TikTok
Global Data Sharing Research Appendix

This data sharing appendix (this “DSA”) is entered into not only by the parties to the agreement in which this appendix is incorporated (the "Agreement") but also by TikTok Pte. Ltd., 1 Raffles Quay, #26-10, South Tower, Singapore 048583 ("TikTok Singapore"), TikTok Technology Limited, of 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, ("TikTok Ireland") and TikTok Information Technologies UK Limited, of c/o WeWork, 125 Kingsway, London, WC2B 6NH, England, ("TikTok UK"). Together, TikTok Inc, TikTok Singapore, TikTok Ireland and TikTok UK are referred to in this DSA as "TikTok Group".


Introduction:

(A) As a technology company with an extensive global reach, TikTok Group is committed to ensuring the safety and security of Personal Data in particular when shared with business partners.

(B) The purpose of this DSA is to ensure that TikTok Group has in place a lawful mechanism and appropriate safeguards to permit and protect any transfers of data with business partners.

(C) To ensure compliance with Applicable Data Protection Laws, this DSA sets out the data protection terms that will apply when TikTok Group shares Personal Data with Researcher under the Agreement.


Particulars:

The following sets out a summary of the data being shared under this DSA, and its basis for sharing:

  • The researcher is a Controller under GDPR
  • The researcher is a Third Party under The California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code § 1798.100 et. seq.),
  • The researcher is a Controller under the Colorado Privacy Act (“CPA”) (Colo. Rev. Stat. Ann. § 6-1-1201 et. seq.), Connecticut Data Privacy Act (“CTDPA”) (Conn. Public Act No. 22-15), Utah Consumer Privacy Act (“UCPA”) (Utah Code Ann. § 13-61-101 et. seq.), Virginia Consumer Data Protection Act (“VCDPA”) (VA. Code Ann. § 59-1-571 et. seq.).


TERMS


  1. DEFINITIONS

    1.1 In this DSA, the following terms shall have the following meanings:

    • “Applicable Data Protection Law” means any and all applicable privacy and data protection laws that apply to the Processing of the Personal Data in question.
    • “Data Subject” means: (a) an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and (b) any person who falls within the scope of a "data subject" (or any materially similar or analogous concept or definition) under Applicable Data Protection Laws.
    • “Effective Date” means the date on which this DSA takes effect, being the date of this DSA.
    • “Minimum Security Measures” means the technical and organisational security measures with which Researcher must comply, as set out in Schedule C.
    • “Personal Data” means (a) any information relating to a Data Subject; and (b) any information which falls within the scope of "personal data", "personal information" or "personally identifiable information" (or any materially similar or analogous concept or definition) under Applicable Data Protection Laws. The Personal Data that is transferred pursuant to this DSA shall be as set out in the Agreement.
    • “Processing” (and “Process” and “Processed”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.


    1.2 In this DSA, (a) references to a statutory provision include any subordinate legislation made from time to time under that provision; (b) references to this DSA include the Schedules; (c) headings shall be ignored for the purposes of interpreting this DSA; (d) if a word or phrase is defined, its other grammatical forms have a corresponding meaning; and (e) the words “include”, “includes” and “including” and any succeeding words shall be construed without limitation to the generality of any preceding words or concepts.


    1.3 If there is any inconsistency between this DSA and the main part of the Agreement, this DSA shall take precedence. If there is any inconsistency between the Terms and the Schedules to this DSA, the Schedules shall take precedence.


  2. TikTok Group OBLIGATIONS

    2.1 TikTok Group shall comply with Applicable Data Protection Law at all times when transferring Personal Data to Researcher. This shall include, if and to the extent required by Applicable Data Protection Law, entering into such supplemental data transfer terms with Researcher as may be required by Applicable Data Protection Law (and, in the event of any conflict between any such supplemental data transfer terms and this DSA, those supplemental data transfer terms shall prevail).


  3. RESEARCHER OBLIGATIONS

    3.1 Researcher shall:

    (a) comply with Applicable Data Protection Law at all times when Processing the Personal Data that is transferred by TikTok Group, including providing the same level of privacy protection required of TikTok Group under Applicable Data Protection Law;

    (b) Process the Personal Data only for the purpose(s) for which it was transferred by TikTok Group described in Schedule B of this DSA, unless required otherwise by Applicable Data Protection Law. If Researcher cannot do so for whatever reason, it will promptly inform TikTok Group and TikTok Group is entitled to suspend the transfer of Personal Data;

    (c) ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

    (d) implement technical and organisational security measures to protect the Personal Data it receives in accordance with Applicable Data Protection Law. Such measures shall, at a minimum, include the Minimum Security Measures;

    (e) grant TikTok Group the right to take reasonable and appropriate steps to ensure that Researcher uses the Personal Data in a manner consistent with TikTok Group's obligations under Applicable Data Protection Law and promptly carry out any actions which are reasonably necessary for TikTok Group to comply with its obligations under Applicable Data Protection Law, including but not limited to cooperating with TikTok Group as necessary to fulfil the exercise of Data Subjects' rights laid down in Applicable Data Protection Law (regardless of whether any such rights are exercised against TikTok Group or Researcher);

    (f) grant TikTok Group the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of the Personal Data;

    (g) notify TikTok Group without undue delay, and in any event within 24 hours, in the event of a Security Incident affecting Personal Data Processed by Researcher, such notification to include all known details relating to the Security Incident;

    (h) on written request from TikTok Group from time to time, make available to TikTok Group (and any competent data protection authority) all information necessary to demonstrate compliance with Applicable Data Protection Law;

    (i) notify TikTok Group without undue delay in the event of i) any regulatory investigation/enquiry against Researcher with respect to the Personal Data or ii) any request for disclosure of Personal Data by a regulator, government agency, or law enforcement authority, unless otherwise prohibited by Applicable Data Protection Law to preserve the confidentiality of an investigation;

    (j) notify TikTok Group without any undue delay if Researcher makes a determination that it can no longer meet its obligations under Applicable Data Protection Law;

    (k) not i) transfer the Personal Data to any other person without the prior written consent of TikTok Group which may involve further contractual commitments or ii) sell or share the Personal Data for cross-context behavioral advertising; and

    (l) immediately inform TikTok Group if it becomes aware that the laws applicable to Researcher will have a substantial adverse effect on Researcher's ability to protect the Personal Data in accordance with this DSA.


  4. SPECIFIC JURISDICTIONAL PROVISIONS

    4.1 Schedule A (Specific Jurisdictional Provisions) contains one or more sub-schedules that set out specific local law requirements that may apply to transfers under this DSA from, to or within specific jurisdictions.

    4.2 Where and to the extent that any of the local law requirements set out in the sub-schedules to Schedule A apply, TikTok Group and/or Researcher (as applicable) must comply with them, and such local law requirements shall prevail over the provisions set out in the body of this DSA if and to the extent any conflict arises (unless the provisions set out in the body of this DSA are more protective of the Personal Data, in which event those provisions shall continue to apply).


  5. COMMENCEMENT, SUSPENSION AND TERMINATION

    5.1 This DSA shall enter into effect on the Effective Date and continue indefinitely unless and until terminated in accordance with its terms.

    5.2 In the event that Researcher is in breach of its obligations under this DSA, then TikTok Group may temporarily suspend the transfer of Personal Data to Researcher until the breach is repaired or this DSA is terminated.

    5.3 This DSA shall terminate automatically upon termination of the Agreement.

    5.4 Upon termination or expiry of the Agreement or after the end of provision of the services under the Agreement, Researcher shall, at TikTok Group's option and within 30 days of termination/expiry of the Agreement or receipt of notice from TikTok Group, either:

    i) return all relevant Personal Data in Researcher’s (or its subcontractors’) possession to TikTok Group including but not limited to derivative copies and aggregated data; or

    ii) delete and stop Processing all of the relevant Personal Data in Researcher’s (or its subcontractors’) possession including but not limited to derivative copies and aggregated data.

    Notwithstanding anything to the contrary, Researcher shall be solely responsible and have unlimited liability for any breach, violation, or negligence on its (or its subcontractors’) behalf of the requirements listed in this clause.

    5.5 The following clauses, and provisions referred to by such clauses, shall survive termination or expiry of this DSA together with any other provisions which by their nature survive, or are expressed to survive, expiry or termination or are intended or required to give effect to the expiration or termination of this DSA: this clause 5.5, clause 1, clause 3.1 (c), and clause 6.


  6. INDEMNITY

    6.1 Researcher shall indemnify and keep indemnified TikTok Group and its affiliates in respect of all costs (including legal costs), claims, demands, actions, settlements, ex-gratia payments, compensation, fines, charges, procedures, expenses, losses and damages suffered or incurred by, awarded against or agreed to be paid by, TikTok Group and its affiliates arising from or in connection with any actual or alleged breach by Researcher of its obligations under this DSA or Applicable Data Protection Law.

    6.2 Researcher's liability for the indemnity provided in this Clause 6 shall not be limited or excluded (including by any provision in the Agreement).


  7. MISCELLANEOUS PROVISIONS

    7.1 Researcher acknowledges and agrees that this DSA is signed to ensure compliance with Applicable Data Protection Laws and that by executing it neither TikTok Ireland nor TikTok UK accept any obligation or liability under the Agreement.

    7.2 This DSA shall be governed by the laws and shall have non-exclusive jurisdiction for disputes as set out in the Agreement (as if the relevant provision were set out here with all necessary changes) save where and to the extent otherwise required by Applicable Data Protection Law in respect of any Personal Data shared under this DSA.

    7.3 Any notice given under this DSA (a “Notice”) shall be in writing. A Notice may be sent by first class post (and air mail if overseas) or by email. Unless there is evidence that it was received earlier, a Notice is deemed given: (a) if sent by post (except airmail) two business days after posting it; (b) if sent by airmail, six business days after posting it; and (c) if sent by email, one business day after sending it (regardless of any out of office receipt notice that may be received from the recipient).

    7.4 Failure by any party to enforce its rights under this DSA shall not be taken as or deemed to be a waiver of such right.

    7.5 Neither party may assign or transfer any of its rights or obligations under this DSA without the prior written consent of the other party, such consent not to be unreasonably withheld.

    7.6 The parties agree that this DSA (together with the Agreement) sets out the entire agreement between them with respect to its subject matter. The parties also acknowledge that they have not been induced to enter into this DSA by any representation, warranty or undertaking not expressly incorporated into it, provided that neither party is attempting to exclude any liability for fraudulent statements (including fraudulent pre-contractual misrepresentations on which the other party can be shown to have relied).

    7.7 This DSA may not be released, discharged, supplemented, interpreted, amended, varied or modified in any manner except in writing and signed by a duly authorized representative of each party.

    7.8 This DSA may be entered into in any number of counterparts, all of which taken together shall constitute one and the same instrument.

    7.9 This DSA shall be governed by the laws and shall have non-exclusive jurisdiction for disputes as set out in the Agreement (as if the relevant provision were set out here with all necessary changes) save where and to the extent otherwise required by Applicable Data Protection Law in respect of any Personal Data shared under this DSA.


    SCHEDULE A

    SPECIFIC JURISDICTIONAL PROVISIONS

    This Schedule A (Specific Jurisdictional Provisions) sets out specific local law requirements that may apply to TikTok Group in respect of any transfer of Personal Data from, to or within specific jurisdictions. If there is any conflict between the provisions of this Schedule A and the body of this DSA, Clause 4.2 of this DSA shall apply to resolve such conflict.


    SCHEDULE A-1: EEA/UK

    PART A-1.1: EEA/UK – DEFINITIONS


  1. In this Schedule A-1, the following terms shall have the following meanings:

    “Controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;


    “Europe” means (i) the European Economic Area ("EEA") as constituted at the time of a relevant transfer and which, as at the Effective Date, is comprised of the 27 Member States of the European Union, together with the three countries within the European Free Trade Association, namely Norway, Iceland and Liechtenstein and (ii) the UK;


    “EU GDPR” means the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016);

    “European Data Protection Legislation” means: (i) the EU GDPR; (ii) any applicable national/federal or state/provincial legislation implementing the GDPR in a member state of the EEA; (iii) the GDPR as incorporated into UK law pursuant to s.3 of the European Union (Withdrawal) Act 2018 (as amended, the "UK GDPR"); and (iv) any other applicable data protection or national/federal or state/provincial privacy legislation in force in a member state of the EEA or the UK, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by any supervisory authority or any other applicable authorities in a member state of the EEA or the UK;


    "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;


    "Standard Contractual Clauses" means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").


  2. If TikTok Ireland and/or TikTok UK are parties to this DSA then, to the extent that Personal Data relating to users of TikTok's products and services are transferred to Researcher pursuant to this DSA, the term "TikTok Group" as used in this Schedule A-1 shall refer only to TikTok Ireland and/or TikTok UK.

  3. Any other capitalised terms used but not defined in this Schedule A-1 shall have the meaning given to them in Clause 1 (Definitions) of this DSA.

    PART A-1.2: EEA/UK CONTROLLER TO CONTROLLER


  1. This Part A-1.2 applies whenever TikTok Group or Researcher is established in the EEA or the UK, or otherwise subject to either the EU GDPR (under Article 3.2 of the EU GDPR) or the UK GDPR (under Article 3.2 of the UK GDPR), or the Personal Data that will be Processed relates to Data Subjects in Europe or is otherwise protected under the EU/UK GDPR.

  2. Each of TikTok Group and Researcher is a Controller of Personal Data transferred by TikTok Group to Researcher for Processing under this DSA. Each shall in relation to such Personal Data comply with European Data Protection Legislation in full, including (i) by providing transparency to Data Subjects about such transfer and Processing; (ii) having a lawful basis for such transfer or (as the case may be) Processing; and (iii) responding in accordance with European Data Protection Legislation to any assertion of Data Subject rights made against it.

  3. If Researcher wishes to appoint a third party to Process Personal Data received from TikTok Group for the purposes of the Agreement, Researcher shall ensure that the third party complies with European Data Protection Legislation and the requirements of this DSA (including this Schedule A-1).

  4. The parties agree that when the transfer of the Personal Data from TikTok Group to Researcher is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:

    4.1 in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

    (a) Module One will apply;

    (b) in Clause 7, the optional docking Clause will apply;

    (c) in Clause 11, the optional language will not apply;

    (d) in Clause 17 (Option 1), the EU SCCs will be governed by the law of Ireland;

    (e) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

    (f) in Annex I: with the information set out in Schedule B to this DSA;

    (g) in Annex II: with the technical and organisational security measures as set out in Schedule C of this DSA.


    4.2 in relation to Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:

    (a) For so long as it is lawfully permitted to rely on the Standard Contractual Clauses for the transfer of Personal Data to Controllers set out in the European Commission's Decision 2004/915/EC of 27 December 2004 (“Prior C2C SCCs”) for transfers of Personal Data from the United Kingdom, the Prior C2C SCCs shall apply between the transferring Data Exporter and the Data Importer on the following basis:

    (i) TikTok Group shall be the “Data Exporter” and Researcher shall be the “Data Importer”;

    (ii) Annex B: with the information set out in Schedule B to this DSA;

    (iii) in Clause II(h)(iii) of the Prior C2C SCCs, the words “option (iii)” to be inserted after the words “Data importer to indicate which option it selects:”, and the words “initials deemed inserted” to be inserted after the words “Initials of data importer:”, at Clause II(h)(iii) of the Prior C2C SCCs; and

    (iv) the optional illustrative indemnification Clause will not apply.

    (b) Where sub-clause 4.2(a) above does not apply, but TikTok Group and Researcher are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:

    (A) The EU SCCs, completed as set out above in clause 4.2(a) of this Agreement shall also apply to transfers of such Personal Data, subject to sub-clause (B) below;

    (B) The UK Addendum shall be deemed executed between TikTok Group and Researcher, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data.

    (c) If neither sub-clause 4.2(a) nor sub-clause 4.2(b) applies, then TikTok Group and Researcher shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay.


    PART A-1.3: EEA/UK SUPPLEMENTARY PROVISIONS

  1. Scope of this Part of this Schedule A-1: this Part A-1.3 applies whenever Part A-1.2 applies.
  2. In the event that any provision of this DSA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
  3. If the parties' compliance with their European Data Protection Legislation requirements relating to international transfers of Personal Data is affected by circumstances outside of the parties' control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of Personal Data is invalidated, amended or replaced, then the parties will work together in good faith to reasonably resolve such non-compliance.
  4. Subject to paragraph 5, if Researcher becomes aware that any law enforcement, regulatory, judicial or governmental authority (an "Authority") wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then Researcher shall: (i) immediately notify TikTok Group of such Authority's request; (ii) inform the Authority that such requests should be made to TikTok Group (or to the relevant Controller (as applicable)) in writing; and (iii) not provide the Authority with such Personal Data unless and until authorised by TikTok Group.
  5. In the event Researcher is legally prohibited from complying with paragraph 4, Researcher shall use reasonable efforts to challenge such prohibition.
  6. If Researcher makes a disclosure of Personal Data to an Authority (whether with TikTok Group's authorisation or due to a mandatory legal compulsion) it shall do so only to the extent legally required.
  7. Paragraphs 4 and 5 shall not apply in the event that Researcher has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Researcher shall notify TikTok Group as soon as possible following such Authority's access and provide TikTok Group with full details of the same, unless and to the extent legally prohibited from doing so.
  8. Researcher shall not knowingly disclose Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

    SCHEDULE B

    DATA PROCESSING DESCRIPTION


    A. LIST OF PARTIES

    Data exporter(s):

    1. Name: TikTok Group as set out on the front page of this DSA

       Address: See the front page of this DSA

       Contact person’s name, position and contact details: Kathryn Grant, Outreach Partnership Management, <transparency@tiktok.com>

       Activities relevant to the data transferred under these Clauses: Research by the Researcher within the scope set out in the [Research Application]

       Signature and Date: The date the Agreement is entered into

    Data importer(s):

    1. Name: See [Research Application]

       Address: See [Research Application]

       Contact person’s name, position and contact details: See [Research Application]

       Activities relevant to the data transferred under these Clauses: Research by the Researcher within the scope set out in the [Research Application]

       Signature and Date: The date the Agreement is entered into


    B. DESCRIPTION OF TRANSFER

    Categories of Data Subjects whose Personal Data is transferred:

    TikTok users who are 18 years old or above with public accounts.

    Categories of Personal Data transferred:

    The data sets detailed in the [Research Application]

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

    None.

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

    As set out in the [Research Application].

    Nature and purpose(s) of the Processing:

    Processing for the purpose of research conducted by the Researcher within the scope set out in the [Research Application].

    The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

    As set out in the [Research Application].


    C. COMPETENT SUPERVISORY AUTHORITY

    Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the EU SCCs):

    Ireland's Data Protection Commission


    SCHEDULE C

    MINIMUM SECURITY MEASURES


    These Minimum Security Measures may be changed from time to time by TikTok Group (acting reasonably) providing Researcher with a replacement. They are to be implemented by Researcher in relation to any Personal Data transferred under this DSA and supplement any other security measures and commitments required of Researcher under the Agreement. Researcher will document, implement and maintain an information security program that meets the standards of best industry practice to protect such Personal Data, which will include:


    I. System Entry Control

    Establishing, maintaining, monitoring, and using appropriate technical, physical, administrative, and organisational safeguards consistent with the highest industry standards to secure against a Security Incident including, at a minimum:

    (a) Secure user authentication protocols and system access control;

    (b) Use of mature and appropriate physical security, current malware, antivirus, and security software that includes e-mail filtering and malware detection;

    (c) Use of proper network protection measures;

    (d) During idle times, Researcher-issued equipment (e.g., Researcher-issued laptops) is automatically locked;

    (e) Encourage use of complex passwords;

    (f) Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above requires appropriate authorisation;

    (g) IT access privileges are reviewed regularly by appropriate personnel;

    (h) Network monitoring services in place 24 x 7 x 365 to detect unauthorised activities;

    (i) Vulnerability scanning and remediation in place;

    (j) Penetration testing as appropriate;

    (k) Encryption protocols applied as necessary under various circumstances. 


