To better protect the rights of data subjects and guarantee their personal data security, Huawei Cloud has developed comprehensive data protection principles and specifications covering the entire personal data lifecycle, in compliance with applicable laws and regulations, and we follow these principles and regulations in all our business activities.

Privacy by Design (PbD) for Personal Data Collection

Prior Notification | Choice and Consent | Data Minimization

  • Prior Notification

    If we need to collect your personal data as you interact with Huawei Cloud, before collecting any data, we will inform you about the types of data we collect, the purposes, how we process your data, and the data retention period, as stated in our Privacy Statement.

    If we need to collect your personal data for offline marketing events, a privacy notice will be displayed in a prominent position on our website, and each item will require your consent.

    For cloud services that involve personal data processing, Huawei Cloud provides a list of the personal data it needs to collect and process and states the purposes, scopes, and methods of data processing in the user documentation, helping you evaluate regulatory compliance risks and the adequacy of the data protection measures in place. You can configure your own user privacy notifications for certain cloud services based on relevant compliance requirements.

  • Choice and Consent

    HUAWEI CLOUD collects personal data only under purposes agreed by you, or under legitimate purposes such as contract fulfillment.

    As stated in our Privacy Statement, you can change the scope of the personal data that you allow us to collect and withdraw your consent at any time. However, your decision to withdraw consent or authorization will not affect the lawfulness of processing based on consent before its withdrawal.

    You can contact us to exercise your rights as the data subject. For details, see section "How to Contact Huawei Cloud" in our Privacy Statement.

  • Data Minimization

    We take appropriate measures to ensure we only collect data that is necessary for us to provide services to you.

Privacy by Design (PbD) for Personal Data Collection

Prior Notification | Choice and Consent | Data Minimization

Prior Notification

If we need to collect your personal data as you interact with Huawei Cloud, before collecting any data, we will inform you about the types of data we collect, the purposes, how we process your data, and the data retention period, as stated in our Privacy Statement.

If we need to collect your personal data for offline marketing events, a privacy notice will be displayed in a prominent position on our website, and each item will require your consent.

For cloud services that involve personal data processing, Huawei Cloud provides a list of the personal data it needs to collect and process and states the purposes, scopes, and methods of data processing in the user documentation, helping you evaluate regulatory compliance risks and the adequacy of the data protection measures in place. You can configure your own user privacy notifications for certain cloud services based on relevant compliance requirements.

Choice and Consent

HUAWEI CLOUD collects personal data only under purposes agreed by you, or under legitimate purposes such as contract fulfillment.

As stated in our Privacy Statement, you can change the scope of the personal data that you allow us to collect and withdraw your consent at any time. However, your decision to withdraw consent or authorization will not affect the lawfulness of processing based on consent before its withdrawal.

You can contact us to exercise your rights as the data subject. For details, see section "How to Contact Huawei Cloud" in our Privacy Statement.

Data Minimization

We take appropriate measures to ensure we only collect data that is necessary for us to provide services to you.

Secure Use, Retention, and Disposal of Personal Data

Access Control | Encryption in Transit and at Rest | Storage Limitation | Log Audit

  • Access Control

    Access control and permission management are basic methods of data protection.


    Huawei Cloud implements stringent access control policies for personal data stored on its platform. To ensure personal data security, Huawei Cloud centrally manages personal data access, authentication, authorization, storage, and audit.


    A hierarchical, fine-grained permission control system is implemented, whereby different permissions are assigned to personnel of different levels, ensuring all personnel with access to personal data are granted only the permissions necessary to fulfil assigned roles and responsibilities. All cloud services are required to integrate Identity and Access Management (IAM) and verify user identities and permissions before allowing access.

  • Encryption in Transit and at Rest

    Huawei Cloud uses cryptographic techniques to ensure the confidentiality of personal data, whether they are in transit or at rest, and employs proven protection mechanisms to fend off malicious attacks on servers that store personal data.


