tencent cloud

To the extent that there is any conflict between this Data Processing and Security Addendum(“DPSA”) and the Terms of Service (and any documents or policies incorporated by reference therein, save for this DPSA), this DPSA will prevail.

1. Definitions

Except to the extent defined below, capitalized terms shall have the meaning given to them in the Terms of Service.

“Administrative Information” refers to personal information that Organisation provides to Tencent Cloud to set up and manage Organisation’s account and the Services, and any personal information generated in connection with Organisation’s use of the Services;

“Applicable Law” means any of the following, in any jurisdiction, to the extent that it applies to a party:

1. any statute, directive, order, enactment, regulation, bylaw, ordinance or subordinate legislation in force from time to time;
2. the common law and the law of equity;
3. any binding court order, judgment or decree;
4. any applicable industry code, policy or standard enforceable by law; and
5. any applicable direction, statement of practice, policy, rule or order that is set out by a competent regulatory authority that is binding on the parties;

“Content” refers to any data, including Personal Data, that Organisation submits, uploads, transmits or displays while using the Services;

“Controller” refers to a person who either alone or jointly in common with one or more other persons controls the collection, holding, processing or use of Personal Data, including as applicable any “business” as that term is defined by the CCPA;

“Controller-Processor Transfer Clauses” means:

1. in the case of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, as amended, updated or replaced from time to time; and
2. in the case of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to data processors established in third countries set out in the Commission Decision the Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor), as amended, updated or replaced from time to time;
which are both hereby incorporated and form part of this DPSA, and:
1. if applicable, for the purposes of Annex I.A. of the Controller-Processor Transfer Clauses, the Organisation is the Controller and Tencent is the Processor and the name, address, contact person’s details and relevant activities for each of them is set out in Appendix 1 (Processing Details);
2. for the purposes of Annex I of the Controller-Processor Transfer Clauses, the parties and processing details set out in Appendix 1 (Processing Details) shall apply;
3. for the purposes of Annex II of the Controller-Processor Transfer Clauses, the technical and organisational security measures set out in Appendix 2 (Technical and Organisational Security Measures) shall apply; and
4. for the purposes of the Controller-Processor Transfer Clauses: (i) for Clause 9, Option 2 (General Written Authorization) is deemed to be selected and the notice period specified in clause 8.2 of this DPSA shall apply; (ii) for Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) for Clause 13 and Annex I.C, the competent Supervisory Authority shall be the supervisory authority of the EU member state where: (a) the Organisation is established in the EEA, or if not applicable; (b) where the Organisation’s representative is established in the EEA, or if not applicable; (c) where the Data Subjects whose Personal Data is transferred under this DPSA are located in the EEA; (iv) for Clause 17, Option 2 is deemed to be selected and to the extent required the governing law shall be as separately agreed between the parties; and (v) for the purposes of Clause 18, the competent courts shall be the competent courts of the EU member state where (a) the Organisation is established in the EEA, or if not applicable; (b) the Organisation’s representative is established in the EEA, or if not applicable; (iii) the Data Subjects whose Personal Data is transferred under this DPSA are located in the EEA.

“Data Breach” refers to any misuse, interference with, loss of, improper, unauthorized, unlawful access to, use of, modification or disclosure of Content that is Processed by Tencent in connection with the Terms of Service;

“Data Protection Laws” refers to the data protection law(s) applicable in respect of the collection, storage, processing, transfer, disclosure, and use of any Content in connection with the Services, including (without limitation) the U.S. Privacy Laws, the e-Privacy Directive, the e-Privacy Regulation (once it takes effect), the GDPR and the UK GDPR, in addition to any law which implements the e-Privacy Directive, the e-Privacy Regulation (once it takes effect), the GDPR and the UK GDPR (which for the avoidance of doubt is the UK Data Protection Act 2018), in each case as amended, consolidated, re-enacted or replaced from time to time;

“Data Subject” has the meaning given to that term or other analogous term (such as ‘consumer’ in the case of the CCPA) in Data Protection Laws;

“e-Privacy Directive” refers to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector;

“e-Privacy Regulation” refers to Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)

