WeSurvey
Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the WeSurvey Terms of Service (https://wesurvey.com/xy/agreement.html) (“Agreement”) entered into between Tencent Cloud International Pte. Ltd. (“Tencent”) and you (“Client”) that incorporates this DPA by reference.

This DPA applies to processing of personal data carried out by Tencent in connection with its services (“Services”) provided to the Client pursuant to the Agreement.

In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail. Save as specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern these terms.

In the event of any conflict or inconsistency between the provisions of the Standard Contractual Clauses (as defined below) and any other term of this DPA, the Standard Contractual Clauses will prevail in relation to any EU, UK or Swiss personal data (as defined below).

THE PARTIES HEREBY MUTUALLY AGREE AS FOLLOWS:

• 1. Definitions and Interpretation

• 1.1 In this DPA the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:

• "Data Protection Legislation" means the GDPR, the UK GDPR, Directive 2002/58/EC and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them , and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities;

• “EU personal data” means the processing of personal data to which data protection legislation of the European Union, or of a Member State of the European Union or European Economic Area, was applicable prior to its processing by Tencent;

• “FADP” means the Swiss Federal Act on Data Protection;

• “GDPR” means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679; and (ii) UK GDPR;

• “Protected Area” means:

• • i. in the case of EU personal data, the members states of the European Union and the European Economic Area and any country, territory, sector or international organisation in respect of which an adequacy decision under Art.45 GDPR is in force;

  • ii. in the case of UK personal data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force; and

  • iii. in the case of Swiss personal data, any country, territory, sector or international organisation which is recognised as adequate under the laws of Switzerland;

• “Relevant Law” means:

• • i. in the case of EU personal data, any legislation of the European Union, or of a Member State of the European Union or European Economic Area;

  • ii. in the case of UK personal data, any legislation of any part of the United Kingdom; and

  • iii. in the case of Swiss personal data, any legislation of Switzerland;

• “Security Breach” means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that Tencent processes in the course of providing the Services;

• “Standard Contractual Clauses” mean:

• • i. in respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from module two of such clauses and not including any clauses marked as optional (“EU Standard Contractual Clauses”);

  • ii. in respect of Swiss personal data, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP;

  • iii. in respect of UK personal data the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 and in force since 21 March 2022 but, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum so that:

  • • i. the details of the parties in table 1 shall be as set out in Schedule 3 (with no requirement for signature)

    • ii. for the purposes of table 2, the addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted above) and Clause 3.2(a)below selects the option and timescales for clause 9; and

    • iii. the appendix information listed in table 3 is set out in Schedule 3;

• “Swiss personal data” means personal data to which the FADP was applicable prior to its processing by Tencent;

• “UK GDPR” means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);

• “UK personal data” means the processing of personal data to which data protection laws of the United Kingdom were applicable prior to its processing by Tencent; and

• “controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the Data Protection Legislation.

• 2. Data Protection

• 2.1 For the purpose of this DPA, the parties agree the provisions of this Clause 2 shall apply to the personal data Tencent processes in the course of providing the Services. The parties agree that the Client is the controller and Tencent is the processor in relation to the personal data that Tencent processes in the course of providing the Services.

• 2.2 The subject-matter of the data processing is the performance of the Services. The obligations and rights of the Client are as set out in this DPA. Schedule 1 of this DPA sets out the nature, duration and purpose of the processing, the types of personal data Tencent processes and the categories of data subjects whose personal data is processed.

• 2.3 Client represents, warrants and undertakes that it has satisfied, obtained, and will maintain during the term of the Agreement, all appropriate legitimate grounds, rights and consents required by under the Data Protection Legislation for the processing of any personal data described in Schedule 1 by:

• • (a) Client for receiving the Services, including to the extent Client integrates the Services into the Client’s own products or services; and

  • (b) Tencent for providing the Services.

• To the extent such legitimate ground relied on is consent, Client shall ensure all prior, freely given, specific, informed, explicit and unambiguous consent are obtained from the relevant data subjects in accordance with Data Protection Legislation.

