WETEST DATA PROCESSING ADDENDUM
1.1 For the purposes of this Addendum, the following expressions bear the following meanings unless the context otherwise requires:
"Applicable Data Protection Laws" means the e-Privacy Directive, the GDPR and the e-Privacy Regulation (once it takes effect) and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument of the Data Controller’s Member State or the United Kingdom which implements any one of them or which relates to the Processing of Personal Data (in each case as amended, consolidated, re-enacted or replaced from time to time);
"Data Subject", "Personal Data", "Process", "Processed" or "Processing" shall each have the meaning as set out in the GDPR;
"e-Privacy Directive" means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;
"e-Privacy Regulation" means Regulation 2017/003 of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications;
"GDPR" means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
"Privacy Shield" means the EU-US and Swiss-US Privacy Shield Frameworks as designed by the US Department of Commerce and approved by the European Commission and Swiss Administration (respectively) to as having adequate protection under the GDPR and the Swiss 235.1 Federal Act of 19 June 1992 on Data Protection (respectively);
"Regulator" means the data protection supervisory authority which has jurisdiction over a Data Controller’s Processing of Personal Data; and
"Third Countries" means all countries outside of the scope of the data protection laws of the European Economic Area (" EEA ") or United Kingdom, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this Addendum include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.
2.1 The customer of WeTest (the “Data Controller”) wishes to appoint Sixjoy Hong Kong Limited (the “Data Processor”) (collectively “the Parties”), to Process Personal Data, as further described in Schedule 1 (Processing Details), for the purpose of performing the WeTest Terms of Service (the “Agreement”).
3. Data Processor's Obligations
3.1 To the extent the Data Processor Processes Personal Data on behalf of the Data Controller, it shall:
3.1.1 Process the Personal Data only on documented instructions from the Data Controller, including with regard to transfers of Personal Data to Third Countries or an international organisation, unless required to Process such Personal Data by Union or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
3.1.2 ensure that its personnel authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.3 implement appropriate technical and organisational security measures, including, as appropriate, (i) the pseudonymisation of Personal Data; (ii) ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;
3.1.4 taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Applicable Data Protection Laws;
3.1.5 promptly notify the Data Controller (including further information about the breach provided in phases promptly as more details become available) in writing upon becoming aware of any improper, unauthorized, or unlawful access to, use of, or disclosure of, or any other event which affects the availability, integrity or confidentiality of Personal Data which is Processed by Data Processor under or in connection with this Addendum. The Data Processor shall be obliged to provide the Data Controller with all information necessary for the compliance with the Data Controller’s obligations pursuant to Applicable Data Protection Laws;
3.1.6 assist the Data Controller in ensuring compliance with the obligations to (i) implement appropriate technical and organisational security measures; (ii) notify (if required) Personal Data breaches to Regulators and/or individuals; and (iii) conduct data protection impact assessments and, if required, prior consultation with Regulators;
3.1.7 at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies of the Personal Data unless Union or Member State law requires storage of the Personal Data;
3.1.8 make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this clause 3 and Applicable Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
3.2 The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction of the Data Controller infringes the Applicable Data Protection Laws.
4. Changes in Applicable Data Protection Laws
4.1 The Data Processor shall take all steps reasonably requested by the Data Controller to ensure that the Data Controller's Personal Data is processed in compliance with the GDPR, including (i) any guidance on the interpretation of its provisions once it takes effect; or (ii) if changes to the membership status of a country in the European Union or the European Economic Area require modification to this Addendum, the Data Processor will negotiate such modifications in good faith.
5. International Transfers
The Data Processor will not process data in, or transfer Personal Data to an affiliate in, a Third Country unless the Data Processor (or its affiliate (as applicable) which will be processing the Personal Data in such Third Country) complies with the data importer's obligations set out in the Standard Contractual Clauses (Controller to Processor) as set out in the Commission Decision of 5 February 2010 (C(2010) 593) and as amended, updated or replaced from time to time (“Model Clauses”) which are hereby incorporated into and form part of this Addendum (and Schedule 1 (Processing Details) shall apply for the purposes of Appendix 1 to the Model Clauses, and Schedule 2 (Technical and Organisation Security Measures) will apply for the purposes of Appendix 2 to the Model Clauses) and the Data Controller(s) will comply with the Data Exporter's obligations in such Clauses.
