HUAWEI CLOUD Compliance with Argentina PDPL

HUAWEI CLOUD Compliance withArgentina PDPL

Issue 1.1

Date 2022-05-12

HUAWEI CLOUD COMPUTING TECHNOLOGIES CO., LTD.

Copyright © Huawei Cloud Computing Technologies Co., Ltd. 2022. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Cloud Computing Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between HuaweiCloud and the customer. All or part of the products, services and features described in this document maynot be within the purchase scope or the usage scope. Unless otherwise specified in the contract, allstatements, information, and recommendations in this document are provided "AS IS" withoutwarranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Cloud Computing Technologies Co., Ltd.Address: Huawei Cloud Data Center Jiaoxinggong Road

Qianzhong AvenueGui'an New DistrictGui Zhou 550029People's Republic of China

Website: https://www.huaweicloud.com/intl/en-us/

Issue 1.1 (2022-05-12) Copyright © Huawei Cloud Computing Technologies Co., Ltd. i

https://www.huaweicloud.com/intl/en-us/

Contents

1 Overview....................................................................................................................................11.1 Scope of Application.............................................................................................................................................................. 11.2 Purpose of Publication...........................................................................................................................................................11.3 Basic Definitions...................................................................................................................................................................... 1

2 Cloud Services Privacy Protection Responsibilities Sharing Model............................. 3

3 Overview of Argentina Privacy Laws..................................................................................53.1 Background of Argentina Privacy Laws........................................................................................................................... 53.2 Core Regulatory Requirements of PDPL..........................................................................................................................53.3 Security Measures Requirements of Resolution 47/2018..........................................................................................73.4 Roles under PDPL.................................................................................................................................................................... 73.5 The Role of HUAWEI CLOUD under PDPL......................................................................................................................7

4 How HUAWEI CLOUD Responses to the Requirements of Argentina PDPL andImplementing Regulations....................................................................................................... 94.1 HUAWEI CLOUD Privacy Commitment............................................................................................................................94.2 HUAWEI CLOUD Basic Privacy Protection Principles.................................................................................................. 94.3 HUAWEI CLOUD's Compliance Measures in Response to PDPL...........................................................................104.4 HUAWEI CLOUD's Compliance Measures in Response to Resolution 47/2018...............................................18

5 How HUAWEI CLOUD Supports Customers to Comply with PDPL............................295.1 Customers' Privacy Protection Responsibilities Under PDPL..................................................................................295.2 Customer's Compliance Responsibilities with Resolution 47/2018..................................................................... 345.3 How HUAWEI CLOUD Products and Services Help Customers Implement Content Data Privacy andSecurity............................................................................................................................................................................................ 40

6 HUAWEI CLOUD Privacy Protection Related Certifications........................................ 47

7 Conclusion............................................................................................................................... 49

8 Version History.......................................................................................................................50

HUAWEI CLOUD Compliance with Argentina PDPL Contents

Issue 1.1 (2022-05-12) Copyright © Huawei Cloud Computing Technologies Co., Ltd. ii

1 Overview

1.1 Scope of ApplicationThe information provided in this document applies to HUAWEI CLOUD and all itsproducts and services available in Argentina.

1.2 Purpose of PublicationThis document is intended to help customers understand:

1. HUAWEI CLOUD's privacy protection responsibility model;2. Argentina Personal Data Protection Act 25,326 (PDPL) and related legal

requirements;3. The compliance of HUAWEI CLOUD with PDPL, as specified in the

responsibility model;4. HUAWEI CLOUD's controls and achievements in privacy management;5. Customers' responsibilities and obligations when falling under the jurisdiction

of PDPL, as specified in the responsibility model;6. How to leverage HUAWEI CLOUD's security products and services to achieve

privacy compliance.

1.3 Basic Definitions● HUAWEI CLOUD

HUAWEI CLOUD is the cloud service brand of the HUAWEI marquee,committed to providing stable, secure, reliable, and sustainable innovationcloud services.

● CustomerRegistered users having a business relationship with HUAWEI CLOUD.

● Personal DataInformation of any kind referred to certain or ascertainable physical personsor legal entities.

HUAWEI CLOUD Compliance with Argentina PDPL 1 Overview

Issue 1.1 (2022-05-12) Copyright © Huawei Cloud Computing Technologies Co., Ltd. 1

● Sensitive DataPersonal data reveals the data owner's racial and ethnic origin, politicalopinions, religious, philosophical or moral beliefs, labor union membership,and information on health, sexual habits or behaviors.

● Data ProcessingSystematic operations and procedures, electronic or not, that allow thecollection, retention, management, storage, modification, relationship,evaluation, blocking, destruction, and in general the processing of personaldata, as well as their transfer to third parties through communications,queries, interconnections or transfers.

● Data OwnerAny physical person or legal entity having a legal address or delegations orbranches in the country, whose data are subject to the treatment referred toin this Act.

● Data UserAny person, either public or private, performing in its, his or her discretion thetreatment of data contained in files, registers or banks (hereinafter referred toas platforms, systems, or other cloud services provided by HUAWEI CLOUD),owned by such persons or to which they may have access through aconnection.

● Data DissociationTreatment of personal data in such a way that the information obtainedcannot be associated with any certain or ascertainable or determinableperson.

● Account InformationPersonal data, such as names, phone numbers, email addresses, bankaccounts and billing information provided by customers to HUAWEI CLOUDwhen creating or managing their HUAWEI CLOUD accounts. HUAWEI CLOUDacts as the data user of any personal data included within accountinformation.

● Content DataContent stored or processed during the use of HUAWEI CLOUD services,including but not limited to data, documents, software, images, audio andvideo files.

HUAWEI CLOUD Compliance with Argentina PDPL 1 Overview


2 Cloud Services Privacy ProtectionResponsibilities Sharing Model

Due to the complexity of cloud service business model, the privacy protection isnot the sole responsibility of one single party, but requires the joint efforts of boththe tenant and HUAWEI CLOUD. As a result, HUAWEI CLOUD proposes aresponsibility sharing model to help tenants to understand the privacy protectionresponsibility scope for both parties and ensure the coverage of various areas ofprivacy protection. Below is an overview of the responsibilities distribution modelbetween the tenant and HUAWEI CLOUD:

Figure 2-1 Responsibility Sharing Model

As shown in the above model, the privacy protection responsibilities aredistributed between HUAWEI CLOUD and tenants as below:

HUAWEI CLOUD: As the Cloud Service Provider (CSP), HUAWEI CLOUD is not onlyresponsible for the security of personal data collected or processed during businessoperations and compliance, but also responsible for the platform security, whichmeans providing secure and compliant infrastructure, cloud platform and softwareapplications related to cloud services to tenants.

HUAWEI CLOUD Compliance with Argentina PDPL2 Cloud Services Privacy Protection Responsibilities

Sharing Model


● Protection of Tenant's Privacy: HUAWEI CLOUD identifies and protectstenants' personal data. HUAWEI CLOUD formulates privacy protection policiesfrom company policies, processes and operation levels and adopts activeprivacy control measures, such as anonymization, data encryption, system andplatform security protection, and comprehensively protect the security oftenants.

● Platform and Tenant Security Support: HUAWEI CLOUD is responsible forthe security and compliance of the platform and infrastructure involved in thecloud service, ensuring the applications' security and platform security levelsto comply with the requirements of applicable privacy protection laws andregulations. At the same time, HUAWEI CLOUD provides tenants with avariety of privacy protection technologies and services, such as access control,identity authentication, data encryption, logging and auditing functions, inorder to help tenants protect their privacy according to their commercialrequirements.

Tenant: As the purchaser of HUAWEI CLOUD's products and services, tenants arefree to decide on how to use the products or services and how to use cloudproducts or services to store and process content data, which may includepersonal data. Therefore, tenants are responsible of Content Security, which isdefined as the security and compliance of content data.

● Content Data Protection: Tenants should correctly and comprehensivelyidentify personal data in the cloud, formulate policies to protect the securityand privacy of personal data, and finally select appropriate privacy protectionmeasures. Specific measures include security configuration based on businessand privacy protection requirements, such as operating system configuration,network settings, security protection, database encryption policy, and setappropriate access controls and password policies.

● Respond to data owner's right requests: Tenants shall guarantee the rightsof data owners and respond to their requests in a timely manner. In the caseof a personal data breach, the tenant shall take adequate actions inaccordance with regulatory requirements, such as notifying both theregulators and the data owners or take mitigation measures.

