Before you click "I have read and agreed to the Agreement," please read all the content of this Agreement carefully. If you have any questions, please consult the customer service of Tmall Global. By clicking "I have read and agreed to the Agreement," you indicate that you have fully understood the meanings and consequences of all the terms in this Agreement (in particular the terms agreed with you on exemption or restriction of liabilities, the governing law and jurisdiction terms, and other important terms marked in bold), and you agree to enter into this Agreement in the form of a data message with Taobao China Holding Limited (hereinafter "Party A" or the "data processor") and to be bound by this Agreement.
Tmall Global Agreement on Outbound Data Transfer
This Agreement is entered into by and between overseas merchants (hereinafter "Party B" or the "overseas recipient") and Taobao China Holding Limited (hereinafter "Party A" or the "data processor").
Party A and Party B are individually referred to as a "Party" and collectively as the "Parties."
WHEREAS,
(1) The Parties have signed the Tmall Global Merchant Service Agreement (hereinafter the "Original Agreement") by online click-through;
(2) For the purpose of fulfilling users' purchases of goods or services and completing after-sales services, Party A needs to transmit data collected within the territory of China to Party B, store it with Party B, or grant Party B permissions such as accessing or calling the data.
NOW, THEREFORE, in order to ensure that Party B's activities in processing outbound data from within the territory of China meet the data protection standards provided in relevant laws and regulations of China, and to clarify the Parties' obligations and responsibilities for data protection and data security, the Parties, after consultation and on the basis of the Original Agreement, hereby enter into the following supplemental agreement (hereinafter the "Agreement") with respect to the outbound transfer of data from within the territory of China.
Article 1 Definitions
In this Agreement, unless the context provides otherwise:
(1) "data" shall have the same meaning as in the Data Security Law of the People's Republic of China. Unless otherwise stated, the "data" in this Agreement also includes "personal information" and "sensitive personal information".
(2) "outbound data transfer" shall have the same meaning as in the Measures on Security Assessment of Outbound Data Transfer and the Guidelines for the Application for Security Assessment for Outbound Data Transfer.
(3) "personal information" and "sensitive personal information" shall have the same meaning as in the Personal Information Protection Law of the People's Republic of China.
(4) "personal information subject" means the natural person identified by or associated with the personal information.
(5) "data processor" means the individual or organization that independently determines the purposes and methods of processing in data processing activities. Unless otherwise stated, the "data processor" in this Agreement also includes the "personal information processor" defined in the Personal Information Protection Law of the People's Republic of China.
(6) "overseas recipient" means the organization or individual located outside the People's Republic of China that receives data from the data processor.
(7) "supervisory authority" means the cyberspace administration of the People's Republic of China at or above the provincial level.
(8) "relevant laws and regulations" refers to laws, regulations, and departmental rules such as the Civil Code of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and the Measures on Security Assessment of Outbound Data Transfer, as well as laws, regulations, and departmental rules that revise, amend, or supplement them, including subsequent ones that supersede them.
(9) Other terms not defined in this Agreement shall have the same meaning as in relevant laws and regulations.
Article 2 Obligations of the Data Processor
The data processor represents, warrants, and undertakes as follows:
(1) The outbound data has been collected, used, and otherwise processed in accordance with relevant laws and regulations. If the outbound data involves important data and personal information, its scope is limited to the minimum necessary for the purpose of processing.
(2) When a consumer in China purchases cross-border products through the Tmall Global platform, the data processor provides, by interface transmission and through the back end, the order information, the user's delivery information (including the delivery address, name, and mobile phone number), and a photocopy of the consignee's ID card to the overseas recipient for shipment and customs clearance. The outbound transfer of data is necessary for performing contractual obligations, and the scope of the outbound data transfer conforms to the principle of minimum necessity for realizing the relevant business functions.
(3) Where outbound transfer of personal information is involved, the data processor has informed the personal information subject and obtained the separate consent of the personal information subject in accordance with the requirements of laws and regulations, except where relevant laws and regulations provide that separate consent is not required. Where outbound transfer of sensitive personal information is involved, the data processor has informed the personal information subject of the necessity of transmitting the sensitive personal information and the impact on the individual. Where outbound transfer of personal information of minors under the age of 14 is involved, the data processor has obtained the consent of the minor's parents or other guardians. Where laws and administrative regulations stipulate that written consent is required, written consent has been obtained, except where relevant laws and regulations provide that written consent is not required.
