Standard Contract for Outbound Transfer of Personal Information

个人信息出境标准合同

Capitalised terms used but not defined in this Contract (including the Annexes) shall have the meanings given to them in the separate agreement between the parties into which this Contract is incorporated (the "Agreement") and the corresponding data protection agreement (the "Data Protection Agreement").

本合同（包括附件）中使用但未定义的大写术语，其含义应以本合同所纳入的双方之间单独协议（"协议"）及相应的数据保护协议（"数据保护协议"）中的定义为准。

In order to ensure that the activities of the Personal Information Handler and Overseas Recipient meet the Personal Information protection standards under the Relevant Laws and Regulations of the People’s Republic of China and specify the Personal Information protection related rights and obligations of the Personal Information Handler and Overseas Recipient, the Parties have mutually agreed to enter into this Contract.

为了确保境外接收方处理个人信息的活动达到中华人民共和国相关法律法规规定的个人信息保护标准[JM1] [ZZL(A2] ，明确个人信息处理者和境外接收方个人信息保护的权利和义务，经双方协商一致，订立本合同。

Personal Information Handler: The relevant Dubai Holding group entity as specified in the Agreement and the Data Protection Agreement.

Address: As specified in the Agreement and the Data Protection Agreement in the party clauses.

Contact Method: Contact details are specified in the Agreement and the Data Protection Agreement.

Contact Person: As specified in the Agreement and the Data Protection Agreement.

Title: As specified in the Agreement and the Data Protection Agreement.

个人信息处理者：按照协议和数据保护协议中的约定。

地址：按照协议和数据保护协议中的缔约方条款的约定。

联系方式：按照协议和数据保护协议中的约定。

联系人：按照协议和数据保护协议中的约定。职务：按照协议和数据保护协议中的约定。

Overseas Recipient: Supplier(s) or the counterparty/ies to the Personal Information Handler as otherwise defined in the Agreement and the Data Protection Agreement.

Address: As specified in the Agreement and the Data Protection Agreement in the party clauses.

Contact Method: Contact details for the Overseas Recipient are specified in the Agreement and the Data Protection Agreement.

Contact Person: As specified in the Agreement and the Data Protection Agreement.

Title: As specified in the Agreement and the Data Protection Agreement.

境外接收方：按照协议和数据保护协议中另行定义的供应商或交易对方。

地址：按照协议和数据保护协议中的缔约方条款的约定。

联系方式：按照协议和数据保护协议中的约定。

联系人：按照协议和数据保护协议中的约定。职务：按照协议和数据保护协议中的约定。

The Personal Information Handler and Overseas Recipient will conduct the outbound transfer of Personal Information in accordance with this Contract. The Parties have entered into the Agreement and the Data Protection Agreement to govern the commercial[JM3] [ZZL(A4]  activities and data protection obligations related thereto.

个人信息处理者与境外接收方依据本合同约定开展个人信息出境活动。双方已订立协议和数据保护协议，以规范与此活动相关的商业行为和数据保护义务。

The main body of this Contract is formulated in accordance with the requirements of the Measures on the Standard Contract for Outbound Transfer of Personal Information, and any other contractual provisions, if any, as agreed between the Parties, can be specified in Annex II, which shall be deemed part of this Contract, if they do not conflict with the main body of this Contract.

本合同正文根据《个人信息出境标准合同办法》的要求拟定，在不与本合同正文内容相冲突的前提下，双方如有其他约定可在附录二中详述，附录构成本合同的组成部分。

‍

Article 1 Definitions

第一条 定义

In this Contract, unless otherwise provided herein:

在本合同中，除上下文另有规定外：

1. "Personal Information Handler" refers to an entity or individual in Personal Information processing activities that independently decides the purpose and method of the Personal Information processing activities and transfers Personal Information outside of the People's Republic of China.
   “个人信息处理者”是指在个人信息处理活动中自主决定处理目的、处理方式的，向中华人民共和国境外提供个人信息的组织、个人。
2. "Overseas Recipient" refers to an entity or individual outside of the People’s Republic of China that receives the Personal Information from Personal Information Handler.
   “境外接收方”是指在中华人民共和国境外自个人信息处理者处接收个人信息的组织、个人。
3. The Personal Information Handler or Overseas Recipient shall be referred to as the "Party", and collectively as the "Parties".
   个人信息处理者或者境外接收方单称“一方”，合称“双方”。
4. "Personal Information Subject" means the natural person identified or associated with the Personal Information.
   “个人信息主体”是指个人信息所识别或者关联的自然人。
5. "Personal Information" refers to all kinds of information, recorded electronically or otherwise, related to identified or identifiable natural persons, but excluding anonymized information.
   “个人信息”是指以电子或者其他方式记录的与已识别或者可识别的自然人有关的各种信息，不包括匿名化处理后的信息。
6. "Sensitive Personal Information" refers to the Personal Information that, once leaked or illegally used, may damage the personal dignity or endanger the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical health, financial account, personal whereabouts, etc., and the Personal Information of minors under the age of 14.
   “敏感个人信息”是指一旦泄露或者非法使用，容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的个人信息，包括生物识别、宗教信仰、特定身份、医疗健康、金融账户、行踪轨迹等信息，以及不满十四周岁未成年人的个人信息。
7. "Regulatory Authority" means the Cyberspace Administration of China of the People's Republic of China at or above the provincial level.
   “监管机构”是指中华人民共和国省级以上网信部门。
8. "Relevant Laws and Regulations" refer to the People’s Republic of China Cybersecurity Law, the People’s Republic of China Data Security Law, the People’s Republic of China Personal Information Protection Law, the People’s Republic of China Civil Code, the People’s Republic of China Civil Procedure Law, the Measures on the Standard Contract for Outbound Transfer of Personal Information, and other People’s Republic of China laws and regulations.
   “相关法律法规”是指《中华人民共和国网络安全法》《中华人民共和国数据安全法》《中华人民共和国个人信息保护法》《中华人民共和国民法典》《中华人民共和国民事诉讼法》《个人信息出境标准合同办法》等中华人民共和国法律法规。
9. The meaning of other undefined terms in this Contract shall be consistent with the meaning stipulated in the Relevant Laws and Regulations.
   本合同其他未定义术语的含义与相关法律法规规定的含义一致。

