collection of policies, standards, procedures and controls, taken together and implemented by Company or the Supplier, designed to protect the confidentiality, integrity and availability of information assets.

2.8. “Information security vulnerability” is defined as a weakness in information security controls that could be exploited to gain unauthorized access to Company’s information assets.

2.9. “Physical Security” or “Physically Guaranteed” is defined as the protection of information in printed form against loss, unauthorized acquisition, access or disclosure during production, storage, distribution, use or destruction. It also covers the protection of hardware, infrastructure and information technology facilities, as well as the energy or environmental control utilities used in data processing operations to protect against damage, destruction or misuse of information assets.

2.10. “Supplier” is defined as any third party that sees, hosts, stores, processes, transmits, prints, backs up or destroys any Company information asset. It includes all parties, including Agents that Provider may hire to store, transmit, process or destroy any Parent Group´s information asset acting on behalf of Provider.

Government

3.1. The contract must detail at least the object, scope, development, support and termination of the service that Provider provides to Company.

3.2. Whether or not to allow the supplier to exploit Company’s image, information and experience for the promotion of its products and/or services, or for any other purpose, clearly establishing the agreed bases and conditions.

38

Organization’s roles and responsibilities

4.1. Provider´s organization roles and responsibilities must include a chief information security officer, or a comparable role assigned to one of Provider´s managers or senior management to be responsible for the establishment, administration, and maintenance of an information security program. The information security program must include, at least, the practices described in this Annex or the equivalent of those practices described in this Annex.

Non-Disclosure of Company Information Assets

5.1. Provider ytech acknowledges that unauthorized release or misuse of information assets may cause damage to Company’s and Provider´s reputation. Provider will not, and will cause its employees and Agents involved in providing services to the Company not, take any action or omission that may result in unauthorized release or misuse of Company’s information assets. Any suspicion or act of breach of information experienced by Provider with Company’s information assets must be reported in writing by Provider to Company within twenty-four (24) hours of its detection and within the time limit specified by the laws and regulations applicable to the notification of security breaches.

Information Security Framework and Right to Audit

6.1. Provider´s information security program should conform to an international standard such as “Code of Practice for Information Security Management” (ISO/IEC 27002) or Cybersecurity Framework (NIST). In addition to the standards listed here, Provider´s information security program must include the practices described in this Annex Provider ´s information security program must be reviewed annually or if there is a material change in business practices that may involve a change in the established security policy.

6.2. Provider must have a Security Regulatory Framework, which must include a penalty code for when breached, thus affecting services offered to Company.

6.3. Provider will grant Company, or a third party on Company’s behalf, permission to conduct an audit or assessment of Company´s compliance with the requirements of the Information Security Program. Clauses should be established to regulate:

6.3.1. The execution of future security reviews by Company, or a third party on behalf of Company, with the ability to perform reviews discretionary manner, without restrictions and without the need for prior notice. For this purpose, Provider will provide the necessary tools, users, privileges and access

6.3.2. The delivery to Company of documentation resulting from audits carried out by the supplier or by third parties.

6.4. Company may carry out audits and reviews as it deems appropriate, at its sole discretion. for the following aspects, without limiting the verification of others that may be considered necessary:

6.4.1. Provider´s Business Continuity Plan (BCP) and Provider´s Disaster Recovery Plan (DRP) pertaining to or affecting the Company service, including the BCP procedures as well as the results of tests performed, prior to entry into production and at least annually, and after any contingency or natural disaster.

6.4.2. Legislative, normative and regulatory compliance applicable within the scope of the service.

6.4.3. Risk management process.

6.4.4. Incident and change management process.

6.4.5. Security testing (SDLC, vulnerabilities or penetration tests).

6.4.6. Security guidelines for the bastioning of systems.

39

6.4.7. Audits or forensic analysis of systems, databases and operating systems that host Company’s critical applications, in a discretionary manner, without restrictions and without the need for prior notice. For this purpose, Provider will provide the necessary tools, users, privileges and access.

