1. HOW WE COLLECT AND USE YOUR PERSONAL DATA
We collect and process your Personal Data for the following reasons/purposes:
● Registering a DingTalk Account
○ Create a DingTalk Account: You must provide your mobile phone number or email address and a verification code to create a DingTalk account. If you do not provide such information, you will not be able to create an account to use DingTalk Services.
○ Complete Profile Information: You may add other optional information to your user account, such as a profile picture, nickname, email address, mobile phone number, work experience, education experience, DingTalk ID, gender, birthday, and region.
● Adding Contacts
You must provide certain Personal Data to add contacts. Depending on how you choose to add a contact, DingTalk will collect different types of personal information or obtain relevant device permissions:
○ Add by entering a mobile phone number, email address, or the contact’s DingTalk ID;
○ Add by scanning a QR code, in which case you need to authorize DingTalk to access your camera and/or photo gallery;
○ Add by providing contact information from your device’s address book, in which case you need to authorize DingTalk to access your contacts.
● Using Instant Messaging Features
○ One-to-one or Group Chat: When you use one-to-one or group chat features, we will collect and process the content of the messages you send (including text, voice, files, geolocation, etc., depending on the content you send to the other party) and the user's sending logs (including sending time, sender, receiver, etc.).
○ Audio/Video Calls, Conferences, Live Streaming: When you use audio/video calls, conferences, or live streaming features, to provide the service to you, we will process the following information from you: communication logs (user nickname in the meeting, user ID, meeting start and end time, meeting subject, meeting link), and network status data (Wi-Fi network quality). If you choose to use the meeting recording feature, we will store the corresponding recording files. The recording files will be saved by the meeting host, who can choose to share them with other participants or other relevant personnel.
● Using the Calendar Feature
If you use the Calendar feature to create schedules, subscribe to schedule information, or sync the calendar on DingTalk Services to your device’s local calendar, you need to provide your schedule information to us.
You can also authorize us to access your device’s local calendar to display schedules from your local calendar within DingTalk Services. If you do not grant us such authorization, we will be unable to display schedules from your local calendar in DingTalk Services, but this will not affect your ability to use other calendar-related features.
If you create (or create on behalf of a specific organization/institution/enterprise) a DingTalk organization (the “Organization”) or join a DingTalk Organization created by others, you will become an organization user (“Organization User”). After becoming an Organization User, you will be able to use the following features we provide for Organization Users. When using these features, you understand and agree that the creator of the Organization is the data controller (the “Controller”) of the Personal Data, and we, as a data processor (the “Processor”), are entrusted by the Controller to process your Personal Data on the Controller’s behalf. In this case, we will collect and process Personal Data in accordance with the Controller’s instructions:
● Creating a DingTalk Organization
○ Create a DingTalk Organization: To create a DingTalk Organization, you need to provide the organization’s name, region, industry, employee size, and the job position information of members within the Organization.
○ Invite Members to Join the DingTalk Organization: You need to provide members' personal information to invite them to join the Organization. Depending on the method you choose to invite members, you will need to provide different types of Personal Data. If you invite members by copying a link, sharing a QR code, or an organization ID, the invitees’ Personal Data is not required. If you add members by entering their mobile phone number or email address, you will need to import the invitees’ mobile phone number or email address. The invitee will receive an SMS or email sent by us and can join the Organization after giving consent.
○ Contact List Management: If you use the Contact List Management feature to set up the organizational structure (e.g., dividing the Organization into different departments, setting different roles for each department, assigning departments, and setting roles for members who join the Organization), you need to provide us with the identity information of the relevant employees. The specific fields can be set by the Organization’s administrator (typical fields may include employee ID, name, mobile phone number, department, occupation, employee number, direct supervisor, email address, extension number, office location, notes, onboarding date, and role).
● Using DingTalk for Online Collaboration
○ Docs Feature: If you use the Docs feature, including online document services such as logs, Word, Excel, whiteboards, mind maps, and AI sheets, we will collect and process the content of the documents, as well as logs of operations such as editing, modification, and deletion.
○ Wiki: If you use the Wiki feature to consolidate documents into the same knowledge base for easy access and management, you need to provide us with the content of the documents within the knowledge base and logs of operations such as editing, modification, and deletion.
○ DingTalk Projects (“Teambition”): If you use the Teambition feature to create tasks and assign them to specific users, you need to provide us with the project content, tasks under the project, and logs of operations such as editing, modification, and deletion.
○ Mail: DingTalk provides a mail feature that allows an Organization to purchase and use email addresses with the company's domain as a suffix and assign these email addresses to employees within the Organization. If you use this feature, we will process your email address, the content of sent and received emails, and related log information.
○ CorpPedia: If you use the CorpPedia feature to allow the Organization to set internal terms and explanations, enabling members to view the meaning of terms by clicking on phrases in chats and groups, you need to provide us with the content of the CorpPedia entries.
○ DingDrive: If you use the DingDrive feature to create documents or save files received in chats and groups, we need to process and store the content you choose to save to DingDrive, as well as log information for operations such as saving and deleting files.
● Using DingTalk for Human Resource Management
○ Onboarding/Offboarding Feature: If you use DingTalk to manage employee onboarding, transfers, offboarding, etc., you need to provide us with employees’ Personal Data, including their name, occupation, and contact information. The specific fields may be set by the Organization’s administrator.
○ Attendance Feature: If you use attendance features (including geolocation attendance, face-recognition attendance, etc.), you need to provide us with certain Personal Data depending on the attendance method. If you use face-recognition attendance, you need to provide us with facial feature information. If you use geolocation attendance, you need to provide us with location information. When you click “Clock In,” we will collect your location information at that specific moment. If you stop using the “Clock In” feature, we will no longer collect your geolocation data. Please note that we do not continuously track or collect your movement or trajectory information. If you use Wi-Fi attendance, you need to provide us with Wi-Fi information.
○ OKR Feature: If you use the OKR feature to set employee performance goals and evaluate their completion, you need to provide us with the relevant employees’ OKRs and performance results.
○ Payroll Management Feature: If you use the payroll management feature to manage the determination, adjustment, and payment of employee salaries, you need to provide us with the relevant employees’ salary information.