HUAWEI CLOUD Compliance with Argentina PDPL2 Cloud Services Privacy Protection Responsibilities

Sharing Model


3 Overview of Argentina Privacy Laws

3.1 Background of Argentina Privacy LawsPDPL, which is approved by the Argentine Parliament on October 30, 2000, appliesto the processing of personal data in Argentina for individuals or legal entities(the latter needs to be located in Argentina or have offices or branches inArgentina). Its purpose is providing comprehensive protection to personal data indata files, registers, databases, or data banks or other technical data processingmeasures.

PDPL has been effort for a long time and the concept of cloud computing was firstintroduced 6 years after the legislation was passed which is in 2006. As to thesimilarity between cloud service models and data files, registers, databases or databanks mentioned in PDPL, HUAWEI CLOUD properly protects personal data thatcollected and contained in customer's content data according to PDPLrequirements.

In addition to PDPL, Argentine Regulators have issued a number of specificresolutions and guidelines to help data users better meet the requirements ofPDPL. A more central document is Resolution 47/2018 promulgated by theArgentine Acquisition of Public Information Agency (AAPI) on July 23, 2018.Resolution 47/2018 aims to promote data user's further compliance with PDPL-related requirements and to provide recommendations for security measures forthe management, planning, control and continuous improvement of informationsecurity.

3.2 Core Regulatory Requirements of PDPLPDPL specified the following core regulatory requirements for processing personaldata.

● Ensure the Quality of Personal Data

To ensure the quality of personal data, Article 4 of PDPL makes relevantprovisions, mainly including the appropriateness of purposes, legal andlegitimate, purpose limitation, data accuracy, data correction, data access anddata retention restriction.

HUAWEI CLOUD Compliance with Argentina PDPL 3 Overview of Argentina Privacy Laws


● Notify and Obtain ConsentWhenever the data user requires the data owner to provide personal data, thedata user should inform the data owner in advance that the purpose of dataprocessing, the identity and type of the data user, the consequences of notproviding or providing inaccurate data, and the rights of the data owner toaccess, correct, and delete the data. Notifications sent to the data owner mustbe in writing or in a similar manner, and the data user cannot process thepersonal data until they have the explicit consent from the data owner.

● Collect and Process Sensitive and Medical Data ConditionallyThe data user cannot force the data owner to provide sensitive data. Sensitivedata can only be collected and processed for statistical and scientific purposeswhich are authorized by law when public interests are taken intoconsiderations or data owners cannot be identified. It is prohibited to storethe information that may disclose sensitive data directly or indirectly underPDPL. Medical data can be collected from patients only when medicalinstitutions and medical research institutions provide patient medical services.

● Ensure Data SecurityThe data user must take necessary technical and organizational measures toprotect personal data from changes, losses, unauthorized access orprocessing, and fully protect the security and confidentiality of personal data.

● Confidentiality ObligationsData users and all persons participating in any stage of personal dataprocessing are responsible for the confidentiality of personal data. Even if theyno longer act as data users or participate in personal data processing, theystill hold responsible of confidentiality.

● Consent Related to Data TransferProcessed Personal data can only be transmitted when it is directly related tothe legitimate interests of data users and personal data receivers, given thatthe data owner is informed of the purpose of such data transfer andconsented to. The recipient has the same obligations as the data user.The data owner's consent of data transfer is revocable. When data transfersoccur directly between governments or data dissociation measures have beentaken, data users do not need to obtain data owner's consent.

● Conditional Cross-Border TransferWith the exception of international judicial cooperations, epidemiologicalinvestigation needs, international cooperation to combat crime, andArgentina's special international treaty on relevant transfer, PDPL prohibitsthe transfer of any type of personal data to countries, internationalorganizations, or supranational entities that cannot provide an adequate levelof protection.

● Requirements for Information RegistrationPDPL requires data users or person who are responsible for personal datafiles, databases or registers to register relevant information with registriesestablished by local regulatory bodies. The registered information includes thename and address of the person in charge, the purpose of collecting personaldata, the nature of collecting personal data, the methods of collecting andupdating personal data, the means of ensuring data security and possibletransfer of destination of personal data, etc.



● Time Limitation of Data RetentionData users shall delete stored personal data in time after fulfilling theircontract obligations. Personal data could be retained no longer than twoyears under reasonable assumptions about possible future services.

● Data Processing Restrictions for Directing MarketingData users can only send e-marketing business information to data ownersunder specific circumstances, such as when personal data can be obtained inpublic documents, data owners provide it on their own initiative, and datausers have obtained data owners' consent.

3.3 Security Measures Requirements of Resolution47/2018

AAPI, the Argentine data protection authority, issued Resolution 47/2018 in 2018,which stipulates that data users should take necessary technical andorganizational measures to ensure the security and confidentiality of theirpersonal data. The resolution starts from eight control areas: data collection,access control, change control, backup and recovery, vulnerability management,data deletion, security incidents and development environment, setting out 30specific security protection objectives in accordance with international standardsand corresponding recommended security control measures.

3.4 Roles under PDPLTwo roles are defined by PDPL, which are the data owner and the data user.

The data owner is the owner of personal data and has the rights to know, access,recall, correct and update the data and restrict data processing granted by PDPL.

The data user is responsible for the collected personal data, ensure that collecting,processing, protecting and transmitting data owners' personal data based on thecore requirements of the PDPL (refer to Chapter 3.2), and shall also comply withofficial documents such as Resolution 47/2018 and other resolutions, goodpractice guidelines issued by regulatory bodies.

3.5 The Role of HUAWEI CLOUD under PDPLPersonal data processed by HUAWEI CLOUD mainly includes personal data incustomer's content data and personal data provided by customers when creatingor managing HUAWEI CLOUD accounts.

When processing personal data in the customer's content data, the customer, as adata user, assumes the obligations set for the data user by PDPL. HUAWEI CLOUDwill only process content data in accordance with customer's instructions, keep thedata confidential and take appropriate security measures to protect customercontent data security.

When a customer performs operations on HUAWEI CLOUD platform, including butnot limited to registering, services purchasing, real-name authentication andservice support, HUAWEI CLOUD will collect some personal data, such as the



customer's name, address, ID number, bank accounts information, and other typesof information according to the service used. HUAWEI CLOUD, acting as the datauser, is responsible for the security and privacy protection of customers' personaldata, ensuring that the collection, processing and storage procedures comply withlegal requirements, and adequately responding to data owners' requests.



4 How HUAWEI CLOUD Responses to theRequirements of Argentina PDPL and

Implementing Regulations

4.1 HUAWEI CLOUD Privacy CommitmentHUAWEI CLOUD has placed cyber security and privacy protection as top priorities.HUAWEI CLOUD has integrated cyber security and privacy protection into its cloudservices promising to provide customers with stable, reliable, secure, trustworthy,and evolvable services while respecting and protecting customers' privacy.

HUAWEI CLOUD solemnly treats and actively assumes correspondingresponsibilities to comply with global privacy protection laws and regulations.HUAWEI CLOUD not only has set up professional privacy protection teams, butalso develops and optimizes processes and new technologies, and continuouslybuilds up privacy protection capabilities to achieve its own privacy protectionobjectives: strictly adhering to services' boundaries, protecting customers' personaldata security, and helping customers implement privacy protections.

4.2 HUAWEI CLOUD Basic Privacy Protection Principles● Lawfulness, Fairness and Transparency

HUAWEI CLOUD processes personal data of data owners lawfully, fairly and ina transparent manner.

● Purpose RestrictionHUAWEI CLOUD collects personal data for specific, explicit and lawfulpurposes and will not further process the data in a manner that isincompatible with those purposes.

● Data MinimizationWhen HUAWEI CLOUD processes personal data, personal data shall beadequate, relevant, and limited to what is necessary in relation to thepurposes for which the data is processed. Personal data will be anonymized orpseudonymized to the extent possible to reduce the risks for data owners.

HUAWEI CLOUD Compliance with Argentina PDPL

4 How HUAWEI CLOUD Responses to theRequirements of Argentina PDPL and Implementing

Regulations


● AccuracyHUAWEI CLOUD ensures that personal data is accurate and, when necessary,kept up to date. Every reasonable step must be taken to ensure thatinaccurate personal data is erased or rectified without delay depending on thepurpose of data processing.

● Minimize Storage DurationPersonal data shall not be retained beyond the period necessary for thepurposes of data processing.

● Integrity and ConfidentialityTaking into account the existing technical capabilities, implementation costs,and likelihood and severity of privacy risks, HUAWEI CLOUD processespersonal data in a manner that ensures appropriate security of the personaldata, including protection against accidental or unlawful destruction, loss,alteration, or unauthorized access and disclosure by using appropriatetechnical or organizational measures.

● AccountabilityHUAWEI CLOUD is responsible for and able to demonstrate its complianceswith the preceding principles.

