Data Processing Addendum

This Huawei Cloud Data Processing Addendum ("DPA") forms a part of the Huawei Cloud agreement to which it is incorporated by reference (including reference in a URL), as updated from time to time, ("Agreement") between Sparkoo Technologies Ireland Co., Limited (“Huawei Cloud”, “we”, “us” and “our”) and the entity you represent or you individually if you don’t designate an entity in connection with the Account and Services (“Customer”, “you” or “your”).

All capitalized terms used in this DPA have the meanings given to them in Section 16 of this DPA or the meaning given to them in the Agreement.

1. ROLES OF THE PARTIES

1.1 Customer as a controller. If the Customer is a controller of that Customer Data under Applicable Privacy Law:

1.1.1 the subject-matter and details of the processing are described in Section 2;

1.1.2 Huawei Cloud is a processor of that Customer Data under Applicable Privacy Law;

1.1.3 each party will comply with the obligations applicable to it under Applicable Privacy Law with respect to the processing of that Customer Data.

1.2 Customer as a processor. If the Customer is a processor of that Customer Data under Applicable Privacy Law, then Sections 1.1.1 – 1.1.3 apply and, in addition, the Customer:

1.2.1 warrants on an ongoing basis that the relevant controller has authorized: (i) the Instructions, (ii) the Customer’s appointment of Huawei Cloud as another processor, and (iii) Huawei Cloud’s engagement of Sub-Processors as described in Section 9;

1.2.2 will immediately forward to the relevant controller any notice that was provided by Huawei Cloud under this DPA or that refers to any SCCs;

1.2.3 may make available to the relevant controller any information made available by Huawei Cloud under this DPA.

1.3 Controller requests. During the term of this DPA, if Huawei Cloud receives a request or instruction from a third party purporting to be a controller of Customer Data, Huawei Cloud will advise the third party to contact the Customer.

2. DESCRIPTION OF PROCESSING

2.1 Subject-matter. The subject-matter of the processing is the provision of the Services to the Customer by Huawei Cloud.

2.2 Duration. The duration of the processing will be the term of the Agreement plus the period from the end of the term of the Agreement until the deletion of all Customer Data in accordance with this DPA.

2.3 Nature and purpose of the processing. The nature and purpose of the processing is computing, storage and other cloud services available on the Huawei Cloud network to ensure the Customer’s access to and use of the Services under the Agreement.

2.4 Types of personal data. The types of personal data are data relating to individuals about whom data is provided to Huawei Cloud via the Services by (or at the direction of) the Customer or by End Users.

2.5 Categories of data subjects. The categories of data subjects include individuals about whom data is provided to Huawei Cloud via the Services by (or at the direction of) the Customer or by End Users, in particular the Customer’s (i) employees, (ii) suppliers, (iii) End Users, (iv) clients.

3. LAWFULNESS OF PROCESSING

3.1 Lawfulness. Each Party will comply with Applicable Privacy Laws in relation to the performance of this DPA. Each Party will be able to demonstrate such compliance.

3.2 Information. Huawei Cloud will make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA.

3.3 Customer’s instructions. The parties agree that this DPA and the Agreement (including the Customer providing instructions via the configuration tools and APIs made available by Huawei Cloud for the Services via the Account) constitute the Customer’s documented instructions regarding Huawei Cloud’s processing of Customer Data (“Instructions”). Huawei Cloud will process Customer Data only in accordance with the Instructions.

3.4 Notification. Taking into account the nature of the processing, the Customer agrees that it is unlikely that Huawei Cloud can form an opinion on whether Instructions infringe Applicable Privacy Law. However, if Huawei Cloud forms such an opinion, Huawei Cloud will immediately notify the Customer if, in Huawei Cloud’s opinion: (a) Applicable Privacy Law prohibits Huawei Cloud from complying with the Instructions; (b) the Instructions do not comply with Applicable Privacy Law; or (c) Huawei Cloud is otherwise unable to comply with the Instructions, in each case unless such notice is prohibited by Applicable Privacy Law. This Section does not limit either party’s rights or obligations elsewhere in the Agreement.

3.5 Scope of Instructions. As a processor, Huawei Cloud will process Customer Data as necessary to provide, secure and monitor the Services, and will not collect, use, retain, access, share, sell, transfer, or otherwise process Customer Data for any purpose not related to providing such Services, for any purpose other than as set out in the Agreement, this DPA or otherwise required by Applicable Privacy Law.