(4) It has informed the personal information subject that, under this Agreement between it and the overseas recipient, the personal information subject is a third-party beneficiary; if the personal information subject does not explicitly refuse within thirty days, the personal information subject may enjoy the rights of a third-party beneficiary under this Agreement.
(5) It has made reasonable efforts, including encryption, anonymization, de-identification, access control, and other technical and organizational measures, to ensure the overseas recipient can perform its obligations under this Agreement.
(6) At the overseas recipient's request, it will make a copy of relevant laws and regulations and technical standards available to the overseas recipient.
(7) It will reply to the inquiries of the supervisory authority about the overseas recipient's data processing activities, unless the Parties agree that the overseas recipient shall reply to such inquiries. In that case, if the overseas recipient fails to reply to an inquiry within the specified period, the data processor will still reply within a reasonable period based on the information reasonably available to it.
(8) It has carried out a personal information protection impact assessment or an outbound data transfer risk assessment (collectively, the "assessment") in accordance with relevant laws and regulations. The assessment has considered:
1. Whether the purposes, scope, and means of data processing of the Parties are legitimate, justified, and necessary;
2. The quantity, scope, categories, and sensitivity of the outbound data, as well as the risks they may pose to personal information rights and interests and to the rights and interests of the data processor;
3. Whether the responsibilities and obligations that the overseas recipient has undertaken to bear, as well as its technical and organizational measures and capabilities to fulfill such responsibilities and obligations, can ensure the security of outbound data;
4. The risks of the data being breached, damaged, tampered with, or abused after the outbound transfer, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed;
5. The possible impact of local data protection policies and regulations, assessed according to Article 4 herein, on compliance with the terms of this Agreement;
6. Other matters that may have an impact on the security of outbound data transfers.
The assessment report shall be retained for at least three years.
(9) At the personal information subject's request, it will provide a copy of this Agreement to the personal information subject. To the extent necessary to protect business secrets or other confidential information (such as protected intellectual property), the data processor may appropriately redact relevant parts of this Agreement before providing a copy, but undertakes to provide the personal information subject with a meaningful summary to help them understand the content of the Agreement.
(10) It will bear the burden of proof to demonstrate that the obligations under this Agreement have been fulfilled.
(11) It will provide the information stated in Article 3(10), including all audit results, to the supervisory authority in accordance with the requirements of relevant laws and regulations.
Article 3 Obligations of the Overseas Recipient
The overseas recipient represents, warrants, and undertakes as follows:
(1) It will process the data pursuant to the provisions of this Agreement, unless it has obtained the prior consent of the data processor and the personal information subject.
(2) At the personal information subject's request, it will provide a copy of this Agreement to the personal information subject. To the extent necessary to protect business secrets or other confidential information (such as protected intellectual property), the overseas recipient may appropriately redact relevant parts of this Agreement before providing a copy, but undertakes to provide the personal information subject with a meaningful summary to help them understand the content of the Agreement.
(3) The scope of the outbound data is limited to the minimum necessary for the purpose of processing.
(4) It will retain the data for the shortest time necessary for the purpose of processing. Once that retention period is exceeded, it will delete or anonymize the data (including all back-ups), unless it has obtained the separate consent or authorization of the personal information subject and the data processor regarding the retention period. When the overseas recipient processes data as entrusted by the data processor, it will provide relevant audit reports to the data processor after the data has been deleted or anonymized.
(5) It will ensure the security of data processing in the following ways:
1. It will implement effective technical and organizational measures to ensure the security of the data, including protection against accidental or unlawful destruction, loss, alteration, or unauthorized provision or access (hereinafter "data breach"). To fulfill this obligation, the overseas recipient will implement the technical and organizational measures specified in Article 2(4). It will carry out regular checks to ensure that these measures continue to maintain an appropriate level of security;
2. It will ensure that persons authorized to process the data perform their confidentiality obligations, and will establish a least-privilege access control policy so that such persons can access only the minimum data necessary for their duties and have only the minimum data operation permissions required to perform those duties.
