附件：ZTRON具体场景示例

Addendum: ZTRON Specific Scenarios

我们建议您仔细阅读以下内容，了解您购买我们产品和接受我们服务时所需承担的数据安全责任：

WE RECOMMEND THAT YOU READ THE FOLLOWING CAREFULLY TO UNDERSTAND YOUR DATA SECURITY RESPONSIBILITIES WHEN PURCHASING OUR PRODUCTS AND ACCEPTING OUR SERVICES:

定义 Definitions

“数据控制者”指的是那些决定——不论是单独决定还是共同决定——个人数据处理目的与方式的自然人或法人、公共机构、代理机构或其他实体。

‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“数据处理者”指的是代表数据控制者而处理个人数据的自然人或法人、公共机构、代理机构或其他实体。

‘Data Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“数据主体”指的是通过个人数据能够直接或间接被识别的自然人。

‘Data Subject’ means a natural person who can be identified directly or indirectly through personal data

（1）仅购买和使用ZSM

该种场景下，数据处理的目的和方式由您决定，数据由您存储，华大既不是数据控制者，也不是数据处理者。

由于ZSM位于数据收集最前端，会直接收集数据主体的个人数据，您应当按照所适用的数据隐私相关的法律规定以及《隐私政策》、《ZTRON隐私及安全说明手册》、用户协议、销售协议、软件许可协议中的规定，获得数据主体明确授权，做好个人数据数据保护工作，并承担因错误或疏忽行为导致的数据安全责任。

(1) Purchase and use of only ZSM

In this scenario, the purpose and method of data processing are determined by you, and the data is stored by you. MGI is neither a Data Controller nor a Data Processor.

Since ZSM is at the forefront of data collection, it will directly collect personal data of data subjects. You should abide by the applicable data privacy regulations and the rules in “Privacy Policy”, “ZTRON Privacy and Security Manual”, “Terms of Use”, “Sales Agreement” and “Software License Agreement”, obtain explicit consent from the data subjects, complete the data protection requirements and assume the data security responsibility caused by your misconduct or negligence.

（2）仅购买和使用ZLIMS

该种场景下，华大既不是数据控制者，也不是数据处理者。数据处理的目的和方式由您决定，数据由您存储。您应当按照所适用的数据隐私相关的法律规定以及《隐私政策》、《ZTRON隐私及安全说明手册》、用户协议、销售协议、软件许可协议中的规定，获得数据主体明确授权，做好个人数据数据保护工作，并承担因错误或疏忽行为导致的数据安全责任。

(2) Purchase and use of only ZLIMS

In this scenario, MGI is neither a Data Controller nor a Data Processor. The purpose and method of data processing are determined by you, and the data is stored by you. You should abide by the applicable data privacy regulations and the rules in “Privacy Policy”, “ZTRON Privacy and Security Manual”, “Terms of Use”, “Sales Agreement” and “Software License Agreement”, obtain explicit consent from the data subjects, complete the data protection requirements and assume the data security responsibility caused by your misconduct or negligence.

（3）购买和使用 ZSM+ZLIMS

与仅购买ZSM和仅购买ZLIMS场景一致，在该场景中，华大既不是数据控制者，也不是数据处理者。您应当按照所适用的数据隐私相关的法律规定以及《隐私政策》、《ZTRON隐私及安全说明手册》、用户协议、销售协议、软件许可协议中的规定，获得数据主体明确授权，做好个人数据数据保护工作，并承担因错误或疏忽行为导致的数据安全责任。

(3) Purchase and use of ZSM+ZLIMS

Consistent with the scenarios of only purchasing ZSM and only purchasing ZLIMS, in this scenario, MGI is neither a Data Controller nor a Data Processor. You should abide by the applicable data privacy regulations and the rules in “Privacy Policy”, “ZTRON Privacy and Security Manual”, “Terms of Use”, “Sales Agreement” and “Software License Agreement”, obtain explicit consent from the data subjects, complete the data protection requirements and assume data security responsibility caused by your misconduct or negligence.

