Global Data Protection Exhibit
This Data Privacy and Security Exhibit ("Data Protection Exhibit") forms part of the Temu Seller Services Agreement entered into between Whaleco Inc. (“Temu”) and the seller using Temu Platform (as defined in the Agreement) (“Seller”) (each a "Party" and together the "Parties") (Temu Seller Services Agreement together with the Data Protection Exhibit, collectively referred to as the "Agreement"), under which the Seller agrees to undertake various activities in connection with its sales and promotions on the Temu Platform (the "Services").
For the purposes of this Data Protection Exhibit, and except where indicated otherwise, the term “Temu” shall include Temu and/or its Affiliates, if and to the extent Seller processes Personal Data in connection with this Agreement for which any such Affiliate qualifies as the data controller or a data processor acting on behalf of Temu or an Affiliate. All capitalised terms that are not expressly defined in this Data Protection Exhibit will have the meanings given to them in the Agreement.
For the purposes of providing the Services to Temu and/or its Affiliates, Seller may have access to, or be provided with, Personal Data that is subject to Data Protection Laws and in relation to which Temu is subject to certain obligations. This Data Protection Exhibit assists Temu in complying with its obligations when providing or allowing access to Personal Data by Seller.
In consideration of the mutual promises set out in this Data Protection Exhibit, Parties agree as follows:
1. Definitions
1.1 For the purposes of this Data Protection Exhibit:
“Affiliate” means, in relation to an entity, another entity from time to time Controlling, Controlled by, or under common Control with that entity. For the purposes of this definition, "Control" means, with regard to an entity, the legal, beneficial or equitable ownership, directly or indirectly, of 50% or more of the capital stock (or other ownership interest, if not a corporation) of such entity ordinarily having voting rights, or the equivalent rights under contract, to control management decisions with regard to relevant subjects, and "Controlled" and "Controlling" will have corresponding meanings.
“C-to-C Transfer Clauses” means Sections I, II, III and IV (as applicable) in so far as they relate to Module One (Controller-to-Controller) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"C-to-P Transfer Clauses" means the Sections I, II, III and IV (as applicable) in so far as they relate to Module Two (Controller-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"Data Protection Laws" means all laws and regulations that apply to the processing of Personal Data under the Agreement as amended from time to time, including, but not limited to, the GDPR, the Data Protection Act 2018, any successor thereto, and any applicable laws and regulations of the United Kingdom (“UK”), United States and its states, Switzerland, Japan, Korea, European Union and its member states.
“Data Subject Request” means an actual or purported request, notice, or complaint from (or on behalf of) a data subject exercising his or her rights under Data Protection Laws.
“P-to-C Transfer Clauses” means Sections I, II, III and IV (as applicable) in so far as they relate to Module Four (Processor-to-Controller) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“P-to-P Transfer Clauses” means Sections I, II, III and IV (as applicable) in so far as they relate to Module Three (Processor-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"Personal Data" means any information relating to an identified or identifiable natural person or household. “Personal Data” shall include analogous terms under Data Protection Laws.
“Regulator” means any independent public authority, including any regulator or supervisory authority, established under the laws of any applicable jurisdiction responsible for the monitoring and application of Data Protection Laws.
“Regulator Correspondence” means any correspondence or communication received from a Regulator relating to Personal Data.
“Third-Party Request” means a written request from any third party for the disclosure of Personal Data, where compliance with such a request is required or purported to be required by applicable law or regulation.
"special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meaning as in the GDPR, and shall include analogous terms under Data Protection Laws.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) including as implemented or adopted under the laws of the United Kingdom.
"subprocessor" means any processor engaged by the Seller or by any other subprocessor of the Seller, which agrees to receive from the Seller, or from any other subprocessor of the Seller, Personal Data exclusively with the intention for processing activities to be carried out on behalf of Temu and in accordance with its instructions, the terms of this Data Protection Exhibit and the terms of the written subcontract.
“Transfer Clauses” means either the C-to-C Transfer Clauses, the C-to-P Transfer Clauses, the P-to-C Transfer Clauses, or the P-to-P Transfer Clauses, as the case may be.
1.2 In this Data Protection Exhibit:
(a) a reference to a Clause, Schedule or Appendix is, unless stated otherwise, a reference to a Clause, Schedule or Appendix to this Data Protection Exhibit; and
(b) unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
2. Details of the processing activities
2.1 Seller agrees that:
(a) Temu may provide Personal Data to Seller for processing pursuant to this Agreement; and
(b) In relation to the Personal Data, the Temu entity that is Party to the Agreement shall be the controller or processor acting on behalf of a Temu Affiliate that is a controller, and Seller shall be the processor or subprocessor, respectively, of the Personal Data processed by Seller under this Agreement.
2.2 The subject-matter of the data processing is the provision of the Services and the processing will be carried out for the duration of the Agreement. Appendix 1 of the Data Protection Exhibit, as applicable, sets out the nature and purpose of the processing, the types of Personal Data that Seller processes, and the categories of data subjects whose Personal Data is processed. Notwithstanding any contrary provision in this Data Protection Exhibit, Temu shall be permitted to make amendments to the details of processing provided in Appendix 1 on written notice to Seller.
