Join Free

©.EPEC. All Rights Reserved. ICP No. 16002489-1

Data Subject Personal Information User Agreement

Personal Information Protection Agreement

Data Subject Personal Information User Agreement

According to the EU General Data Protection Regulations (“GDPR”), EPEC E-Commerce Co., Ltd. (“EPEC” or “We”) recognize the importance of personal information or data as well as the importance of maintaining the confidentiality of personal information or data. In the light of this, the data subject ("Data Subject" or "You") specified under the GDPR agrees to enter into and abide by this data subject personal information user agreement ("this Agreement").

This Agreement applies to our collection, storage, transmission, analysis, use, disclosure and processing of individual’s personal information on the EPEC international business platform(https://global.epec.com/portal/)(“Platform”). This Agreement also applies to the use of our services and products via mobile devices or mobile applications.

The personal information of the data subject should not be uploaded by persons other than the data subject. After you have clicked the “Read All and Agree” button at the end of this Agreement, it is deemed that this Agreement has been agreed and become effective between you and EPEC, and you have agreed EPEC’s collection, storage, transmission, analysis, and processing of your personal information in accordance with this Agreement. EPEC shall have the right to claim liabilities against the relevant persons.

This Agreement will contain the following content:

A. PERSONAL INFORMATION COLLECTION SCOPE

B. PURPOSE OR USE OF PERSONAL INFORMATION

C. SHARING AND DISCLOSURE OF PERSONAL INFORMATION

D. SECURITY MEASURES FOR DATA SUBJECT’S INFORMATION

E. FUNDAMENTAL RIGHTS AS A DATA SUBJECT

F. REGARDING CROSS-BORDER TRANSMISSION

G. ABOUT MINORS

H. UPDATE OF THIS AGREEMENT

I. HOW TO CONTACT US

A. PERSONAL INFORMATION COLLECTION SCOPE

When we collect your personal information, we will collect it according to the “minimum” principle provided by GDPR. We only collect and store your personal information that is necessary for our platform business. We will not collect or store more personal information than necessary. At the same time, we will limit the persons who can access your personal information to a minimum range.

If companies, enterprises or entities in other forms by which data subjects are employed plans to be a member of the platform, these companies, enterprises or entities shall be collectively referred to as “Member Entity”, and you will open an account and file registration on the Platform on behalf of the Member Entity you are employed. In the process of opening an account and filing registration on the Platform, we may collect and store the your personal information including your name, work phone number, mobile phone number, email address, work address, etc.

When you view the content of the platform, we will automatically receive, store or record certain types of information, such as your browsing history and actions that you have taken on the Platform. Like many other websites, we use cookies. When your web browser or device access Platform, we will acquire and analyze certain types of information, such as your browsing habits.

If you contact our Platform's customer service, We may record your conversation with us and may collect additional information to verify your identity.

Since you are providing your personal information to Platform on behalf of your Member Entity, if you leave the Member Entity, please let us know and we will delete your personal information after conducting proper verification.

B. PURPOSE OR USE OF PERSONAL INFORMATION

We process your personal information for the purpose of:

1. Verifing your identity;

2. Keeping in contact with you and obtaining your consent on the relevant matters;

3. Processing the registration of you conducted for your Member Entity on the Platform, including providing you with the login ID of the Platform, and maintaining and managing the account you have opened;

4. Sharing your contact information with the Platform’s purchasing managers, suppliers and purchasers registered on the Platform to facilitate the transactions between the platform suppliers and the purchasers;

5. Evaluating the account security and transaction risk of the Member Entity, detecting and preventing fraud and other security incidents;

6. Transmitting, storing and processing your personal information abroad to the server deployed in China Mainland.

We may also use your personal information for purposes other than purposes listed above (such as archiving for the purpose of public interest, scientific or historical research, or statistics), or we may disclose such information according to the requirements of governmental authorities.

If your Member Entity actively cancels the account or makes such request, we will anonymize your personal information or delete your personal information as soon as possible in accordance with relevant laws and regulations.

