TikTok
TikTok Developer Data Sharing Agreement

These terms apply with effect from: Mar 5, 2024


1 SCOPE OF APPLICATION

1.1 These TikTok Developer Controller to Controller Data Terms (these "Terms") apply to the processing of Personal Data resulting from your access and use of TikTok Developer Services (“TikTok Developer Services Data”).

1.2 These Terms apply in addition to any other terms governing your use of the Developer Services, including the TikTok Developer Terms of Service ("Your Developer Agreement"), including any restrictions on use which apply to data you may receive from TikTok and which are set out in Your Developer Agreement.

1.3 If there is any conflict between these Terms and Your Developer Agreement, these Terms will take precedence to the extent of the conflict, but only in respect of the processing of TikTok Developer Services Data.

2 DEFINITIONS

2.1 In these Terms, the following terms shall have the following meanings:

“Applicable Data Protection Law” means any and all applicable privacy and data protection laws, rules, regulations, and guidance that apply to the processing of TikTok Developer Services Data.

Controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Subject” means: (a) an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and (b) any person who falls within the scope of a "data subject" (or any materially similar or analogous concept or definition) under Applicable Data Protection Laws.

"European/UK DP Law" means: (a) the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) (the "EU GDPR"); (b) the EU e-Privacy Directive (EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector) (the “e-Privacy Directive”); (c) the retained version of the EU GDPR, as it forms parts of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (the "UK GDPR"); (d) all applicable national, state or secondary data protection laws made under, pursuant to or applied in conjunction with any of (a) to (c); and (e) Applicable Data Protection Laws of Switzerland, including the Federal Act on Data Protection of 19 June 1992 (SR 235.1; FADP) and the revised version of the Federal Act on Data Protection of 25 September 2020, once in force, including any further revisions or updates from time to time (Swiss Data Protection Law), in each case as may be amended, consolidated or superseded from time to time.

“Personal Data” means: (a) any information relating to a Data Subject; and (b) any information which falls within the scope of "personal data", "personal information" or "personally identifiable information" (or any materially similar or analogous concept or definition) under Applicable Data Protection Laws.

"Restricted Transfer" means: (a) where the EU GDPR applies to the processing of the Personal Data, a transfer of that Personal Data to a country or territory outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (b) where the UK GDPR applies to the processing of the Personal Data, a transfer of that Personal Data to a country or territory outside the United Kingdom which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (c) where Swiss Data Protection Laws apply to the processing of the Personal Data, a transfer of that Personal Data to a country or territory outside Switzerland which is not recognised under Swiss Data Protection Law as an adequate country or territory.

"Standard Contractual Clauses" means: (a) where the EU GDPR applies to the processing of the TikTok Developer Services Data, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs"); (b) where Swiss Data Protection Law applies to the processing of the TikTok Developer Services Data, the EU SCCs (“Swiss SCCs”); and (c) where the UK GDPR applies to the processing of the TikTok Developer Services Data, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0, in force 21 March 2022) issued by the UK Information Commissioner and laid before UK Parliament in accordance with section 119A of the UK Data Protection Act 2018 (the “UK SCC Addendum”) and the EU SCCs, as completed and amended in accordance with, as applicable (“UK SCCs”).

"TikTok" means TikTok Inc., except where the TikTok Developer Services Data is subject to TikTok European/UK DP Law, in which case "TikTok" means TikTok Information Technologies UK Limited, whose registered office is Kaleidoscope, 4, Lindsey Street, London, United Kingdom ("TikTok UK") and TikTok Technology Limited, whose registered office is at 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok Ireland") collectively, in their capacity as joint controllers.

"TikTok Developer Services" has the meaning given to that term in the TikTok Developer Terms of Service.

"European/UK Personal Data" means TikTok Developer Services Data to which European/UK DP Law applies.

3 SECURITY OF TIKTOK DEVELOPER SERVICES DATA

3.1 You shall:

(a) comply with Applicable Data Protection Law at all times when processing TikTok Developer Services Data;

(b) process the TikTok Developer Services Data only for the limited purpose(s) of enabling and using TikTok Developer Services, including the Login Kit, Video Kit, Embed Videos, Green Screen Kit, and Display API, unless required otherwise by applicable law. If you cannot adhere to this restriction for whatever reason, you will promptly inform TikTok and TikTok is entitled to suspend the processing of TikTok Developer Services Data;

