Personal information protection management norms
Effective date of this edition: December 14, 2021
I. Personal Information Protection Initiative
Taobao's open platform and partners in the merchant service market (hereinafter referred to as "partners") recognize that personal information protection is the cornerstone of the long-term and stable development of enterprises, and agree to follow the following principles to protect users' personal information rights and interests:
1. Deepen the awareness of personal security and implement the main responsibility of the enterprise: adhere to customer first, attach great importance to data security and the protection of users' personal information, firmly establish the awareness of personal information protection, actively implement the main responsibility of the enterprise, and effectively protect the legitimate rights and interests of consumers.
2. Protect the rights and interests of users and collect and use legally and compliantly: continuously strengthen the protection of users' rights and interests, establish a full-link risk management system for personal information protection, and ensure the legal and compliant collection and use of personal information.
3. Strict compliance audit and standardization of application design and development: Strictly implement the requirements of relevant regulatory departments, practice the management idea of protecting users' personal information from the source, carry out special investigation and governance in application design, development and other aspects, and actively participate in creating a clear cyberspace.
4. Strengthen technical means and improve personal protection capabilities: adhere to continuous investment facing the future, strengthen the application of security technology, strengthen privacy technology innovation such as differential privacy and multi-party secure computing, and constantly improve personal information protection capabilities.
5. Strengthen system construction and improve the personal security management system: consolidate the internal data governance mechanism of the enterprise, strengthen the construction and implementation of the personal information protection system, and promote the construction of professional talents, products and tools for personal information protection.
6. Respond to users' concerns and improve the complaint feedback mechanism: always listen to users' voices, provide customers with unimpeded complaint feedback channels, respond to user concerns in a timely manner, and constantly improve the customer experience.
7. Strengthen communication and cooperation and actively participate in industry self-discipline: Under the guidance of the government, strengthen communication and cooperation with industry enterprises, partners and customers, actively explore various ways to solve industry problems through industry self-discipline, and better create value for society.
Once a partner is found to have violated the rules, the platform has the right to take all measures, including termination of cooperation, in accordance with these specifications and relevant platform rules, and reserves the right to pursue legal liability.
II. Definitions
1. Personal information: all kinds of information, recorded electronically or by other means, relating to identified or identifiable natural persons, excluding information that has been anonymized.
2. Sensitive personal information: personal information which, once leaked or illegally used, can easily lead to the violation of a natural person's human dignity or endanger personal or property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and other information, as well as the personal information of minors under the age of 14.
3. Processing of personal information: any operation or a series of operations on personal information, including the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
4. Express consent: the personal information subject voluntarily makes a statement in paper or electronic form, in writing, orally or by other means, or independently takes an affirmative action, to clearly authorize the specific processing of their personal information.
5. De-identification: the process of processing personal information so that a specific natural person cannot be identified without the help of additional information.
6. Anonymization: the process of processing personal information so that a specific natural person cannot be identified and the information cannot be restored.
7. Taobao open platform: refers to the service platform (domain name taobao.com) that provides some software and supporting materials based on the opening of various e-commerce businesses on Taobao platform. Service providers develop applications through these software and support materials to serve themselves or other users of Taobao platform.
8. Merchant service market: refers to Alibaba's one-stop merchant service platform (domain name taobao.com), which systematically provides merchants with tool software, online store services, information tutorials and other seller value-added services.
9. Platform: in this specification, refers specifically to the Taobao open platform and the merchant service market.
10. Platform operator: in this specification, refers specifically to Zhejiang Taobao Network Co., Ltd. and Taobao (China) Software Co., Ltd., the operators of the Taobao open platform/merchant service market.
III. Personal Information Protection Norms
Partners should ensure that the processing of personal information involved in providing users with products and services meets the relevant requirements of the laws and regulations of the People's Republic of China (such as the Personal Information Protection Law of the People's Republic of China and the Data Security Law). At the same time, partners should refer to relevant national standards (such as GB/T 35273-2020, Information Security Technology: Personal Information Security Specification) to standardize the processing of personal information and protect the legitimate rights and interests of users and the public interest to the greatest extent.
In order to meet the personal information protection and data security supervision requirements of the regulatory agencies of the People's Republic of China, Zhejiang Taobao Network Co., Ltd. and Taobao (China) Software Co., Ltd., the operators of the Taobao open platform/merchant service market, have formulated and implemented privacy protection policies and data security protection measures. Partners should formulate and implement privacy protection policies and data security protection measures that are no less rigorous than those of the platform operators.
(1) Processing users' personal information
1. In order to provide users with products and services, partners shall follow the principles of legality, legitimacy, necessity and good faith, and shall not process personal information by means of misleading, fraud, coercion, etc.
2. Partners should follow the principles of openness and transparency, disclose the rules for the processing of personal information, and clearly state the purpose, method and scope of processing. The function of collecting or using personal information of the product or service shall not be concealed.
3. Partners should ensure the quality of personal information in processing personal information and avoid adverse effects on personal rights and interests due to inaccuracy and incomplete personal information.
4. Partners may only process personal information for the purposes necessary to fulfill their contractual obligations under the corresponding user agreement. Partners may only collect sensitive personal information where there is a specific purpose and sufficient necessity, strict protection measures are taken and the user's separate consent is obtained. Partners shall not use users' personal information for any purpose that is illegal or contrary to public order and good customs.
5. If it is necessary to provide users with products and services and really needs to use users' personal information beyond the original authorization, the partner shall obtain another legal basis for processing users' personal information.
6. If it involves the processing of personal information of a minor under the age of 14, the consent of the parents or other guardians of the minor shall be obtained, and special rules for the processing of personal information shall be formulated.
