To the extent that there is any conflict between this Data Processing and Security Addendum(“DPSA”) and the Terms of Service (and any documents or policies incorporated by reference therein, save for this DPSA), this DPSA will prevail.
Except to the extent defined below, capitalized terms shall have the meaning given to them in the Terms of Service.
“Administrative Information” refers to personal information that Organisation provides to Tencent Cloud to set up and manage Organisation’s account and the Services, and any personal information generated in connection with Organisation’s use of the Services;
“Applicable Law” means any of the following, in any jurisdiction, to the extent that it applies to a party:
“Content” refers to any data, including Personal Data, that Organisation submits, uploads, transmits or displays while using the Services;
“Controller” refers to a person who either alone or jointly in common with one or more other persons controls the collection, holding, processing or use of Personal Data, including as applicable any “business” as that term is defined by the CCPA;
“Controller-Processor Transfer Clauses” means:
“Data Breach” refers to any misuse, interference with, loss of, improper, unauthorized, unlawful access to, use of, modification or disclosure of Content that is Processed by Tencent in connection with the Terms of Service;
“Data Protection Laws” refers to the data protection law(s) applicable in respect of the collection, storage, processing, transfer, disclosure, and use of any Content in connection with the Services, including (without limitation) the U.S. Privacy Laws, the e-Privacy Directive, the e-Privacy Regulation (once it takes effect), the GDPR and the UK GDPR, in addition to any law which implements the e-Privacy Directive, the e-Privacy Regulation (once it takes effect), the GDPR and the UK GDPR (which for the avoidance of doubt is the UK Data Protection Act 2018), in each case as amended, consolidated, re-enacted or replaced from time to time;
“Data Subject” has the meaning given to that term or other analogous term (such as ‘consumer’ in the case of the CCPA) in Data Protection Laws;
“e-Privacy Directive” refers to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector;
“e-Privacy Regulation” refers to Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
“EEA” refers to the European Economic Area;
“EEA/UK Personal Data” refers to Content which is Personal Data of a Data Subject that is located in the EEA or the UK;
“GDPR” refers to Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data;
“Jurisdiction-Specific Requirements” refers to the specific requirements for Processing Personal Data that apply in certain jurisdictions, as set out under clause 10 (Jurisdiction-Specific Requirements);
“Organisation”refers to the entity or legal person that has entered into the Terms of Service;
“Lawful Export Measure”means a method allowing for the lawful transfer of Personal Data from a data exporter to a data importer, as may be stipulated by Data Protection Laws or a Supervisory Authority from time to time, and which may include (depending upon the Applicable Laws) model transfer terms prescribed by Data Protection Laws; or prior registration, licensing or permission from a Supervisory Authority;
“Personal Data” has the meaning given to such term or other analogous term in Data Protection Laws that Tencent processes under the Agreement to provide the Services;
“Processing” has the meaning given to such term or other analogous term in Data Protection Laws, and “Process” and “Processed” shall be construed accordingly;
“Processor” refers to a person who Processes Personal Data on behalf of one or more Controller(s), including as applicable any “service provider” or “contractor” as that term is defined by the CCPA;
“Processor-Processor Transfer Clauses” means, as relevant, (i) in respect of transfers of Personal Data subject to the GDPR the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); or (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as in force and as amended, updated or replaced from time-to-time;
“Services” shall have the same meaning ascribed to it as in the Terms of Service;
“Sub-Processor” refers to any Tencent Affiliate or third party appointed from time to time by Tencent to Process Content on its behalf in accordance with clause 7.4;
“Supervisory Authority” refers to a regulatory authority having competent jurisdiction in respect of a Data Protection Law;
“Tencent”refers to the contracting entity performing or procuring the Services, as specified in the Terms of Service;
“Tencent Cloud Portal” refers to the dashboard made available to Organisation to facilitate management of the Services;
“Tencent Security Policy” refers to such reasonable and appropriate technical and organisational measures determined by Tencent from time to time, to protect Personal Data against unauthorized or accidental access, Processing, erasure, loss or use. Such measures will include the measures set out in the Controller-Processor Transfer Clauses (if applicable);
“Terms of Service” refers to the terms located at Terms of Service;
“Third Country” refers to (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time-to-time; and (iii) in relation to Personal Data transfers that are not subject to either the GDPR or UK GDPR, any country or territory other than those approved as providing adequate protection for Personal Data by the relevant competent authority of such jurisdiction from time to time;
“U.S. Privacy Laws” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act;
“UK” refers to the United Kingdom of Great Britain and Northern Ireland; and
“UK GDPR” means the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
3.1The parties acknowledge that in the performance of its obligations under the Terms of Service, Tencent may Process Personal Data in connection with Organisation’s storage of, access to and Processing of Content as part of providing the Services. The purpose of this DPSA is to set out the respective obligations of the parties in relation to such Processing.