‍

Article 2 Obligations of the Personal Information Handler

第二条 个人信息处理者的义务

The Personal Information Handler shall perform the following obligations:

个人信息处理者应当履行下列义务：

1. Process Personal Information in accordance with the Relevant Laws and Regulations, and limit the Personal Information to be transferred abroad to the minimum scope required for the purpose of processing.
   按照相关法律法规规定处理个人信息，向境外提供的个人信息仅限于实现处理目的所需的最小范围。
2. Inform the Personal Information Subject of the name and contact information of Overseas Recipient, the purpose and method of processing, type of Personal Information and retention periods as specified in Annex I – Description of the Outbound Transfer of Personal Information, the methods and procedures for Personal Information Subject to exercise his/her rights, and etc.; in case of an outbound transfer of Sensitive Personal Information, inform the Personal Information Subject of the necessity of the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of the Personal Information Subject; provided in each case that such obligation can be exempted by the laws and administrative regulations.
   向个人信息主体告知境外接收方的名称或者姓名、联系方式、附录一“个人信息出境说明”中处理目的、处理方式、个人信息的种类、保存期限，以及行使个人信息主体权利的方式和程序等事项。向境外提供敏感个人信息的，还应当向个人信息主体告知提供敏感个
   人信息的必要性以及对个人权益的影响。但是法律、行政法规规定不需要告知的除外。
3. Obtain a separate consent of Personal Information Subject if the Personal Information is transferred abroad based on the consent of the individual; or, if the Personal Information of a minor under the age of 14 is involved, obtain a separate consent of the minor’s parents or other guardians. The consent shall be in a written form if so required by the laws and administrative regulations.
   基于个人同意向境外提供个人信息的，应当取得个人信息主体的单独同意。涉及不满十四周岁未成年人个人信息的，应当取得未成年人的父母或者其他监护人的单独同意。法律、行政法规规定应当取得书面同意的，应当取得书面同意。
4. Inform Personal Information Subject that Personal Information Handler and Overseas Recipient have agreed that the Personal Information Subject will be a third-party beneficiary under this Contract, and if the Personal Information Subject does not expressly object within 30 days, the Personal Information Subject shall be entitled to the rights of a third-party beneficiary in accordance with this Contract.
   向个人信息主体告知其与境外接收方通过本合同约定个人信息主体为第三方受益人，如个人信息主体未在30日内明确拒绝，则可以依据本合同享有第三方受益人的权利。
5. Make reasonable efforts to ensure that Overseas Recipient takes the following technical and managerial measures (comprehensively considering potential Personal Information security risks that may arise from the purpose of Personal Information processing, the type, scale, scope and sensitivity of the Personal Information, the volume and frequency of the Personal Information transfer, the Personal Information transmission, the period of retention by Overseas Recipient, and etc.) to perform its obligations under this Contract:
   The technical and managerial measures shall be as set out in the technical and organisational security measures published on Dubai Holding's Privacy Centre (accessible via Dubai Holding's Privacy Centre as provided under Annex II), as supplemented by any additional measures specified in the Data Protection Agreement and the Agreement. Such measures include but are not limited to encryption, anonymization, de-identification, and access control measures.
   The Overseas Recipient will also implement and maintain technical and organisational measures that are at least equivalent to those published on Dubai Holding's Privacy Centre and as set out in the Agreement and Data Protection Agreement.
   尽合理地努力确保境外接收方采取如下技术和管理措施（综合考虑个人信息处理目的、个人信息的种类、规模、范围及敏感程度、传输的数量和频率、个人信息传输及境外接收方的保存期限等可能带来的个人信息安全风险），以履行本合同约定的义务：
   技术和管理措施应按照迪拜控股隐私中心发布的技术和组织安全措施（通过迪拜控股隐私中心访问）执行，并由数据保护协议和协议中规定的任何其他措施作为补充。该等措施包括但不限于加密、匿名化、去标识化和访问控制等措施。境外接收方还应当实施和维护至少与迪拜控股隐私中心发布的以及协议和数据保护协议中规定的同等技术和组织措施。境外接收方还应当实施和维护至少与迪拜控股隐私中心发布的以及协议和数据保护协议中规定的同等技术和组织措施。
6. Provide copies of the relevant laws and technical standards to Overseas Recipient upon the request of Overseas Recipient.
   根据境外接收方的要求向境外接收方提供相关法律规定和技术标准的副本。
7. Respond to inquiries from the Regulatory Authority about Overseas Recipient’s processing activities.
   答复监管机构关于境外接收方的个人信息处理活动的询问。
8. Conduct a Personal Information protection impact assessment on the proposed transfer of Personal Information to Overseas Recipient in accordance with the Relevant Laws and Regulations. The assessment shall focus on the following matters:
   按照相关法律法规对拟向境外接收方提供个人信息的活动开展个人信息保护影响评估。重点评估以下内容：
   i. The legality, legitimacy, and necessity of the purpose, scope, and method of Personal Information processing by the Personal Information Handler and Overseas Recipient;
   个人信息处理者和境外接收方处理个人信息的目的、范围、方式等的合法性、正当性、必要性。
   ii. The scale, scope, type, and sensitivity of Personal Information to be transferred abroad, and the risks to Personal Information rights and interests that may arise from the cross-border transfer of Personal Information;
   出境个人信息的规模、范围、种类、敏感程度，个人信息出境可能对个人信息权益带来的风险。
   iii. The obligations to be undertaken by Overseas Recipient, and whether the management and technical measures and capabilities for performance of the obligations can ensure the security of the Personal Information to be transferred abroad;
   境外接收方承诺承担的义务，以及履行义务的管理和技术措施、能力等能否保障出境个人信息的安全。
   ivThe risks of the Personal Information being tampered with, destroyed, leaked, lost or illegally used after its transfer abroad, and whether the channels for safeguarding the Personal Information rights and interests are smooth;
   个人信息出境后遭到篡改、破坏、泄露、丢失、非法利用等的风险，个人信息权益维护的渠道是否通畅等。
   v. The impact of the Personal Information protection policies and regulations of the country or region where Overseas Recipient is located on the performance of this Contract; and
   按照本合同第四条评估当地个人信息保护政策和法规对合同履行的影响。
   vi. Other matters that may affect the security of outbound transfer of Personal Information.
   其他可能影响个人信息出境安全的事项。
   The Personal Information protection impact assessment report shall be kept for at least three years.
   保存个人信息保护影响评估报告至少3年。
9. Provide a copy of this Contract to Personal Information Subject upon the request of Personal Information Subject. If trade secrets or confidential business information are involved, the relevant contents of the copy of this Contract can be handled appropriately to the extent not affecting Personal Information Subject’s understanding of this Contract.
   根据个人信息主体的要求向个人信息主体提供本合同的副本。如涉及商业秘密或者保密商务信息，在不影响个人信息主体理解的前提下，可对本合同副本相关内容进行适当处理。
10. Assume the burden of proof on the performance of obligations under this Contract.
    对本合同义务的履行承担举证责任。
11. In accordance with the Relevant Laws and Regulations, provide the Regulatory Authority with all the information under Article 3(11), including all the compliance audit results.
    根据相关法律法规要求，向监管机构提供本合同第三条第十一项所述的信息，包括所有合规审计结果。

