Data Processing Addendum History Version
V1001 July 2023
This Huawei Cloud Data Processing Addendum ("DPA") forms a part of the Huawei Cloud agreement to which it is incorporated by reference (including reference in a URL), as updated from time to time, ("Agreement") between Huawei Cloud Contracting Party as defined in Section 15.4 of the Agreement (“Huawei Cloud”, “we”, “us” and “our”) and the entity you represent or you individually if you do not designate an entity in connection with the Account and Services (“Customer”, “you” or “your”).
All capitalized terms used in this DPA have the meanings given to them in Section 15 of this DPA or the meaning given to them in the Agreement.
1. ROLES OF THE PARTIES
1.1 Customer as a controller. If the Customer is a controller of that Customer Data under Applicable Data Protection Law:
1.1.1 the subject-matter and details of the processing are described in Section 2;
1.1.2 Huawei Cloud is a processor of that Customer Data under Applicable Data Protection Law;
1.1.3 each party will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of that Customer Data.
1.2 Customer as a processor. If the Customer is a processor of that Customer Data under Applicable Data Protection Law, then Sections 1.1 – 1.1.3 apply and, in addition, the Customer:
1.2.1 warrants on an ongoing basis that the relevant controller has authorized: (i) the instructions from the relevant controller, (ii) the Customer’s appointment of Huawei Cloud as another processor, and (iii) Huawei Cloud’s engagement of Sub-Processors as described in Section 8;
1.2.2 will immediately forward to the relevant controller any notice that was provided by Huawei Cloud under this DPA;
1.2.3 may make available to the relevant controller any information made available by Huawei Cloud under this DPA.
1.3 Controller requests. During the term of this DPA, if Huawei Cloud receives a request or instruction from a third party purporting to be a controller of Customer Data, Huawei Cloud will advise the third party to contact the Customer.
2. DESCRIPTION OF PROCESSING
2.1 Subject-matter. The subject-matter of the processing is the provision of the Services to the Customer by Huawei Cloud.
2.2 Duration. The duration of the processing will be the term of the Agreement plus the period from the end of the term of the Agreement until the deletion of all Customer Data in accordance with this DPA.
2.3 Nature and purpose of the processing. The nature and purpose of the processing is computing, storage and other cloud services available on the Huawei Cloud network to ensure the Customer’s access to and use of the Services under the Agreement.
2.4 Types of personal data. The types of personal data are data relating to individuals about whom data is provided to Huawei Cloud via the Services by (or at the direction of) the Customer or by End Users.
2.5 Categories of data subjects. The categories of data subjects include individuals about whom data is provided to Huawei Cloud via the Services by (or at the direction of) the Customer or by End Users, in particular the Customer’s (i) employees, (ii) suppliers, (iii) End Users, (iv) clients.
3. LAWFULNESS OF PROCESSING
3.1 Lawfulness. Each Party will comply with Applicable Data Protection Law in relation to the performance of this DPA. Each Party will be able to demonstrate such compliance.
3.2 Information. Huawei Cloud will make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA.
3.3 Customer’s instructions. The parties agree that this DPA and the Agreement (including the Customer providing instructions via the configuration tools and APIs made available by Huawei Cloud for the Services via the Account) constitute the Customer’s documented instructions regarding Huawei Cloud’s processing of Customer Data (“Instructions”). Huawei Cloud will process Customer Data only in accordance with the Instructions.
3.4 Notification. Taking into account the nature of the processing, the Customer agrees that it is unlikely that Huawei Cloud can form an opinion on whether Instructions infringe Applicable Data Protection Law. However, if Huawei Cloud forms such an opinion, Huawei Cloud will immediately notify the Customer if, in Huawei Cloud’s opinion: (a) Applicable Data Protection Law prohibits Huawei Cloud from complying with the Instructions; (b) the Instructions do not comply with Applicable Data Protection Law; or (c) Huawei Cloud is otherwise unable to comply with the Instructions, in each case unless such notice is prohibited by Applicable Data Protection Law. This Section does not limit and is without prejudice to either party’s rights and obligations elsewhere in the Agreement.