3.2 Each party warrants to the other that it will comply with all Data Protection Laws applicable to it in relation to the Personal Data Processed in connection with the Services.
Tencent and Organisation agree that Organisation is the Controller and Tencent is the Processor in respect of Personal Data Processed under this DPSA.
5.1 Subject to clause 5.2, where Organisation has selected a Service Region for the Services, Tencent will Process Personal Data in that Service Region.
5.2 Organisation acknowledges and agrees that Tencent may, for operational, regulatory or other reasons, need to change its Processing locations from time to time, provided that any Processing of Personal Data in a place other than the Organisation’s preferred Service Region will be considered a “material change” addressed in accordance with the Terms of Service.
5.3 Organisation acknowledges and agrees that Tencent has appointed and may appoint one or more of its Affiliates or Sub-processors to Process Personal Data in a particular Service Region.
6.1 To the extent that it Processes Personal Data on behalf of Organisation, Tencent will:
6.2 Tencent shall notify Organisation if, in its opinion, an instruction of Organisation infringes the Data Protection Laws.
6.3 To the extent Tencent Processes Personal Data in a Third Country that is not subject to the GDPR or UK GDPR (in which case clauses 10.1 to 10.6 shall apply) and is acting as a data importer, Tencent shall, to the extent required by Data Protection Laws, ensure that the transfer of Personal Data is carried out using a Lawful Export Measure. To the extent such Lawful Export Measure requires:
7.1 Organisation represents, warrants and undertakes to Tencent that throughout the Term that:
7.2 Organisation agrees that it will indemnify and hold harmless Tencent on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Tencent arising directly or indirectly from a breach of this clause 7.
7.3 Where Tencent faces an actual or potential claim arising out of or related to any breach of Data Protection Laws relating to Personal Data processed pursuant to this DPSA, Organisation will promptly provide all materials and information reasonably requested by Tencent that is relevant to the defense of such claim.
7.4 If Organisation becomes aware of any actual or suspected Data Breach relating to the Terms of Service or this DPSA, Organisation shall:
8.1 Tencent may authorize any Sub-Processor to Process the Personal Data on its behalf provided that, where (and to the extent) required by Data Protection Laws, Tencent enters into a written agreement with the Sub-Processor containing terms which are substantially the same as those contained in this DPSA. Organisation hereby grants Tencent general written authorisation to engage such Sub-Processors listed at Third Party Information to Process Personal Data on its behalf, subject to the requirements of this clause 8.
8.2 Tencent shall, to the extent its processing of the Personal Data is subject to Data Protection Laws that require such notification, inform Organisation by email (and via the Tencent Cloud Portal) of any intended changes concerning the addition or replacement of the Sub-Processors. In such a case, Organisation will have fourteen (14) days from the date of receipt of the notice to approve or reject the change. In the event of no response from Organisation, the Sub-Processor will be deemed accepted. If Organisation rejects the replacement sub-processor, Tencent may terminate the Terms of Service with immediate effect on written notice to Organisation.
8.3 In the event that Tencent engages a Sub-Processor for carrying out specific Processing activities on behalf of Organisation, where that Sub-Processor fails to fulfill its data protection obligations, Tencent will remain fully liable under the Data Protection Laws to Organisation for the performance of that Sub-Processor’s obligations.
The following Modules shall apply and be incorporated by reference into this DPSA if you use the specific Feature (as defined in each relevant Module).
1.Tencent Push Notification Service.
3.Web Application Firewall.
4.Game Multimedia Engine.
9.Cloud Object Storage.
10.Cloud Native Database TDSQL-C.
11.Tencent Cloud Elastic Microservice.
12.TencentDB for CTSDB.