(6) In the event of a data breach, it will:
1. Take appropriate remedial measures in a timely manner to mitigate the adverse effects on the personal information subject and the data processor;
2. Perform its notification and recording obligations in accordance with Article 7 of this Agreement.
(7) It will not provide the data to a third party located outside the People's Republic of China unless all of the following requirements are satisfied:
1. There is a genuine business need to provide the data;
2. The data processor and the personal information subject (if personal information is involved) have been informed of the third party's name, contact information, processing purposes, processing methods, and categories of data, as well as the ways and procedures for individuals to exercise their rights against the overseas recipient under applicable laws;
3. The overseas recipient has been authorized by the data processor and, where personal information is involved, has also informed the personal information subject and obtained the separate consent of the personal information subject in accordance with the requirements of laws and regulations, except where relevant laws and regulations provide that separate consent is not required. Where sensitive personal information is involved, the overseas recipient has informed the personal information subject of the necessity of transmitting the sensitive personal information and the impact on the individual. Where the personal information of minors under the age of 14 is involved, the overseas recipient has obtained the consent of the minor's parents or other guardians. Where laws and administrative regulations stipulate that written consent is required, written consent has been obtained, except where relevant laws and regulations provide that written consent is not required. Where it is difficult to inform the personal information subject or to obtain the separate consent of the personal information subject, the overseas recipient will inform the data processor in a timely manner and request the data processor's assistance in informing the personal information subject or obtaining the separate consent of the personal information subject;
4. The overseas recipient has reached a written agreement with the third party to ensure that the third party's level of data protection is no lower than the data protection standards and security standards stipulated by relevant laws and regulations of the People's Republic of China, and bears joint liability for damage that the re-provision may cause to the personal information subject and the data processor;
5. A copy of the written agreement reached with the third party is provided to the data processor.
(8) Where personal information is used for automated decision-making, it will ensure the transparency of such decision-making and the fairness and impartiality of the results, and will not apply unreasonable differential treatment to individuals in terms of transaction prices and other transaction conditions. Where information push and commercial marketing to individuals are carried out through automated decision-making, it will simultaneously provide options not specific to their personal characteristics, or provide a convenient means of refusal.
(9) It undertakes to make available to the data processor all information necessary to demonstrate compliance with its obligations set out in this Agreement, and to allow the data processor to review data files and documents or to audit the processing activities covered by this Agreement. When a review or audit is decided on, the overseas recipient will facilitate the audit conducted by the data processor itself or by a third party entrusted by it, and, at the request of the data processor, provide the data processor with details of the data protection and network security certifications it holds.
(10) It will objectively document the outbound processing activities it carries out and keep the records for at least three years, and will make the relevant record files available to the supervisory authority directly or through the data processor in accordance with the requirements of relevant laws and regulations.
(11) It agrees to accept the supervision and management of the supervisory authority in the relevant procedures for supervising the implementation of this Agreement, including but not limited to replying to the inquiries of the supervisory authority, cooperating with the inspections of the supervisory authority, complying with the measures taken or decisions made by the supervisory authority, and providing written proof that necessary actions have been taken.
(12) Where there is a substantial change in the overseas recipient's actual control or business scope, or the data security protection policies and regulations or the network security environment of the country or region where it is located change, or other force majeure circumstances arise that make it difficult to ensure data security, the overseas recipient will immediately notify the data processor when the aforementioned changes occur or when the overseas recipient should have become aware of them, and will immediately take technical and organizational measures such as deletion, de-identification, anonymization, and access control to ensure the security of the outbound data and protect the legitimate rights and interests of the data processor and the personal information subject from harm.
Article 4 Impact of Local Data Protection Policies and Regulations on Compliance with This Agreement
(1) The Parties warrant that, after reasonable efforts, they are not aware of any data protection policies and regulations of the country or region where the overseas recipient is located (including any requirements to provide the data or provisions authorizing public authorities to access the data) that would prevent the overseas recipient from performing its obligations under this Agreement.
(2) The Parties declare that in providing the warranty in Article 4(1), they have taken account of the following elements:
1. The specific circumstances of the transfer, including the type, quantity, scope, and sensitivity of the data involved in the transfer, the scale and frequency of transfers, the period of data transfer and of retention by the overseas recipient, the purpose of data processing, the overseas recipient's previous experience with similar cross-border data transfers and processing, whether the overseas recipient has had data security incidents and whether such incidents were handled in a timely and effective manner, and whether the overseas recipient has received any request for data from a public authority of the country or region where it is located and how the overseas recipient responded;
2. The data protection policies and regulations of the country or region where the overseas recipient is located, including the following elements:
(1) The current data protection laws, regulations, and generally applicable standards in the country or region;
(2) Regional or global data protection organizations the country or region has joined, and the binding international commitments it has made;
(3) The mechanisms by which the country or region implements data protection, such as whether it has a supervisory and enforcement authority and relevant judicial authorities for data protection.