6.5. Provider agrees to cooperate faithfully without reservation with Company and its personnel, and any third party duly involved in accordance with the audit to act on its behalf, providing the necessary and reasonable information and assistance for the full and prompt performance of the audit. In the event that an auditor exceeds the limits of the evaluation, Provider shall notify Company of this fact.

6.6. If the findings of the audit are considered by Company to be incompatible with the provision of the service, the entity reserves the right to terminate the contractual relationship unilaterally and at no cost to the entity.

General Information Security Requirements

7.1. Provider must provide a totally separate environment for Company, isolated from other customers/suppliers.

7.2. Provider ensures that there is adequate separation of duties for all work functions and roles performed by its employees and suppliers to ensure that no individual, within or outside of Provider´s organization, has conflicting obligations that could endanger Company’s information assets.

7.3. Assets are not disclosed in any way to anyone without a legitimate business need and without prior written authorization from Company.

7.4. It is prohibited to store any kind of information with real data owned by Company on removable user storage devices (Pendrive, hard disk, etc.) or workstations of Provider, unless expressly authorized by Company.

7.5. Access to all Company information assets must:

7.5.1. Provider must manage all administrators access with a Privileged Access Management (PAM).

7.5.2. Each access must be recorded and must be sent to Company’s SIEM

7.5.3. Adhere to the principle of minimum privilege, ensuring that only the minimum level of access necessary for a given position is granted to employees of Provider and its suppliers;

7.5.4. Restricting access to only authorized personnel who have a valid business need that justifies such access.

7.6. The IT services used to view, host, store, process, transmit, print, backup or destroy Company information assets comply with the principle of “minimum privilege”, ensuring that only the minimum level of access necessary to perform the processing is granted to these IT services.

7.7. Confidentiality clauses are defined, with the security requirements that the service provider guarantees as established by the Company Regulatory Body, included in the Entity’s contractual agreement.

7.8. Provider retains all system records which store confidential information for a mutually agreed period of time and allows reasonable access to such records by Company.

7.9. Provider assumes as part of the service the correction of the vulnerabilities that are detected, as well as the implementation of solutions to them.

7.10. Non-Company hardware and software must not allow connection or interaction with the Company company network without:

7.10.1. A risk assessment with the necessary scope, including identification of existing and compensatory controls based on the requirements within this Annex;

7.10.2. Verification of the implementation of the controls identified in the risk assessment;

7.10.3. Obtained Company Security Officer approvals.

40

7.11. Users of the Supplier must not be permitted to install their own personal software on Company Information Assets.

7.12. Company’s sensitive information may not be copied onto databases, laptops, portable memory units and other similar devices. If there is a request from Company, industry standard encryption technology must be used which fully protects the storage and transmission capabilities of these devices against unauthorised access.

Human Resources Management

8.1. The following administrative requirements must be implemented by Provider at the time Company’s information assets are stored, processed, transmitted or destroyed; except as required for compliance, litigation or legal or regulatory purposes.

8.2. Provider must follow a documented method or procedure governing the creation, suspension, cancellation, modification and deletion of user accounts for its employees.

8.3. During employment or during contract:

8.3.1. Provider must include information security requirements within job descriptions or other written documentation for Provider´s employees whose job roles will have access to Company’s information assets;

8.3.2. Provider maintains an information security awareness and training program for its employees to ensure that employees are aware of their responsibility to protect and maintain the confidentiality and security of Company’s information assets.

Network security

9.1. Company may end any network or other remote connection with Provider at any time without notice if such connection is suspected or confirmed to be unsafe.

9.2. Company’s information assets must not exist on any computer or device that is directly exposed to Internet or any other network other than Provider´s, unless authorized in writing by Company.

9.3. Provider will establish and maintain appropriate controls for its interfaces and electronic connections between its own systems and those of others (“Remote Connections”) using industry standard practices.

