To the extent that there is any conflict between this Data Privacy and Security Addendum (“DPSA”) and the Terms of Service (and any documents or policies incorporated by reference therein, save for the DPSA) (“Agreement”), this DPSA will prevail.
Unless stated otherwise the following terms will have the meanings ascribed to them below. Capitalized terms used in this DPSA but not defined below will have the meaning ascribed to them in the Agreement.
“Administrative Information” refers to personal information that Organisation provides to Tencent Cloud to set up and manage Organisation’s account and the services provided by Tencent Cloud, and any personal information generated in connection with Organisation’s use of the services provided by Tencent Cloud;
“Content” refers to any data, including personal information, that Organisation submits, uploads, transmits or displays using the services provided by Tencent Cloud;
“Controller” refers to a person who either alone or jointly in common with one or more other persons controls the collection, holding, processing or use of Personal Data;
“Controller-Processor Transfer Clauses” refers to the Standard Contractual Clauses (Controller to Processor) as set out in the Commission Decision of 5 February 2010 (C(2010) 593), as set out below at (2) Controller-Processor Transfer Clauses;
“Data Breach” refers to any misuse, interference with, loss of, unauthorized access to, modification or disclosure of Personal Data that is Processed by Tencent in connection with the Agreement;
“Data Protection Laws” refers to the data protection law(s) applicable in respect of the collection, storage, processing, transfer, disclosure, and use of any Personal Data which apply from time to time to the person or activity in the circumstances in question, including the Directive, the e-Privacy Directive and the GDPR;
“Data Subject” refers to any individual who is the subject of Personal Data;
“Directive” refers to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data;
“e-Privacy Directive” refers to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector;
“EEA” refers to the European Economic Area;
“EU Personal Data” refers to Personal Data of a Data Subject that is located in the EEA;
“GDPR” refers to Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data;
“Jurisdiction-Specific Requirements” refers to the specific requirements for Processing Personal Data that apply in certain jurisdictions, as set out below at (1) Jurisdiction Specific Requirements;
“Organisation” refers to the entity that has agreed to the Terms of Service. For the purposes of this DPSA (including its attachments), a reference to “Organisation” shall, in the case of an agreement with an individual that is not acting on behalf of an Organisation, be deemed to be a reference to that individual;
“Personal Data” refers to any information relating to an identified or identifiable natural person, including ‘personal data’ and ‘personal information’ as those terms are defined in the Data Protection Laws;
“Processing” refers to performing any operation or set of operations on Personal Data, including any collection, use, storage or disclosure, or as otherwise defined in the relevant Data Protection Laws;
“Processor” refers to a person who Processes Personal Data on behalf of one or more Controller(s);
“Sub-Processor” refers to any Tencent Affiliate or third party appointed from time to time by Tencent to Process Personal Data on its behalf in accordance with clause 7.4;
“Supervisory Authority” refers to a regulatory authority having competent jurisdiction in respect of a Data Protection Law;
“Tencent Cloud” refers to the entity that supplies the services to the Organisation, as specified in the Terms of Service;
“Tencent Cloud Portal” refers to the customer portal to which Organisation has access upon completion of the sign-up process for Tencent Cloud;
“Tencent Security Policy” refers to such reasonable and appropriate technical and organisational measures determined by Tencent from time to time, to protect Personal Data against unauthorized or accidental access, Processing, erasure, loss or use. Such measures will include the measures set out in the Controller-Processor Transfer Clauses (if applicable);
“Terms of Service” refers to the terms located at Terms of Service; and
“Third Countries” refers to all countries outside of the scope of the data protection laws of the European Economic Area (the “EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this Agreement include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
3.1 The parties acknowledge that in the performance of its obligations under the Agreement, Tencent may Process Personal Data in connection with Organisation's storage of, access to and Processing of Content as part of providing Tencent Cloud. The purpose of this DPSA is to set out the respective obligations of the parties in relation to such Processing.
3.2 Each party warrants to the other that it will comply with all Data Protection Laws applicable to it in relation to the Personal Data.
Tencent and Organisation acknowledge that Organisation is the Controller and Tencent is the Processor in respect of the Personal Data.
5.1 Subject to clause 5.2, where Organisation has selected a Service Region pursuant to the Agreement, Tencent will only Process the Personal Data in that Service Region.
5.2 Organisation acknowledges and agrees that Tencent may, for operational, regulatory or other reasons, need to change its Processing locations from time to time, provided that any Processing of Personal Data in a place other than the Organisation's preferred Service Region will be considered a “material change” addressed in accordance with the Agreement.
5.3 Organisation acknowledges and agrees that the Tencent Contracting Entity listed in the Terms of Service might not be the entity in custody or control of Customer Data, including Personal Data, so that such data may be stored and processed in the chosen Service Region. If Organisation provides information that does not require the selection of a Service Region, such as account-related information, Tencent may process and store such information in any location.
6.1 To the extent that it Processes Personal Data on behalf of Organisation, Tencent will:
7.1 Organisation represents, warrants and undertakes to Tencent that throughout the Term:
8.1 Tencent may authorize any Sub-Processor to Process the Personal Data on its behalf provided that, where (and to the extent) required by Data Protection Laws, Tencent enters into a written agreement with the Sub-Processor containing terms which are substantially the same as those contained in this DPSA. Organisation hereby grants Tencent general written authorisation to engage such Sub-Processors listed at the Tencent Cloud Third Parties page, subject to the requirements of this clause 8.