(c) ensure that persons authorised to process the TikTok Developer Services Data have contractually committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(d) implement technical and organisational security measures to protect the TikTok Developer Services Data you process in accordance with Applicable Data Protection Law;

(e) promptly carry out any actions which are reasonably necessary for TikTok to comply with its obligations under Applicable Data Protection Law, including but not limited to cooperate with TikTok as necessary to fulfil the exercise of Data Subjects' rights laid down in Applicable Data Protection Law (regardless of whether any such rights are exercised against TikTok or you);

(f) notify TikTok without undue delay in the event of i) any regulatory investigations/enquiry and proceeding against you with respect to your processing of TikTok Developer Services Data or ii) any request for disclosure of TikTok Developer Services Data by a regulator, government agency, or law enforcement authority, unless otherwise prohibited by applicable law to preserve the confidentiality of an investigation;

(g) immediately inform us if you become aware that the laws applicable to you will have a substantial adverse affect on your ability to protect TikTok Developer Services in accordance with these Terms; and

(h) if you wish to appoint a third party to process TikTok Developer Services Data, ensure that the third party complies with Applicable Data Protection Law and the requirements of these Terms.

3.2 TikTok reserves the right to monitor your compliance with these Terms and you agree, upon TikTok’s request, to (without undue delay) provide TikTok with reasonable and truthful documentary evidence of your compliance with these Terms.

4 UNITED STATES

4.1 This Section 4 applies whenever TikTok Developer Services Data relates to Data Subjects located in the United States ("US Personal Data").

4.2 You agree that you shall not sell or disclose the US Personal Data for cross-context behavioral advertising, unless the user intentionally interacts with you or otherwise intentionally directs TikTok to disclose US Personal Data to you. "Sell" and "cross-context behavioral advertising" have the meanings given to such terms, with respect to the US Personal Data, under the California Consumer Privacy Act, Cal. Civ. Code§ 1798.100 et seq.

4.3 You agree to provide the same level of privacy protection with respect to US Personal Data as is required of TikTok under Applicable Data Protection Law.

4.4 You agree to ensure that US Personal Data is only disclosed to TikTok via the TikTok Developer Services upon obtaining consent from the user to the extent required under Applicable Data Protection Law and that you provide all notices and consumer rights to the user as required of you under Applicable Data Protection Law.

4.5 You grant TikTok the right to take reasonable and appropriate steps to ensure that your use of US Personal Data is consistent with TikTok’s obligations under Applicable Data Protection Law.

4.6 You agree to immediately inform us if you determine that you can no longer meet your obligations under Applicable Data Protection Law with respect to US Personal Data.

4.7 You grant TikTok the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of US Personal Data.

5 EEA/UK/SWITZERLAND

5.1 If you process European/UK Personal Data the additional terms in this Section 5 shall apply.

5.2 You are an independent controller under European/UK DP Law of European/UK Personal Data you receive pursuant to Your Developer Agreement. You acknowledge and agree that you will not be deemed a Joint Controller of such European/UK Personal Data with TikTok.

5.3 Each of TikTok and you will (a) individually determine the purposes and means of its processing of European/UK Personal Data; (b) comply with the obligations applicable to it under European/UK DP Law with respect to the processing of European/UK Personal Data including: (i) by providing transparency to Data Subjects about such transfer and processing; (ii) having a lawful basis for such transfer or processing; and (iii) responding in accordance with European/UK DP Law to any assertion of data subject rights made against it.

5.4 Nothing in Section 5.3 shall modify any restrictions applicable to either party’s rights to use or otherwise process European/UK Personal Data under Your Developer Agreement.

5.5 If your receipt of European/UK Personal Data via the TikTok Developer Services is a Restricted Transfer, then you and TikTok hereby agree that the Standard Contractual Clauses are incorporated into these Terms with detail deemed to be completed as follows:

(a) in relation to European/UK Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module One will apply;

(ii) in Clause 7, the optional docking Clause will not apply;

(iii) in Clause 11, the optional language will not apply;

(iv) for the purposes of Clause 13(a) and Annex I (C), the Irish Data Protection Commission shall act as the competent supervisory authority;

(v) in Clause 17, Option 1 will apply and the EU SCCs will be governed by law of Ireland;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) Annex I (A and B) of the EU SCCs shall be deemed completed with the information set out in Annex I to these Terms, except that the exporter is TikTok Ireland only (and not TikTok UK); and

(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to these Terms.