9.4. The devices meet the following requirements to protect against asset compromise:

9.4.1. The devices employ an anti-virus and file integrity checking system with:

a. A method to update antivirus definition information so it is always up-to-date;

b. Enable real-time antivirus scanning of system activity, including all files and memory;

c. Weekly antivirus scanning of all files and directories;

9.4.2. Devices must use up-to-date system software, including, but not limited to, updated system software patches and security updates.

41

9.5. Provider´s networks must have firewalls deployed at the network perimeter to deny incoming network traffic and only allow appropriate access outside the network to Internet and other Provider´s applications and systems that display, host, store, process, transmit, print, backup or destroy Company’s information assets must be logically segregated from other systems on Provider´s internal network by using an appropriate firewall or proxy-based architecture or similar, which will disallow unauthorized connections inside and outside Company’s information assets.

9.6. Wireless network access points must be configured to ensure that only authorized Provider´s devices can establish a connection to Provider´s internal network where Company information assets are displayed, hosted, stored, processed, transmitted, printed, backed up or destroyed. In addition, established wireless network connections must use industry best practices for encryption and other appropriate safeguards designed to protect against unauthorized access and use.

Classification and management of information assets

10.1. Provider classifies and monitors its information assets to indicate ownership, custody and degree of sensitivity consistent with Company’s information asset classification to ensure that Company’s information assets receive an appropriate level of protection from Provider. Provider’s information asset classification repository inventory must be maintained and updated. The recommended classifications are the following:

10.1.1. Non-Confidential Business Data (Internal Use) and Public Information Assets (Public).

a. “Non-confidential business data” means all information assets that Company determines are not sensitive or confidential as defined below;

b. “Public Information” refers to all Information assets that are publicly sourced or provided by Company to the general public; Examples include periodicals, public newsletters, published company information, published press releases, etc.

10.1.2. Company proprietary and confidential information assets (confidential)

a. “Confidential” or “Company proprietary” refers to information assets that are internal to Company, although they may be shared with Provider under the terms of the Agreement, and are not considered by Company to be public information; examples of this type of asset (not limited to) are non-public financial information, marketing plans, passwords and encryption keys, personal customer information (such as personally identifiable information, personal financial information or personal protected health information), product designs, customer records and correspondence, and other information or data which, if disclosed without proper authorization, could result in competitive disadvantage or responsibility or loss to Company.

10.2. For records that comply with legal retention requirements, retention periods must be established, and properly maintained, by the Supplier. In addition, Company may provide specific retention requirements that the Provider will apply, including, but not limited to, retention for litigation, legal or regulatory purposes.

10.3. The destruction of Company’s information assets must be carried out in accordance with the Supplier’s records management program. Before a workstation or server is reused, decommissioned or returned to the leasing Supplier, destruction methodologies must be performed in a secure manner so that the information cannot be read or recreated after deletion. The Provider is encouraged to comply with guidelines provided by the National Association for Information Destruction (NAID), which can be found at http://www.naidonline.org. The Supplier must also consider the impact of the disposal on the environment.

Physical security

11.1. Access to Company´s confidential information assets is controlled to protect the confidentiality, integrity and availability of Company confidential information assets with appropriate administrative, logical and physical safeguards, including, but not limited to:

11.1.1. Locking of access doors to the Provider’s offices and data processing centers;

42

11.1.2. Secure storage devices;

11.1.3. Secure destruction of information assets, in a timely manner.

11.2. Physical entry to Provider premises must be controlled in such a way that unauthorized entry is prevented, detected and reported to the appropriate Provider personnel immediately. All points of entry and exit must be secured, recorded and monitored to ensure that only authorized personnel can enter Provider ‘s buildings and secure areas.

11.3. When Provider uses ID cards or similar tokens for its employees and Agents, there must be a documented process, along with supporting procedures, to ensure that lost credentials and tokens are disabled immediately upon notification of loss.

11.4. When an employee of Provider or other Agent terminates his employment or contractual relationship, procedures must be in place to ensure that identification credentials are immediately disabled.