3. The security management system and technical safeguard capabilities of the overseas recipient.
(3) The overseas recipient warrants that, in carrying out the assessment under Article 4(2), it has made its best efforts to provide the data processor with the necessary relevant information.
(4) The Parties shall document the process and results of the assessment under Article 4(2).
(5) If the overseas recipient is unable to perform this Agreement because of a change in the data protection policies and regulations of the country or region where it is located (including a change in the law or the adoption of mandatory measures in that country or region), the overseas recipient shall notify the data processor immediately after it becomes aware of the change.
Article 5 Rights of the Personal Information Subject
The Parties undertake to grant the personal information subject, as a third-party beneficiary, the right to enforce the Parties' obligations regarding the protection of personal information in this Agreement in accordance with relevant laws and regulations.
(1) In accordance with relevant laws and regulations, the personal information subject has the right to be informed, the right to make decisions, and the right to restrict or refuse the processing of their personal information by others. The personal information subject also has the right to consult and copy their personal information, the right to request its rectification or supplementation, the right to request its deletion, and the right to request an explanation of the rules for processing their personal information.
(2) When the personal information subject requests to exercise the above-mentioned rights over personal information that has already been transferred abroad, the personal information subject may request the data processor to take appropriate measures to realize those rights, or may make a request directly to the overseas recipient. Where the data processor cannot realize the rights, it shall notify the overseas recipient and request its assistance.
(3) The overseas recipient shall, in accordance with the notice of the data processor or at the request of the personal information subject, realize the rights exercised by the personal information subject under relevant laws and regulations within a reasonable time limit.
The overseas recipient shall truthfully, accurately, and fully inform the personal information subject of the relevant information in a conspicuous manner and in clear and easy-to-understand language.
(4) Where requests from the personal information subject are excessive or unreasonable, in particular where they are repetitive, the overseas recipient may, taking into account the administrative and operational costs of granting the request, either charge a reasonable fee or refuse to act on the request.
(5) If the overseas recipient intends to refuse the request of the personal information subject, it shall inform the personal information subject of the reasons for the refusal and of the channels for lodging a complaint with the relevant supervisory authority and seeking judicial redress. If the data processor becomes liable for compensation after the personal information subject lodges a complaint with the relevant supervisory authority or seeks judicial redress on account of Article 5(4), the overseas recipient agrees to compensate the data processor in full for such losses.
Article 6 Redress for the Personal Information Subject
(1) The overseas recipient shall designate a contact person within its organization and authorize that person to reply to inquiries or complaints about outbound data processing, and shall promptly deal with any inquiries or complaints from the personal information subject. The overseas recipient shall inform the data processor of the contact person's information, and shall inform the personal information subject of that information in a simple and easy-to-understand way, through individual notice or an announcement on its website; specifically, this is the contact person and email address provided by Party B when registering on the Tmall Global website. If the above information changes, the overseas recipient shall notify the data processor at the time of the change, and notify the personal information subject individually or through an announcement on its website.
(2) The Parties agree that in case of a dispute between a personal information subject and one of the Parties as regards compliance with this Agreement, the Parties shall keep each other informed about the dispute and cooperate in resolving it in a timely fashion.
(3) Where the dispute cannot be resolved amicably and the personal information subject exercises the rights of a third-party beneficiary pursuant to Article 5(2), the overseas recipient shall accept the claim of the personal information subject to:
1. lodge a complaint with the supervisory authority;
2. bring a lawsuit before the court specified in Article 10(4).
(4) The overseas recipient agrees that disputes relating to this Agreement involving the personal information subject or the data processor shall be resolved in accordance with relevant laws and regulations of the People's Republic of China.
(5) The overseas recipient agrees that the enforcement choice made by the personal information subject will not prejudice the personal information subject's substantive or procedural rights to seek remedies in accordance with other laws and regulations.