4. CONFIDENTIALITY

4.1 Personnel. Huawei Cloud will ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Disclosure. Without prejudice to Sections 3.5 above and 9 below, Huawei Cloud will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order by a competent public authority (such as a subpoena or court order). If Huawei Cloud is summoned by the competent public authorities to disclose Customer Data, Huawei Cloud will try to redirect such summons to the Customer. This may include providing the Customer’s basic contact information to the competent public authority. If Huawei Cloud is legally obliged to disclose Customer Data to a competent public authority, Huawei Cloud will provide the Customer with reasonable notice of the order to allow the Customer to take necessary remedies, unless Huawei Cloud is legally prohibited from doing so.

5. SECURITY AND SECURITY ASSISTANCE

5.1 Security Measures. Huawei Cloud will implement and maintain the Security Measures. The Security Measures include measures to encrypt personal data; to help ensure the ongoing confidentiality, integrity, availability and resilience of Huawei Cloud’s systems and services; to help restore timely access to personal data following an incident; and to test effectiveness regularly. Huawei Cloud may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Services.

5.2 Access to Customer Data. Huawei Cloud will (a) authorize its employees, contractors and Sub-Processors to access Customer Data only as strictly necessary to comply with Instructions; and (b) take appropriate steps to ensure that its employees, contractors and Sub-Processors comply with the Security Measures to the extent applicable to their scope of performance.

5.3 Additional Security Controls. Huawei Cloud will make Additional Security Controls available to: (a) allow the Customer to take steps to secure Customer Data; and (b) provide the Customer with information about securing, accessing and using Customer Data.

5.4 Security Assistance. Huawei Cloud will assist the Customer in ensuring compliance with its obligations pursuant to Articles 32 to 34 of the GDPR, taking into account the nature of the processing of Customer Data and the information available to Huawei Cloud, by:

5.4.1 implementing and maintaining the Security Measures in accordance with Sections 5.1 and 5.2 and SCHEDULE 1;

5.4.2 making Additional Security Controls available to the Customer in accordance with Section 5.3;

5.4.3 complying with the terms of Section 6;

5.4.4 providing the Customer with additional reasonable cooperation and assistance, at the Customer’s request, if subsections 5.4.1 - 5.4.3 above are insufficient for the Customer (or the relevant controller) to comply with such obligations. Any reasonable costs incurred by Huawei Cloud in complying with this Section will be borne solely by the Customer.

5.5 Customer’s Security Responsibilities. Without prejudice to Huawei Cloud’s obligations under Sections 5.1 - 5.4, Section 6 and elsewhere in the DPA or the Agreement, the Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside Huawei Cloud’s or Sub-Processors’ systems, including:

5.5.1 using the Services and Additional Security Controls to ensure a level of security appropriate to the risk to the Customer Data;

5.5.2 securing the Account authentication credentials, systems and devices the Customer uses to access the Services; and

5.5.3 backing up its Customer Data as appropriate.

6. PERSONAL DATA BREACH

6.1 Notification. Huawei Cloud will notify the Customer without undue delay after becoming aware of a personal data breach. Such notification(s) will be delivered using the contact information provided by the Customer by any means Huawei Cloud selects, including but not limited to email, SMS, etc. It is the Customer’s sole responsibility to ensure that the Customer’s administrators/personnel maintain accurate contact information in the Account at all times.

6.2 Assistance. In case of a personal data breach, Huawei Cloud will assist the Customer in ensuring compliance with the obligations pursuant to Article 33 and/or Article 34 of the GDPR, taking into account the nature of the processing and the information available to Huawei Cloud.

7. AUDITS

7.1 Huawei Cloud Audits. Huawei Cloud uses external auditors to verify the adequacy of its security measures, including the security of the physical data centres from which Huawei Cloud provides the Services. These audits meet the following conditions: (a) they are in line with the ISO 27001, ISO 27701, ISO 27017, ISO 27018, ISO 29151, ISO 27799, ISO 27034, ISO 22301, ISO/IEC 20000-1, CSA STAR gold certification, BS 10012 or other alternative standards that are substantially equivalent to those listed; (b) they are done by independent third-party auditors specialized in the field of security and privacy, at Huawei Cloud’s selection and expense; (c) they are done annually, at minimum; and (d) the findings from an audit are summarized in an audit report, which constitutes Huawei Cloud’s Confidential Information. Upon the Customer’s written request, based on an appropriate non-disclosure agreement, Huawei Cloud will provide the Customer with a copy of such report. This should be used by the Customer to reasonably verify Huawei Cloud’s compliance with its obligations under this DPA.