‍

Article 3 Obligations of Overseas Recipient

第三条 境外接收方的义务

Overseas Recipient shall perform the following obligations:

境外接收方应当履行下列义务：

1. Process the Personal Information in accordance with Annex I – Description of the Outbound Transfer of Personal Information. If Overseas Recipient processes the Personal Information in a manner that is beyond the purpose and method of Personal Information processing and/or the type of Personal Information as agreed, a separate consent of Personal Information Subject shall be obtained if the Personal Information is transferred abroad based on the consent of the individual; if the Personal Information of a minor under the age of 14 is involved, a separate consent of the minor’s parents or other guardians shall be obtained.
   按照附录一“个人信息出境说明”所列约定处理个人信息。如超出约定的处理目的、处理方式和处理的个人信息种类，基于个人同意处理个人信息的，应当事先取得个人信息主体的单独同意；涉及不满十四周岁未成年人个人信息的，应当取得未成年人的父母或者其他监护人的单独同意。
2. If entrusted by Personal Information Handler to process Personal Information, process the Personal Information in accordance with the agreement with Personal Information Handler and not process the Personal Information in a manner that is beyond the purpose or method of the Personal Information processing as agreed with Personal Information Handler.
   受个人信息处理者委托处理个人信息的，应当按照与个人信息处理者的约定处理个人信息，不得超出与个人信息处理者约定的处理目的、处理方式等处理个人信息。
3. Provide a copy of this Contract to Personal Information Subject upon the request of Personal Information Subject. If trade secrets or confidential business information are involved, the relevant contents of the copy of this Contract can be handled appropriately to the extent not affecting the Personal Information Subject’s understanding of this Contract.
   根据个人信息主体的要求向个人信息主体提供本合同的副本。如涉及商业秘密或者保密商务信息，在不影响个人信息主体理解的前提下，可对本合同副本相关内容进行适当处理。
4. Process the Personal Information in a manner that has the least impact on the rights and interests of Personal Information Subject.
   采取对个人权益影响最小的方式处理个人信息。
5. Ensure that the retention period of Personal Information is the minimum period necessary for achieving the Purpose of Personal Information processing. Delete the Personal Information (including all back-up copies) upon expiry of the retention period. Where Overseas Recipient is entrusted by Personal Information Handler to process Personal Information and the entrustment agreement does not take effect, becomes null and void, or is cancelled or terminated, the Personal Information being processed shall be returned to Personal Information Handler or shall be deleted, and a written statement shall be provided to Personal Information Handler. If it is technically difficult to delete the Personal Information, all processing of the Personal Information shall be ceased, other than storing the Personal Information and taking necessary security measures.
   个人信息的保存期限为实现处理目的所必要的最短时间，保存期限届满的，应当删除个人信息（包括所有备份）。受个人信息处理者委托处理个人信息，委托合同未生效、无效、被撤销或者终止的，应当将个人信息返还个人信息处理者或者予以删除，并向个人信息处理者提供书面说明。删除个人信息从技术上难以实现的，应当停止除存储和采取必要的安全保护措施之外的处理。
6. Secure the handling of Personal Information in the following manner:
   按下列方式保障个人信息处理安全：
   i. Take technical and managerial measures including but not limited to those listed in Article 2(5) of this Contract and as published on Dubai Holding's Privacy Centre referred in Annex II, and conduct periodic inspections to ensure the security of Personal Information; and
   ‍采取包括但不限于本合同第二条第五项以及迪拜控股隐私中心发布的（见附录二）技术和管理措施，并定期进行检查，确保个人信息安全。
   ii. Ensure that the personnel authorized to process Personal Information perform their confidentiality obligations, and establish access controls based on the minimum authorization principle.
   确保授权处理个人信息的人员履行保密义务，并建立最小授权的访问控制权限。
7. In the event that Personal Information is or may be tampered with, destroyed, leaked, lost, illegally used, provided or accessed without authorization, Overseas Recipient shall:
   如处理的个人信息发生或者可能发生篡改、破坏、泄露、丢失、非法利用、未经授权提供或者访问，应当开展下列工作：
   i. Promptly take appropriate remedial measures to mitigate the adverse impact on the Personal Information Subject;
   及时采取适当补救措施，减轻对个人信息主体造成的不利影响。
   ii. Immediately notify the Personal Information Handler and report to the Regulatory Authority of the People's Republic of China as required by Relevant Laws and Regulations. The notification contains the following contents:
   立即通知个人信息处理者，并根据相关法律法规要求报告监管机构。通知应当包含下列事项：
   a. The type of Personal Information being or likely to be tampered with, destroyed, leaked, lost, illegally used, provided or accessed without authorization, the reasons and potential harm of such incident;
   发生或者可能发生篡改、破坏、泄露、丢失、非法利用、未经授权提供或者访问的个人信息种类、原因和可能造成的危害。
   b.The remedial measures that have been taken;
   已采取的补救措施。
   c. The measures that can be taken by Personal Information Subject to mitigate the harm;
   个人信息主体可以采取的减轻危害的措施。
   d.the contact information of the person or team responsible for handling the relevant incident.
   负责处理相关情况的负责人或者负责团队的联系方式。
   iii. Where the Relevant Laws and Regulations require a notification to Personal Information Subject, the contents of the notice shall include those under Article 3(7)(ii) above; if Overseas Recipient is entrusted by Personal Information Handler to process Personal Information, the notice shall be sent by Personal Information Handler to Personal Information Subject;
   相关法律法规要求通知个人信息主体的，通知的内容包含本项第2目的事项。受个人信息处理者委托处理个人信息的，由个人信息处理者通知个人信息主体。
   iv. Record and archive all the circumstances related to the occurrence or likely occurrence of tampering, destruction, leakage, loss, illegal use, unauthorized provision or access, including all remedial measures taken.
   记录并留存所有与发生或者可能发生篡改、破坏、泄露、丢失、非法利用、未经授权提供或者访问有关的情况，包括采取的所有补救措施。
