Huawei Cloud Data Processing Terms

Huawei Cloud Data Processing Terms

These Huawei Cloud Data Processing Terms ("Data Processing Terms") forms a part of the Huawei Cloud related agreements, with which it is incorporated by reference (including reference in a URL) (“Agreement”), in particular the Cloud Marketplace Seller Agreement (“Marketplace Agreement”) or the Huawei Cloud Partner Network Certification Agreement (“HCPN Agreement”), as updated from time to time, between Sparkoo Technologies Ireland Co., Limited (“Huawei Cloud”, “we”, “us” and “our”) and the entity you represent, or you individually if you don’t designate an entity in connection with the Account and Services provided by us (“you”).

All capitalised terms used in these Data Processing Terms have the meanings given to them in the Agreement, as well as in Section 7 of these Data Processing Terms.

1. Personal Data processed by us. We handle your Personal Data, Personal Data of your personnel and representatives and any other Personal Data we receive from you or otherwise collect during the performance of the Agreement as their independent controller, in accordance with our Privacy Statement.

2. Personal Data Processed by you. You represent and warrant that all Personal Data you collect from or about the Customer or End Users (and their personnel and representatives) (“Data Subjects”) in connection with the performance of the Agreement, which includes Personal Data we share with you, will be collected, used, disclosed and/or otherwise processed: (a) in compliance with all Applicable Data Protection Law, and (b) that you will handle, use, and process such Personal Data only for the purpose for which it is collected and provided, and (c) in accordance with your privacy policy/statement provided to Data Subjects, and (d) other applicable documents (such as cybersecurity and data protection and privacy protection policies and/or procedures sufficient to ensure compliance with Applicable Data Protection Law; and Huawei Cloud’s cybersecurity and data protection and privacy policies and procedures as issued and updated from time to time). You acknowledge and agree that you will be solely responsible for the above-described processing of Personal Data and for any loss and liability if you violate any Appliable Data Protection Law, and will indemnify and hold Huawei Cloud and its Affiliates harmless from and against any losses, costs damages, penalties and liabilities arising out of or in connection with such violation.

3. Personal Data Provided by you. If you provide any Personal Data to Huawei Cloud, you represent and warrant: (a) the sharing of Personal Data with Huawei Cloud complies with all Applicable Data Protection Law and your privacy policy/statement provided to the Data Subject, (b) in accordance with the Applicable Data Protection Law (in particular on the basis of a legitimate interest or, if applicable and necessary, consents that you obtained) it is lawful for you to share such Personal Data with Huawei Cloud, and to use and process such Personal Data by Huawei Cloud for the purposes described in the Privacy Statement in connection with the performance of the Agreement; and (c) you are in compliance with Huawei Cloud’s privacy standards, policies, and statements as issued and updated from time to time. As reasonably requested, you will provide evidence of the above and assist Huawei Cloud in responding to any inquiry regarding such Personal Data.

4. Role. Except for situations where Huawei Cloud processes Personal Data on your behalf, Huawei Cloud is an independent controller for Personal Data processed for Huawei Cloud’s own purposes, and you are an independent controller for Personal Data processed for your own purposes. To avoid any doubt, in connection with the performance of the Agreement you and Huawei Cloud hereby clarify and agree that you and Huawei Cloud are not joint controllers, as defined in the Applicable Data Protection Law, of the Personal Data that each independently processes.

5. Processing of Personal Data on your behalf. If Huawei Cloud provides you with Services which require that we process Personal Data on your behalf we shall:

a. process Personal Data only on your written instructions, unless required to do so by European Union law or the law of the Member State to which Huawei Cloud is subject. In such a case, Huawei Cloud shall inform you of that legal requirement before processing, unless the law prohibits this on important grounds of public interest;

b. take all technical and organizational measures as required by Article 32 of the GDPR;

c. assist you, as may be reasonably required, in order for you to comply with your obligation to respond to a request received from data subjects pursuant to the GDPR;

d. notify you immediately of any request received from an individual without responding to that request, unless Huawei Cloud has been authorized in writing by you to do so;

e. have your general authorization for the engagement of sub-processors from an agreed list. Huawei Cloud shall inform you by updating the agreed list, within reasonable time, in advance, of any intended changes of that list through the addition or replacement of sub-processors, by updating the agreed list of sub-processors, thereby giving you 7 days to be able to object to such changes prior to the engagement of the sub-processor(s) concerned;

f. upon termination of this Agreement, at your option, either return the Personal Data to you or delete the Personal Data;

g. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

h. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Huawei Cloud;

i. upon your written request and with restrictions on disclosing the information, Huawei Cloud will make available to you documents, e.g. third party reports/ certifications and/or other equivalent documents, to demonstrate Huawei Cloud’s compliance with the obligations herein, which is deemed to have satisfied your request for exercising the right to conduct an audit or inspection;

j. inform you if, in our opinion, an instruction infringes the Applicable Data Protection Law.

