INTERNATIONAL INTEGRITY AGENCY PRIVACY POLICY

WHO ARE THE ITIA AND WHAT DO WE DO?

The International Tennis Integrity Agency Ltd ("ITIA", "we", "us", “our”) is the dedicated anti-corruption unit for professional tennis and is charged with enforcing the sport's zero tolerance policy towards gambling related corruption world-wide.

The ITIA is a private limited company based in Roehampton, London and is operationally independent from the sport of tennis. The ITIA’s members are: ATP Tour, Inc. ("ATP"); the International Tennis Federation ("ITF"); the Women's Tennis Association ("WTA"); and the Board (being Australian Open, Roland-Garros, US Open and, in the case of Wimbledon, a joint Committee of Management consisting of AELTC) (the "Grand Slam Board") (together, the “Governing Bodies”). The ITIA reports to the Tennis Integrity Supervisory Board (“TISB”), which comprises a senior representative from each of the Governing Bodies and the Grand Slam Board, together with five independent directors. The ITIA liaises with the TISB in respect of its day to day functioning.

This function was previously carried out by the Tennis Integrity Unit (“TIU”). The TIU has been subsumed within the ITIA (effective from 1 January 2021) but shall continue to operate only for the limited purpose of completing certain ongoing matters that commenced prior to 1 January 2021, primarily to investigate and prosecute active investigations and/or claims under the Tennis Anti-Corruption Program (“TACP”). All data previously held and used by the TIU has now transferred to the ITIA and will be used for the same purposes, as set out herein. As well as the TISB, the TIU liaises (including by sharing personal data) with the Professional Tennis Integrity Officers (“PTIOs”) (who have been appointed by members of the TISB, although this role shall no longer exist in relation to new investigations commencing on or after 1 January 2021) in respect of its day to day functioning.

For the purposes of the General Data Protection Regulation (EU) 2016/679 or “GDPR”, the UK GDPR and the Data Protection Act 2018 (and all other laws that apply from time to time relating to the use of your personal data), the ITIA is the “controller”, meaning that we are responsible for deciding how your personal data is used and more importantly, for keeping your data safe and only using it for legitimate reasons. We are committed to protecting your privacy and will take all steps necessary to comply with our legal obligations when collecting and using your personal data. This Privacy Policy explains how we fulfil this commitment, so please read this carefully.

WHAT THIS PRIVACY POLICY TELLS YOU

1. Who we collect personal data about;
2. What types of personal data you provide to us when using the www.itia.tennis website (the “Website”), when you use our app or when you otherwise directly interact with us on other occasions. We also explain what types of personal data the ITIA may collect from you or receive about you from third parties;
3. How and why we use this data and the reasons we are legally allowed to do so;
4. Who we share your data with;
5. How long we keep your data for and how we keep it secure;
6. Information in relation to overseas transfers of your data;
7. Links to third party websites;
8. Your rights over your data and how you can exercise those rights;
9. Who our European representative is in relation to data protection matters in the European Economic Area and how to contact them; and
10. How to contact us if you have any issues or want to find out more.

When we refer to “personal data” in this Privacy Policy, this covers any information from which you can be personally identifiable (whether directly or indirectly). This might include things like your name, email, date of birth, address, phone numbers, online identifiers and device IDs, financial information, certain special categories of data (such as your religious beliefs, health related data, ethnicity, political opinions, sexual history etc.) and data relating to your criminal convictions and offences.

If we update our Privacy Policy, we will post any changes on our Website and through our app.

WHO DO WE COLLECT PERSONAL DATA ABOUT?

We collect personal data about “Covered Persons” and “Related Persons” (as defined in the TACP), including tennis players, people transmitting data to facilitate betting (‘courtsiders’), gamblers and other people in the tennis community, including tournament officials, coaches, physiotherapists, match supervisors, umpires, media representatives and other individuals who have obtained accreditation for the purposes of attending a professional tennis match or other competition organised, sanctioned or recognised by any of the Governing Bodies as a player guest or as tournament support provider (“Event”); individuals who are connected with a “Covered Person” in respect of whom there are reasonable grounds to suspect they have breached, are breaching, and/or intend to breach the TACP, including people placing bets or wagering on an Event; and persons who may pose a threat to the integrity of the sport of tennis and/or an Event, may have knowledge concerning the corruption of an Event, or may have solicited or intend to solicit an individual bound by the TACP.