8. Overseas Recipient may provide Personal Information to a third party located outside of the People’s Republic of China only if all of the following requirements are met:
   同时符合下列条件的，方可向中华人民共和国境外的第三方提供个人信息：
   i. It is indeed necessary for business purposes;
   确有业务需要。
   ii. Unless otherwise provided under the laws and administrative regulations, Personal Information Subject has been informed of the name and contact information of the third party, and the purpose and method of Personal Information processing, the type of Personal Information, retention periods, and the methods and procedures for Personal Information Subject to exercise his/her rights; if Sensitive Personal Information will be transferred to such third party, Personal Information Subject shall also be informed of the necessity for the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of Personal Information Subject;
   已告知个人信息主体该第三方的名称或者姓名、联系方式、处理目的、处理方式、个人信息种类、保存期限以及行使个人信息主体权利的方式和程序等事项。向第三方提供敏感个人信息的，还应当向个人信息主体告知提供敏感个人信息的必要性以及对个人权益的影响。但是法律、行政法规规定不需要告知的除外。
   iii. If the processing of Personal Information is based on the consent of Personal Information Subject, a separate consent of Personal Information Subject shall be obtained; or, if the Personal Information of a minor under the age of 14 is involved, a separate consent of the minor’s parents or other guardians shall be obtained. The consent shall be in a written form if so required by laws and administrative regulations;
   基于个人同意处理个人信息的，应当取得个人信息主体的单独同意。涉及不满十四周岁未成年人个人信息的，应当取得未成年人的父母或者其他监护人的单独同意。法律、行政法规规定应当取得书面同意的，应当取得书面同意。
   iv. It has entered into a written agreement with the third party to ensure that the processing of Personal Information by the third party meets the standards for protection of Personal Information required by the Relevant Laws and Regulations, and Overseas Recipient will be liable for the infringement of Personal Information Subject’s rights due to the provision of Personal Information to such third party;
   与第三方达成书面协议，确保第三方的个人信息处理活动达到中华人民共和国相关法律法规规定的个人信息保护标准，并承担因向中华人民共和国境外的第三方提供个人信息而侵害个人信息主体享有权利的法律责任。
   v. It will provide a copy of the above-mentioned agreement with the third party to Personal Information Subject upon the request of Personal Information Subject. If trade secrets or confidential business information are involved, the relevant contents of the copy of such agreement can be handled appropriately to the extent not affecting Personal Information Subject’s understanding of such agreement.
   根据个人信息主体的要求向个人信息主体提供该书面协议的副本。如涉及商业秘密或者保密商务信息，在不影响个人信息主体理解的前提下，可对该书面协议相关内容进行适当处理。
9. If Overseas Recipient is entrusted by Personal Information Handler to process Personal Information, and Overseas Recipient intends to sub-contract the processing to a third party, Overseas Recipient shall obtain the consent of Personal Information Handler in advance, ensure that the sub-contractor will not process Personal Information in a manner that is beyond the purpose and method of the processing as specified in Annex I – Description of the Outbound Transfer of Personal Information, and monitor the Personal Information processing activities of the third party.
   受个人信息处理者委托处理个人信息，转委托第三方处理的，应当事先征得个人信息处理者同意，要求该第三方不得超出本合同附录一“个人信息出境说明”中约定的处理目的、处理方式等处理个人信息，并对该第三方的个人信息处理活动进行监督。
10. When making use of Personal Information for automated decision-making, Overseas Recipient shall ensure the transparency of decision-making and fair and impartial results, and shall not carry out unreasonable or differentiated treatment of Personal Information Subject in terms of transaction conditions, such as transaction price. Where automated decision-making is used for information pushing and/or commercial marketing to Personal Information Subject, Overseas Recipient shall also provide Personal Information Subject with options that are not tailored to personal characteristics, or provide a convenient method for Personal Information Subject to opt out.
    利用个人信息进行自动化决策的，应当保证决策的透明度和结果公平、公正，不得对个人信息主体在交易价格等交易条件上实行不合理的差别待遇。通过自动化决策方式向个人信息主体进行信息推送、商业营销的，应当同时提供不针对其个人特征的选项，或者向个人信息主体提供便捷的拒绝方式。
11. Overseas Recipient shall undertake to provide Personal Information Handler with all necessary information required to comply with the obligations under this Contract, shall allow Personal Information Handler to review the necessary data documents and files, or shall allow Personal Information Handler to conduct a compliance audit of the processing activities under this Contract and shall provide facilitation for the compliance audit conducted by the Personal Information Handler.
    承诺向个人信息处理者提供已遵守本合同义务所需的必要信息，允许个人信息处理者对必要数据文件和文档进行查阅，或者对本合同涵盖的处理活动进行合规审计，并为个人信息处理者开展合规审计提供便利。
12. Overseas Recipient shall maintain an objective record of the Personal Information processing activities, keep such records for at least 3 years and provide the relevant records and documents to the Regulatory Authority directly or through Personal Information Handler in accordance with the Relevant Laws and Regulations.
    对开展的个人信息处理活动进行客观记录，保存记录至少3年，并按照相关法律法规要求直接或者通过个人信息处理者向监管机构提供相关记录文件。
13. Overseas Recipient agrees to accept the supervision and regulation by the Regulatory Authority during the course of its supervision of the implementation of this Contract, including but not limited to responding to inquiries, and cooperating with inspections, by the Regulatory Authority, abiding by the actions taken or decisions made by the Regulatory Authority, and providing written evidence that necessary actions have been taken, etc.
    同意在监督本合同实施的相关程序中接受监管机构的监督管理，包括但不限于答复监管机构询问、配合监管机构检查、服从监管机构采取的措施或者作出的决定、提供已采取必要行动的书面证明等。