“EEA” refers to the European Economic Area;

“EEA/UK Personal Data” refers to Content which is Personal Data of a Data Subject that is located in the EEA or the UK;

“GDPR” refers to Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data;

“Jurisdiction-Specific Requirements” refers to the specific requirements for Processing Personal Data that apply in certain jurisdictions, as set out under clause 10 (Jurisdiction-Specific Requirements);

“Organisation”refers to the entity or legal person that has entered into the Terms of Service;

“Lawful Export Measure”means a method allowing for the lawful transfer of Personal Data from a data exporter to a data importer, as may be stipulated by Data Protection Laws or a Supervisory Authority from time to time, and which may include (depending upon the Applicable Laws) model transfer terms prescribed by Data Protection Laws; or prior registration, licensing or permission from a Supervisory Authority;

“Personal Data” has the meaning given to such term or other analogous term in Data Protection Laws that Tencent processes under the Agreement to provide the Services;

“Privacy Policy” refers to the policy located at Privacy Policy, as updated and notified to Organisation from time to time;

“Processing” has the meaning given to such term or other analogous term in Data Protection Laws, and “Process” and “Processed” shall be construed accordingly;

“Processor” refers to a person who Processes Personal Data on behalf of one or more Controller(s), including as applicable any “service provider” or “contractor” as that term is defined by the CCPA;

“Processor-Processor Transfer Clauses” means, as relevant, (i) in respect of transfers of Personal Data subject to the GDPR the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); or (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as in force and as amended, updated or replaced from time-to-time;

“Services” shall have the same meaning ascribed to it as in the Terms of Service;

“Sub-Processor” refers to any Tencent Affiliate or third party appointed from time to time by Tencent to Process Content on its behalf in accordance with clause 7.4;

“Supervisory Authority” refers to a regulatory authority having competent jurisdiction in respect of a Data Protection Law;

“Tencent”refers to the contracting entity performing or procuring the Services, as specified in the Terms of Service;

“Tencent Cloud Portal” refers to the dashboard made available to Organisation to facilitate management of the Services;

“Tencent Security Policy” refers to such reasonable and appropriate technical and organisational measures determined by Tencent from time to time, to protect Personal Data against unauthorized or accidental access, Processing, erasure, loss or use. Such measures will include the measures set out in the Controller-Processor Transfer Clauses (if applicable);

“Terms of Service” refers to the terms located at Terms of Service;

“Third Country” refers to (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time-to-time; and (iii) in relation to Personal Data transfers that are not subject to either the GDPR or UK GDPR, any country or territory other than those approved as providing adequate protection for Personal Data by the relevant competent authority of such jurisdiction from time to time;

“U.S. Privacy Laws” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act;

“UK” refers to the United Kingdom of Great Britain and Northern Ireland; and

“UK GDPR” means the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

2. Scope of this DPSA

This DPSA applies if you have entered into the Terms of Service for the supply of Services by Tencent. This DPSA applies to the Processing of Content. Personal Data that is Administrative Information is Processed in accordance with the Privacy Policy and this DPSA shall not apply to the Processing of Administrative Information.

3. Authorisation to Process Personal Data

3.1The parties acknowledge that in the performance of its obligations under the Terms of Service, Tencent may Process Personal Data in connection with Organisation’s storage of, access to and Processing of Content as part of providing the Services. The purpose of this DPSA is to set out the respective obligations of the parties in relation to such Processing.

3.2 Each party warrants to the other that it will comply with all Data Protection Laws applicable to it in relation to the Personal Data Processed in connection with the Services.

4. Controller and Processor

Tencent and Organisation agree that Organisation is the Controller and Tencent is the Processor in respect of Personal Data Processed under this DPSA.

5. Service Regions

5.1 Subject to clause 5.2, where Organisation has selected a Service Region for the Services, Tencent will Process Personal Data in that Service Region.

5.2 Organisation acknowledges and agrees that Tencent may, for operational, regulatory or other reasons, need to change its Processing locations from time to time, provided that any Processing of Personal Data in a place other than the Organisation’s preferred Service Region will be considered a “material change” addressed in accordance with the Terms of Service.

