全部产品
Search
文档中心

:Data Processing Addendum

更新时间:Nov 20, 2023

1. Scope and application

This Addendum will apply, if required by Data Protection Legislation (as defined below) and only to the extent that, in providing any Alibaba Cloud Services to You, Alibaba Cloud processes as a processor personal data contained in or generated in relation to Your Member Content (the “Data”).

This Addendum forms part of Alibaba Cloud International Website Membership Agreement or other equivalent agreement between You and Alibaba Cloud in relation to Your use of Alibaba Cloud Services (the “Agreement”), and capitalised terms not defined herein will have the meaning given in the Agreement. In the event and to the extent of a conflict between the other terms of the Agreement including its Addenda or any other agreements between You and Alibaba Cloud regarding the Data and this Addendum, this Addendum will prevail.

2. Definitions

In this Addendum:

“controller”, “data subject”, “process”, “processor” and “supervisory authority” each has the meaning given in GDPR, or the equivalent term under applicable Data Protection Legislation.

“Data Protection Legislation” means, as applicable: all laws and regulations applicable to and binding on the processing of Data by You and/or Alibaba Cloud, including but not limited to (i) GDPR, (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”), and in each case, any related national laws, legislation, rules or regulations, related to privacy and data protection (including legislation made under or in relation to (i), (ii)). For clarity, a reference to Data Protection Legislation, includes a reference to Data Protection Legislation as amended, modified, extended, re-enacted, consolidated or replaced from time to time.

“GDPR” means Regulation (EU) 2016/679.

“personal data” means personal data, personal information, personally identifiable information or other equivalent term (each as defined in Data Protection Legislation).

“Restricted Transfer” means (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country, territory or organisation outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country, territory or organisation which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

“Standard Contractual Clauses” means (i) where the Data is protected by the GDPR, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914/EU of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) and (ii) where the Data is protected by the UK GDPR, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).A copy of the Standard Contractual Clauses can be obtained at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc,or by contacting us at intlcompliance@service.aliyun.com.

3. Description of processing

For the purposes of this Addendum, You (the controller or processor) appoint Alibaba Cloud as Your processor to process the Data, for the duration of the Agreement, solely for the purpose of providing the Alibaba Cloud Services to You (the “Permitted Purpose”).

4. Data processing

In processing the Data under the Agreement, Alibaba Cloud shall, to the extent such Data is in Alibaba Cloud’s possession or under its control:

(a) only process the Data on Your documented instructions unless required otherwise by applicable law;

(b) ensure that all personnel authorised by Alibaba Cloud to process the Data are subject to suitable confidentiality obligations;

(c) implement and maintain appropriate technical and organisational measures (including access control), or otherwise making reasonable security arrangements, as described at https://www.alibabacloud.com/trust-center, designed to: (i) protect the Data processed by Alibaba Cloud against unauthorized or accidental access, processing, erasure, loss or use of the Data arising from a breach of Alibaba Cloud’s security (a “Security Incident”); Alibaba Cloud may change those measures from time to time, but not so as to reduce the level of protection for Data below the mandatory minimum required under Data Protection Legislation (as applicable). In the event of a confirmed Security Incident, to the extent required under Data Protection Legislation: (1) Alibaba Cloud shall notify You without undue delay and shall provide reasonable information and cooperation to You so that You can fulfil any data breach reporting obligations You may have under (and in accordance with the timelines required by) applicable Data Protection Legislation; and (2) Alibaba Cloud shall further take any reasonably necessary measures and reasonably necessary actions to remedy or mitigate the effects of the Security Incident, and shall keep You informed of all material developments in connection with the Security Incident. Security Incident shall be deemed to include a “personal data breach” or equivalent terms defined under the applicable Data Protection Legislation;

(d) hereby be granted Your general authorisation to engage third party subcontractors to process the Data for the Permitted Purpose, provided that Alibaba Cloud (i) (subject to your compliance with Clause 5 below) shall remain fully liable for any of its subcontractors; (ii) shall maintain an up-to-date list of such subcontractors here(accessible when You login to Your Alibaba Cloud account), which it shall update with details of any change in such subcontractors at least 10 working days before any such change; and (iii) shall impose data protection terms on any subcontractor it appoints to process any Data, that require it to protect such Data to at least the standard required by applicable Data Protection Legislation, or the provisions of this Addendum, whichever is more protective. You may object to Alibaba Cloud’s appointment or replacement of such a subcontractor before its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Alibaba Cloud will either not appoint or replace the relevant subcontractor or, if this is not possible, You may terminate the relevant Service and this Addendum to the extent it applies to that Service, but without prejudice to any fees or costs incurred by You for that Service before that termination and without prejudice to the Agreement, any other Services provided to You, and any fees or costs in relation to those other Services;