11.5. All Company´s information assets, in the possession of Provider, must be physically secured in an access-controlled area, in a locked room, or in a secure storage container or filing cabinet.

11.6. Company’s Information assets may not be moved or removed from Supplier’s premises without the written consent of Company and the written authorization of Supplier’s management.

11.7. The printing of information with real data owned by Company that has not been previously authorized by the Cybersecurity Directorate is not allowed under any circumstances.

11.8. All Company’s information assets, together with the Supplier’s information assets used to provide services to Company, must be protected to minimize the risk of physical and environmental threats that could compromise the confidentiality, integrity and availability of the information assets.

11.9. Physical access to computer or electronic device sessions must be secured when a user who is actively connected to the session is not physically present to monitor the activity and display of information assets displayed in that session. Examples of physical controls include, but are not limited to:

11.10. Using screen savers that block the screen and keyboard access after a short period of inactivity;

11.11. Manual keyboard lock;

11.12. Physically securing the office where the computer is located;

11.13. Placing the monitor away from an unauthorized display.

Background information

12.1. Adequate backup facilities must be provided to support the recovery of Company´s information assets in accordance with Company’s disaster recovery requirements and records retention schedules. Minimum requirements include:

12.1.1. Mediums containing backup copies of Company’s proprietary and confidential information assets must be encrypted using industry standard methods to hide these information assets from unauthorized access;

12.1.2. The back-up storage medium used to store Company’s information assets must be a type determined by the Supplier to be appropriate for the confidentiality and retention requirements of the data it will contain;

12.1.3. As it is essential that the back-up storage mediums are machine-readable if they are to be used for restoration and recovery operations, random tests of the restoration process should be carried out periodically;

43

12.1.4. Backups of Company´s information assets, together with complete and accurate records of the backups, must be stored in a physically protected off-site location as a measure of protection against total loss of information assets in the event of a system failure or disaster;

12.1.5. Company´s information assets must be backed up in line with disaster recovery requirements. This backup program includes at least weekly full backups, daily incremental backups, quarter-end backups, and year-end backups;

12.1.6. No more than one (1) full and incremental backup of the subsequent six (6) days may be stored at the Supplier’s production facility at any one time. All copies not in this range must be outsourced.

System event logging, monitoring and reporting

13.1. Provider´s computer and network systems used to provide services to Company must record significant events including, but not limited to, the following:

13.1.1. Unauthorized attempts to access the information assets of network customers or a supplier must be captured and recorded securely to assist and ensure error management and forensic needs;

13.1.2. Records must be configured or protected in such a way that they cannot be viewed or altered by anyone without authorization, including those with administrative privileges, unless such access is also recorded in an inviolable manner;

13.1.3. Records of failed network connection attempts and unsuccessful access to Information Assets must be reviewed regularly to detect and act appropriately on anomalous and suspicious system access attempts;

13.1.4. The firewall and IDS / IPS records are monitored in real time. Server logs are reviewed as needed in case of investigation;

13.1.5. When suspicious or unusual activity is detected during a review of the above records, it should be reported as directed by approved event control procedures aligned with Information Security Incident Response plans.

13.1.6. System, operating system and Database records where Company customer information is stored must be activated,

13.1.7. All logs must be sent to Company for consolidation and correlation in SIEM.

13.1.8. The information must be stored for at least 10 years.

Logical access

The service must employ at least the following requirements:

14.1. Provider manages (authorization, modification and/or deletion) the access permissions only to that information and resources needed for the provision of the service. The authorizations of any person to the information processes must be immediately cancelled when they do not require the authorizations for their professional performance and/or their contractual relationship ends.

14.2. Any management of privileged users must be authorized by Company.

14.3. Provider must manage all administrators access with a Privileged Access Management (PAM). All accesses must be recorded.

14.4. Provider protects privileged access by using technological solutions and/or by activating the use of two-factor authentication.