5.3 Organisation acknowledges and agrees that Tencent has appointed and may appoint one or more of its Affiliates or Sub-processors to Process Personal Data in a particular Service Region.

6. Tencent's Obligations

6.1 To the extent that it Processes Personal Data on behalf of Organisation, Tencent will:

1. Process the Personal Data only for the limited and specified purpose of performing the Services, in accordance with the Organisation’s written instructions (which shall include the terms of this DPSA and any instructions provided via the Organisation’s administrative console), and the Tencent Security Policy, and notify Organisation promptly if it is unable to comply with this DPSA or any of its terms;
2. return or (at the written request of Organisation) securely destroy all Personal Data in its possession (including all back-up copies), unless it is prohibited from doing so by Applicable Laws;
3. promptly notify the Organisation, upon becoming aware, of:
1. any court order or other legal process or any request or demand by any Supervisory Authority, regulator, official or other government ministry, authority or agent to obtain or access any Personal Data, unless such notification is prohibited by Applicable Law;
2. Data Breach;
3. any material complaint, communication or request relating to Tencent’s obligations under the Data Protection Laws; and
4. any instruction received from the Organisation in relation to the Personal Data, which in the discretion of Tencent may breach any Applicable Law, including any Data Protection Law, of the appropriate jurisdiction;
4. ensure that the Personal Data is accessible only to the duly authorized persons engaged by Tencent and, subject to clause 8, accessible only to its Sub-Processors and the personnel of such Sub-Processors who are duly authorized and who need to have access to the Personal Data in order to perform Tencent’s obligations under the Terms of Service;
5. ensure that the personnel engaged and duly authorized by it to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that the same obligations for data protection under this DPSA and the Organisation’s instructions are complied with by such persons, taking into account the nature of the Processing;
6. comply with any applicable Jurisdiction-Specific Requirements; and
7. where the laws of the relevant jurisdiction require it:
1. implement appropriate technical and organisational security measures insofar as is practicable, for the purpose of providing reasonable assistance to the Organisation for the latter to comply with its obligations, including, as appropriate and applicable in the relevant jurisdiction: (i) the pseudonymisation or de-identification of Personal Data; (ii) ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;
2. taking into account the nature of the Processing, assist Organisation by appropriate technical and organisational measures, insofar as this is practicable, for the fulfilment of Organisation’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Laws;
3. assist Organisation in ensuring compliance with the obligations to: (i) implement appropriate technical and organisational security measures; (ii) notify (if required) Data Breaches to Supervisory Authorities, the relevant Data Subjects, and other persons required under such Data Protection Laws, in cases where such notification and reporting is required under the relevant Data Protection Laws; and (iii) conduct data protection impact assessments and, if required, prior consultation with Supervisory Authorities; and
4. promptly notify Organisation in writing upon becoming aware of any improper, unauthorized, or unlawful access to, use of, or disclosure of, Personal Data which is Processed by Tencent under or in connection with this DPSA. Tencent shall be obliged to provide Organisation with all information reasonably necessary for the compliance with Organisation’s obligations pursuant to Data Protection Laws.

6.2 Tencent shall notify Organisation if, in its opinion, an instruction of Organisation infringes the Data Protection Laws.

6.3 To the extent Tencent Processes Personal Data in a Third Country that is not subject to the GDPR or UK GDPR (in which case clauses ‎10.1 to ‎10.6 shall apply) and is acting as a data importer, Tencent shall, to the extent required by Data Protection Laws, ensure that the transfer of Personal Data is carried out using a Lawful Export Measure. To the extent such Lawful Export Measure requires:

1. a contract imposing appropriate safeguards on the transfer and processing of such Personal Data (which is not otherwise satisfied by this DPSA);
2. a description of the Processing of Personal Data contemplated under this DPSA; and
3. a description of technical and organisational measures to be implemented by the data importer,

the parties agree that the Controller-Processer Transfer Clauses, the description of Processing activities set out in Appendix 1 (Processing Details), and the description of technical and organisational measures set out in Appendix 2 (Technical and Organisational Security Measures), shall apply mutatis mutandis for the benefit of such transfer, and in relation to any onward transfer of the Personal Data by that data importer to another person, the other person shall comply with the same importer obligations.