3.5 Scope of Instructions. As a processor, Huawei Cloud will process Customer Data as necessary to provide, secure and monitor the Services, and will not collect, use, retain, access, share, sell, transfer, or otherwise process Customer Data for any purpose not related to providing such Services, for any purpose other than as set out in the Agreement, this DPA or otherwise required by Applicable Data Protection Law.
4. CONFIDENTIALITY
4.1 Personnel. Huawei Cloud will ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Disclosure. Without prejudice to Sections 5 and 8 below, Huawei Cloud will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order by a competent public authority (such as a subpoena or court order). If Huawei Cloud is summoned by the competent public authorities to disclose Customer Data, Huawei Cloud will try to redirect such summons to the Customer. This may include providing the Customer’s basic contact information to the competent public authority. If Huawei Cloud is legally obliged to disclose Customer Data to a competent public authority, Huawei Cloud will provide, to the extent permitted by applicable laws, the Customer with reasonable notice of the order to allow the Customer to take necessary remedies, unless Huawei Cloud is legally prohibited from doing so.
5. SECURITY AND SECURITY ASSISTANCE
5.1 Security Measures. Huawei Cloud will implement and maintain the Security Measures. The Security Measures include measures to encrypt personal data; to help ensure the ongoing confidentiality, integrity, availability and resilience of Huawei Cloud’s systems and services; to help restore timely access to personal data following an incident; and to test effectiveness regularly. Huawei Cloud may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Services.
5.2 Access to Customer Data. Huawei Cloud will (a) authorize its employees, contractors and Sub-Processors to access Customer Data only as strictly necessary to comply with Instructions; and (b) take appropriate steps to ensure that its employees, contractors and Sub-Processors comply with the Security Measures to the extent applicable to their scope of performance.
5.3 Additional Security Controls. Huawei Cloud will make Additional Security Controls available to: (a) allow the Customer to take steps to secure Customer Data; and (b) provide the Customer with information about securing, accessing and using Customer Data.
5.4 Security Assistance. Huawei Cloud will assist the Customer in ensuring compliance with its obligations pursuant to the Applicable Data Protection Law, taking into account the nature of the processing of Customer Data and the information available to Huawei Cloud, by:
5.4.1 implementing and maintaining the Security Measures in accordance with Sections 5.1 and 5.2 and SCHEDULE 1;
5.4.2 making Additional Security Controls available to the Customer in accordance with Section 5.3;
5.4.3 complying with the terms of Section 6;
5.4.4 providing the Customer with additional reasonable cooperation and assistance, at the Customer’s request, if subsections 4.1 - 5.4.3 above are insufficient for the Customer (or the relevant controller) to comply with such obligations. Any reasonable costs incurred by Huawei Cloud in complying with this Section will be borne solely by the Customer.
5.5 Customer’s Security Responsibilities. Without prejudice to Huawei Cloud’s obligations under Sections 1 - 5.4, Section 6 and elsewhere in the DPA or the Agreement, the Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside Huawei Cloud’s or Sub-Processors’ systems, including:
5.5.1 using the Services and Additional Security Controls to ensure a level of security appropriate to the risk to the Customer Data;
5.5.2 securing the Account authentication credentials, systems and devices the Customer uses to access the Services; and
5.5.3 backing up its Customer Data as appropriate.
6. PERSONAL DATA BREACH
6.1 Notification. Huawei Cloud will notify the Customer without undue delay after becoming aware of a personal data breach. Such notification(s) will be delivered using the contact information provided by the Customer by any means Huawei Cloud selects, including but not limited to email and SMS. It is the Customer’s sole responsibility to ensure that the Customer’s administrators/personnel maintain accurate contact information in the Account at all times.
6.2 Assistance. In case of a personal data breach, Huawei Cloud will assist the Customer in ensuring compliance with the obligations pursuant to the Applicable Data Protection Law, taking into account the nature of the processing and the information available to Huawei Cloud.