2.3 The Parties agree to comply with this Data Protection Exhibit and their respective obligations under Data Protection Laws in respect of the Personal Data. This Data Protection Exhibit is in addition to, and does not relieve, remove or replace, a Party's obligations or rights under Data Protection Laws.
3. Obligations of the Seller
3.1 The Seller agrees and warrants:
(a) to process Personal Data only:
(i) on behalf of Temu and in accordance with its documented instructions (including with regard to transfers of Personal Data to a third country or international organisations), unless otherwise required by Data Protection Laws to which the Seller is subject. This Data Protection Exhibit is a complete expression of such instructions as at the date of this Data Protection Exhibit. If Temu has additional instructions (“Additional Instructions'') after the date of this Data Protection Exhibit, Temu will inform Seller of such Additional Instructions. All Additional Instructions will be binding on Seller. By entering into the Agreement, Temu instructs Seller to process Personal Data in accordance with this Data Protection Exhibit and to perform its other obligations and exercise its rights under the Agreement in accordance with this Data Protection Exhibit;
(ii) for the purpose of carrying out the Services or as otherwise instructed by Temu, and not for the Seller's own purposes; and
(iii) in compliance with this Data Protection Exhibit.
(b) that if it is legally required to process Personal Data otherwise than as instructed by Temu, it shall notify Temu before such processing occurs, unless the law requiring such processing prohibits the Seller from providing such notification to Temu on an important ground of public interest, in which case it shall notify Temu as soon as that law permits it to do so.
(c) not to assume any responsibility for determining the purposes for which and the manner in which Personal Data is processed.
(d) that it has no reason to believe that any legislation applicable to it prevents it from fulfilling either the instructions received from Temu or its obligations under this Data Protection Exhibit; provided, however, that Seller shall promptly inform Temu if Seller believes that (i) an instruction of Temu regarding the processing of Personal Data infringes on Data Protection Law, or (ii) Seller can no longer comply with Data Protection Law with respect to its processing of Personal Data, in which case Temu may take all reasonable and appropriate steps to prevent, stop, or remediate any unauthorized processing of Personal Data.
(e) that it has implemented and will maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access and, in particular, where the processing involves the transmission of data over a network, against all other unlawful forms of processing. Having regard to the state of the art and cost of their implementation, the Seller agrees that such measures shall be in accordance with best industry practice and shall ensure a level of security appropriate to the risks represented by the processing and the nature of Personal Data to be protected and will at a minimum include those measures described in Appendix 2 (the “Security Measures”). Seller may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Personal Data.
(f) that it will treat all Personal Data as confidential information and not disclose such confidential information without Temu’s prior written consent except:
(i) to those subprocessors listed in Annex 4 to this Data Protection Exhibit;
(ii) to those of its personnel who need to know the confidential information in order to carry out the Services; and
(iii) where it is required by a court to disclose Personal Data, or there is a statutory obligation to do so, but only to the minimum extent necessary to comply with such court order or statutory obligation.
(g) to take reasonable steps to ensure that its personnel who have access to the Personal Data:
(i) are reliable;
(ii) are both (i) informed of the confidential nature of the Personal Data and obliged to keep such Personal Data confidential and (ii) either subject to appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality; and
(iii) are aware of and comply with the Seller´s duties and their personal duties and obligations under this Data Protection Exhibit.
(h) that it will promptly notify Temu about:
(i) any instruction which, in its opinion, infringes Data Protection Laws;
(ii) any complaint, communication or request received directly by the Seller or a subprocessor from a data subject and pertaining to their personal data, without responding to that request unless it has been otherwise authorised to do so by Temu; and
(iii) any change in legislation applicable to the Seller or a subprocessor which is likely to have a substantial adverse effect on the warranties and obligations in this Data Protection Exhibit.
(i) that it will notify Temu immediately, but no later than twenty-four (24) hours, after Seller becomes aware of any actual or suspected security breach, unauthorised access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of Personal Data processed by Seller or a subprocessor ("Security Incident"). Any such notification by Seller to Temu of a Security Incident will contain the following information to the extent that Seller has details regarding the same: (i) a description of the nature of the Security Incident (including, where possible, the categories and approximate number of both the data subjects and the data records concerned); (ii) the details of a contact point where more information concerning the Security Incident can be obtained; and (iii) its likely consequences and the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects. Temu agrees that Seller may provide the foregoing information in phases, without undue delay, as it becomes available. Seller will, to the extent reasonably necessary, cooperate and assist with Temu’s investigation of the Security Incident, including any relevant notifications to Regulators and affected data subjects, and will take commercially reasonable steps to remediate the cause to the extent the remediation is within Seller’s control.
(j) that upon discovery of any Security Incident, it shall:
(i) immediately take action to prevent any further Security Incident; and
(ii) provide Temu with full and prompt cooperation and assistance in relation to any notifications that Temu is required to make as a result of the Security Incident.
(k) taking into account the nature of the processing of Personal Data, to provide Temu with assistance reasonably necessary for Temu to perform its obligations under Data Protection Laws to fulfil Data Subject Requests with respect to Personal Data in Seller’s possession or control;
(l) that if Seller receives a Data Subject Request, it shall (i) promptly notify Temu; and (ii) advise the data subject to submit the request to Temu, and Temu will be responsible for responding to any such request. Seller will not respond to a Data Subject Request without Temu’s prior authorization, unless legally compelled to do so. If Seller is required to respond to such a Data Subject Request, Seller will promptly notify Temu and provide Temu with a copy of the request, unless legally prohibited from doing so.
