Prior Notification | Choice and Consent | Data Minimization
-
Prior Notification
If we need to collect your personal data as you interact with Huawei Cloud, before collecting any data, we will inform you about the types of data we collect, the purposes, how we process your data, and the data retention period, as stated in our Privacy Statement.
For cloud services that involve personal data processing, Huawei Cloud provides a list of the personal data it needs to collect and process and states the purposes, scopes, and methods of data processing in the user documentation, helping you evaluate regulatory compliance risks and the adequacy of the data protection measures in place. You can configure your own user privacy notifications for certain cloud services based on relevant compliance requirements.
-
Choice and Consent
Huawei Cloud collects personal data only for purposes you have agreed to, or for legitimate purposes such as contract fulfillment.
As stated in our Privacy Statement, you can change the scope of the personal data that you allow us to collect and withdraw your consent. However, your decision to withdraw consent or authorization will not affect the lawfulness of processing based on consent before its withdrawal.
You can contact us to exercise your rights as the data subject. For details, see section "How to Contact Huawei Cloud" in our Privacy Statement.
-
Data Minimization
We take appropriate measures to ensure we only collect data that is necessary for us to provide services to you.
Privacy by Design (PbD) for Personal Data Collection
Access Control | Encryption in Transit and at Rest | Storage Limitation | Log Audit
-
Access Control
Access control and permission management are basic methods of data protection.
Huawei Cloud implements stringent access control policies for personal data stored on its platform. To ensure personal data security, Huawei Cloud centrally manages personal data access, authentication, authorization, storage, and audit.
A hierarchical, fine-grained permission control system is implemented, whereby different permissions are assigned to personnel of different levels, ensuring all personnel with access to personal data are granted only the permissions necessary to fulfil assigned roles and responsibilities. All cloud services are required to integrate Identity and Access Management (IAM) and verify user identities and permissions before allowing access.
-
Encryption in Transit and at Rest
Huawei Cloud uses cryptographic techniques to ensure the confidentiality of personal data, whether it is in transit or at rest, and employs proven protection mechanisms to fend off malicious attacks on servers that store personal data.
1) Encryption of data at rest:
By default, cloud services encrypt customers' sensitive or personal data (if any) and all data transmitted over untrusted networks. Some cloud services allow customers to configure whether and how to encrypt data. For example, Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS), and Relational Database Service (RDS) all provide server-side encryption, where highly secure algorithms are used to encrypt data at rest.
Huawei Cloud also provides encryption management services, such as Data Encryption Workshop (DEW), which you can use to easily manage data encryption.
2) Encryption of data in transit:
Huawei Cloud services are made publicly available via standard RESTful APIs, and all data in transit is encrypted using Transport Layer Security (TLS).
When you provide web services over the Internet, you can use the certificate management service that Huawei Cloud provides in partnership with the world's most trusted certificate authorities (CAs). By configuring certificates for your websites, you can implement trusted user authentication and secure transmission through encryption protocols.
If your workloads are deployed in a hybrid cloud structure across national borders, you can use Huawei Cloud's Virtual Private Network (VPN) and Direct Connect to enable interconnection and secure data transmission across different countries and territories.
-
Storage Limitation
We will retain your personal data for as long as needed to fulfill the purposes stated in our Privacy Statement, unless the retention period needs to be extended as required by relevant laws and regulations. The retention period may vary depending on the data processing purpose and related services.
Generally, after you withdraw your consent or cancel your account, Huawei Cloud will continue to retain your personal data until the retention period ends, in accordance with applicable laws and regulations or service agreements. When the retention period ends and no laws or regulations require us to continue processing your personal data, we will delete your personal data or anonymize it according to applicable laws and regulations.
-
Log Audit
Traceability is a basic principle of Huawei Cloud's personal data protection, and logging is a basic feature of all Huawei Cloud services. You can use the logging function of the Huawei Cloud services you use or use Cloud Trace Service (CTS) together with this logging function to collect enough data for log auditing in accordance with relevant regulatory compliance requirements.
Huawei Cloud regularly reviews and audits logs to check the necessity and legal compliance of all personal data-related operations.
Secure Use, Retention, and Disposal of Personal Data
Lawful Disclosure of Personal Data
-
Lawful Disclosure of Personal Data
Huawei Cloud may subcontract data processing to a service provider via a data processing agreement. In this case, Huawei Cloud will conduct due diligence and carefully assess the provider's data protection capabilities. We will stipulate the service provider's data protection obligations and requirements as a processor/subprocessor according to applicable laws and regulations in the data processing agreement, ensuring that the data processor fulfills their obligations. For other situations where Huawei Cloud may disclose data to third parties as required by applicable laws and regulations, see our Privacy Statement.
Disclosure to Third Parties
Region-based Service Provisioning | Cross-border Data Transfer Based on Agreements or Consent
-
Region-based Service Provisioning
In order to provide the Services to you, we may store your personal data in countries/regions where Huawei Cloud, Huawei Cloud’s affiliate companies, or Huawei Cloud’s service providers or subcontractors are located. This means your personal data may be transferred to countries or regions outside the places where you are located or where we collect your personal data, and be accessed and stored in those jurisdictions.
These regions may have different or no data protection laws. In such cases, Huawei Cloud will ensure your personal data receives equivalent or higher protection after the transfer in accordance with applicable laws and regulations. For example, Huawei Cloud will ask for your consent or anonymize your personal data before any cross-border transfer.
The Huawei Cloud website includes information about the availability of Huawei Cloud's global infrastructure and service catalog in each region. You need to select the right region when signing up for Huawei Cloud services.
-
Cross-border Data Transfer Based on Agreements or Consent
Huawei Cloud has data centers in many countries and regions around the world. If data needs to be transferred across borders for reasons such as operations and maintenance or technical support, the transfer will be conducted in a manner that strictly complies with local laws and regulations and will be subject to stringent internal reviews. For example, cross-border data transfer is allowed only after a data transfer agreement is signed or the data subject's explicit consent is obtained. This ensures personal data is processed lawfully, fairly, and transparently.
Cross-border Data Transfer
Response to Data Subject Requests (DSR) | Prompt Reporting of and Response to Personal Data Breaches and Security Incidents
-
Fast DSR Response
According to applicable laws and regulations in many countries and regions where Huawei Cloud operates, data subjects have the right to request the data controller to allow them to access, correct, and delete their personal data.
Huawei Cloud provides convenient DSR channels and has a professional DSR response team. Upon receiving a DSR, the team handles the request within the specified time and promptly sends the result back to the data subject. You can submit a DSR to us through the Personal Data Management Request page on the Huawei Cloud website.
-
Prompt Reporting of and Response to Personal Data Breaches and Security Incidents
To ensure prompt response to security incidents such as personal data breaches, damage, or loss, Huawei Cloud has developed comprehensive regulations and rules that specify how to classify and grade security incidents and vulnerabilities as well as the standard response procedures.
Huawei Cloud has an emergency response team for security incidents. Guided by preset regulations and standard procedures, they work with other teams and departments to handle loss prevention, problem diagnosis, and remediation.
Huawei Cloud also has a professional data protection team that informs customers about personal data breaches in compliance with applicable laws and regulations and executes emergency response and recovery plans to alleviate the impact of such incidents.
Protection of Data Subject Rights