7. OTHER ASSISTANCE
7.1 Compliance. In addition to the assistance obligations under Section 5 above, Huawei Cloud will assist the Customer in ensuring compliance with its obligations pursuant to the Applicable Data Protection Law, taking into account the nature of the processing of Customer Data and the information available to Huawei Cloud.
7.2 Data subject rights. Huawei Cloud, taking into account the nature of the processing, will assist the Customer in fulfilling its obligations to respond to data subjects’ requests to exercise their rights as laid down in the Applicable Data Protection Law. Huawei Cloud offers the Customer, via the functionalities of the Account, the possibility to take actions necessary to respond to any data subject request related to Customer Data. The assistance required under the Applicable Data Protection Law (if applicable) from Huawei Cloud is satisfied by offering the functionalities of the Account, and because Huawei Cloud will forward data subjects’ requests received to the Customer.
7.3 Data subject requests. Huawei Cloud, using commercially reasonable efforts, will promptly forward to the Customer any request it has received from a data subject. Huawei Cloud will not respond to the request itself unless instructed to do so by the Customer. Any reasonable costs incurred by Huawei Cloud in complying with this Section will be borne solely by the Customer.
8. SUB-PROCESSING
8.1 General authorization. The Customer agrees that Huawei Cloud may engage Sub-Processors for carrying out specific processing activities on behalf of the Customer from the Sub-Processors List, valid and complete as of the day of conclusion of the Agreement. Sub-processors relevant to an individual Customer will depend on the Huawei Cloud Region the Customer selects and the particular Huawei Cloud services that the Customer uses.
8.2 Changes to the Sub-Processors List. Huawei Cloud will make available to the Customer information of any intended changes to the Sub-Processors List including the identity and the general location of the Sub-Processor in advance by updating the Sub-Processors List and sending notice to the Customer.
8.3 Objection to changes. The Customer has a right to object to changes to the Sub-Processors List within 30 days, in which case the Customer may move the relevant Customer Data to another region, terminate the Agreement, or cease using the relevant Service so that the objected Sub-Processor is not engaged in the processing of that Customer Data. The Customer’s right to object is without prejudice to any rights and/or obligations of the Customer under the Agreement, in particular as regards payments.
8.4 Obligations regarding Sub-Processors. Where Huawei Cloud engages a Sub-Processor as set out in Sections 1 or 8.2, Huawei Cloud will:
8.4.1 ensure via a written contract that:
8.4.1.1 the Sub-Processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA); and
8.4.1.2 the data protection obligations described in this DPA (as referred to in the Applicable Data Protection Law, if applicable) are imposed on the Sub-Processor; and
8.4.2 remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processor.
9. DATA TRANSFERS
9.1 Data storage and processing facilities. Customer Data may be processed in any country in which Huawei Cloud or its Sub-Processors maintain facilities. You can see the regions/countries in which Huawei Cloud data centers are located at: https://www.huaweicloud.com/intl/en-us/declaration-sg/dpa_ie.html (as may be updated by Huawei Cloud from time to time).
9.2 Data location selection. The region in which Customer Data will be processed can be specified by the Customer. Any transfer of the Customer Data from the Customer’s selected region(s) can be done by Huawei Cloud only if: (a) this is necessary to provide the Services requested by the Customer, in particular to investigate a security incident or violation of the Agreement, or (b) as necessary to comply with applicable laws and regulations or a binding order issued by a court or competent public authority.
9.3 Transfers to Adequate Countries. The parties acknowledge that Applicable Data Protection Law does not require Data Transfer Agreement in order for Customer Data to be processed in or transferred to an Adequate Country.
9.4 Transfers to Third Countries. A Data Transfer Agreement (in the form as set out in SCHEDULE 2 to this DPA) will be entered into with transferees residing in Third Countries.
10. RETURN OR DELETION OF PERSONAL DATA
10.1 Return or Deletion of Personal Data. Via the functionalities of the Account, Huawei Cloud will provide the Customer with the ability to delete Customer Data in its entirety at any time, subject to the terms of the Agreement, unless the Applicable Data Protection Law requires storage of the Customer Data. Huawei Cloud will delete Customer Data if required by the Customer, or the Customer closes its Account, or as otherwise described in the Agreement (e.g., upon termination of an extended and/or retention period).