15.TencentDB for Tendis.
16.Database Management Center.
17.Tencent Cloud Weiling.
21.Edge Computing Machine.
22.Data Security Center.
23.Tencent Cloud TI Platform.
24.Cloud Data Warehouse.
25.Vulnerability Scan Service.
27.CODING Code Repositories.
28.CODING Project Management.
29.CODING Test Management.
30.CODING Continuous Integration.
31.CODING Artifact Repositories.
32.CODING Continuous Deployment.
33.Tencent Distributed Message Queue.
34.Risk Control Engine.
37.Tencent Managed Service for Prometheus.
38.Video on Demand.
39.Tencent Cloud Automation Tools.
40.Cloud Streaming Services.
42.Text To Speech.
43.Automatic Speech Recognition.
44.Tencent Effect SDK.
45.TencentCloud Managed Service for Grafana.
46.Tencent Real-Time Communication.
47.Real User Monitoring.
48.Customer Identity and Access Management.
49.Penetration Test Service.
50.Cloud Application Rendering.
53.Tencent Machine Translation.
54.Video Moderation System.
55.Audio Moderation System.
56.Image Moderation System.
57.Text Moderation System.
58.Tencent Cloud Mesh.
59.Cloud Data Warehouse for PostgreSQL.
60.Data Lake Compute.
61.Tencent Cloud Firewall.
63.User Generated Short Video SDK.
64.Application Performance Management.
65.BM Cloud Physical Machine.
66.Key Management Service.
68.Low-code Interactive Classroom.
69.Tencent Container Security Service.
70.Cloud Automated Testing.
71.Cloud Log Service.
72.Tencent Interactive Whiteboard.
74.Cloud Workload Protection Platform.
10.1 Organisation acknowledges and agrees that Tencent may, or may appoint an Affiliate or third party Sub-Processor (in accordance with clause 8) to Process the Organisation’s EEA/UK Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of applicable Data Protection Laws.
10.2 To the extent that Tencent Processes EEA/UK Personal Data in a Third Country and is acting as a data importer, Tencent shall comply with the data importer’s obligations and Organisation shall comply with the data exporter’s obligations as set out in the Controller-Processor Transfer Clauses, which are hereby incorporated into and form part of this DPSA as set out in Appendix 1 (Processing Details) (and Appendix 3 where UK GDPR applies), with the Processing details that comprise Annex 1 to the Controller-Processor Transfer Clauses being those set out in Appendix 1 (Processing Details), and the technical and organisational measures that comprise Annex 2 to the Controller-Processer Transfer Clauses set out in Appendix 2 (Technical and Organisational Security Measures).
10.3 To the extent of any conflict between the Controller-Processor Transfer Clauses and any other term of this DPSA, the Controller-Processor Transfer Clauses will prevail in relation to any EEA/UK Personal Data.
10.4 For the purposes of the Controller-Processor Transfer Clauses, the following additional provisions will apply:
10.5 If so required by the laws or regulatory procedures of any jurisdiction, the parties will execute or re-execute the clauses contained in the Controller-Processor Transfer Clauses as a separate document setting out the proposed transfers of Personal Data in such manner as may be required.
10.6 Organisation acknowledges and agrees that Tencent may appoint an Affiliate or third-party Sub-Processor (in accordance with clause 8) to Process the Organisation’s EEA/UK Personal Data in a Third Country, in which case: (i) Tencent shall execute Processor-Processor Transfer Clauses, if applicable and available with any relevant Sub-Processor it appoints on behalf of the Organisation; or (ii) if Processor-Processor Transfer Clauses are not applicable and available, the Organisation grants Tencent a mandate to execute the relevant Controller-Processor Transfer Clauses with the Processing details set out in Appendix 1 (Processing Details) (and Appendix 3 where UK GDPR applies) and the technical and organisational measures set out in Appendix 2 (Technical and Organisational Security Measures) applying for the purposes of Appendix 1 and Appendix 2 of the Processor-Processor Transfer Clauses respectively with any relevant Sub-Processor it appoints on behalf of the Organisation.
