Data Privacy

Data is critical to the digital economy. Almost every online action we take produces data, whether it’s something as simple as paying a friend or looking up a restaurant. Data can be used to help companies improve their products and services, maximizing value to users.

User privacy and data security are the top priorities at Tencent. We believe that protecting the privacy of our users’ data is essential to creating both safe and market-leading user experiences, and that users should be in control of their data and well informed about how their data is collected and used. This is why we practice “Privacy by Design” and “Privacy by Default” in developing our products and services.

It’s important to be transparent about how we manage data so we can build trust with users and help make our products and services safer and more accessible for everyone.

Design

Tencent focuses on privacy at every level. Our dedicated privacy and legal teams work hand-in-hand with our product teams to ensure that our products and services are built with privacy in mind from the ground up and comply with all applicable laws and regulations. Our product teams also work closely with our engineering teams to ensure that our data collection and data use practices are transparent.

We believe that users should be able to manage their own data. Our products and services are designed to minimize the amount of data that Tencent, or anyone else, collects and has access to. When data is collected, we provide a wealth of user controls so users can manage how much of their data is collected, used, and shared. These features have been researched, designed and implemented over many years in order to protect users’ privacy and allow them to directly manage their data.

Privacy by Design

Our approach to data protection follows the widely recognized ‘Privacy by Design’ concept, which is the foundation on which all of our products and services are designed and developed. ‘Privacy by Design’ means integrating privacy protection features from the very early stages of development to ensure it is a core component of a new product or service. We then continuously think about and aim to improve privacy protection throughout the product lifecycle. Our approach to ‘Privacy by Design’ is encapsulated in three words: ‘Person-Button-Data’.

‘Person’ reflects our users are central to everything we do. Core to this is the notion of transparency and our commitment to letting users know how their data is used. Privacy remains our highest priority in all that we do. We strive to ensure that, in line with applicable laws and regulations, users can manage their personal data. We only collect the minimum amount of data required to power our products and services, we do not provide users’ data to third parties without a clear legal basis, and users are informed as to what data is shared, how it is shared, and with whom it is shared.
‘Button’ represents a reminder of our commitment to providing users with the ability to manage their data in an easy, seamless way - like the click of a button. Our products and services generally include a privacy control suite or center where users are empowered to access, obtain a copy, or request deletion of their data in accordance with applicable laws.
‘Data’ refers to user data, which we safeguard with our thorough and cutting-edge cybersecurity technology and management protocols. Our round-the-clock Security Platform Department comprises some of the world’s leading data security experts. They collaborate with external security researchers and partners worldwide through our online Tencent Security Response Center platform to create a more robust and secure digital environment. Together, these provide world-class threat monitoring, defense, and response mechanisms to safeguard user data and enable prompt detection and resolution of security incidents.

Tencent’s Data Protection Officer is available to address any and all questions regarding Tencent’s privacy practices, or any product-specific privacy policy, at [email protected].

Internationally-recognized efforts

Tencent’s data privacy protection efforts are internationally recognized. WeChat/Weixin and QQ have secured TrustArc and ISO/IEC 27018 accreditations, and Tencent Cloud has secured CISPE and ISO 27701 accreditations, among others.

Building a Secure and Privacy-Focused Culture

Culture and Responsibility

We are committed to developing and maintaining a privacy-focused culture, placing user privacy at the heart of everything we do. We believe that protecting our users’ privacy is a shared responsibility for each member of our team regardless of job function or level, and we provide comprehensive and regular company-wide privacy education and awareness training programs for all of our employees. We systematically communicate our privacy and cybersecurity guidelines and procedures to all staff, and strictly enforce safeguards across our products and services at all levels.

Oversight

Tencent and its board of directors have always attached great importance to the protection of our users' personal data. Tencent has a top-down approach when it comes to data privacy compliance and has developed a robust internal evaluation process to ensure that all products are fully assessed to comply with all applicable data privacy laws, and that all data collected are securely transmitted and stored.

Privacy Impact Assessments

As part of our privacy-focused work, we regularly undertake Privacy Impact Assessments (PIAs) for our products and services. These PIAs evaluate the privacy-related risks of our products and services in the relevant jurisdictions where we operate. Our dedicated privacy legal team identifies, highlights, and manages privacy risks and minimizes potential impacts to individual rights and any other adverse privacy issues.

Incident Management

Tencent has comprehensive systems in place to ensure that our teams respond rapidly to information security incidents (such as attacks from attrition, ransomware, the web, email, impersonation, improper usage, system outages and deletion, loss or theft of data, etc.). Our main goals are to ensure the integrity of our systems, to protect the data entrusted with us by users, and ensure we meet all business and compliance regulations. We use various incident analysis mechanisms and risk protocols to ensure that Tencent responds appropriately and swiftly to any threat detected.

Reporting

Government Enforcement

Tencent acts in accordance with applicable laws and is guided by the following general principles whenever we receive requests for disclosure of data from authorities and regulators:

We respond to valid legal requests consistently and fairly across all jurisdictions where we offer our products and services, subject to applicable laws and regulations and our interpretation of potential differences between jurisdictions;
Whenever possible and subject to applicable laws, we are transparent with our users in the actions that we take in response to valid legal requests, to afford affected users an opportunity to respond to the request;
We carefully review all requests to ensure that we comply with all applicable laws and regulations in our response, while respecting our users’ rights. That may include taking sufficient internal and third-party professional advice.