(b) in relation to European/UK Personal Data the processing of which is within the scope of Swiss Data Protection Laws, the Swiss SCCs (based upon the EU SCCs as completed in accordance with Clause 5.5 of these Terms) will apply completed and amended as follows:

(i) the exporter is TikTok Ireland only (and not TikTok UK);

(ii) references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by the Swiss Federal Act on Data Protection of 19 June 1992 and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of Swiss Data Protection Laws;

(iii) references to Regulation (EU) 2018/1725 are removed;

(iv) references to the “Union”, “EU”, “EU Member State” and “Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs, and accordingly data subjects in Switzerland with their place of habitual residence in Switzerland may also bring legal proceedings before the competent courts in Switzerland;

(v) clause 13(a) and Part C of Annex II of the EU SCCs are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner; and

(vi) the Swiss SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as “personal data” under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity. references to ‘personal data’ extends to data of legal entities until the entry into force of the revised version of the Swiss Federal Act on Data Protection of 25 September 2020.

(c) in relation to EU Personal Data the processing of which is protected by the UK GDPR, the UK SCCs will apply completed as follows:

(i) Table 1 of the UK SCC Addendum is deemed to have been completed with the details set out in Annex I to these Terms, except that the exporter is TikTok UK only (and not TikTok Ireland);

(ii) the first box in Table 2 of the UK SCC Addendum is deemed to have been ticked and the EU SCCs as completed in accordance with Clause 5.5 of these Terms are deemed to have been identified in Table 2 as the "version of the Approved EU SCCs which these Terms is appended to, detailed below, including the Appendix Information";

(iii) for the purposes of Table 3 of the UK SCC Addendum:

1. Annex I of Appendix 2 of the EU SCCs (as completed in accordance with Clause 5.5 of these Terms) is deemed to have been identified as Annex 1A and Annex 1B of the UK SCC Addendum; and

2. Annex II of Appendix 2 of the EU SCCs (as completed in accordance with Clause 5.5 of these Terms) is deemed to have been identified as Annex II of the UK SCC Addendum.

3. “Exporter” is deemed to have been chosen for the purposes of Table 4 of the UK SCC Addendum, and

4. Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses shall apply.

(d) You must implement all supplementary measures as are necessary to ensure the EU/UK Personal Data remains protected to a standard that is materially equivalent with Applicable Data Protection Law.

(e) If the parties’ compliance with European/UK DP Law requirements relating to international transfers of TikTok European/UK Data is affected by circumstances outside of the parties’ control, including if the Standard Contractual Clauses or any other legal instrument for international transfers of EU/UK Personal Data is invalidated, amended or replaced, then the parties will work together in good faith to reasonably resolve such non-compliance.

5.6 Subject to Sections 5.7 and 5.9, if you become aware that any law enforcement, regulatory, judicial or governmental authority (an "Authority") wishes to obtain access to or a copy of some or all of the TikTok European/UK Data, whether on a voluntary or a mandatory basis, then you shall: (i) immediately notify TikTok of such Authority's request; (ii) inform the Authority that such requests should be made to TikTok (as the original controller) in writing; and (iii) not provide the Authority with such European/UK Personal Data unless and until authorised by TikTok.

5.7 In the event you are legally prohibited from complying with Section 5.6, you shall use reasonable efforts to challenge such prohibition.

5.8 If you make a disclosure of European/UK Personal Data to an Authority (whether with TikTok’s authorisation or due to a mandatory legal compulsion) you shall do so only to the extent legally required.

5.9 Sections 5.6 and 5.7 shall not apply in the event that you have a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, you shall notify TikTok as soon as possible following such Authority's access and provide TikTok with full details of the same, unless and to the extent legally prohibited from doing so.

5.10 You shall not knowingly disclose European/UK Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

6 BRAZIL

6.1 If you process Brazilian Personal Data the additional terms in this Section 6 shall applies. All terms defined in this DSA shall have the same meaning when used in this section or otherwise as defined by the Brazilian General Data Protection Law ("LGPD") and any applicable regulation.

6.2 You are an independent controller in relation to the Brazilian Personal Data you receive pursuant to these Terms. You shall take all necessary measures to demonstrate compliance with the obligations laid down in the LGPD.

6.3 Each of TikTok and you will (a) individually determine the purposes and means of its processing of Brazilian Personal Data; (b) comply with the obligations applicable to it under LGPD with respect to the processing of Brazilian Personal Data including: (i) by providing transparency to data subjects about such transfer and processing; (ii) having a lawful basis for such transfer or processing; and (iii) responding in accordance with LGPD to any assertion of data subject rights made against it.