4.3 HUAWEI CLOUD's Compliance Measures inResponse to PDPL

Based on the characteristics of HUAWEI CLOUD's business and the requirementsof PDPL, HUAWEI CLOUD, as a data user, actively responds to and fulfills itsobligations when managing customer account information. It adopts thefollowing privacy protection mechanisms and technologies to comply with thecore requirements of personal data utilization stipulated by PDPL.



Regulations


CoreRequirements ofPDPL

Specific RequirementsApplicable to HUAWEICLOUD

Measures Taken by HUAWEICLOUD

Ensure theQuality ofPersonal Data

PurposeAppropriateness:Personal data collectedand processed must be fordefined, appropriate, andrelated processingpurposes.Legal and legitimate :Data collection shall notbe conducted by meansthat is unfaithful,fraudulent or in violationof PDPL regulations.Purpose Restriction:Personal data collectedand processed must notbe used for purposesinconsistent with orbeyond the scope ofcollection.Data Accuracy: Datashould be accurate, andupdated when necessary.Data Correction: For allinaccurate or incompletedata, the user of personaldata should disables/deletes or replaces it afterreceiving the information.Data Access: Dataconsumers should ensurethat data owners haveaccess to personal datathat they are collecting orprocessing.Data RetentionRestrictions: Destroy dataonce it is no longerneeded or irrelevant tothe purpose of collection

At its core, HUAWEI CLOUDcollects and processes personaldata based on the purposesdisclosed in the "PrivacyPolicy Statement". HUAWEICLOUD regularly conductsPrivacy Impact Assessments forproducts and services thatinvolve personal data in orderto prevent the collection andprocessing of personal data inproducts and services fromexceeding the scope requiredfor their actual purposes.HUAWEI CLOUD providescustomers with a convenientchannel to exercise dataowner's rights. Customers caninitiate requests to access ormodify their incorrect orincomplete personal datathrough their mailboxes, asindicated in the "PrivacyPolicy Statement". HUAWEICLOUD will provide customerswith copies of the personaldata they query or update,replace or discard incompleteor inaccurate information asrequested after verifying theidentity of the requester.HUAWEI CLOUD regularlyaudits the purposes ofcollecting, using and disclosingpersonal data, and performssecurity processing such asdata dissociation or deletion ofthe personal data that is nolonger needed. Customers canuse the Close Account functionin the Official Gateway todelete data stored in theHUAWEI CLOUD.



Regulations


https://www.huaweicloud.com/intl/en-us/declaration/sa_prp.html







Notifying andObtainingConsent

Notifications: Whencollecting personal data,the data owner should benotified in a clear andexplict way in advance,including the purpose ofdata processing, theidentity of the person whoreceives the data, theconsequences ofinaccurate or failure indata provision, and therights of the data owner.Explicit consent: Thenotice must be presentedto the data owner inwriting or otherequivalent manner, eitherexplicitly or prominently,before data can becollected and processedwith the consent of thedata owner.

The "Privacy PolicyStatement" introduces howHUAWEI CLOUD will collectand process customer'spersonal data, inform themwhether they must providedata, the consequences if thedata owner fails to provide thedata, the purpose of data use,types of the objets regardingthe data transfer , and therights of data owners.When a customer registers foran account, HUAWEI CLOUDwill clearly show the "PrivacyPolicy Statement" to thecustomer on the officialwebsite. The customer needsto click on the Confirm buttonto agree to the "Privacy PolicyStatement". Additional privacynotices will be provided in theproduct agreement and get thecustomer's consent again if thepurchased or after-sales serviceof the related product involvesthe collection or use ofpersonal data for purposesother than those originallystated in the privacystatement.When the scope or use purposeof personal data collected by aproduct or service changes, theprivacy statement will beupdated accordingly andcustomers will be asked againfor their consent.



Regulations











Ensure DataSecurity

Data users mustimplement reasonableand appropriateorganizational andtechnical measures toprotect personal datafrom changes, loss, andunauthorized access andprocessing. Data usersshould store personal datain an environment thatcomplies with technicalintegrity and security.

HUAWEI CLOUD uses a varietyof management and technicalcontrols to protect the securityof personal data.Organizational SecurityMeasures: HUAWEI has set upa global cyber security andprivacy protection officer whois responsible for theformulation andimplementation of HUAWEI'sprivacy protection policy .HUAWEI CLOUD has set up ateam of privacy protectionexperts, including privacyprotection experts, legalpersonnel, and network andinformation securityprofessionals, to provideprofessional support forHUAWEI CLOUD privacyprotection strategy andpractice. For countries andregions where it operates,HUAWEI CLOUD assignsdedicated legal and privacyprotection personnel to helpHUAWEI CLOUD implementlocal activities in compliancewith applicable privacy lawsand regulations.HUAWEI CLOUD hasestablished a privacyprotection governanceframework covering allbusinesses, and through aseries of privacy protectionprocesses, to support businessactivities to meet privacyprotection requirements, suchas data owners' rightsprotection, emergencyresponse to data breaches, andpersonal data retention, etc.HUAWEI CLOUD retainscomplete records of anypersonal data processingactivities performed by



Regulations





HUAWEI CLOUD. Every servicelists the type of data owners,the type of personal data, thecollection purpose, the transferof personal data, retentionperiod and security measuresetc. through conducting privacyimpact assessments.Physical security measures:HUAWEI CLOUD hasestablished comprehensivephysical security andenvironmental safetyprotection measures andstrategies. In addition, theHUAWEI CLOUD O&M teamenforces stringent accesscontrol, safety measures,regular monitoring andauditing, and emergencyresponse measures to protectthe physical security andenvironmental safety HUAWEICLOUD data centers.Technical security measures:Authentication: strict passwordpolicy and multi-factorauthentication are adopted;Permission management: role-based access control andpermission management foroperation and maintenancepersonnel is implemented;Data storage and transfer:sensitive data encryption isadopted; Risk monitoring:logging and auditing of dataprocessing is adopted tomonitor and audit the accessto the key systems.Security certification:In addition, customers can alsounderstand the privacy securitycontrols within HUAWEICLOUD's environment throughHUAWEI CLOUD securityreports or certifications.



Regulations


https://www.huaweicloud.com/intl/en-us/securecenter/compliance.html

https://www.huaweicloud.com/intl/en-us/securecenter/compliance.html




HUAWEI CLOUD has obtainedmultiple certifications inrelation to privacy complianceinternational standard,including ISO 27701, ISO29151, ISO 27018, BS 10012,SOC2 Type1, privacy auditreports., etc. (Detailedcertification is described inChapter 6). ISO 27018 is theInternational Code of Conductfocused on personal dataprotection in the cloud. Thepass of ISO 27018 indicatesthat HUAWEI CLOUD has acomplete personal dataprotection managementsystem.

ConfidentialityObligations

All persons participatingin personal dataprocessing or data usersshall maintain strictconfidentiality of personaldata that they have comeinto contact with.Thisobligation shouldcontinue to be fulfilledeven if they no longerparticipate in theprocessing of personaldata.

HUAWEI CLOUD makes thatall employees' qualifications,capabilities, and behaviorcomply with privacy protectionrequirements from variousaspects and requiresemployees to pass privacyprotection related assessmentevery year. In addition,HUAWEI CLOUD has identifiedprivacy protection relatedpositions and clearly definedthe responsibilities of thesepositions. HUAWEI CLOUD alsoconducts backgroundinvestigation and skillassessment for newemployeesto help that theymeet the requirements. Allemployees shall participate inthe training on privacyprotection awareness and passthe assessment . When anemployee is repositioned,related permissions will becanceled.



Regulations





Consent Relatedto Data Transfer

Personal data processedcan only be transmitted ifthe legitimate interests ofthe data user and thepersonal data recipientare directly related, andthe data owner isinformed of the purposeand consent of such datatransfer.

In the "Privacy PolicyStatement", HUAWEI CLOUDexplains the use of personaldata (purpose, third partyinformation, etc.) and obtainsthe consent from data owners.To provide customers with thenecessary transaction, serviceand security support, HUAWEICLOUD may share somepersonal data with thirdparties, i.e., affliatedcompanies, branches, serviceproviders, subcontractors,cooperation partners, etc.When transferring personaldata to a third party, HUAWEICLOUD uses encryptedchannels in order to protectthe personal data security.

Consent toCross-BorderTransfer

Except in exceptionalcases, cross-bordertransfer of personal datashould only be carried outwhen it is confirmed thatthe transmitting countryor internationalorganization has sufficientlevel of protection forpersonal data.

HUAWEI CLOUD has set up ateam of privacy experts toestimate the level of personaldata protection provided bythe countries involved in datatransfer. For the countries andregions where it operates,HUAWEI CLOUD also has full-time legal and privacyprotection personnel to helpHUAWEI CLOUD takenecessary measures inaccordance with applicableprivacy laws and regulations.