7.2 Customer Audits. If the Customer’s requirements to assess Huawei Cloud and its sub-processors’ compliance with applicable regulations are not fully satisfied by the means described in Section 7.1, the Customer may exercise its audit rights or empower a third-party to do so on its behalf. In order to exercise this right, the Customer will notify Huawei Cloud by written notice at least 30 days in advance of the intended commencement of any audit. If Huawei Cloud declines to comply with Customer audits or inspections as provided for under applicable Data Protection regulations, the Customer is entitled to terminate this DPA and the Agreement. Any reasonable costs incurred by Huawei Cloud in complying with this Section will be borne solely by the Customer. 'Reasonable costs' are defined as those costs that are necessary and appropriate for the completion of the audit process. This includes administrative burdens, such as efforts in providing (redacted) copies of reports and documents to the Customer that are not publicly available. If the Standard Contractual Clauses apply, nothing in this Section 7.2 varies or modifies the Standard Contractual Clauses or affects any Supervisory Authority’s or data subject’s rights under the Standard Contractual Clauses.

8. OTHER ASSISTANCE

8.1 Compliance. In addition to the assistance obligations under Section 5.4 above, Huawei Cloud will assist the Customer in ensuring compliance with its obligations pursuant to Articles 35 and 36 of the GDPR, taking into account the nature of the processing of Customer Data and the information available to Huawei Cloud.

8.2 Data subject rights. Huawei Cloud, taking into account the nature of the processing, will assist the Customer in fulfilling its obligations to respond to data subjects’ requests to exercise their rights as laid down in Chapter III GDPR. Huawei Cloud offers the Customer, via the functionalities of the Account, the possibility to take actions necessary to respond to any data subject request related to Customer Data. The assistance required under the GDPR from Huawei Cloud is exhausted by offering the functionalities of the Account, and because Huawei Cloud will forward data subjects’ requests received to the Customer.

8.3 Data subject requests. Huawei Cloud, using commercially reasonable efforts, will promptly forward to the Customer any request it has received from a data subject. If the Customer wants to exercise privacy rights, or wishes to raise or consult Huawei Cloud on a data subject request, please visit our Personal Data Management Request (Data Subject Right Portal). Huawei Cloud will not respond to the request itself unless instructed to do so by the Customer. Any reasonable costs incurred by Huawei Cloud in complying with this Section will be borne solely by the Customer.

8.4 If the Customer wishes to raise or consult Huawei Cloud on any privacy issues, including updating the RoPA, DPIA, etc., please visit Huawei Cloud Personal Data Management Request.

9. SUB-PROCESSING

9.1 General authorisation. The Customer agrees that Huawei Cloud may engage Sub-Processors for carrying out specific processing activities on behalf of the Customer from the Sub-Processors List, valid and complete as of the day of conclusion of the Agreement.

9.2 Changes to the Sub-Processors List. Huawei Cloud will make available to the Customer information of any intended changes to the Sub-Processors List including the identity and the general location of the Sub-Processor, at least 30 days in advance by updating the Sub-Processors List and sending notice to the Customer.

9.3 Objection to changes. The Customer has a right to object to changes to the Sub-Processors List within 30 days, in which case the Customer may move the relevant Customer Data to another region, terminate the Agreement, or cease using the relevant Service so that the objected Sub-Processor is not engaged in the processing of that Customer Data. The Customer’s right to object is without prejudice to any rights and/or obligations of the Customer under the Agreement, in particular as regards payments.

9.4 Obligations regarding Sub-Processors. Where Huawei Cloud engages a Sub-Processor as set out in Sections 9.1 or 9.2 Huawei Cloud will:

9.4.1 ensure via a written contract that:

9.4.1.1 the Sub-Processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA); and

9.4.1.2 the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are imposed on the Sub-Processor; and

9.4.2 remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processor.

10. DATA TRANSFERS

10.1 Data storage and processing facilities. The region in which Customer Data will be processed can only be specified by the Customer. In the EU region, Huawei Cloud data centers are located in Dublin, Ireland, and the team providing the operation and maintenance services, customer services and support services is located in Budapest, Hungary (as may be updated by Huawei Cloud from time to time). If the Customer chooses the EU region, all the customer data will be stored in Dublin, Ireland.