Article 7 Emergency Response to Outbound Data-Related Risks
(1) Where outbound data is exposed to risks such as being tampered with, destroyed, breached, lost, transferred, illegally obtained, or illegally used (hereinafter each a "risk"), the overseas recipient shall immediately notify the data processor when it becomes aware or should have become aware of the risk, and shall carry out effective emergency response measures within 72 hours to prevent the data processor from facing public opinion and reputation risks and to ensure that the losses of the data processor do not continue to expand from the time the risk is discovered.
(2) The notification sent by the overseas recipient to the data processor shall contain:
(1) the reasons why the risk occurred;
(2) the categories of data breached or affected and the harm that may result;
(3) the remedial measures taken;
(4) the measures that individual users and the data processor may take to mitigate the harm;
(5) the contact details of the person or team responsible for emergency response.
(3) The overseas recipient shall notify the affected personal information subject in accordance with local laws. If the risk involves a personal information subject located in the territory of China, the overseas recipient shall notify that personal information subject in accordance with the requirements of Chinese laws and regulations, and inform them of the contact person for emergency response, the contact details, and the response period.
(4) The overseas recipient shall keep complete records of everything relating to the emergency response, including the facts of the risk, the emergency response process, and network logs, and shall provide a copy of the records to the data processor after the emergency response is completed. The overseas recipient shall keep the original records for at least three years.
第八条 协议解除
Termination of This Agreement
(一)如果境外接收方违反本协议规定的义务,则数据处理者可以暂停向境外接收方传输数据,直到违约行为被更正或协议被解除。
In the event that the overseas recipient is in breach of its obligations under this Agreement, the data processor may suspend the transfer of data to the overseas recipient until the breach is corrected or the Agreement is terminated.
(二)出现下列情形之一的,数据处理者有权无责任解除本协议,并在必要时通知监管机构:
The data processor is entitled to terminate this Agreement without incurring liability, and, if necessary, notify the supervisory authority, where:
(1)数据处理者根据第八条第(一)款的规定暂停向境外接收方传输数据的时间超过一个月;
the data processor has suspended the transfer of data to the overseas recipient pursuant to Article 8(1) for more than one month;
(2)境外接收方遵守本协议将违反其所在国家的法律规定;
the overseas recipient's compliance with this Agreement will violate the laws and regulations of the country where it is located;
(3)境外接收方严重或持续违反本协议规定的义务;
the overseas recipient is in substantial or persistent breach of its obligations under this Agreement;
(4)根据境外接收方的主管法院或监管机构作出的不能上诉的终局性决定,境外接收方违反了本协议的规定;
the overseas recipient has violated the provisions of this Agreement according to a final and unappealable decision made by the competent court or supervisory authority of the overseas recipient;
(5)境外接收方破产、解散或清算:无论是以个人或组织名义提出的有关境外接收方依法解散的请求未在法定期限内被驳回;境外接收方作出解散决定;境外接收方被指定破产管理人;境外接收方自行开展破产、解散或清算程序;境外接收方在其国家或地区出现类似情况;
the overseas recipient is bankrupt, dissolved, or liquidated: (i) a request for the legal dissolution of the overseas recipient, whether made in the name of an individual or an organization, is not rejected within the legal time limit; (ii) the overseas recipient makes a decision on dissolution; (iii) an insolvency administrator is appointed for the overseas recipient; (iv) the overseas recipient carries out bankruptcy, dissolution, or liquidation procedures on its own; (v) the overseas recipient encounters similar situations in the country or region where it is located.
在前述第(1)、(2)或(4)项的情况下,境外接收方也可以解除本协议。
The overseas recipient is also entitled to terminate this Agreement in the case of (1), (2), or (4) above.
(三)如果监管机构按照相关法律法规作出数据出境相关的决定,例如数据出境安全评估等导致本协议无法执行的,则任何一方均可解除本协议。
If the supervisory authority makes a decision relating to the outbound data in accordance with relevant laws and regulations, such as a decision on the security assessment of outbound data, which renders this Agreement unenforceable, either Party may terminate this Agreement.
(四)经双方同意解除协议,并不免除双方在数据处理过程中的数据保护义务。
The termination of this Agreement by mutual consent shall not exempt both Parties from their data protection obligations in the process of data processing.