C. SHARING AND DISCLOSURE OF PERSONAL INFORMATION

We may share your personal information with the Platform's suppliers, purchasers, Platform purchasing managers, affiliates of EPEC within the Sinopec Group (the range of Sinopec Group is subject to EPEC’s interpretation) and agents engaged by EPEC, so that we can provide intermediary services and facilitate transactions for the Member Entity in a more effective way.

The above mentioned agents include, but are not limited to, business consulting companies, big data analytics companies. These agents will process your personal information on behalf of EPEC and also under the supervision of EPEC, and they will not use your personal information for the purposes other than those provided this Agreement.

Your personal information may be posted on the platform's website along with the information about your Member Entity. Meanwhile, it is not impossible that in the future, we may share the web-links of the products displayed on the Platform with other platforms and forward the specific needs of your Member Entity to other platforms. By then, the relevant persons may browse or be linked to the products displayed on the Platform by viewing other platforms’ website, or they may be forwarded the specific needs of Member Entity, and in this way, such relevant persons may be able to view your personal information.

When we believe it is necessary to comply with applicable laws to safeguard your or our legal rights, we may also share your personal information with our professional advisors, relevant judicial authorities, insurance companies, government departments or regulatory institutions.

In order to maximize the security of your personal information, we will reach an agreement with the above mentioned suppliers, purchasers, platform purchasing managers, affiliates of EPEC, and agents engaegd by EPEC, causing these persons to promise not to share or disclose your personal information to any other unauthorized persons.

If you select "Remember Username" when logging in, the platform will use cookies to store the current login account, so that you can log in more conveniently next time. After successfully logging in, the cookie will store your account name and code to facilitate your use of the online customer service function. The platform also uses cookies to store your search history so that you can conduct a more convenient search next time. (The last two functions only exist in EPEC’s Chinese websites). All information that cookies store is not sensitive information, and you can delete or disable cookies by re-setting your browser.

D. SECURITY MEASURES FOR DATA SUBJECT’s INFORMATION

We have taken reasonable and practical security measures to protect the personal information you provide, preventing your personal information from unauthorized access, public disclosure, unauthorized use, unauthorized modification, being damaged or loss. For example, We will anonymize your personal information as much as we can when collecting, storing, transmitting, analyzing, and processing data; will encrypt your personal information to improve the security of your personal information; will use trustful protection mechanisms to prevent your personal information from being maliciously attacked. We will use access control mechanisms to try to ensure that only authorized person can have access to your personal information. We will conduct security and privacy protection training courses to enhance our employees’ understanding and enforceability of protecting personal information.

At the same time, to ensure the security of personal information, we will regularly evaluate the collection, transmission, storage, analysis or other security measures in relation to processing your personal data.

We will only retain your personal information for the period within the purposes provided in this Agreement or for the period required by the law, unless extending such period is permitted by you or by the law.

At the time of the transaction, you may inevitably give your personal information to the counterparty or potential counterparties, such as contact information or contact address. Please protect your personal information and provide it to others only when necessary. If you find that your personal information, especially your account or password, has been leaked, please contact us immediately so that we can take proper actions. At the same time, please use a complicated password to ensure that the account you open on behalf of the Member Entity is safe.

In the event of a personal information security incident, we will, in accordance with the regulations of GDPR, notify the regulatory authority or you about: the basic facts and possible impact of the security incident, measures we have taken or will take, our advice that you can take to prevent or reduce the risk, and remedies for your personal information security incident, etc. We will inform you about updates of the security incident by email, letter, telephone call, notification, etc. When it is difficult to inform each data subject, we will issue a notice in a reasonable and effective manner such as a notification on the first page of our website.

E. FUNDAMENTAL RIGHTS AS A DATA SUBJECT

According to the GDPR regulations, as a data subject, you have the fundamental rights including but not limited to the following ones.

1. Access your personal information

You have the right to access your personal information, unless there is exception provided by laws and regulations. You can access your personal information in the following ways.

Account Information - If you wish to access or edit personal information in your account, or information you have provided on behalf of your Member Entity, you can do so by logging into your account and using the “Account Management” function.

Search information - you can request your browsing or search history record.

Provide a copy of the information - you can ask us to provide you a copy of your personal information or data that is being processed.

If you are unable to access such personal information through the above methods, you can contact us at any time through the "Contact Us" window of the platform. We will respond to your request in time.

