Privacy Protection for Individuals

ZTE develops compliance procedures for its key obligations for individuals, such as data breach response, response to Data Subject Right (DSR) requests, and Data Protection Impact Assessment (DPIA), and incorporates the systems into business processes to facilitate cross-departmental collaboration and automatically keep operation records that can prove the effectiveness of the compliance system.

• Personal Data Breach Response: ZTE has set up a personal data breach response mechanism based on rapid multi-party cooperation, which defined our work procedures by IT-based management and control system. A supporting information system has been developed based on the specialized event reporting system. The entire emergency response process can be tracked and recorded to meet internal and external potential document retrieval and evidence submission needs. In the meantime, data breach emergency drills have been organized on an irregular basis to strengthen the verifiability of job responsibilities and emergency response mechanisms, fully preventing data breach and handling data breach in an efficient and rational way. To ensure the implementation of personal data breach policies and measures, ZTE has also set up data protection audit mechanisms and violation reporting channels. Through the work of full-time compliance audit team, self-inspection audits have been incorporated into our internal control assurance system to perform regular audits to promote the normal cycle of cultural development, resource investment, process re-engineering, and capacity improvement.

• Response to DSR Requests: ZTE has provided IT-based, easy-to-use, and open channels for data subjects to apply for exercising their rights, thus ensuring that DSR requests are promptly accepted and comprehensively managed. Data subject can respond effectively when he/she exercises their data subject right through the Online Application Entrance. To be specific, a professional internal process response system has been built through IT-based tools, so that compliance experts and Data Protection Officer can participate in the process and meet the requirement of quickly responding requirement to data subjects. In the meantime, we can track and record the entire response process to meet internal and external potential document retrieval and evidence submission needs. Data subject can contact the Data Protection Compliance Department of the ZTE via the Online Application Entrance directly. At the same time, the system will ensure the security of the personal data during the process. Based on the IT-based data subject rights response system, ZTE provides data subjects with high-quality interactive experience and improves social trust with good compliance behavior.

• DPIA: For new products, new technologies and major product service changes, to ensure that the personal data processing process meets the international data protection compliance requirements, ZTE through IT online evaluation tools, adopts the Data Protection Impact Assessment method to carry out data protection risk assessment. In practice, ZTE has adopted the data protection impact assessment process to promote risk analysis and take related risk control measures in research & development (R&D), sales, operation, maintenance, and other main business processes. In the R&D stage, for example, we conduct Data Protection Impact Assessment of the personal data in order to analyze the security measures in respect of permissions, logs, encryption and anonymity that have been taken to guarantee the safety of personal data. Before data processing and transfer, the evaluation concerning the requirements of the relevant national laws has to be carried out, applicable international rules must be identified, and corresponding obligations must be fulfilled.