As a global leader in building Internet communities, NetDragon highly values privacy and data security. China has established one of the strictest regulations on Internet user private information protection in the world. In March 2020, the National Information Safety Standardization Technique Committee released the national standard GB/T 35273-2020 <Information Safety Technology and Personal Information Safety Standard>. In March 2021, <Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications> were released by four governing ministry-level bodies. In May 2021, the <Civil Code> was approved by the National Congress. In June, the <Data Security Law> was approved, and the <Personal Information Protection Law> was approved in August. These laws, regulations, and national standards have set up a complete legal protection system for privacy and data security.
To ensure we strictly follow these laws and regulations, NetDragon enforces a complete set of internal policies and procedures on information security management (based on the framework in the GB/T 35273-2020 <Standard>) that cover all our relevant business lines. These policies and procedures include the following:
Full-cycle preventive measures covering data collection, transmission, storage and usage phases
Clear definition of data owners’ right
Mechanism to handle collection of complaints and response procedures
Mechanism for reporting of data breach incidences
Data protection impact assessment
Organizational measures to strengthen information security management
Regular engagement and cooperation with the regulatory bodies
Below are our Privacy and Data Security Principles:
Data Collection Phase：
Principle of Legality: No data collected from any illegal channels
Principle of Minimum Necessity: Only collect the data necessary to fulfill the application
Principle of Autonomy: Set isolated application scenarios and provide unbundled services, allowing for user’s autonomy
Principle of Authorized Consent: Fully inform users about the intent, method and range of the data collection before their authorization, and no data collection without user authorization
Data Storage and Transmission Phase：
Shortest Time Principle: The storage period is the minimum time required
De-Identification Management: Apply de-identification after the data collection, store the data separately and strengthen access and usage control
Encryption Measures: Apply national encryption standard during data storage and transmission
Data Access and Application Phase：
Principle of Access Control: Implement minimum access control strategy, internal supervision and approval process for data revision and download
Principle of Purpose Limitation: Data application must comply with the purpose stated during collection phase, any applications beyond the stated purpose need separate authorization
Principle of Publicity Restrictions: Utilize de-identification technology to exclude sensitive information in the presentation of personal data to protect privacy and security
NetDragon is committed to protecting personal data owners’ rights during all business operations. Users have explicit rights and convenient channels to inquire, revise, delete, revoke the authorization of all their personal data.
Cross-border Issues of Personal Data：
NetDragon fully complies with all relevant laws and regulations on cross border transmission of personal data to ensure our users’ privacy and personal data are safe and protected. We achieved segregated management of onshore and offshore personal data by implementing effective business structures together with the use of our technology infrastructures. Going forward, we will continue to strive to uphold the highest global standard to enhance Privacy and Data Security.
Employee Training and External Audit
Similar to business ethics polices, employee training on privacy and data security covers all relevant employees. We also require all relevant suppliers and business partners to adopt similar principles to fully protect Privacy and Data Security. NetDragon has passed ISO/IEC27001 Information Security Management System Evaluation. We also invite external audit to conduct Category Three Evaluation (please refer to GB/T 28448-2019 <Information Security Protection Evaluation Requirements> annually. In addition, our major overseas subsidiary – Promethean has acquired iKeepSafe FERPA and COPPA certification in the US.
Links to Privacy and Data Security Policies of Subsidiaries
Privacy and Data Security Policy of China Gaming Subsidiary
Privacy and Data Security Policy of China Education Subsidiary
Privacy and Data Security Policy of Promethean
Privacy and Data Security Policy of Edmodo
Privacy and Data Security Policy of Jumpstart
Note: revenue of the above subsidiaries represents over 96% of our group revenue in 1H 2021.