(e) assist You to respond to data subjects’ requests to exercise their rights regarding any Data under applicable Data Protection Legislation by providing You with technical measures to enable You, to the extent consistent with the functionality of the Alibaba Cloud Services and Alibaba Cloud’s role as a processor, to access, rectify, erase, restrict or export Data directly (and You agree that, taking into account the nature of the processing, this paragraph reflects the extent to which it is possible for Alibaba Cloud to provide You with such assistance). If a data subject, supervisory authority or any other party directly approaches Alibaba Cloud with any request, query or complaint regarding any Data, Alibaba Cloud shall, promptly notify You accordingly or notify that person that they should approach You instead;

(f) if Alibaba Cloud believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, promptly inform You and provide reasonable cooperation to You (at Your expense) in connection with any data protection impact assessment and/or prior consultation that You may be required under applicable Data Protection Legislation to undertake for Your use of Alibaba Cloud Services;

(g) at Your choice, delete or return all Data in Alibaba Cloud’s possession or control following the termination of the Agreement. This requirement shall not apply to the extent that Alibaba Cloud is required or permitted by applicable law to retain some or all of the Data, or Data archived on back-up systems, in which event Alibaba Cloud shall securely isolate and protect such Data from any further processing except: (i) to the extent required by such law until deletion is possible; or (ii) where such Data ceases to contain personal data; and

(h) use independent qualified third party security professionals and auditors, at Alibaba Cloud’s selection and expense, to (at appropriate regular intervals) verify the adequacy of its security measures, including the security of the data centers from which Alibaba Cloud provides the Alibaba Cloud Services, and generating audit reports and certifications thereof (“Report and Certification”). You agree and acknowledge that Alibaba Cloud is regularly audited against many industry-recognised standards by independent third-party auditors as described at https://www.alibabacloud.com/trust-center. Upon Your written request (to the extent such right is specifically provided under Data Protection Legislation), and subject to Your execution of a non-disclosure agreement covering the Report and Certification (and verification that You are not a competitor of Alibaba Cloud), Alibaba Cloud will make available to You a summary copy of the Report and Certification demonstrating Alibaba Cloud’s compliance with the obligations set forth in this Addendum.

(i) abstain from implementing policies or taking actions that may diminish the protection of Data in a manner inconsistent with Data Protection Legislation.

If You were granted an audit right such as by Standard Contractual Clauses, or by applicable Data Protection Legislation, then You agree to exercise Your audit right by instructing Alibaba Cloud to execute the audit as described in this clause. If You desire to change this instruction, then You have the right to do so by requesting in writing, or as set forth in the Standard Contractual Clauses which change shall also be requested in writing (for clarity, nothing in the foregoing shall require Alibaba Cloud to make available any data, material or information of any of Alibaba Cloud’s other customers).

For the avoidance of doubt, nothing herein obliges Alibaba Cloud to disclose any information that is subject to any right, privilege or immunity conferred, or obligation (including without limitation in connection with Alibaba Cloud’s performance of any contractual obligation) or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information.

5. Your responsibilities

You agree:

(a) to comply with your obligations under all applicable Data Protection Legislation in relation to Your: (i) use of Alibaba Cloud Services for processing of any personal data comprised within the Data; and (ii) appointment of us as Your processor to process the Data as contemplated under this Addendum;

(b) that this Addendum, the Agreement, Your other applicable agreements with Alibaba Cloud and Your configuration and use of the Alibaba Cloud Services will together comprise Your complete and final documented instructions to Alibaba Cloud on the processing of Data; and

(c) that You shall not give Alibaba Cloud as Your processor any instructions, nor shall You use the Alibaba Cloud Services in any way, that in any such case could infringe any Applicable Data Protection Legislation or could cause Alibaba Cloud or any of its affiliates to infringe any Applicable Data Protection Legislation. Without prejudice to the generality of the foregoing, you agree and acknowledge that where You disclose personal data to Alibaba Cloud, you shall have: (i) obtained or procured all necessary consents where required under applicable law from the relevant data subject(s) for the disclosure of such data subject(s)’s personal data to Alibaba Cloud for Alibaba Cloud's collection, use and/or disclosure for the Permitted Purpose (without prejudice to any other lawful basis for such handling of personal data by Alibaba Cloud), and that such consents have not been withdrawn; or (ii) to the extent consent is not required under applicable law, you have secured all necessary legal bases under Data Protection Legislation for disclosing personal data to Alibaba Cloud for Alibaba Cloud’s handling of the personal data for the Permitted Purpose as contemplated under this Addendum.