Regulations







InformationRegistrationRequirements

Before processing thecontent data, relevantinformation should beregistered with theregistry established by thelocal regulatory authority,including the name andaddress of the person incharge, the purpose ofcollecting personal data,the characteristics ofpersonal data collection,the methods of collectingand updating personaldata, the means ofensuring data security,and the destination ofpossible transfer ofpersonal data.

According to the requirementsof ISO27001 standard,HUAWEI CLOUD has assignedspecial personnel to keep intouch with industryorganizations, risk andcompliance organizations, localauthorities and regulatoryagencies and establish contactpoints.HUAWEI CLOUD has set upspecial posts to maintainpositive contact with externalparties to pay attention to thedynamics of laws andregulations.

Time Limitationof DataRetention

After fulfilling thecontractual obligations,the stored personal datashall be deleted in atimely manner. Personaldata can be retained forup to 2 years when it isreasonably inferred thatservices may be providedin the future.

When customers activelydelete data or need to deletedata due to service expiration,HUAWEI CLOUD will strictlyfollow applicable laws andregulations，as well asagreements with customers,，delete the stored customerdata in accordance with datadestruction standards.



Regulations





Data ProcessingRestrictions forDirectMarketing

E-marketing businessinformation should onlybe sent to data ownersunder specificcircumstances, such aspersonal data can beobtained in publicdocuments, provided bydata owners on their owninitiative, and the consentof data users has beenobtained.

Customers can choose whetherto agree to use personal datafor marketing when registeringthe account number ofHUAWEI CLOUD officialwebsite. Only after obtainingthe consent of the customer, asthe data owner, can HUAWEICLOUD send the promotioninformation to the customer.Only after the customer agreesto the direct marketing,HUAWEI CLOUD can sends thepromotion information to thecustomer by SMS or email.If the customer decides toterminate the consent on usinghis/her personal data for directmarketing, it can be modifiedin the message receptionconfiguration of the usercenter.

4.4 HUAWEI CLOUD's Compliance Measures inResponse to Resolution 47/2018

HUAWEI CLOUD actively takes various types and dimensions of control measuresto ensure the security of data. According to the requirements of Resolution47/2018, HUAWEI CLOUD fulfills the obligations of personal data users to protectpersonal data security during collecting, accessing, changing, developing,destructing and security incidents occurring. The specific measures are as follows:

● Data Collection



Regulations


Purposes BriefIntroduction ofControls

Measures Taken by HUAWEI CLOUD

A.1 Integrity A.1.1 To EnsureDataCompleteness

HUAWEI CLOUD has developed a datasecurity specification, whichstandardizes the hierarchicalmanagement and control requirementsof data collection and transfer, and usesreasonable encryption technology todetect the integrity of important datatransfer process. HUAWEI CLOUDaccording to the data classificationstandard, use the correspondingencryption technology for differentlevels of data to protect the integrity ofthe data.

A.1.2 MinimizeInput Errors

HUAWEI CLOUD has designed differentdata input strategies for the types ofdata collected, which limits the format,number of bits and characterrequirements of user input data, andreduces the possibility of input errors.

A.1.3 To EnsureData Accuracy

HUAWEI CLOUD has a data verificationmechanism, which checks the inputdata such as mobile phone number andemail address through the verificationcode to verify that the collected data isaccurate and effective.

A.2Confidentiality

A.2.1 To WarrantConfidentialityDuring theEntire DataCollectionProcess

HUAWEI CLOUD has established ascientific and effective managementsystem that can systematically andcontinuously manage security risks andensure data confidentiality, integrity,and availability of itself and customers, ,and HUAWEI CLOUD has passed theCSA STAR Gold Certification.

A.2.2 To RestrictAccess to DataCollection

HUAWEI CLOUD has established strictpassword policy and enables multi-factor authentication to strictly controlthe access to the collection process.At the same time, HUAWEI CLOUD usesIAM access control and identityauthentication technology to managethe access control of the accesscollection process, and uses encryptiontechnology for the transfer channel torestrict unauthorized access to thecollection process.

A.2.3 To RestrictUnauthorizedAccess DuringCollection



Regulations


https://www.huaweicloud.com/intl/en-us/securecenter/safetycompliance.html

● Access Control



B.1Identificationof Assets

B.1.1 IdentifyAssets

HUAWEI CLOUD's information assetclassification is monitored and managedby special tools to form an asset list,and each asset is assigned an owner.For personal data, HUAWEI CLOUD usePrivacy Impact Assessment (PIA)regularly combing the list of personaldata assets and identifies thecorresponding asset owner.HUAWEI CLOUD checks the controleffect through internal and externalaudit. Internal audit continuously tracksthe effectiveness of security controlmeasures, while external audit who actas an independent auditor review theefficiency and effectiveness ofimplemented security controls.

B.1.2 IdentifyResponsibleParties andDetermine TheirResponsibilities

B.1.3 Verify theControlsApplication

HUAWEI CLOUD has an access controlmechanism, which provides eachemployee with a unique identity anddivides permissions according toemployee's job responsibilities. It alsorecords the access to key systemsthrough log records and audittechnology, and manages privilegedaccounts through regular monitoringand auditing.



Regulations




B.2 Access ofData

B.2.1 ManageAccess toSystems

HUAWEI CLOUD has established accesscontrol management requirementsaccording to ISO27001, followed theprinciple of minimum authority andseparation of authority, regularlyreviewed the scope of employees' rights,and avoided the permission beyond itsscope of work.The employee shall verify their identityat each login to HUAWEI CLOUD, andthe log can be traced back to the stafffor accountability in case of an accident.When an employees' on-the-job statuschanges, the permissions shall becleaned and modified in time. Logs ofemployees' logins and operations will bekept for the required time to respond tothe audit requirements.

B.2.2 AssignPermission

HUAWEI CLOUD has establishedcomprehensive physical security andenvironmental safety protectionmeasures, strategies, and procedures .HUAWEI CLOUD enforces stringent datacenter access control for both personneland equipment. Security guards,stationed 24/7 at every entrance toeach HUAWEI CLOUD data center siteas well as at the entrance of eachbuilding on site, are responsible forregistering and monitoring visitors andstaff, managing their access scope onan as-needed basis. Different securitystrategies are applied to the physicalaccess control systems at differentzones of the data center site for optimalphysical security.HUAWEI CLOUD data centers employindustry standard data center physicalsecurity technologies to monitor andeliminate physical hazards and physicalsecurity concerns. CCTV monitoring isenabled 24/7 for data centers' physicalperimeters, entrances, exits, hallways,elevators, and computer cage areas.CCTV is also integrated with infraredsensors and physical access controlsystems. Security guards routinely patrol



Regulations




B.2.3 Verify theIdentificationand theAuthorization

data centers and set up onlineelectronic patrol systems such thatunauthorized access and other physicalsecurity incidents promptly triggersound and light alarms.HUAWEI CLOUDassigns permissions to employeesaccording to the minimum scope ofworking needs. The access andmodification of the information securitymanagement system and sensitiveinformation are under monitored andrecorded. Access to all ports,applications, system components, etc.are only open to authorized individualsand applications.

B.2.4 ControlPhysical Accessto Data Centers

Strictly following the international andnational standards, HUAWEI CLOUDcarries out site selection, design, andconstruction of data centers (DCs), andimplements hierarchical securityprotection for data centers, from thefence to the DC building, and from theDC building to modules, from modulesto cabinets, from cabinets to servers, toensure the physical and environmentalsecurity of cloud DCs. In the meantime,24x7 monitoring is enabled to detectand eliminate potential risks to ensurestable running of DCs.

B.2.5 MonitoringActivities

HUAWEI CLOUD has access rightsmanagement mechanism, which strictlycontrols the access to personal data,and immediately removes thepermission when it is not needed. At thesame time, HUAWEI CLOUD monitorsaccess to sensitive data through loggingand auditing technology.

B.2.5 MonitoringActivities(Sensitive data)

● Change Control



C.1 ChangeControl

C.1.1 EnsureChanges

HUAWEI CLOUD has a configurationand change management mechanism. Itadopts a unified change management



Regulations




C.1.1 EnsureChanges(Sensitive Data)

process for the changes of variouselements of the productionenvironment, such as computer roomfacilities, network, system platformsoftware and hardware, and application.The change can only be carried outafter application, environmental testand other verification tests and securityreviews, so as to improve the integrity,availability and confidentiality of data.

● Backup and Recovery



D.1 BackupCopies andRecoveryProcedure

D.1.1 Ensure aFormal Backupand RecoveryProcedure

HUAWEI CLOUD has a backup strategy.It will regularly back up personal data,and regularly test the effectiveness ofthe backup of personal data in thesystem, and keep the records of thebackup test.