7. Organisation’s Obligations

7.1 Organisation represents, warrants and undertakes to Tencent that throughout the Term that:

1. the Personal Data under this DPSA has been and will be collected in accordance with the Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the Personal Data to Tencent;
2. all instructions from Organisation to Tencent will comply with the Data Protection Laws; and
3. the Personal Data has been and will be Processed in accordance with the Data Protection Laws, including with respect to the transfer of the Personal Data to Tencent.

7.2 Organisation agrees that it will indemnify and hold harmless Tencent on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Tencent arising directly or indirectly from a breach of this clause 7.

7.3 Where Tencent faces an actual or potential claim arising out of or related to any breach of Data Protection Laws relating to Personal Data processed pursuant to this DPSA, Organisation will promptly provide all materials and information reasonably requested by Tencent that is relevant to the defense of such claim.

7.4 If Organisation becomes aware of any actual or suspected Data Breach relating to the Terms of Service or this DPSA, Organisation shall:

1. take reasonable steps to carry out, within 30 days, an assessment to determine whether the Data Breach is notifiable under the Data Protection Laws and promptly notify Tencent in writing of the results of the assessment;
2. if Organisation notifies Tencent that it considers the Data Breach to be notifiable under the Data Protection Laws:
1. Organisation shall prepare a draft of any notification statements in respect of the Data Breach required under the Data Protection Laws (“Notification Statements”) and provide the draft Notification Statements to Tencent for approval prior to disclosure to the applicable data protection regulators, Data Subjects or any other person;
2. Tencent shall provide Organisation with notice in writing:
• of any changes that Tencent reasonably requires to the draft Notification Statement and Organisation shall incorporate all such changes into the draft Notification Statement; or
• that Tencent approves the draft Notification Statement; and
3. following Tencent’s approval of a draft Notification Statement, Organisation must provide a copy of the approved Notification Statement to the relevant Supervisory Authority, Data Subjects and any other person as required under the Data Protection Laws.

8. Appointment of Sub-Processors

8.1 Tencent may authorize any Sub-Processor to Process the Personal Data on its behalf provided that, where (and to the extent) required by Data Protection Laws, Tencent enters into a written agreement with the Sub-Processor containing terms which are substantially the same as those contained in this DPSA. Organisation hereby grants Tencent general written authorisation to engage such Sub-Processors listed at Third Party Information to Process Personal Data on its behalf, subject to the requirements of this clause 8.

8.2 Tencent shall, to the extent its processing of the Personal Data is subject to Data Protection Laws that require such notification, inform Organisation by email (and via the Tencent Cloud Portal) of any intended changes concerning the addition or replacement of the Sub-Processors. In such a case, Organisation will have fourteen (14) days from the date of receipt of the notice to approve or reject the change. In the event of no response from Organisation, the Sub-Processor will be deemed accepted. If Organisation rejects the replacement sub-processor, Tencent may terminate the Terms of Service with immediate effect on written notice to Organisation.

8.3 In the event that Tencent engages a Sub-Processor for carrying out specific Processing activities on behalf of Organisation, where that Sub-Processor fails to fulfill its data protection obligations, Tencent will remain fully liable under the Data Protection Laws to Organisation for the performance of that Sub-Processor’s obligations.