(m) that, where applicable and upon Temu’s request, Seller will provide Temu with reasonable cooperation and assistance needed to fulfil Temu’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Temu’s processing of Personal Data relating to the Agreement. Seller will provide reasonable assistance to Temu in the cooperation or prior consultation with the Regulator, to the extent required under Data Protection Laws.
(n) to appoint, and identify to Temu, an individual to support Temu in monitoring compliance with this Data Protection Exhibit, and to make available to Temu upon request all information and evidence necessary to demonstrate that the Seller is complying with its obligations under this Data Protection Exhibit and, where applicable, GDPR Article 28.
(o) at the request of Temu, to submit its data processing facilities, and procure that the data processing facilities of any subprocessor that is subcontracted pursuant to Clause 3.1(p) and relevant to the Security Incident above are submitted, for audits and inspections of the processing activities covered by this Data Protection Exhibit, or by any written agreement with the subprocessor (as applicable), which shall be carried out by Temu or any independent or impartial inspection agents or auditors selected by Temu and not reasonably objected to by the Seller. Such audits shall be conducted in accordance with the provisions of Section 10 of this Data Protection Exhibit.
(p) that it shall not subcontract any of its processing operations under this Data Protection Exhibit unless
(i) The Seller has Temu’s general authorisation for the engagement of sub-processor(s) from an agreed list. The Seller shall specifically inform Temu in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving Temu sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The Seller shall provide Temu with the information necessary to enable Temu to exercise its right to object; and
(ii) the subprocessor is subject to a written agreement which imposes the same obligations on that subprocessor as are imposed on the Seller under this Data Protection Exhibit. This does not preclude Seller and the subprocessor from adding clauses on business-related issues where required as long as they do not contradict the Agreement or this Data Protection Exhibit.
(q) upon request, to promptly send a copy of any agreement it concludes with a subprocessor relating to Personal Data to Temu.
(r) to process Personal Data in compliance with and subject to the same level of protection as required under Data Protection Law.
(s) to ensure that Personal Data received pursuant to the Agreement is segregated from all other Personal Data Processed by the Seller.
(t) that Seller shall not:
(i) sell any Personal Data;
(ii) retain, use, share or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services under the Agreement;
(iii) use Personal Data for profiling, targeting, analytics or data harvesting;
(iv) do anything to cause Temu to be in breach of Data Protection Laws; or
(v) combine Personal Data received pursuant to this Agreement with Personal Data (i) received from or on behalf of another person, or (ii) collected from Seller’s own interaction with any data subject to whom such Personal Data pertains, except as and to the extent necessary as a part of Seller’s provision of the Services under the Agreement.
(u) that Seller shall promptly notify Temu upon receipt of any Regulator Correspondence or Third-Party Request relating to Personal Data, unless Seller is prohibited from so notifying Temu by applicable law. Seller will not disclose any Personal Data in response to such Regulator Correspondence or Third-Party Request without first consulting with, and obtaining, Temu’s prior written authorization, unless legally compelled to do so, in which case Seller will use reasonable endeavors to: (i) challenge or narrow such request to the greatest extent reasonably possible under law, including by litigation; and (ii) advise Temu in advance of such disclosure and in any event as soon as practicable thereafter.
(v) to comply with any relevant policies and procedures notified to them by Temu from time to time, as may be reasonable and appropriate.
4. Subprocessors
4.1 Subject to the other provisions of the Agreement, and subject to Seller’s compliance with any procedures in place from time to time in relation to the appointment of subprocessors, Temu authorizes the engagement of subprocessors set out in Annex 4 to this Data Protection Exhibit.
4.2 Information about current subprocessors, including their functions and locations, is available in Annex 4 to this Data Protection Exhibit.
4.3 Seller shall comply with any procedures in place from time to time in relation to the appointment of subprocessors. When engaging any subprocessor, Seller will enter into a written contract with such subprocessor containing data protection obligations not less protective than those imposed on Seller by this Data Protection Exhibit with respect to Personal Data to the extent applicable to the nature of the services provided by such subprocessor. Seller shall be liable for all obligations subcontracted to, and all acts and omissions of, the subprocessor.
4.4 When Seller engages any new subprocessor, other than those listed in Annex 4 to this Data Protection Exhibit, after the effective date of the Agreement, Seller will notify Temu in writing of the proposed engagement (including the name and location of the relevant subprocessor and the activities it will perform) at least 30 (thirty) days in advance. If Temu objects to such engagement in a written notice to Seller within 30 (thirty) days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, such proposed new subprocessor shall not be permitted to process Personal Data.
5. Jurisdiction-Specific Provisions; Transfer Clauses
5.1 The Parties will comply with the provisions of Appendix 3 to this Data Protection Exhibit, to the extent required by Data Protection Laws. In the event of any conflict between any applicable provisions of Appendix 3 and the Data Protection Exhibit, the applicable provisions in Appendix 3 will prevail. In the event that Data Protection Laws require additional or different terms to be executed between the Parties, Temu may, by providing notice to Seller, amend Appendix 3 where such amendments are reasonably necessary to address the requirements of Data Protection Laws. Upon receipt of notice under this Section 5.1, Seller shall have thirty (30) days to submit to Temu a written objection to the proposed amendment on reasonable grounds, otherwise the proposed amendment shall be deemed effective between the Parties.
