Authoritative release || "Data Outbound Security Evaluation Measures" hot question answers

On July 7, the National Internet Information Office announced the "Evaluation Measures for Data Outbound Security" (hereinafter referred to as the "Measures"). The relevant person in charge of the National Internet Information Office answered the "Measures" related questions.

Q: Please briefly introduce the background of the "Measures"?

Answer: In recent years, with the vigorous development of the digital economy, data cross -border activities have become increasingly frequent, and data processor's data outbound demand has grown rapidly. At the same time, due to the differences in the legal system and protection level of different countries and regions, the risk of data outbound security is also prominent. Data cross -border activities not only affect personal information rights and interests, but also affect national security and social public interests. Many countries and regions in the world have successively proceeded from their own countries and regions, and have made institutional exploration of cross -border security management in data. The formulation of the "Measures" is an important measure to implement the "Cyber ​​Law", "Data Security Law", and "Personal Information Protection Law". Social public interests promote cross -border security and free flow of data.

Question: What does the data outbound activity of the "Measures" refer to?

Answer: The data outbound activities mentioned in the "Measures" mainly include: First, data processors will collect and store data transmission and storage of data transmission and generated in domestic operations. The second is that data processor collected and generated data is stored in the country, and overseas institutions, organizations or individuals can access or call.

Q: What situations need to declare data outbound security assessment?

Answer: The "Measures" specifies the four types that should declare data outbound security assessment: First, data processors provide important data to overseas. The second is the data processor of key information infrastructure operators and data processors who handle more than 1 million personal information to provide personal information abroad. Third, from January 1 last year, the data processor provided with a total of 100,000 personal information or 10,000 sensitive personal information from overseas provided personal information overseas. Fourth, other situations stipulated by the national network information department to declare data outbound security assessment.

Q: What are the main assessments of data outbound security assessment?

Answer: Data outbound security assessment key assessment of data outbound activities may bring the risks brought by national security, public interest, individual or organization's legitimate rights and interests, which mainly include the following matters: First, the legality of the purpose, scope, method, etc. of data outbound exit, legitimacy, and legitimateness Sexuality and necessity. The second is the impact of data security protection policies and regulations of the country or region where the overseas receiving party is located or the network security environment on the security of outbound data; Require. Third, the scale, scope, type, type, and sensitivity of outbound data. After departure and outbound, the risks such as tampering, destruction, leakage, loss, transfer or illegal utilization are illegally obtained. Fourth, whether data security and personal information rights can be fully guaranteed. Fifth, whether the data processor and the overseas receiving party have fully agreed the liability for data security protection in the legal documents planned by the foreign receiver. Sixth, comply with Chinese laws, administrative regulations, and departmental regulations. Seventh, the national network information department believes that other matters that need to be evaluated.

Question: In order to regulate the data outbound security assessment activities, what specific processes of the Measures clarify?

Answer: The "Measures" clarify the specific process of data outbound. The first is to evaluate beforehand. Before providing data to the country, data processors should first carry out self -assessment of data outbound risks. The second is to apply for assessment and comply with the assessment of exit security assessment, the data processor shall apply to the national network information department to declare data outbound security assessment to the national network information department through the provincial network information department in which they are located. The third is to carry out evaluation. From 7 working days from the date of receiving the application materials, the national network information department determines whether to accept the assessment; the data outbound security assessment is completed within 45 working days from the date of issuing the notice of writing; the situation is complicated or the situation is complicated or the situation If you need to add and correct the materials, you can appropriately extend and inform the data processor's expected extension time. The fourth is to re -evaluate and terminate the outbound. If the validity period of the evaluation results expires or re -evaluate the situation in these measures during the validity period, the data processor shall re -declare the data outbound security assessment. If the data outbound activities that have been evaluated will no longer meet the requirements of data outbound security management in the actual processing process, after receiving the written notice of the national network information department, the data processor shall terminate the data outbound event. If the data processor needs to continue to carry out data outbound activities, rectification shall be rectified as required, and the evaluation shall be reorganized after the rectification is completed.

Question: How to guarantee legal rights such as the business secrets of the data processor during the evaluation process?

Answer: The "Measures" stipulates that relevant institutions and personnel participating in the safety assessment work shall keep secrets of state secrets, personal privacy, personal information, business secrets, and confidential business information that they know in their duties. Provided by others and illegally.

Question: What regulations do the "Measures" clarify?

Answer: In addition to the above evaluation content, specific procedures, confidentiality requirements and other management measures, the "Measures" also clarify the national network information department responsible for deciding whether to accept the security assessment, and organize the relevant departments of the State Council, the provincial online information department, and specialize in the application of the statement. Institutions such as institutions and other safety assessments. Provincial online information departments are responsible for receiving data outbound security assessment application materials and complete complete inspections. Any organization or individual finds that data processors provide data to overseas, and they can report to the online information departments at or above the provincial level. Question: When did the data processor declare data outbound security assessment?

Answer: Data processors shall declare before the data outbound event and pass the data outbound security assessment. In practice, data processors should declare data outbound security assessment before signing data outbound -related contracts with overseas receiving parties or other legal effects (hereinafter referred to as legal documents). If you declare evaluation after signing legal documents, it is recommended to indicate that this document must take effect after passing the data outbound security assessment to avoid losses that may not be caused by failure to pass the evaluation.

Question: What are the results of enterprise declaration data outbound security assessment?

Answer: First, the declaration will not be accepted. For those who do not belong to the scope of security assessment, data processors can carry out data outbound activities through other legitimate channels stipulated by the national network information department without acceptance. The second is through safety assessment. Data processors can carry out data outbound activities strictly in accordance with the written notice of the evaluation. The third is not to pass safety assessment. Those who fail to pass the data outbound security assessment shall not carry out the data outbound activities they declare.

Q: How to deal with objection to the evaluation results?

Answer: Data processors have objections to the assessment results. They can apply for re -evaluation to the national network information department within 15 working days when they receive the evaluation results. The re -evaluation results are the final conclusion.

Question: How long is the result of the data outbound security assessment?

Answer: The results of the data outbound security assessment are valid for 2 years, and calculated from the date of the evaluation results. If the validity period expires, the data processing activities need to be carried out, and the data processor shall re -apply for evaluation before 60 working periods of the validity period.

Question: How to investigate the legal responsibility in violation of the Measures?

Answer: If the Measures clarify that the data processor violates the provisions of these Measures, it shall be handled in accordance with the provisions of the "Cyber ​​Security Law", "Data Security Law", and "Personal Information Protection Law"; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.

Question: How can personal information be provided abroad, the relationship between security assessment and standard contracts, and personal information protection certification, how can three ways be connected?

Answer: The scope of the "Measures" has been clear. For the data processing situation of personal information processors who are applicable to security assessment, the status of security assessment shall be declared; Or sign a standard contract formulated by the national network information department to meet the conditions for cross -border personal information, and facilitate personal information processors to carry out data outbound activities in accordance with the law.

(Source: "Internet Information China" WeChat public account)

- END -