(五)协议解除时,境外接收方应及时返还、销毁或匿名化处理其根据本协议所接收到的数据,并提供已经销毁或者匿名化处理的审计报告。
When this Agreement is terminated, the overseas recipient shall promptly return, destroy, or anonymize the data it has received under this Agreement and provide an audit report certifying that the data has been destroyed or anonymized.
第九条 违约责任
Liability for Breach of This Agreement
(一)双方应就其因违反本协议而给对方造成的任何损失向另一方承担责任。
Each Party shall be liable to the other Party for any losses it causes the other Party as a result of any breach of this Agreement.
(二)双方之间的责任限于非违约方所遭受的损失。
The liability between both Parties is limited to the losses suffered by the non-breaching Party.
(三)任何一方因违反本协议而侵害个人信息主体作为第三方受益人而享有的权利,应当对个人信息主体承担责任。
Each Party shall be liable to the personal information subject, and the personal information subject shall be entitled to receive compensation, for any damages that the Party causes the personal information subject by breaching the third-party beneficiary rights under this Agreement.
(四)数据处理者和境外接收方对因共同违反本协议而对个人信息主体造成损害的,数据处理者和境外接收方应对个人信息主体承担连带责任。
Where the data processor and the overseas recipient are responsible for any damage caused to the personal information subject as a result of a joint breach of this Agreement, the data processor and the overseas recipient shall be jointly and severally liable to the personal information subject.
(五)双方同意,如果一方(“赔偿方”)因另一方(“被追偿方”)对违反本协议的行为对个人信息主体承担连带责任且赔偿方承担的连带责任超过其应承担的责任份额,则赔偿方有权向被追偿方追偿。
The Parties agree that if one Party (hereinafter the "Indemnifying Party") is held jointly and severally liable to the personal information subject for the breach of this Agreement by the other Party (hereinafter the "Indemnified Party") and the joint and several liability of the Indemnifying Party exceeds its proportionate share of liability, the Indemnifying Party shall be entitled to claim back from the Indemnified Party that part of the compensation.
(六)双方同意,若数据处理者因境外接收方违反本协议或境外接收方拒绝个人信息主体的权利请求给个人信息主体造成的损害先行向个人信息主体承担赔偿责任,其有权向境外接收方追偿。
The Parties agree that if the data processor is liable to indemnify the personal information subject for damages caused by the overseas recipient's breach of this Agreement or by the overseas recipient's refusal of a rights request from the personal information subject, it shall be entitled to recover the compensation from the overseas recipient.
(七)境外接收方违反本协议第三条、第五条、第六条的约定时,应在违约行为发生时立即通知数据处理者,并于72小时内采取有效补救措施避免对数据处理者造成任何形式的损失。境外接收方发送给数据处理者的通知应包括以下内容:
Where the overseas recipient violates Articles 3, 5, and 6 of this Agreement, it shall immediately notify the data processor when the breach occurs and take effective remedial measures within 72 hours to avoid any form of loss to the data processor. The notification sent by the overseas recipient to the data processor shall contain:
(1)违反数据安全保护义务的原因;
reasons for the breach of the data security protection obligations;
(2)受影响的数据类型和可能造成的危害;
categories of data affected and its likely consequences;
(3)已采取的补救措施;
remedial measures taken;
(4)用户个人和数据处理者可以采取的减轻危害的措施;
measures that the user and data processor may take to mitigate the harm;
(5)负责实施补救措施的负责人或负责团队的联系方式。
contact details of the person or team responsible for taking remedial measures.
因境外接收方怠于履行上述通知义务,或未能及时采取补救措施造成数据处理者损失扩大的,境外接收方应全额补偿数据处理者的损失。
If the overseas recipient neglects the above notification obligations or fails to take remedial measures in a timely fashion, the overseas recipient shall fully compensate the data processor for the losses arising therefrom.
第十条 其他
Miscellaneous Provisions
(一)如果本协议在达成或签订时与协议双方已存在的任何其他协议发生冲突,本协议的条款优先适用。
In the event of any conflict between this Agreement and any other agreement existing between the Parties when this Agreement is concluded or signed, the terms of this Agreement shall prevail.
(二)本协议适用于中华人民共和国相关法律法规。
This Agreement shall be governed by relevant laws and regulations of the People's Republic of China.
(三)通知:双方按照《天猫国际商户服务协议》约定的通知方式向另一方发送通知。
Notification: Each Party shall send notifications to the other Party through the notification method agreed in the Tmall Global Merchant Service Agreement.
