Alibaba Supplier Code of Conduct on International Personal Data Protection

                                                                                                                                                             

Effective as of February 19, 2022

Introduction

 

Alibaba is committed to the highest standards of protection of personal data of our users, customers, business partners, employees and other individuals whose personal data is Processed by Alibaba. Alibaba expects all our Suppliers engaged in providing products and services to Alibaba and our users and customers to have, or to make, a similar commitment. This Supplier Code of Conduct on International Personal Data Protection (the "Code") describes Alibaba’s expectations of how our Suppliers shall fulfill their obligations under laws other than those of Mainland China to protect personal data during their cooperation with Alibaba.

 

Alibaba expects Suppliers and their directors, officers, employees, agents, representatives, and affiliates to comply with the requirements set forth in this Code. This Code is not intended to be an exhaustive list of all personal data compliance conduct requirements that Suppliers must follow.

 

The Suppliers must have controls, tools, and processes in place that (a) ensure compliance with applicable laws, regulations (which only refer to laws and regulations other than those of Mainland China for the purpose of this Code), and the requirements set forth herein; (b) facilitate prompt discovery, investigation, disclosure, and remediation for violations of law, regulations, and the expectations set forth herein; and (c) train their directors, officers, employees, agents, representatives, and affiliates with respect to applicable laws, regulations, and the expectations set forth herein.

 

As a corporate group with social responsibility, Alibaba is willing to work with Suppliers to implement Personal Data compliance requirements under Applicable Privacy Laws. When assessing the Suppliers’ compliance with this Code, Alibaba will adopt appropriate and proportional evaluation criteria for SME Suppliers with sufficient consideration of their business scale and compliance capability, so as to avoid unnecessary compliance burden for such Suppliers. Where Suppliers lack awareness and understanding of Applicable Privacy Laws, Alibaba is willing to provide compliance training, guidelines, tools and other necessary assistance for Suppliers to gain a better understanding of and implement relevant Personal Data protection requirements.

 

This Code is only applicable to Suppliers’ Personal Data Processing activities that are subject to laws other than those of Mainland China. The expectations set forth in this Code are not intended to conflict with the terms and conditions of the Supplier’s contracts with Alibaba. If a contract requirement is more restrictive than this Code, the Supplier must comply with the more restrictive contract requirement.

 

 

 

Overview

 

This Code reflects Alibaba’s values and sets forth what Alibaba expects of our Suppliers with respect to the following topics:

1.       Definition:

 

1.1    “Alibaba” shall mean Alibaba Group Holding Limited and its consolidated subsidiaries, including variable interest entities that are consolidated pursuant to United States generally accepted accounting principles.

 

1.2    “Personal Data” shall mean any information that relates to an identified or identifiable individual. Different pieces of information, the combination of which can lead to the identification of a particular person, also constitute Personal Data. In particular, Personal Data hereunder refers to all data that is Processed by the Supplier for the purpose of providing service to or doing business with Alibaba upon mutual consent of the parties while such data is defined as personal data, personal information, privacy or any information of similar nature as provided by Applicable Privacy Laws.

 

1.3    “Applicable Privacy Laws” shall mean any and all national, international, federal, state, regional and other privacy and data protection laws, except for those of Mainland China, that apply to the Processing of Personal Data.

 

1.4    “Data Subject” shall mean an identified or identifiable individual.

 

1.5    “Processing/Process” shall mean any operation or set of operations which is performed on the Personal Data, including but not limited to access, collection, retention, usage, disclosure, transmission, destruction and deletion.

 

2.       Supplier Obligation of Personal Data Protection

 

2.1    Compliance with Law

 

Alibaba requires the Supplier to protect Personal Data in compliance with all Applicable Privacy Laws worldwide. Personal Data provided by Alibaba or by any party acting on behalf of Alibaba should only be Processed as permitted by relevant clauses under the Supplier agreement, membership agreement, user agreement, data Processing/protection/transferring/sharing agreement executed by and between Alibaba and the Supplier, privacy policy or any other documents as formulated by Alibaba for the purpose of Personal Data protection.