○ Recruitment Feature: If you use the recruitment feature to manage the recruitment process, you need to provide us with candidates’ resume information.
● Using DingTalk for Business Process Management
○ OA Approval Feature: If you use the OA Approval feature to manage internal approval processes, you need to provide us with the content uploaded during the approval process.
○ YiDA Feature (“YiDA”): If you use the YiDA feature to set up personalized approval processes for the Organization, you need to provide us with the content uploaded during the approval process.
● Using DingTalk's Group Features
○ General Group: If you use the group feature to create a General Group, you need to provide us with the documents, multimedia files, conversations, and other related messaging information that you upload, enter, post, transmit, and share. The General Group you create is owned by you and does not belong to any Organization. You can add any contact as a member of the General Group, and leaving an Organization will not affect your continued use of the General Group.
○ External Group: If you use the group feature to create an External Group for external collaboration between Organization members and external partners, you understand and agree that your Organization is the controller of the Personal Data, and we process the following Personal Data on behalf of the Organization: documents, multimedia files, conversation content, and other related messaging information that you upload, enter, post, transmit, and share in the collaboration functions of the External Group. The External Group is owned by the Organization, and the creator/administrator of the External Group can add members from both inside and outside the Organization. If a group member leaves their current Organization, they will automatically be removed from the External Group.
○ Internal Group: If you use the group feature to create an Internal Group for internal communication and collaboration purposes within the Organization, you understand and agree that your Organization is the controller of the Personal Data, and we process the following Personal Data on behalf of the Organization: documents, multimedia files, conversation content, and other related messaging information that you upload, enter, post, transmit, and share in the collaboration functions of the group. The Internal Group is owned by the Organization, and the creator/administrator of the Internal Group can only add members from within the Organization. If an Internal Group member resigns from their current Organization, they will automatically be removed from the Internal Group.
● DingTalk Open Platform
○ Organization-Built Application Services: Organizations may use the data interfaces and development documents we provide to develop their own applications and use them within the Organization. The Personal Data collected and used by such self-built applications is determined by the developers according to the application's functions and features.
○ Services Provided by Third-Party SaaS Applications and Mini-Programs: Third-party independent software vendors (“ISVs”) can utilize our interfaces, specifications, etc., to develop and list third-party applications. Organizations can search for, install, and use these third-party services from the SaaS application and mini-program market. When you use such third-party services, the ISV will collect and process your Personal Data. Please be sure to read and agree to the privacy policies and other statements provided by the third party.
Cookies: DingTalk Services use cookies or similar technologies that collect information about your use of the services, such as the applications used, sites visited, and how you interact with content provided through the services. Please see the “Cookies and Similar Technologies” section for more details.
System Permissions: To ensure the functionality and the safe and stable operation of DingTalk Services, we may request or use relevant operating system permissions. Before DingTalk requests and uses any permissions, your operating system will ask you to grant them through methods such as pop-up prompts. You can decide whether to grant the relevant permissions based on your actual needs. As our products are upgraded, the types and purposes of permissions we request and use may change. We will adjust the list of permissions in line with these changes to ensure you are kept informed of the permissions we request and use in a timely manner.
Providing certain Personal Data to us may be a statutory or contractual requirement, or a requirement necessary to enter into or perform a contract. If this is the case, we will inform you of this separately and explain the possible consequences if you fail to provide such Personal Data. In other cases, the provision of requested Personal Data is optional, but refusing to provide it may affect your ability to use certain services, as this information is a necessary condition for providing the relevant features.
2. SHARING, TRANSFERRING AND DISCLOSING PERSONAL DATA
Unless we have obtained your consent, we will not share or sell your Personal Data to any third party. Depending on your location and the product features you use, we may share your Personal Data with our affiliates so that we can provide our services to you. You can obtain the identity and contact details of our affiliates with whom we share your Personal Data by contacting us using the details in the “CONTACT US” section below. We will not share, transfer, or disclose your Personal Data to any non-affiliated third parties, unless for the following reasons:
● Legal Requirements: We will share Personal Data if access, use, preservation, or disclosure of the information is required by applicable laws, regulations, legal proceedings, or law enforcement requests.
● External Third-Party Data Processing: To improve DingTalk Services or to provide you with a better experience with your consent, we may share your Personal Data with third-party service providers (in particular, website hosting, backend service providers, analytics service providers), contractors, and other third parties, and use such data in accordance with this Privacy Policy. Please note that to ensure the stable operation and functional realization of DingTalk services, we may share your Personal Data with the following third parties:
Names or the Categories of the Third Party | Shared Information | Purpose of Sharing |
Mini-program, SaaS applications (applied and used by users / business Organizations) | Subject to what the page displays for authorization (e.g., icon, nickname, phone number) | To provide and access to third-party services |
Third-party SDKs | Depends on specific SDKs | To ensure the stable operation and function realization of DingTalk Services so that users can use more services and functions |
● Business Transfers: If DingTalk is involved in a reorganization, merger, acquisition, sale of assets, or liquidation, we will continue to ensure the confidentiality of your Personal Data and give affected users notice in advance if Personal Data is transferred or becomes subject to a different privacy policy.
● Interoperability with DingDing: DingTalk is interoperable with DingDing so that you can communicate with DingDing users. You may also be able to use certain features of DingDing in accordance with the applicable terms. When you interact with a DingDing user (and vice versa), or use any feature provided by DingDing, we will share your information with DingDing to the extent necessary to facilitate interoperability. When interoperating with DingDing users, you will be subject to the DingDing Privacy Policy and the DingDing Service Agreement.
3. MANAGING, MAINTAINING, OR UPDATING YOUR PERSONAL DATA
When using DingTalk Services, you can manage, review, and update your Personal Data via “Settings and Privacy - About DingTalk - Privacy” or contact us by sending an email to: dt_privacy@service.dingtalk.com. At the same time, you are responsible for the truthfulness, accuracy, legality, validity, and completeness of the information you provide, and for updating and maintaining your personal profile in a timely manner to ensure that the personal information you provide is true, accurate, and valid.
