Data Protection Addendum For Mainland China
Last updated: 6th Feb, 2023
This Privacy and Data Protection Addendum For Mainland China (“Chinese DPA”) supplements the Terms of Service available at https://gameanalytics.com/terms/, and any other agreements (“Agreement”) as updated from time to time between you, either an individual or a legal entity that you represent as an authorized employee or agent (“Partner”), and GameAnalytics Ltd (“GA”) for GA’s products and services (“Service(s)”). This Chinese DPA is an agreement incorporated into and form part of the Agreement. This Chinese DPA shall be effective since the effective date of the Agreement, and survive termination or expiry of the Agreement. To the extent there are any prior agreements with regard to the subject matter of this Chinese DPA, this Chinese DPA supersedes and replaces such prior agreements. In case of any conflict between a provision of this Chinese DPA and the Agreement, as it relates to Personal Information, the provision of this Chinese DPA shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.
This Chinese DPA applies when GA collects or processes Personal Information which is transferred or made available by Partner and which is protected or otherwise regulated by Data Protection Laws. The parties hereby agree to comply with the following provisions.
1.1. “Affiliates” means with respect to a Party, all entities which, directly or indirectly, control, are being controlled by, or are under common control with such Party.
1.2 “Child” or “Children” means child or children younger than 14 years old.
1.3 “Data Protection Rules” means any applicable laws, regulatory policy, national standard, industry standard of the mainland areas of the People’s Republic of China (for the sole purpose of this Chinese DPA, the Hong Kong S.A.R of People’s Republic of China, Macao S.A.R. of People’s Republic of China, and Taiwan areas of People’s Republic of China are not included) and/or any applicable policy of any platform that is engaged in providing service for GA and Partner with respect to the processing of Personal Data which GA or Partner is subject to, including but not limited to any law or regulation, regulatory policy, national standard, industry standard, policy pursuant to the Agreement that is similar, equivalent to, successors to, or that are intended to or implement the laws or regulations.
1.4 “Data Subject” means the individual to whom Personal Information is related to.
1.5 “Entrusted Handler” means an organization or individual who is entrusted by a Personal Information Handler to process Personal Information strictly in accordance with the Persona Information Handler’s instructions regarding the purpose and method of the processing.
1.6 Privacy Requirements means any applicable Data Protection Rules, any industry standard, rule or guideline of GA.
1.8 “Personal Data” or “Personal Information” means information relating to an identified or identifiable Individual, anonymous data (as defined in Data Protection Rules) is excluded from the scope of Personal Data.
1.9 “Personal Information Handler” means an organization or individual who autonomously decides the purpose and method of processing in the Personal Information processing activities; it has the same meaning as “个人信息处理者” defined in Data Protection Rules.
1.10 “process” or “processing” “process” or “processing” includes collection, storage, use, process, transmit, making available, disclose to the public, erasure, etc.
1.11 “Service(s)” means Services provided by GA and/or its Affiliates to Partner according to the Agreement.
1.12 “User” means end users who visits or uses Partner’s Product (including mobile application).
2. Compliance with Privacy Requirements
Each party confirms that it has complied, and will continue to comply with the applicable obligations related to personal data protection as set out by Privacy Requirements.
3. Processing by Partner
3.2 Partner acknowledges and agrees that GA’s SDK has the function to process Personal Data, and agrees that the processing of Personal Data by GA’s SDK is for the necessity of providing Services.
3.5 Upon request of GA, Partner shall provide GA with all the records of consents of Users. Partner understands and agrees that GA’s requirement for Partner to provide Users’ consents records does not relieve Partner’s legal liability arising out of making available the Personal Data to GA by Partner, nor does it constitute or lead to GA’s legal liability arising out of making available Personal Data to GA by Partner.
3.6 If Partner’s Product target to the Users or some Users who are defined as Children, GA will not provide Services to such Product and such Child User, and in this circumstance, Partner is not allowed to transfer or make available any Child User’s Personal Data to GA, unless Partner has complied with the following requirements:
3.6.1 Partner has obtained prior consent of GA;
3.6.2 Partner warrants that it shall comply with any Privacy Requirement related to Personal Data protection of Children and minors. If Partner may transfer or make available Personal Data of Child User who are under the age of 14 to GA, Partner warrants that is has taken related measures and has obtained valid and explicit consents from its parents or any other authorized guardian (including the ways, manners and procedures shall be legal), and make reasonable effort to confirm that such consents are provided from parents or any other authorized guardian, to the extent for Partner and GA to process the Personal Data of Child User pursuant to this Chinese DPA and the Agreement.
3.6.3 Partner shall comply with any other provision directed by GA.
3.7 Due to the restriction of the current status of technology and the business mode, it is difficult for GA to actively identify Child User’s Personal Data. If Partner realizes any processing of Child User’s Personal Data by GA without GA’s acknowledgement or without any verifiable consent of parent or guardian, Partner shall notify GA in a timely manner. GA will try its best effort to delete such Personal Data. If GA realizes the above-mentioned situation by itself, GA will also delete the Personal Data in a timely manner, except for any retention as required by laws and regulations.