10.2 Deletion authorization. The Customer is entitled to instruct Huawei Cloud to delete all Customer Data.
11. DOCUMENTATION
11.1 Processing records. Huawei Cloud will keep appropriate documentation of its processing activities as required by the Applicable Data Protection Law. To the extent the Applicable Data Protection Law requires Huawei Cloud to collect and maintain records of certain information relating to the Customer, the Customer will use the controls and functionalities provided by Huawei Cloud to supply such information and keep it accurate and up-to-date. Huawei Cloud may make any such information available to the Supervisory Authorities if required by the Applicable Data Protection Law.
12. ENTIRE AGREEMENT
This DPA incorporates SCHEDULE 1 Security Measures and SCHEDULE 2 Data Transfer Agreement, attached hereto.
13. HIERARCHY
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the Parties, including the Agreement and this DPA, this DPA prevails.
14. GOVERNING LAW AND JURISDICTION
In consideration of the mutual obligations in this DPA, the Parties agree that this DPA is subject to the governing law and jurisdiction set out in the Agreement.
15. DEFINITIONS
Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
- “Additional Security Controls” means security resources, features, functionality and/or controls that the Customer may use at its option and/or as it determines, including encryption, logging and monitoring, identity and access management, security scanning, and firewalls.
- “Adequate Country” means in respect of data processed subject to the Applicable Data Protection Law, countries or territories considered as assuring adequate protection under the Applicable Data Protection Law.
- “Applicable Data Protection Law” means the legislation protecting an individual’s right to privacy with respect to the processing of personal data applicable to an organization, including but not limited to the Personal Data Protection Act 2012 of Singapore, including its regulations and the guidelines issued by Personal Data Protection Commission Singapore (“PDPC”) from time to time.
- “Customer Data” means personal data contained in Your Content.
- “End User” means any person the Customer allows to access and use the Services and/or Your Content.
- “Data Transfer Agreement” means the terms to govern the cross-border transfer of the Personal Data and to ensure that such transfer is in accordance with Applicable Data Protection Law as described in SCHEDULE 2 to this DPA.
- “Security Measures” means technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in SCHEDULE 1 to this DPA.
- “Sub-Processor” means a third party engaged by Huawei Cloud and authorized as another processor to have access to and process Customer Data in order to provide parts of the Services.
- “Sub-Processors List” means a list of approved Sub-Processors available at: https://www.huaweicloud.com/intl/en-us/declaration-sg/dpa_spl.html.
- “Supervisory Authority” means the competent authority constituted under Applicable Data Protection Law to supervise the regulatory framework in respect of personal data, such as the PDPC.
- “Third Country” means a country that is not an Adequate Country.
- “Your Content” means Your Content as defined in the Agreement.
In addition, the terms “personal data”, “personal data breach”, “data subject”, “processing”, “controller” and “processor” have the meanings given to them in the Applicable Data Protection Law.
SCHEDULE 1 – SECURITY MEASURES
Huawei Cloud:
- Sets up a privacy protection organization to identify and manage personal data protection risks.
- Adopts strict data security and personal data protection policies, in accordance with the risk of the categories of data processed. Develops security breach response and data breach process to reduce privacy and security risks brought by personal data breaches and guide relevant departments to handle personal data in compliance with laws and regulations.
- Holds security and privacy protection training courses, tests, and publicity activities to raise employees' personal data protection awareness.
- Takes a range of measures such as an entrance and exit control, entrance guard systems and CCTV system to ensure the physical security of the data centers to prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.
- Deploys access control mechanisms and implements hierarchical permission management on them based on service requirements and personnel levels to ensure that only authorized personnel can access personal data.
- Clearly defines and assigns cyber security roles and responsibilities, and implements separation of duties (SOD) based on a risk assessment to reduce risks to prevent data processing systems from being used by unauthorized persons.