5.2 Subject to Section 5.1, in the event that the Transfer Clauses in Appendix 3 are amended, replaced, or repealed by the European Commission, the United Kingdom, or under Data Protection Law, the Parties shall work together in good faith to enter into an updated version of the Transfer Clauses (to the extent required), or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Data Protection Law.
5.3 The Transfer Clauses will not apply to transfers of Personal Data where Seller has adopted an alternative recognized compliance mechanism for the lawful transfer of such Personal Data, such as the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, or the UK Extension to the EU-U.S. Data Privacy Framework, as applicable and to the extent valid (“Data Privacy Framework”). Where Seller has a valid certification to the applicable Data Privacy Framework, the Parties agree that such transfer will be made in reliance on the Data Privacy Framework and that Seller will process Personal Data in compliance with the Data Privacy Framework principles.
5.4 Temu shall be entitled, at no cost to itself, to suspend, or require Seller to suspend, any transfers of Personal Data which do not comply or which cease to comply with the provisions of this Section 5.
5.5 Seller warrants and undertakes that it shall not transfer, nor allow its subprocessors to transfer, Personal Data outside of the Seller’s jurisdiction, unless it has specific authorization from Temu to do so. For transfers of Personal Data under the Agreement by Seller or its subprocessors to other countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws (which, for the avoidance of doubt, may include transfers from the European Economic Area to the UK), Seller acknowledges and agrees that Seller has implemented, and will implement, all transfer mechanisms required to comply with Data Protection Laws and shall ensure such compliance by its subprocessors, including entering into, or procuring that such subprocessors enter into, the P-to-P Transfer Clauses.
5.6 Seller will provide Temu reasonable support to enable Temu’s compliance with the requirements imposed on international transfers of Personal Data. Seller will, upon Temu’s request, provide information to Temu that is reasonably necessary for Temu to complete a transfer impact assessment ("TIA") to the extent required under Data Protection Laws.
6. Indemnity
6.1 The Seller agrees to indemnify and keep indemnified and defend at its own expense Temu against all costs, claims, damages or expenses incurred by Temu or for which Temu may become liable due to any failure by the Seller or its employees or agents to comply with any of its obligations under this Data Protection Exhibit.
7. Allocation of costs
7.1 Each Party shall perform its obligations under this Data Protection Exhibit at its own cost.
8. Governing Law
8.1 The governing law of this Data Protection Exhibit shall be the law set forth in the Agreement, except that the governing law for the purposes of Clause 17 of the Transfer Clauses shall be as set forth in Appendix 3.
9. Term and termination of the Services
9.1 The Parties agree that Personal Data will be processed by the Seller for the duration of the Services under the Agreement.
9.2 Temu is entitled to suspend and/or terminate the Agreement in so far as it relates to Personal Data by giving notice to the Seller if:
(a) the Seller commits any material breach of this Agreement; and
(b) Temu gives notices to the Seller to remedy the breach (or to the extent that the breach is not capable of remedy, to give compensation for it) and the Seller fails to do so within twenty-eight days of the notice.
9.3 In the event that Temu is entitled to exercise its termination rights under Clauses 14(f) or 16 of the Transfer Clauses, it shall also be entitled to terminate the Agreement.
9.4 The parties agree that upon termination of the Services, the Seller and all subprocessors shall, at the choice of Temu, return or delete all Personal Data and the copies thereof to Temu, and certify to Temu that it or they have done so, unless Data Protection Laws to which the Seller or a subprocessor are subject prevent the Seller or subprocessor from doing so. In such a case, the Seller warrants that it will continue to ensure compliance with this Data Protection Exhibit and the Transfer Clauses (as applicable) and will only process the Personal Data to the extent and for as long as required under that Data Protection Law, and will guarantee the return and/or deletion of the Personal Data as requested by Temu when the legal obligation to not return or delete the information is no longer in effect.
9.5 Upon request of Temu, the Seller will submit its data processing facilities for an audit of the measures referred to in Clause 9.4.
9.6 Notwithstanding termination of this Data Protection Exhibit, the provisions of Clauses 3 and 5 shall survive the termination of this Data Protection Exhibit and shall continue in full force and effect until all the Personal Data is returned or deleted in accordance with Clause 9.4.
10. Audits
10.1 Temu may audit Seller’s compliance with its obligations under this Data Protection Exhibit up to once per year and on such other occasions as may be required by Data Protection Laws.
10.2 Seller will contribute to such audits by providing Temu with the information and assistance reasonably necessary to conduct the audit. Seller agrees and acknowledges that a third party may be used to conduct (in whole or in part) such audits.
10.3 Nothing in this Section 10 shall require Seller to breach any duties of confidentiality.
10.4 Without prejudice to any other provision of this Data Protection Exhibit, if the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Temu’s audit request and Seller has confirmed that there have been no known material changes in the controls audited since the date of such report, Seller shall provide such reports to Temu.