44

14.5. Provider ensures that its users use the user ID and password in a personal and non-transferable manner. The use of the user ID and password by persons other than those to whom they have been assigned is expressly prohibited.

14.6. Provider keeps a record of access to its systems, detailing at least: User identification (unambiguous and personalized by name, surname and ID), Date and time of access, Information accessed or requested, Type of access, and whether it has been authorized or denied.

14.7. The password settings for each user account are configured using the following minimum settings:

14.7.1. A minimum of eight (8) characters in length and containing at least three (3) of the following four (4) types of characters:

a. capital letters;

b. lowercase;

c. numeric characters;

d. special characters (for example, $, @, Etc.).

14.7.2. The expiry of the password is set as follows:

a. Configured to automatically require password changes, at most every thirty (30) days, for user accounts and any system accounts where the setting does not impact the processing of productive information.

b. If the automatic expiration of a system account could cause the risk of production process interruption, password changes can happen manually with the following alternative controls in place:

I. The system account is assigned a single owner who is ultimately responsible for the disposition and use of the account and password;

II. The system account is configured with advanced complex password creation rules (for example extended password length, hashing algorithms, etc.);

III. The system account is limited as much as possible to allow connection of capabilities only to computers and/or services required;

IV. The system account is manually changed to the staff rotation at the earliest available time so as not to affect processing;

V. The system account complies with all other requirements of this Annex.

14.8. The text of the network password is stored in an encrypted format in the user identity database and is unreadable during transmission and storage.

14.9. Passwords are changed immediately if they are found to be revealed or discovered by unauthorized parties.

14.10. Provider´s systems are configured, if technically possible, to disable user sessions after a reasonable period of inactivity, based on business risk.

45

Database / Systems Security

15.1. Provider must have a technological solution for the protection of information at the database level or must activate database auditing in order to audit all access.

15.2. Provider must apply database-level obfuscation techniques to protect all Company data in non-productive environments,

15.3. Provider may implement additional and/or stronger logical access safeguards at its discretion, provided that such additional controls do not neutralize or deny the effectiveness of existing controls for Company’s information assets.

15.4. Provider has an appropriate logical architecture in its applications, which restricts access to the backend of the applications and databases, which are not published on the Internet and have some additional security measures.

15.5. Provider has an encrypted backup of all databases containing Company´s information and related to the service provided.

15.6. All accesses must be recorded.

Software development

16.1. Application and system development should follow a defined and documented Software Development Life Cycle methodology (“SDLC”) that includes a preliminary review of information security requirements to ensure at least the following:

16.1.1. Vulnerability testing must be performed to ensure that common security weaknesses are detected and corrected before they are implemented.

16.1.2. There must be separate physical or logical divisions separating the development, testing, certification, and production environments;

16.1.3. The use of data within non-production environments must comply with at least the following:

a. No tests of any kind will be made with real data. For testing purposes, data extracted from production environments that have been previously processed and made anonymous by Company must be used, so that it is not possible to identify persons, services or any other sensitive data.

b. If Company´s information assets are used, the same controls must exist as in the production environment;

c. Handling and destruction of sensitive data must be treated with the same level of confidentiality as if it were production;

16.1.4. Web-based applications exposed to the Internet must ensure that vulnerability testing is performed to ensure that the most common vulnerability weaknesses based on industry best practices are identified and remedied to prevent them from being exploited in a way that could lead to the unauthorized access or disclosure of Company Information Assets;

16.2. All software developed by Provider to support Company´s service:

16.2.1. Is developed in accordance with acceptable industry safety standards (e.g. OWASP, SANS, NIST);

16.2.2. Does not contain undocumented features;

16.2.3. Does not contain hidden mechanisms that could be used to compromise any information asset;

46

16.2.4. Shall not compromise, require modification, or undo controls previously implemented within the operating system or support critical systems with which one interacts.

16.3. In the event that risk mitigation and/or new functionalities are agreed with the supplier through additional developments, such agreement must be included in the contract.

