

Data Processing Addendum


This Data Processing Addendum (this “DPA”) is entered into by and between the “Seller” and Whaleco Technology Limited (“Whaleco Ireland”) (each a “Party” and together the “Parties”). The Seller agrees to comply with the following terms in respect of the Processing of Whaleco Ireland Personal Data in the course of providing the Services to Whaleco Ireland.

本《数据处理附录》(以下简称“本附录”)由商家(以下简称“乙方”)和Whaleco Technology Limited(以下简称“甲方”)(甲方或乙方单称一方,合称共同订立。乙方同意在提供本附录所述的服务过程中遵守以下关于甲方个人数据处理的各项条款


1.              Definitions


For purposes of this DPA, the terms below have the meanings set forth below. 


(a)   Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.


(b)   Applicable Data Protection Laws means the privacy, data protection and data security laws and regulations applicable to either Party’s Processing of Personal Data under this DPA, including, without limitation, the General Data Protection Regulation 2016/679 (the “GDPR”), the UK GDPR, the Privacy and Electronic Communications Directive 2002/58/EC, the CCPA and VDCPA. 

适用的数据保护法是指适用于任何一方处理个人数据的任何司法管辖区的隐私、数据保护和数据安全法律和法规,包括但不限于《一般数据保护条例2016/679号法规》(以下称“GDPR”)、《隐私和电子通信指令2002/58/EC》、CCPA  VDCPA

(c)   Applicable European Law means any law of the EEA (or the law of one or more of the Member States of the EU), and (where applicable in respect of UK Data Subjects) any law of the UK, and (where applicable in respect of Swiss Data Subjects) any law of Switzerland, which is applicable to one or more of the Parties.


(d)   CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder.

CCPA是指经 2020年加州隐私权法案(“CPRA”)修订的 2018 年加州消费者隐私法案,以及根据该法案颁布的任何具有约束力的法规。

(e)   Whaleco Ireland Data means information provided or made available to Seller to perform the Services under this DPA.


(f)    Whaleco Ireland Personal Data means Whaleco Ireland Data that constitutes “Personal Data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws or information of a similar character regulated thereby, shared with the Seller to Process for and on behalf of Whaleco Ireland in the course of providing the Services to Whaleco Ireland under this DPA, as set out in Annex 4 (Description of Processing).


(g)   Data Subject Request means an actual or purported request, notice or complaint from (or on behalf of) a Data Subject exercising his or her rights under Applicable Data Protection Laws.


(h)   EEA means the European Economic Area.


(i)    EU means the European Union.


(j)    European Data Protection Change means any change in or interpretation of the Applicable Data Protection Laws (including any guidance by the European Commission, the European Data Protection Board, or ruling by the Court of Justice of the EU) that: (a) results in the SCCs ceasing to be a means to ensure adequate safeguards for the purposes of Applicable Data Protection Laws for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection; or (b) promulgates an alternative to the SCCs that enables the lawful transfer of Personal Data from the EU, the EEA, the UK or Switzerland (where applicable) to third countries.

欧洲数据保护法变更是指适用数据保护法(包括欧盟委员会、欧洲数据保护委员会的任何指导或欧盟法院的裁决)的任何变更或解释:(a) 导致标准合同条款在个人数据传输至无法确保充分数据保护水平的第三国数据处理者时,不再是一种充分保障适用数据保护法的方式; (b) 颁布标准合同条款的替代方案,使个人数据能够从欧盟、欧洲经济区、英国或瑞士(如适用)合法传输到第三国。

(k)   Information Security Incident means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, acquisition of, or access to, Whaleco Ireland Personal Data transmitted, stored or otherwise Processed by Seller or Seller Subprocessors. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Whaleco Ireland Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.


(l)    Seller Subprocessors means Affiliates or third parties that Seller engages to Process Whaleco Ireland Personal Data in relation to the Services.


(m) Regulator means any independent public authority, including any regulator or supervisory authority, established under the laws of any applicable jurisdiction responsible for the monitoring and application of Applicable Data Protection Laws.


(n)   Regulator Correspondence means any correspondence or communication received from a Regulator relating to Whaleco Ireland Personal Data.


(o)   Security Measures has the meaning given in Section 4(a) (Seller’s Security Measures) of this DPA.

安全措施具有本附录第 4(a) 条款(商家的安全措施)中约定的含义。

(p)   Services means the product customization services and online instant communication services undertaken by the Seller arising from this DPA.