10.5 The audit must be conducted during regular business hours of Seller and shall be subject to Seller’s reasonable safety and security policies.
10.6 Temu will notify Seller of any non-compliance discovered during the course of an audit and provide Seller with any audit reports generated in connection with any audit under this Section 10, unless prohibited by Data Protection Laws.
10.7 Without prejudice to any right of Seller to recover costs, damages or expenses relating to non-compliance, each Party shall meet its own costs arising from any audits or inspections carried out under this Section 10.
10.8 Notwithstanding the foregoing, if Seller requests an audit due to a Security Incident or reasonably suspected breach of Data Protection Laws or as required by a Regulator, Temu (or its representative) may perform such audit more than once annually, without the foregoing restrictions and any such audit shall be at Seller’s sole cost and expense.
11. Miscellaneous
11.1 In the event of inconsistencies between the provisions of this Data Protection Exhibit and other agreements (including the Agreement) between the Parties, the provisions of this Data Protection Exhibit shall prevail with regard to the Parties' data protection obligations relating to Personal Data. In cases of doubt, this Data Protection Exhibit shall prevail, in particular, where it cannot be clearly established whether a clause relates to a Party's data protection obligations.
11.2 Seller acknowledges and agrees that any Temu Affiliate acting as a data controller may enforce any of Temu’s rights or Seller’s obligations under this Data Protection Exhibit to the extent such Temu Affiliate reasonably deems necessary to comply with its obligations under Data Protection Laws.
11.3 Should any provision or condition of this Data Protection Exhibit be held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this Data Protection Exhibit shall remain valid. Such an invalidity, unlawfulness or unenforceability shall have no effect on the other provisions and conditions of this Data Protection Exhibit to the maximum extent permitted by law. The provision or condition affected shall be construed either:
(a) to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the Parties' intentions; or if that is not possible
(b) as if the invalid, unlawful or unenforceable part had never been contained in this Data Protection Exhibit.
11.4 Except as stated in Section 5.1, any amendments to this Data Protection Exhibit shall be in writing duly signed by authorised representatives of the Parties hereto.
11.5 Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the Parties acknowledge and agree that Seller’s access to Personal Data does not constitute part of the consideration exchanged by the Parties in respect of the Agreement.
11.6 Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Seller to Temu under this Data Protection Exhibit may be given:
(a) in accordance with any notice clause of the Agreement;
(b) to Temu’s primary points of contact with Seller; or
(c) to any email provided by Temu for the purpose of providing it with Services-related communications or alerts.
11.7 In the event of changes to Data Protection Laws, Seller will take, and will ensure its subprocessors take, such measures as required under Data Protection Laws to continue facilitating the lawful processing of Personal Data pursuant to the Agreement, this Data Protection Exhibit, and Data Protection Laws.
11.8 Notwithstanding anything to the contrary in the Agreement, Seller’s liability arising from this Data Protection Exhibit shall not be subject to any exclusions or limitations on liability that may be provided for elsewhere in the Agreement.
11.9 Seller will defend Temu from and against any claims, demands, suits, causes of action, proceedings, investigations or inquiries (“Claims”), and indemnify and hold Temu harmless from all losses, liabilities, damages, costs and expenses (including reasonable legal fees and fees related to any investigation or regulatory proceeding) (“Losses”) to the extent that the Claims or Losses arise out of, are in connection with, or relate to: (i) any breach by Seller of this Data Protection Exhibit; and/or (ii) Seller’s violation of any Data Protection Laws.
Appendix 1
Details of Processing Activities
This Appendix 1 forms part of the Data Protection Exhibit and also serves as Annex I to the Transfer Clauses, as applicable.
A. LIST OF PARTIES
Temu
Role (controller/processor): Temu
Seller
Role (processor): Seller
Which Party is the data exporter: [The data exporter is the entity that discloses data to the other entity, the data importer.]
Data exporter: Temu
Data importer: Seller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer.
Categories of personal data transferred
Name; Address; Contact details; Order information; Communication data; Product reviews; The return or refund reasons.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
continuous basis.
Nature of the processing
Receiving data, including accessing; Using data to perform the Services; Sharing data, including disclosure; Erasing data, including destruction and deletion.
Purpose(s) of the data transfer and further processing
For the purpose of facilitating the delivery services, product customization services and online instant communication services undertaken by the Seller under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement and operative time of this Data Protection Exhibit.
C. COMPETENT SUPERVISORY AUTHORITY (where required by Data Protection Laws)
The supervisory authority of the EU Member State where the data exporter is established or has appointed an EU representative. If there is no qualifying EU Member State, the Parties elect the supervisory authority of Ireland.
Appendix 2
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data
This Appendix 2 forms part of the Data Protection Exhibit and also serves as Annex II to the Transfer Clauses, to the extent applicable.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
1. Organisational management and dedicated staff responsible for the development, implementation and maintenance of the Provider’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Provider’s organisation, monitoring and maintaining compliance with the Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Provider’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Provider’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
7. Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of the Provider’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Provider’s possession.
9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Provider’s technology and information assets.
10. Incident management procedures are designed to allow the Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets.
11. Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
12. Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
Appendix 3
Jurisdiction-Specific Provisions
The terms below shall have the following meanings ascribed to them for the purposes of this Appendix 3:
“Data Exporter” means the Party transferring Personal Data outside of a country or, where there is no such transfer, the data controller; and
“Data Importer” means the Party receiving Personal Data subject to direct or onward transfer or, where there is no such transfer, the data processor.