We may also collect information about other individuals who have directly interacted with us as part of an investigation (e.g. witnesses), people who have downloaded a copy of the TACP or who otherwise browse or use our Website or app and business contacts of the ITIA.

WHAT PERSONAL DATA DO WE COLLECT AND HOW?

Data which you provide directly to us:

You may provide personal data directly to us:

• When you sign-up to, access and use the Tennis Integrity Protection Programme (“TIPP”), which personal data may include your name, date of birth, nationality, email address, password, WTA, ITF or ATP player portal log-in details and International Player Identification Number (“IPIN”).
• When you download a copy of the TACP, which personal data shall be your name and email address.
• In the context of an anti-corruption investigation where we may request personal data from you, including (but not limited to) telephone records, bank details and credit card transactions. We will also obtain other personal data about you from a recorded interview with you.
• If you communicate directly with us, whether that is by email, phone, the Website, our app or if you send us a letter.
• If you make a complaint or grievance to the ITIA.
• When you attend an education workshop, conference or seminar organised by the ITIA, which personal data may include registration information such as your name, address and other contact information.

Data which the ITIA collects itself or receives from third parties:

The ITIA collects and receives personal data about you through various different methods and third party sources including, without limitation:

• Where you are subject to an investigation, we may extract information from your devices.
• We may collect personal data from 'open source' media (e.g. Facebook, Twitter etc.) relating to players and other individuals of interest in the context of investigating alleged corruption.
• Player information that is publicly available from Governing Body websites, for example player photographs and statistics.
• Information about players' match performance, physical fitness and ability, which we may receive from tournament officials, open source information, tournament physiotherapists/doctors.
• We may receive by email or other forms of communication, personal data relating to individuals who are the subject of an allegation of corruption, including from anonymous sources.
• Betting operators and betting regulators may share account and/or other personal data relating to gamblers exhibiting unusual or suspicious behaviour.
• The International Betting Integrity Association (“IBIA”) (formerly the European Sports Security Association) may send us limited personal data relating to players who have been involved in a suspicious match.
• The TIU may provide us with data relating to previous investigations and/or prosecutions, including where this is relevant to a new investigation, prosecution or an appeal against a sanction.
• The ITF and/or ATP may provide us with scorecard/match related data (which includes certain personal data relating to players, Match Supervisors and Chair Umpires) to enable us to verify a betting alert received from a betting operator, betting regulator or IBIA.
• Match Supervisors (and/or other tournament accredited personnel, including Chair Umpires) may provide names/contact details of players and match-related information requested by the ITIA, including information relating to: (i) the scorecard; (ii) any potentially significant acts such as injuries/illness; (iii) a break in play; (iv) the names of a player's medical team; and (v) details of any treatment provided.
• The ITIA is provided with access to Governing Body portals through which it may access names and contact information of Match Supervisors and Chair Umpires and various personal data relating to players.
• The ITF provides the ITIA with access to its database, to enable the ITIA to obtain various player data, including name, contact details, IPIN account information, IP address and device information, passport details and details of associated persons (such as friends, family and agent).
• Tournament Officials provide the ITIA with various player data relevant to that particular tournament and photographs and other personal data relating to courtsiders.
• Players and officials may provide the ITIA with personal data relating to individuals who have set up bogus social network pages in the name of a particular player, or who send abusive/threatening messages to a player or make a corrupt approach.
• Tournament broadcasters may provide us with match recordings where relevant to our investigation.
• The Governing Bodies may provide us with courtsider information, including name, date of birth, aliases, contact details and photographs and videos of their activity, any reasons for their exclusion from tournament grounds and information about their presence at a particular match.
• Witnesses may reveal personal data about individuals who are subject to a corruption investigation.
• Tournaments provide us with names/contact details of accredited persons and/or their behaviour/activities at a particular tournament, which may be used for the purpose of registering such individuals for TIPP.
• Governing Bodies may provide us with copies of players' disciplinary records.
• When you attend a conference or seminar organised by one of the Governing Bodies or another third party, we may receive registration information such as your name, address and other contact information.
• We may obtain business contact details through our interactions and dealings with various businesses and organisations.

Data collected through cookies/other tracking technologies:

We may collect the following types of information from you when you use our Website or our app (using Cookies or other tracking technologies):

• Usage – information about how you browse, including time spent on page, click-throughs, download errors
• Technical – IP address, browser type, hardware type, network and software identifiers, device information, operating system and system configuration

This information may identify you, either directly, or indirectly when combined with other information.

For more information on the above, please read our Cookies Policy.

