Privacy/Data Protection in Products

ZTE incorporates privacy by default concepts into its products and service solutions by formulating regulations based on the concepts of privacy by design and privacy by default, specifying the principles, policies, and basic requirements for privacy protection in the product research & development (R&D) process and business activities. ZTE also implements privacy by design throughout the entire product R&D process:

• Requirement Analysis Phase: Identify the personal privacy that the products may involve, assess the personal privacy protection requirements, analyze whether the product functions related to personal privacy processing are necessary based on risk assessment and the specified personal privacy protection requirements and principles, and for functions to be preserved, identify the potential risks and set protection strategies based on the personal privacy protection requirements.

• Product Design Phase: Design a reasonable security structure and technical measures according to the identified personal privacy protection requirements, review the product design plan, output privacy protection impact assessment reports, adjust the requirements or take targeted organizational and technical measures to address the identified risks, including personal privacy protection contents in the product design plan, and keep documents related to privacy protection design to provide proof for product improvement, evaluation, management, and maintenance.

• Product Development Phase: Implement personal privacy protection requirements and design, and evaluate whether the collection, use, transmission, storage, and deletion of personal data meet the design requirements when the functions are implemented.

• Testing and Verification Phase: Verify the personal privacy protection measures, include the personal privacy protection contents in the product test scheme, and perform compliance tests.

• Release Phase: Conduct privacy protection impact assessment or review key control points before releasing a product, and organize the assessment. Only after the assessment is passed can the product be released or deployed.

• Operation and Maintenance Phase: Ensure that the product operation, use, maintenance, and management processes comply with the management requirements of personal privacy protection.