I. European Economic Area
A. The terms below shall have the following meanings ascribed to them for the purposes of this Section I:
(a) “Europe” means the European Economic Area;
(b) “European Data Protection Laws” means any applicable laws of Europe that relate to the processing of Personal Data under this Agreement.
(c) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016.
B. To the extent that any Data Exporter transfers Personal Data subject to European Data Protection Laws, either directly or via onward transfer, to a Data Importer located in a country that does not ensure an adequate level of protection within the meaning of European Data Protection Laws, the Parties agree to the Transfer Clauses in accordance with the following:
(a) if the Data Exporter acts as a controller of Personal Data to be exported and the Data Importer acts as a processor of that Personal Data, the Data Exporter and Data Importer shall comply with the terms of the C-to-P Transfer Clauses, which are hereby incorporated into this Data Protection Exhibit by reference;
(b) if the Data Exporter is the processor of Personal Data to be exported and the Data Importer acts as a processor in respect of that Personal Data from time to time, the Data Exporter and Data Importer shall comply with the terms of the P-to-P Transfer Clauses, which are hereby incorporated into this Data Protection Exhibit by reference.
C. For the purposes of C-to-P Transfer Clauses or P-to-P Transfer Clauses, as the case may be, the following additional provisions shall apply:
(a) the names and addresses of those Data Exporter(s) and Data Importer(s) shall be considered to be incorporated into the Transfer Clauses;
(c) The Parties’ execution of this Data Protection Exhibit shall be considered as signature to the Transfer Clauses.
(d) Clause 7 (Docking Clause) shall apply.
(e) For purposes of the C-to-P Transfer Clauses, Option 2 under paragraph (a) of Clause 9 (Use of sub-processors) shall apply and “[Specify time period]” be replaced with “thirty (30) calendar days”.
(f) For purposes of the P-to-P Transfer Clauses, Option 2 under paragraph (a) of Clause 9 (Use of sub-processors) shall apply and “[Specify time period]” be replaced with “sixty (60) calendar days”.
(g) The option under Clause 11 (Redress) shall not apply.
(h) For the purposes of paragraph (a) of Clause 13 (Supervision), the Data Exporter shall be considered as established in an EU Member State.
(i) For the purposes of Clause 15(1)(c) (Obligations of the data importer in case of access by public authorities), Seller must provide the Customer with the requisite information relating to any Third-Party Request received by Seller at monthly intervals.
(j) The governing law for the purposes of Clause 17 (Governing law) shall be the law of Ireland.
(k) The courts under Clause 18 (Choice of forum and jurisdiction) shall be the courts of Ireland.
(l) The contents of Appendix 1 shall form Annex I to the Transfer Clauses.
(m) The Irish Data Protection Commission shall act as competent supervisory authority for the purposes of Annex I.C of the Transfer Clauses (Competent Supervisory Authority).
(n) The contents of Appendix 2 shall form Annex II of the Transfer Clauses (Technical and organisational measures including technical and organisational measures to ensure the security of the data).
II. Japan
A. The following provisions apply to all processing and transfers of Personal Data subject to Data Protection Laws of Japan.
B. For the avoidance of doubt, “Data Protection Laws” includes the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) (“APPI”).
C. Data Importer shall not process Personal Data for purposes other than those specified in Appendix 1, or as otherwise agreed by the Data Exporter and Data Importer (for the purpose of this section, the “Utilization Purposes”) without the prior written consent of the Data Exporter. Data Exporter represents that it has notified all applicable data subjects of the Utilization Purposes to the extent required by Data Protection Laws.
D. Data Importer and Data Exporter agree that Data Exporter shall collect all consents from data subjects required by Data Protection Laws, including without limitation for (1) the collection of any “Special Care-Required Personal Information” (as defined by Data Protection Laws) and (2) any disclosures of Personal Data made by Data Exporter to third parties, subject to Clause G below.
E. The Data Importer shall keep the Personal Data accurate and up-to-date within the scope necessary to achieve the Utilization Purposes, and shall delete any Personal Data that becomes unnecessary to achieve a Utilization Purpose or other legitimate business purpose. For the avoidance of doubt, it is not necessary to delete Personal Data where applicable laws require the Data Importer to retain it.
F. The Data Importer shall have in place appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, leakage, alteration, and unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
G. The Data Importer shall exercise the necessary and appropriate control and supervision over its officers, employees, and vendors to securely manage the Personal Data received.
H. The Data Importer shall not disclose Personal Data to any third party except: (i) where such disclosure, transfer or access is mandated by applicable law; or (ii) where Data Exporter consents to the disclosure of Personal Data to the third party; or (iii) as permitted in Clause H, below. In the event that Data Importer discloses Personal Data to a third party, Data Importer shall impose contractual obligations upon the third party that are no less restrictive than the terms set forth in this Data Protection Exhibit.