4. EXPORTING OR DELETING YOUR PERSONAL DATA
You can export a copy of the Personal Data you have provided to us. You can send your request to dt_privacy@service.dingtalk.com, and we will assist you in exporting your Personal Data in accordance with applicable law and your request.
You can also delete the Personal Data you have provided. In most cases, you can directly delete it using the deletion functions we provide. If there is any content you cannot delete, you can contact us at dt_privacy@service.dingtalk.com. In some cases, we retain data for limited periods when it needs to be kept for legitimate business or legal purposes, or when it needs to be protected from accidental or malicious deletion. Please understand that there may be a delay between when you delete certain content and when copies are deleted from our active and backup systems.
5. TERMINATION OF YOUR ACCOUNT
You can terminate your DingTalk account as follows:
● Organization User Termination: When your administrator decides to terminate the use of our services, we will delete (or anonymize) any Organization-controlled data related to you and retain your DingTalk account as an individual user. If you decide to further terminate the DingTalk account you hold as an individual user, we will anonymize or delete your Personal Data in accordance with applicable laws and regulations. If you are an administrator, you can log in to the latest version of the DingTalk app, go to “Me - Settings - My Organization”, select the organization you wish to terminate, and then click “More - Disband Organization” to disband the DingTalk organization.
● Individual User Termination: If you are an individual user, you can log in to the latest version of the DingTalk app and go to “Me - Settings - Security Center - Account settings - Delete DingTalk Account” to terminate your personal DingTalk account. Please note that after you terminate your DingTalk account, we will stop providing DingTalk Services to you and will delete (or anonymize) your Personal Data as required by applicable law. Please carefully consider the impact before you terminate your account.
6. COOKIES AND SIMILAR TECHNOLOGIES
To provide you with more convenient and personalized services, and to ensure the security and functional integrity of our services, we may use Cookies and other similar technologies (such as local storage, Web Beacons/pixel tags) to collect and store your relevant information and online preferences when you access and use DingTalk Services.
Our main purposes for using these technologies include:
Ensuring Service Security and Efficient Operation: Maintaining your session state (Session) to ensure the continuity of your operations within the service (e.g., staying logged in, remembering shopping cart contents); supporting single sign-on (SSO) functionality to allow you to switch seamlessly between different services.
Statistical Analysis and Service Improvement: Collecting information on how visitors use our website or services (e.g., frequency of visits) so that we can understand service usage and continuously improve product features and user experience.
About Cookies and Local Storage:
l Cookie: A Cookie is a very small text document sent to your browser by a website you visit and stored on your device, usually containing an anonymous unique identifier. When you revisit the website, your browser sends it back to the website server.
l Local Storage (e.g., HTML5 Local Storage, Flash Cookies): This is another way to store data on your device, similar to Cookies, which can be used to save your activity and preference information.
Your Choices and Control:
By accessing and using DingTalk Services, you consent to our storage and use of the above-mentioned Cookies and other similar technologies on your device.
You have the right to withdraw your consent and manage these technologies at any time. You can manage, refuse, or clear all or part of the stored Cookies or local storage data at any time through your browser settings (e.g., Chrome, Safari, Firefox). Please note: If you choose to disable or clear Cookies, you may need to manually adjust your user settings each time you visit, and some service features that rely on Cookies may not function properly (e.g., you may not be able to stay logged in, or some personalized services will become invalid).
7. DATA PROTECTION
● Security Measures
The security and confidentiality of your Personal Data are very important to us. We will implement commercially reasonable technical and organizational safeguards in accordance with industry standards to protect your Personal Data from unauthorized or unlawful access, use, loss, or damage.
The measures we adopt include: administrative measures (e.g., developing and publishing data protection policies, appointing a dedicated data protection team, providing security and privacy training for employees, and conducting regular data security audits), technical measures (e.g., SSL encryption, HTTPS protocol, access management, and firewalls), and physical measures (e.g., video surveillance).
Please understand that no data transmission over the Internet or any wireless network can be guaranteed to be absolutely secure. For the protection of your data security, we recommend that you do not disclose your personal data, such as your account, password, or other confidential data, during your use of DingTalk Services.
● Cross-Border Data Transfer
Our servers are located in Singapore. Singapore has a comprehensive legal framework for personal information protection, capable of providing strong protection for personal information. Furthermore, Singapore is a member economy of the APEC Cross-Border Privacy Rules (CBPR) system, committed to establishing high-standard regional data flow rules.
As DingTalk is a global platform, to continuously provide you with global services and fulfill our contractual obligations related to DingTalk Services, your personal information may need to be processed and stored outside your country/region. This international data transfer is necessary for us to provide our services. Regardless of where your personal information is processed, we will ensure that your data security reaches a level of protection at least equivalent to that required by the laws of your country/region. We provide adequate safeguards through the following mechanisms:
Legal and Framework Compliance: We will ensure that this Privacy Policy complies with the legal framework requirements for data transfer and, in accordance with applicable data protection laws (e.g., adopting Standard Contractual Clauses when necessary), establish and adopt mechanisms to ensure that the data recipient can provide adequate and appropriate protection.
Unified Protection Standards: We will adopt the same protection measures described in this Privacy Policy to process your personal information, ensuring consistency worldwide.
Regulatory Cooperation and Complaint Handling: If we receive a complaint from you regarding data transfer that cannot be resolved directly, we will cooperate with the appropriate regulatory authorities to handle it.
Immediate Termination of Safeguards: Once these safeguards are violated or we (or the data recipient) can no longer fulfill the safeguard obligations, we will stop the transfer and processing of the relevant personal information.
Through these strict legal and technical safeguards, we are committed to maximizing the security of your personal information in international data flows.
8. CHILDREN’S PERSONAL DATA PROCESSING POLICY
We do not knowingly collect or solicit Personal Data from minors under the age of 16 (or the minimum age required by the laws of your country/region to use DingTalk Services). If you are a minor and below the minimum age required in your country/region to use DingTalk Services, you must obtain prior consent from your parents/legal guardians before using DingTalk Services. If we become aware that a minor has provided us with Personal Data without prior consent, we will delete such data from our servers. You can contact us by sending an email to dt_privacy@service.dingtalk.com.