Management of technical vulnerabilities

17. Provider agrees to correct technical vulnerabilities in accordance with the SLA out in Annex III.- Service Level Agreements.

Response to Information Security Incidents and notification of security breaches

Provider must establish and maintain a documented information security incident response program that includes:

18.1. Any Provider information security breach involved in any of Company’s Information assets must be reported to the Client at the time of detection. Thereafter, Provider, at its own cost and expense must:

18.1.1. Communicate without delay to Company all details of the information security breach, in accordance with Annex III. - Service Level Agreement;

18.1.2. Take immediate action to remedy the security information gap in accordance with applicable privacy laws and regulations;

18.1.3. Cooperate with Company to determine: (1) whether to communicate to individuals, regulators, law enforcement agencies, data protection agencies, or others as required by law or regulation, or at Company’s discretion; and (2) the content of such communication or any remediation that may be offered to the persons concerned, and the nature and scope of such remediation.

18.1.4. Use its best efforts to prevent a recurrence of such Information Security breach;

18.1.5. Assist and cooperate fully with Company in Company’s investigation of the information security breach, as well as the collaboration of Provider´s employees, contractors, subcontractors or third parties related to the Provider´s Information Security breach;

18.1.6. Cooperate with Company in any litigation or formal action against third parties considered necessary by Company to protect its rights and the rights of its customers and users;

18.1.7. Nothing herein shall prevent Company from taking any action required by law, including notifying appropriate law enforcement agencies.

Business Continuity

19.1. Company may require, when it deems it appropriate, to Provider the Business Continuity Plan (hereinafter referred to as BCP) in which the service provided to Company is contemplated and the security of the information owned by Company that Provider deals with for the provision of the service is guaranteed. In this case, the Provider must guarantee the required levels of availability. It is Provider´s responsibility to test and update the PCN regularly. Both the PCN and the result of the execution of the tests associated to the PCN, must be sent to Company.

19.2. The Business Continuity Recovery Objective Point (“RPO”) and the Recovery Time Objective (“RTO”) are discussed and agreed with Company and are proportionate to the performance of the Agreement. This is done to ensure the resilience of Provider and the subsequent commitments to do so meet Company’s business requirements. These are set out in Annex III - Service Level Agreement.

19.3. Supplier or agent must maintain a documented Business Continuity and Disaster Recovery Plan (BCP/DRP), which, at a minimum, must:

19.3.1. Govern and define the objectives and actions required during a BCP/DRP event;

19.3.2. Have copies of documentation on disaster recovery and business continuity procedures available to the Client outside the office where the Supplier’s activity takes place, so that the Client has access to this information after a disaster;

47

19.3.3. Define and document the business continuity processes and procedures that enable the Supplier to carry out the necessary actions to maintain critical business functions after a disaster;

19.3.4. Define and document information asset recovery procedures that enable Supplier to recover Client information assets in a consistent way with business continuity requirements (RPO and RTO);

19.3.5. Give priority to the recovery of the activity on the basis of a documented inventory of the Client’s information assets in accordance with what has been established and agreed (RPO and RTO);

19.3.6. Define and document a formal communication plan that notifies any invocation of the BCP/DRP affecting Client´s information assets within twenty-four (24) hours of its occurrence or activation.

Encryption

20.1. Provider must use industry standard encryption algorithms and key length to protect the confidentiality and integrity of Company´s sensitive data.

20.2. Provider will protect encryption keys from loss or unauthorized access/use.

Cyber Policy

21.1. Provider must have a cyber - policy that can cover damage generated by a cyber-incident.

48

APPENDIX III: PROVIDERS

CODERE APUESTAS ESPAÑA S.L.

Company name and tax identification of the provider¹ Subcontracted service ² Provider´s location ³ Guarantee required by the GDPR in case of international data transfer ⁴

CODERE NEWCO S.A.

