Cross-Border Data Compliance Commitment Letter
Party A (Platform): Shenzhen Shangyuyoudan Internet Information Technology Co., Ltd. (3Eeye Platform)
Party B (Seller): ____________________
Unified Social Credit Code: ____________________
Execution Date: ____________________
I. Data Collection and Usage Compliance
1. Principle of Legality
- Party B shall collect only data directly related to cross-border transactions (e.g., order details, logistics tracking numbers) and, before collection, disclose to buyers the purpose, scope, and method of use through the Platform's Privacy Policy.
- Collection of sensitive personal information (e.g., political views, religious beliefs, biometric data) is prohibited unless Party B first obtains separate written consent from the buyer and completes a Data Protection Impact Assessment (DPIA; the personal information protection impact assessment required under PIPL).
2. Data Minimization
- Party B shall retain buyer data no longer than necessary to complete transactions and fulfill after-sales obligations (default: 2 years). Data held beyond this period must be permanently deleted or irreversibly anonymized.
II. Data Security Measures
1. Technical Safeguards
- Data in transit shall be protected with TLS 1.3 (TLS 1.2 with forward-secret cipher suites at minimum); SSL and TLS 1.0/1.1 shall not be enabled. Data at rest shall be encrypted with AES-256 in an authenticated mode (e.g., AES-256-GCM), with encryption keys stored and managed separately from the encrypted data.
- Party B shall deploy firewalls and intrusion detection systems (IDS) and shall submit quarterly vulnerability scan reports to the Platform.
2. Access Control
- Role-Based Access Control (RBAC) shall be implemented so that buyer data is accessible only to personnel authorized for a specific role. Access and operational logs shall be retained for at least 6 months.
- Cross-border transfers of buyer personal information require the Platform's prior approval and completion of the applicable PRC outbound-transfer mechanism (CAC security assessment, including its self-assessment report; standard contract filing; or personal information protection certification) before any data leaves mainland China, as set out in Section III.
III. Cross-Border Data Transfer Compliance
1. Legal Compliance
- For transfers of EU buyers' personal data, Party B shall ensure that recipients are bound by the EU Standard Contractual Clauses (SCCs), supported by a transfer impact assessment, or are located in a jurisdiction covered by an EU adequacy decision.
- For transfers of EU buyers' personal data to US recipients, the recipient must be certified under the EU-U.S. Data Privacy Framework (DPF) or bound by an equivalent safeguard such as SCCs.
2. Filing and Reporting
- Cross-border transfers of personal information reaching the regulatory thresholds (reference figures in this Letter: personal information of over 1 million individuals, or 100,000 sensitive data records) require a security assessment or filing with the Cyberspace Administration of China (CAC) before the transfer takes place.
IV. Protection of Data Subject Rights
1. Rights Response
- Party B shall process buyer requests (access, rectification, deletion) within 7 working days via the Platform’s ticketing system.
- For data portability requests (GDPR Article 20), Party B shall provide structured, machine-readable formats (e.g., CSV, JSON).
V. Security Incidents and Emergency Response
1. Incident Notification
- Party B shall submit a breach report (scope, remediation, contingency plans) via the Platform’s Security Center within 24 hours of discovery.
- For breaches affecting EU buyers' personal data, the competent EU supervisory authority (e.g., the Irish DPC, where it is the lead authority) must be notified within 72 hours of becoming aware of the breach, as required by GDPR Article 33, and affected buyers must be informed where the breach is likely to result in a high risk to them.
VI. Liability for Breach
1. Penalty Standards
- Unlawful data collection or transfer: a penalty of 10% of the transaction value concerned, and in any case no less than RMB 500,000, whichever is higher.
- If the Platform incurs fines/litigation costs due to Party B’s data breach, Party B shall bear full liability.
2. Account Sanctions
- Three cumulative violations or one major violation (e.g., transferring data to Iran) may result in permanent account suspension and referral to law enforcement.
VII. Supplementary Provisions
1. Governing Law
- This Commitment Letter is governed by Chinese law. Cross-border disputes may be submitted to the Hong Kong International Arbitration Centre (HKIAC).
2. Dynamic Updates
- The Platform may update compliance requirements per regulations (e.g., Data Export Security Assessment Measures). Party B shall sign supplementary agreements within 30 days.
Party B Signature: __________________________
(Company Seal)
Legal Representative’s Signature: ____________________
Date: ____________________