(q)   Standard Contractual Clauses (“SCCs”) means Module 2 (Controller to Processor) (“EEA C2P SCCs”) and Module 3 (Processor to Processor) (“EEA P2P SCCs”) of the SCCs for the transfer of personal data to third countries set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (together the “EEA SCCs) and (ii) the UK Addendum. Specifically, the EEA SCCs shall be interpreted as follows:

标准合同条款SCCs),指欧盟委员会发布的针对将个人数据转移至第三国的(EU2021/914号执行决定中的第2模块(控制者对处理者)(EEA C2P SCCs),和第3模块(处理者对处理者)(EEA P2P SCCs)(共同称为“EEA SCCs”);以及(ii)英国附录。具体而言,EEA SCCs应解释为以下内容:

                           (i)            clause 7 (Docking clause) of the EEA SCCs shall apply;

EEA SCCs7条(对接条款)适用;

                          (ii)            for the purposes of clause 9 (Use of sub-processors) of the EEA C2P SCCs, option 2 (General Written Authorisation) applies and the relevant time period is 30 calendar days;

EEA C2P SCCs 9条(子处理者的适用)而言,适用选项2(一般书面授权),相关时间期限为30个自然日;

                        (iii)            for the purposes of clause 9 (Use of sub-processors) of the EEA P2P SCCs, option 2 (General Written Authorisation) applies and the relevant time period is 60 calendar days;

EEA P2P SCCs9条(子处理者的适用)而言,适用选项2(一般书面授权),相关时间期限为60个自然日;

                        (iv)            the independent dispute resolution option in clause 11 (Redress) of the EEA SCCs does not apply;

EEA SCCs11条(补救)中的独立争议解决方案不适用;

                         (v)            for the purposes of clause 15(1)(c) (Obligations of the data importer in case of access by public authorities) of the EEA SCCs, the Seller must provide the Whaleco Ireland with the requisite information relating to any Third Party Request received by Seller at monthly intervals.

出于EEA SCC15(1)(c)条(公共机构访问时数据接收方的义务)的目的,乙方必须每月甲方提供一次收到的与任何第三方请求相关的必要信息。

                        (vi)            for the purposes of clause 17 (Governing law) of the EEA SCCs, the chosen option is option 1 and the chosen law is the law of Ireland;

EEA SCCs17(管辖法律)而言,所选选项为选项1,所选法律为爱尔兰法律;

                       (vii)            for the purposes of clause 18(b) (Choice of forum and jurisdiction) of the EEA SSCs, the chosen courts are courts of Ireland;

EEA SSCs18b)条(法院和管辖权的选择)而言,选定的法院为爱尔兰法院;

                      (viii)            the Appendix shall be completed as follows:


(A)  Whaleco Ireland shall be the Controller and data exporter and Seller shall be the Processor and data importer for the purposes of Annex I.A to the EEA SCCs. The contact information for each shall be as follows:

EEA SCCs附件I.A而言,甲方应为数据的控制方和披露方,乙方应为处理者和数据接收方,各自的联系信息如下:

(a)   Address of Whaleco Ireland, contact person’s name, position and contact details: Address: 25 St Stephen’s Green, Dublin 2;


(b)   Address of Seller and Seller’s contact person’s name, position and contact details: [as provided and updated by sellers from time to time ];


(B)  The contents of Annex 4 (Description of Processing) shall form Annex I.B to the EEA SCCs;

附件4(处理活动的详细信息)的内容应构成EEA SCCs的附件I.B

(C)  The competent supervisory authority shall be the Irish Data Protection Commission for the purposes of Annex I.C to the EEA SCCs; and

EEA SCCs附件I.C而言,主管监管机构应为爱尔兰数据保护委员会;和

(D)  The contents of Annex 2 (Security Measures) shall form Annex II to the EEA SCCs.

附件2(安全措施)的内容应构成EEA SCCs的附件二

(r)    Third Party Request means a written request from any third party for the disclosure of Whaleco Ireland Personal Data, where compliance with such a request is required or purported to be required by applicable law or regulation.


(s)   UK means the United Kingdom.