SPECIAL CATEGORIES OF DATA / CRIMINAL CONVICTIONS AND OFFENCES DATA

Certain information which we collect and use is categorised as “special categories of personal data” or “personal data relating to criminal convictions and offences”. These categories of data are seen as being more sensitive and are therefore afforded greater levels of protection. This includes information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric or health data, data about an individual’s sexual life or sexual orientation and data relating to criminal convictions and offences. We may collect and use some or all of this data as part of our anti-corruption investigations. We will only collect and use this data where we have a legal basis for doing so, as set out in the table below.

WHAT DO WE USE YOUR DATA FOR AND HOW ARE WE LEGALLY ALLOWED TO DO SO?

Purpose: To prevent or detect corruption and/or other breaches of the TACP – our primary function is to prevent and detect corruption in professional tennis. On such basis, we process the majority of personal data in connection with such purpose
Legal ground(s):
• Personal Data – necessary for the legitimate interests pursued by the ITIA (being to achieve the ITIA’s core purpose of preventing/tackling corruption in tennis)
• Special Categories of Personal Data and Criminal Convictions and Offences related Data – necessary for reasons of substantial public interest (to maintain and uphold standards of behaviour in sport)

Purpose: To operate the 'no credentials' list of individuals who are subject to exclusion from tournaments sanctioned or recognised by the Governing Bodies
Legal ground(s):
• Same as above

Purpose: In connection with the detection or prevention of crime or the apprehension or prosecution of offenders
Legal ground(s):
• Same as above
• In addition, in relation to the processing of Special Categories of Personal Data and Criminal Convictions and Offences related Data, this is also necessary for the establishment, exercise or defence of legal claims or preventing or detecting unlawful acts

Purpose: To administer TIPP
Legal ground(s):
• Necessary for the legitimate interests pursued by the ITIA (being to achieve the ITIA’s core purpose of preventing/tackling corruption in tennis)

Purpose: To defend the legal rights, property and/or safety of the ITIA or others
Legal ground(s):
• Personal Data – necessary for the legitimate interests pursued by the ITIA (being to achieve the ITIA’s core purpose of preventing/tackling corruption in tennis or to detect and prevent criminal activity or the infringement of other legal rights)
• Special Categories of Personal Data and Criminal Convictions and Offences related Data – necessary for reasons of substantial public interest (to maintain and uphold standards of behaviour in sport or preventing or detecting unlawful acts), necessary for the establishment, exercise or defence of legal claims

Purpose: To communicate with you generally (e.g. dealing with your inquiries, comments and requests)
Legal ground(s):
• Personal Data – necessary for our legitimate interests (to ensure that we effectively deal with your inquiries, comments and requests)
• Special Categories of Personal Data and Criminal Convictions and Offences related Data – necessary for reasons of substantial public interest (to maintain and uphold standards of behaviour in sport or preventing or detecting unlawful acts), necessary for the establishment, exercise or defence of legal claims

Purpose: To deal with your complaint or grievance
Legal ground(s):
• Personal Data – necessary for the legitimate interests pursued by the ITIA (being to investigate your complaint or grievance)
• Necessary to comply with a legal obligation
• Special Categories of Personal Data and Criminal Convictions and Offences related Data – necessary for reasons of substantial public interest (to maintain and uphold standards of behaviour in sport or preventing or detecting unlawful acts), necessary for the establishment, exercise or defence of legal claims

Purpose: Investigate bogus social network page or threatening/abusive messages
Legal ground(s):
• Personal Data – necessary for the legitimate interests pursued by the ITIA (being to protect players from threats and actual harm)
• Necessary to comply with a legal obligation
• Special Categories of Personal Data and Criminal Convictions and Offences related Data – necessary for reasons of substantial public interest (to maintain and uphold standards of behaviour in sport or preventing or detecting unlawful acts), necessary for the establishment, exercise or defence of legal claims

Purpose: To register you for a conference or educational seminar
Legal ground(s):
• Performance of a contract with you

Purpose: Enable you to download a copy of the TACP
Legal ground(s):
• Performance of a contract with you

Purpose: Notify you of changes to our Privacy Policy and/or Cookies Policy
Legal ground(s):
• Performance of a contract with you
• Necessary to comply with a legal obligation

Purpose: Administer our Website and our app, including trouble shooting, testing and analysis and to enable you to participate in interactive features of our Website and the app
Legal ground(s):
• Performance of a contract with you
• Necessary for our legitimate interests (to ensure that our Website and app are fully functional and operating in the most effective way for you)

Purpose: Improve and personalise your experience of our Website and app
Legal ground(s):
• Performance of a contract with you
• Necessary for our legitimate interests (to ensure that our Website and app operate in the most effective way for you)

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES?