D.1.2 EnsureAccess Control

HUAWEI CLOUD has access controlmechanism, which controls the accessrights and physical access to the serveror computer room storing personal databackup and the environment for backuprecovery test, and encrypts the storedbackup by integrating with dataencryption service.

D.1.2 EnsureAccess Control(Sensitive Data)

● Vulnerability Management



Regulations




E.1VulnerabilityManagement

E.1.1 PreventSecurityIncidents byDesign

HUAWEI CLOUD has built a unifiedanalysis and early warning platform tocomprehensively grasp the data securitysituation, quickly identify and respondto security incidents. At the same time,through the correlation analysis ofalarm, incident, asset and otherinformation, risk assessment andsecurity situation prediction can becarried out, so as to formulate securityprotection strategies in advance, so asto prevent in the bud.

E.1.2 EnsureProperProtection

HUAWEI CLOUD deploys Anti-DDoSdevices on the Internet boundary todetect and clean abnormal and ultra-large traffic attacks. Intrusionprevention devices are deployed at theborder of key network zones to identifyattacks from the Internet and customersand automatically block these attacks.All cloud platform hosts of HUAWEICLOUD are installed with securityprotection software for weak passworddetection, configuration management,intrusion detection and emergencyresponse to build a compliant andsecure host environment.HUAWEI CLOUD implements physicalseparation and encryption forproduction, test and developmentenvironment, and has a complete accesscontrol mechanism to manage access todifferent environments.HUAWEI CLOUD has a completesecurity event management mechanismand established an event managementplatform. Through security logmonitoring and audit log monitoring,HUAWEI CLOUD provides early warningand tracking of all information securityincidents, their progress, disposalmeasures and implementation, andanalyzes the impact of incident disposal.For the daily diversified attack alarmincidents, HUAWEI CLOUD has aprofessional security incidentmanagement system to track the



Regulations




E.1.2 EnsureProperProtection(Sensitive Data)

security incidents end-to-end, and thewhole disposal process can be tracedback.

E.1.3 DetectingPossible SecurityIncidents

HUAWEI CLOUD uses IPS intrusionprevention system, web applicationfirewall, anti-virus software and HIDShost based intrusion detection systemfor vulnerability management of systemcomponents and networks. IPS intrusionprevention system can detect andprevent potential network intrusionactivities; Web application firewall isdeployed at the network boundary toprotect the security of applicationsoftware from external SQL injection,CSS, CSRF and other applicationoriented attacks; antivirus softwareprovides virus protection and firewall inWindows system; HIDS host typeintrusion detection system protects thesecurity of cloud server, provides weakpassword detection, malicious programdetection, double factor authentication,vulnerability management, webpagetamper prevention and other functions.HUAWEI CLOUD continuously tracks theeffectiveness of security controlmeasures and system securityconfiguration by combining internal andexternal audit.

E.1.4 EnsureEfficient andLastingMeasures(Sensitive Data)

HUAWEI CLOUD has designed a unifiedanalysis and early warning platform forcustomers to understand the overalldata security posture, quickly identifyand respond to security events, andperform risk assessment and securityposture prediction by analyzingcorrelations among alarms, events, andassets. In this way, protection policiescan be generated in advance to preventpotential risks.

● Data Deletion



Regulations




F.1 DataDeletion

F.1.1 Establish aData DeletionProcess

HUAWEI CLOUD supports the securedeletion of data according to customerrequirements. The methods of securedeletion include deleting the encryptionkey of encrypted storage, recycling andrewriting the underlying storage,degaussing/bending/crushing ofscrapped physical media.

F.1.2 EstablishSecure DeletionMethods

HUAWEI CLOUD has established a datasecurity processing mechanism, whichspecifies the requirements for the securedestruction and disposal of data.Personal data which is no longerneeded will be conducted with safedisposal such as anonymization ordeletion, and the corresponding recordswill be saved and stored.According to ISO27001 standard, theinformation asset classification ofHUAWEI CLOUD is monitored andmanaged by special tools to form anasset list. Each asset is designated to anowner, and the corresponding deletionrecord will be formed for the deletedmedia or data assets.

F.1.3 Appoint aResponsiblePerson for DataDeletion

F.1.4 Monitorthe DeletionProcess

HUAWEI CLOUD establishesmanagement methods for informationsystem security and personal dataprocessing monitoring, and monitorsand records the information securitymanagement system, data access,modification, and destruction operationsfor processing personal data.

F.1.5 Discard ofMedia Devices(Sensitive Data)

HUAWEI CLOUD supports the securedeletion of data according to customerrequirements. The methods of securedeletion include deleting the encryptionkey of encrypted storage, recycling andrewriting the underlying storage,degaussing/bending/crushing ofscrapped physical media.

● Security Incidents



Regulations




G.1Notificationof SecurityIncidents

G.1.1 DefineResponsibilitiesand Procedures

HUAWEI CLOUD has establishedcomprehensive security logmanagement requirements, securityevent rating and handling processes, a24/7 professional security eventresponse team, and a correspondingsecurity expert resource pool. HUAWEICLOUD strives to achieve rapid securityincident response in terms of incidentdetection, impact scoping, damageisolation, and service recovery. Inaddition, HUAWEI CLOUD keepssecurity event rating criteria, time toresponse, and time to resolution up todate by taking into account the impactof a security event or incident on ourentire network and customers. Refer tothe "HUAWEI CLOUD Security WhitePaper" published by HUAWEI CLOUDfor details.When a security incident occurs, thescope, nature, personal data typesaffected will be summarized as reportsby a HUAWEI CLOUD specialist, whoshall notify the related the AAPI securityincident response organizations andaffected data owners as required.

G.1.2 PrepareReports

G.1.3Notification

● Development Environment



Regulations


https://www.huaweicloud.com/intl/content/dam/cloudbu-site/archive/hk/en-us/securecenter/security_doc/SecurityWhitepaper_en.pdf

https://www.huaweicloud.com/intl/content/dam/cloudbu-site/archive/hk/en-us/securecenter/security_doc/SecurityWhitepaper_en.pdf



H.1 SecurityofDevelopmentEnvironment

H.1.1 Implementa SecureDevelopmentPolicy

HUAWEI CLOUD uses DevOps andDevSecOps mode for development,realizes the separation of development,test and QA environment, andformulates corresponding managementsystem and process to controldevelopment and change activities.HUAWEI CLOUD and related cloudservices comply with security andprivacy design principles andspecifications as well as legal andregulation requirements. HUAWEICLOUD runs threat analysis based onthe service scenario, data flow diagram,networking model during the securityrequirement analysis and designphases, and specifies the threatreduction schemes. At the same time,all cloud services need to pass multiplerounds of security testing and codereview before released.



Regulations


5 How HUAWEI CLOUD SupportsCustomers to Comply with PDPL

5.1 Customers' Privacy Protection ResponsibilitiesUnder PDPL

When the customer's content data contains personal data of other data owners,the customer may be subject to the PDPL. If so, customers should comply with therequirements stipulated in the PDPL for data users, and HUAWEI CLOUD helpscustomers respond to their requirements and obligations as much as possible.

HUAWEI CLOUD Compliance with Argentina PDPL5 How HUAWEI CLOUD Supports Customers to

Comply with PDPL


CoreRequirementsof PDPL

Customer's PrivacyProtectionResponsibilities

HUAWEI CLOUD ServiceSupport Provided ToCustomers

Ensure theQuality ofPersonal Data

Customers are responsiblefor the quality of thepersonal data they collectto meet the followingrequirements:Purpose Appropriateness:Personal data collectedand processed must beprocessed for defined,appropriate, and relatedpurposes.Legal and legitimate :Data collection shall notbe conducted by means ofunfaithful or fraudulentmeans or in violation ofPDPL regulations.Purpose Restriction:Personal data collectedand processed must not beused for purposesinconsistent with orbeyond the scope ofcollection.Data Accuracy: Datashould be accurate andupdated when necessary.Data Correction: For allinaccurate or incompletedata, the data user shalldisable/delete or replace itafter receiving theinformation.Data Access: Data usersshould ensure that dataowners have access topersonal data that they arecollecting or processing.Data RetentionRestrictions: Once nolonger needed or irrelevantto the purpose ofcollection, the data shouldbe destroyed.

HUAWEI CLOUD only processdata in accordance withcustomer's instructions.Customers should collectpersonal data through theprinciple of fairness andtransparency and ensure theappropriateness of thepurpose. They should not usepersonal data for non-contractual purposes.Customers can revise andextract their own personal datastored in the HUAWEICLOUD.When personal data isno longer needed, customerscan delete it by their own.At the same time, HUAWEICLOUD has set up a dedicatedteam to support andcommunicate with customers.When customers encounterdifficulties, they can seek helpfrom HUAWEI CLOUD throughthe Service Ticket.


