WeCom

 

Data Processing Agreement

This data processing agreement is between Tencent International Service Pte. Ltd., an entity incorporated in Singapore and Tencent International Service Europe B.V., an entity incorporated in the Netherlands, as the processors (together, the “Tencent Processors”), and the user that has entered into the End User Service Agreement located [here] (“EUSA”) who is located in the European Economic Area or the United Kingdom as the controller (the “User”) and incorporates the terms and conditions set out in the Schedules attached hereto (the “Agreement”).

Each User has appointed the Tencent Processors to provide videoconferencing and associated services to the User. As a result of its providing such services to the User in accordance with the EUSA, the Tencent Processors will store and process certain personal information of the User, in each case as described in further detail in Schedule 2 (Processing Details).

The Agreement is being put in place to ensure that the Tencent Processors process personal data under each User’s control on the User’s instructions and in compliance with applicable data privacy laws.

The Parties to this Agreement hereby agree to be bound by the terms and conditions in the attached Schedules as applicable with effect from the date the User is deemed to have agreed to the terms of the EUSA (in accordance with the terms of such agreement) (the “Effective Date”).

This Agreement may be executed in any number of counterparts, each of which is an original and all of which evidence the same agreement between the parties.

Please note that this Data Processing Agreement only applies to Personal Data for which the Tencent Processors are the processors as described in the Privacy Policy located [here]. For Personal Data processed where the Tencent Processors are the controllers, please review the relevant parts of the Privacy Policy.

Schedule 1
STANDARD TERMS FOR PROCESSING


BACKGROUND:

(a)            Each User wishes to appoint the Tencent Processors to Process Personal Data, as further described in Schedule 2 (Processing Details).

(b)            This Agreement is being put in place to ensure that the Tencent Processors process each User’s Personal Data on User’s instructions and in compliance with the Applicable Data Protection Laws (as defined below).

1.              Definitions

1.1           For the purposes of this Agreement, the following expressions bear the following meanings unless the context otherwise requires:

“Applicable Data Protection Laws” means any law, regulation or other binding instrument (i) relating to the processing of Personal Data pursuant to this Agreement, including the GDPR, the e-Privacy Directive 2002/58/EC and the e-Privacy Regulation 2017/0003 (once it takes effect), and (ii) which implements the e-Privacy Directive, the GDPR or the e-Privacy Regulation (once it takes effect) (in each case as amended, consolidated, re-enacted or replaced from time to time);

“Data Subject” means the living individuals who are the subject of the Personal Data;

“GDPR” means, as applicable, the General Data Protection Regulation 2016/679 and the GDPR as amended and incorporated into UK law by the Data Protection Act 2018 and under the UK European Union (Withdrawal Act) 2018, to the extent in force;

“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in Third Countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016 and as amended, updated or replaced from time to time;

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Process”, “Processed” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Regulator” means the data protection supervisory authority which has jurisdiction over a User’s Processing of Personal Data; and

“Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”) or United Kingdom, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this Agreement include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.

2.              Conditions of Processing

2.1           This Agreement governs the terms under which the Tencent Processors are required to Process Personal Data on behalf of the User(s).

3.              Tencent Processors’ Obligations

3.1           To the extent the Tencent Processors Process Personal Data on behalf of the User, they shall:

3.1.1       Process the Personal Data only on documented instructions from the User, including with regard to transfers of Personal Data to Third Countries or an international organisation, unless required to Process such Personal Data by applicable law to which the Tencent Processors are subject; and in such a case, the Tencent Processors shall inform the User of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

3.1.2       ensure that its personnel authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.1.3       implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk as set out in Schedule 3 to this Agreement;

3.1.4       taking into account the nature of the Processing, assist the User by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the User’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Applicable Data Protection Laws;

3.1.5       promptly notify the User (including further information about the breach provided in phases promptly as more details become available) in writing upon becoming aware of any improper, unauthorized, or unlawful access to, use of, or disclosure of, or any other event which affects the availability, integrity or confidentiality of Personal Data which is Processed by the Tencent Processors under or in connection with this Agreement.

3.1.6       assist the User in ensuring compliance with the obligations to (i) implement appropriate technical and organisational security measures; (ii) notify (if required) Personal Data breaches to Regulators and/or individuals; and (iii) conduct data protection impact assessments and, if required, prior consultation with Regulators;

3.1.7       ensure that all Personal Data Processed on behalf of the User will be stored and processed for the duration of the meeting only and solely to facilitate the User’s communications during the meeting, following which the Tencent Processors will delete the Personal Data;

3.1.8       make available to the User all information necessary to demonstrate compliance with the obligations laid down in this clause 3, and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User. 