9. SCOPE OF APPLICATION
This Privacy Policy applies to all DingTalk Services. To better enrich your experience, DingTalk Services may also contain links to other websites or services not operated or controlled by us (including our affiliates), which may include payment services. You can choose whether to access such content or links, or whether to use the products or services of third parties. However, we cannot control the products or services provided by third parties. We cannot control any Personal Data processed by third parties. By providing these links, we do not imply that we endorse or have reviewed these third-party services. Personal data protection issues related to your use of any third-party services are not governed by this Privacy Policy. We strongly advise you to review the privacy policies of the specific websites for the products or services provided by third parties.
If certain terms in this Privacy Policy conflict with legal and regulatory requirements, then to the extent permitted by law, those terms will be replaced by terms that are consistent with their original intent, and the remaining terms will remain in effect.
10. YOUR RIGHTS RELATED TO YOUR PERSONAL DATA
You are entitled to the following rights:
a) The right to access your Personal Data;
b) The right to data portability;
c) The right to correction if your Personal Data is incomplete or inaccurate (you are responsible for the truthfulness, accuracy, legality, validity, and completeness of the information you provide, and for updating and maintaining your Personal Data in a timely manner to ensure its truthfulness, accuracy, and validity);
d) The right to deletion or restriction of processing of your Personal Data as permitted by law (in some cases, we retain data for limited periods when it needs to be kept for legitimate business or legal purposes or to be protected from accidental or malicious deletion);
e) The right to object, within the scope permitted by law, to our processing of your Personal Data. For example, if we process your data for direct marketing purposes;
f) The right to withdraw your consent. Withdrawing consent will not affect the lawfulness of the processing of your Personal Data prior to the withdrawal;
g) The right to terminate your DingTalk account, the method of which depends on your DingTalk account type. After termination, we will stop providing DingTalk Services to you and will delete or anonymize your Personal Data as required by applicable law.
The exercise of the above rights is free of charge. You can contact us through “DingTalk Customer Service” or by email. If a request is unfounded or manifestly excessive (especially due to its repetitive nature), we will charge a reasonable fee or refuse to comply with the request. Before we fulfill your rights request, we may ask you to provide your identity information to help us confirm your identity.
We will respond to your rights requests as timely as possible, in principle within one month of receiving the request. Depending on the complexity and number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receiving the request. Applicable privacy legislation may allow or require us to refuse your request. If we cannot fulfill your request, we will inform you of the reason, subject to any legal or regulatory restrictions.
Please understand that these rights are not absolute and may be limited in certain situations. For example, if we can demonstrate that we have a legal basis for processing your data, if providing you with information would disclose the personal data of others, or if applicable law prohibits us from disclosing such information. In some cases, this may mean that we have the right to retain data even if you withdraw your consent.
11. MARKETING
We may send you marketing and promotional materials. If required by applicable laws and regulations, we will obtain your prior consent before providing you with marketing materials or information. You may withdraw your consent at any time (this will not affect the processing of your Personal Data prior to the withdrawal). If you wish to stop receiving marketing materials, etc., you can contact us at any time.
12. DATA RETENTION
We will retain your Personal Data for the time necessary to fulfill the purposes described herein. The specific retention period will be determined based on the following criteria:
A. The period necessary to fulfill the purpose of transaction-related services and to maintain corresponding transaction and business records to respond to your inquiries or complaints;
B. The period necessary to ensure the security and quality of the services we provide to you;
C. The existence of a legal or regulatory requirement to retain the data for a specific period;
D. Whether you have agreed to a longer retention period;
E. The need to resolve disputes and enforce agreements.
Where applicable, we will delete your Personal Data upon receiving your deletion request, unless we are legally obligated to retain the data. We reserve the right to delete your Personal Data at any time without prior notice. In such cases, we are not liable for any compensation that may arise from the deletion of your Personal Data. If you would like to know more about the specific retention periods applied to your Personal Data, please contact us at dt_privacy@service.dingtalk.com.
13. PRIVACY POLICY UPDATES
We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you (e.g., through system messages, by posting the amended Privacy Policy in “Settings and Privacy - About DingTalk - Privacy”, or by other means), and depending on the significance of the changes we make and as required by applicable law, we will decide whether to seek your consent for the updated content. You can access the latest Privacy Policy via “Settings and Privacy - About DingTalk - Privacy”.
14. CONTACT US
If you have any questions about this Privacy Policy or wish to contact us for any reason related to our processing of Personal Data, please contact us via “DingTalk App - Me - Help - Customer Service - DingTalk Assistant” or by sending an email to: dt_privacy@service.dingtalk.com.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
ANNEX I. SPECIFIC TERMS FOR THE EUROPEAN ECONOMIC AREA
If you are a DingTalk user located in the European Economic Area (“EEA”), the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede.
1. LEGAL BASIS OF GDPR FOR PROCESSING YOUR PERSONAL DATA
We process your Personal Data for the following purposes and based on the following legal grounds:
· On the basis of our legitimate interests for example when required by us to conduct our business, in particular:
○ use your information to identify you and provide you with a consistent service experience throughout DingTalk Services;
○ use your information to respond to any comments or complaints you may send us;
○ use your information to help us maintain, improve and optimize DingTalk Services;
○ use data to provide personalized display services;
○ use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and
○ notify you about changes to DingTalk Services, where applicable.
· On the basis of your consent:
○ providing you with information relating to DingTalk Services or promotional materials that may be of interest to you, or other communications;
○ place cookies and use similar technologies in accordance with the “COOKIES AND SIMILAR TECHNOLOGIES” section of the Privacy Policy and the information provided to you when those technologies are used; and
○ on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.
· As this might be necessary for compliance with a legal obligation that is applicable to us, such as:
○ in response to requests by government or law enforcement authorities conducting an investigation, or to comply with the requirements imposed by applicable law or any court order.