9.MODULES

The following Modules shall apply and be incorporated by reference into this DPSA if you use the specific Feature (as defined in each relevant Module).
1.Tencent Push Notification Service.
2.Anti-Cheat Expert.
3.Web Application Firewall.
4.Game Multimedia Engine.
5.Anti-DDoS Pro.
6.Face Recognition.
7.StreamLive.
8.StreamPackage.
9.Cloud Object Storage.
10.Cloud Native Database TDSQL-C.
11.Tencent Cloud Elastic Microservice.
12.TencentDB for CTSDB.
13.Private DNS.
14.Database Audit.
15.TencentDB for Tendis.
16.Database Management Center.
17.Tencent Cloud Weiling.
18.Event Bridge.
19.TencentCloud Lighthouse.
20.Instant Messaging.
21.Edge Computing Machine.
22.Data Security Center.
23.Tencent Cloud TI Platform.
24.Cloud Data Warehouse.
25.Vulnerability Scan Service.
26.IoT Hub.
27.CODING Code Repositories.
28.CODING Project Management.
29.CODING Test Management.
30.CODING Continuous Integration.
31.CODING Artifact Repositories.
32.CODING Continuous Deployment.
33.Tencent Distributed Message Queue.
34.Risk Control Engine.
35.TencentCloud EdgeOne.
36.eKYC.
37.Tencent Managed Service for Prometheus.
38.Video on Demand.
39.Tencent Cloud Automation Tools.
40.Cloud Streaming Services.
41.HTTPDNS.
42.Text To Speech.
43.Automatic Speech Recognition.
44.Tencent Effect SDK.
45.TencentCloud Managed Service for Grafana.
46.Tencent Real-Time Communication.
47.Real User Monitoring.
48.Customer Identity and Access Management.
49.Penetration Test Service.
50.Cloud Application Rendering.
51.Captcha.
52.OCR.
53.Tencent Machine Translation.
54.Video Moderation System.
55.Audio Moderation System.
56.Image Moderation System.
57.Text Moderation System.
58.Tencent Cloud Mesh.
59.Cloud Data Warehouse for PostgreSQL.
60.Data Lake Compute.
61.Tencent Cloud Firewall.
62.Tencent Ecard.
63.User Generated Short Video SDK.
64.Application Performance Management.
65.BM Cloud Physical Machine.
66.Key Management Service.
67.App Flow.
68.Low-code Interactive Classroom.
69.Tencent Container Security Service.
70.Cloud Automated Testing.
71.Cloud Log Service.
72.Tencent Interactive Whiteboard.
73.Bastion Host.
74.Cloud Workload Protection Platform.

10.Jurisdiction-specific Requirements

EEA and UK

10.1 Organisation acknowledges and agrees that Tencent may, or may appoint an Affiliate or third party Sub-Processor (in accordance with clause 8) to Process the Organisation’s EEA/UK Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of applicable Data Protection Laws.

10.2 To the extent that Tencent Processes EEA/UK Personal Data in a Third Country and is acting as a data importer, Tencent shall comply with the data importer’s obligations and Organisation shall comply with the data exporter’s obligations as set out in the Controller-Processor Transfer Clauses, which are hereby incorporated into and form part of this DPSA as set out in Appendix 1 (Processing Details) (and Appendix 3 where UK GDPR applies), with the Processing details that comprise Annex 1 to the Controller-Processor Transfer Clauses being those set out in Appendix 1 (Processing Details), and the technical and organisational measures that comprise Annex 2 to the Controller-Processer Transfer Clauses set out in Appendix 2 (Technical and Organisational Security Measures).

10.3 To the extent of any conflict between the Controller-Processor Transfer Clauses and any other term of this DPSA, the Controller-Processor Transfer Clauses will prevail in relation to any EEA/UK Personal Data.

10.4 For the purposes of the Controller-Processor Transfer Clauses, the following additional provisions will apply:

1. the parties agree to observe the Controller-Processor Transfer Clauses without modification;
2. the names and addresses of Organisation and Tencent will be considered to be incorporated into the Controller-Processor Transfer Clauses and for the purposes of the Controller-Processor Transfer Clauses;
3. Organisation is the data exporter and Tencent, or Tencent’s applicable Affiliate, is the data importer as defined in the Controller-Processor Transfer Clauses; and
4. each party’s signature to this DPSA will be considered a signature to the terms contained in the Controller-Processor Transfer Clauses.

10.5 If so required by the laws or regulatory procedures of any jurisdiction, the parties will execute or re-execute the clauses contained in the Controller-Processor Transfer Clauses as a separate document setting out the proposed transfers of Personal Data in such manner as may be required.