Comply with PDPL





Notifying andObtainingConsent

Customers should ensurethat notifications andconsents to collectpersonal data comply withapplicable laws andregulations:Notifications: Whencollecting personal data,the data owner should beinformed in advance of thepurpose of dataprocessing, the identity ofthe data recipient, theconsequences of inaccurateor inaccurate dataprovision, and the rights ofthe data owner in a clearand clear manner.Explicit Consent: Anotification must bepresented to the dataowner in writing or otherequivalent manner, eitherexplicitly or prominently,with the consent of thedata owner before datacan be collected andprocessed.

HUAWEI CLOUD only processdata in accordance withcustomer's instructions. Thepurpose and scope of contentdata collection are managedby the customers themselves.Some of HUAWEI CLOUD'sproducts and services providecustomers with the ability toembed privacy statements andrecord related operations tohelp them implement policiesthat inform their data ownersabout personal dataprocessing.

ConditionalCollection andProcessing ofSensitive andMedical Data

Customers shoulddetermine whethersensitive personal ormedical data can becollected based on theirbusiness nature. Individualsor entities that can legallycollect or process sensitiveor medical data shouldobtain the consent of theircustomers and use certaintechniques to separate ordesensitize sensitive databefore storing it.

HUAWEI CLOUD productsprovide dynamic datadesensitization and sensitivedata discovery strategies tohelp customers generatedesensitization rules and auditrules to desensitize thepersonal sensitive dataprocessed and the personalsensitive data that may becontained in the processedrecords.


Comply with PDPL





Ensuring DataSecurity

Customers are required totake the necessarytechnical andorganizational measures toensure the security andconfidentiality of personaldata, to protect theirpersonal data fromchanges, loss,unauthorized access orprocessing.

HUAWEI CLOUD providescustomers with a variety ofsecurity products and services,including network securityprotection, incident monitoringand response, access control,data encryption and otherproducts. See chapter 5.3 ofthis document for details.HUAWEI CLOUD providesspecial security products tohelp customers improve theirsecurity capabilities in someaspects, such as DatabaseSecurity Service, AdvancedAnti-DDoS (AAD),Vulnerability ScanningService, etc.

ConfidentialityObligations

Customers and all personelwho participate in anystage of personal dataprocessing are obligated tokeep personal dataconfidential. Even if theyare no longer data users orparticipants in personaldata processing, they stillhave a duty ofconfidentiality.

HUAWEI CLOUD's employeeshave signed a confidentialityagreement, which stipulatestheir confidentiality obligationsin data processing, andperiodically audits theircompliance.

Consent forData Transfer

Before transmittingpersonal data, thecustomer should providethe data owner withinformation about thepurpose of the transfer, therelevant personal datacategory, and the nature ofthe data sharing, andobtain the consent of thedata owner for thetransfer.

Some of HUAWEI CLOUDproducts and services provideclients with an interface toembed privacy statements andthe ability to record relatedoperations. Customers caninform data owners in theprivacy statements about thepurpose of transfer, relatedpersonal data categories, andnature of data sharing.


Comply with PDPL


https://www.huaweicloud.com/intl/en-us/product/aad.html


https://www.huaweicloud.com/intl/en-us/product/vss.html





ConditionalCross-BorderTransfer

Customers should conductcross-border transfer ofpersonal data only whenthey confirm that the datatransfer are made tocountry that have anadequate level of dataprotection.

Some of HUAWEI CLOUDproducts and services provideclients with the ability toembed privacy statements andrecord related operations.Customers can notify dataowners in their privacystatements that their personaldata may be transmitted andstored in other countries andregions.

DataRegistrationRequirements

Before processing contentdata, customers shouldregister relevantinformation with a registryestablished by the localregulatory body, includingthe name and address ofthe person in charge, thepurpose of collectingpersonal data, the natureof collecting personal data,the method of collectingand updating personaldata, the means ofensuring data security, andthe possible destination fortransmitting personal data.

-

Time Limitationof DataRetention

After fulfilling thecontractual obligations, thestored personal datashould be deleted in time.Personal data can beretained for a maximum of2 years, given reasonablespeculation about possiblefuture services

Customers should form thedeletion mechanism ofpersonal data in content dataand can delete specified datathrough cloud databaseproducts.


Comply with PDPL





Data ProcessingLimitations forDirectMarketing

Customers can sendbusiness information for E-marketing to data ownersonly under specificcircumstances, such aswhen personal data isavailable in publicdocuments, data ownersprovide it on their owninitiative, and data usersagree to it.

Some of HUAWEI CLOUDproducts and services provideclients with the ability toembed privacy statements andrecord related operations.Customers can inform dataowners in the privacystatement that their personaldata will be used for marketingpurposes.

5.2 Customer's Compliance Responsibilities withResolution 47/2018

As a data user, customer should improve data security measures in accordancewith the requirements of Resolution 47/2018.

PURPOSE BRIEF INTRODUCTION OFCONTROLS

Data Security Responsibility

A. Data Collection

A.1 Integrity A.1.1 To Ensure DataCompleteness

Customer's PrivacyResponsibility:As a data user, customersshould ensure the integrity ofthe collected personal dataduring transfer and adoptappropriate encryption methodsto protect personal data duringtransfer.Customers should ensure theaccuracy of personal datacollection and data validation ofdata provided by data owners.Customers should set up accesscontrol and identitymanagement to restrictunauthorized access to thecollected personal data.HUAWEI CLOUD ProvidesCustomer Service Support:HUAWEI CLOUD Productsprovides security products and

A.1.2 To MinimizationUploading Mistakes

A.1.3 To Ensure DataIntegrity

A.2Confidentiality

A.2.1 To WarrantConfidentiality During theEntire Data CollectionProcess

A.2.2 To Restrict Access toData Collection


Comply with PDPL




A.2.3 To RestrictUnauthorized AccessDuring Collection

services such as Identity andAccess Management (IAM),Direct Connect (DC), VirtualPrivate Network (VPN), andData Encryption Workshop(DEW) to help customersensure confidentiality andaccess control during personaldata collection and avoid therisk of unauthorized access.

B. Access Control

B.1Identificationof Assets

B.1.1 Identify Assets Customer's PrivacyResponsibility:As a data user, the customershould identify the personaldata assets being processed,form a list of responding dataassets, and confirm with theowner of the assets.Customers should set up accesscontrol and authenticationmechanisms for personal dataand systems that processpersonal data, encrypt systemsand personal data that processpersonal data, assigncorresponding access rights, andprevent unauthorized access tosystem or personal data.And customers should monitorthe system and open accesslogs to record and monitor theactivities of system usersaccessing personal data.HUAWEI CLOUD ProvidesCustomer Service Support:The Elastic Cloud Server (ECS)products provided by HUAWEICLOUD to customers includesthe ability to tag cloudresources such as instances,mirrors, and disks. If there aremultiple cloud resources underthe customer's account, andthere are multiple associationsbetween different cloudresources, the cloud resources

B.1.2 Identify ResponsibleParties and DetermineTheir Responsibilities

B.1.3 Verify the ControlsApplication

B.2 Access ofData

B.2.1 Manage Access toSystems

B.2.2 Assign Permission

B.2.3 Verify theIdentification and theAuthorization

B.2.4 Control PhysicalAccess to Data Centers

B.2.5 Monitoring Activities


Comply with PDPL




B.2.5 Monitoring Activities(Sensitive data)

can be tagged to realize theclassification and unifiedmanagement of cloudresources, so that the customercan identify and manageinformation assets.In addition, HUAWEI CLOUD'sIAM services can manageemployee privileges by role andvalidate employee identitiesthrough multifactor validation.Also, the IAM collaborates withLog Tank Service (LTS) andCloud Trace Service (CTS) torecord and audit the operationsof employees and monitor theoccurrence of abnormalbehavior.

C. Change Control

C.1 ChangeControl

C.1.1 Ensure Changes Customer's PrivacyResponsibility:Customers should verify themaintenance of the productionenvironment and protect theintegrity of their personal dataduring changes to theproduction environment.Production environments shouldbe isolated with set-up accesscontrols. Customers should alsoensure that the integrity,availability, and confidentialityof personal data are verifiedand any records are maintained.HUAWEI CLOUD ProvidesCustomer Service Support:Customers can use the HostSecurity Service (HSS) to checkthe integrity of the mirroredfile, compare it to determine ifthe current file state is differentfrom its state when the file waslast scanned, and use thiscomparison to determinewhether valid or suspectmodifications have occurred tothe file. When potential risks


Comply with PDPL




C.1.1 Ensure Changes(Sensitive Data)

are discovered, the customerwill be promptly reminded.