Aggregated Personal Data refers to data that has been carefully de-identified and anonymized to ensure that it cannot be linked back to any specific individual. We may aggregate Personal Data or collect aggregated data from our users, which is essential for enhancing the functionality and performance of DingTalk Services. This enables us to analyze user behavior, improve features, develop new products and services, conduct research, and other similar purposes. We use this data to gain insights into overall usage patterns and trends, helping us make data-driven decisions to enhance the user experience. In some cases, we may also choose to share or publish this aggregated data.
In addition, from time to time, we may share or publish aggregated data like general user statistics with third parties. We collect this data through DingTalk Services, through cookies, and through other means described in this Privacy Policy. We will maintain and use de-identified data in anonymous or de-identified form, and we will not attempt to re-identify the data, unless required by law.
We are committed to adhering to relevant privacy and data protection regulations and our Privacy Policy in all our data aggregation activities. If you have any questions or concerns regarding data aggregation, please read our full Privacy Policy for more details on how we handle and safeguard your Personal Data. Your privacy and security are our top priorities.
2. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA
In situations where we transfer your Personal Data outside the EEA to a third country which may not be subject to an adequacy decision by the EU Commission (GDPR Art. 45) or considered adequate as determined by applicable data protection laws, we will take steps to ensure that your Personal Data continues to receive a standard of protection that is at least comparable to that provided under the applicable laws by using the European Commission-approved Standard Contractual Clauses (GDPR Art. 46), a vendor’s Processor Binding Corporate Rules (GDPR Art. 47) or by relying on other data transfer mechanisms available under applicable data protection laws, and further (organisational / contractual / technical) supplementary measures necessary to ensure the effectiveness of the transfer mechanisms.
A copy of the relevant mechanism can be obtained for your review on request via the contact details displayed in the “CONTACT INFORMATION” section of this Annex.
3. CONTACT INFORMATION
If you have any questions about this Privacy Notice or would like to contact us for any reason related to our processing of personal data, please reach out to our Data Protection Officer:
By email: dt_privacy@service.dingtalk.com;
By phone: 400-111-6555;
By mail: 51 Bras Basah Road #03-06, Lazada One; Singapore 18955 Singapore [Attention: Data Protection Officer DingTalk].
We have appointed Alibaba (Netherlands) B.V. as our representative in the EU. You may contact them by sending email to: dingtalk.legalcounsel@service.dingtalk.com.
ANNEX II. SPECIFIC TERMS FOR CALIFORNIA PRIVACY DISCLOSURES
If you are a California resident, the following additional privacy disclosures under the California Consumer Privacy Act of 2018 (“CCPA”) and other California laws may be applicable to you and allow you to exercise your rights regarding your Personal Data. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede.
1. INTRODUCTION
If the CCPA is applicable, you have the right to know and understand how we collect, use, disclose, and share your Personal Data, to access your information, to request that we delete specific information, to exercise your rights to opt-out, and also not be discriminated against when exercising your privacy rights granted under the CCPA.
2. CATEGORIES OF INFORMATION WE MAY COLLECT
We or the Organization collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly, or indirectly, with a particular consumer, household, or device (“Personal Data”). We or the Organization may have collected the following categories of Personal Data from users within the last twelve (12) months:
A. Identifiers, specifically include: DingTalk ID, email address.
B. Personal Data categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), specifically include: name, cell phone number.
C. Protected classification characteristics under California or federal law, specifically include: Gender, Birthday.
D. Internet or other electronic network activity information, such as the usage data we receive when you access or use DingTalk Services, specifically include: logs of audio and video communications relevant to Chat.
E. Sensory data, specifically includes: content of audio and video communications.
F. Professional or employment-related information, specifically includes: Work Experience, identity information of relevant employees (typical fields may include department, occupation, employee number, whether supervisor or not, direct supervisor, onboarding date, Organization), OKR and performance results of employees, resume information of candidates.
G. Inferences that can be drawn from any of the above categories, including your preferences and characteristics.
We obtain the categories of Personal Data listed above from the following categories of sources:
· Information and data directly provided by you on DingTalk Services.
· Information and data indirectly from you through DingTalk Services.
Personal Data does not include:
· Publicly available information from government records.
· Deidentified or aggregated consumer information.
· Information excluded from the CCPA’s scope, like health or medical information covered by the Health Insurance Portability and Accountability Act (“HIPAA”), clinical trial data, or other qualifying research data; and Personal Data covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”) and the Driver’s Privacy Protection Act (“DPPA”).
To better understand how we collect your information, please review the general terms of the Privacy Policy.
3. PERSONAL DATA WE MAY USE OR DISCLOSE
We may use, disclose, or sell (if authorized) the Personal Data we collect for one or more of the following business purposes:
· To provide you with DingTalk Services or otherwise fulfil or meet the reason for which you provided the information.
· To provide you with support and to respond to your inquiries, including investigating user-reported issues and addressing your concerns.
· To provide, support, personalize, improve, analyze, and develop DingTalk Services for user experience and operational stability.
· To personalize user experience and to deliver content and products and service offerings relevant to your interests.
· To notify you about changes to our services or this policy, where applicable.
· To carry out our obligations and enforce our rights arising from any contracts entered into between you and us.
· To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
· To help maintain the safety, security, and integrity of DingTalk Services, our databases and other technology assets, and business.
· To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our users is among the assets transferred.
· As described to you when collecting your Personal Data or as otherwise set forth in the CCPA.
To better understand how we use and disclose your information, please review the general terms of the Privacy Policy presented above.
4. PERSONAL DATA THAT WE MAY SHARE
We may share your Personal Data by disclosing it to third parties for business purposes. We only make these business purpose disclosures under written contracts that describe the specific business purposes, require the recipient to keep the Personal Data confidential, and prohibit using the disclosed information for any purpose except performing the obligations under the contract.
As stated in the general terms of the Privacy Policy, we do not sell your Personal Data unless we obtain your consent. We do not knowingly collect Personal Data from individuals under age 16; and therefore, our Personal Data sales do not include information about individuals we know are under age 16.
In the preceding twelve (12) months, DingTalk has shared the following categories of Personal Data to the following categories of third parties:
Personal Data Category | Category of Third-Party Recipients | Sales |
Business Purpose Disclosures | ||
Subject to what the page displays for authorization (e.g., icon, nickname, phone number) | Mini-program, SaaS applications (applied and used by users / business Organizations) | N/A |
Depends on specific SDKs | Third-party SDKs | N/A |
To better understand how we share your information, please review the general terms of the Privacy Policy presented above.