(四)个人信息主体作为第三方受益人向数据处理者或境外接收方提起诉讼的,应当根据《中华人民共和国民事诉讼法》的规定确定管辖。
Where the personal information subject, as the third-party beneficiary, brings legal proceedings against the data processor or the overseas recipient, the jurisdiction shall be determined in accordance with the provisions of the Civil Procedure Law of the People's Republic of China.
(五)数据处理者和境外接收方对于双方因协议产生的纠纷以及任何一方因先行赔偿个人信息主体损害赔偿责任而向另一方的追偿,应由双方协商解决;协商解决不成的,任何一方可以采取以下方式加以解决:凡因本协议引起的或与本协议有关的任何争议,均应将该争议提交中国国际经济贸易仲裁委员会依据其所适用的仲裁规则在杭州进行仲裁,仲裁员人数为三(3)名,仲裁语言为中文。仲裁裁决是终局的,对双方均具有约束力。
Any dispute between the data processor and the overseas recipient arising from this Agreement, and any claim for recourse by a Party against the other Party after having first compensated the personal information subject for damages, shall be resolved through negotiation between the Parties; if the dispute cannot be resolved through negotiation, either Party can resolve the dispute in the following manner: Any dispute arising from or in connection with this Agreement shall be submitted to China International Economic and Trade Arbitration Commission (CIETAC) for arbitration in Hangzhou in accordance with its rules of arbitration. There shall be three (3) arbitrators, and the language of arbitration shall be Chinese. The arbitral award is final and binding upon both Parties.
(六)本协议应按照相关法律法规的规定进行解释,不得以与相关法律法规规定的权利、义务相抵触的方式解释本协议。
This Agreement shall be interpreted in accordance with the provisions of relevant laws and regulations and shall not be interpreted in a manner that conflicts with the rights and obligations stipulated in relevant laws and regulations.
(七)双方同意,数据处理者应当遵守中华人民共和国相关法律法规之要求开展数据出境活动。若数据处理者依法需要申报数据出境安全评估,则本协议须在数据处理者通过数据出境安全评估后生效。若数据处理者依法需要申报数据出境安全评估,则本协议的继续履行情况将受到数据出境安全评估结果的影响:若数据处理者通过数据出境安全评估,则双方按照本协议继续履行;若数据处理者未能通过数据出境安全评估,则数据处理者应当及时将评估结果告知境外接收方,且数据处理者有权根据评估结果选择以下任意一种处理方式,而无需因此向境外接收方承担任何责任:(1)与境外接收方协商中止本协议的履行,直至数据处理者符合中华人民共和国相关法律法规之要求能够开展本协议相关的数据出境活动;(2)解除本协议。
The Parties agree that the data processor shall carry out outbound data transfer activities in compliance with the requirements of the relevant laws and regulations of the People's Republic of China. If the data processor is required to declare a security assessment of the outbound data transfer in accordance with the law, this Agreement shall take effect after the data processor passes the assessment. If the data processor is required to declare a security assessment of the outbound data transfer in accordance with the law, the continued performance of this Agreement will be affected by the results of the assessment. If the data processor passes the assessment, the Parties will continue to perform in accordance with this Agreement. If the data processor fails to pass the assessment, the data processor shall promptly inform the overseas recipient about the assessment results, and the data processor has the right to choose any of the following processing methods based on the assessment results, without any liability to the overseas recipient: (1) negotiate with the overseas recipient to suspend the performance of this Agreement until the data processor meets the requirements of the relevant laws and regulations of the People's Republic of China to carry out the outbound data transfer activities related to this Agreement; (2) terminate this Agreement.
(八)语言。 本协议以中文和英文书就。中文版和英文版不一致的,则以中文版为准。
Language. This Agreement shall be written in Chinese and English. In case of inconsistency between the two language versions, the Chinese version shall prevail.
(九)本协议自境外接收方点击签署之日起生效,有效期叁年。但本协议约定的关于接收数据的处理、安全保障等相关义务,并不因协议到期而终止。
This Agreement shall take effect from the date of signature by the overseas recipient and shall be valid for three years. However, the obligations stipulated in this Agreement regarding the processing and security of received data shall not be terminated due to the expiration of the Agreement.