WETEST DATA PROCESSING ADDENDUM
1. Definitions
1.1 For the purposes of this Addendum, the following expressions bear the following meanings unless the
context otherwise requires:
"Applicable Data Protection Laws" means (a) the General Data Protection Regulation 2016/679 (the
"GDPR"); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data
Protection Act 2018 ("DPA"), the UK General Data Protection Regulation as defined by the DPA as
amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit)
Regulations 2019 (together with the DPA, the "UK GDPR"), and the Privacy and Electronic
Communications Regulations 2003; and (d) any relevant law, statute, declaration, decree, directive,
legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any
of the above or which otherwise relates to data protection, privacy or the use of personal data, in each
case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from
time to time;
"Controller to Processor Clauses" means (i) in respect of transfers of Personal Data subject to the
GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in
Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and
(ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer
Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information
Commissioner, in each case as amended, updated or replaced from time to time;
"Data Processing Clauses" means the standard contractual clauses between controllers and processors
set out in Commission Decision 2021/915 of 4 June 2021, or any equivalent clauses issued by the relevant
competent authority of the UK, in each case as amended, updated or replaced from time to time;
"Data Subject" shall have the meaning given in the relevant Applicable Data Protection Laws;
"Effective Date" shall be the date on which the Data Controller accepts the Agreement as part of
obtaining the WeTest services;
"Personal Data" means all Personal Data (as defined by the relevant Applicable Data Protection Laws)
that is subject to the relevant Applicable Data Protection Laws from time to time;
"Process", "Processed" or "Processing" has the meaning given in the relevant Applicable
Data Protection Laws;
"Processor to Processor Clauses" means, as relevant, (i) in respect of transfers of Personal Data
subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries
set out in Commission Decision 2021/914 of 4 June 2021 specifically including Module 3 (Processor to
Processor); (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data
Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK
Information Commissioner, in each case as amended, updated or replaced from time to time;
"Regulator" means the data protection supervisory authority which has jurisdiction over a Data
Controller's Processing of Personal Data; and
"Third Country" means (i) in relation to Personal Data transfers subject to the GDPR, any country
outside of the scope of the data protection laws of the European Economic Area, excluding countries approved
as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in
relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data
protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data
by the relevant competent authority of the UK from time to time.
2. Background
2.1 The customer of WeTest which acts as data controller (as determined under the Applicable Data Protection
Laws) (the "Data Controller") wishes to appoint Top Range Mobile Limited (the
"Data Processor") (collectively "the Parties"), to Process Personal Data, as further described
in Schedule 1 (Processing Details), for the purpose of performing the WeTest Terms of Service, or such terms
and conditions as agreed between the relevant customer and Top Range Mobile Limited (the
"Agreement").
2.2 This Addendum is being put in place to ensure that Data Processor processes each Data Controller's
Personal Data on the Data Controller's instructions and in compliance with the Applicable Data Protection
Laws (as defined below).
3. Conditions of Processing
3.1 This Addendum governs the terms under which Data Processor is required to Process Personal Data on
behalf of the Data Controller.
3.2 This Addendum shall commence on the Effective Date. Termination of this Addendum shall be governed by
the Agreement.
4. Data Processor's Obligations
4.1 To the extent the Data Processor Processes Personal Data on behalf of the Data Controller, it shall:
4.1.1 Process the Personal Data only on behalf of the Data Controller and in accordance with, and for the
purposes set out in the documented instructions received from the Data Controller, including with regard to
transfers of Personal Data to Third Countries or an international organization, unless required to Process
such Personal Data by Union or Member State law to which the Data Processor is subject; in such a case, the
Data Processor shall inform the Data Controller of that legal requirement before Processing, unless that law
prohibits such information on important grounds of public interest;
4.1.2 ensure that its personnel authorized to Process the Personal Data have committed themselves to
confidentiality or are under an appropriate statutory obligation of confidentiality;
4.1.3 implement appropriate technical and organizational security measures to ensure a level of security
appropriate to the risk, taking into account the state of the art, the costs of implementation and the
nature, scope, context and purpose of the Processing, including as set out in Schedule 2 and, as
appropriate, (i) the pseudonymization of Personal Data; (ii) ensuring the ongoing confidentiality,
integrity, availability and resilience of Processing systems and services; (iii) restoring the availability
and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv)
regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures;
4.1.4 taking into account the nature of the Processing, reasonably assist the Data Controller by appropriate
technical and organizational measures, insofar as this is possible, for the fulfilment of the Data
Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in the
Applicable Data Protection Laws;
4.1.5 without undue delay notify the Data Controller (including further information about the breach
provided in phases promptly as more details become available) in writing upon becoming aware of any
improper, unauthorized, or unlawful access to, use of, or disclosure of, or any other event which affects
the availability, integrity or confidentiality of Personal Data which is Processed by Data Processor under
or in connection with this Addendum. The Data Processor shall be obliged to provide the Data Controller with
all information necessary for the compliance with the Data Controller's obligations pursuant to Applicable
Data Protection Laws;
4.1.6 provide reasonable assistance to the Data Controller in ensuring compliance with the obligations to
(i) allow a Data Subject to exercise their rights under the Applicable Data Protection Law in respect of
Personal Data Processed by Data Processor on behalf of any Data Controller (such as rights to rectification,
erasure, blocking, access their personal data, objection, restriction of processing, data portability, and
the right not to be subject to automated decision making); (ii) implement appropriate technical and
organizational security measures; (iii) notify (if required) Personal Data breaches to Regulators and/or
individuals; (iv) deal or comply with any assessment, enquiry, notice or investigation by a Regulator; and
(v) conduct mandatory data protection impact assessments and, if required, prior consultation with
Regulators;
4.1.7 at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller
after the end of the provision of services relating to Processing, and delete existing copies of the
Personal Data unless Union or Member State law requires storage of the Personal Data; and
4.1.8 from time to time and on request from the Data Controller, make available to the Data Controller such
information as is reasonably necessary to demonstrate compliance with the obligations laid down in this
Clause 4 and Applicable Data Protection Laws, and reasonably allow for and contribute to audits, including
inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
4.2 The Data Processor shall promptly inform the Data Controller if, in the Data Processor's opinion, an
instruction of the Data Controller infringes the Applicable Data Protection Laws.
