Personal Information Processing Standards
These Personal Information Processing Standards (“Standards”) apply to all Alipay Overseas Commercial Cooperative Partners (“Partners”) and set out the key responsibilities for managing personal information of users when Alipay Services are being provided.
All Partners must ensure that they comply with these Standards.
1. Personal Information Protection Proposal
The Partners hereby confirm that the protection of Personal Information is the cornerstone of the long-term and steady development of a company, and agree to conform to the following principles in order to protect the rights and interests of Personal Information of users:
1) Respect for the User’s Right to Know. The Partners shall clearly inform users about the purpose, method, scope and usage of collecting and using their Personal Information with plain and understandable language. Without prior authorization, the Partners shall not collect any information of users.
2) Respect for the User’s Right of Control. The Partners shall not force users to accept any unreasonable “bundling of authorizations” and shall provide users with means to access, rectify and delete their Personal Information.
3) Respect for User Authorization and Strengthening of Self-Constraint. The Partners shall strictly follow the scope of authorization as agreed with users, and shall not collect and provide information that is irrelevant to products or services.
4) Ensure the Safety of User Information. The Partners shall adopt adequate and effective technological means and management measures and screen third parties entrusted to process Personal Information in order to prevent any leakage, damages or losses of Personal Information.
5) Ensure the Safety and Credibility of Products and Services. The Partners shall not install any hidden functions in their products and services in order to conduct any operations without the users’ knowledge and shall promptly take remedial measures upon discovery of any security defects or flaws.
6) Boycott the Black Industry Chain. The Partners shall not collect any information obtained through any illegal channels and shall absolutely eliminate any transactions and connections with the black industry chain for Personal Information.
7) Advocate Industry Self-discipline. The Partners shall jointly explore best practices for protecting Personal Information which can be promoted, replicated and can be integrated with international practices, and can motivate and assist in boosting the overall level of the industry.
8) Accept Societal Supervision. The Partners shall implement their corporate commitments in earnest, actively cooperate with supervisory inspections initiated by the regulators and proactively accept societal supervision.
Upon discovery of any acts of violation carried out by a Partner, Alipay shall have the right to take relevant measures in accordance with these Standards hereunder, including terminating the cooperation and reserving the right to pursue any legal liabilities.
2. Definitions
1) Personal Information means: any information in electronic or other format that can be used to identify a natural person or to reflect information on any acts of a specified natural person, whether alone or in combination with other information, or any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, the identification number, location data, the online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2) Personal Sensitive Information includes: the Personal Information that if leaked, illegally provided or misused may endanger a natural person’s personal or financial safety, or will likely cause injury or discriminatory treatment to a natural person’s personal reputation, bodily and mental health; the Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data or biometric identification data processed for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sexual life or sexual orientation. For example, identification document number, the bank account, property information, transaction or order information, bill information, credit report information, biometric identifying information, communications records, location information, trajectories, residence information, health and physiological information, etc.
3) Process, processed or processing means any operation or set of operations which is carried out on Personal Information, such as accessing, collecting, recording, organizing, structuring, storing, adjusting or altering, researching, consulting, using, disclosing, disseminating or otherwise making available to others, copying, amending, adapting or combining, destroying, erasing, etc.
4) Express Consent refers to any freely given, specific, informed and unambiguous indication of the natural person’s wishes by which he or she, by a written statement or by a clear affirmative action, signifies his/her consent to the processing of Personal Information relating to him or her. Affirmative actions include the user affirmatively ticking a box or clicking “consent”, etc.
The aforementioned definitions are intended to apply to all Partners, but Alipay shall have sole discretion to permit modifications of these definitions, all or in part, for example, if such definitions are in conflict with any applicable laws or regulations, or need to be adjusted to fit any specific circumstances relating to a merchant or their products and services.
3. Personal Information Protection Standards
The Partners shall ensure that the processing of Personal Information involved in the course of providing users with products and services shall accord with relevant requirements of applicable laws and regulations. Meanwhile the Partners shall standardize their actions in connection with the processing of Personal Information with reference to relevant national or industry standards, and shall provide the maximum level of protection to the legitimate rights and interests of users and the public interest.
1) Collection of Users’ Personal Information
(a) The Partners shall comply with the principles of legality, propriety and necessity and shall collect the minimum amount of Personal Information that is adequate for processing, and there must be a legitimate basis or user consent must have been obtained for the collection and processing of user Personal Information.
(b) The Partners may not collect information that is irrelevant to the provision of products or services; cause a user to provide Personal Information by means of fraud, inducement or coercion; or conceal functions that collect Personal Information within their products or services.
(c) When collecting Personal Sensitive Information, the Partners shall have a legitimate basis for collecting and processing such information, or they shall have, with the user’s knowledge, obtained user authorization by Express Consent.
2) Use of Personal Information of Users
(a) The Partners shall use the Personal Information of users solely for the purpose of performing their contractual obligations under corresponding user agreements, and shall not exceed the scope of authorization as agreed by the users. The Partners may not use Personal Information of users for any purpose that is illegal or in violation of any public orders and social ethics.
(b) In the event that it is necessary to use the Personal Information of users beyond the agreed scope of authorization in order to provide products and services to the users, the Partners shall otherwise obtain lawful authorization from the users.
(c) Without prior authorization from Alipay, no user Personal Information obtained through Alipay can be used [directly or indirectly] in the automated decision-making process of a system (e.g. determining personal credit and loan limit based on user profiles or use of user profiles in the interview-screening process).
(d) Personal Sensitive Information (e.g. identification certificate number, mobile phone number, bank card number, email address, address, license plate number) of a user that is directly identifiable when the Partner provides its products and services shall be presented after such sensitive information has been pseudonymized in order to reduce risks of Personal Information leakage when such information is displayed.