7. Partners shall not use user personal information authorized through platform functions for any purpose beyond the scope of the user's authorization (including but not limited to automated decision-making), and shall not entrust others to process the above personal information.
(2) Disclosure of users' personal information
1. Partners shall not disclose users' personal information to third parties in any form except in the following circumstances:
(1) the user's separate consent has been obtained;
(2) disclosure is required by laws and regulations or by regulatory requirements.
2. If the information recipient needs to transmit the received information across borders, it must comply with relevant laws and regulations or the requirements of the regulatory department and complete the necessary evaluation procedures.
(3) Information security
1. Partners should properly keep the account number, password and key used on the platform and related APP codes.
2. Partners shall take technical means and management measures in accordance with the requirements of laws and regulations, national standards, self-discipline guidelines and platform management norms to ensure that users' personal information is fully secure and avoid processing users' personal information without a legal basis.
3. The transmission and storage of user information must be encrypted or de-identified, and the key must be safely stored.
4. Partners should clarify the person in charge and department responsible for personal information protection and information security, and systematically carry out personal information protection and information security management.
5. Partners shall regularly (at least once a year) conduct a self-inspection of their own information security management, including but not limited to: the security status of information systems, the implementation of relevant information security requirements and measures, security plans, etc., and conduct security assessments. If the information security situation does not meet the relevant requirements, the partner shall formulate and implement a rectification plan.
6. Partners shall take special measures to ensure access only for staff who must access user personal information for legitimate purposes, and regularly provide security education and training for practitioners.
7. Partners shall not use any way to crawl the data of any platform under the platform operator and its affiliates.
8. Partners shall not use reflection to find, track, associate, mine, obtain or use user information to engage in behaviors unrelated to the products or services provided by partners.
9. After detecting abnormal conditions or data leakage caused by a partner's applications or systems, the open platform has the right, together with its affiliates, to take protective measures on the relevant interfaces and other capabilities provided by the open platform, including but not limited to blocking through temporary closure, traffic limiting, frequency limiting, etc. Partners are obligated to cooperate with emergency security handling (including but not limited to suspending data interface services, etc.) and relevant investigations, and to delete relevant user information in a timely manner as required.
10. Partners should keep complete logs of their data processing behavior, and provide audit capability and regular audits accordingly.
11. Partners should regularly conduct personal information protection impact assessments and retain the assessment records for more than 3 years.
(4) Users' personal information rights
1. Partners shall protect the user's right to know and right to decide, and provide users with channels for consulting, copying, transferring, correcting, supplementing and deleting information and for withdrawing consent. If personal information is processed on the basis of personal consent, the individual has the right to withdraw their consent. Partners shall not refuse to provide products or services on the grounds that an individual does not agree to the processing of their personal information or withdraws their consent.
2. According to the user's request, the partner shall correct and supplement personal information in a timely manner after verification.
3. If the following conditions are met, the partner shall take the initiative to delete the user's personal information; if the user requests to delete, the personal information shall be deleted in time:
(1) The partner handles personal information in violation of laws and administrative regulations or in violation of agreements;
(2) The processing purpose declared by the partner to the user has been achieved, cannot be achieved, or is no longer necessary to achieve the processing purpose;
(3) The partner stops providing products or services to users, or the necessary storage period has expired;
(4) The user withdraws the consent;
(5) Other circumstances stipulated by laws and administrative regulations.
4. Upon termination of cooperation, the partner shall delete the user's personal information it has obtained in a timely manner, unless the user's express consent or another sufficient legal basis has been obtained.
IV. Evaluation audit
1. The platform operator and its affiliates have the right to evaluate and audit the information security management and control effect of partners.
2. The platform operator and its affiliates have the right to entrust independent third-party institutions (e.g. accounting firms, law firms, etc.) to carry out the above evaluation and audit, and partners shall cooperate on the following matters:
(1) Partners shall cooperate in providing facilities, equipment, systems, policies or processes related to the processing of information received.
(2) Partners should cooperate by providing access to relevant workplaces and arranging interviews with relevant personnel.
3. Based on the requirements of the evaluation and audit, partners shall amend or improve the relevant information processing facilities, equipment, systems, policies or processes, etc. within the specified time.
4. Before the platform operator or its affiliates make evaluation and audit requirements, the partner shall be given a reasonable advance notice period. At the same time, evaluation and audit should be carried out on the premise of legal compliance, and should not affect the normal operation or legitimate rights and interests of partners.
5. The platform operator or its affiliates have the right to terminate cooperation with partners with higher risks.
V. Data violations
1. Partners should establish a full-link data security protection system to strictly prevent the risk of data leakage.
2. When knowing or suspecting that any of the following situations has occurred, the partner shall immediately take all necessary emergency remedial measures and immediately notify the platform operator or its affiliates in accordance with the platform's other business and security norms and the relevant commercial cooperation agreements:
(1) Any violation of these specifications and other business and security specifications of the platform;
(2) Circumstances in which the regulatory agency or the affected user shall be notified/disclosed in accordance with the requirements of applicable laws and regulations of the People's Republic of China.
3. At the same time, if the platform operator or its affiliates find that the partner has committed a data violation (such as personal information leakage, tampering or loss), corresponding measures will be taken in accordance with the platform's other business and security norms and the relevant commercial cooperation agreements, and each party shall bear its own data security and other responsibilities as required by laws and regulations.
VI. Liability
1. Partners should ensure that user authorization is traceable and retain reasonable evidence related to user authorization.
2. Regulators may make inspection requirements for partners and platform operators or their affiliates in accordance with applicable laws and regulations. In the process, partners shall provide necessary assistance, such as providing user authorization certification materials.
3. The partner shall be liable for compensation if the platform operator or its affiliates are fined or suffer other related losses (such as loss of goodwill) due to the partner's violation or breach of contract.