• 2.4 When Tencent processes personal data as set out in Schedule 1 of this DPA in the course of providing the Services, Tencent will:

• • (a) by appropriate technical and organisational measures and in so far as is possible, in fulfilling the Client’s obligations to respond to requests from data subjects exercising their rights; and

  • (b) notify the Client immediately if, in Tencent opinion, an instruction for the processing of personal data given by the Client infringes applicable Data Protection Legislation, it being acknowledged that Tencent shall not be obliged to undertake additional work to determine if Client's instructions are compliant.

• 2.5 Tencent shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data.
• 2.6 Tencent shall assist the Client, always taking into account the nature of the processing:

• • (a) by appropriate technical and organisational measures and in so far as is possible, in fulfilling the Client’s obligations to respond to requests from data subjects exercising their rights; and

  • (b) in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to Tencent.

• Tencent may charge a reasonable fee for any such assistance, save where assistance was required directly as a result of Tencent's own acts or omissions, in which case such assistance will be at the Tencent's expense.

• 2.7 Tencent shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected (these include the requirements set out in Schedule 2 of this DPA).
• 2.8 In the event of a suspected Security Breach, Tencent will:

• • (a) take action immediately to investigate the suspected Security Breach and to identify, prevent and mitigate the effects of the suspected Security Breach and to remedy the Security Breach;

  • (b) notify the Client without undue delay.

• 2.9Tencent shall not give access to or transfer any personal data to any third party (including any affiliates, group companies or sub-contractors) without the prior written consent of Client. Client acknowledges and agrees that Tencent may authorize any sub-processor to process personal data on its behalf provided that, where (and to the extent) required by Data Protection Laws, Tencent enters into a written agreement with the sub-processor containing terms which are substantially the same as those contained in this DPA. Client hereby grants Tencent general written authorisation to engage such sub-processors listed at this link: Third Party Information (https://www.tencentcloud.com/document/product/1033/32281) to process personal data on its behalf, subject to the requirements of Clauses 2.10 to 2.12.
• 2.10Tencent shall include in any contract with the third party provisions in favour of Client which are the same as those in these Clauses 2.4 to 2.13, and as are required by applicable Data Protection Legislation.
• 2.11To the extent its processing of personal data is subject to Data Protection Legislation that requires such notification, Tencent shall inform Client by email of any intended changes concerning the addition or replacement of the sub-processors. In such a case, Client will have fourteen (14) days from the date of receipt of the notice to approve or reject the change. In the event of no response from Client, the sub-processor will be deemed accepted. If Client rejects the replacement sub-processor, Tencent may terminate the Agreement with immediate effect on written notice to Client.
• 2.12In the event that Tencent engages a sub-processor for carrying out specific processing activities on behalf of Client, where that sub-processor fails to fulfil its data protection obligations, Tencent will remain fully liable under the Data Protection Legislation to Client for the performance of that sub-processor’s obligations.
• 2.13Tencent will make available to the Client all information which the Client reasonably requests to allow the Client to demonstrate that the obligations set out in Article 28 of the GDPR relating to the appointment of processors have been met. Tencent will allow the Client and its respective auditors to conduct audits or inspections during the term of the Agreement and provide all reasonable assistance in order to assist Client in exercising its audit rights under this Clause 2.13, provided always that:

• • (a) such audit shall be at Client’s expense, and only after the parties come to an agreement on the scope of the audit in accordance with the applicable Data Protection Legislation. Alternatively, Tencent may arrange for a qualified and independent auditor to conduct an assessment of Tencent’s compliance of the obligations under these Clauses [2.4 to 2.13] in which case Tencent shall provide a report of such assessment to Client upon reasonable request;

  • (b) if Client’s request for information or access relates to a sub-processor, or information held by a sub-processor which Tencent cannot provide to Client itself, Tencent will promptly submit a request for additional information in writing to the relevant sub-processor(s). Client acknowledges that access to the sub-processor's premises or to information about the sub-processor's previous independent audit reports is subject to agreement from the relevant sub-processor, and that Tencent cannot guarantee access to that sub-processor's premises or audit information at any particular time, or at all; and

  • (c) the purposes of an audit pursuant to this Clause 2.13 include verifying that Tencent and its sub-processors are processing personal data in accordance with the obligations under these Clauses [2.4 to 2.13].

• 2.14At the end of the Services, upon Client's request, Tencent shall securely destroy or return such personal data to Client and delete existing copies unless applicable laws require storage of such personal data.