10.6 Organisation acknowledges and agrees that Tencent may appoint an Affiliate or third-party Sub-Processor (in accordance with clause 8) to Process the Organisation’s EEA/UK Personal Data in a Third Country, in which case: (i) Tencent shall execute Processor-Processor Transfer Clauses, if applicable and available with any relevant Sub-Processor it appoints on behalf of the Organisation; or (ii) if Processor-Processor Transfer Clauses are not applicable and available, the Organisation grants Tencent a mandate to execute the relevant Controller-Processor Transfer Clauses with the Processing details set out in Appendix 1 (Processing Details) (and Appendix 3 where UK GDPR applies) and the technical and organisational measures set out in Appendix 2 (Technical and Organisational Security Measures) applying for the purposes of Appendix 1 and Appendix 2 of the Processor-Processor Transfer Clauses respectively with any relevant Sub-Processor it appoints on behalf of the Organisation.

South Korea

10.7 If and to the extent that the Tencent Security Policy is insufficient to meet the applicable requirements under Korean privacy laws and regulations, Tencent will take additional measures from time to time to comply with such requirements (as applicable to an overseas transferee of Personal Data), including:

1. Articles 28 and 63 of the Act on the Promotion of Utilisation of Information and Communications Networks and the Protection of Information (the “ICT Networks Act”);
2. Articles 15 and 67 of the Enforcement Decree promulgated under the ICT Networks Act;
3. the Guidelines for Technical and Administrative Measures for the Protection of Personal Information (issued by the Korea Communications Commission);
4. Article 29 of the Personal Information Protection Act (the “PIPA”);
5. Article 30 of the Enforcement Decree promulgated under the PIPA; and
6. the Guidelines for Security Measures for the Safety of Personal Information (issued by the Ministry of Interior and Safety), as the foregoing may be amended and/or supplemented from time to time.

10.8 Tencent will:

1. use the Personal Data only for the purpose of and within the scope of entrusted work;
2. agree to be subject to the training and supervision by Organisation of Tencent’s handling of the Personal Data; and
3. agree to be subject to the supervision and audit by relevant regulatory authorities.

10.9 Tencent will compensate Organisation and any relevant Data Subjects for any and all damages, liabilities, costs and expenses arising out of any breach of Tencent’s obligations under this DPSA or under Korean data protection laws.

U.S. Privacy Laws

10.10 To the extent required by applicable U.S. Privacy Laws, and upon reasonable written request or notice:

1. The Organisation may take reasonable and appropriate steps to ensure that Tencent uses the Personal Data in a manner consistent with the Organisation’s obligations under the applicable U.S. Privacy Laws;
2. To the extent Organisation reasonably believe Tencent is using Personal Data in violation of applicable U.S. Privacy Laws, the Organisation may take reasonable and appropriate steps to stop and remediate such unauthorized use;
3. Tencent shall make available to the Organisation information in Tencent’s possession that is necessary to demonstrate Tencent’s compliance with its obligations under the U.S. Privacy Laws.
4. Tencent shall allow and cooperate with reasonable annual assessments by the Organisation, or the Organisation’s designated auditor, at Organisation’s expense and only after the parties come to an agreement on the scope of the assessment, of Tencent’s compliance with its obligations under the applicable U.S. Privacy Laws. Alternatively, Tencent may arrange for a qualified and independent auditor to conduct an assessment of Tencent’s policies and technical and organizational measures in support of its obligations under the applicable U.S. Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Tencent shall provide a report of such assessment to the Organisation upon reasonable request.

10.11 The Parties shall, taking into account the context of the Processing, implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement such measures. To the extent required by applicable U.S. Privacy Laws, Tencent shall provide the same level of privacy protection as is required by such laws.

10.12 Tencent is prohibited from:

1. Selling and Sharing the Personal Data;
2. retaining, using or disclosing the Personal Data for any purpose other than for the specific purpose of performing the Services;
3. retaining, using or disclosing the Personal Data outside of the direct business relationship between Tencent the Organisation; and
4. combining the Personal Data received from, or on behalf of, the Organisation with any Personal Data that may be collected from Tencent’s separate interactions with the individual(s) to whom the Personal Data relates or from any other sources, except to the extent permitted by U.S. Privacy Laws. For the purposes of this U.S. Privacy Law section, “Sell”, “Share” and other analogous term shall have the meanings given to them in the U.S. Privacy Laws.