8.2 Tencent shall, to the extent the Personal Data Processed is EU Personal Data or where the laws of any other jurisdiction require such notification, inform Organisation by email (and via the Tencent Cloud Portal) of any intended changes concerning the addition or replacement of the Sub-Processors. In such a case, Organisation will have fourteen (14) days from the date of receipt of the notice to approve or reject the change. In the event of no response from Organisation, the Sub-Processor will be deemed accepted. If Organisation rejects the replacement sub-processor, Tencent may terminate the Agreement with immediate effect on written notice to Organisation.
8.3 In the event that Tencent engages a Sub-Processor for carrying out specific Processing activities on behalf of Organisation, where that Sub-Processor fails to fulfill its data protection obligations, Tencent will remain fully liable under the Data Protection Laws to Organisation for the performance of that Sub-Processor's obligations.
For DPSA, we add the following section before “Jurisdiction-specific Requirements”:
The following Modules shall apply and be incorporated by reference into this DPSA if you use the specific Feature (as defined in each relevant Module).
1. Tencent Push Notification Service.
3. Mobile Tencent Protect.
4. Web Application Firewall.
1.1 Tencent agrees that it will not Process EU Personal Data in a Third Country except where Tencent complies with the data importer’s obligations set out in the Controller-Processor Transfer Clauses.
1.2 To the extent of any conflict between the Controller-Processor Transfer Clauses and the rest of this DPSA, the Controller-Processor Transfer Clauses will prevail in relation to any EU Personal Data.
1.3 For the purposes of the Controller-Processor Transfer Clauses, the following additional provisions will apply:
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection:
Name of the data exporting organisation: This is the Organisation that has entered into the Agreement, or if the Agreement is entered into with an individual that is not acting on behalf of an Organisation, that individual.
(the “data exporter”)
Name of the data importing organisation: The contracting entity specified in section 1.2 of the Terms of Service.
(the “data importer”)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
3.1 The data subject can enforce against the data exporter this Clause, Clauses 4(b) to 4(i), Clauses 5(a) to 5(e) and 5(g) to 5(j), Clauses 6.1 and 6.2, Clause 7, Clause 8.2 and Clauses 9 to 12 as third-party beneficiary.
3.2 The data subject can enforce against the data importer this Clause, Clauses 5(a) to 5(e) and 5(g), Clause 6, Clause 7, Clause 8.2 and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.3 The data subject can enforce against the sub-processor this Clause, Clauses 5(a) to 5(e) and 5(g), Clause 6, Clause 7, Clause 8.2 and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor will be limited to its own processing operations under the Clauses.
3.4 The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
The data exporter agrees and warrants:
The data importer agrees and warrants:
6.1 The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
6.2 If a data subject is not able to bring a claim for compensation in accordance with Clause 6.1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
6.3 If a data subject is not able to bring a claim against the data exporter or the data importer referred to in Clauses 6.1 and 6.2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor will be limited to its own processing operations under the Clauses.
7.1 The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
8.1 The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
8.2 The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
8.3 The data importer will promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to Clause 8.2. In such a case the data exporter will be entitled to take the measures foreseen in Clause 5(b).
The Clauses will be governed by the law of the Member State in which the data exporter is established.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
11.1 The data importer will not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it will do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer will remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.
11.2 The prior written contract between the data importer and the sub-processor will also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in Clause 6.1 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor will be limited to its own processing operations under the Clauses.
11.3 The provisions relating to data protection aspects for sub-processing of the contract referred to in Clause 11.1 will be governed by the law of the Member State in which the data exporter is established.
11.4 The data exporter will keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which will be updated at least once a year. The list will be available to the data exporter's data protection supervisory authority.
12.1 The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor will, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or will destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
12.2 The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in Clause 12.1.
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the Organisation as defined in the Agreement, or if the Agreement is entered into by an individual that is not acting on behalf of an Organisation, that individual.
The data exporter has engaged the data importer to provide online services as described in the Agreement.
The data importer is Tencent, as defined in the Agreement, a leading provider of Internet value added services. The data importer has been engaged by the data exporter to provide certain online services as described in the Agreement.
Categories of data
The personal data transferred concern the following categories of data (please specify):
The Content uploaded by the Data Exporter, or as notified by Data Exporter to Data Importer from time to time.
Special categories of data
The personal data transferred concern the following special categories of data (please specify):
The Content uploaded by the Data Exporter, or as notified by Data Exporter to Data Importer from time to time.
The personal data transferred will be subject to the following basic processing activities (please specify):
The Data Importer will process the personal data in support of the activities carried out by the Data Exporter. In particular, the Data Importer's processing activities carried out under the instructions and on behalf of the Data Exporter include: data hosting, data back-up, communications, data analytics, statistics, analysis, IT system administration, order fulfilment, support services, employee management services, processing order payments, delivery of marketing communications, promotions and surveys, operations, software maintenance and hosting, information technology services including desktop and network management, system monitoring, application and program development, archiving, disaster management and data restoring.
We have implemented a comprehensive privacy and security programme for the purpose of protecting your content. This programme includes the following: