1. Definitions and interpretation

1.1 In this TikTok Analytics Joint Controller Addendum (the "TikTok Analytics Addendum"), the following terms shall have the following meanings:

"Account Admin” means you or the person who administers content under your TikTok Account.

"Engagement Data" means data about user actions in relation to content (such as viewing, clicking on, or liking your content) and other types of interactions directly linked to TikTok Accounts.

"GDPR" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); and (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR");

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

"TikTok" means TikTok Information Technologies UK Limited, whose registered office is 4 Lindsey Street, Barbican, London, EC1A 9HP, United Kingdom ("TikTok UK") or TikTok Technology Limited, whose registered office is at 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok Ireland") collectively, in their capacity as joint controllers.

"TikTok Account" means the account you have registered with TikTok and through which you create and share content.

"TikTok Analytics" means aggregated anonymous reporting about visitors' actions in relation to content under a TikTok Account, which is generated from processing Engagement Data.

1.2 The terms "personal data", "processing", "controller", "processor", "supervisory authority" and "data subject" in this TikTok Analytics Addendum have the meanings given to them in the GDPR.

1.3 For the avoidance of doubt, capitalised terms that are used but not defined in this TikTok Analytics Addendum shall have the meanings given to them in the TikTok Terms of Service.

2. Scope of this Addendum

2.1 You acknowledge and agree that this TikTok Analytics Addendum applies if: (i) we collect Engagement Data about how users interact with your TikTok Account to provide you with TikTok Analytics; (ii) that Engagement Data includes personal data that is subject to the GDPR; and (iii) you and TikTok jointly determine the means and purposes of the processing of the Engagement Data. For more information about the Engagement Data we may collect, please see Information about TikTok Analytics.

2.2 If you are an Account Admin, acting on behalf of a TikTok Account holder, you represent and warrant that you are authorised to enter into this TikTok Analytics Addendum on behalf of the TikTok Account holder and bind the TikTok Account holder to the terms in this TikTok Analytics Addendum.

2.3 You acknowledge and agree that this TikTok Analytics Addendum applies and shall be deemed incorporated into and part of the TikTok Terms of Service governing your use of the TikTok Account, such that non-compliance with this TikTok Analytics Addendum shall be deemed a breach of the TikTok Terms of Service.

3. Joint controllership responsibilities

3.1 You acknowledge and agree that: (i) TikTok Analytics are generated from Engagement Data, and that Engagement Data may include personal data; and (ii) you (and/or any third party for whom you are creating or administering content under a TikTok Account) determine the means and purposes of the processing of such Engagement Data jointly with TikTok by deciding to publish content and by making use of the TikTok Analytics for your own purposes.

3.2 Accordingly, you acknowledge and agree (on your own behalf, and on behalf of any third party for whom you are creating or administering content under a TikTok Account) that you and TikTok (together the "Parties") are joint controllers in accordance with Article 26 GDPR for the processing of Engagement Data used to generate TikTok Analytics.

3.3 Joint controllership pursuant to Section 2.2 is limited to: (i) the creation and collection of Engagement Data, and (ii) its aggregation into TikTok Analytics made available to Account Admins. Where TikTok or you engage in any other processing of personal data in connection with a TikTok Account or the content associated with it for which there is no joint determination of the purposes and means of such processing, TikTok and you shall remain separate and independent controllers.

3.4 TikTok's and your responsibilities for compliance with the obligations under the GDPR with regard to the processing of Engagement Data to generate TikTok Analytics are determined as follows:

• Art 6: Legal basis

TikTok's responsibility: TikTok will ensure it has a legal basis for the processing of Engagement Data to create TikTok Analytics, which shall be set out in the TikTok Privacy Policy (under the heading "Our Legal Bases and How We Process Your Information").

Your responsibility as Account Admin: Ensure that you also have a legal basis for the processing of Engagement Data.

• Arts 12, 13 and 14: Transparency

TikTok's responsibility: TikTok's publicly-available Privacy Policy describes the legal basis relied on and the types of personal data processed in connection with the generation TikTok Analytics.

Your responsibility as Account Admin: Disclose any information required by Articles 12, 13 and 14 GDPR. For example, if applicable and legally required, your own legal bases (e.g. the legitimate interests you pursue), the data controller(s) on your side and their contact details, and the contact details of any data protection officers (Article 13(1)(a-d) GDPR).

• Arts 15 – 21: Data subject rights

TikTok's responsibility: TikTok will enable data subjects to exercise their rights in respect of their personal data comprised within Engagement Data.

Art 26: Making available joint controller terms

TikTok's responsibility: TikTok will make the essence of this TikTok Analytics Addendum available to data subjects. This is currently done via the Information about TikTok Analytics.

• Art 32: Security

TikTok's responsibility: TikTok will implement appropriate technical and organisational security measures to protect Engagement Data processed to create TikTok Analytics. All employees of TikTok involved in the processing of Engagement Data used to create TikTok Analytics are bound by appropriate obligations to maintain the confidentiality of Engagement Data.

• Arts 33, 34: Personal Data Breaches

TikTok's responsibility: TikTok will comply with its obligations under the GDPR in respect of any personal data breach affecting the Engagement Data it processes.

3.5 You acknowledge and agree that TikTok decides in its sole discretion how to comply with its obligations under this TikTok Analytics Addendum and that only TikTok has the power to implement decisions about the processing of Engagement Data to create TikTok Analytics.

3.6 You acknowledge and agree that, where the EU GDPR applies, the lead supervisory authority for the joint processing is the Irish Data Protection Commission and, where the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office.

3.7 This TikTok Analytics Addendum does not grant you any right to request the disclosure of personal data (whether Engagement Data or otherwise) of TikTok users that is processed in connection with TikTok Analytics.

3.8 You can contact TikTok with any questions, issues or concerns about our processing of Engagement Data to create TikTok Analytics here. If TikTok needs to contact you in connection with your use of TikTok Analytics, we will contact you through the Inbox in your TikTok Account and/or the email address you provided to us when registering your TikTok Account. The Parties designate the communication channels referenced in the Information about TikTok Analytics or in any subsequent document as contact points for data subjects.

3.9 If data subjects exercise any rights under the GDPR with regard to the processing of Engagement Data or generation of TikTok Analytics against you, or you are contacted by a supervisory authority with regard to the processing of Engagement Data or generation of TikTok Analytics, each a "Request", you will forward all relevant information regarding any such Requests to us promptly and within a maximum of seven (7) calendar days using the contact details provided in clause 2.9 above. TikTok agrees to answer Requests from data subjects in accordance with our obligations under this TikTok Analytics Addendum. You agree to take all reasonable endeavours in a timely manner to cooperate with us in answering any such Request. You are not authorised to act or answer on TikTok's behalf.

3.10 For the avoidance of doubt, the collection of personal data by TikTok shall not constitute a Restricted Transfer. To the extent that TikTok transfers such personal data (including to its affiliates and processors) after it is collected and such transfer is a Restricted Transfer, then TikTok shall ensure that such transfer is in compliance with the requirements of Art. 44 et seqq. GDPR.