6.4 Nothing in this section shall modify any restrictions applicable to either party’s rights to use or otherwise process Brazilian Personal Data under Your Developer Agreement.

6.5 Brazilian Personal Data may be transferred to, and processed in, countries other than Brazil. You will take appropriate safeguards to require that Brazilian Personal Data will remain protected in accordance with the LGPD. These include implementing the Standard Contractual Clauses or other transfer mechanisms provided by the LGPD for international transfers of personal data between the parties. In the event that You are located in countries other than Brazil, You shall: (a) maintain organizational, personal, physical, and technological security control measures for the handling of Personal Information, the standards of which shall not fall below the standards designated by TikTok; and (b) conduct necessary and appropriate supervision of employees, such as education or training of employees handling Personal Data.

7 MODIFICATION AND TERMINATION

7.1 We may modify these Terms at any time. Other than changes required by law, we will provide you with 30 days' notice of any material changes to these Terms (for example by email or to your account). However, it remains your sole responsibility to review these Terms from time to time to view any such changes. The updated Terms will be effective (i) for changes required by law, immediately as of the time of posting, or (ii) for other material changes, following the relevant 30 days’ notice; or (iii) such later date where and as specified in the updated terms. Your continued access or use of the TikTok Developer Services Data after the modifications have become effective will be deemed your acceptance of the modified terms. You may discontinue your use of TikTok Developer Services Data at any time.

7.2 We may modify, suspend or terminate your access to, or discontinue the availability of, any of the TikTok Developer Services Data at any time, including, without limitation, where we determine or suspect that you have breached these Terms.

8 GENERAL

8.1 If any portion of these Terms are found to be unenforceable, the remaining portion will remain in full force and effect. The unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained in these Terms.

8.2 These Terms may be enforced by you, TikTok, TikTok UK, TikTok Ireland and the TikTok or ByteDance entity with whom you contract with under Your Developer Agreement, no other person shall have any right to enforce these Terms.

8.3 If TikTok fails to enforce any portion of these Terms, it will not be considered a waiver. Any amendment to or waiver of these Terms requested by you must be made in writing and signed by TikTok.

8.4 The governing law and jurisdiction for these Terms shall be the same governing law and jurisdiction that applies to Your Developer Agreement.

Annex I to these Terms

A.

Data exporter:

Name and Address: As applicable, TikTok Information Technologies UK Limited, whose registered office is Kaleidoscope, 4, Lindsey Street, London, United Kingdom ("TikTok UK") and/or TikTok Technology Limited, whose registered office is at 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok Ireland").

Contact person’s name, position and contact details: Questions in connection with these Standard Contractual Clauses can be submitted at  https://www.tiktok.com/legal/report/privacy

Activities relevant to the data transferred under the Controller-to-Controller SCCs: The TikTok Developer Services provided by TikTok to you pursuant to Your Developer Agreement.

Role: Independent Controller

Data Importer:

Name and Address: As set out in your TikTok Developer Account.

Contact person’s name, position and contact details: As set out in your TikTok Developer Account.

Activities relevant to the data transferred under the Controller-to-Controller SCCs: The TikTok Developer Services provided by TikTok to you pursuant to Your Developer Agreement.

Role: Independent Controller

B.

Data Subjects: Individuals who have a TikTok user account on the TikTok platform

Personal Data: Avatar, display name, email address, phone number, likes counts, follower count, account type, additional profile information (such as bio description), music tab information, public videos by TikTok user.

Sensitive Data transferred: N/A. You shall not process any sensitive data or special categories of data.

Frequency of transfer: Continuous, throughout the provision of the TikTok Developer Services to you.

Nature of processing: Transfer to and receipt by you of TikTok Developer Services Data, subject always to the restrictions set out in Your Developer Agreement.

Purpose(s) of the data transfer and further processing: For you to process the TikTok Developer Services Data only for the limited purpose(s) of enabling and using TikTok Developer Services, including the Login Kit, Video Kit, Embed Videos, Green Screen Kit, and Display API, unless required otherwise by applicable law.

Retention Period: Personal Data will not be kept for longer than necessary, subject always to the terms and restrictions in Your Developer Agreement and applicable law.

Subprocessing information: Access of TikTok Developer Services Data by third parties is subject to the restrictions in Your Developer Agreement.

Annex II to these Terms

You agree to implement appropriate technical and organisational measures to ensure the security of the TikTok Developer Services Data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. At a minimum such measures, shall include all measures set out in Your Developer Agreement.