In Non-EU regions, Huawei Cloud data centers are located as set out in the Sub-Processors List. If the Customer chooses a Non-EU region, all the customer data will be stored in the Customer’s selected Non-EU region listed in the Sub-Processors List.

10.2 Transfers to Third Countries. Where a Customer wishes to process personal data in a Non-EU region, this can only be achieved at the direction and specification of the Customer by means of a written instruction from the Customer to Huawei Cloud.

Any transfer of the Customer Data from the Customer’s selected region(s) can be done by Huawei Cloud only if: (a) this is necessary to provide the Services requested by the Customer, in particular to investigate a security incident or violation of the Agreement, or (b) as necessary to comply with applicable laws and regulations or a binding order issued by a court or competent public authority.

Where transfers to a third country outside of the EEA may take place at the behest of a customer by means of a written Cloud Service Agreement, this will only be done on the basis of appropriate safeguards as set out in the GDPR, in particular the signature of the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 and the implementation of sufficient technical and organizational measures.

The selection of appropriate Clauses shall be determined based on the role of the Customer in the context of the corresponding personal data processing.

10.2.1 Where the Customer acts as a Data Controller located in the EU engaging Huawei Cloud (specifically the Irish entity named above) as a Processor, the Controller-to-Processor (C2P) SCCs (Module 2) shall apply.

10.2.2 Where the Customer acts as a Data Processor engaging Huawei Cloud (specifically the Irish entity named above) as a Data Sub-Processor, the Processor-to-Processor (P2P) SCCs (Module 3) shall apply.

10.2.3 Where Huawei Cloud is a data processor, the Processor-to-Controller (P2C) SCCs (Module 4) will apply to all such transfers from Huawei Cloud to the Customer as controller located in a Third Country.

10.3 Transfers to Adequate Countries. The parties acknowledge that Applicable Privacy Law does not require Standard Contractual Clauses in order for Customer Data to be processed in or transferred to an Adequate Country.

11. RETURN OR DELETION OF PERSONAL DATA

11.1 Return or Deletion of Personal Data. Via the functionalities of the Account, Huawei Cloud will provide the Customer with the ability to delete Customer Data in its entirety at any time, subject to the terms of the Agreement, unless the Applicable Privacy Law requires storage of the Customer Data. Huawei Cloud will delete Customer Data if required by the Customer, or the Customer closes its Account, or as otherwise described in the Agreement (e.g., upon termination of an extended and/or retention period).

11.2 Deletion authorization. The Customer instructs Huawei Cloud to delete all Customer Data as set out in Section 11.1.

12. DOCUMENTATION

12.1 Processing records. Huawei Cloud will keep appropriate documentation of its processing activities as required by the Applicable Privacy Law. To the extent the Applicable Privacy Law requires Huawei Cloud to collect and maintain records of certain information relating to the Customer, the Customer will use the controls and functionalities provided by Huawei Cloud to supply such information and keep it accurate and up-to-date. Huawei Cloud may make any such information available to the Supervisory Authorities if required by the Applicable Privacy Law.

13. ENTIRE AGREEMENT

This DPA incorporates SCCs (Module 4) by reference. This DPA also incorporates SCHEDULE 1 Security Measures, attached hereto.

14. HIERARCHY

Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the Parties, including the Agreement and this DPA, this DPA prevails. If there is a conflict between this DPA and the SCCs (Module 4), the SCCs prevail.

15. GOVERNING LAW AND JURISDICTION

In consideration of the mutual obligations in this DPA, the Parties agree that this DPA is subject to the governing law and jurisdiction set out in the Agreement.

16. DEFINITIONS

Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

“Additional Security Controls” means security resources, features, functionality and/or controls that the Customer may use at its option and/or as it determines, including encryption, logging and monitoring, identity and access management, security scanning, and firewalls.

“Adequate Country” means (a) for data processed subject to the GDPR – the member states of the EEA or a country or territory that is the subject of an adequacy decision issued by the European Commission under Article 45(1) of the GDPR; (b) for data processed subject to the FDPA – Switzerland, or a country or territory that (i) is included in the list of states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the FDPA; (c) for data processed subject to other Applicable Privacy Law – countries or territories considered as assuring adequate protection in line with such law.