10.7 If and to the extent that the Tencent Security Policy is insufficient to meet the applicable requirements under Korean privacy laws and regulations, Tencent will take additional measures from time to time to comply with such requirements (as applicable to an overseas transferee of Personal Data), including:
10.8 Tencent will:
10.9 Tencent will compensate Organisation and any relevant Data Subjects for any and all damages, liabilities, costs and expenses arising out of any breach of Tencent’s obligations under this DPSA or under Korean data protection laws.
10.10 To the extent required by applicable U.S. Privacy Laws, and upon reasonable written request or notice:
10.11 The Parties shall, taking into account the context of the Processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement such measures. To the extent required by applicable U.S. Privacy Laws, Tencent shall provide the same level of privacy protection as is required by such laws.
10.12 Tencent is prohibited from:
10.13 The appointment of Tencent as Processor, as well as the appointment of sub-processors where (and to the extent) permitted in this DPSA, shall be notified by the Organisation to the local data protection office (GPDP - Gabinete para a Protecção de Dados Pessoais).
10.14 Tencent shall have the right to reasonably request the Organisation provide evidence of compliance with an instruction under the relevant the Macau data protection laws, including such notification under section 10.1 above.
10.15 Organisation shall expressly inform Tencent, in writing, in case of processing of sensitive data, as defined in article 7 of the Macau Data Protection Law (Law n. 8/2005), and shall ensure compliance with the particular requirements provided for under Macau data protection law for the processing of such data.
The data exporter is the Organisation as defined in the Terms of Service. The address of the data exporter is as defined in the Terms of Service.
The contact person’s name, position and contact details of the data exporter is as defined in the Terms of Service.
The data exporter has engaged the data importer to provide online services as described in the Terms of Service.
The data exporter is the controller.
The data importer is Tencent, as defined in the Terms of Service. The address of the data importer is as defined in the Terms of Service.
The contact person’s name, position and contact details of the data importer is as defined in the Terms of Service.
The data importer has been engaged by the data exporter to provide certain online services as described in the Terms of Service.
The data importer is the processor.
Categories of data subjects whose personal data is transferred
Data Subjects whose Personal Data is controlled or made available by Organisation as Content.
Categories of personal data transferred
The Content uploaded by Organisation, or as notified by Organisation to Tencent from time to time.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The Content uploaded by the Organisation, or as notified by Organisation to Tencent from time to time.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing.
Tencent will process the personal data in support of the Services performed for Organisation.
Purpose(s) of the data transfer and further processing
Transfer and processing necessary to allow Tencent to perform the Services and its obligations under the Terms of Service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Terms of Service.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Autoriteit Persoonsgegevens (the Netherlands).
We have implemented a comprehensive privacy and security programme for the purpose of protecting your content. This program includes the following:
Data security. We have designed and implemented the following measures to protect customer’s data against unauthorized access:
standards for data categorisation and classification;
a set of authentication and access control capabilities at the physical, network, system and application levels; and
a mechanism for detecting big data-based abnormal behaviour.
Network security. We implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.
Physical and environmental security. Stringent infrastructure and environment access controls have been implemented for Tencent Cloud’s data centers based on relevant regional security requirements. An access control matrix is established, based on the types of data center personnel and their respective access privileges, to ensure effective management and control of access and operations by data center personnel.
Incident management. We operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.
Compliance with standards. We comply with the standards listed in our Compliance Center page, and as updated from time to time.
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
TABLE 1: PARTIES
|Start date||See effective date of the DPSA|
|The Parties||Exporter (who sends the Restricted Transfer)||Importer (who receives the Restricted Transfer)|
|Parties’ details||See Appendix 1 to the DPSA|
|Key Contact||See Appendix 1 to the DPSA|
TABLE 2: SELECTED SCCS, MODULES AND SELECTED CLAUSES
|Addendum EU SCCs||The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2)|
TABLE 3: APPENDIX INFORMATION
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
|Annex 1A: List of Parties: See Appendix 1 of the DPSA|
|Annex 1B: Description of Transfer: See Appendix 1 of the DPSA|
|Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Appendix 2 of the DPSA|
|Annex III: List of Sub processors (Modules 2 and 3 only): See Section 8 of the DPSA|
TABLE 4: ENDING THIS ADDENDUM WHEN THE APPROVED ADDENDUM CHANGES
|Ending this Addendum
when the Approved Addendum changes
|Which Parties may end this Addendum as set out in Section 19:
|Mandatory Clauses||Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.|