2. Correct or supplement your personal information

You have the right to ask us to make corrections or supplements when you discover that the personal information we collect, store, transmit, analyze or process about you is inaccurate. You can make request to correct or supplement your personal information through the “Contact Us” window.

3. Delete your personal information

You can require us to delete of all or part of your personal information through the “Contact Us” window. For example, in the following situations, you can require us to delete personal information:

(1) If processing your personal information is in violation of laws and regulations;

(2) If we collect and use your personal information without obtaining your explicit consent;

(3) If processing your personal information is in material breach of agreement with you;

(4) If you or your Member Entity no longer use our products or services, or you or your Member Entity voluntarily cancel the account, or you have left your Member Entity;

If we respond to your request, we will simultaneously try our best to notify the entities that obtained your personal information from us, and request such entities to delete your personal information in a timely manner, unless laws and regulations provide otherwise, or these entities obtain your separate authorization.

4. Change or withdraw your consent

EPEC’s act of collecting, storing, transmitting, analyzing or processing your personal information on the Platform is based on your consent. Nevertheless, you can request changes or withdrawals of your consent at any time through the “Contact Us” window.

When you withdraw your consent, we will no longer store, transmit, analyze or process the corresponding personal information. However, your decision to withdraw your consent will not affect the processing of personal information that has been completed based on your prior consent.

5. Appeal your claims to the regulatory authorities

You have the right to appeal to the relevant data regulation authorities.

6. Restrict or limit our processing

You have the right to refuse or restrict our collection, storage, transmission, analysis or other processing acts of your personal information at any time. For example, you have the right to ask us not to process your personal information in the following circumstances:

(1) If you believe that your personal information we collect, store, transmit, analyze or process is inaccurate-we will verify the accuracy of your personal information within a certain period of time;

(2) We act illegally in processing your personal information;

(3) It is no necessary any more for us to process personal information according to the provisions of this Agreement.

7. Carry your personal information to other data processor

You have the right to request that the personal information you provide to us be transferred to other entities.

You can copy your personal information that you provide to us.

8. Cancel the account

Since your registration of the account on the Platform is on behalf of your Member Entity, you will be able to submit the account cancellation application on the “Cancel Account” page of the platform if you are explicitly authorized by your Member Entity to do so (EPEC will verify whether the Member Entity has authorized you to cancel the account).

After canceling the account, we will stop providing products or services for you and your Member Entity, and will delete your personal information or anonymize your personal information according to laws and regulations.

9. Limit the automatic decision making conducted by our information system

In operating some of the functions of the Platform, we may provide services to the Member Entity solely using automatic mechanism ("automatic mechanism") such as automatic information systems and algorithms. If you believe that such automatic mechanism significantly affect your legal rights, you may contact us and require explanation. We will give you reasonable explanations to the extent that our explanation will not violate public interests and legitimate rights and interests of EPEC and other related persons.

10. Require our response to your request

To guarantee information security, you may need to prove your identity by giving us written request or in some other necessary ways. Thus, we may first verify your identity and then process your request. We will respond to your request as soon as possible. If you are not satisfied, you can also initiate a complaint to the Platform customer service.

Generally, we do not charge a fee for your reasonable requests, but we might charge a certain fee for the repeated requests or those that exceed the reasonable scope to cover our costs. We may reject requests that are unreasonably repetitive, will require excessive technical means (for example, requests that need to develop new systems or need to fundamentally change existing practices), bring risks to the legal rights of others, or are obviously unrealistic.

In the following situations, according to laws and regulations, we may not be able to respond to your request:

(1) Your request is related to national security and national defense security;

(2) Your request is related to public safety, public health, and significant public interests;

(3) Your request is relevant to criminal investigations, prosecutions, trials and execution of judgments;

(4) There is sufficient evidence that you are in subjective malice or abuse your rights;

(5) Responding to your request will result in serious damage to your or other’s legitimate rights;

(6) Satisfying your request will infringe trade secrets.