(t)    UK Addendum means the International Data Transfer Addendum to the EEA SCCs (version B.1.0) issued by the UK Information Commissioner’s Office in accordance with section 119A of the UK Data Protection Act 2018 which came into force on 21 March 2021, on the basis that:


                             (i)         Table 1 and Table 3 of the UK Addendum are deemed to have been completed with the corresponding details stipulated in this DPA for EEA SCCs,

英国附录的表1和表3被视为已完成,并包含本 DPA 中针对 EEA SCCs 规定的相应详细信息,

                            (ii)         for the purposes of Table 1 of the UK Addendum: (a) the "Start Date" is the effective date of this DPA; and (b) the official company registration number (where applicable) of the Seller is [as provided and updated by sellers from time to time ] and the official company registration number of Whaleco Ireland is 723548;

就英国附录表1而言:(a)开始日期是本 DPA 的生效日期;(b) 乙方的正式公司注册号(如适用)【以商家提供或更新为准】,甲方的正式公司注册号为 [723548]

                           (iii)         for the purposes of Table 2 of the UK Addendum, (1) the version of the "Approved EU SCCs" is the EEA SCCs; and (2) the choices regarding clause 7 (Docking clause), clause 9 (Use of sub-processors), clause 11 (Redress), and clause 15 (Obligations of the data importer in case of access by public authorities) (as stipulated in this DPA for the EEA SCCs) are applicable; and

就英国附录表2而言,(1)批准的欧盟 SCCs的版本是 EEA SCCs (2) DPA中针对EEA SCCs规定的第7条(对接条款)、第9条(子处理者的使用)和第11条(补救)的选择适用;以及

                          (iv)         "Exporter" is deemed to have been chosen for the purposes of Table 4 of the UK Addendum.


(u)   UK GDPR means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the EU (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

英国GDPR 是指根据《2018 年欧盟(退出)法案》第 3 节,并经《2019 年数据保护、隐私和电子通信(修订等)(欧盟退出)法规》修订,构成英格兰和威尔士、苏格兰和北爱尔兰法律一部分的 GDPR

(v)   VDCPA means Virginia Consumer Data Protection Act (2021; effective Jan. 1, 2023), and any binding regulations promulgated thereunder.


(w)  The terms “Controller”“Data Subject”, “Personal Data”“Processing”  (“Process” and “Processed” construed accordingly), “Processor”, “Special Categories of Personal Data” and “Sub-Processor” shall have the meanings given to them under Applicable Data Protection Laws.


(x)   References to Articles of the GDPR in this DPA are to articles of the GDPR and/or UK GDPR (as applicable) unless otherwise stated.


2.     Duration and Scope of DPA


(a)    Whaleco Ireland Personal Data is defined in Section 1 above.


(b)    The Parties agree that for the purposes of the Applicable Data Protection Laws, Whaleco Ireland is the Controller of Whaleco Ireland Personal Data and Seller is a Processor of Whaleco Ireland in relation to the Whaleco Ireland Personal Data that Seller Processes in the course of providing the Services to Whaleco Ireland, as set out in Annex 4 (Description of Processing).


(c)     The Parties agree to comply with this DPA and their respective obligations under Applicable Data Protection Laws in respect of the Whaleco Ireland Personal Data. This DPA is in addition to, and does not relieve, remove or replace, a Party's obligations or rights under the Applicable Data Protection Laws.


(d)    This DPA will remain in effect for so long as Seller Processes Whaleco Ireland Personal Data for the Services. Upon termination of this DPA, Seller shall, at Whaleco Ireland’s request, delete or return (as directed by Whaleco Ireland) all Whaleco Ireland Personal Data in Seller’s possession and delete existing copies of Whaleco Ireland Personal Data. The Seller shall demonstrate to the satisfaction of Whaleco Ireland that it has taken such measures, unless (in each case) Applicable European Law prevents it from returning or destroying all or part of the Whaleco Ireland Personal Data (in which case, the terms of this DPA will continue to apply to such Whaleco Ireland Personal Data).

只要乙方为服务的目的处理甲方个人数据,本附录将一直有效。在本附录终止时,乙方应根据甲方的要求,删除或返还(按照甲方的指示)乙方拥有的所有甲方个人数据,并删除甲方个人数据的现有副本。 乙方应向甲方证明其已采取令甲方认可的此类措施,除非(在这种情况下)适用的欧洲法律禁止其归还或销毁全部或部分甲方个人数据(在这种情况下,本附录条款将继续适用于此类甲方个人数据)。

(e)   Processing of Personal Data subject to the CCPA with respect to which Whaleco Ireland is a Business or Service Seller (as defined in CCPA) shall be subject to Annex 1 (California Annex) and Annex 2 (Security Measures) to this DPA.