I. In the case where Data Importers entrust the handling of the Personal Data to a third party pursuant to Clause H above, they shall exercise necessary and appropriate control and supervision over the entrustees to ensure the safety of such Personal Data, as stated in Clause G above, and they shall require the entrustees comply with obligations equivalent to the obligations of the Data Importers under this Data Protection Exhibit, including the obligations in this section. The Data Importers shall be responsible for any breach by the entrustees (and any subsequent entrustee) of the obligations above. For clarity, Clause H shall apply to all third-party entrustees and subsequent third-party entrustees.
J. To the extent required by the APPI, upon request of the data subject, each Data Importer shall correct, add, or delete certain Personal Data if the data subject can show the contents of the Personal Data are incorrect. Each Data Importer shall promptly inform the data subject if it has corrected, added, or deleted Personal Data, or if it has determined it does not have to do so.
K. To the extent required by the APPI, upon request of the data subject, each Data Importer shall disclose the information on the Personal Data stipulated under the APPI, including (i) the contents of the retained Personal Data; (ii) the name of the Data Importer; (iii) the Utilization Purposes; (iv) the procedures for responding to a request for the Personal Data; and (v) the contact information data subjects should use to make claims regarding the handling of the Personal Data. Each Data Importer shall promptly inform the data subject if it has determined it does not have to provide requested information on the contents and/or the Utilization Purposes of the Personal Data.
L. To the extent required by the APPI, each Data Importer shall delete or stop utilizing the Personal Data if the data subject can show that the Data Importer is using or has used such Personal Data outside of the designated Utilization Purposes or if was acquired by improper means; provided, however, that it is not required where it would be unreasonably expensive or unreasonably difficult to do so and where alternative action which would protect the data subject’s interests can be taken. Each Data Importer shall promptly inform the data subject if it has deleted or stopped utilizing the Personal Data, or if it has determined it does not have to do so.
M. To the extent required by the APPI, each Data Importer shall stop providing Personal Data to a third party, if the Data Importer has provided it to a third party in violation of the restrictions related to the provisions of the Personal Data to a third party under the APPI; provided, however, that it is not required where it would be unreasonably expensive or unreasonably difficult to do so and where alternative action which would protect the data subject’s interests can be taken. Each Data Importer shall promptly inform the data subject if it has stopped providing the Personal Data, or if it has determined it does not have to do so.
N. If a Data Importer knows or should know that any Personal Data has been or is likely to be leaked, disclosed, accessed, destroyed, altered, lost, used without authorization, or otherwise handled in any way not permitted under this Data Protection Exhibit, regardless of whether or not the Data Importer is liable for such incidents, the Data Importer shall immediately inform the Data Exporter of the same in writing, and shall take any appropriate measures to prevent such incident from occurring, expanding, and recurring.
III. Korea
A. The following provisions apply to all processing and transfers of Personal Data subject to applicable laws in Korea. When processing Personal Data provided by or on behalf of Data Exporter:
(a) The scope, classification, purposes and details of the processing of the Personal Data shall be as described in Appendix 1, or as otherwise agreed by the Date Data Exporter and Data Importer.
(b) Data Importer shall limit access to Personal Data to those personnel who reasonably require such access for the purposes of the processing, and Data Importer shall establish and maintain safeguards as per Clause 3.1(e) of this Data Protection Exhibit, including: (i) internal procedures for secure handling of Personal Data; (ii) measures to prevent illegal access to Personal Data; (iii) measures to prevent falsification of alteration of access logs; (iv) measures to securely store and transmit Personal Data (including use of encryption technology and secure server); and (v) installation of intrusion detection software (vi) the installation and regular updating of antivirus software for monitoring for and responding to intrusions by computer viruses, spyware or other malicious programs; (vii) the establishment and operation of access control procedures with respect to physical storage locations; and (viii) other measures for the protection of Personal Data that may be required under relevant rules and regulations of Korean Data Protection Law from time to time (as applicable to an overseas transferee of Personal Data).
(c) Notwithstanding anything in this Data Protection Exhibit to the contrary, to the extent Data Importer discloses or transfers Personal Data to a third-party service provider, Data Importer shall inform Data Exporter reasonably in advance of such disclosure or transfer. Upon Data Exporter’s request, Data Importer shall provide the following information: (a) the processing activities to be subcontracted; (b) the identity of the third party service provider; and (c) any changes to (a) and (b).
(d) Notwithstanding anything in this Data Protection Exhibit to the contrary, Data Importer shall not disclose or transfer to any person or entity any Personal Data unless it obtains prior consent to transfer from relevant data subjects or otherwise does so in accordance with applicable provisions of Korean Data Protection Law.
(e) Data Importer shall establish and implement appropriate procedures for (i) the handling of complaints regarding invasions of privacy and (ii) the resolution of any disputes with data subjects.
(f) Data Importer shall be subject to (i) training and supervision by the Data Exporter with respect to the Data Importer’s handling of the Personal Data, and (ii) supervision and audit by relevant supervisory authorities.
IV. Switzerland
A. For the purposes of this Section V, the term “Swiss Data Protection Laws” means Switzerland’s Federal Act on Data Protection of June 19, 1992, the Ordinance to the Federal Act on Data Protection, and the Ordinance on Data Protection Certification, and all Swiss laws relating to the processing, privacy, protection, or use of Personal Data.