F. REGARDING CROSS-BORDER TRANSMISSION

For the purpose of processing your personal information as described in Article 2 of this Agreement, as the server of the platform is deployed in China Mainland, your personal information will be transmitted beyond EU and stored on the Platform’s servers located in China Mainland. At present, China Mainland is not a third country or territory that the European Commission has specified as being countries or territory that are able to provide adequate level of protection. At the same time, EPEC has not taken the following safeguard measures under the GDPR.

1. Executing legally binding and enforceable documents between government departments or agencies;

2. Executing binding corporate rules;

3. Executing standard data protection clauses adopted by the Commission in accordance with the its examination procedure;

4. Executing codes of conduct designated by EPEC’s sector associations, supervisory authorities or by other institutions conferring binding and enforceable commitments, which have been approved and publicized by the European Commission;

5. Acquiring an approved certification mechanism or data protection seals and marks given by EU member states, regulation institutions, the European Data Protection Council and the European Commission;

6. Executing standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the its examination procedure.

Therefore, under this Agreement, our transmission of your personal information across beyond EU to a server located in China Mainland is based on your explicit consent after you have understanding the above risks. However, we will use as many as possible technical means to ensure the safety of your personal information, and prevent them from being damaged and leaked during cross-border transmission.

G. ABOUT MINORS

Minors may not create an account without the consent of a parent or guardian. If you are a minor, we advise you to ask your parent or guardian to read this agreement carefully and then, with the consent of your parent or guardian, use our services or provide us information.

As for our collection for minors’ personal information requiring the consent of their parent or guardian, we will only store, use, share, transfer or disclose information to the extent that our processing activities are permitted by law, are authorized by parental or guardian's explicit consent, or are for the aim of protection of minors.

H. UPDATE OF THIS AGREEMENT

You agree that EPEC may update the contents of this Agreement to the extent that the updated content is in the line with GDPR regulations. We will not restrict your rights under the GDPR before we obtain your consent. We will post updates to this Agreement on a designated web page or through a pop-up window. If you do not agree the updates, you may exercise your rights under the GDPR e.g. requesting us to delete your personal information or restrict the use of your personal information, or withdrawing your consent.

The updates referred to in this Agreement include but are not limited to:

1. Changes we make to this Agreement in accordance with requirements of applicable laws and regulations;

2. Changes regarding the service model of the Platform e.g. changes as to the purpose of processing personal information, the type of personal information processed, and the way in which personal information is processed;

3. Major changes of EPEC’s controller, such as changes in owners caused by mergers and acquisitions, etc.;

4. Changes regarding the main objects of sharing, disclosure, or transmission of your personal information;

5. Significant changes regarding your rights or manners to exercise your rights in relation to our processing of your personal information;

6. Changes regarding our departments in charge of personal information security issue, its contact information, and your complaint channels.

I. HOW TO CONTACT US

You can contact us or the data protection officer by clicking the "Contact Us" button of the Platform’s website. We will respond to your request as soon as possible.

Personal Information Protection Agreement

(For EPEC International Business Platform members)

Party A: EPEC E-Commerce Co., Ltd.

Address: Unit 1903-1905, 19th Floor, Building 1, No. 16 Chaowai Street, Chaoyang District, Beijing

Legal representative: Gao Wenhui

Uniform Social Credit Code:91110105MA0012QY1F

Party B: Persons that have completed the registration as a member on the EPEC International Business Platform (https://global.epec.com/portal/) ("Platform"), or persons that are in the registration process to become a member of the Platform. The foregoing “member” includes without limitation, for example, suppliers (sellers) and purchasers (buyers) that have registered as a member or are in the registration process as a member on the Platform.

Whereas:

1. Party A is the entity that operates the EPEC International Business Platform (https://global.epec.com/portal/) (" Platform "). One of Party A's businesses is to provide inquiry, source search services, transaction facilitating, and intermediary services for suppliers and purchasers registered on the platform.

2. The supplier/purchaser on Party A's Platform must provide the following information if register as Platform’s member: their contact individuals’ real name, work phone number, mobile phone number, email address, work address, etc., and this information is hereinafter referred to as "personal information". The above-mentioned individuals who provide personal information are collectively referred to as "data subject(s)". Party A transmits the collected personal information and stored it on the server in China Mainland.