‍

Article 4 Impact of Personal Information Protection Policies and Regulations in Overseas Recipient’s Country or Region on the Performance of Contract

第四条 境外接收方所在国家或者地区个人信息保护政策和法规

对合同履行的影响

1. The Parties warrant that they have exercised reasonable care when entering into this Contract and are not aware of Personal Information protection polices and regulations in Overseas Recipient’s country or region (including any requirements on providing Personal Information or authorizing public authorities to access Personal Information) that would impact Overseas Recipient’s performance of its obligations under this Contract.
   双方应当保证在本合同订立时已尽到合理注意义务，未发现境外接收方所在国家或者地区的个人信息保护政策和法规（包括任何提供个人信息的要求或者授权公共机关访问个人信息的规定）影响境外接收方履行本合同约定的义务。
2. The Parties represent that, when making the warranties under Article 4(1), they have conducted an assessment in light of the following circumstances:
   双方声明，在作出本条第一项的保证时，已经结合下列情形进行评估：
   i. The specific circumstances of the outbound transfer, including the purpose of Personal Information processing, the type, scale, scope and sensitivity of the Personal Information, the volume and frequency of the Personal Information transfer, the Personal Information transmission , the period of retention by Overseas Recipient, the previous experience of Overseas Recipient with respect to similar outbound transfer and processing of Personal Information, whether any Personal Information security incident has occurred to Overseas Recipient and whether such incident was timely and effectively handled, whether Overseas Recipient has received any request to provide Personal Information to the public authorities of the country or region where it is located and how Overseas Recipient responded to such request;
   出境的具体情况，包括个人信息处理目的、传输个人信息的种类、规模、范围及敏感程度、传输的规模和频率、个人信息传输及境外接收方的保存期限、境外接收方此前类似的个人信息跨境传输和处理相关经验、境外接收方是否曾发生个人信息安全相关事件及是否进行了及时有效地处置、境外接收方是否曾收到其所在国家或者地区公共机关要求其提供个人信息的请求及境外接收方应对的情况。
   ii. The Personal Information protection policies and regulations of the country or region where Overseas Recipient is located, including the following factors:
   境外接收方所在国家或者地区的个人信息保护政策和法规，包括下列要素：
   a. The currently effective Personal Information protection laws, regulations and generally applicable standards of the country or region;
   该国家或者地区现行的个人信息保护法律法规及普遍适用的标准。
   b.The regional or global Personal Information protection organizations that the country or region accedes to, and binding international commitments made by the country or region; and
   该国家或者地区加入的区域性或者全球性的个人信息保护方面的组织，以及所作出的具有约束力的国际承诺。
   c. The mechanisms for Personal Information protection implemented in the country or region, e.g. whether the supervision and enforcement authorities and relevant judicial authorities are capable of protecting Personal Information.
   该国家或者地区落实个人信息保护的机制，如是否具备个人信息保护的监督执法机构和相关司法机构等。
   iii. Overseas Recipient’s security management rules and technical capabilities.
   境外接收方安全管理制度和技术手段保障能力。
3. Overseas Recipient warrants that it has used its best efforts to provide the Personal Information Handler with the necessary relevant information for the assessment under Article 4(2).
   境外接收方保证，在根据本条第二项进行评估时，已尽最大努力为个人信息处理者提供了必要的相关信息。
4. The Parties shall keep a record of the process and results of the assessment carried out under Article 4(2).
   双方应当记录根据本条第二项进行评估的过程和结果。
5. Where Overseas Recipient is unable to perform this Contract due to any change in the Personal Information protection policies and regulations of the country or region where Overseas Recipient is located (including an amendment to laws in such country or region, or imposition of mandatory measures), Overseas Recipient shall notify Personal Information Handler immediately after becoming aware of such change.
   因境外接收方所在国家或者地区的个人信息保护政策和法规发生变化（包括境外接收方所在国家或者地区更改法律，或者采取强制性措施）导致境外接收方无法履行本合同的，境外接收方应当在知道该变化后立即通知个人信息处理者。
6. If Overseas Recipient is requested by a governmental authority or judicial authority in the country or region where Overseas Recipient is located to provide Personal Information under this Contract, it shall promptly notify Personal Information Handler.
   境外接收方接到所在国家或者地区的政府部门、司法机构关于提供本合同项下的个人信息要求的，应当立即通知个人信息处理者。

‍

Article 5 Rights of Personal Information Subject

第五条 个人信息主体的权利

The Parties agree that Personal Information Subject shall be entitled to the following rights as a third-party beneficiary under this Contract:

