
Compliance

Huawei complies with globally applicable privacy laws, including the GDPR. Huawei will ensure that relevant businesses comply with applicable GDPR requirements.

Privacy Impact Assessment (PIA)

We use the privacy impact assessment (PIA) approach to assess and mitigate privacy risks in products and services. In the PIA process, we require each project team to fully assess whether the project involves personal data processing, determine the personal data inventory and data flow diagram, and identify the role of Huawei in data processing. If Huawei is a data controller and the data processing scenario is high risk, the project team must perform a data protection impact assessment (DPIA), which is stricter than PIA, to assess the impact of privacy risks.

1. Fully assess whether personal data is involved in the project. PIA is not required for projects that do not involve personal data.

2. If personal data is involved, create a data inventory and data flow diagram.

3. Analyze the role of Huawei in data processing. If Huawei is a data controller, determine whether to perform DPIA. If Huawei is a data processor, determine whether to perform PIA. If Huawei is neither a data controller nor a data processor, comply with the Privacy Protection Guideline.

4. After performing DPIA or PIA, output a report.

Data Breach Handling Process

Huawei has established an emergency response mechanism for personal data breaches. Once a personal data breach occurs, Huawei will immediately set up an emergency team based on the response process. To protect user privacy to the maximum extent, we try our best to minimize the loss caused by personal data breaches and ensure that persons affected by data breaches are appropriately informed.

(1) Formula for assessing personal data breach severity

Risk level (R) = Data processing context (DC) × Ease of identification (EI) + Circumstances of breach (CB). Each term is described below:

  • Data processing context (DC): Data is divided into non-sensitive personal data (basic score: 1 point) and sensitive personal data (basic score: 2 points).
    1) If a large amount of personal data that belongs to one data subject is leaked or the personal special features are obvious, the score can increase accordingly (no more than 4 points).
  • Ease of Identification (EI): Data is divided into ciphertext data (basic score: 1 point) and plaintext data (basic score: 2 points) based on how easy it will be to identify the data subject using the leaked personal data.
    1) If the strongest and most secure cryptographic algorithms are used to encrypt personal data and the key is kept confidential, so that the personal data involved in the breach cannot be restored to plaintext, the item scores 0.25 points.
    2) If the leaked plaintext data or cracked ciphertext data can hardly be used to identify a data subject, this score can be reduced accordingly (no less than 0.25 points).
  • Circumstances of breach (CB):
    A1 Loss of confidentiality: personal data breaches brought by incorrect permission configuration
    A2 Loss of integrity: personal data being tampered with or replaced, affecting data subjects' interests
    A3 Loss of availability: personal data unable to be normally accessed, damaging data subjects' interests
    A4 Personal data breaches brought by malicious behavior

The scores of all CB items are supplementary to DC and EI, and will be added to the final score. The following table describes each item in detail and provides some examples.

The scores of all CB items

| Data Breach Category | Score | Description | Example |
|---|---|---|---|
| A1 | 0.25 | Personal data is leaked to some known incorrect receivers. | (1) Emails containing personal data are sent to some known receivers who should not receive the emails. (2) Incorrect permission setting enables some users to access personal data of others. |
| A1 | 0.5 | Personal data is leaked to some unknown receivers. | (1) Personal data is incorrectly uploaded to public web pages. (2) Incorrect configuration enables an arbitrary user to access all personal data on the website. |
| A2 | 0.25 | Personal data is changed and incorrectly or unlawfully used, affecting data subjects; however, the altered data can be restored. | Some account passwords stored in the system are changed. As a result, the affected accounts cannot be normally logged in to within a specific period of time. However, the changed data can be restored. |
| A2 | 0.5 | Personal data is changed and incorrectly or unlawfully used, affecting data subjects. The changed data cannot be restored. | Some account passwords stored in the system are changed, and the changed data cannot be restored. As a result, the affected accounts cannot be logged in to any more. |
| A3 | 0.25 | Personal data cannot be accessed, but the data can be restored. | Due to the mal-operations of the maintenance personnel, the accounts of online service users are lost. However, the accounts can be re-created through other databases. |
| A3 | 0.5 | Personal data cannot be accessed or restored. | The database of a forum is damaged, and all stored forum user activity records are lost. The lost data has no backup and cannot be re-provided by the users. |
| A4 | 0.5 | Personal data breaches are brought by malicious behavior that adversely affects enterprises or individuals. | (1) Employees share customers' personal data on external websites. (2) Employees sell customers' personal data to third parties. (3) External hackers break into the corporate IT system and steal personal data. |

(2) According to risk rating, personal data breach events can be classified into the following levels:

[Figure: personal data breach event levels by risk rating]

Data Subject Rights Requests

Huawei Technologies Co., Ltd. provides you with a platform for requesting data subject rights. You can submit requests in any of the following ways:

1. Access Huawei's official website, click "Read our privacy policy", find the "click here" link in chapter 4 to access the Personal Data Management Request page, and submit your request. Link: Personal Data Management Request

2. Access the Consumer official website and click "Privacy" at the bottom of the home page. On the Privacy page, click "Privacy Statement". The Huawei Consumer Business Privacy Statement is displayed. Click "let us know" in the first paragraph to submit your request. Link: Privacy Questions

3. Open the HiCare app on your mobile phone and click Privacy Issues to submit your request.