    II. Physical Access Controls

    Researcher shall take, among others, the appropriate security measures in order to establish the identity of the authorised persons and prevent unauthorised access to Researcher's premises and facilities in which the data are Processed.


    III. Data Access Control

    Researcher shall take technical and organisational measures in order to prevent unauthorised activities in the data Processing systems outside the scope of any granted authorisations including, at a minimum:

    (a) User and administrator access to the network follows a role-based access rights model. The authorisation model grants access rights to data only on a “need to know” basis;

    (b) Administration of user rights through system administrators;

    (c) Number of administrators is reduced to the absolute minimum;

    (d) Perform internal audits as required to assess high risk processes, technologies, and people;

    (e) Prohibit each employee from disclosing the Personal Data to any unauthorised third party or using the Personal Data in an unauthorised manner;

    (f) Where encryption of data is used, proper key lifecycle management practices are in place.


    IV. Data Transfer Control

    Researcher shall take technical and organisational measures in order to ensure that Personal Data cannot be read, copied, altered, or removed by unauthorised persons during their electronic transmission or during their transport or recording on data carriers, and to guarantee that it is possible to examine and establish where Personal Data are or have been transmitted by data transmission equipment, including, at a minimum:

    (a) Remote access (including during remote maintenance or service procedures) to the IT systems is to be via VPN tunnels, where appropriate, or other secure, encrypted connections;

    (b) Encryption protocols applied as necessary under various circumstances; 

    (c) Data storage devices and paper documents are locked away when not in use (e.g., clean desk policy);

    (d) Appropriate destruction and disposal of documents;

    (e) Physical destruction processes in place to industry standards; 

    (f) Secure communication session established via TLS or similar protocols across core applications/services;

    (g) Encrypted certificates utilised for authentication between core web client and core web server.


    V. Input Control

    Researcher shall take appropriate technical and organisational measures in order to ensure that it is subsequently possible to verify and establish via log files whether and by whom Personal Data have been entered into data Processing systems, altered, or removed.


    VI. Framework Control 

    Researcher shall take technical and organisational measures in order to ensure that any Personal Data transferred under this DSA can only be Processed for the purposes specified in the DSA including, at a minimum:

    (a) Clear and binding internal policies contain formalised instructions for data Processing procedures;

    (b) Clearly articulated contractual protections in place as appropriate in underlying contracts;

    (c) Regular staff training on the proper use of the computer security system, the security backup and disaster recovery procedures, and the importance of security to ensure compliance with contractual arrangements and maintain awareness regarding data protection requirements;

    (d) Secure destruction processes in place to industry standards;

    (e) Periodic access reviews that monitor employee access controls;

    (f) Researcher's corporate network is separated from its user services network by means of complex segregation devices.


    VII. Availability Control

    Researcher shall take technical and organisational measures in order to protect the data from accidental destruction or loss including, at a minimum:

    (a) Appliances for the monitoring of temperature and humidity in data centers;

    (b) Fire/smoke detectors and fire extinguishers or fire suppression system in data centers;

    (c) Use of mature and appropriate anti-virus software that includes e-mail filtering and malware detection;

    (d) Data recovery measures and emergency plan in place and regularly tested;

    (e) Implementation of mature and appropriate backup methods including physical separation of the backup data and storage of data stored in a redundant archive;

    (f) Use a combination of full, differential, and cumulative backups to ensure data integrity and timely restoration for core data, as appropriate;

    (g) To ensure an uninterrupted supply of power to the system, redundant power supply units are built into the systems wherever possible;

    (h) Integrity of stored data regularly verified using checksums;

    (i) Processes in place to move data traffic away from affected area to uncompromised area in case of failure;

    (j) Preventative maintenance is performed to ensure continued operability of equipment;

    (k) Appropriate Denial of Service and Distributed Denial of Service technology in place to defend against network and systems based resource starvation attacks.