3.10 Partner shall provide Users with easy-to-operate mechanisms to access, correct, delete their Personal Data, revoke or change their authorization and consent, and cancel their personal accounts, etc., to ensure that Users can realize their personal data rights in accordance with Privacy Requirements.
3.11 Partner guarantees that the retention of the relevant Personal Data (including the retention of the relevant Personal Data by GA as an Entrusted Handler of Partner) provided to GA (or allowed to be collected by GA) does not exceed the legally necessary storage period which is necessary for Partner to process such Personal Data, nor does it exceed the legally necessary storage period which is necessary for providing Services based on such Personal Data.
3.12 Partner guarantees that it will not steal or obtain Personal Data in other illegal ways, or illegally sell or illegally provide Personal Data to any third party (including GA). Partner will not disclose, tamper with, or destroy Personal Data it collected.
3.13 GA will from time to time update the SDK due to the upgrade and optimization of the SDK and the Products, improvement of safety performance, legal and regulatory requirement, etc. Different version of SDK may collect different types of data. In order to ensure the cooperation between both parties legal and compliant, and to practically fulfill the obligation to protect Users’ Personal Data, Partner shall ensure that it has upgraded the GA SDK to the officially most updated version so as to avoid any illegal issue arising out of using the SDK old version and any risk of being fined by the regulatory authority by Partner or GA. GA will inform Partner in effective ways such as notifications, station letters, announcements, etc., after the GA SDK is upgraded. Partner shall pay close attention to it and update the SDK version as soon as possible.
3.14 If any Personal Information processing activities for the purpose of providing Services is or is deemed a cross border transfer of Personal Information under Data Protection Rules, Partner as a Personal Information Handler shall comply with any and all cross border transfer obligations thereunder, including without limitation submitting for an “outbound data transfer security assessment”, executing standard contract clauses, and etc.
4. GA’s Processing
4.2 Upon the revocation, rescind, invalidation, termination or expiry of the Agreement or this Chinese DPA, GA and/or its Affiliates shall return to Partner or delete all the Personal Information the processing of which is for the purpose of providing Services.
4.3 Without the consent of Partner, GA and/or its Affiliates shall not engage any sub-Entrusted-Handler. For the purpose of providing Services, Partner hereby consents that GA will use the technical services provided by AWS, GCP, and Imply, including data storage and retrieve.
5. Limitation of Access
Each party will limit access to Personal Information to those personnel who require such access only as necessary to fulfill such party’s obligation under the Agreement. Each party is responsible to make sure that all relevant personnel of such party adhere to this Chinese DPA.
6. Information Security
Each party will maintain appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level of security, confidentiality and integrity of the Personal Information, in accordance with applicable Data Protection Laws, and official guidelines as provided by the competent authorities and good industry practice. Each party undertakes to regularly monitor compliance with these safeguards and will not materially decrease the overall security controls during the term of the Agreement.
The parties shall, on request, provide each other with all reasonable and timely assistance (at their own expense) and co-operation to enable the other party to comply with its obligations under the Data Protection Laws, including in order to enable the other party to respond to (if required by Data Protection Rules): (a) any request from a Data Subject or a Child Data Subject’s legal guardian (if any) to exercise any of its rights under Data Protection Law; (b) any other correspondence, enquiry or complaint received from a Data Subject, a Child Data Subject’s legal guardian (if any), regulator or other third party in connection with the processing of the Personal Information (“Correspondence”). GA shall make commercially reasonable effort to promptly inform Partner if it receives any Correspondence or becomes aware of a data breach.
Partner will make available all information necessary, including records of consents referred to in Section 4 as above under this Chinese DPA, to demonstrate Partner’s compliance with this Chinese DPA and will permit and contribute to any data audits reasonably required by GA upon GA’s prior written request and advanced notice.
The parties will indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss (including but without limitation reasonable attorney fee, arbitration cost or litigation cost, investigation cost) which they cause each other as a result of their breach of any of the provisions of this Chinese DPA. Any limitation of liability specified in the Agreement will not be applicable to this Chinese DPA.
10. Governing Law and Dispute Resolution
The governing law and dispute resolution specified in Article 16.1 of the Terms of Service will also apply to this Chinese DPA.
11.1. Any alteration or modification of this Chinese DPA is not valid unless made in writing and executed by duly authorized personnel of both parties.
11.2. Invalidation of one or more of the provisions under this Chinese DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.
11.3. Partner acknowledges that GA and/or its Affiliates may disclose this Chinese DPA and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law. Such disclosure will not constitute a breach of GA’s confidentiality obligation under the Agreement.