What is the purpose of this Privacy Notice?

We understand the importance of your privacy and pledge to take all appropriate security measures to protect it in accordance with the industry's well-established safety standards. This Privacy Policy gives you information about the personal data we collect about you in relation to your use of Open Source Technology Center (“ OSTC”), and how and why we use it to meet our obligations under the GDPR. It also contains a summary of your rights in relation to your personal data. Some of the terminology in this Statement may be unfamiliar to you – there is a glossary at the end of the Statement which you may find useful. Terms which are included in the glossary are in capital letters.

The identity and contact details of the Joint-Controllers

Huawei Poland and Huawei Italy are jointly responsible as joint controllers. The joint processes particularly pertain to the operation and use of jointly used databases, platforms and IT systems. With respect to the joint processes, we jointly determine the purposes and means of processing. In an agreement on joint controllership pursuant to Article 26 GDPR, we have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfils which data protection obligations.

OSTC is a team managed by Huawei Poland (Domaniewska 39a, 02-672 Warsaw, Poland) and Huawei Technologies Italia (Via Lorenteggio, 240 - Tower A – 20147 Milan, Italy and registered with the Chamber of Commerce di Milano Monza Brianza Lodi with registration number 04501190963), (hereinafter jointly referred to as "we", "us" or "our").


What Personal Data do we process, for what purposes and how?

Personal Data collected and processed

The source of personal data

Data will be collected directly by you as the Data Subject.

Will we process special categories of data?


Below you will find detailed information on what personal data we process, for what purpose and on what legal basis arising from generally applicable data protection regulations.

For what purpose does Huawei process your personal information?

What categories of personal data do we process for this processing purpose

Legal basis of processing

Create your account, identify and authenticate your access to the Services and provide you with the Services you have requested

Your name, last name, username, email address and password as well as authentication token when you make use of dual-factor authentication to your user account

Legitimate interests. We use your personal information for our legitimate interests, such as to provide you with services you requested, allow you to participate in creation of OSTC platform

Completing your profile page with the information you voluntarily provided

Profile information: such as avatar (profile picture), time zone, social media IDs, website url, location, job title, organization, bio, and others available at your profile page

Implied consent granted by you hence you make the decision to voluntarily provide and upload unnecessary data to complete the profile page

Improve the security of and troubleshoot our Services, as necessary to perform the contract governing your use of our applications or to communicate with you

IP address, device type, operating system, browser type and version, language preference, cookie identifiers, hardware identifiers, and mobile IDs

Legitimate interests. We use your personal information for our legitimate interests, such as improving the security of and troubleshoot our Services

Detect, prevent, or otherwise address fraud and abuses

Personal data we collect through your use of the Services

Legitimate interests. We use your personal information for our legitimate interest, such as administrative, security, fraud prevention purposes as well as ensuring the safety of users of the platform

Comply with our legal obligations

Personal data that is necessary for compliance with a legal obligation that we are subject to

Legal obligation. We may disclose personal information or other information we collect about you to law enforcement if required in response to a valid subpoena, court order, search warrant, a similar government order


Recipients of the personal data

Huawei uses suppliers and service providers to ensure carrying out its business, including for the provision of OSTC, and to ensure adequate protection of the Personal Data. The processing of Personal Data in relation to our suppliers is always commissioned by us and the parties will act only on our behalf as data processors or based on another contractual set-up. Such processing is always protected with contractual arrangements to ensure that your Personal Data is processed in accordance with the laws and good data processing practices. To comply with applicable laws or respond to valid legal procedures, Huawei may also disclose your personal data to law enforcement or other government agencies.

Huawei and its suppliers and service providers shall establish technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to ensure the confidentiality, integrity and accessibility of the Personal Data processed; prevent the unauthorized use of or unauthorized access to the Personal Data or prevent a Personal Data breach (security incident).

Your personal data will also be shared with the engagement team of Huawei managing OSTC project which is located in Poland.

Your personal data may also be disclosed to another company in connection with a merger, acquisition, sale of assets (e.g., a service contract), or transfer of service delivery.


How long we retain the Personal Data for

Any personal data published by the user of GitLab and Mattermost services will be kept for one year. After that time the data will be automatically permanently deleted. Your user profile may be deleted anytime upon your request (please see below how to submit requests concerning your data subject rights).

Retention rules established and implemented for OSTC:

§ In order to ensure effective data minimization principle in the processing activity, Huawei reserves the right to permanently remove user profile if it has not been used for an extensive amount of time;

§ In the case of legitimate interest legal basis - we will keep your personal data until the project is completed, i.e., until The OpenHarmony Project is delivered;

§ In the case of implied consent legal basis (depending on which comes first) – we will keep your data until you withdraw your consent or if the profile page including voluntarily given personal data has not been used for one year;

§ In the case of legal obligation legal basis – we will keep your personal data as long as it is required by law, e.g. tax law.


Transfer of Personal Data out of the EEA

Your information is securely stored by our cloud infrastructure vendor in Europe/ Germany - Open Telekom Cloud. Our employees and contractors that process personal data information may be located in Europe/Poland.

Disclosure with our suppliers: we host our services at 3rd party cloud service for which infrastructure is located in Europe. Specific information about data protection and compliance can be found here .


Your rights as a data subject

As the data subject, you have the following rights in relation to your personal data. Depending on the case and the legal basis for processing your personal data, these rights may be subject to certain restrictions under the applicable data protection rules. To exercise these rights or contact us on privacy or data protection issues, please send your enquiry via the form:

Right of Access

You have the right to obtain from Huawei or any of its affiliates confirmation as to whether or not Personal Data concerning you is being processed and, where that is the case, access to a copy of the Personal Data and specific information about how Huawei or any of its affiliates processes your Personal Data.

Right of Rectification (Correction)

You have the right to obtain from Huawei the correction of inaccurate Personal Data concerning you and also the right to have incomplete Personal Data completed.

Right of Erasure (Deletion)

You have the right to obtain from Huawei or any of its affiliates the erasure (deletion) of your Personal Data in particular circumstances.

Right of Restriction

You have the right to obtain from Huawei or any of its affiliates restriction of processing in particular circumstances.

Right of Objection

You have the right to object to the processing of your Personal Data in particular circumstances.

Right of Portability

In certain circumstances, you have the right to receive your Personal Data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller Please bear in mind that the right of portability does not apply in the case of processing personal data on legitimate interests basis.

Right to Withdraw Consent

Where the legal basis of processing Personal Data is based on consent, you have the right to withdraw your consent at any time by providing a withdrawal notice to Huawei or any of its affiliates. Please note, however, that the withdrawal of your consent will not affect any use of the Personal Data made before you withdrew your consent.

Right to lodge a Complaint

If you consider your Personal Data is not being processed in compliance with the applicable laws, you have the right to lodge a complaint with any relevant supervisory authority, in Poland- President of the Personal Data Protection Office




An organisation who (alone or jointly with others) determines the purposes and means of the processing of Personal Data.

Data Transfer Agreement

An agreement containing standard data protection clauses adopted by the European Union Commission as referred to in Article 46(2)(c) of the GDPR.

Data Subject

The identified or identifiable natural person to whom the Personal Data relates.


The European Union General Data Protection Regulation (2016/679).

Legal Basis

Processing of Personal Data is only lawful if and to the extent that at least one legal basis specified in the GDPR applies. The available legal bases which are applicable are summarised as:

  • Consent of the Data Subject. Applies to personal data that you voluntarily provided while completing your profile page.
  • Processing is necessary for compliance with a legal obligation to which the Controller is subject
  • Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data (Legitimate Interests).

Personal Data

Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Personal Data

Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.