“Applicable Privacy Law” means, as applicable: (a) the GDPR; and/or (b) the FDPA; and/or (c) the Serbian DP Law; and/or (d) the Ukrainian DP Law, and other data protection or privacy laws in force in the member states of the EEA and/or Switzerland, Serbia or Ukraine, and any legislation and/or regulation which amends, replaces, re-enacts or consolidates any of them, relating to the processing of Customer Data under this DPA and the Agreement.

“Customer Data” means personal data contained in Your Content.

“EEA” means the European Economic Area.

“End User” means any person the Customer allows to access and use the Services and/or Your Content.

“FDPA” means the Swiss Federal Data Protection Act of 19 June 1992 and the new Swiss Act on Federal Data Protection of 25 September 2020.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). A reference to the particular GDPR provisions also relates to the respective provisions of Applicable Privacy Law that provide for substantially similar rights or obligations in the respective provisions of the GDPR.

“SCCs” or “Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to third countries adopted by the European Commission implementing decision (EU) 2021/914 of 4 June 2021.

“SCCs (Module 2)” means the terms of the Standard Contractual Clauses Module Three: Transfer controller to processor, available at: https://www.huaweicloud.com/eu/declaration/dpa-scc-cp.html.

“SCCs (Module 3)” means the terms of the Standard Contractual Clauses Module Three: Transfer processor to processor, available at: https://www.huaweicloud.com/eu/declaration/dpa-scc-pp.html.

“SCCs (Module 4)” means the terms of the Standard Contractual Clauses Module Four: Transfer processor to controller, available at: https://www.huaweicloud.com/eu/declaration/dpa_scc_pc.html.

“Security Measures” means technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in SCHEDULE 1 to this DPA.

“Serbian DP Law” means the Serbian Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No. 87/2018).

“Sub-Processor” means a third party engaged by Huawei Cloud and authorized as another processor to have logical access to and process Customer Data in order to provide parts of the Services.

“Sub-Processors List” means a list of approved Sub-Processors available at: https://www.huaweicloud.com/eu/declaration/dpa_spl.html. Huawei Cloud will only provide services from some or all of the Sub-Processors specified by the customers.

“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the GDPR; and/or (b) the “Commissioner” as defined in the FDPA.

“Third Country” means a country that is not an Adequate Country.

“Ukrainian DP Law” means the Law of Ukraine on Personal Data Protection as of 1 June 2010 No. 2297-VI (as amended) and subordinate legislation adopted thereunder.

“Your Content” means Your Content as defined in the Agreement.

In addition, the terms “personal data”, “personal data breach”, “data subject”, “processing”, “controller” and “processor” have the meanings given to them in the Applicable Privacy Law.

 

SCHEDULE 1 – SECURITY MEASURES

Huawei Cloud:

  1. uses a range of technologies, such as cryptographic technologies, to ensure the confidentiality of data in transmission, and implements trusted protection mechanisms to protect data and data storage servers from attacks.
  2. deploys access control mechanisms to ensure that only authorized personnel can access personal data, controls the number of authorized personnel, and implements hierarchical permission management on them based on service requirements and personnel levels.
  3. strictly selects business partners and service providers and incorporates personal data protection requirements into commercial contracts, audits, and appraisal activities.
  4. holds security and privacy protection training courses, tests, and publicity activities to raise employees' personal data protection awareness.
  5. uses a range of technologies such as an access control system, CCTV system and infrared system to ensure the physical security of the data centers covering the data center campus, building, facility system and cabinet unit.
  6. clearly defines and assigns cyber security roles and responsibilities, and implements separation of duties (SOD) based on a risk assessment to reduce risks.
  7. implements appropriate O&M security management and technical measures, including identity authentication and access control, change and event management, vulnerability management, and configuration management, to ensure that O&M meets its security requirements.
  8. develops vulnerability management policies, evaluation standards, and management processes to manage security vulnerabilities throughout the lifecycle. In addition, HUAWEI CLOUD regularly runs vulnerability scanning programs to detect potential security vulnerabilities and promptly take countermeasures.
  9. engages qualified independent third-party organizations to perform security audits every year. HUAWEI CLOUD may update the security certifications or audit reports at any time.

 

Updated: January 24, 2024

 

You can see what is updated in Data Processing Addendum History Version.