esg-governance-information-security

Information Security

LONGi has a strong commitment to users’ information security and privacy protection. Based on local applicable laws and regulations, such as the Data Security Law of the People’s Republic of China, Personal Information Protection Law of the People’s Republic of China, and European Union’s General Data Protection Regulation (GDPR), we formulated regulatory documents such as the Information Security and Privacy Management System Manual, Guidelines for Data Subject Rights Response, Guidelines for Personal Information Security Incident Management, and Information Security Management Policies. For the transmission of user information involving cross-border products or services, the Company strictly follows the provisions of applicable laws and regulations, manages and transmits cross-border data legally and securely, and ensures the security of users' personal information.

The Company established a comprehensive management system for information security and privacy protection, incorporating privacy protection policies and related efforts into the overall risk and compliance management across the Company. Internal and external audits on privacy policy compliance were conducted on a regular basis to ensure effective implementation of the Company’s privacy policies. In 2023, all of our IT infrastructure and information systems have obtained the ISO 27001 and ISO 27701 certifications. To ensure effective operation of the system, the Company conducts regular internal audits and regulatory reviews annually, and undergo audit trails by external organizations.

Emergency management

The Company adopts a set of whole-process information security response and protection measures: rigorous preventive efforts before incidents, proactive response during incidents, and swift handling upon incidents. The Company formulated the Information Security Emergency Response Plan and an information security issue reporting process to ensure timely handling of cybersecurity emergencies. At least one penetration testing is conducted on all information systems of the Group every year, with third-party vulnerability analysis and rectification based on the results ensured. In 2023, 263 system vulnerabilities were identified, all of which have been fully rectified or have a remediation plan in place, without impacting any customers or internal employees. No privacy breach incidents occurred during the year.

Capacity building

In terms of information security training for employees, the Company sent over ten tweets throughout the year via email and LONGi’s WeChat official account, disseminating information security knowledge to all employees, so that they handle information security issues with caution. In cases where information leakage incidents occur due to personal reasons of employees, the Company will implement disciplinary actions corresponding to the severity of the incident. In order to strengthen information security management of suppliers, the Company integrated supplier information security management standards into the Supplier Management Regulations, checked and assessed suppliers’ information security capabilities when necessary, and ensure information security rights and interests of both parties through confidentiality agreements, service monitoring, reviews, and other measures.