甲方若作为企业或服务提供方(见 CCPA 中的定义),则处理受CCPA约束的个人数据时应遵守本附录附件1(加利福尼亚附件)和附件2(安全措施)的规定。

(f)    The Parties acknowledge and agree that Annex 4 (Description of Processing) to this DPA is an accurate description of the Processing carried out under this DPA.  Whaleco Ireland shall be permitted to make amendments to Annex 4 (Description of Processing) regarding the nature, duration, purpose, types, and categories related to the Processing of Whaleco Ireland Personal Data on written notice to Seller.


3.     Whaleco Ireland Instructions


(a)   Seller will Process Whaleco Ireland Personal Data only in accordance with Whaleco Ireland’s documented instructions to Seller, including with regard to transfers of Personal Data to a third country or international organisations (unless required to do so by Applicable European Law to which Seller is subject; in such a case, Seller shall inform Whaleco Ireland of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). This DPA is a complete expression of such instructions as at the date of this DPA. If Whaleco Ireland has additional instructions (“Additional Instructions'') after the date of this DPA, Whaleco Ireland will inform Seller of such Additional Instructions. All Additional Instructions will be binding on Seller. By entering into this DPA, Whaleco Ireland instructs Seller to Process Whaleco Ireland Personal Data in accordance with this DPA and to perform its other obligations and exercise its rights in accordance with this DPA. Seller will inform Whaleco Ireland immediately in writing if in its opinion there is a conflict between Whaleco Ireland’s instructions and Applicable Data Protection Laws.


(b)   Seller will not disclose Whaleco Ireland Personal Data to any third party (including for back-up purposes) apart from the Seller Subprocessors authorised by Whaleco Ireland under this DPA at Annex 3 (List of Seller Subprocessors), unless previously agreed between the Parties put down in writing, or required by Applicable European Law to which Seller is subject. In such a case, Seller will inform Whaleco Ireland of that legal requirement before Processing, unless that Applicable European Law prohibits such information on important grounds of public interest.


4.     Security


(a)   Seller Security Measures. Seller will implement and maintain appropriate technical and organisational measures to protect Whaleco Ireland Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Whaleco Ireland Personal Data including, at a minimum, the measures described in Annex 2 (Security Measures) (the “Security Measures”). Seller may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Whaleco Ireland Personal Data.


(b)   Security Compliance by Seller Staff. Seller shall require that its personnel who are authorised to access Whaleco Ireland Personal Data are subject to appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality.


(c)   Information Security Incidents. Seller will notify Whaleco Ireland without undue delay, but no later than twenty-four (24) hours, of any Information Security Incident of which Seller becomes aware or suspects. Any such notification by Seller to Whaleco Ireland of an Information Security Incident will contain the following information to the extent that Seller has details of same: (i) a description of the nature of the Information Security Incident (including, where possible, the categories and approximate number of both the Data Subjects and the data records concerned); (ii) the details of a contact point where more information concerning the Information Security Incident can be obtained; and (iii) its likely consequences and the measures taken or proposed to be taken to address the Information Security Incident, including to mitigate its possible adverse effects. Whaleco Ireland agrees that Seller may provide the foregoing information in phases, without undue delay, as it becomes available. Seller will, to the extent reasonably necessary, cooperate and assist with Whaleco Ireland’s investigation of the Information Security Incident, including any relevant notifications to Regulators and affected Data Subjects, and will take commercially reasonable steps to remediate the cause to the extent the remediation is within Seller’s control.


5.     Data Subject Requests


(a)   Seller’s Data Subject Request Assistance. Seller will (taking into account the nature of the Processing of Whaleco Ireland Personal Data) provide Whaleco Ireland with assistance reasonably necessary for Whaleco Ireland to perform its obligations under Applicable Data Protection Laws to fulfil Data Subject Requests with respect to Whaleco Ireland Personal Data in Seller’s possession or control.


(b)   Whaleco Ireland’s Responsibility for Data Subject Requests. If Seller receives a Data Subject Request, Seller will (i) promptly notify Whaleco Ireland; and (ii) advise the Data Subject to submit the request to Whaleco Ireland, and Whaleco Ireland will be responsible for responding to any such request. Seller will not respond to a Data Subject Request without Whaleco Ireland’s prior authorisation, unless legally compelled to do so. If Seller is required to respond to such a Data Subject Request, Seller will promptly notify Whaleco Ireland and provide Whaleco Ireland with a copy of the request, unless legally prohibited from doing so.


