1. Scope and application
This Addendum will apply, if required by Data Protection Legislation (as defined below) and only to the extent that, in providing any Alibaba Cloud Services to You, Alibaba Cloud processes as a processor personal data contained in or generated in relation to Your Member Content (the “Data”).
This Addendum forms part of Your Membership Agreement and capitalised terms not defined herein will have the meaning given in the Membership Agreement. In the event and to the extent of a conflict between the other terms of the Membership Agreement including its Addenda or any other agreements between You and Alibaba Cloud regarding the Data and this Addendum, this Addendum will prevail.
In this Addendum:
“controller”, “data subject”, “personal data”, “process”, “processor” and “supervisory authority” each has the meaning given in the GDPR.
“Data Protection Legislation” means, as applicable: (i) GDPR, and in each case, any related national laws, legislation, rules or regulations, related to privacy and data protection (including legislation made under or in relation to (i)). For clarity, a reference to Data Protection Legislation, includes a reference to Data Protection Legislation as amended, modified, extended, re-enacted, consolidated or replaced from time to time.
“GDPR” means Regulation (EU) 2016/679.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914/EU of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (or any subsequent decisions) or as referred to in Article 46 GDPR.
3. Description of processing
For the purposes of this Addendum, You (the controller or processor) appoint Alibaba Cloud as Your processor to process the Data, for the duration of the Membership Agreement, for the purpose of providing the Alibaba Cloud Services to You (the “Permitted Purpose”).
4. Data processing
In processing the Data under this Agreement, Alibaba Cloud shall:
(a) only process the Data on Your documented instructions unless required otherwise by applicable law;
(b) ensure that all personnel authorised by Alibaba Cloud to process the Data are subject to suitable confidentiality obligations;
(c) implement and maintain appropriate technical and organisational measures as described at https://www.alibabacloud.com/trust-center, designed to protect the Data processed by Alibaba Cloud against a personal data breach affecting such Data arising from a breach of Alibaba Cloud’s security (a “Security Incident”). Alibaba Cloud may change those measures from time to time, but not so as to reduce the level of protection for Data. In the event of a confirmed Security Incident, Alibaba Cloud shall notify You without undue delay and shall provide reasonable information and cooperation to You so that You can fulfil any data breach reporting obligations You may have under (and in accordance with the timescales required by) applicable Data Protection Legislation. Alibaba Cloud shall further take any reasonably necessary measures and reasonably necessary actions to remedy or mitigate the effects of the Security Incident, and shall keep You informed of all material developments in connection with the Security Incident;
(d) be generally authorised to engage third party subcontractors to process the Data for the Permitted Purpose, provided that Alibaba Cloud (i) shall remain fully liable for any of its subcontractors; (ii) shall maintain an up-to-date list of such subcontractors here (accessible when You login to your Alibaba Cloud account), which it shall update with details of any change in such subcontractors at least 10 days before any such change; and (iii) shall impose data protection terms on any subcontractor it appoints to process any Data, that require it to protect such Data to at least the standard required by applicable Data Protection Legislation. You may object to Alibaba Cloud’s appointment or replacement of such a subcontractor before its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Alibaba Cloud will either not appoint or replace the relevant subcontractor or, if this is not possible, You may terminate the relevant Service and this Addendum to the extent it applies to that Service, but without prejudice to any fees or costs incurred by You for that Service before that termination and without prejudice to the Membership Agreement, any other Services provided to You, and any fees or costs in relation to those other Services;
(e) assist You to respond to data subjects’ requests to exercise their rights regarding any Data under applicable Data Protection Legislation by providing You with technical measures to enable You, to the extent consistent with the functionality of the Alibaba Cloud Services and Alibaba Cloud’s role as a processor, to access, rectify, erase, restrict or export Data directly (and You agree that, taking into account the nature of the processing, this paragraph reflects the extent to which it is possible for Alibaba Cloud to provide You with such assistance). If a data subject, supervisory authority or any other party directly approaches Alibaba Cloud with any request, query or complaint regarding any Data, Alibaba Cloud shall promptly notify You accordingly or notify that person that they should approach You instead;