（4）购买和使用ZTRON+ZMART +ZLIMS

原则上，华大通常既不是数据控制者，也不是数据处理者。但是，当您对导出的数据产生疑问时，您可以书面请求华大，我们会基于您的授权，通过访问产品中的数据进行问题处理，处理过程中，可能会访问到数据主体的个人数据。仅有在此特定场景下，华大会在您的授权范围内进行数据处理，成为数据处理者。

另外，由于Zmart上存在第三方软件，如果您购买了第三方软件，还可能会涉及与第三方软件供应商数据传输、共享的问题，由此产生的相关数据安全风险应该由您或第三方自行承担，因此，我们建议您仔细阅读第三方软件提供的隐私政策和用户协议。另外您还应当以合理途径向数据主体披露该风险，并获得数据主体的合法授权。

华大有严格的供应商准入标准，如需了解，您可以点击本链接进行查阅。

(4) Purchase and use of ZTRON+ZMART +ZLIMS

In principle, MGI is neither a Data Controller nor a Data Processor. However, when you have questions about the exported data, you can make a written request to MGI. Based on your authorization, we will process the problem by accessing the data in the product. During the processing, we may access the personal data of data subjects. Only in this specific scenario, MGI will process data within the scope of your authorization and become a Data Processor.

In addition, due to the existence of third-party software on Zmart, if you purchase third-party software, you may be involved in data transmission and sharing with the third-party software supplier. The related data security risks arising therefrom should be voluntarily borne by you or the third party. Therefore, we recommend you to carefully read the privacy policy and user agreement provided by third-party software. In addition, you should further disclose the risk to the data subject and obtain their legal authorization in a reasonable manner.

MGI has strict supplier security standards. Please consult this link for further information.

（5）购买和使用ZTRON+ZMART+ZSM

在该场景下，原则上，华大通常既不是数据控制者，也不是数据处理者。

您的数据安全责任参见场景（1）“仅购买和使用ZSM”和场景（4）“购买和使用ZTRON+ZMART +ZLIMS”。

(5) Purchase and use of ZTRON+ZMART+ZSM

In this scenario, in principle, MGI is neither the Data Controller nor the Data Processor.

For additional details about your data security responsibilities, see scenario (1) “Purchase and use of only ZSM” and scenario (4) “Purchase and use of ZTRON+ZMART +ZLIMS”.

（6）购买和使用ZTRON+ZMART+ZSM+ZLIMS

在该场景下，原则上，华大通常既不是数据控制者，也不是数据处理者。

您的数据安全责任参见场景（1）“仅购买和使用ZSM”、场景（2）“仅购买和使用ZLIMS”和场景（4）“购买和使用ZTRON+ZMART +ZLIMS”。

(6) Purchase and use of ZTRON+ZMART+ZSM+ZLIMS

In this scenario, in principle, MGI is usually neither the Data Controller nor the Data Processor.

For additional details about your data security responsibilities, see scenario (1) “Purchase and use of only ZSM”, scenario (2) “Purchase and use of only ZLIMS” and scenario (4) “Purchase and use of ZTRON+ZMART +ZLIMS”.

（7）购买和使用ZTRON+ZMART+ZSM+MegaBOLT

在该场景下，原则上华大通常既不是数据控制者，也不是数据处理者。您应当按照所适用的数据隐私相关的法律法规以及《隐私政策》、《ZTRON隐私及安全说明手册》、用户协议、销售协议、软件许可协议中的规定，获得数据主体明确授权，做好个人数据数据保护工作，并承担因错误或疏忽行为导致的数据安全责任。

(7) Purchase and use of ZTRON+ZMART+ZSM+MegaBOLT

In this scenario, in principle, MGI is neither a Data Controller nor a Data Processor. You should abide by the applicable data privacy regulations and the rules in “Privacy Policy”, “ZTRON Privacy and Security Manual”, “Terms of Use”, “Sales Agreement” and “Software License Agreement”, obtain explicit consent from the data subjects, complete the data protection requirements and assume data security responsibility caused by your misconduct or negligence.