6. Transfer of Personal Data to third countries. If you are located outside the European Economic Area or an Adequate Country, and we share Data Subjects’ data with you, the SCCs with Huawei Cloud are concluded by reference with the options and optional modules selected as follows:

a. All Sections: Module ONE (Transfer controller to controller) where the Clause or its part is mandatory

1)Section IV, Clause 17: OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

2)Section IV, Clause 18(b): The Parties agree that those shall be the courts of Ireland.

b. All Sections: Module FOUR (Transfer processor to controller), where the Clause or its part is mandatory

1)Section III, Clause 14 and Clause 15: Applicable where Huawei Cloud combines the Personal Data received from you with Personal Data collected by Huawei Clouds in the EEA.

2)Section IV, Clause 17: These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

3)Section IV, Clause 18: Any dispute arising from these Clauses shall be resolved by the courts of Ireland.

c. For the purpose of the SCC, Huawei Cloud will be the data exporter and you are the data importer.

d. Annex I and Annex II to the Data Processing Terms will form part of the SCCs respectively as its Annexes I and II for Module ONE and Annex I for Module FOUR.

7. Definitions. All capitalised terms used in these Data Protection Terms and not defined in the Agreement shall have the following meaning:

a. “Adequate Country” a country recognized by the European Commission as ensuring an adequate level of personal data protection.

b. “Applicable Data Protection Law” means any statutes, regulations, orders, regulatory requirements, bylaws, ordinances, rules, subordinate legislation and other similar legal instruments in force from time to time relating to data protection, data security, privacy, and/or the collection, use, disclosure and/or processing of Personal Data, including but not limited to the GDPR and local implementation of the ePrivacy Directive.

c. “GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

d. “Personal Data” means any information relating to an identified or an identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

e. “Services means services provided by Huawei Cloud, in particular the Marketplace and / or Huawei Cloud Partner Network, HCPN Program, HCPN Resource.

f. “SCC” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

g. “Privacy Statement” means the Huawei Cloud Privacy Statement located at https://www.huaweicloud.com/eu/declaration/sa_prp.html as may be updated by us from time to time.

 

 

Capitalized terms used but not defined in these Annexes have the meanings given to them in the Huawei Cloud Data Processing Terms.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1. Name: Huawei Cloud

Address: As specified in the Agreement.

Contact person’s name, position and contact details: The contact details of the data exporter are specified in the Agreement.

Activities relevant to the data transferred under these Clauses: Provision of Services in accordance with the Agreement.

Signature and date: The Parties agree that the execution of the Agreement by the data importer and the data exporter will constitute the execution of these Clauses by both Parties.

Role (controller/processor): Controller for Module ONE and processor for Module FOUR.

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

1. Name: You

Address: As specified in the Agreement.

Contact person’s name, position and contact details: The contact details of the data exporter are specified in the Agreement

Activities relevant to the data transferred under these Clauses: Provision of Services in accordance with the Agreement.

Signature and date: The Parties agree that the execution of the Agreement by the data importer and the data exporter will constitute the execution of these Clauses by both Parties.

Role (controller/processor): Controller for both Module ONE and Module FOUR.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data Subjects

Categories of personal data transferred

The categories of personal data transferred are data relating to Data Subjects, including identification data, contact data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal Data may be transferred on a continuous basis until they are deleted in accordance with the terms of the Agreement.

Nature of the processing

The nature and purpose of the processing is related to provision of the Services under the Agreement.

Purpose(s) of the data transfer and further processing

The nature and purpose of the processing is related to provision of the Services under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The data importer will retain Personal Data for the term of the Agreement, the period necessary to provide Services, and for the period specified under relevant laws applicable to data importer.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The above description of subject matter, nature and duration of the processing shall apply.

C. COMPETENT SUPERVISORY AUTHORITY (APPLICABLE TO MODULE ONE)

Identify the competent supervisory authority/ies in accordance with Clause 13

Irish Data Protection Commissioner.

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Huawei Cloud

(1)   Uses a range of technologies such as cryptographic technologies to ensure the confidentiality of data in transmission, and implements trusted protection mechanisms to protect data and data storage servers from attacks.

(2)   Deploys access control mechanisms to ensure that only authorized personnel can access Personal Data, controls the number of authorized personnel and implements hierarchical permission management on them based on service requirements and personnel levels.

(3)   Strictly selects business partners and service providers and incorporate personal data protection requirements into commercial contracts, audits, and appraisal activities.

(4)   Holds security and privacy protection training courses, tests, and publicity activities to raise employees' personal data protection awareness.

(5)   Uses a range of technologies such as access control system, CCTV system and infrared system to ensure the physical security of the data centres covering data centre campus, building, facility system and cabinet unit.

(6)   Clearly defines and assigns cyber security roles and responsibilities, and implements separation of duties (SOD) based on risk assessment to reduce risks.

(7)  Implements appropriate O&M security management and technical measures, including identity authentication and access control, change and event management, vulnerability management, and configuration management, to ensure that O&M meets its security requirements.

(8)   Develops vulnerability management policies, evaluation standards, and management processes to manage security vulnerabilities throughout the lifecycle. In addition, HUAWEI CLOUD regularly runs vulnerability scanning programs to detect potential security vulnerabilities and promptly take countermeasures.

(9)   Engages qualified independent third-party organizations to perform security audits every year. HUAWEI CLOUD may update the security certifications or audit reports at any time.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Updated: September 17, 2022