双方约定个人信息主体作为本合同第三方受益人享有以下权利：

1. Personal Information Subject, in accordance with the Relevant Laws and Regulations, has the right to be informed and the right to make decisions concerning the processing of his/her Personal Information, has the right to restrict or refuse the processing of his/her Personal Information by others, has the right to review, duplicate, correct, supplement or delete his/her Personal Information, and has the right to request others to explain the rules for the processing of his/her Personal Information.
   个人信息主体依据相关法律法规，对其个人信息的处理享有知情权、决定权，有权限制或者拒绝他人对其个人信息进行处理，有权要求查阅、复制、更正、补充、删除其个人信息，有权要求对其个人信息处理规则进行解释说明。
2. When Personal Information Subject requests to exercise the above-mentioned rights regarding his/her Personal Information that has been transferred abroad, Personal Information Subject may request the Personal Information Handler or directly request Overseas Recipient to take appropriate measures to realize such rights. If the Personal Information Handler is unable to realize those rights, it shall notify Overseas Recipient and request Overseas Recipient to assist.
   当个人信息主体要求对已经出境的个人信息行使上述权利时，个人信息主体可以请求个人信息处理者采取适当措施实现，或者直接向境外接收方提出请求。个人信息处理者无法实现的，应当通知并要求境外接收方协助实现。
3. Overseas Recipient shall, in accordance with the Personal Information Handler’s notice or Personal Information Subject’s request, cause the realization of the rights to which Personal Information Subject is entitled s within a reasonable time period and in accordance with the Relevant Laws and Regulations.
   Overseas Recipient shall inform Personal Information Subject of the relevant information in a conspicuous, true, accurate and complete manner, and in clear and understandable language.
   境外接收方应当按照个人信息处理者的通知，或者根据个人信息主体的请求，在合理期限内实现个人信息主体依照相关法律法规所享有的权利。
   境外接收方应当以显著的方式、清晰易懂的语言真实、准确、完整地告知个人信息主体相关信息。
4. If Overseas Recipient refuses Personal Information Subject’s request, it shall inform Personal Information Subject of the reasons for the refusal, and how Personal Information Subject can raise complaints to the Regulatory Authority and seek judicial remedies.
   境外接收方拒绝个人信息主体的请求的，应当告知个人信息主体其拒绝的原因，以及个人信息主体向相关监管机构提出投诉和寻求司法救济的途径。
5. The Personal Information Subject, as a third-party beneficiary of this Contract, has the right to claim and demand the performance of the following provisions under this Contract in relation to the rights of the Personal Information Subject from either of the Personal Information Handler and Overseas Recipient:
   个人信息主体作为本合同第三方受益人有权根据本合同条款向个人信息处理者和境外接收方的一方或者双方主张并要求履行本合同项下与个人信息主体权利相关的下列条款：
   i. Article 2, except for Articles 2(5), 2(6), 2(7) and 2(11);
   第二条，但第二条第五项、第六项、第七项、第十一项除外。
   ii. Article 3, except for Articles 3(7)(ii) and 3(7)(iv), 3(9), 3(11), 3(12) and 3(13);
   第三条，但第三条第七项第2目和第4目、第九项、第十一项、第十二项、第十三项除外。
   iii. Article 4, except for Articles 4(5) and 4(6);
   第四条，但第四条第五项、第六项除外。
   iv. Article 5;
   第五条。
   v. Article 6;
   第六条。
   vi. Article 8(2) and 8(3); and
   第八条第二项、第三项。
   vii. Article 9(5).
   第九条第五项。

The provisions agreed above shall not affect the rights and interests of Personal Information Subject under the People’s Republic of China Personal Information Protection Law.

上述约定不影响个人信息主体依据《中华人民共和国个人信息保护法》享有的权益。

‍

Article 6 Remedies

第六条 救济

1. Overseas Recipient shall identify a contact person who is authorized to respond to inquiries or complaints concerning the processing of Personal Information, and shall promptly handle such inquiries or complaints raised by Personal Information Subject. Overseas Recipient shall notify the Personal Information Handler of the contact information of such contact person and shall, by separate notice or announcement on its website in an easy-to-understand manner, inform Personal Information Subject of the contact information of such contact person. Specifically:
   The contact person[JM5] [ZZL(A6]  and contact details for privacy inquiries shall be as specified in the Agreement and the Data Protection Agreement, or as otherwise notified by the Overseas Recipient to the Personal Information Handler.
   境外接收方应当确定一个联系人，授权其答复有关个人信息处理的询问或者投诉，并应当及时处理个人信息主体的询问或者投诉。境外接收方应当将联系人信息告知个人信息处理者，并以简洁易懂的方式，通过单独通知或者在其网站公告，告知个人信息主体该联系人信息，具体为：
   联系人及联系方式：按照协议和数据保护协议中的约定，或境外接收方另行通知个人信息处理者的联系方式。
2. If a dispute arises between a Party and Personal Information Subject with respect to the performance of this Contract, such Party shall notify the other Party and the Parties shall cooperate to resolve the dispute in a timely manner.
   一方因履行本合同与个人信息主体发生争议的，应当通知另一方，双方应当合作解决争议。
3. If the dispute cannot be resolved through friendly corporation and Personal Information Subject exercises the rights as a third-party beneficiary in accordance with Article 6(2), Overseas Recipient shall accept that Personal Information Subject may choose from of the following:
   争议未能友好解决，个人信息主体根据第五条行使第三方受益人的权利的，境外接收方接受个人信息主体通过下列形式维护权利：
   i. Making a complaint to the Regulatory Authority,
   向监管机构投诉。
   ii. Bringing a lawsuit to the court specified under Article 6(5).
   向本条第五项约定的法院提起诉讼。
4. The Parties agree that when Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, if Personal Information Subject chooses to apply the Relevant Laws and Regulations of the People’s Republic of China, such choice shall prevail.
   双方同意个人信息主体就本合同争议行使第三方受益人权利，个人信息主体选择适用中华人民共和国相关法律法规的，从其选择。
5. The Parties agree that when Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, Personal Information Subject may file a lawsuit with a competent court in accordance with the People’s Republic of China Civil Procedure Law.
   双方同意个人信息主体就本合同争议行使第三方受益人权利的，个人信息主体可以依据《中华人民共和国民事诉讼法》向有管辖权的人民法院提起诉讼。
6. The Parties agrees that the choices made by Personal Information Subject to safeguard his/her rights is without prejudice to Personal Information Subject’s rights to seek remedies in accordance with other laws and regulations.
   双方同意个人信息主体所作的维权选择不会减损个人信息主体根据其他法律法规寻求救济的权利。