    1) Encryption of data at rest:

    By default, cloud services encrypt customers' sensitive or personal data (if any) and all data transmitted over untrusted networks. Some cloud services allow customers to configure whether and how to encrypt data. For example, Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS), and Relational Database Service (RDS) all provide server-side encryption, where highly secure algorithms are used to encrypt data at rest.


    Huawei Cloud also provides encryption management services, such as Data Encryption Workshop (DEW), which you can use to easily manage data encryption.


    2) Encryption of data in transit:

    Huawei Cloud services are made publicly available via standard RESTful APIs, and all data in transit is encrypted using Transport Layer Security (TLS). X.509 user certificate authentication is also used to protect web security.


    When you provide web services over the Internet, you can use the certificate management service that Huawei Cloud provides in partnership with the world's most trusted certificate authorities (CAs). By configuring certificates for your websites, you can implement trusted user authentication and secure transmission through encryption protocols.


    If your workloads are deployed in a hybrid cloud structure across national borders, you can use Huawei Cloud's Virtual Private Network (VPN), Direct Connect, and Cloud Connect to enable interconnection and secure data transmission across different countries and territories.


    For more information, see Huawei Cloud's Security White Paper and Data Security White Paper.

  • Storage Limitation

    We will retain your personal data for as long as needed to fulfill the purposes stated in our Privacy Statement, unless the retention period needs to be extended as required by relevant laws and regulations. The retention period may vary depending on the data processing purpose and related services.

    Generally, after you withdraw your consent or cancel your account, Huawei Cloud will continue to retain your personal data until the retention period ends, in accordance with applicable laws and regulations or service agreements. When the retention period ends and no laws or regulations require us to continue processing your personal data, we will delete your personal data or anonymize it according to applicable laws and regulations.

  • Log Audit

    Traceability is a basic principle of Huawei Cloud's personal data protection, and logging is a basic feature of all Huawei Cloud services. You can use the logging function of the Huawei Cloud services you use or use Cloud Trace Service (CTS) together with this logging function to collect enough data for log auditing in accordance with relevant regulatory compliance requirements.


    Huawei Cloud regularly reviews and audits logs to check the necessity and legal compliance of all personal data-related operations.

Secure Use, Retention, and Disposal of Personal Data

Access Control | Encryption in Transit and at Rest | Storage Limitation | Log Audit

Access Control

Access control and permission management are basic methods of data protection.


Huawei Cloud implements stringent access control policies for personal data stored on its platform. To ensure personal data security, Huawei Cloud centrally manages personal data access, authentication, authorization, storage, and audit.


A hierarchical, fine-grained permission control system is implemented, whereby different permissions are assigned to personnel of different levels, ensuring all personnel with access to personal data are granted only the permissions necessary to fulfil assigned roles and responsibilities. All cloud services are required to integrate Identity and Access Management (IAM) and verify user identities and permissions before allowing access.

Encryption in Transit and at Rest

Huawei Cloud uses cryptographic techniques to ensure the confidentiality of personal data, whether they are in transit or at rest, and employs proven protection mechanisms to fend off malicious attacks on servers that store personal data.


1) Encryption of data at rest:

By default, cloud services encrypt customers' sensitive or personal data (if any) and all data transmitted over untrusted networks. Some cloud services allow customers to configure whether and how to encrypt data. For example, Elastic Volume Service (EVS), Object Storage Service (OBS), Image Management Service (IMS), and Relational Database Service (RDS) all provide server-side encryption, where highly secure algorithms are used to encrypt data at rest.


Huawei Cloud also provides encryption management services, such as Data Encryption Workshop (DEW), which you can use to easily manage data encryption.


2) Encryption of data in transit:

Huawei Cloud services are made publicly available via standard RESTful APIs, and all data in transit is encrypted using Transport Layer Security (TLS). X.509 user certificate authentication is also used to protect web security.