- Encrypts and pseudonymises personal data, as appropriate, using recommended industry standard protocols to prevent data breach and unauthorized access.
- Degausses the discarded storage media before returning to the warehouse to ensure that software-based overwriting shall be performed on media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.), physical destruction shall be performed.
- Implements appropriate O&M security management and technical measures, including identity authentication and access control, change and event management, vulnerability management, configuration management, event logging, and continuously monitors cyber security events and threats, detects exceptions in a timely manner, and proactively takes measures to deal with them to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons.
- Implements protection mechanisms such as DDoS protection to protect networks from attacks, develops vulnerability management policies, evaluation standards, and management processes to manage security vulnerabilities throughout the lifecycle. In addition, regularly runs vulnerability scanning programs to detect potential security vulnerabilities and promptly take countermeasures.
- Identifies suppliers associated with data processing during the authorization phase, then signs off Data Protection Agreement (DPA) to ensure that personal data processed on behalf of the Customer can only be processed in accordance with the Customer's instructions.
SCHEDULE 2 – DATA TRANSFER AGREEMENT
1. Obligations of Data Exporter
Data Exporter agrees and warrants that:
a) it has taken reasonable efforts to ensure that the Personal Data is accurate and complete before providing the same to the Data Importer; and
b) it has communicated, and throughout the duration data processing services in respect of Personal Data are provided by the Data Importer to the Data Exporter, will communicate the data subject’s instructions to Data Importer for processing the Personal Data transferred only on behalf of the data subject and to abide by Applicable Data Protection Law and the Clauses.
2. Obligations of Data Importer
(a) Data Importer agrees and warrants:
(i) to process the Personal Data only on behalf of the data subject and in compliance with the written instructions of the data subject and the additional written instructions of Data Exporter, this Agreement and the data processing requirements set out in the DPA; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly Data Exporter of its inability to comply, in which case Data Exporter is entitled to suspend the transfer of data and/or terminate this Agreement; and
(ii) that in the event that it becomes aware of a change in the Applicable Data Protection Law or such other laws which is likely to have a substantial adverse effect on the warranties and obligations provided under the Clauses, it will promptly notify Data Exporter about the change as soon as it is aware, in which case Data Exporter is entitled to suspend the transfer of data and/or terminate this Agreement.
(b) In any event, the Data Importer shall not retain Personal Data (or any documents or records containing Personal Data, electronic or otherwise) for any period of time longer than necessary for legitimate purposes.
(c) The Data Importer shall, upon the request of Data Exporter:
(i) return to Data Exporter, all Data Exporter’s Personal Data; or
(ii) delete all Data Exporter’s Personal Data in its possession,
and, after returning or deleting all Data Exporter’s Personal Data, provide Data Exporter with written confirmation that it no longer possesses any Data Exporter’s Personal Data. Where applicable, the Data Importer shall also instruct all third parties to whom it has disclosed Data Exporter’s Personal Data pursuant to this Agreement to return to Data Exporter or delete, such Data Exporter’s Personal Data.
3. The Parties' obligations after the termination of Personal Data processing services
The Parties agree that upon termination of the provision of data processing services pursuant to the DPA, Data Importer shall return, and shall procure that any third party that received Personal Data from Data Importer returns, all the Personal Data transferred and the copies thereof to Data Exporter or shall destroy all the Personal Data and certify to Data Exporter that it has done so, unless legislation imposed upon Data Importer prevents it from returning or destroying all or part of the Personal Data transferred to it. In that case, Data Importer shall warrant that it will guarantee the confidentiality of the Personal Data transferred and that it will not actively process the Personal Data transferred anymore.
4. Description of the Transfer
The details of the transfer and of the Personal Data are specified in Annex A available at: https://www.huaweicloud.com/intl/en-us/declaration-sg/dpa_dot.html. Annex A may, if necessary, be drafted to cover multiple transfers.
5. For the contents not expressly stipulated in this Agreement, the DPA shall prevail and the terms of the DPA shall be incorporated into this Agreement by reference hereto, where expedient and necessary to do so.
Updated: July 18, 2023