(d) that You shall be responsible for the correctness of the Data and ensuring that it is kept up-to-date and shall handle any requests or complaints raised by data subjects.

6. International transfers

6.1 You decide where to store Data (“Selected Region”). If the processing of Data involves a transfer outside Selected Region, Alibaba Cloud will take such measures as are necessary as a processor to ensure the transfer is in compliance with applicable Data Protection Legislation.

6.2 To the extent that the transfer of Data from You to Alibaba Cloud constitutes a Restricted Transfer, You agree that the Standard Contractual Clauses will be deemed entered into (and incorporated by reference into this Addendum) between You (as data exporter) and Alibaba Cloud (as data importer) as follows:

6.2.1 In relation to Data that is protected by the GDPR, the EU SCCs will apply completed as follows:

(a) If and to the extent You are a controller of such Data Module Two will apply, and if and to the extent You are a processor of such Data Module Three will apply, in each case as follows:

(i) in Clause 7, the optional docking clause will apply (provided that any new party to the EU SCCs shall be subject to Alibaba Cloud's prior written agreement);

(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of subcontractor changes shall be as set out in Clause 4(d) of this Addendum.

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17, Option 1 will apply and the EU SCCs will be governed by Dutch law;

(v) in Clause 18(b) disputes shall be resolved before the courts of the Netherlands;

(vi) Annex I of the EU SCCs shall be deemed completed with the information set out in this Addendum and/or in the Appendix 1 to this Addendum, and the competent supervisory authority under Part C of Annex I shall be determined in accordance with Clause 13 of the EU SCCs;

(vii) Annex II of the EU SCCs shall be deemed completed with the information set out in the document linked to in Clause 4(c) of this Addendum;

(b) The following clarifications shall apply to the EU SCCs:

(i) You may exercise Your right of audit under the EU SCCs as set out in and subject to the requirements, of Clause 4(h) of this Addendum;

(ii) Alibaba Cloud may appoint subcontractors as set out in and subject to the requirements of Clause 4(d) of this Addendum and You may exercise Your right to reject to subcontractors under the EU SCCs in the manner set out in Clause 4(d) of this Addendum;

(iii) Clause 4(g) shall apply in relation to the deletion or return of transferred Data on any termination of the Agreement;

(iv) For the avoidance of doubt, in light of the nature of the Alibaba Cloud Services You are solely responsible for the accuracy of the Data and the legality of its collection by You, and Alibaba Cloud is not obliged to check any transferred Data for accuracy;

(c) You will pay Alibaba Cloud fees at its then standard professional services rates and also reimburse Alibaba Cloud for its reasonable costs reasonably incurred in dealing with any inquiries from You relating to any transferred Data and/or for providing You with any assistance requested by You under the EU SCCs, including without limitation for notifying or otherwise assisting You with data subject requests or responses to data subjects, and cooperation with You to erase or rectify any transferred Data.

6.2.2 In relation to Data protected by the UK GDPR, the UK Addendum will apply completed as follows:

(a) the EU SCCs, completed as set above in clause 6.2.1 shall apply and shall be modified by the UK Addendum (completed as set out in sub-clause (b) below): and

(b) Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out above, and the options “Exporter” and “Importer” shall be deemed checked in table 4. The start date of the UK Addendum (as set out in table 1) shall be the date of this Addendum.

6.2.3. In relation to Data that is subject to jurisdictions outside the scope of the GDPR and UK GDPR, to the extent that such jurisdiction permits the use of EU SCCs (subject to modifications to align with respective Data Protection Law) then the provisions under the EU SCCs shall apply with necessary modifications to align with the respective Data Protection Legislation of the relevant jurisdiction.

6.3 With respect to onward transfers with subcontractors, Alibaba Cloud shall only participate in such onward transfer (including a Restricted Transfer) of Data where the onward transfer is made in full compliance with Data Protection Legislation.