6.     Restrictions on Use


(a)   Whaleco Ireland Personal Data shall only be Processed by the Seller for the specific purpose of providing the Services under this DPA.


(b)   Seller shall ensure that Whaleco Ireland Personal Data is segregated from all other Personal Data Processed by the Seller.


(c)   Seller shall not:


(i)           sell any Whaleco Ireland Personal Data;


(ii)          retain, use, share or disclose any Whaleco Ireland Personal Data for any purpose other than for the specific purpose of providing the Services under this DPA;


(iii)         use Whaleco Ireland Personal Data for profiling, targeting, analytics or data harvesting;


(iv)         do anything to cause the Whaleco Ireland to be in breach of Applicable Data Protection Laws; or


(v)          combine Whaleco Ireland Personal Data received pursuant to this DPA with Personal Data (i) received from or on behalf of another person, or (ii) collected from Seller’s own interaction with any Data Subject to whom such Personal Data pertains, except as and to the extent necessary as a part of Seller’s provision of the Services under this DPA.


(d)   Seller hereby certifies that it understands its obligations under this Section 6 and will comply with them.


7.     Cooperation with Whaleco Ireland


(a)    Data Protection Impact Assessment. Where applicable and upon Whaleco Ireland’s request, Seller will provide Whaleco Ireland with reasonable cooperation and assistance needed to fulfil Whaleco Ireland’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Whaleco Ireland’s Processing of Personal Data relating to this DPA. Seller will provide reasonable assistance to Whaleco Ireland in the cooperation or prior consultation with the Regulator, to the extent required under Applicable Data Protection Laws.


(b)    Regulator Correspondence and Third Party Requests. Seller shall promptly notify Whaleco Ireland on receipt of any Regulator Correspondence or Third Party Request relating to the Whaleco Ireland Personal Data, unless Seller is prohibited from so notifying Whaleco Ireland by applicable law. Seller will not disclose any Whaleco Ireland Personal Data in response to such Regulator Correspondence or Third Party Request without first consulting with, and obtaining, Whaleco Ireland’s prior written authorisation, unless legally compelled to do so, in which case Seller will use reasonable endeavours to (i) challenge or narrow such request to the greatest extent reasonably possible under law, including by litigation; and (ii) advise Whaleco Ireland in advance of such disclosure and in any event as soon as practicable thereafter.


(c)    Seller shall make available to Whaleco Ireland all information necessary for Whaleco Ireland to demonstrate compliance with the obligations laid down in Article 28 GDPR.  

乙方应向甲方提供甲方所需的所有信息,以证明其遵守 GDPR  28 条规定的义务。

(d)    Seller shall comply with any relevant policies and procedures notified to them by Whaleco Ireland from time to time, as may be reasonable and appropriate.


8.     Seller Subprocessors


(a)   Consent to Seller Subprocessor Engagement. Subject to the Seller’s compliance with any procedures in place from time to time in relation to the appointment of Seller Subprocessors, Whaleco Ireland authorises the engagement of Seller Subprocessors set out in Annex 3 (List of Seller Subprocessors) of this DPA.


(b)   Information about Seller Subprocessors. Information about current Seller Subprocessors, including their functions and locations, is available in Annex 3 (List of Seller Subprocessors) of this DPA.

有关乙方分处理商的信息。有关当前乙方分处理商的信息,包括其职能和地点,请参阅本附录的附件 3乙方分处理商列表)。

(c)   Requirements for Seller Subprocessor Engagement. Seller shall comply with any procedures in place from time to time in relation to the appointment of Seller Subprocessors. When engaging any Seller Subprocessor, Seller will enter into a written contract with such Seller Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Whaleco Ireland Personal Data to the extent applicable to the nature of the services provided by such Seller Subprocessor. Seller shall be liable for all obligations subcontracted to, and all acts and omissions of, the Seller Subprocessor.


