2.1 Privacy Governance
Leadership
In 2014, Xiaomi established the Information Security and Privacy Committee ("the Committee") and appointed a Chief Privacy Officer to manage and coordinate information security and privacy matters across the company. Xiaomi adopts a cross-functional approach to privacy governance. Chaired by the Vice President, the Committee consists of members from the Information Security and Privacy, Legal, Internal Audit and Supervision, Corporate Communications, and Human Resources teams, and all the company's business units, including but not limited to smartphones, IoT products, software and Internet services, e-commerce, and sales and services. The Committee is responsible for creating and maintaining the information security and privacy management system, setting and implementing privacy principles and standards, conducting privacy impact assessments, and overseeing and managing privacy risks at all stages of product development and operations, as well as developing and promoting privacy enhancement technologies.
Privacy Protection Framework
Following the ISO/IEC 27701:2019 Privacy Information Management System (PIMS), Xiaomi has established a privacy protection framework that covers user communication, user data rights, data governance, data life cycle management, risk identification, security protection measures, and incident response. We strive to establish rigorous, standardized, and progressive internal privacy compliance review procedures and processes to ensure that our products and services meet our privacy protection standards. Every Xiaomi product or service available on the market has undergone a privacy impact assessment internally, which examines aspects such as data collection, storage, use, and destruction.
A copy of our Privacy Policy is provided to users, and their explicit consent is obtained when they use our products or services for the first time. Users are also offered options and controls to manage their data.
We are committed to ensuring the confidentiality and protection of our users' personal information. To prevent unauthorized access, disclosure, or other similar risks, we have put in place industry-recognized physical, electronic, and managerial procedures to safeguard and secure the information.
Each year, we ensure that all our employees receive general information security and privacy training and assessment, where they gain knowledge about security and privacy protection concepts and practices. We also provide various professional privacy training courses, covering privacy laws, management, and technology for our engineers, specialists, and professionals in different departments. Starting in 2020, we have introduced an annual Information Security and Privacy Awareness Month, aiming to increase awareness of security and privacy among our employees and affiliates.
Our employees, business partners, and third-party service providers who access users' personal information are subject to contractual confidentiality obligations.
To safeguard users' personal information, we conduct due diligence on our business partners and third-party service providers to verify their ability to provide adequate protection.
We are committed to protecting users' personal information and taking measures to minimize the occurrence of personal data breaches. If such an event occurs, we respond in accordance with applicable data protection laws, including notifying the relevant data protection or supervisory authority and the affected data subjects if necessary.
We hold ISO/IEC 27001, ISO/IEC 27018, and ISO/IEC 27701 certifications, as well as TRUSTe Enterprise Privacy certifications, all of which demonstrate our commitment to maintaining high privacy standards and security. Additionally, we conduct annual third-party audits to ensure that we continue to meet the requirements of these certifications.