Ant Group's platform rules on protecting personal information

Published on: November 2, 2021

Effective date: November 16, 2021

Ant Technology Group Co., Ltd. and its subsidiaries (hereinafter collectively referred to as "Ant Group" or "We") have been committed to protecting personal information. Our financial institutions, suppliers and other third parties (hereinafter collectively referred to as "partners") may process personal information in the course of conducting business.

We and our partners agree that personal information protection is the cornerstone of long-term stable development of enterprises. In accordance with the provisions of Article 58 of the Law of the People's Republic of China on the Protection of Personal Information, and based on the principles of openness, fairness and impartiality, we hereby formulate these rules for our partners to abide by and protect the rights and interests of personal information with us.

1、 Main concepts and definitions

one Personal information: All kinds of information related to identified or identifiable natural persons recorded electronically or in other ways do not include information after anonymization.

two Sensitive personal information: Personal information that, once disclosed or illegally used, is likely to cause the human dignity of a natural person to be violated or the safety of person and property to be jeopardized, including biometrics, religious belief, specific identity, medical health, financial accounts, whereabouts and other information, as well as personal information of minors under the age of 14.

three Personal financial information It refers to personal information obtained, processed and preserved by financial institutions through business or other channels, including personal identity information, property information, account information, identification information, credit information, financial transaction information, lending information and other information reflecting certain situations of specific individuals.

three Personal information processing: Any activity or a series of activities on personal information, such as collection, storage, use, processing, transmission, provision, disclosure, deletion and other activities of personal information.

four . De identification: The process by which personal information is processed so that it cannot identify a specific natural person without additional information. De identification is based on the individual, retains the individual granularity, and replaces the identification of personal information with technical means such as pseudonym, encryption, hash function, etc.

five Anonymization: The process by which personal information cannot be identified and recovered after being processed. The information obtained after anonymization of personal information is not personal information.

2、 Personal information protection norms and obligations

The partner promises to process personal information in strict accordance with the requirements of laws and regulations and the agreement with users in the process of providing products and services, so as to protect the legitimate rights and interests of users and social public interests to the greatest extent. Our partners promise to comply with the following personal information protection norms and obligations:

one . Personal information shall be handled in accordance with the principles of legality, legitimacy, necessity and integrity, and it is strictly prohibited to handle personal information through misleading, fraud, coercion, etc Forcing users to perform unreasonable "package authorization".

two . The processing of personal information has a clear and reasonable purpose, and should be directly related to the processing purpose, in a way that has the least impact on personal rights and interests. The collection of personal information shall be limited to the minimum scope for the purpose of processing, and shall not be excessive.

three . Personal information processing should follow the principle of minimum necessity, only deal with the minimum amount and type of personal information directly related to the realization of the business functions of products or services, and control the reasonable collection frequency necessary for the business. Personal information unrelated to the products and/or services provided should not be collected, nor should personal information be collected more frequently. At the same time, the period for storing personal information should also follow the principle of minimum necessity. After the purpose is achieved, personal information should be deleted or anonymized in a timely manner.

four . Personal information processing rules shall be disclosed in a clear, understandable and reasonable manner, including the scope, purpose and method of processing personal information, and a display interface that is easy to access, view and save shall be provided. When the personal information processing rules change, they should be updated in a timely manner and notified to the personal information subject in an appropriate way.

five . Personal information processing should ensure the quality of personal information, respond to the right of correction of personal information subject in a timely manner, and avoid adverse effects on personal rights and interests due to inaccurate and incomplete personal information.

six They shall be responsible for their personal information processing activities. For personal information collected or processed actively, if it causes damage to the legitimate rights and interests of the personal information subject in personal information processing activities, it will bear corresponding responsibilities.

seven The handling of personal information should have the security capability matching the security risks faced, and take sufficient management measures and technical means to protect the confidentiality, integrity and availability of personal information.

eight . It should ensure the realization of the rights of the personal information subject, and establish a convenient application acceptance and processing mechanism for individuals to exercise their rights. Partners shall provide personal information subjects with methods that can query, copy, correct, supplement and delete their personal information, and withdraw authorization consent, cancel accounts, complain, restrict or refuse processing rights, explain rights, information portability rights, personal information exercise rights of the deceased as close relatives, etc. The method for the personal information subject to exercise its rights shall be described in the privacy policy, and the reasons shall be stated if the request for individual exercise of rights is rejected.

nine The accountability system for the performance of personal information protection management should be established, that is, the company, as a personal information processor, should implement the accountability system for the performance of the responsibilities and obligations undertaken by organizations at all levels within its business scope.

ten Boycott the black industry chain. Do not collect information obtained through illegal channels, and resolutely eliminate any transactions and exchanges with the black industrial chain of personal information.

eleven Advocate self-discipline in the industry. To jointly explore the best practices of personal information protection that can be popularized, copied and integrated with the world, and drive and help the overall level of the industry to improve.

twelve Accept social supervision. We will earnestly fulfill our commitments and actively accept the supervision of all sectors of society.

Ant Group has formulated and implemented privacy protection policies and data security protection measures, and partners promise to take and maintain protection measures for personal information at a level no lower than Ant Group.

3、 Evaluation audit

one Ant Group has the right to evaluate and audit the partner's personal information security management and control effect.

two Ant Group has the right to conduct the above assessment and audit by itself or by entrusting an independent third party (such as an accounting firm, a law firm, etc.), and the partners promise to cooperate on the following matters:

(a) Provide facilities, equipment, systems, policies or processes related to received information processing;

(b) Open relevant workplaces and arrange relevant personnel to receive interviews.

three Based on the requirements from the evaluation and audit, the partners promise to revise or improve the relevant information processing facilities, equipment, systems, policies or processes within the specified time.

four Before Ant Group puts forward evaluation and audit requirements, it will give partners a reasonable advance notice period. At the same time, the evaluation and audit will be carried out on the premise of legality and compliance, and should not affect the normal operation or legitimate rights and interests of partners.

4、 Notification

one Our partners promise that they will immediately take all necessary emergency remedial measures when they know or suspect any of the following situations, and immediately notify Ant Group in the manner agreed in the relevant cooperation agreement:

(1) Any violation of these Rules;

(2) According to applicable laws and regulations, the situation that should be notified and reported to the regulatory authority or disclosed to the affected users.

two If Ant Group finds that the partner has personal information security incidents (such as personal information leakage, tampering and loss), it will take corresponding measures according to the relevant cooperation agreement, and each party will bear its own data security responsibility and other responsibilities required by laws and regulations.

5、 Others

one The regulatory authority may put forward inspection requirements for the partners and Ant Group according to applicable laws and regulations. In this process, the partners should provide necessary assistance, such as providing certification materials for user authorization.

two . For violations of laws Partners who handle personal information according to administrative regulations, Ant Group will take corresponding measures as appropriate; In serious cases, we will make a decision to terminate cooperation and stop providing platform access or services.

three If Ant Group is subject to regulatory fines or other related losses (such as loss of goodwill) due to the partner's illegal or default behavior, the partner shall be liable for compensation.

For information on how Ant Group protects personal information, see Ant Group Privacy Policy