（8）购买和使用ZTRON+ZMART+ZLIMS+MegaBOLT

在该场景下，原则上华大通常既不是数据控制者，也不是数据处理者。

您的数据安全责任参见场景（4）“购买和使用ZTRON+ZMART +ZLIMS”和场景（7）“购买和使用ZTRON+ZMART+ZSM+MegaBOLT”。

(8) Purchase and use of ZTRON+ZMART+ZLIMS+MegaBOLT

In this scenario, in principle, MGI is usually neither the Data Controller nor the Data Processor.

For additional details about your data security responsibilities, see scenario (4) “Purchase and use of ZTRON+ZMART+ZLIMS” and scenario (7) “Purchase and use of ZTRON+ZMART+ZSM+MegaBOLT”.

（9）购买和使用ZTRON+ZMART+ZSM+ZLIMS+MegaBOLT

在该场景下，原则上华大通常既不是数据控制者，也不是数据处理者。

您的数据安全责任参见场景（2）“仅购买和使用ZLIMS”和场景（7）“购买和使用ZTRON+ZMART+ZSM+MegaBOLT”。

(9) Purchase and use of ZTRON+ZMART+ZSM+ZLIMS+MegaBOLT

In this scenario, in principle, MGI is neither the Data Controller nor the Data Processor.

For additional details about your data security responsibilities, see scenario (2) “Purchase and use of only ZLIMS” and scenario (7) “Purchase and use of ZTRON+ZMART+ZSM+MegaBOLT”.

（10）仅购买和使用MegaBOLT

（10）Purchase and use of only MegaBOLT

（11）软硬件运维（购买的所有软硬件产品均可能涉及该场景）

在需要进行软硬件运维时，您或您的授权用户可以向华大发送书面请求，经华大书面确认后，才会进行软硬件运维工作。在该场景下，华大可能会接触到个人数据，成为数据的处理者。前述的所有软硬件产品，都可能涉及该场景。

华大承诺严格遵守所适用的国内外数据安全保护法规，并已通过技术手段将个人数据和运维信息分开存储。此外，华大已通过技术手段进行权限区分（管理员和普通用户分开）。华大承诺在非必要情形下，原则上不接触个人数据。

由于硬件维保（如硬件更换等）是由第三方硬件供应商提供的，我们已与硬件供应商明确约定相关的数据安全保护义务，并安排签署安全供应商协议，以符合华大内部的数据安全标准。特别是涉及存储设备更换时，我们要求第三方硬件供应商需要确认原设备中的数据，您或您的授权用户已另行备份且清除完毕才能进行更换。

我们的供应商已经作出安全承诺，华大也一直督促供应商履行数据安全承诺，对于因硬件供应商运维问题导致的数据泄露事故，应由该供应商自行承担。

(11) Software and hardware operation and maintenance (all software and hardware products purchased may be involved in this scenario)

When operation and maintenance of software and hardware are required, you or your authorized user can send a written request to MGI, and the software and hardware operation and maintenance will only be carried out after written confirmation from MGI. In this scenario, MGI may have access to personal data and become a Data Processor. All the aforementioned software and hardware products may be involved in this scenario.

MGI is committed to strict compliance with applicable domestic and foreign data security protection laws and regulations, and has used technical means to separately store personal data and operation and maintenance information. In addition, MGI has used technical means to distinguish permissions (administrators and regular users are separated). MGI undertakes to, in principle, not handle personal data in non-essential circumstances.

As hardware maintenance (such as hardware replacement, etc.) is provided by third-party hardware suppliers, we have clear agreements with hardware suppliers on the relevant data security protection obligations and have arranged for them to sign a security supplier agreement to comply with MGI’s internal data safety standard. Particularly, in matters involving the replacement of storage devices, we require third-party hardware suppliers to confirm that the data in the original device has been backed up and cleared by you or your authorized users before replacing the device.

Our suppliers have already made security commitments, and MGI has been urging suppliers to fulfill their data security commitments. Data breach accidents caused by hardware suppliers’ operation and maintenance issues should be borne by the suppliers.