• 3.Standard Contractual Clauses

• 3.1Tencent shall not, and shall ensure that none of its affiliates or contractors, transfer, access or use EU, Swiss or UK personal data outside of the Protected Area without Client’s prior authorisation. Client agrees to authorise the transfers set out at Schedule 3 of this DPA and Tencent and Client agree to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this DPA, with Client as the ‘data exporter’ and Tencent as the ‘data importer’. The parties signature and dating of the DPA shall be deemed to be the signature and dating of the Standard Contractual Clauses and with the Annexes and/ or Appendices to the Standard Contractual Clauses being as set out in Schedule 3 to this DPA.
• 3.2For the purposes of the EU Standard Contractual Clauses, the following shall apply:

• • (a) Clause 9 option 2: general written authorisation for sub-processors and the parties agree that the time period for the data importer to inform the data exporter in writing of any intended changes to the agreed list of sub-processors shall be fourteen (14) days;

  • (b) Clause 17 (Governing law): the clauses shall be governed by the laws of the Netherlands;

  • (c) Clause 18 (Choice of forum and jurisdiction) the courts of the Netherlands shall have jurisdiction.

• 3.3In the event that a relevant European Commission decision or other valid adequacy method under applicable Data Protection Legislation on which the Client has relied in authorising the data transfer is held to be invalid, or that any supervisory authority requires transfers of personal data made pursuant to such decision to be suspended, then the parties agree to discuss in good faith and facilitate use of an alternative transfer mechanism.

• 4.Termination

• 4.1This DPA shall otherwise continue in full force and effect until expiry or termination of the Agreement
• 4.2Termination of this DPA shall not affect the accrued rights, remedies, obligations or liabilities of the parties existing at termination.
• 4.3Any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after termination of this DPA shall remain in full force and effect.

SCHEDULE 1
DATA PROCESSING INFORMATION

Nature and purpose of processing operations

The personal data will be processed as follows:

For the provision of survey platform and related online services by Tencent to the Client and other purposes related or incidental thereto.

Categories of data subject

The personal data concern the following categories of data subjects:

Respondent, individual who receives a survey, form or questionnaire created by the Client and provided on the survey platform powered by Tencent.

Categories of data

The personal data concern the following categories of data:

• Survey Response Data, information provided by Respondent through responding to a survey, filling out a form, submitting an application to the Client using survey platform powered by Tencent.

Duration of Processing

The personal data shall be processed for the term of the Agreement or for such longer or shorter period as Tencent provides data processing services under the Agreement.

SCHEDULE 2
TECHNICAL AND ORGANISATIONAL MEASURES

Data security. Tencent adopts the following measures to protect Client’s data against unauthorised access:

• - standards for data categorisation and classification;

• - a set of authentication and access control capabilities at the physical, network, system and application levels; and

• - a mechanism for detecting big data-based abnormal behaviour.

Network security. Tencent implements stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.

Physical and environmental security. Stringent infrastructure and environment access controls have been implemented for Tencent’s data centers based on relevant regional security requirements. An access control matrix is established, based on the types of data center personnel and their respective access privileges, to ensure effective management and control of access and operations by data center personnel.

Incident management. Tencent operates active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.

Compliance with standards. We comply with the standards listed in our Compliance Center page (https://www.tencentcloud.com/services/compliance), and as updated from time to time.

SCHEDULE 3
ANNEXES TO THE EU SCCS AND APPENDICES TO THE UK SCCS

Annex I/ Appendix 1:

A: LIST OF PARTIES

Data exporter(s):

• Name: The Client

• Address: As detailed in the communications between us from time to time.

• Contact person’s name, position and contact details: As detailed in the communications between us from time to time.

• Activities relevant to the data transferred under these Clauses: Receipt of the Services

• Role (controller/processor): Controller

Data importer(s):

• Name: Tencent

• Address: 10 Anson Road, #21-07, International Plaza, Singapore 079903

• Contact person’s name, position and contact details: Terry Gao, Data Protection Officer, dpo_wesurvey@tencent.com

• Activities relevant to the data transferred under these Clauses: Provision of the Services

• Role (controller/processor): Processor

B: DESCRIPTION OF TRANSFER

MODULE TWO: CONTROLLER TO PROCESSOR