6.1 The Data Controller hereby grants the Data Processor general written authorisation to engage the sub-processors set out [here] subject to the requirements of this clause 6, and on the condition that the Data Processor shall inform the Data Controller in writing of any intended changes concerning the addition or replacement of the sub-processors. The Data Controller will have 14 days from the date of receipt of the notice to approve or reject the change. In the event of no response from the Data Controller, the sub-processor will be deemed accepted. If the Data Controller rejects the replacement sub-processor, the Data Processor may terminate the Agreement with immediate effect on written notice to the Data Controller.
6.2 In the event that the Data Processor engages a sub-processor for carrying out specific Processing activities on behalf of the Data Controller, where that sub-processor fails to fulfil its obligations, the Data Processor shall remain fully liable under the Applicable Data Protection Laws to the Data Controller for the performance of that sub-processor's obligations.
7. Data Controller's Obligations
7.1 Data Controller warrants that: (i) the legislation applicable to it does not prevent Data Processor from fulfilling the instructions received from the Data Controller(s) and performing Data Processor’s obligations under this Addendum; and (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to Data Processor and enable the Processing of the Personal Data by the Data Processor as set out in this Addendum.
7.2 Data Controller agrees that it will jointly and severally together with any other Data Controller, indemnify and hold harmless Data Processor on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising directly or indirectly from a breach of this Clause 7.
8. Law and Jurisdiction
This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the jurisdiction stipulated for this purpose in the Agreement. Any disputes in connection with the binding provisions of this Addendum shall be resolved in accordance with the applicable dispute resolution provision in the Agreement.
The Personal Data Processed by Data Processor will be subject to the following basic Processing activities:
Account creation and registration, confirmation of identity for the use of services, administration of product and customer support services, operation and facilitation of the service (including maintaining transaction history), optimization of the service (including specifying users' country and the corresponding language version), ensuring and maintaining the security of the service, and improving the operation of the service (including solving crashes and optimizing compatibility).
The Personal Data Processed by Data Processor will be Processed for the following duration:
For the duration of the Agreement
The Personal Data Processed by Data Processor concern the following categories of Data Subjects:
The Data Controller’s employees
Categories of Data
The Personal Data Processed by Data Processor includes the following categories of data:
Registration information, payment management information, social media log in information, customer service information, WeCom information, testing information, quota management information, game installation package information, performance and analytics information
Special Categories of Data (if appropriate)
The Personal Data Processed by Data Processor concern the following special categories of data:
TECHNICAL AND ORGANISATION SECURITY MEASURES
Data Processor shall implement a comprehensive privacy and security programme for the purpose of protecting content. This programme includes the following:
a. Data security. Data Processor shall design and implement the following measures to protect customer's data against unauthorised access:
i. standards for data categorization and classification;
ii. a set of authentication and access control capabilities at the physical, network, system and application levels; and
iii. a mechanism for detecting big data-based abnormal behaviour.
b. Network security. Data Processor shall design and implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.
c. Physical and environmental security. Data Processor shall implement stringent infrastructure and environment access controls for Data Processor’s infrastructure based on relevant regional security requirements. Sub-processor shall implement an access control matrix, based on the types of personnel and their respective access privileges, to ensure effective management and control of access and operations by personnel.
d. Incident management. Data Processor shall operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.
LIST OF APPROVED SUB-PROCESSORS
| Tencent Technology (Shanghai) Company Limited | Data processing |
| Tencent Japan GK | Data center services and infrastructure |
| Aceville Pte Limited | Data center services and infrastructure |
| Tencent Cloud LLC | Data center services and infrastructure |
| Harvest Sharp Limited | Payment services |