5. YOUR RIGHTS AND CHOICES
Right to Know and Data Portability
The CCPA provides California residents specific rights to know about our collection and use of their Personal Data over the past twelve (12) months (the “right to know”). Once we receive your request and confirm your identity, we will disclose to you:
· The categories of Personal Data we collected about you.
· The categories of sources for the Personal Data we collected about you.
· Our business or commercial purpose for collecting or selling (if applicable) that Personal Data.
· The categories of third parties with whom we share that Personal Data.
· If we sold or disclosed (if applicable) your Personal Data for a business purpose, we will provide two separate lists that:
○ identify the Personal Data categories that each category of recipient purchased in connection with sales of your Personal Data; and
○ identify the Personal Data categories that each category of recipient obtained in connection with disclosures of your Personal Data for a business purpose.
· The specific pieces of Personal Data we collected about you (also called a data portability request).
Right to Delete
The CCPA provides California residents specific rights to delete their Personal Data that we collected from them and retained, subject to certain exceptions (the “right to delete”). We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
· Provide the service that you requested from DingTalk Services, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
· Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
· Debug DingTalk Services to identify and repair errors that impair existing intended functionality.
· Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
· Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
· Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
· Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
· Comply with a legal obligation.
Once we receive your request and confirm your identity, we will delete or de-identify Personal Data and direct our service providers to take similar action unless subject to one of these exceptions above.
How to Exercise the Rights to Know or Delete
To exercise your rights to know or delete described above, please submit a request via the contact details displayed in the “CONTACT US” section.
Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your Personal Data.
You may only submit a request to know twice within a 12-month period. Your request to know or delete must:
· Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative, which may include: your identification information, a signed permission authorizing the representative to submit the request on your behalf, and any other information permitted or recommended by the CCPA and applicable regulations.
· Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you.
We will only use Personal Data provided in the request to verify the requestor's identity or authority to make the request.
Response Timing and Format regarding Requests to Know or Delete
We will confirm receipt of your request within fifteen (15) business days. If you do not receive confirmation within the fifteen (15) business days timeframe, please contact us via the contact details displayed in the “CONTACT US” section.
We endeavour to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. We may deliver our written response by email.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded, or as otherwise permitted by the CCPA. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Personal Data Sales Opt-Out Rights
Under the CCPA, consumers have the right to direct us to not sell their Personal Data at any time (the “right to opt-out”). As stated in the general terms of our Privacy Policy, we do not sell your Personal Data of consumers unless we obtain consent for the sale. Consumers who opt-in to Personal Data sales may opt-out of future sales at any time.
To exercise your right to opt-out provided under CCPA, you (or your authorized representative) may submit a request to us via the contact information provided in the “CONTACT US” section.
We will only use Personal Data provided in an opt-out request to review and comply with the request.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
· Deny you goods or services.
· Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
· Provide you a different level or quality of goods or services.
· Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
Other California Privacy Rights
· Shine the Light Law Disclosure.
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits Users of DingTalk Services that are California residents to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes. To make such a request, please refer to the “CONTACT US” section.
· “Do Not Track” Disclosure.
We do not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser “Do Not Track” settings and/or signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal identifiable data about an individual consumer's online activities over time and across third-party websites or online services.
When you use the DingTalk Services, certain third parties may use automatic information collection technologies to collect information about you or your device. The information they collect may be associated with your Personal Data or they may collect information, including Personal Data, about your online activities over time and across different websites and other online services websites. We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.
· Eraser Law Disclosure for Minor Users.
If you are a user under the age of 18, California Business and Professions Code Section 22581 allows you to request and obtain removal of content or information you have publicly posted. You can send a request to remove any content or information you posted on DingTalk Services via the contact information provided in the “CONTACT US” section. Please notice that the removal does not ensure the complete or comprehensive removal of your posted content or information in certain circumstances.
ANNEX III. SPECIFIC TERMS FOR HONG KONG SAR
If you are a DingTalk user located in Hong Kong SAR (“Hong Kong”), the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Personal Data (Privacy) Ordinance.
DIRECT MARKETING
DingTalk may use your Personal Data for marketing and promotional purposes, including:
· For sending or showing updates on the latest news, offers, and promotions in connection with DingTalk Services.
· For sending or showing joint marketing offers about DingTalk Services, rewards, privileges programmes, promotional offers and related services, and invitations to events.
DingTalk may also use Personal Data to analyse its customers’ preferences and market trends and derive insights, which DingTalk may use to tailor the types of products and offers that DingTalk presents to you. This may involve DingTalk combining Personal Data that DingTalk holds about your use of DingTalk Services with information that DingTalk has collected about your usage. DingTalk may also combine information that DingTalk has collected about you with information that DingTalk has collected about other customers in order to derive these insights and establish market trends. DingTalk may provide these insights to third party partners for their marketing and promotional purposes.
DingTalk may communicate marketing, promotions, and research invitations to you by email or system message or via online banner advertisement and, as appropriate and where required, DingTalk will ask you for your consent, or otherwise provide you with the opportunity to choose not to receive marketing, at the time DingTalk collects your Personal Data.
You have the right to ask DingTalk not to process your Personal Data for direct marketing purposes. You can exercise this right to prevent such processing by indicating that you do not consent to direct marketing at the point at which DingTalk collects your Personal Data. DingTalk will also provide an option to unsubscribe or opt out of further communication on any direct marketing communication sent to you. You may also opt out by contacting DingTalk with the contact information provided in the “CONTACT US” section.
If you choose to unsubscribe or opt out of marketing communication, DingTalk will still send you communications about any of the services and products that DingTalk provides to you, including administrative updates and account summaries.
ANNEX IV. SPECIFIC TERMS FOR INDONESIA
If you are a DingTalk user located in Indonesia, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Indonesia Personal Data Protection Law (Law No.27 of 2022 concerning Personal Data Protection, the “PDP Law”).