(d)   Opportunity to Object to Seller Subprocessor Changes. When Seller engages any new Seller Subprocessor, other than those listed at Annex 3 (List of Seller Subprocessors) of this DPA, after the effective date of this DPA, Seller will notify Whaleco Ireland in writing of the proposed engagement (including the name and location of the relevant Seller Subprocessor and the activities it will perform) at least 30 days in advance. If Whaleco Ireland objects to such engagement in a written notice to Seller within 30 days after being informed of the engagement on reasonable grounds relating to the protection of Whaleco Ireland Personal Data, such proposed new Seller Subprocessor shall not be permitted to Process Whaleco Ireland Personal Data.

拒绝乙方分处理商变更的可能。在本附录生效后,当乙方聘用任何新的处理商(本附录附件3-乙方分处理商列表中列明的分处理商除外),应至少提前30书面通知甲方拟聘用的分处理商(包括相关分处理商的名称和位置及其将执行的活动)。如果甲方在收到通知后 30天内因与甲方个人数据保护相关的合理理由以书面通知形式向乙方提出异议,则此类新分处理商不得参与处理甲方个人数据。

9.     Audits


(a)   Reviews and Audits of Compliance. Whaleco Ireland may audit Seller’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws.


(b)   Seller will contribute to such audits by providing Whaleco Ireland with the information and assistance reasonably necessary to conduct the audit. Seller agrees and acknowledges that a third party may be used to conduct (in whole or in part) such audits. 


(c)   Nothing in this Section 9 shall require Seller to breach any duties of confidentiality.


(d)   Without prejudice to any other provision of this DPA, if the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Whaleco Ireland’s audit request and Seller has confirmed there have been no known material changes in the controls audited since the date of such report, Seller shall provide such reports to Whaleco Ireland. 

在不影响本附录任何其他条款的情况下,甲方提出审计请求后十二 (12) 个月内如果在 SOC 2 Type 2ISONIST 或由合格的第三方审核员执行的类似审核报告中阐述了所请求审核中要评估的控制或措施,并且乙方已确认自该报告之日起审计的控制措施没有发生已知的重大变化,乙方应向甲方提供此类报告。

(e)   The audit must be conducted during regular business hours of Seller and shall be subject to Seller’s reasonable safety and security policies. 


(f)    Whaleco Ireland will notify Seller of any non-compliance discovered during the course of an audit and provide Seller with any audit reports generated in connection with any audit under this Section 9, unless prohibited by Applicable Data Protection Laws.


(g)   Without prejudice to any right of Whaleco Ireland to recover costs, damages or expenses relating to non-compliance, each Party shall meet its own costs arising from any audits or inspections carried out under this Section 9. 


(h)   Notwithstanding the foregoing, if Whaleco Ireland requests an audit due to an Information Security Incident or reasonably suspected breach of Applicable Data Protection Laws or as required by a Regulator, Whaleco Ireland (or its representative) may perform such audit more than once annually, without the foregoing restrictions and any such audit shall be at Seller’s sole cost and expense.


10.  Transfers of Whaleco Ireland Personal Data


a)    Transfer Mechanisms between Whaleco Ireland and Seller. The Parties acknowledge and agree that Seller may be located in, and intend to Process Whaleco Ireland Personal Data under this DPA in, jurisdictions outside of the EU, the EEA, the UK and/or Switzerland, and that such jurisdictions may not be recognised as providing an adequate level of protection for Personal Data within the meaning of Applicable Data Protection Laws (i.e. via an adequacy determination of the European Commission or the UK Secretary of State as applicable). Therefore, for transfers by Whaleco Ireland under this DPA of EU, EEA, UK or Swiss Whaleco Ireland Personal Data to Seller in jurisdictions which do not ensure an adequate level of data protection, the SCCs shall apply as follows:

甲方和乙方之间的传输机制双方认可并同意,乙方可能位于欧盟、欧洲经济区、英国和/或瑞士以外的司法管辖区,并有意按照本附录处理甲方个人数据,并且此类司法管辖区可能不被视为提供适用数据保护法含义内的对个人数据的充分保护水平(即通过欧盟委员会或英国国务大臣(如适用)的充分性确定)。 因此,对于甲方根据本附录将欧盟、欧洲经济区、英国或瑞士个人数据传输至无法确保充分数据保护水平的司法管辖区的乙方的情况,标准合同条款应按如下规定适用:

                                  i.         the EEA C2P SCCs shall apply to transfers of EU and EEA Whaleco Ireland Personal Data where Whaleco Ireland acts as Controller of and data exporter of Whaleco Ireland Personal Data and Seller acts as Processor and data importer of Whaleco Ireland Personal Data; and