5. Changes in Applicable Data Protection Laws
5.1 The parties agree in good faith to modifications to this Addendum if changes are required for Data
Processor to continue to process the Personal Data as contemplated by this Addendum in compliance with the
Applicable Data Protection Laws or to address the legal interpretation of the Applicable Data Protection
Laws, including (i) to comply with the GDPR or any national legislation implementing it, or the UK General
Data Protection Regulation or the DPA, and any guidance on the interpretation of any of their respective
provisions; (ii) the Controller to Processor Clauses or the Processor to Processor Clauses or any other
mechanisms or findings of adequacy are invalidated or amended, or (iii) if changes to the membership status
of a country in the European Union or the European Economic Area require such modification.
6. International Transfers
6.1 To the extent the Data Processor Processes Personal Data in a Third Country, and it is acting as data
importer, the Data Processor shall comply with the data importer's obligations set out in the Controller to
Processor Clauses, which are hereby incorporated into and form part of this Addendum; the Data Controller
will comply with the data exporter's obligations in such Controller to Processor Clauses; and:
6.1.1 for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, the
parties and processing details set out in Schedule 1 (Processing Details) shall apply, and the Start Date is
the Effective Date;
6.1.2 if applicable, for the purposes of Part 1 of such Controller to Processor Clauses, the relevant
Addendum EU SCCs (as such term is defined in the applicable Controller to Processor Clauses) are the
standard contractual clauses for the transfer of Personal Data to third countries set out in Commission
Decision 2021/914 of 4 June 2021 (Module 2) as incorporated into this Addendum by virtue of this Clause
6.1.2;
6.1.3 for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the
technical and organizational security measures set out in Clause 4.1.3 and Schedule 2 (Technical and
Organization Security Measures) shall apply; and
6.1.4 if applicable, for the purposes of: (i) Clause 9 of such Controller to Processor Clauses, Option 2
("General written authorization") is deemed to be selected and the notice period specified in Clause 7.1
shall apply; (ii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to
independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent
supervisory authority shall be the relevant Regulator of the Data Controller; (iv) Clause 17, Option 1 is
deemed to be selected and the governing law shall be Dutch law; (v) Clause 18, the competent courts shall be
the Dutch courts; (vi) Part 1 of such Controller to Processor Clauses, the Data Processor as Importer may
terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor
Clauses.
6.2 The Data Controller acknowledges and agrees that Data Processor may appoint an affiliate or third party
subcontractor to Process the Data Controller's Personal Data in a Third Country, in which case the Data
Processor shall execute the Processor to Processor Clauses with any relevant subcontractor (including
affiliates) it appoints on behalf of the Data Controller.
7. Sub-Processing
7.1 The Data Controller hereby grants the Data Processor general written authorization to engage the
sub-processors set out [at the end of this Addendum] subject to the requirements
of this Clause 7, and on the condition that the Data Processor shall inform the Data Controller with seven
(7) business days' prior written notice of any intended changes concerning the addition or replacement of
the sub-processors, during which the Data Controller may object to the change. In the event of no response
from the Data Controller, the Data Processor may proceed with the addition or replacement. If the Data
Controller rejects the replacement sub-processor, the Data Processor may terminate the Agreement with
immediate effect on written notice to the Data Controller.
7.2 In the event that the Data Processor engages a sub-processor for carrying out specific Processing
activities on behalf of the Data Controller, (i) the Data Processor shall ensure that it has a written
agreement in place with such sub-processor which contains obligations on the sub-processor which are no less
onerous on the relevant sub-processor than the obligations on the Data Processor under this Addendum, and
(ii) where that sub-processor fails to fulfil its obligations, the Data Processor shall remain fully liable
under the Applicable Data Protection Laws to the Data Controller for the performance of that sub-processor's
obligations.