1. AGE, PARENTAL, AND GUARDIAN CONSENT
By using DingTalk Services, you represent that you are at least 21 years of age or married or not under guardianship. If you are below 21 years old and you are not married, or under guardianship:
· You must obtain approval from your parents or legal guardians; and
· Your parents or legal guardians are responsible for
○ all your actions in connection with your use of DingTalk Services;
○ your compliance with this Privacy Policy; and
○ ensuring that your use of DingTalk Services will not, in any event, result in any violation of applicable laws and regulations relating to child protection.
If you do not have consent from your parents or legal guardians, you must cease using the DingTalk Services.
2. YOUR PERSONAL DATA RIGHTS
You have the right to access, update, correct, and request the erasure or disposal of Personal Data stored on DingTalk’s servers from time to time in accordance with applicable data privacy laws and regulations in Indonesia. Please note that by requesting us to erase and dispose of your Personal Data, you may not be able to use some of the features and functionality of DingTalk Services.
You may withdraw your consent to DingTalk’s disclosure of Personal Data to third parties. Upon your request, we will cease to display, publish, transmit, disseminate, and/or open access to your Personal Data to third parties. Please note that by withdrawing your consent to the disclosure and/or collection of your Personal Data, we may not be able to fulfill your requests, and you may not be able to use some of the features and functionality of DingTalk Services.
If you wish to make such requests, please contact us by contact information provided in the “CONTACT US” section.
3. DATA RETENTION
We retain your Personal Data for as long as necessary to provide you with DingTalk Services. When your Personal Data is no longer needed to provide DingTalk Services to you, we retain it only for as long as we have a legitimate business reason to do so. However, there are instances where we may retain this data for an extended duration to comply with legal obligations or where it is essential for the establishment, exercise, or defence of legal claims.
4. DATA BREACH NOTIFICATION
In the event we fail to maintain the confidentiality of your Personal Data, we will notify you through the contact information provided by you or via DingTalk, to the extent required by applicable data privacy laws and regulations in Indonesia.
5. CROSS-BORDER DATA TRANSFER
We may transfer your Personal Data to a controller and/or processor outside the jurisdiction of the Republic of Indonesia per following conditions:
· When the country where the controller of personal data and/or processor of personal data receiving the transfer of personal data has a level of personal data protection that is at least equivalent to that stipulated in the PDP Law;
· When there are adequate and binding personal data protection measures; or
· When we obtain your consent for the transfer.
ANNEX V. SPECIFIC TERMS FOR THAILAND
If you are a DingTalk user located in Thailand, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Thailand Personal Data Protection Act 2019.
1. YOUR PERSONAL DATA RIGHTS
In accordance with the applicable data privacy laws and regulations in Thailand, you have the following rights:
· You may withdraw your consent to the processing of your Personal Data (only when the legal basis for DingTalk’s processing is consent). Please be aware that if consent is required for the processing of your Personal Data, we may not be able to provide the expected service without it.
· You may request access to, correction of, cessation of any automated processing or profiling (if applicable), discontinuation, restriction of the use or provision of, and/or erasure of your Personal Data.
· You may request us to provide your Personal Data, stored by us in a machine-readable format, to you or a third party.
If you wish to make such requests, please contact us by contact information provided in the “CONTACT US” section.
When you make a reasonable request, and when DingTalk cannot waive such request on the basis of a statutory obligation, DingTalk will process your request within no more than 30 days from the date of receipt of such request.
2. TRANSFER YOUR PERSONAL DATA TO A FOREIGN COUNTRY
We may send or transfer your Personal Data to a foreign country or international organization in the following circumstances:
· Where the destination country or international organization that receives such Personal Data have adequate data protection standard, and the transfer is carried out in accordance with the rules for the protection of Personal Data as prescribed by the Personal Data Protection Committee of Thailand;
· Where it is for compliance with the law;
· Where we have obtained your consent;
· Where it is necessary for the performance of a contract to which the you are a party, or in order to take steps at your request prior to entering into a contract;
· Where it is for compliance with a contract between DingTalk and other individuals or juristic persons for your interests;
· Where it is to prevent or suppress a danger to the life, body, or health of you or other individuals, when you are incapable of giving the consent at such time;
· Where it is necessary for carrying out the activities in relation to substantial public interest.
ANNEX VI. SPECIFIC TERMS FOR PHILIPPINES
If you are a DingTalk user located in Philippines, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Philippine Data Privacy Act of 2012.
1. CRITERIA FOR LAWFUL PROCESSING OF PERSONAL DATA
The processing of Personal Data shall be permitted only if not otherwise prohibited by applicable laws, and when at least one of the following conditions exists:
· You have given your consent.
· The processing of Personal Data is necessary and is related to the fulfillment of a contract with you or in order to take steps at the request of you prior to entering into a contract;
· The processing is necessary for compliance with a legal obligation to which we are subject to;
· The processing is necessary to protect your vitally important interests (including life and health);
· The processing is necessary to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of Personal Data for the fulfillment of its mandate; or
· The processing is necessary for the purposes of the legitimate interests of us or a third party or parties to whom the Personal Data is disclosed, except where such interests are overridden by fundamental rights and freedoms of you which require protection under the Philippine Constitution.
2. YOUR RIGHT AS A DATA SUBJECT
You have the right to:
· Be informed, before processing of your Personal Data, whether your Personal Data shall be, are being or have been processed;
· Reasonable access to, upon request, the following
○ contents of your Personal Data that we process;
○ sources from which we collected your Personal Data;
○ names and addresses of recipients of the Personal Data (if any);
○ methods we utilize to process your Personal Data;
○ reasons for the disclosure of the Personal Data to any third parties (if any);
○ information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect you (if any); and
○ date when your Personal Data were last accessed and modified.
· Suspend, withdraw or order the blocking, removal or destruction of your Personal Data, upon discovery and substantial proof that the Personal Data are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected;
· Dispute the inaccuracy or error in the Personal Data and have it corrected, unless the request is vexatious or otherwise unreasonable;
· Obtain a copy of data undergoing processing in an electronic or structured format that is commonly used, but only where your Personal Data is processed by electronic means and in a structured and commonly used format.