D. Backup and Recovery

D.1 BackupCopies andRecoveryProcedure

D.1.1 Ensure a FormalBackup and RecoveryProcedure

Customer's PrivacyResponsibility:Customers should set upappropriate backup policies andbackup recovery processes,encrypt backup copies, and setup access control measures toprotect the security of backups.HUAWEI CLOUD ProvidesCustomer Service Support:HUAWEI CLOUD providescustomers with Cloud Backupand Recovery (CBR), VolumeBackup Service (VBS), andCloud Server Backup Service(CSBS). Customers can back updata and servers as needed andset access authorization ofbacked up data through IAM.

D.1.2 Ensure AccessControl

D.1.2 Ensure AccessControl (Sensitive Data)

E. Vulnerability Management

E.1VulnerabilityManagement

E.1.1 Prevent SecurityIncidents by Design

Customer's PrivacyResponsibility:Customers should establish asound security incidentmanagement mechanism toprevent and monitor theoccurrence of security incidents.Customers should prevent andmonitor security incidentsthrough vulnerability scanning,environmental isolation, foreignintrusion protection, audit logs,and ongoing device/hardware/program updates.HUAWEI CLOUD ProvidesCustomer Service Support:HUAWEI CLOUD has adedicated Product SecurityIncident Response Team to helpcustomers establish a maturevulnerability response

E.1.2 Ensure ProperProtection

E.1.2 Ensure ProperProtection (Sensitive Data)

E.1.3 Detecting PossibleSecurity Incidents


Comply with PDPL




E.1.4 Ensure Efficient andLasting Measures(Sensitive Data)

mechanism to reduce the risk ofvulnerabilities.At the same time, customerscan also use the five corefunctions of the VulnerabilityScanning Service (VSS) providedby HUAWEI CLOUD to discoversecurity risks exposed bywebsites or servers in thenetwork automatically. The fivecore functions are webvulnerability scanning,operating system vulnerabilityscanning, asset contentcompliance detection,configuration baseline scanning,and weak password detectionHUAWEI CLOUD provides HostSecurity Service (HSS) toprovide the functions of assetmanagement, vulnerabilitymanagement, baselineinspection, intrusion detection,etc. to reduce host security risksand enhance overall securityassurance capabilities.

F. Data Deletion

F.1 DataDeletion

F.1.1 Establish a DataDeletion Process

Customer's PrivacyResponsibility:Customers should set up a datadestruction mechanism todelete personal data when thedata owner requests or the datauser no longer needs it, toensure the security,confidentiality and irreversibilityof the destruction, and to keepthe corresponding records ofthe destruction.Customers should set updestruction mechanisms formedia that store personal dataand implement physicaldestruction processes throughdemagnetization,decomposition, incineration,

F.1.2 Establish SecureDeletion Methods

F.1.3 Appoint a ResponsiblePerson for Data Deletion

F.1.4 Monitor the DeletionProcess


Comply with PDPL




F.1.5 Discard of MediaDevices (Sensitive Data)

and shredding or replicationtechnologies.HUAWEI CLOUD ProvidesCustomer Service Support:HUAWEI CLOUD only followsthe customer's instructions fordata destruction. The type,quantity and media of datadestroyed are at the customer'sdiscretion.

G. Security Incidents

G.1Notification ofSecurityIncidents

G.1.1 DefineResponsibilities andProcedures

Customer's PrivacyResponsibility:Customers should establish asound reporting mechanism forsecurity incidents, and quicklyform and report securityincidents to related parties afterthe occurrence of securityincidents.HUAWEI CLOUD ProvidesCustomer Service Support:Customers can use the CloudEye Service (CES) to monitorthe running status of the serverand the resources on the cloudin real time. When a hardwarefailure occurs, CES will notifythe customer via email, SMS,and HTTP/S.

G.1.2 Prepare Reports

G.1.3 Notification

H. Development Environment


Comply with PDPL




H.1 Security ofDevelopmentEnvironment

H.1.1 Implement a SecureDevelopment Policy

Customer's PrivacyResponsibility:Customers should beresponsible for formulating andimplementing securitydevelopment strategies to meetthe security requirements forthe development environmentas defined by regulations.Customers should also encryptor anonymize personal data intheir development environment.HUAWEI CLOUD ProvidesCustomer Service Support:HUAWEI CLOUD supportscustomers to establish isolatedproduction and testingenvironment processes in thecloud using Virtual PrivateCloud VPC.

5.3 How HUAWEI CLOUD Products and Services HelpCustomers Implement Content Data Privacy andSecurity

HUAWEI CLOUD has a deep understanding of the customers' privacy protectionneeds, combining it with its own privacy protection practices and technicalcapabilities in order to help customers achieve compliance with the PDPLleveraging HUAWEI CLOUD products and services. HUAWEI CLOUD providescustomers with a large range of products and services such as networkingproducts, database products, security products, solutions for management anddeployment as well as other products. Data protection, data deletion, networkisolation, rights management and other functions implemented in HUAWEICLOUD products can help customers implement privacy and security of contentdata.● Management and Deployment of Products


Comply with PDPL


Product Description CorrespondingCore Requirementsand ControlMeasures

Identity andAccessManagement(IAM)

Identity and AccessManagement (IAM) providesidentity authentication andpermissions management.With IAM, customers cancreate users for employees,applications, or systems in theirorganization, and control theusers' permissions on ownedresources.Through IAM, customers canperform user management,identity authentication, andfine-grained resource accesscontrol on the cloud to preventunauthorized modification ofcontent data.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;PDPL-ConfidentialityObligation;Resolution47/2018-A.2;Resolution47/2018-B.1;Resolution47/2018-B.2;

Cloud TraceService (CTS)

Customers can review logs toperform security analysis,review compliance, and locateissues, etc.Customers can configure CTSobject storage service to saveoperation records to CTS in realtime and for a long period,protect the right to know ofdata owners, and enable quicksearching.

PDPL - Ensure datasecurity;PDPL-ConfidentialityObligation;Resolution47/2018-A.2;Resolution47/2018-B.1;Resolution47/2018-B.2;

Cloud Eye Service(CES)

Providing customers with amultidimensional monitoringplatform for elastic cloudservers, bandwidth and otherresources.Through CES, customers canhave a comprehensiveunderstanding of HUAWEICLOUD resources usage andbusiness operations status, andrespond to alarms in time toensure business continuity.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;Resolution47/2018-E.1;Resolution47/2018-G.1;


Comply with PDPL


https://www.huaweicloud.com/intl/en-us/product/iam.html



https://www.huaweicloud.com/intl/en-us/product/cts.html

https://www.huaweicloud.com/intl/en-us/product/cts.html

https://www.huaweicloud.com/intl/en-us/product/ces.html

Product Description CorrespondingCore Requirementsand ControlMeasures

Log Tank Service(LTS)

Providing functions such as logcollection, real-time query andstorage, which can be used tomake real-time decisionanalysis, improve the efficiencyof log processing, and helpcustomers to cope with dailyoperations and maintenancescenarios such as real-timelogs collection and queryanalysis without development'srequirements.Customers can keep records ofoperations on personal datathrough LTS to guarantee thedata owners' right to know.

PDPL - Ensure datasecurity;PDPL-ConfidentialityObligation;Resolution47/2018-A.2;Resolution47/2018-B.1;Resolution47/2018-B.2;Resolution47/2018-G.1;

● Security Products

Product Description CorrespondingPrivacy ProtectionObligations

DatabaseSecurity Service(DBSS)

Database Security Service (DBSS)uses machine learning mechanismand big data technologies toprotect customers' databases onthe cloud, audit and detect riskybehaviors, such as SQL injection,operational risks identification, etc.Customers can use DBSS to detectpotential risks and ensure thesecurity of their databases.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;Resolution47/2018-A.1;Resolution47/2018-E.1;Resolution47/2018-G.1;


Comply with PDPL


https://www.huaweicloud.com/intl/en-us/product/lts.html


DataEncryptionWorkshop(DEW)

Data Encryption Workshop (DEW)is a full-stack data encryptionservice. It covers Key ManagementService (KMS), Key Pair Service(KPS), and Dedicated HSM. WithDEW, customers can developcustomized encryptionapplications, and integrate it withother HUAWEI CLOUD services tomeet the most demandingencryption scenarios. Customerscan also use the service to developtheir own encryption applications.Customers can use DEW forcentralized key lifecyclemanagement to ensure theintegrity of data storageprocedures.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;Resolution47/2018-A.1;Resolution47/2018-A.2;Resolution47/2018-E.1;

WebApplicationFirewall (WAF)

Web Application Firewall (WAF)can conduct multi-dimensionaldetection and protection ofwebsite traffic, combining withdeep machine learning to identifymalicious requests, protect againstunknown threats, and blockcommon attacks such as SQLinjection or cross-site scripting.Customers can use WAF to protecttheir websites or servers fromexternal attacks that affect theavailability, security, or unwantedadditional resources consumptionof their web applications, reducingthe risk of data tampering andtheft.