We may share personal data with third parties, including but not limited to:

• Betting operators and regulators to ascertain whether individuals subject to the TACP have betting accounts and to obtain further information where required in connection with an investigation, which may include individuals subject to the TACP and any individual who may pose a threat to the integrity of the sport of tennis.
• Law Enforcement Agencies and Regulators in connection with the prevention or detection of crime or the apprehension or prosecution of offenders.
• Governing Bodies and/or Governing Body lawyers for the following purposes: (i) in connection with any investigation into a breach of the TACP; (ii) for onward transmission to various tournaments in connection with protecting the intellectual property rights (i.e. the scorecard data) of the Governing Bodies at a particular event; (iii) to report on whether a player has registered for/completed TIPP; (iv) to report on whether a player or covered person has attended an education workshop, conference or seminar; and/or (v) for accreditation purposes (in the context of the non-credentials list).
• United Kingdom's Gambling Commission and other betting regulators in the event of an actual or suspected gambling offence under applicable laws.
• Grand Slam Board for accreditation purposes.
• PTIOs in connection with certain ongoing anti-corruption matters which commenced prior to 1 January 2021 and TISB in connection with our investigations.
• Our service providers and suppliers who provide services to us or on our behalf (e.g. legal advisors and the ITIA’s European Representative as detailed below, translation and transcriber service providers, forensic service providers, IT providers, website and app hosting company etc.).
• Other bodies in connection with specific data sharing activities consistent with the role of the ITIA from time to time (e.g. Olympic committees).

We also may share your information in response to subpoenas, court orders, or other legal process; to establish or exercise our legal rights; to defend against legal claims; as otherwise required by law; when we believe it is appropriate to investigate, prevent, or take action regarding illegal or suspected illegal activities otherwise than in the context of the TACP; and to protect and defend the rights, property, or safety of ITIA and others. If we are organised or restructured to another organisation, we may transfer personal data we hold to that organisation.

If we share personal data with third parties, we will ensure that access is limited on a strictly need to know basis and is subject to suitable obligations relating to confidentiality and security (and in each case, there are suitable contractual provisions in place to cover our respective data protection obligations).

HOW LONG DO WE KEEP YOUR DATA FOR?

We will store your personal data securely in accordance with our obligations under data protection laws and will regularly review the purposes for which we are retaining your data. We will cleanse data periodically to the extent it is (or part of it is) no longer relevant for the legitimate purposes for which it was originally collected.

Please be aware that the maximum period for which we may retain your data aligns with the limitation period for bringing an action under TACP. Where your data is not relevant for TACP investigations (e.g. business contact information) we will retain this data for as long as we are actively engaged with you (i.e. where you or your company is providing a service to the ITIA) or for such longer period as may be required by law.

HOW DO WE KEEP YOUR DATA SECURE?

Given the highly sensitive nature of certain of the data which we process, we have implemented appropriate security and organisation measures to protect against the unauthorised use of, access to, disclosure and loss of data. We also make sure that third parties who need to handle your data are subject to robust confidentiality and security standards.

Despite the security measures we implement, please be aware that the transmission of data via the internet is not completely secure. As such, we cannot guarantee that information transmitted to us via the internet will be completely secure and any transmission is at your own risk.

OVERSEAS TRANSFERS OF YOUR DATA

The European Economic Area or “EEA” is deemed to have good standards when it comes to data privacy. As such, we limit the occasions when we need to transfer your personal data outside of the EEA. These may cover, without limitation, the following situations which are linked to an ITIA anti-corruption investigation or accreditation purposes:

• As part of the ITIA’s communications with foreign betting operators or foreign betting regulators in relation to suspicious betting activity, to determine whether individuals subject to the TACP have betting accounts and to obtain further information where required, which may include individuals subject to the TACP and any individual who may pose a threat to the integrity of the sport of tennis.
• To facilitate the exchange of information with the Grand Slam Board (two members of which are located outside of the EEA, in the US and Australia) as part of an investigation or in connection with the ‘no credentials’ list. We may also be required to share data with the ATP and WTA in connection with other tournaments for the same purposes, and/or with PTIOs in connection with any appeals regarding decisions whether to include certain individuals on the ‘no credentials’ list.
• We may be required to transfer your personal data to law enforcement agencies, regulatory bodies, lawyers, Europol and Interpol as part of an ITIA investigation, legal claim or criminal matter, and certain of these may be located outside of the EEA.
• As part of our investigations, ITIA investigators may handle certain of your personal data outside of the EEA (i.e. when they work on an investigation whilst based in a country outside of the EEA), to the extent that this is not deemed to be “in transit”.