EEA C2P标准合同条款应适用于欧盟和欧洲经济区个人数据的传输,其中甲方作为甲方个人数据的数据的控制者和披露方,乙方作为甲方个人数据的处理者和数据接收方 以及

                                ii.         the UK Addendum shall apply to transfers of UK Whaleco Ireland Personal Data where Whaleco Ireland acts as Controller and data exporter of Whaleco Ireland Personal Data and Seller acts as Processor and data importer of Whaleco Ireland Personal Data.


b)    Swiss data protection law. To the extent that the data protection and privacy laws and regulations of Switzerland (“Swiss Data Protection Laws”) apply to a transfer of Whaleco Ireland Personal Data, the Parties agree that the EEA SCCs are amended so that, with respect (only) to such transfer (and without limiting or affecting the application of the EEA SCCs otherwise):


(i) general and specific references in the EEA SCCs to Regulation (EU) 2016/679 or “that Regulation” or EU or Member State law have the same meaning as the equivalent reference in Swiss Data Protection Laws;

EEA标准合同条款中对法规(EU) 2016/679该法规、欧盟或成员国法律的一般和具体引用与瑞士数据保护法中的等效引用具有相同的含义;

(ii) the term “Member State” will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with clause 18.c of the EEA SCCs;


(iii) the details of the transfers are those specified in Annex I.A to the EEA SCCs where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer;


(iv) the SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as “personal data” under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity; and


(v) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for the purposes of clause 13 of the EEA SCCs.

瑞士联邦数据保护和信息专员是符合EEA 标准合同条款13条的主管监管机构。

c)     The Parties agree that the SCCs are hereby incorporated by reference and will be deemed to have been executed by the Parties. To the extent that there is any conflict between the terms of this DPA and the terms of the SCCs, the SCCs shall govern.


d)    Internal Seller Transfer Mechanisms. The Seller warrants and undertakes that it shall not transfer, nor allow for Seller Subprocessors to transfer, Whaleco Ireland Personal Data outside of the Seller’s jurisdiction, unless it has specific authorisation from Whaleco Ireland to do so. For transfers of Whaleco Ireland Personal Data under this DPA by the Seller or Seller Subprocessors to other countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws (which for the avoidance of doubt may include transfers from the EEA to the UK), Seller acknowledges and agrees that Seller has implemented, and will implement, all transfer mechanisms required to comply with Applicable Data Protection Laws and shall ensure such compliance by Seller Subprocessors, including entering into, or procuring that such Seller Subprocessors enter into, the EEA P2P SCCs.

乙方内部提供者传输机制。乙方保证并承诺,除非获得甲方的具体授权,否则其不会将甲方个人数据传输至乙方管辖范围之外,也不会允许乙方分处理者将甲方个人数据传输至乙方管辖范围之外。对于乙方或乙方分处理者在本附录项下将甲方个人数据传输到无法确保适用数据保护法意义上的充分数据保护水平的其他国家/地区(为免生疑问,可能包括从欧洲经济区转移到英国),乙方承认并同意其已实施并将实施所有需要遵守适用数据保护法的传输机制,并应确保乙方分处理者遵守该等规定,包括签订或促使此类分处理者签订EEA P2P SCCs

e)    Seller will provide Whaleco Ireland with reasonable support to enable Whaleco Ireland’s compliance with the requirements imposed on international transfers of Whaleco Ireland Personal Data. Seller will, upon Whaleco Ireland’s request, provide information to Whaleco Ireland which is reasonably necessary for Whaleco Ireland to complete a transfer impact assessment ("TIA") to the extent required under Applicable Data Protection Laws.


11.  Miscellaneous


(a)    Any notices required or permitted to be given by Seller to Whaleco Ireland under this DPA may be given (a) to Whaleco Technology Limited, First Floor, 25 St, Stephens Green, Dublin 2, Ireland, and such notices shall be deemed given when received by Whaleco Ireland by letter delivered by nationally recognized overnight delivery service or first-class postage prepaid mail at the above address; (b) to Seller’s primary points of contact with Whaleco Ireland; or (c) to any email provided by Whaleco Ireland for the purpose of providing it with Service-related communications or alerts.