‍

Article 7 Termination of the Contract

第七条 合同解除

1. If Overseas Recipient breaches the obligations under this Contract, or if the Overseas Recipient is unable to fulfil this Contract due to changes in the personal information protection policies and regulations of the country or region where the it is located (including an amendment to laws in such country or region, or imposition of mandatory measures), the Personal Information Handler may suspend the provision of Personal Information to Overseas Recipient until the breach is rectified or the Contract is terminated.
   境外接收方违反本合同约定的义务，或者境外接收方所在国家或者地区的个人信息保护政策和法规发生变化（包括境外接收方所在国家或者地区更改法律，或者采取强制性措施）导致境外接收方无法履行本合同的，个人信息处理者可以暂停向境外接收方提供个人信息，直到违约行为被改正或者合同被解除。
2. Under any of the following circumstances, the Personal Information Handler shall be entitled to terminate this Contract and notify the Regulatory Authority where necessary:
   有下列情形之一的，个人信息处理者有权解除本合同，并在必要时通知监管机构：
   i. The Personal Information Handler has suspended the provision of Personal Information to Overseas Recipient in accordance with Article 7(1) for more than one month;
   个人信息处理者根据本条第一项的规定暂停向境外接收方提供个人信息的时间超过1个月。
   ii. Overseas Recipient’s compliance with this Contract will violate the laws and regulations of its own country or region;
   境外接收方遵守本合同将违反其所在国家或者地区的法律规定。
   iii. Overseas Recipient seriously or continuously breaches the obligations under this Contract;
   境外接收方严重或者持续违反本合同约定的义务。
   iv. Overseas Recipient or the Personal Information Handler has been determined to have breached this Contract pursuant to a final decision of a competent court or the regulatory body supervising Overseas Recipient; or
   根据境外接收方的主管法院或者监管机构作出的终局决定，境外接收方或者个人信息处理者违反了本合同约定的义务。
   Overseas Recipient may also terminate this Contract in case of sub-paragraph (i), (ii) or (iv) of above.
   在本项第1目、第2目、第4目的情况下，境外接收方可以解除本合同。
3. This Contract may be terminated upon mutual agreement by the Parties, provided that such termination shall not exempt the Parties from the obligations of protecting Personal Information during the processing of the Personal Information.
   经双方同意解除本合同的，合同解除不免除其在个人信息处理过程中的个人信息保护义务。
4. If the Contract is terminated, Overseas Recipient shall promptly return or delete the Personal Information (including all back-up copies) received hereunder and provide Personal Information Handler with a written statement. If it is technically difficult to delete the Personal Information, other than storing and taking necessary security protection measures, all processing of the Personal Information shall be ceased.
   合同解除时，境外接收方应当及时返还或者删除其根据本合同所接收到的个人信息（包括所有备份），并向个人信息处理者提供书面说明。删除个人信息从技术上难以实现的，应当停止除存储和采取必要的安全保护措施之外的处理。

Article 8 Liability for Breach of the Contract

第八条 违约责任

1. Each Party shall be liable for any damages as a result of its breach of this Contract suffered by the other Party.
   双方应就其违反本合同而给对方造成的损失承担责任。
2. Each Party shall bear civil liabilities to Personal Information Subject if its breach of this Contract infringes on the rights of Personal Information Subject, without prejudice to the administrative, criminal or other legal liabilities that shall be assumed by Personal Information Handler under the Relevant Laws and Regulations.
   任何一方因违反本合同而侵害个人信息主体享有的权利，应当对个人信息主体承担民事法律责任，且不影响相关法律法规规定个人信息处理者应当承担的行政、刑事等法律责任。
3. If the Parties shall assume joint and several liabilities in accordance with the law, Personal Information Subject shall have the right to request each Party or both of the Parties to assume liabilities. When the liability assumed by one Party exceeds the liability such Party shall be assumed, such Party shall have the right to claim against the other Party accordingly.
   双方依法承担连带责任的，个人信息主体有权请求任何一方或者双方承担责任。一方承担的责任超过其应当承担的责任份额时，有权向另一方追偿。

‍

Article 9 Miscellaneous

第九条 其他

1. If this Contract conflicts with any other legal documents between the Parties, this Contract shall prevail.|
   如本合同与双方订立的任何其他法律文件发生冲突，本合同的条款优先适用。
2. The formation, validity, performance and interpretation of this Contract and any dispute between the Parties arising from this Contract shall be governed by the Relevant Laws and Regulations.
   本合同的成立、效力、履行、解释、因本合同引起的双方间的任何争议，适用中华人民共和国相关法律法规。
3. All notices shall be promptly transmitted or sent by e-mails, cable, telex, facsimile (a confirmation copy shall be sent by airmail), or registered airmails to the addresses of the[JM7] [ZZL(A8]  Parties as specified in the Agreement and the Data Protection Agreement, or such other addresses designated by a written notice. The notice under this Contract sent by registered airmail shall be deemed to have been received 15 days after its postmark-date, and 15 working days after it is sent via e-mail, cable, telex or facsimile.
   发出的通知应当以电子邮件、电报、电传、传真（以航空信件寄送确认副本）或者航空挂号信发往协议和数据保护协议中约定的地址，或者书面通知取代该地址的其它地址。如以航空挂号信寄出本合同项下的通知，在邮戳日期后的15天应当视为收讫；如以电子邮件、电报、电传或者传真发出，在发出以后的15个工作日应当视为收讫。
4. For any dispute arising from this Contract between the Parties, and any claim by either Party against the other for recovery of payment for the infringement on Personal Information Subject, the Parties shall resolve such dispute or claim through negotiation; if such negotiation fails, either Party may adopt any of the following methods to resolve the dispute (check the box for the chosen arbitration institution if the Parties choose arbitration):[JM9] [ZZL(A10]
   双方因本合同产生的争议以及任何一方因先行赔偿个人信息主体损害赔偿责任而向另一方的追偿，双方应当协商解决；协商解决不成的，任何一方可以采取下列第__种方式加以解决（如选择仲裁，请勾选仲裁机构）：
   i. Arbitration. The dispute shall be submitted to:
   仲裁。将该争议提交
    China International Economic and Trade Arbitration Commission
   中国国际经济贸易仲裁委员会
    China Maritime Arbitration Commission
   中国海事仲裁委员会
    Beijing Arbitration Commission (Beijing International Arbitration Centre)
   北京仲裁委员会（北京国际仲裁中心）
    Shanghai International Arbitration Center
   上海国际仲裁中心
    Other arbitration institutions that are members of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards [Dubai International Arbitration Centre]
    其他《承认及执行外国仲裁裁决公约》成员的仲裁机构______
   The arbitration shall be conducted in [Dubai, United Arab Emirates] in accordance with its arbitration rules then in force.
   按其届时有效的仲裁规则在（仲裁地点） 进行仲裁；
   ii. Litigation. The dispute shall be submitted to a competent People’s Republic of China people’s court in accordance with law.
   诉讼。依法向中华人民共和国有管辖权的人民法院提起诉讼。
5. This Contract shall be interpreted in accordance with the Relevant Laws and Regulations and shall not be interpreted in a manner inconsistent with the rights and obligations set forth in the Relevant Laws and Regulations.
   本合同应当按照相关法律法规的规定进行解释，不得以与相关法律法规规定的权利、义务相抵触的方式解释本合同。
6. This Contract shall be executed in 2 originals, and each Party shall hold 1 original respectively, and all of which shall have equal legal effect. This Contract is deemed signed upon execution of the Agreement or the Data Protection Agreement, whichever is later.
   本合同正本一式2份，双方各戙1份，其法律效力相同。本合同视为在签署协议或数据保护协议（以较晚者为准）时签署。

