Data Processing Agreement
This data processing agreement is between Tencent International Service Pte. Ltd., an entity incorporated in Singapore and Tencent International Service Europe B.V., an entity incorporated in the Netherlands, as the processors (together, the “Tencent Processors”), and the user that has entered into the End User Service Agreement located [here] (“EUSA”)) who is located in the European Economic Area or the United Kingdom as the controller (the “User”) and incorporates the terms and conditions set out in the Schedules attached hereto (the “Agreement”).
Each User has appointed the Tencent Processors to provide videoconferencing and associated services to the User. As a result of its providing such services to the User in accordance with the EUSA, the Tencent Processors will store and process certain personal information of the User, in each case as described in further detail in Schedule 2 (Processing Details).
The Agreement is being put in place to ensure that the Tencent Processors processes personal data under each User’s control on the User’s instructions and in compliance with applicable data privacy laws.
The Parties to this Agreement hereby agree to be bound by the terms and conditions in the attached Schedules as applicable with effect from the date the User is deemed to have agreed to the terms of the EUSA (in accordance with the terms of such agreement) (the “Effective Date”).
This Agreement may be executed in any number of counterparts, each of which is an original and all of which evidence the same agreement between the parties.
(a) Each User wishes to appoint the Tencent Processors to Process Personal Data, as further described in Schedule 2 (Processing Details).
(b) This Agreement is being put in place to ensure that the Tencent Processors process each User’s Personal Data on User’s instructions and in compliance with the Applicable Data Protection Laws (as defined below).
“Applicable Data Protection Laws” means any law, regulation or other binding instrument (i) relating to the processing of Personal Data pursuant to this Agreement, including the GDPR, the e-Privacy Directive 2002/58/EC and the e-Privacy Regulation 2017/0003 (once it takes effect), and (ii) which implements the e-Privacy Directive, the GDPR or the e-Privacy Regulation (once it takes effect) (in each case as amended, consolidated, re-enacted or replaced from time to time);
“Data Subject” means the living individuals who are the subject of the Personal Data;
“GDPR” means, as applicable, the General Data Protection Regulation 2016/679 and the GDPR as amended and incorporated into UK law by the Data Protection Act 2018 and under the UK European Union (Withdrawal Act) 2018, to the extent in force;
“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in Third Countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016 and as amended, updated or replaced from time to time;
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Process”, “Processed” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Regulator” means the data protection supervisory authority which has jurisdiction over a User’s Processing of Personal Data; and
“Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”) or United Kingdom, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of this Agreement include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of Singapore and and shall be deemed to have been made in Singapore, and each party hereby submits to the jurisdictions of the courts of Singapore.
The Processing activities shall consist of:
Processing for the purposes of performing the services described in the EUSA.
The Personal Data Processed by the Tencent Processors will be subject to the following basic Processing activities:
The Personal Data Processed by the Tencent Processors concern the following categories of Data Subjects:
Users of the WeCom platform and any individuals the subject of the data.
Categories of Data
The Personal Data Processed by the Tencent Processors includes the following categories of data:
Personal Data transmitted by the users of the WeCom platform (for example, by setting up a Company User or Individual User account, by video or audio transmission, or by sharing information on WeCom). These include:
· Workspace documents and files;
· Meetings data;
· Approval records data;
· External contacts data;
· Audio and video data;
· Live broadcast data;
· Client function communication data;
· Chat contents;
· Backend Managemnet Statistics for Company User data;
· Company forum data; and
· Calendar data.
Special Categories of Data (if appropriate)
The Personal Data Processed by the Tencent Processors concern the following special categories of data:
Any special category of data that is contained in the Personal Data.
(a) standards for data categorisation and classification;
(b) a set of authentication and access control capabilities at the physical, network, system and application levels; and
(c) a mechanism for detecting big data-based abnormal behaviour.
4. Incident management. Operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.
5. Compliance with standards. Compliance with the following standards:
(a) Information security management system – ISO 27001:2013.
(b) IT service management – ISO/IEC 20000-1:2011.
(c) Quality management system – ISO/IEC 9001:2015.
(d) IT Service Management System – ISO/IEC 27018:2014.
(e) CSA Security, Trust & Assurance Registry (STAR).
© 1998 - 2020 Tencent Inc. All Rights Reserved