3.1.9       In the event that the information provided in accordance with Clause 3.1.8 above is insufficient to reasonably demonstrate compliance, the Tencent Processors shall permit an industry standard audit to be conducted by an independent third party auditor chosen by the User on reasonable notice to audit the Tencent Processors’ compliance with its obligations under this Agreement. Such audits shall (i) be at the User’s cost; (ii) be conducted between 9am-5pm on business days (excluding, for the avoidance of doubt, weekends and public holidays); (iii) not be conducted by any competitor of the Tencent Processors; (iv) not interfere with the Tencent Processors’ day-to-day business; and (v) shall, to the extent an inspection is required, be limited to an inspection of the Tencent Processors’ Processing facilities in order to review compliance with this Agreement.

3.2           Where the Tencent Processors process, access, and/or store Personal Data in any Third Country, the Tencent Processors shall comply with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of this Agreement (with the processing details set out in Schedule 2 (Processing Details) and the technical and organisational security measures set out in Schedule 3 (Technical and Organisation Security Measures) applying for the purposes of Appendix 1 and Appendix 2, respectively) (the “Clauses”), and the User(s) will comply with the Data Exporter’s obligations in such Clauses.

4.              User’s Obligations

4.1           The User agrees that the documented instructions described in 3.1.1 are as set out in this Agreement, the EUSA and in the Privacy Policy where the Personal Data Processed by the Tencent Processors on behalf of the User is described.

4.2           Each User warrants that: (i) the legislation applicable to it does not prevent the Tencent Processors from fulfilling the instructions received from the User(s) and performing the Tencent Processors’ obligations under this Agreement; and (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to enable the Processing of the Personal Data by the Tencent Processors as set out in this Agreement and as envisaged by any services agreement in place between the parties.

4.3           Each User agrees that it will indemnify and hold harmless the Tencent Processors on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by the Tencent Processors arising directly or indirectly from a breach of this Clause 4.

5.              Subcontracting

5.1           The User hereby grants the Tencent Processors general written authorisation to engage the sub-processors listed by the Tencent Processors in the Privacy Policy from time to time subject to the requirements of this Clause 5. If the User does not agree to a sub-processor, the Tencent Processors may terminate the Agreement with immediate effect on written notice to the User.

5.2           In the event that the Tencent Processors engage a sub-processor for carrying out specific Processing activities on behalf of the User, where that sub-processor fails to fulfil its obligations, the Tencent Processors shall remain fully liable under the Applicable Data Protection Laws to the User for the performance of that sub-processor’s obligations.

6.              Law and Jurisdiction

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of Singapore and shall be deemed to have been made in Singapore, and each party hereby submits to the jurisdictions of the courts of Singapore.


Schedule 2
Processing Details

 

Processing Operations

The Processing activities shall consist of:

Processing for the purposes of performing the services described in the EUSA.

The Personal Data Processed by the Tencent Processors will be subject to the following basic Processing activities:

Processing as described in the Privacy Policy in the section describing the Processing of Personal Data by the Tencent Processors on the User’s behalf.

Data Subjects

The Personal Data Processed by the Tencent Processors concern the following categories of Data Subjects:

Users of the WeCom platform and any individuals the subject of the data.

Categories of Data

The Personal Data Processed by the Tencent Processors includes the following categories of data:

Personal Data transmitted by the users of the WeCom platform (for example, by setting up a Company User or Individual User account, by video or audio transmission, or by sharing information on WeCom). These include:

·       Workspace documents and files;

·       Meetings data;

·       Approval records data;

·       External contacts data;

·       Audio and video data;

·       Live broadcast data;

·       Client function communication data;

·       Chat contents;

·       Backend Management Statistics for Company User data;

·       Company forum data; and

·       Calendar data.

Special Categories of Data (if appropriate)

The Personal Data Processed by the Tencent Processors concern the following special categories of data:

Any special category of data that is contained in the Personal Data.


Schedule 3
Technical and Organisation Security Measures

 

1.              Data security. Implement: 

(a)            standards for data categorisation and classification;

(b)            a set of authentication and access control capabilities at the physical, network, system and application levels; and

(c)            a mechanism for detecting big data-based abnormal behaviour.

2.              Network security. Implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.

3.              Physical and environmental security. Stringent infrastructure and environment access controls for data access based on relevant regional security requirements.  An access control matrix to be established, based on the types of personnel and their respective access privileges, to ensure effective management and control of access and operations personnel.

4.              Incident management. Operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.

5.              Compliance with standards. Compliance with the following standards:

(a)            Information security management system – ISO 27001:2013.

(b)            IT service management – ISO/IEC 20000-1:2011.

(c)            Quality management system – ISO/IEC 9001:2015.

(d)            IT Service Management System – ISO/IEC 27018:2014.

(e)            CSA Security, Trust & Assurance Registry (STAR).