If you wish to make requests to exercise your data subject right, please contact us by contact information provided in the “CONTACT US” section.
ANNEX VII. SPECIFIC TERMS FOR MALAYSIA
If you are a DingTalk user located in Malaysia, the following terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these terms and the general terms of the Privacy Policy, these terms shall supersede. For these Terms, the term “Personal Data” is used as it is defined in the Malaysia Personal Data Protection Act 2010.
1. LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
We may process your Personal Data in the following circumstances:
· If you have given your consent to the processing of your Personal Data; or
· If the processing is necessary
○ for the performance of a contract to which the data subject is a party;
○ for the taking of steps at the request of the data subject with a view to entering into a contract;
○ for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
○ in order to protect the vital interests of the data subject;
○ for the administration of justice; or
○ for the exercise of any functions conferred on any person by or under any law.
2. YOUR DATA SUBJECT RIGHTS
You are entitled to:
· Make a data access request in writing to DingTalk, upon payment of a prescribed fee,
○ for information of your Personal Data that is being processed by or on behalf of DingTalk; and
○ to have communicated to you a copy of your Personal Data in an intelligible form.
· Make a data correction request in writing to DingTalk that DingTalk makes the necessary correction to your Personal Data, if your personal data being held by DingTalks is inaccurate, incomplete, misleading or not up-to-date;
· Withdraw your consent to the processing of Personal Data by notice in writing, in respect of which you are the data subject;
· Require DingTalk at any time by notice in writing to DingTalk at the end of such period as is reasonable in the circumstances to
○ cease processing your Personal Data; or
○ not begin the Personal Data processing,
Where
○ the processing is causing or is likely to cause substantial damage or distress to you or another person,
○ and the damage or distress is or would be unwarranted.
· Require DingTalk by notice in writing to a data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing your Personal Data for purposes of direct marketing.
If you wish to make requests to exercise your data subject right, please contact us by contact information provided in the “CONTACT US” section.
3. TRANSFER OF YOUR PERSONAL DATA TO PLACES OUTSIDE MALAYSIA
We may transfer your Personal Data to a place outside Malaysia if
· Such place is specified by Malaysia’s Digital Minister, by notification published in the Gazette;
· You have given your consent to the transfer;
· The transfer is necessary for the performance of a contract between you and DingTalk;
· The transfer is necessary for the conclusion or performance of a contract between DingTalk and a third party which—
○ is entered into at your request; or
○ is in your interests;
· The transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
· We have reasonable grounds for believing that in all circumstances of the case—
○ the transfer is for the avoidance or mitigation of adverse action against you;
○ it is not practicable to obtain you consent in writing to that transfer; and
○ if it was practicable to obtain such consent, you would have given your consent;
· DingTalk has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of the Malaysia Personal Data Protection Act 2010;
· The transfer is necessary in order to protect your vital interests; or
· The transfer is necessary as being in the public interest in circumstances as determined by Malaysia’s Digital Minister.
ANNEX VIII. SPECIFIC TERMS FOR BRAZIL
If you are a DingTalk User located in Brazil, the following Terms will apply to the processing of your Personal Data in addition to our Privacy Policy presented above. In the event of any conflict between these Terms and the general terms of the Privacy Policy, these terms shall supersede.
These Terms applies to all Users located in Brazil (Users are referred to below, simply as “you”, “your”, “yours”), according to the Lei Geral de Proteção de Dados (the “LGPD”), and for these Terms, the term “Personal Data” is used as it is defined in the LGPD.
1. LEGAL BASIS OF LGPD FOR PROCESSING YOUR PERSONAL DATA
We can process your Personal Data solely if we have a legal basis for such processing. Legal bases are as follows:
· With your consent;
· For compliance with a legal or regulatory obligation by us;
· By the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments;
· For carrying out studies by research entities, ensuring, whenever possible, the anonymization of Personal Data;
· When necessary for the execution of a contract or preliminary procedures related to a contract of which you are a party, at the request of the data subject;
· For the regular exercise of rights in judicial, administrative or arbitration procedures;
· For the protection of life or physical safety of you or a third party;
· To protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities;
· When necessary to fulfill the legitimate interests of us or a third party, except when the your fundamental rights and liberties which require Personal Data protection prevail; or
· For the protection of credit.
2. YOUR DATA SUBJECT RIGHTS
You have the right to:
· Obtain confirmation of the existence of processing activities on your Personal Data;
· Access to your Personal Data;
· Have incomplete, inaccurate or outdated Personal Data corrected;
· Obtain the anonymization, blocking or elimination of your unnecessary or excessive Personal Data, or of Personal Data that is not being processed in compliance with the LGPD;
· Obtain, upon your express request, the portability of your Personal Data to another service or product provider, provided that our commercial and industrial secrets are protected;
· Delete your Personal Data being processed if the processing was based upon your consent;
· Obtain information about public and private entities with which we have shared your Personal Data with;
· Obtain information about the possibility of denying consent and the consequences of such denial;
· Revoke your consent at any time;
· Submit a complaint related to your Personal Data with data protection authorities or with consumer protection bodies.
If you wish to make requests to exercise your data subject right, please contact us by contact information provided in the “CONTACT US” section.
3. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA
We are allowed to transfer your Personal Data outside of the Brazilian territory in the following cases:
· When the transfer is to countries or international organizations that provide a level of protection of Personal Data that is adequate to the LGPD;
· When we offer and prove guarantees of compliance with the principles, your data subject rights and the regime of data protection provided in the LGPD, in the form of:
○ specific contractual clauses for a given transfer;
○ standard contractual clauses;
○ binding corporate rules;
○ regularly issued stamps, certificates and codes of conduct;
· When the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
· When the transfer is necessary to protect the life or physical safety of you or of a third party;
· When the national authority authorizes the transfer;
· When the transfer results in a commitment undertaken through international cooperation;
· When the transfer is necessary for the execution of a public policy or legal attribution of public service;
· When you have given your specific, unambiguous and informed consent for the transfer; or
· When the transfer is necessary for compliance with a legal or regulatory obligation, the carrying out of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative, or arbitration procedures.