Personal Information Handler: The relevant Dubai Holding group entity as specified in the Agreement and the Data Protection Agreement.

个人信息处理者：按照协议和数据保护协议中的约定。

Date: The parties agree that execution of the Agreement or the Data Protection Agreement, whichever later, shall constitute execution of this Contract by both parties.

日期：双方同意，签署协议或数据保护协议（以较晚者为准）即构成双方对本合同的签署。

Overseas Recipient: Supplier(s) or the counterparty/ies as otherwise defined in the Agreement and the Data Protection Agreement.

境外接收方：按照协议和数据保护协议中另行定义的供应商或交易对方。

Date: The parties agree that execution of the Agreement or the Data Protection Agreement, whichever later, shall constitute execution of this Contract by both parties.

日期：双方同意，签署协议或数据保护协议（以较晚者为准）即构成双方对本合同的签署。

Annex I – Description of the Outbound Transfer of Personal Information

附录一 个人信息出境说明

The details of the outbound transfer of Personal Information under this Contract are as follows:

根据本合同向境外提供个人信息的详情约定如下：

1. Purpose of processing: As specified in the Data Protection Agreement.
   处理目的：按照数据保护协议中的约定。
2. Method of processing: As specified in the Data Protection Agreement.
   处理方式：按照数据保护协议中的约定。
3. The scale of Personal Information to be transferred abroad: As specified in the Data Protection Agreement.
   出境个人信息的规模：按照数据保护协议中的约定。
4. Type of Personal Information to be transferred abroad (see the types in the Information Security Technologies - Personal Information Security Specifications (GB/T 35273) and relevant standards): As specified in the Data Protection Agreement.
   出境个人信息种类（参考GB/T 35273《信息安全技术个人信息安全规范》和相关标准）：按照数据保护协议中的约定。
5. Type of Sensitive Personal Information to be transferred abroad (if applicable, see the types in the Information Security Technologies - Personal Information Security Specifications of GB/T 35273 and relevant standards): As specified in the Data Protection Agreement.
   出境敏感个人信息种类（如适用，参考GB/T 35273《信息安全技术个人信息安全规范》和相关标准）：按照数据保护协议中的约定。
6. Overseas Recipient transfers Personal Information only to the following third parties outside[JM11] [ZZL(A12]  the People’s Republic of China (if applicable): As identified in the Data Protection Agreement.
   境外接收方只向以下中华人民共和国境外第三方提供个人信息（如适用）：按照数据保护协议中的约定。
7. Method of transfer: As specified in the Data Protection Agreement.
   传输方式：按照数据保护协议中的约定。
8. Retention period after the cross-border transfer: The Overseas Recipient will retain the transferred Personal Information in accordance with the terms of the Data Protection Agreement. Upon the termination of the Data Protection Agreement, the transferred Personal Information will either be securely deleted by the Overseas Recipient or returned to the Personal Information Handler, which shall be determined by the Personal Information Handler.
   出境后保存期限：境外接收方将按照数据保护协议的条款保留转移的个人信息。数据保护协议终止后，转移的个人信息将由境外接收方安全删除或返还给个人信息处理者，由个人信息处理者决定。
9. Storage location after the cross-border transfer: As specified in the Data Protection Agreement.
   出境后保存地点：按照数据保护协议中的约定。
10. Other matters (if applicable):
    其他事项（视情况填写）：

Annex II – Other Terms Agreed Upon by the Parties

附录二 双方约定的其他条款（如需要）

Any additional terms agreed between the Parties in relation to this Contract are as set out in the Agreement and the Data Protection Agreement. The technical and organisational security measures applicable to this Contract are as published on Dubai Holding's Privacy Centre (accessible via Dubai Holding's Privacy Centre). To the extent that the Agreement or the Data Protection Agreement contains provisions relating to the security measures, processing instructions, sub-processing, or other matters relevant to this Contract, such provisions are hereby incorporated by reference into this Annex II.

双方就本合同达成的任何其他条款均按照协议和数据保护协议中的约定执行。适用于本合同的技术和组织安全措施按照迪拜控股隐私中心发布的内容执行（通过迪拜控股隐私中心访问）。在协议或数据保护协议包含与本合同相关的安全措施、处理指令、转委托或其他事项的条款的范围内，该等条款在此并入本附录二。

[JM1]To be valid must the Chinese always be included?

[ZZL(A2]Chinese version can be kept only as internal or external reference.

[JM3]What happens if there is also a separate data processing agreement as well, do we list it here

[ZZL(A4]This SCCs will be as part of the DPA, so no need to refer back to it.

[JM5]Can this be English and privacyoffcie@jumeirah.com

[ZZL(A6]Yes.

[JM7]Can this be amended to refer to the address in main contract to avoid filling each one?

Yes, as long as  [ZZL(A8]this SCCs will be part of the DPA (if any) along with the main contract.

[JM9]Can we agree on standard response

[ZZL(A10]Added.

[JM11]Can we discuss this

[ZZL(A12]Added.