3. Platform’s purchasing manager identified by Party A ("Purchasing Manager") is responsible for reviewing and collecting product information uploaded by suppliers/purchasers or the needs of suppliers / purchasers. The Purchasing Manager is also responsible for providing inquiry services, source search services, transactions facilitating and intermediary services, translation services, etc. on behalf of Party A.

4. Party B may receive the above personal information forwarded by Party A or Purchasing Manager who aims to make a deal between the suppliers and the purchasers.

In the light of the above, if Party B clicks the "Agree" button at the bottom of this "Personal Information Protection Agreement", Party B shall be deemed to agree to the entire contents of this "Personal Information Protection Agreement" (" this Agreement ") and shall be deemed voluntarily to be bound by this Agreement.

Article 1 Party B’s Promises

1. Unless Party A expressly authorizes in writing, Party B can only use personal information for: contacting the data subject based upon the personal information forwarded by Party A or purchase manager.

2. Without the express consent of Party A, Party B shall not transfer, share or disclose personal information, and shall not use personal information for purposes other than the purpose set out in the clause 1 above.

3. Party B shall take appropriate measures such as encrypting, anonymizing to ensure the security of personal information, and keep the personal information undisclosed, integral, and not being lost or stolen.

4. Party B shall be equipped with a system for preventing intrusion and personal information leakage; at the same time, Party B shall have the ability to recover personal information data when personal information is lost or damaged.

5. Party B shall regularly evaluate and improve its own systems and measures for protecting personal information security.

6. If Party A or the purchasing manager requires so, Party B shall use or process personal information on Sinopec's internal system or Sinopec's server, and shall not download personal information to Party B's local server.

Article 2 Liability for breach of this agreement

Party B understands that the purpose of this agreement is to assist Party A in complying with the relevant provisions of the EU General Data Protection Regulations (“GDPR”). Any violation of this Agreement by Party B (including but not limited to the disclosure, loss or damage of personal information caused by Party B), may result in Party A being punished by relevant EU regulatory authorities, being subject to claims of related entities, suffering goodwill damages and losing interests that Party B would have attained. Therefore, both parties agree that if Party B breaches this Agreement, Party A has the right to request Party B to compensate Party A for direct and indirect losses, including but not limited to the penalties conferred by relevant EU regulatory authorities, the claims of raised by related entities, the damages regarding loss of goodwill and any lost interests that Party B would have attained.

Article 3 Dispute Resolution

Any dispute arising from this Agreement, both parties agree to resolve the dispute according to the following dispute resolution provisions.

1. All disputes arising from the signing and performing this Agreement, including but not limited to liability for breach of contract, validity of the agreement and termination and cancellation of the agreement, shall be settled through friendly negotiation between the two parties. If the negotiation fails, the parties agree to resolve the dispute by the following means:

2. If Party B is not an internal unit within the Sinopec Group (whether Party B is a Sinopec Group’s internal unit shall be subject to the sole determination of Party A), both parties agree to submit the dispute to China International Economic and Trade Arbitration Commission (“CIETAC”) for arbitration, according to the CIETAC’s arbitration rules that are in force when the arbitration application is submitted. The applicable and governing law shall be the laws of P.R.C. (excluding the laws of Hong Kong, Macau and Taiwan). The arbitral award is final and binding on both parties. The place of arbitration shall be Beijing.

3. If Party B is an internal unit within the Sinopec Group (whether Party B is a Sinopec Group’s internal unit shall be subject to the sole determination of Party A), both parties agree to submit the dispute to Sinopec's internal dispute mediation committee for mediation.

Article 4 Miscellaneous

1. If GDPR’s provisions change, Party A may modify the terms of this Agreement according to the changes of GDPR provisions, and notify party B about the modified terms of this agreement. If party B does not expressly refuse such modification in writing within 7 days after receiving Party A’s notification about the modification, Party B is deemed as accepting the modified terms of this agreement.

2. The notice under this Agreement will be published on Platform’s website or in the form of a pop-up window on the Platform’s website or other forms at Party A’s option e.g. serving an notice, and the date of publication shall be deemed to be the date of Party B’s receipt of such notice.

Article 5 Effective Date

This agreement shall be executed and effective immediately after Party B clicks the "Agree" button below. This Agreement shall be binding on both parties.