When you provide web services over the Internet, you can use the certificate management service that Huawei Cloud provides in partnership with the world's most trusted certificate authorities (CAs). By configuring certificates for your websites, you can implement trusted user authentication and secure transmission through encryption protocols.


If your workloads are deployed in a hybrid cloud structure across national borders, you can use Huawei Cloud's Virtual Private Network (VPN), Direct Connect, and Cloud Connect to enable interconnection and secure data transmission across different countries and territories.


For more information, see Huawei Cloud's Security White Paper and Data Security White Paper.

Storage Limitation

We will retain your personal data for as long as needed to fulfill the purposes stated in our Privacy Statement, unless the retention period needs to be extended as required by relevant laws and regulations. The retention period may vary depending on the data processing purpose and related services.

Generally, after you withdraw your consent or cancel your account, Huawei Cloud will continue to retain your personal data until the retention period ends, in accordance with applicable laws and regulations or service agreements. When the retention period ends and no laws or regulations require us to continue processing your personal data, we will delete your personal data or anonymize it according to applicable laws and regulations.

Log Audit

Traceability is a basic principle of Huawei Cloud's personal data protection, and logging is a basic feature of all Huawei Cloud services. You can use the logging function of the Huawei Cloud services you use or use Cloud Trace Service (CTS) together with this logging function to collect enough data for log auditing in accordance with relevant regulatory compliance requirements.


Huawei Cloud regularly reviews and audits logs to check the necessity and legal compliance of all personal data-related operations.

Disclosure to Third Parties

Lawful Disclosure of Personal Data

  • Lawful Disclosure of Personal Data

    Huawei Cloud may subcontract data processing to a service provider via a data processing agreement. In this case, Huawei Cloud will conduct due diligence and carefully assess the provider's data protection capabilities. We will stipulate the service provider's data protection obligations and requirements as a processor/subprocessor according to applicable laws and regulations in the data processing agreement, ensuring that the data processor fulfills their obligations. For other situations where Huawei Cloud may disclose data to third parties as required by applicable laws and regulations, see our Privacy Statement .

Disclosure to Third Parties

Lawful Disclosure of Personal Data

Lawful Disclosure of Personal Data

Huawei Cloud may subcontract data processing to a service provider via a data processing agreement. In this case, Huawei Cloud will conduct due diligence and carefully assess the provider's data protection capabilities. We will stipulate the service provider's data protection obligations and requirements as a processor/subprocessor according to applicable laws and regulations in the data processing agreement, ensuring that the data processor fulfills their obligations. For other situations where Huawei Cloud may disclose data to third parties as required by applicable laws and regulations, see our Privacy Statement .

Cross-border Data Transfer

Region-based Service Provisioning | Cross-border Data Transfer Based on Agreements or Consent

  • Region-based Service Provisioning

    In order to provide the Services to you, we may store your personal data in countries/regions where Huawei Cloud, Huawei Cloud’s affiliate companies, or Huawei Cloud’s service providers or subcontractors are located. This means your personal data may be transferred to regions outside of the country/region where you use Huawei Cloud services or products, and may be accessed from these regions.


    These regions may have different or no data protection laws. In such cases, Huawei Cloud will ensure your personal data receives equivalent or higher protection after the transfer in accordance with applicable laws and regulations. For example, Huawei Cloud will ask for your consent or anonymize your personal data before any cross-border transfer.


    The Huawei Cloud website includes information about the availability of Huawei Cloud's global infrastructure and service catalog in each region. You need to select the right region when signing up for Huawei Cloud services.

  • Cross-border Data Transfer Based on Agreements or Consent

    Huawei Cloud has data centers in many countries and regions around the world. If data needs to be transferred across borders for reasons such as operations and maintenance or technical support, the transfer will be conducted in a manner that strictly complies with local laws and regulations and subjected to stringent internal reviews. For example, cross-border data transfer is allowed only after a data transfer agreement is signed or the data subject's explicit consent is obtained. This ensures personal data is processed lawfully, fairly, and transparently.