乙方根据本附录要求或许可向甲方发出的任何通知均可 (a) 发送给Whaleco Technology Limited, 地址是【First Floor, 25 St, Stephens Green, Dublin 2, Ireland】,并且当甲方通过公认的隔夜递送服务或一级邮资预付邮件在上述地址收到该等通知时,该等通知应视为已送达; (b) 发至乙方于甲方的主要联系地点(c)发给乙方与甲方的主要联系人; (c) 发至甲方为了向其提供与服务相关的通信或提醒而提供的任何电子邮件地址。

(b)    In the event of changes to Applicable Data Protection Laws, Seller will take, and will ensure Seller Subprocessors take, such measures as required under Applicable Data Protection Laws to continue facilitating the lawful Processing of Whaleco Ireland Personal Data pursuant to this DPA and Applicable Data Protection Laws.


(c)     The Seller’s liability arising from this DPA shall not be subject to any exclusions or limitations on liability.


(d)     Seller will defend Whaleco Ireland from and against any claims, demands, suits, causes of action, proceedings, investigations or inquiries (“Claims”), and indemnify and hold Whaleco Ireland harmless from all losses, liabilities, damages, costs and expenses (including reasonable legal fees and fees related to any investigation or regulatory proceeding) (“Losses”) to the extent the Claims or Losses arise out of, are in connection with, or relate to: (i) any breach by Seller of this DPA; and/or (ii) Seller’s violation of any Applicable Data Protection Laws.

如果索赔或损失是由以下原因引起、与之相关或涉及:(i) 乙方任何违反本附录; / (ii)乙方违反任何适用数据保护法的行为,乙方应保障甲方免受任何索赔、要求、诉讼、诉因、程序、调查或询问(简称索赔),赔偿并确保甲方免受所有损失、责任、损害、成本和支出(包括合理的法律费用和与任何调查或监管程序相关的费用)(简称损失)。

(e)     In case of discrepancies between the English and Chinese versions, the English version shall prevail.





Annex 1 to DPA

California Annex




Annex 2 to DPA

Security Measures


1.                Organisational management and dedicated staff responsible for the development, implementation and maintenance of the Seller’s information security program.


2.                Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Seller’s organisation, monitoring and maintaining compliance with the Seller’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.


3.                Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).


4.                Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).


5.                Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Seller’s passwords that are assigned to its employees:  (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Seller’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.


6.                System audit or event logging and related monitoring procedures to proactively record user access and system activity.


7.                Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of the Seller’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.


8.                Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Seller’s possession.


9.                Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Seller’s technology and information assets.


10.             Incident management procedures are designed to allow the Seller to investigate, respond to, mitigate and notify of events related to the Seller’s technology and information assets.


11.             Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.


12.             Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.


13.             Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.



Annex 3 to DPA

List of Seller Subprocessors


Whaleco Ireland authorises the Seller to engage the following Seller Subprocessors for the purpose of providing the Services under this DPA:


Seller Subprocessor Name


Nature of Processing









Annex 4 to DPA


Details of Processing Activities


Data Subjects:


The Whaleco Ireland Personal Data processed / transferred concern the following categories of Data Subjects:

Temu users.



Categories of Personal Data:


The Whaleco Ireland Personal Data transferred and processed is:

Name and other non-sensitive Personal Data users may disclose during the Services.



Special categories of data:


The Whaleco Ireland Personal Data transferred may concern the following special categories of data:




The frequency of the transfer:


One-off for each instance of the Services.


Nature of the processing:


The Whaleco Ireland Personal Data transferred will be subject to the following basic processing activities/ processing operations (please specify):




Purpose(s) of the data transfer/ processing:


For the purpose of providing the Services as described in this DPA.


The duration of the processing and period for which the Whaleco Ireland Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:


For each instance of the Services, for the duration of such instance. Seller shall not store or share any Whaleco Ireland Personal Data and shall delete Whaleco Ireland Personal Data immediately after the use of such Whaleco Ireland Personal Data.





跨境电商卖家最常用的物流渠道 中国邮政速递物流-国际e邮宝

跨境电商卖家最常用的物流渠道 中国邮政速递物流-国际e邮宝

https://baijiahao.baidu.com/s?id=1589918251745172819https://www.pfcexpress.com/esb/ E速宝是我司与中国邮政合作新开发的一项全新经济型国际邮递产品。...




13个提升eBay店铺销量和访问量的个人经验cifnews君cifnews君跨境电商雨果网模范生,肩扛三道杠的红领巾?关注他21 人赞同了该文章James Beach,一个已经在eBay和亚马逊做了八年的卖家的“老司机”,主要销售翻新的电子...