8. Data Controller's Obligations
8.1 Data Controller warrants that: (i) the legislation applicable to it does not prevent Data Processor from
fulfilling the instructions received from the Data Controller and performing Data Processor's obligations
under this Addendum; and (ii) it has complied and continues to comply with the Applicable Data Protection
Laws, in particular that it has obtained any necessary consents or given any necessary notices, and
otherwise has a legitimate ground to disclose the data to Data Processor and enable the Processing of the
Personal Data by the Data Processor as set out in this Addendum and as envisaged by the Agreement.
8.2 Data Controller agrees that it will jointly and severally together with any other Data Controller,
indemnify and hold harmless Data Processor on demand from and against all claims, liabilities, costs,
expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all
interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising
directly or indirectly from a breach of this Clause 8.
9. Consequences of Termination
9.1 Upon termination of this Addendum in accordance with Clause 3.2, the Data Processor shall, at the choice
of the Data Controller:
9.1.1 return to the Data Controller all of the Personal Data and any copies thereof which it is Processing
or has Processed upon behalf of that Data Controller; or
9.1.2 destroy all Personal Data it has Processed on behalf of the Data Controller after the end of the
provision of services relating to the Processing, and destroy all copies of the Personal Data unless any
Applicable Data Protection Law requires storage of such Personal Data; and
9.1.3 in each case cease Processing Personal Data on behalf of the Data Controller.
10. Law and Jurisdiction
This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in
connection with it or its subject matter or formation shall be governed by and construed in all respects in
accordance with the laws of the jurisdiction stipulated for this purpose in the Agreement. Any disputes in
connection with the binding provisions of this Addendum shall be resolved in accordance with the applicable
dispute resolution provision in the Agreement.
PROCESSING DETAILS
A. LIST OF PARTIES
Data controller(s)/ exporter(s): The customer of WeTest which is deemed to be a data controller under
the Applicable Data Protection Laws and has accepted the Agreement as part of obtaining the WeTest services.
Details are as provided by the relevant customer.
Activities relevant to the data transferred under these Clauses: provision of Personal Data collected from
Data Subjects for Processing to facilitate the services provided under the Agreement.
Role (controller/processor): Controller
Data processor/ importer(s):
Name: Top Range Mobile Limited
Address: 29/F., Three Pacific Place, No. 1 Queen's Road East, Wanchai, Hong Kong
Contact person's name, position and contact details: DPO_WeTest@wetest.net
Activities relevant to the data transferred under these Clauses: provision of the services as further set
out in the Agreement.
Role (controller/processor): Processor
B. PROCESSING DETAILS/ DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is processed/ transferred
The Data Controller's employees and end users/customers.
Categories of personal data processed/ transferred
Registration information, payment management information, social media log in information, customer service information, WeChat Work information, testing information, quota management information, game installation package information, performance and analytics information
Sensitive data processed/ transferred (if applicable) and applied restrictions or safeguards that fully
take into consideration the nature of the data and the risks involved, such as for instance strict
purpose limitation, access restrictions (including access only for staff having followed specialised
training), keeping a record of access to the data, restrictions for onward transfers or additional
security measures.
Not applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous
basis).
Continuous, in accordance with the requirements of providing the services under the Agreement.
Nature of the processing
Account creation and registration, confirmation of identity for the use of services, administration of product and customer support services, operation and facilitation of the service (including maintaining transaction history), optimization of the service (including specifying users' country and the corresponding language version), ensuring and maintaining the security of the service, and improving the operation of the service (including solving crashes and optimizing compatibility).
Purpose(s) of the data processing/ data transfer and further processing
To enable the provision of services in accordance with the Agreement.
Duration of the processing/ the period for which the personal data will be retained, or, if that is not
possible, the criteria used to determine that period
For the duration of the Agreement.
For processing by/ transfers to (sub-) processors, also specify subject matter, nature and duration of
the processing
As above.
SCHEDULE 2
TECHNICAL AND ORGANIZATION SECURITY MEASURES
The Data Processor shall implement a comprehensive privacy and security program for the purpose of
protecting content. This program includes the following:
- Data security. The Data Processor shall design and implement the following measures to protect customer's data against unauthorized access:
  - standards for data categorization and classification;
  - a set of authentication and access control capabilities at the physical, network, system and application levels; and
  - a mechanism for detecting big data-based abnormal behavior.
- Network security. The Data Processor shall design and implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.
- Physical and environmental security. The Data Processor shall implement stringent infrastructure and environment access controls for Data Processor's infrastructure based on relevant regional security requirements. Sub-processor shall implement an access control matrix, based on the types of personnel and their respective access privileges, to ensure effective management and control of access and operations by personnel.
- Incident management. The Data Processor shall operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.
LIST OF APPROVED SUB-PROCESSORS
Subcontractors | Services provided |
---|---|
Tencent Technology (Shanghai) Company Limited | Data processing |
Tencent Japan GK | Data center services and infrastructure |
Aceville Pte Limited | Data center services and infrastructure |
Tencent Cloud LLC | Data center services and infrastructure |
Harvest Sharp Limited | Payment services |