Huawei is open and transparent to regulators, customers, and consumers in terms of personal data processing and end-to-end privacy protection methods. Information use policies should be transparent to users. Users should be able to appropriately control when and if they want to receive information based on their own individual needs.
The EU's General Data Protection Regulation (GDPR) came into force on May 25, 2018. The GDPR affects the ways in which GDPR-applicable companies collect and manage their customers' and employees' personal data. The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
As an ICT infrastructure and smart device provider, Huawei has always attached great importance to privacy protection and taken its corresponding responsibilities seriously. Huawei has incorporated privacy protection requirements into the processes of daily business activities.
Huawei complies with globally applicable privacy laws, including the GDPR. Huawei will ensure that relevant businesses comply with applicable GDPR requirements.
1. Huawei attaches great importance to privacy protection. To ensure effective implementation of privacy protection requirements, we adopt cross-department collaboration. The established Global Cyber Security and User Privacy Protection Committee (GSPC) is the highest management organization for corporate cyber security and user privacy protection. The Global Cyber Security & Privacy Officer (GSPO) is responsible to the CEO. All business units of Huawei have dedicated privacy-related roles and/or organizations. According to GDPR requirements, we have also appointed a Data Protection Officer (DPO) for the EU.
2. Huawei adopts the privacy protection approaches and practices recognized by the industry. To help business departments better identify and mitigate privacy risks in business activities, we introduced the privacy impact assessment (PIA) approach several years ago to assess our products and services. In GDPR-applicable business scenarios, we (1) create a personal data inventory to maintain personal data processing records and (2) set up an emergency response mechanism for personal data breaches. Once a personal data breach occurs, Huawei will immediately set up an emergency team based on the response process. To protect user privacy to the maximum extent, we try our best to minimize the loss caused by personal data breaches and ensure that persons affected by data breaches are appropriately informed. In addition, we (3) have reviewed and optimized privacy protection requirements for personal data processing activities of suppliers subject to the GDPR, and incorporated compliance requirements into the Manage Supplier process.
3. Huawei regularly provides privacy compliance training to employees, and attaches great importance to improving the GDPR compliance awareness of employees to ensure that every employee and partner involved in the GDPR can accurately understand the legal principles of data protection based on their specific work and functions, and strictly implement the company's applicable systems and processes.
4. Huawei has continuously obtained international certifications and accreditations such as ISO 27001, CSA STAR, and ePrivacy Seal, demonstrating Huawei's compliance with recognized international standards in the industry.
5. To ensure compliance, our Internal Audit Dept has completed a comprehensive review of technologies and processes.
For Huawei, GDPR compliance is only part of Huawei's privacy protection. Privacy protection is not only a legal requirement, but also a social responsibility of Huawei as an ICT infrastructure and smart device provider. We will continuously improve and optimize our products and services to ensure security and privacy and reduce customer and user privacy protection risks.
Huawei will continuously demonstrate and elaborate on our privacy protection governance practices.
Protecting privacy is a regulatory requirement, and also the expression of Huawei's values as a company. Users should be able to appropriately control how their data is used. There must be the right set of capabilities and mechanisms to fully protect users' private data.
Huawei has released and regularly reviews and updates its global privacy policy, Huawei General Privacy Protection Policy, which systematically elaborates on Huawei's privacy policy to ensure that Huawei complies with applicable laws and regulations on privacy and personal data protection in countries where it operates. Huawei also specifies the responsibilities of relevant departments in GDPR compliance.
We use the privacy impact assessment (PIA) approach to assess and mitigate privacy risks in products and services. In the PIA process, we require each project team to fully assess whether the project involves personal data processing, determine the personal data inventory and data flow diagram, and identify the role of Huawei in data processing. If Huawei is a data controller and the data processing scenario is high-risk, the project team must perform a data protection impact assessment (DPIA), which is stricter than PIA, to assess the impact of privacy risks.
1. Fully assess whether personal data is involved in the project. PIA is not required for projects that do not involve personal data.
2. If personal data is involved, create a data inventory and data flow diagram.
3. Analyze the role of Huawei in data processing. If Huawei is a data controller, determine whether to perform DPIA. If Huawei is a data processor, determine whether to perform PIA. If Huawei is neither a data controller nor a data processor, comply with the Privacy Protection Guideline.
4. After performing DPIA or PIA, output a report.
Huawei has established an emergency response mechanism for personal data breaches. Once a personal data breach occurs, Huawei will immediately set up an emergency team based on the response process. To protect user privacy to the maximum extent, we try our best to minimize the loss caused by personal data breaches and ensure that persons affected by data breaches are appropriately informed.
Risk level (R) = Data processing context (DC) × Ease of identification (EI) + Circumstances of breach (CB). A detailed description follows:
The scores of all CB items are supplementary to DC and EI, and are added to the final score. The following table gives a detailed description of each item and provides some examples.
| Data Breach Category | Score | Description | Example |
| --- | --- | --- | --- |
| A1 | 0.25 | Personal data is leaked to some known incorrect receivers. | (1) Emails containing personal data are sent to some known receivers who should not receive the emails. (2) Incorrect permission setting enables some users to access personal data of others. |
| A1 | 0.5 | Personal data is leaked to some unknown receivers. | (1) Personal data is incorrectly uploaded to public web pages. (2) Incorrect configuration enables an arbitrary user to access all personal data on the website. |
| A2 | 0.25 | Personal data is changed and incorrectly or unlawfully used, affecting data subjects; however, the altered data can be restored. | Some account passwords stored in the system are changed. As a result, the affected accounts cannot be normally logged in to within a specific period of time. However, the changed data can be restored. |
| A2 | 0.5 | Personal data is changed and incorrectly or unlawfully used, affecting data subjects. The changed data cannot be restored. | Some account passwords stored in the system are changed, and the changed data cannot be restored. As a result, the affected accounts cannot be logged in to any more. |
| A3 | 0.25 | Personal data cannot be accessed, but the data can be restored. | Due to the mal-operations of the maintenance personnel, the accounts of online service users are lost. However, the accounts can be re-created through other databases. |
| A3 | 0.5 | Personal data cannot be accessed or restored. | The database of a forum is damaged, and all stored forum user activity records are lost. The lost data has no backup and cannot be re-provided by the users. |
| A4 | 0.5 | Personal data breaches are brought by malicious behavior that adversely affects enterprises or individuals. | (1) Employees share customers' personal data on external websites. (2) Employees sell customers' personal data to third parties. (3) External hackers break into the corporate IT system and steal personal data. |

(2) According to risk rating, personal data breach events can be classified into the following levels:
Huawei Technologies Co., Ltd. provides you with a platform for requesting data subject rights. You can submit requests in any of the following ways:
1. Access Huawei's official website, click "Read our privacy policy", find "click here" in chapter 4 to access the Personal Data Management Request page, and submit your request. URL: Personal Data Management Request
2. Access the Consumer official website and click "Privacy" at the bottom of the home page. On the Privacy page, click "Privacy Statement". The Huawei Consumer Business Privacy Statement is displayed. Click "let us know" in the first paragraph to submit your request. URL: Privacy Questions
3. Open the HiCare app on your mobile phone and click "Privacy Issues" to submit your request.