IoT Privacy White Paper - Xiaomi

2.1 Privacy Governance

Dating back to 2014, Xiaomi established the Information Security and Privacy Committee and appointed a Chief Privacy Officer to manage and coordinate information security and privacy affairs across the company. Xiaomi adopts a cross-functional approach to privacy governance. Chaired by the vice president, the Committee consists of members from the Information Security and Privacy, Legal, Internal Audit and Supervision, Corporate Communications, and Human Resources teams, together with all the business units in the company, including but not limited to smartphones, IoT products, software and internet services, e-commerce, and sales and services. The Committee is responsible for creating and maintaining the information security and privacy management system, setting and implementing privacy principles and standards, conducting privacy impact assessments, overseeing and managing privacy risks at all stages of product development and operations, and developing and promoting privacy enhancement technologies.

Following the ISO/IEC 27701 Privacy Information Management System (PIMS), Xiaomi has established a privacy protection framework that covers user communication, data governance, data life cycle management, risk identification, security protection measures, and incident response. We strive to establish rigorous, standardized, and progressive internal privacy compliance review procedures and processes to ensure that our products and services meet our privacy protection standards. Every Xiaomi product or service available on the market has undergone an internal privacy impact assessment covering data collection, storage, use, and destruction.

We provide users with a copy of our Privacy Policy and ask them for consent when they use our product or service for the first time. We also provide choices and controls so that users can manage their data as easily as possible.

We are committed to keeping your personal information secure. To prevent unauthorized access, disclosure, or other similar risks, we have put in place industry-recognized physical, electronic, and managerial procedures to safeguard and secure your information.

All our employees receive general information security and privacy training and assessment every year, where they learn about the concepts and practices of security and privacy protection. Additionally, we provide various professional privacy training courses, covering privacy law, management, and technology, for our engineers, specialists, and professionals in different departments. Since 2020, we have also hosted Information Security and Privacy Awareness Month every year in the company to raise security and privacy awareness among our employees and affiliates.

Our employees and those of our business partners and third-party service providers who access your personal information are subject to enforceable contractual obligations of confidentiality.

We conduct due diligence on business partners and third-party service providers to make sure that they can protect your personal information.

We care about protecting your personal information and try to minimize any personal data breaches, which we address in compliance with applicable data protection laws. Our responses include, where required, providing notice of the breach to the relevant data protection or supervisory authority and data subjects affected by the breach.

We have obtained ISO/IEC 27001, ISO/IEC 27701, BSI IoT Kitemark™, and TÜV Rheinland Cybersecurity and Privacy Protection Standard Certificate and carry out yearly third-party audits to maintain these certifications.