Cross-border Data Transfer

Region-based Service Provisioning | Cross-border Data Transfer Based on Agreements or Consent

Region-based Service Provisioning

In order to provide the Services to you, we may store your personal data in countries/regions where Huawei Cloud, Huawei Cloud’s affiliate companies, or Huawei Cloud’s service providers or subcontractors are located. This means your personal data may be transferred to regions outside of the country/region where you use Huawei Cloud services or products, and may be accessed from these regions.


These regions may have different or no data protection laws. In such cases, Huawei Cloud will ensure your personal data receives equivalent or higher protection after the transfer in accordance with applicable laws and regulations. For example, Huawei Cloud will ask for your consent or anonymize your personal data before any cross-border transfer.


The Huawei Cloud website includes information about the availability of Huawei Cloud's global infrastructure and service catalog in each region. You need to select the right region when signing up for Huawei Cloud services.

Cross-border Data Transfer Based on Agreements or Consent

Huawei Cloud has data centers in many countries and regions around the world. If data needs to be transferred across borders for reasons such as operations and maintenance or technical support, the transfer will be conducted in a manner that strictly complies with local laws and regulations and subjected to stringent internal reviews. For example, cross-border data transfer is allowed only after a data transfer agreement is signed or the data subject's explicit consent is obtained. This ensures personal data is processed lawfully, fairly, and transparently.

Protection of Data Subject Rights

Response to Data Subject Requests (DSR) | Prompt Reporting of and Response to Personal Data Breaches and Security Incidents

  • Fast DSR Response

    According to applicable laws and regulations in many countries and regions where Huawei Cloud operates, data subjects have the right to request the data controller to allow them to access, correct, and delete their personal data.


    Huawei Cloud provides convenient DSR channels and has a professional DSR response team. Upon receiving a DSR, the team handles the request within the specified time and promptly sends the result back to the data subject. You can submit a DSR to us through the Personal Data Management Request page on the Huawei Cloud website.

  • Prompt Reporting of and Response to Personal Data Breaches and Security Incidents

    To ensure prompt response to security incidents such as personal data breaches, damage, or loss, Huawei Cloud has developed comprehensive regulations and rules that specify how to classify and grade security incidents and vulnerabilities as well as the standard response procedures.


    Huawei Cloud has an emergency response team for security incidents. Guided by preset regulations and standard procedures, they work with other teams and departments to handle loss prevention, problem diagnosis, and remediation.


    Huawei Cloud also has a professional data protection team that informs customers about personal data breaches in compliance with applicable laws and regulations and executes emergency response and recovery plans to alleviate the impact of such incidents.

Protection of Data Subject Rights

Response to Data Subject Requests (DSR) | Prompt Reporting of and Response to Personal Data Breaches and Security Incidents

Fast DSR Response

According to applicable laws and regulations in many countries and regions where Huawei Cloud operates, data subjects have the right to request the data controller to allow them to access, correct, and delete their personal data.


Huawei Cloud provides convenient DSR channels and has a professional DSR response team. Upon receiving a DSR, the team handles the request within the specified time and promptly sends the result back to the data subject. You can submit a DSR to us through the Personal Data Management Request page on the Huawei Cloud website.

Prompt Reporting of and Response to Personal Data Breaches and Security Incidents

To ensure prompt response to security incidents such as personal data breaches, damage, or loss, Huawei Cloud has developed comprehensive regulations and rules that specify how to classify and grade security incidents and vulnerabilities as well as the standard response procedures.


Huawei Cloud has an emergency response team for security incidents. Guided by preset regulations and standard procedures, they work with other teams and departments to handle loss prevention, problem diagnosis, and remediation.


Huawei Cloud also has a professional data protection team that informs customers about personal data breaches in compliance with applicable laws and regulations and executes emergency response and recovery plans to alleviate the impact of such incidents.