(f) if Alibaba Cloud believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, promptly inform You and provide reasonable cooperation to You (at Your expense) in connection with any data protection impact assessment that You may be required under applicable Data Protection Legislation to undertake for Your use of Alibaba Cloud Services;
(g) at Your choice, delete or return all Data in Alibaba Cloud’s possession or control following the termination of the Membership Agreement. This requirement shall not apply to the extent that Alibaba Cloud is required or permitted by applicable law to retain some or all of the Data, or Data archived on back-up systems, in which event Alibaba Cloud shall securely isolate and protect such Data from any further processing except to the extent required by such law until deletion is possible; and
(h) use independent qualified third party security professionals and auditors, at Alibaba Cloud’s selection and expense, to (at appropriate regular intervals) verify the adequacy of its security measures, including the security of the data centers from which Alibaba Cloud provides the Alibaba Cloud Services, and generating audit reports and certifications thereof (“Report and Certification”). You acknowledge that Alibaba Cloud is regularly audited against many industry-recognised standards by independent third party auditors as described at https://www.alibabacloud.com/trust-center. Upon Your written request, and subject to Your execution of a non-disclosure agreement covering the Report and Certification (and verification that you are not a competitor of Alibaba Cloud), Alibaba Cloud will make available to you a summary copy of the Report and Certification demonstrating Alibaba Cloud’s compliance with the obligations set forth in this Addendum.
If the Standard Contractual Clauses apply to You, then You agree to exercise Your audit right by instructing Alibaba Cloud to execute the audit as described in this section. If You desire to change this instruction, then You have the right to do so as set forth in the Standard Contractual Clauses which change shall be requested in writing (for clarity, nothing in the foregoing shall require Alibaba Cloud to make available any data, material or information of any of Alibaba Cloud’s other customers).
5. Your responsibilities
(a) To comply with your obligations under all applicable Data Protection Legislation in relation to Your use of Alibaba Cloud Services for processing any personal data comprised within the Data.
(b) That this Addendum, the Membership Agreement, Your other applicable agreements with Alibaba Cloud and Your configuration and use of the Alibaba Cloud Services will together comprise Your complete and final documented instructions to Alibaba Cloud on the processing of Data.
(c) That You shall not give Alibaba Cloud as Your processor any instructions, nor shall You use the Alibaba Cloud Services in any way, that in any such case could infringe any Applicable Data Protection Legislation or could cause Alibaba Cloud or any of its affiliates to infringe any Applicable Data Protection Legislation.
6. International transfers
If the processing of Data involves transfers out of the EEA, Alibaba Cloud will take such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Legislation. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with applicable Data Protection Legislation, or to a recipient that has executed Standard Contractual Clauses together with any supplementary measures that may be necessary.
(a) For clarity, the total aggregate liability of Alibaba Cloud and all its affiliates, employees, agents, representatives or anyone acting on its behalf together, arising from or in connection with the Membership Agreement and/or this Addendum or any matter arising therefrom shall not exceed the maximum liability of Alibaba Cloud as limited by the paragraph following Clause 11.5 of the Membership Agreement.
(b) Alibaba Cloud may modify the terms of this Addendum, for example to comply with applicable law or to implement any standard contractual clauses adopted by the European Commission or a supervisory authority under Article 28 of the GDPR, but it will not do so in a way that would reduce the protections required to be afforded to You under Article 28 of the GDPR. If it does so, it will post an amended and restated version on the Alibaba Cloud Platform, providing at least 15 days prior written notice of any material amendments to the Addendum to You (which may be posted on the Alibaba Cloud Platform or displayed in your Alibaba Cloud account). By continuing to use the relevant products or services after the receipt of written notification of such changes by Alibaba Cloud, you agree to be bound by the amended and restated Addendum.