3) Disclosure of User Personal Information
(a) The Partners shall not disclose any Personal Information or Personal Sensitive Information of users to any third party in any way without prior authorization, except under the following circumstances:
a. Where the user’s consent has been obtained;
b. Where disclosure is permitted in accordance with applicable laws and regulations or regulatory requirements.
(b) The Partners shall not entrust the processing of user Personal Information to others unless Express Consent has been obtained from the users or there is another legitimate basis; in that case, the Partners shall ensure that the entrusted party shall comply with equivalent requirements for the protection of information and privacy and shall undertake the corresponding responsibilities for user information security.
(c) If it is necessary for the Partners to provide the Personal Information collected and generated in the course of their operations offshore, the Partners shall take all necessary measures and follow relevant requirements in order to ensure the cross-border transmission complies with applicable laws and regulations.
4) Information Security Protection
(a) The Partners shall safeguard their own accounts, passwords and secret keys used on the Alipay platform.
(b) The Partners shall adopt technological means and management measures in accordance with applicable laws, regulations, national or industry standards and self-discipline rules or other applicable requirements in order to ensure that the users’ Personal Information receives sufficient security protection and to prevent information processing without legitimate basis or user consent.
(c) The transmission of user information must be processed with encryption.
(d) The Partners shall specify the person in charge of and the department responsible for information security and manage tasks relating to information security in a systematic manner.
(e) The Partners shall periodically (at least once a year) conduct self-inspections of their information security management. The scope of the self-inspection shall include but not be limited to: the security of information systems, the implementation of relevant information security requirements and measures. The Partners shall develop and implement a rectification scheme if the information security conditions fail to meet relevant requirements.
(f) The Partners shall take special measures to ensure that only personnel that are required to access user Personal Information for legitimate purposes are granted such access rights.
(g) The Partners shall not provide any users with any proxy authentication credentials that will enable them to automatically login to any platform under Ant Financial Group (the parent company of Alipay).
(h) The Partners shall not engage in data crawling of any platform under Ant Financial Group (the parent company of Alipay) in any manner.
(i) The Partners shall not engage in any acts that are irrelevant to their products or services by reflection searching, tracking, linking, mining, obtaining or using user information.
(j) Upon detecting any abnormal situation or data leakage in a Partner’s interface, Alipay shall have the right to protect the relevant interface, including but not limited to blocking the interface by means of temporary closure, flow restraint, frequency restraint or others. The Partners are obliged to cooperate with relevant Alipay teams to conduct any emergency security processing (including but not limited to suspension of data access) and relevant investigations, and promptly delete relevant user information according to Alipay requirements.
5) Users’ Right of Access, Correction and Deletion
(a) The Partners shall provide users with channels for information query, correction and deletion and for revocation of authorizations.
(b) The Partners shall promptly correct Personal Information according to the users’ requirements.
(c) The Partners shall promptly delete Personal Information as required by users under the following circumstances:
a. The collection and use of Personal Information by the Partner is in violation of applicable laws, regulations or agreements with users;
b. The disclosure of Personal Information by the Partner to a third party is in violation of applicable laws, regulations or agreements with users, and upon being required to do so by a user, the Partner shall immediately stop the disclosure and notify the third party to delete the information in a timely manner.
c. The disclosure of Personal Information to the public by the Partner is in violation of applicable laws, regulations or agreements with users and upon being required to do so by a user, the Partner shall immediately stop such disclosure to the public and notify the information recipient to delete the relevant information.
(d) The Partners shall promptly delete User Personal Information obtained through Alipay once the cooperation is terminated, unless the processing of such User Personal Information is otherwise permitted by relevant law or is with the Express Consent of Users.
4. Assessment and Audit
1) Alipay has the right to assess and audit the information security management of Partners and the results of their management control.
2) Alipay has the right to entrust independent third party organizations (for example, accounting firms and law firms) to conduct the aforementioned assessment and audit, and the Partners shall cooperate with Alipay as follows:
(a) The Partners shall cooperate to provide facilities, equipment, systems, policies or procedures in connection with processing of received information.
(b) The Partners shall cooperate to open up relevant work premises and arrange relevant personnel for interviews.
3) The Partners shall rectify or improve the relevant information processing facilities, equipment, systems, policies or procedures within the specified time limit in accordance with the requirements resulting from the assessment and audit.
4) Alipay shall provide Partners with a reasonable advance notice period before imposing any assessment and audit requirements. Meanwhile, the assessment and audit shall be conducted in compliance with applicable laws and regulations and shall not affect the normal operations or the legitimate rights and interests of the Partners.
5) Alipay shall bear relevant expenses in the event that no material defects in connection with the processing of users’ Personal Information are found in the assessment and audit mentioned above; and in the opposite case, the Partners shall bear relevant expenses as well as expenses for rectification and improvement that are subsequently incurred.
6) Alipay shall have the right to terminate cooperation with Partners that pose greater risks.
5. Data Violations
1) The Partners shall take all necessary emergency and remedial measures and immediately notify Alipay by the means provided in commercial cooperation agreements upon learning of or suspecting the occurrence of any of the following situations:
(a) any violation of these standards;
(b) any situation that should be reported to regulators or disclosed to affected users pursuant to applicable laws and regulations.
2) Meanwhile, Alipay will take corresponding measures in accordance with relevant commercial cooperation agreement upon discovery of any data violation by a Partner.
Alipay and the Partners shall respectively assume their data security responsibilities and other responsibilities required by laws and regulations in situations where they are joint controllers of Personal Information.
Updated on April 30, 2019