Company name and tax identification of the provider Subcontracted service Provider´s location Guarantee required by the GDPR in case of international data transfer

¹ Any provider subcontracted by the DATA SUBPROCESSOR who may have access to the personal data under the responsability of CODERE should be included.

² Service subcontracted by the DATA SUBPROCESSOR that may involve access to personal data under the responsability of CODERE.

³ If data processing is carried out at a different location from the provider's location, please indicate. For example, Cloud services at Microsoft, hosting services at AWS.

⁴ Applicable only when the provider is located outside the European Economic Area. e.g. standard contract clauses, binding contract rules, adequacy decision

49

APPENDIX IV

ADDITIONAL MEASURES TO ENSURE AN ADEQUATE LEVEL OF PROTECTION IN CASE OF TRANSFER OF DATA TO COUNTRIES WITHOUT AN ADEQUACY DECISION BY THE EUROPEAN COMMISSION

1. Technical Measures:

a. For those services that do not require access to readable personal data (e.g. data storage service for back-ups), proceed to the encryption or pseudo-anonymization of personal data before transfer to the third country. The key for the decryption of the information will be stored by the Data Exporter.

b. Proceed to the encryption or pseudo-anonymization of the personal data, prior to its transfer to the third country. The key for the decryption of the information will be stored by the Data Importer, ensuring the adoption of technical and organizational measures to prevent unauthorized access.

2. Organizational Measures

a. Update the Exporter’s register of international transfers in order to identify all cross-border data flows, reviewing the appropriate safeguards adopted in each case.

b. Minimize the volume of personal data transferred outside the EEA or transfer only the data necessary to carry out the service.

c. Request from the Importer transparency reports or summaries regarding governmental requests for access to data and the type of response provided, to the extent that publication is permitted by local law. In the event that the supplier is unable to provide the detailed information, it should use best efforts to share statistical or aggregated information.

d. Conduct regular compliance checks and audits to demonstrate proper compliance with the principles of data minimization and proportionality in the context of international data transfers.

e. Properly document the prior analysis of each international transfer of personal data taking into consideration among others: definition of local regulations that allow local authorities to access the personal data transferred; definition of the type of data and categories of data subjects concerned; analysis of the questionnaire sent to the Importer prior to the transfer and the proposal of the measures provided by the Importer to protect personal data imported from the EEA from disproportionate access by local authorities.

3. Contractual measures:

a. Question, whenever possible, the scope and justification of any request or requirement for information from local authorities that could compromise the confidentiality of imported personal data, requesting the suspension of access until the resolution of their objection.

b. To invoke clause 5 of the Standard Contractual Clauses (2010/87/EU) or the analogous clause in the BCRs before the exporter of personal data, informing about the impossibility of duly complying with its obligations, providing all the information allowed under local regulations.

c. Depending on the circumstances, make the transfer conditional on the adoption of appropriate technical measures, collaborating with the Exporter of the processing of personal data in the design and implementation of such measures.

d. The Importer’s commitment not to intentionally create backdoors or similar architecture in order to facilitate access to imported personal data by the authorities; not to intentionally create or modify its business processes in order to facilitate access to imported personal data by the authorities; and to inform about the obligations imposed by local regulations to create backdoors or facilitate access to imported personal data or to provide the key for its decryption.

e. Strengthen the Exporter’s auditing power, in order to verify whether the personal data under its responsibility could have been accessed by public authorities.

f. Incorporate the obligation of the importer to actively monitor any regulatory development that may determine the impossibility of providing the level of protection essentially equivalent to the European level and to invoke, within 48 hours, clause 5 of the Standard Contractual Clauses (2010/87/EU) or the analogous clause in the BCRs before the exporter of personal data, informing about the impossibility of duly complying with its obligations, as a consequence of such regulatory change.

g. Obligation to assist the data subject in exercising his or her rights in the local jurisdiction through ad hoc redress mechanisms and legal advice.

h. In any case, provisions allowing for the suspension or termination of transfers at the request of the exporter with the assumption by the importer of the damages caused to the exporter as a consequence of such suspension.