Where we do transfer your personal data outside of the EEA, we make sure that your data is still treated fairly and lawfully in all respects (including making sure we have a legal ground for sending your data outside the EEA and putting in place all necessary safeguards for such arrangement). To the extent we are not sharing data with a country that is deemed by the European Commission to have adequate data protection standards, we will usually put in place standard model contractual clauses to govern that data sharing, in accordance with data protection laws.

Where relevant, you will have the right to see a copy of any safeguards we put in place for international transfers of your data. Please contact us if you would like to find out more.

LINKS TO THIRD PARTY WEBSITES

Our Website may contain links to enable you to visit other websites easily (including the ATP, ITF and WTA websites/portals). However, once you have used these links to leave our Website we do not have any control over these third party websites and are not responsible for the protection and privacy of any information which you provide whilst visiting such websites. Your use of these third party sites is not governed by this Privacy Policy. You should exercise caution and examine the privacy policies and terms of use applicable to the websites in question.

YOUR RIGHTS

In certain situations, you are entitled to:

• access a copy of your personal data;
• correct or update your personal data;
• erase your personal data;
• object to the processing of your personal data where we are relying on a legitimate interest (as set out in the above table);
• restrict the processing of your personal data;
• request the transfer of your personal data to a third party; or
• where you have provided your consent to certain of our processing activities, in certain circumstances, you may withdraw your consent at any time (but please note that we may continue to process such personal data if we have legitimate legal grounds for doing so).

If you want to exercise any of these rights, please contact us. You don’t have to pay a fee to exercise your rights, unless your request is clearly unfounded, repetitive or excessive (in which case we can charge a reasonable fee). Alternatively, we may refuse to comply with your request in these circumstances. Where your request is legitimate, we will always respond within one month (unless there is a legal reason to take longer, such as where your request is particularly complex). We may also need you to confirm your identity before we proceed with your request if it is not clear to us who is making the request.

In addition to the above, you may get in touch with the ICO (Information Commissioner’s Office) if you are concerned about the way in which we are handling your personal data, or if you are an EEA individual and/or your concerns relate to us processing personal data regarding activities that you undertake/have undertaken within the EEA you may raise your concerns with the national data protection supervisory authority in the EEA Member State in which you are based.

EUROPEAN REPRESENTATIVE

In relation to all personal data processing activities undertaken by the ITIA that relate to individuals in the EEA and/or the activities of individuals in the EEA, the ITIA's European Representative is DataRep and can be contacted at:

• [email protected]
• using online webform at www.datarep.com/itiatennis
• Mailing your enquiry to DataRep at the most convenient of the addresses below:

Please address any enquiries to ‘DataRep’ and not to the ITIA directly; communications addressed to the ITIA directly will likely not be received. Please do however ensure that the correspondence refers to the ITIA.

Country: Address
Austria: DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium: DataRep, Place de L'Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
Bulgaria: DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia: DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus: DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic: DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
Denmark: DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia: DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland: DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France: DataRep, 72 rue de Lessard, Rouen, 76100, France
Germany: DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece: DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
Hungary: DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
Iceland: DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland
Ireland: DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy: DataRep, BPM 335368, Via Roma 12, 10073, Ciriè TO, Italy
Latvia: DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein: DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania: DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg: DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta: DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands: DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Norway: DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
Poland: DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal: DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania: DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
Slovakia: DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia: DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain: DataRep, BPM 335368, Avd. Castilla La Mancha Nº 70-1 (Nave A), 45270, Mocejon-Toledo, Spain
Sweden: DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden

HOW TO CONTACT US

If you have any requests concerning your personal data or any queries with regard to this Privacy Policy or our privacy practices more generally please either contact DataRep where relevant, using the contact details shown above, or in other cases please contact us at:

Email: [email protected]

Please write to us at: FAO Data Protection Officer, International Tennis Integrity Agency Ltd, Bank Lane, Roehampton, London, SW15 5XZ, United Kingdom

Telephone: +44 208 392 4762

LAST UPDATED: JANUARY 2021