6.4 In the event that any provision of this Addendum contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

6.5 Save as specifically provided under this Addendum, you agree and acknowledge that you are solely responsible to comply with Data Protection Legislation in respect of: (a) your transfer of Data from one jurisdiction to another; and/or (b) your instructions to Alibaba Cloud (as Your processor) to transfer Data from one jurisdiction to another. Without prejudice to the generality of the foregoing, you agree and acknowledge that you shall not instruct us nor cause us to transfer any personal data to any country or territory except in accordance with the requirements prescribed under Data Protection Legislation for such transfer, including without limitation in connection with Your obligation, as may be required under Data Protection Legislation, to ensure a standard of protection to Data so transferred that is comparable to the protection under Data Protection Legislation.

7. Miscellaneous

(a) For clarity, the total aggregate liability of Alibaba Cloud and all its affiliates, employees, agents, affiliates, representatives or anyone acting on its behalf together, arising from or in connection with the Agreement and/or this Addendum and/or the Standard Contractual Clauses or any matter arising therefrom shall not exceed the maximum liability of Alibaba Cloud as limited by the paragraph following Clause 11.5 of the Membership Agreement.

(b) Alibaba Cloud may modify the terms of this Addendum, for example to comply with Data Protection Legislation or to implement any standard contractual clauses adopted by the Information Commissioner's Office, or the European Commission, or a supervisory authority or other competent supervisory authorities under Data Protection Legislation, but it will not do so in a way that would reduce the protections required to be afforded to You below the mandatory minimum required under Data Protection Legislation (as applicable). If Alibaba Cloud modifies the terms of this Addendum, the Addendum will be an amended and restated version on the Alibaba Cloud Platform, and Alibaba Cloud will provide at least 15 days prior written notice of any material amendments to the Addendum to You (which may be posted on the Alibaba Cloud Platform or displayed in Your Alibaba Cloud account). By continuing to use the relevant products or services after the receipt of written notification of such changes by Alibaba Cloud, You agree to be bound by the amended and restated Addendum.

Appendix 1

A. LIST OF PARTIES

Data exporter(s):

1.

Name:

The entity identified as “Customer” in the Membership Agreement.

Address:

The address for Customer associated with its Alibaba Cloud account or as otherwise specified in this Data Processing Addendum or the Membership Agreement.

Contact person’s name, position and contact details:

The contact details associated with Customer’s account, or as otherwise specified in this Data Processing Addendum or the Membership Agreement.

Activities relevant to the data transferred under these Clauses:

The activities specified in Sections 3 and 4 of this Data Processing Addendum.

Signature and date:

Please see signature and date to the Membership Agreement.

Role (controller/processor):

Controller or processor, as set out in this Data Processing Addendum

Data importer(s):

1.

Name:

“Alibaba Cloud” as identified in the Membership Agreement.

Address:

The address for Alibaba Cloud specified in the Membership Agreement.

Contact person’s name, position and contact details:

The contact details for Alibaba Cloud specified in the Addendum or the Membership Agreement.

Activities relevant to the data transferred under these Clauses:

The activities specified in Sections 3 and 4 of this Data Processing Addendum.

Signature and date:

Please see signature and date to the Membership Agreement.

Role (controller/processor):

Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

The data subjects may include Your customers, employees, supplier and end-users.

Categories of personal data transferred:

Capitalised terms not defined herein will have the meaning given in Your Membership Agreement with Alibaba Cloud. The personal data includes any information, content, material and data in electronic format as may be contained in or generated in relation to Member Content.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

You may upload special categories of personal data to Your Alibaba Cloud Services at Your sole choice, which could include (depending on Your choice) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and/or personal data relating to criminal convictions and offences or related security measures. Before uploading any sensitive data, You are obliged to assess and confirm that the technical and organizational measures taken by Alibaba Cloud are sufficient for the sensitive data that You choose to upload.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Data may be transferred on an occasional or continuous basis solely for the purposes of providing You with the Services and as otherwise set out in the Agreement.

Nature of the processing:

The personal data will be processed and transferred for the purposes of providing You with the Services and as otherwise set out in the Agreement.

Purpose(s) of the data transfer and further processing:

The personal data will be processed and transferred for the purposes of providing You with the Services and as otherwise set out in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Data will be processed and transferred for the duration of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The above shall apply to such transfers to sub-processors.

C. COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority: For the purposes of the EU GDPR, the competent supervisory authority shall be construed in accordance with Clause 13 of the EU SCCs; for the purposes of the UK GDPR, the competent supervisory authority shall be the UK Information Commissioner's Office.