50

APPENDIX V

REGULARIZATION OF THE INTERNATIONAL DATA TRANSFER BY STANDARD CONTRACTUAL CLAUSES

In relation to this Standard Contractual Clause, it is stated that the DATA PROCESSOR has express authorization from the DATA CONTROLLER to carry out the formalization of this clause on its behalf.

Due to the Standard Contractual Clauses signed between DATA PROCESSOR and the DATA SUBPROCESSOR corresponds to the established by the COMMISSION DECISION of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, in accordance with Directive 95/46/EC of the European Parliament and of the Council, and given that REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) renders that Directive null and void:

● Decisions adopted by the Commission pursuant to Article 25(6) of Directive 95/46/EC shall remain in force until they are amended, replaced or repealed by a decision of the COMMISSION adopted pursuant to Article 45(3) or (5) GDPR.

● The Standard Contractual Clause shall be interpreted on the basis of the provisions of the regulations in force; REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 .

● In application of Article 45(9) GDPR, the DATA PROCESSOR and the DATA SUBPROCESSOR undertake to subscribe to and adopt the updates of the Standard Contractual Clauses that the COMMISSION may publish from now on, provided that they would imply the repeal or termination of validity of the Standard Contractual Clauses adopted by the COMMISSION DECISION of February 5, 2010, or that any of the parties so requires.

STANDARD CONTRACTUAL CLAUSES

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

The entity exporting the data is identified in the Preamble of this contract as the Data Procesor, entrusted by the Data Controller.

(the data exporter)

And

The entity importing the data is identified in the Preamble of this contract as the Data SubProcessor.

(the data importer)

each a ‘party’; together ‘the parties’,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

51

Clause 1 Definitions

For the purposes of the Clauses:

a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

b) ‘the data exporter’ means the controller who transfers the personal data;

c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2. Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3. Third-party beneficiary clause

a) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

b) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

c) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

d) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

52

Clause 4. Obligations of the data exporter

The data exporter agrees and warrants:

a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

e) that it will ensure compliance with the security measures;

f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension

h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5. Obligations of the data importer

The data importer agrees and warrants:

a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

53

c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

d) that it will promptly notify the data exporter about:

a. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

b. any accidental or unauthorised access; and

c. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent

i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6. Liability

a) The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

b) If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

c) If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

54

Clause 7. Mediation and jurisdiction

a) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

a. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority

b. to refer the dispute to the courts in the Member State in which the data exporter is established.

b) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8. Cooperation with supervisory authorities

a) The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

b) The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law

c) The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9. Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely Spain

Clause 10. Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

d) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (3). Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

e) The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

f) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely Spain

g) The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

55

Clause 12. Obligation after the termination of personal data-processing services

a) The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

b) The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Signatures appended to the body of this contract

On behalf of the data importer:

Signatures appended to the body of this contract

56

Annex 1. to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Parties:

Data exporter is described in the Preamble of this Agreement as DATA PROCESSOR

Data Importer is described in the Preamble of this Agreement as DATA SUBPROCESSOR

Data subjects:

The personal data transferred refers to the categories of data subjects identified in Appendix 1 of this Agreement. Categories of data

The personal data transferred concern the following categories of data:

The personal data transferred refers to the categories of data identified in Appendix 1 of this Agreement, including special categories of data, if applicable.

Processing operations:

The personal data transferred shall be subject to the basic processing operations described in Appendix 1 of the present Contract

On behalf of the data exporter:

Signatures appended to the body of this contract

On behalf of the data importer:

Signatures appended to the body of this contract

Annex 2.to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The Data Importer shall implement the security measures described in Appendix 2 of this Agreement to ensure the continued confidentiality, integrity, availability and resiliency of the processing systems and services.

On behalf of the data exporter:

Signatures appended to the body of this contract

On behalf of the data importer:

Signatures appended to the body of this contract

57