 

The Supplier shall comply with the provisions of Applicable Privacy Laws by only Processing relevant Personal Data for the business purposes as agreed with Alibaba and implementing all appropriate technical and organizational measures to protect such Personal Data.

 

2.2    Cooperation in Data Compliance Due Diligence

 

The Supplier shall cooperate with Alibaba in the Data Compliance Due Diligence procedure, so that Alibaba can assess the data compliance status of the Supplier, and formulate follow-up management measures based on the assessment results. Such Data Compliance Due Diligence should be completed before the Supplier settles in.

 

Data compliance information that should be provided by the Supplier in the above-mentioned assessment includes but is not limited to: full name of the Supplier, categories of Personal Data Processed and the Data Subjects concerned, method and purpose of data Processing, whether cross-border transmission is involved, and security incident records (if any).

 

2.3    Assisting in Responding to Requests from Data Subjects

 

The Supplier shall, in accordance with requirements of Applicable Privacy Laws, assist Alibaba in responding to Data Subjects’ requests for exercising the Data Subjects’ rights with appropriate technical and organizational measures.

 

2.4    Management of Subcontractors

 

The Supplier shall properly maintain an information list reflecting its subcontracting of any Personal Data Processing. The list should document all basic information of the aforesaid subcontractors and any entrusted Personal Data Processing activities as carried out thereby. The Supplier shall keep Alibaba updated on such list in a timely manner when changes occur.

 

Any subcontracting of Supplier’s Personal Data Processing in part or in whole to the subcontractors mentioned above shall be subject to prior written permission of Alibaba.

 

The Supplier shall have the following parties comply with the obligations regarding Personal Data protection and be fully responsible for any problems caused thereby:

a) the Supplier’s personnel;

b) any authorized person to represent the Supplier in Personal Data Processing; and

c) any subcontractor entrusted by the Supplier to Process Personal Data.

 

2.5    Alert on Security Incident

 

If a Supplier becomes aware of any incident that impacts or may impact the cybersecurity or the security of Personal Data of Alibaba, the Supplier must promptly contact Alibaba via the contact information set forth under Section 3 below, provide relevant necessary information to Alibaba and take actions to mitigate potential risks as soon as possible. The Supplier shall also assist Alibaba, to the extent reasonable and practicable, in handling any further investigation launched by Alibaba, regulatory bodies or any other affected third parties.

 

2.6    Cooperation in Personal Data Compliance Audit

 

The Supplier shall assist Alibaba in Personal Data related compliance audits to the extent reasonable and practicable, if such audits are mandated by Applicable Privacy Laws or requested by the regulatory bodies or Alibaba’s business partners.

 

Alibaba also reserves the right to assess the Supplier’s compliance with the provisions of Applicable Privacy Laws and the expectations set forth in this Code by conducting reasonable on-site audits at the Supplier’s facilities or reviewing related documentation and records.

 

2.7    Appropriate Personal Data Retention and Disposal


The Supplier shall establish a data retention mechanism based on Applicable Privacy Laws, and define the importance of collected Personal Data, as well as corresponding secure retention measures, retention period, deletion or anonymization requirements and implementation method. Personal Data obtained by the Supplier during service provision to Alibaba, its customers and users should be deleted or anonymized in accordance with Personal Data protection related clauses under any mutual agreements or the instructions as issued by Alibaba to the Supplier from time to time, provided that such clauses and instructions do not violate mandatory laws and regulations.

 

3.       Contact Information

 

PrivacyOperation@service.alibaba.com

Each Supplier is responsible for understanding and complying with this Code. If any Supplier has concerns or questions regarding any matters discussed herein or other Personal Data compliance issues, please contact Alibaba by sending an email to PrivacyOperation@service.alibaba.com.