B. To the extent any Data Exporter transfers Personal Data subject to Swiss Data Protection Laws, either directly or via onward transfer, to a Data Importer located in a country that does not ensure an adequate level of protection within the meaning of Swiss Data Protection Laws, the Parties agree to the Transfer Clauses in accordance with Section I of this Appendix 3 as supplemented by Clause C of this Section V.
C. The following additional provisions shall apply so that the Transfer Clauses are suitable for providing an adequate level of protection for such transfer under Swiss Data Protection Laws:
(a) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
(b) “Revised FADP” means the revised version of the Federal Act of Data Protection (“FADP”) of 25 September 2020, which is scheduled to come into force on 1 January 2023.
(c) The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
(d) The Transfer Clauses also protect the data of legal entities until the entry into force of the Revised FADP.
(e) The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.
V. United Kingdom
A. The terms below shall have the following meanings ascribed to them for the purposes of this Section:
(a) “UK” means the United Kingdom.
(b) “UK Data Protection Laws” means the UK GDPR, Data Protection Act of 2018, and all UK laws relating to the processing, privacy, protection, or use of Personal Data.
(c) “UK GDPR” means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
B. To the extent any Data Exporter transfers Personal Data subject to UK Data Protection Laws, either directly or via onward transfer, to a Data Importer located in a country that does not ensure an adequate level of protection within the meaning of UK Data Protection Laws, the Parties agree to the Transfer Clauses in accordance with Section I of this Appendix 3 as supplemented by Clause C of this Section VI.
C. The following additional provisions shall apply so that the Transfer Clauses are suitable for providing an adequate level of protection for such transfer under UK Data Protection Laws:
(a) Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses ("Approved Addendum") shall apply.
(b) The information required by Part 1 of the Approved Addendum is set out in Appendix 1 of this Data Protection Exhibit.
(c) With respect to Section 19 of the Approved Addendum, in the event the Approved Addendum changes, neither Party may end the Approved Addendum except as provided for in the Approved Addendum or the Agreement.
VI. United States
A. The following provisions apply to the provision of Personal Data from one Party (“Disclosing Party”) to another Party (“Recipient”) that is subject to Data Protection Laws of the United States (which includes the laws of any state of the United States, including without limitation the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”), each as amended or supplemented from time to time) (“US Personal Information”).
B. To the extent the Disclosing Party discloses Deidentified data (as that term is defined under Data Protection Laws) originally derived from US Personal Information to Recipient, or to the extent Recipient creates Deidentified data from US Personal Information received from or on behalf of the Disclosing Party, Recipient shall:
(a) adopt reasonable measures to prevent such Deidentified data from being used to infer information about, or otherwise being associated with, a particular natural person or, where required by Data Protection Laws, a household;
(b) publicly commit to maintain and use such Deidentified data in a deidentified form and to not attempt to re-identify the Deidentified data, except that Recipient may attempt to re-identify the data solely for the purpose of determining whether its deidentification processes satisfy the requirements of Data Protection Laws, as applicable; and
(c) contractually obligate any recipients of the Deidentified data, including sub-processors, contractors, and other third parties, to comply with the provisions of this Section.
C. Where the Disclosing Party acts as a Business (as that with respect to US Personal Information subject to the CCPA (“California Personal Information”) and Recipient acts as a Service Provider of such US Personal Information (as the terms “Business” and “Service Provider” are defined under CCPA):
(a) Recipient agrees that it processes California Personal Information as a Service Provider when providing the Services;
(b) Recipient acknowledges that the Disclosing Party is disclosing California Personal Information in connection with the Agreement only for the limited and specific purposes of receiving the Services;
(c) Recipient shall (a) retain, use, disclose, or otherwise process California Personal Information solely on behalf of the Disclosing Party for the specific purpose of providing the Services or as otherwise required by law; (b) process California Personal Information at all times in compliance with the CCPA and the Agreement; and (3) provide the same level of privacy protection as is required by the CCPA;
(d) Recipient shall not: (a) retain, use, disclose, or otherwise process California Personal Information except as necessary to provide the Services or as otherwise required by law; (b) sell or share California Personal Information (as “sell” and “share” are defined under CCPA); (c) process California Personal Information in any manner outside of the direct business relationship between Disclosing Party and Recipient; or (d) combine any California Personal Information with Personal Information that it receives from or on behalf of any other third party or its interactions with Consumers (as “Consumers” is defined under CCPA), provided that Recipient may so combine California Personal Information for a Business Purpose (as defined under CCPA) if directed to do so by the Disclosing Party or as otherwise expressly permitted by the CCPA;
(e) Recipient agrees to cooperate with any reasonable and appropriate audits, inspections, or other steps that the Disclosing Party deems reasonably necessary to confirm that Recipient processes California Personal Information in a manner consistent with the Disclosing Party’s obligations under the CCPA;
(f) Disclosing Party may, upon reasonable notice to Recipient, take all reasonable and appropriate steps to prevent, stop, or remediate any unauthorized processing of California Personal Information; and
(g) Recipient agrees to immediately notify Disclosing Party in writing if it can no longer comply with the CCPA or its obligations under this Agreement.
Appendix 4
List of Subprocessors
Temu authorizes Seller to engage the subprocessors for the purpose of providing the Services under the Agreement. For the avoidance of doubt, the list of subprocessors will be provided by the Seller through electronic means approved by Temu.