Comply with PDPL


https://www.huaweicloud.com/intl/en-us/product/dew.html



https://www.huaweicloud.com/intl/en-us/product/waf.html




VulnerabilityScan Service(VSS)

Vulnerability Scan Service (VSS) isa multi-dimensional securitydetection service, with five corefunctions: web vulnerabilityscanning, asset contentcompliance detection,configuration baseline scanning,operating system vulnerabilityscanning, and identification ofsystems with a weak password.VSS enables customers to protecttheir data integrity byautomatically identifying securitythreats on their exposed websitesor servers.


Advanced Anti-DDoS (AAD)

Advanced Anti-DDoS (AAD) is avalue-added security defenseservice that defends against largevolumetric DDoS attacks onInternet servers.Customers can configure AAD todivert the attack traffic to high-defense IP addresses withsignificant defense capabilities forscrubbing, keeping customers'business stable and reliable.


● Network Products


VirtualPrivateNetwork(VPN)

Virtual Private Network (VPN)establishes a flexible, scalable IPsecencrypted communication channelbetween customers' local datacenter and their VPC on HUAWEICLOUD.Customers can build a flexible andscalable hybrid cloud computingenvironment, and improve theirsecurity posture with encryption ofthe communication channel.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;Resolution47/2018-A.1;Resolution47/2018-A.2;Resolution47/2018-E.1;


Comply with PDPL






https://www.huaweicloud.com/intl/en-us/product/vpn.html




VirtualPrivate Cloud(VPC)

Virtual Private Cloud (VPC) enablescustomers to create private,isolated virtual networks onHUAWEI CLOUD. Customers canconfigure IP address ranges,subnets, and security groups, assignElastic IP (EIP) addresses, andallocate bandwidth in a VPC.VPC is the customer's privatenetwork on the cloud, with 100%isolation from other customers,enhancing the data security on thecloud.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;Resolution47/2018-A.1;Resolution47/2018-A.2;Resolution47/2018-B.1;Resolution47/2018-B.2;Resolution47/2018-H.1;

● Storage Products

Product Description Correspondingprivacy protectionobligations

Volume BackupService (VBS)

Volume Backup Service (VBS)creates online permanentincremental backup for cloudhard disk, automatically encryptsthe backup disk data, and canrestore the data to any backuppoint to enhance dataavailability.VBS can reduce the possibility ofvirus attack, human errordeletion as well as hardware orsoftware failure, protect datasecurity and reliability, andreduce the risk of datatampering.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;Resolution47/2018-D.1;


Comply with PDPL


https://www.huaweicloud.com/intl/en-us/product/vpc.html

https://www.huaweicloud.com/intl/en-us/product/vpc.html

https://www.huaweicloud.com/intl/en-us/product/vbs.html

https://www.huaweicloud.com/intl/en-us/product/vbs.html

Product Description Correspondingprivacy protectionobligations

Cloud ServerBackup Service(CSBS)

Cloud Server Backup Service(CSBS) can simultaneously createa consistent online backup ofmultiple cloud drives within thecloud server.CSBS can reduce the possibility ofvirus attack, human errordeletion as well as hardware orsoftware failure, protect datasecurity and reliability, andreduce the risk of datatampering.

PDPL - Ensure thequality of personaldataPDPL - Ensure datasecurity;Resolution47/2018-D.1;


Comply with PDPL


https://www.huaweicloud.com/intl/en-us/product/csbs.html

https://www.huaweicloud.com/intl/en-us/product/csbs.html

6 HUAWEI CLOUD Privacy ProtectionRelated Certifications

HUAWEI CLOUD complies with all applicable privacy laws and regulations in theplace where it operates. HUAWEI CLOUD has a professional legal team to closelymonitor the update of laws and regulations, continuously track and analyze globallaws and regulations, to be compliance with applicable laws and regulations.

HUAWEI CLOUD's capabilities and achievements in privacy protection andpersonal data security have been widely recognized worldwide. Up to now,HUAWEI CLOUD has obtained almost 20 domestic and foreign certifications frommore than ten organizations, including global standard certifications related toprivacy and data security and regional data security certifications.

Privacy Related Standard Certifications:● ISO 27701

Privacy information management system certification. The ISO 27701certification shows that HUAWEI CLOUD has established a solid managementsystem related to data privacy protection.

● ISO 29151International practical guide to the protection of personal identityinformation. The adoption of ISO 29151 confirms HUAWEI CLOUD'simplementation of internationally recognized management measures for theentire lifecycle of personal data processing.

● ISO 27018International code of conduct focused on the protection of personal data inCloud. The adoption of ISO 27018 indicates that HUAWEI CLOUD has met therequirements of an internationally recognized personal data protectionmeasures of public cloud platform, and can guarantee the security ofcustomers' personal data.

● BS 10012Personal data management system standard issued by the British StandardsInstitute (BSI). The BS 10012 certification indicates that HUAWEI CLOUDoffers a complete personal data protection system to ensure personal datasecurity.

● SOC2 Audit

HUAWEI CLOUD Compliance with Argentina PDPL6 HUAWEI CLOUD Privacy Protection Related

Certifications


An independent audit report issued by a third party audit institution based onthe relevant guidelines developed by the American Institute of Certified PublicAccountants (AICPA) for the system and internal control of outsourced serviceproviders. At present, HUAWEI CLOUD has passed the audit of SOC2 type 1Privacy Principle, which proves that HUAWEI CLOUD has reasonable controlmeasures in terms of cloud management and technology.

Data Security Standard Certifications:● ISO 27001 Information Security Management System Certification● ISO 27017 Cloud Service Information Security Management System● ISO 20000 Information Technology Service Management System Certification● ISO 22301 Business Continuity Management System● ISO 27799 Health Information Security Management System Certification● CSA STAR Cloud Security International Gold Certification● PCI DSS Third-Party Payment Industry Data Security Standard Certification● International Common Criteria (CC) EAL3+ Security Assessment Standard● Management & Operations Stamp of Approval (M&O Program)● NIST Cybersecurity Framework● Payment Card Industry Three Domain Secure Certification (PCI 3DS)

Regional Security Certifications:● Multi-Tier Cloud Security(MTCS) Level3 (Singapore)● Certification for the Capability of Protecting Cloud Service User Data (China)● Trusted Cloud Service (China)● Classified Cybersecurity Protection of China's Ministry of Public Security

(China)● Gold Operations and Management certification (China)● Cloud Service Security Certification by Cyberspace Administration of China

(China)● ITSS Cloud Computing Service Capability Evaluation by the Ministry of

Industry and Information Technology (China).

HUAWEI CLOUD Compliance with Argentina PDPL6 HUAWEI CLOUD Privacy Protection Related

Certifications


7 Conclusion

HUAWEI CLOUD always adheres to HUAWEI's "customer-centric" core values, fullyunderstands the importance of customer personal data security, and respects andprotects customer privacy rights. HUAWEI CLOUD uses industry-wide security andprivacy protection technologies and provides customers with capabilities throughcloud services and solutions to help customers cope with increasingly complex andopen network environments and increasingly strict privacy protection laws andregulations.

To satisfy the requirements of local privacy protection laws and regulations,HUAWEI CLOUD follows up on the updates of relevant laws and regulations,converting new requirements into internal HUAWEI CLOUD regulations, andoptimizing internal processes to ensure that all activities carried out by HUAWEICLOUD meet the requirements of laws and regulations. HUAWEI CLOUDcontinuously develops and launches privacy protection related services andsolutions to help customers implement privacy protection laws and regulations ineach region.

Compliance with data protection laws and regulations is a long-term and multi-disciplinary activity. HUAWEI CLOUD is committed to continuously improvingcapabilities in the future in order to satisfy relevant laws and regulations and tobuild a secure and trustworthy cloud platform for customers.

This white paper is for reference only and does not have any legal effect orconstitutes a legal advice. Customers should assess their own situation when usingcloud services and ensure compliance with the PDPL and other regulatoryrequirements when using HUAWEI CLOUD.

HUAWEI CLOUD Compliance with Argentina PDPL 7 Conclusion


8 Version History

Date Version Description

2022-4 1.1 Routine update

2020-12 1.0 First release

HUAWEI CLOUD Compliance with Argentina PDPL 8 Version History


HUAWEI CLOUD Compliance with Argentina PDPL

Documents