Macau

10.13 The appointment of Tencent as Processor, as well as the appointment of sub-processors where (and to the extent) permitted in this DPSA, shall be notified by the Organisation to the local data protection office (GPDP - Gabinete para a Protecção de Dados Pessoais).

10.14 Tencent shall have the right to reasonably request the Organisation provide evidence of compliance with an instruction under the relevant the Macau data protection laws, including such notification under section 10.1 above.

10.15 Organisation shall expressly inform Tencent, in writing, in case of processing of sensitive data, as defined in article 7 of the Macau Data Protection Law (Law n. 8/2005), and shall ensure compliance with the particular requirements provided for under Macau data protection law for the processing of such data.

Appendix 1

Processing details

A.List of parties

Data exporter

The data exporter is the Organisation as defined in the Terms of Service. The address of the data exporter is as defined in the Terms of Service.

The contact person’s name, position and contact details of the data exporter is as defined in the Terms of Service.

The data exporter has engaged the data importer to provide online services as described in the Terms of Service.

The data exporter is the controller.

Data importer

The data importer is Tencent, as defined in the Terms of Service. The address of the data importer is as defined in the Terms of Service.

The contact person’s name, position and contact details of the data importer is as defined in the Terms of Service.

The data importer has been engaged by the data exporter to provide certain online services as described in the Terms of Service.

The data importer is the processor.

B. Description of transfer

Categories of data subjects whose personal data is transferred

Data Subjects whose Personal Data is controlled or made available by Organisation as Content.

Categories of personal data transferred
The Content uploaded by Organisation, or as notified by Organisation to Tencent from time to time.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The Content uploaded by the Organisation, or as notified by Organisation to Tencent from time to time.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous.

Nature of the processing.
Tencent will process the personal data in support of the Services performed for Organisation.

Purpose(s) of the data transfer and further processing
Transfer and processing necessary to allow Tencent to perform the Services and its obligations under the Terms of Service.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Terms of Service.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.

C. COMPETENT SUPERVISORY AUTHORITY

Autoriteit Persoonsgegevens (the Netherlands).

Appendix 2

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

We have implemented a comprehensive privacy and security programme for the purpose of protecting your content. This program includes the following:

Data security. We have designed and implemented the following measures to protect customer’s data against unauthorized access:

standards for data categorisation and classification;

a set of authentication and access control capabilities at the physical, network, system and application levels; and

a mechanism for detecting big data-based abnormal behaviour.

Network security. We implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.

Physical and environmental security. Stringent infrastructure and environment access controls have been implemented for Tencent Cloud’s data centers based on relevant regional security requirements. An access control matrix is established, based on the types of data center personnel and their respective access privileges, to ensure effective management and control of access and operations by data center personnel.

Incident management. We operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.

Compliance with standards. We comply with the standards listed in our Compliance Center page, and as updated from time to time.

Appendix 3

INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

PART 1: TABLES

TABLE 1: PARTIES

Start date	See effective date of the DPSA
The Parties	Exporter (who sends the Restricted Transfer)	Importer (who receives the Restricted Transfer)
Parties’ details	See Appendix 1 to the DPSA
Key Contact	See Appendix 1 to the DPSA

TABLE 2: SELECTED SCCS, MODULES AND SELECTED CLAUSES

Addendum EU SCCs

The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2)

TABLE 3: APPENDIX INFORMATION
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Appendix 1 of the DPSA

Annex 1B: Description of Transfer: See Appendix 1 of the DPSA

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Appendix 2 of the DPSA

Annex III: List of Sub processors (Modules 2 and 3 only): See Section 8 of the DPSA

TABLE 4: ENDING THIS ADDENDUM WHEN THE APPROVED ADDENDUM CHANGES

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 19: Importer

PART 2: MANDATORY CLAUSES

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.