Heavy | National Network Information Office announced the "Measures for Evaluation of Data Outbound" (accompanied by full text)

On July 7, the National Internet Information Office announced the "Measures for Evaluation of Data Outbound Security" (hereinafter referred to as the "Measures"), which will be implemented from September 1, 2022. The relevant person in charge of the National Internet Information Office stated that the "Measures" aims to implement the provisions of the "Network Security Law", "Data Security Law", and "Personal Information Protection Law", standardize data outbound activities, protect personal information rights and interests, safeguard national security, and safeguard national security With the public interest of the society, promote cross -border security and free flow of data, and effectively keep the development of security and promote security with development.

Data outbound security assessment method

First article

In order to regulate data outbound activities, protect personal information rights, safeguard national security and social public interests, and promote cross -border security and free flow of data, in accordance with the "Cyber ​​Security Law of the People's Republic of China", "Data Security Law of the People's Republic of China", and "People's People's Republic of China" The Republic's Personal Information Protection Law and other laws and regulations formulate these measures.

Second

Data processors provide the security assessment of important data and personal information that are collected and generated in the operation of the People's Republic of China and apply for security evaluations. These measures are applicable. If laws and administrative regulations have other provisions, in accordance with their provisions.

Article 3

Data outbound security assessment adheres to the combination of advance evaluation and continuous supervision, risk self -assessment and security assessment, prevent data outbound security risks, and ensure the orderly and free flow of data in accordance with the law.

Article 4

If the data processor provides data to overseas, if there is one of the following circumstances, it shall apply to the national network information department to declare data outbound security assessment to the national network information department through the provincial network information department in which they are located:

(1) Data processors provide important data to overseas;

(2) Data processors with key information infrastructure operators and processing more than 1 million personal information provides personal information to the abroad;

(3) Data processors with a total of 100,000 personal information or 10,000 sensitive personal information from the last year from January 1 last year provide personal information to the abroad;

(4) Other situations stipulated by the national network information department to declare data outbound security assessment.

The fifth

Data processors shall carry out self -assessment of data outbound risks before applying for data outbound security assessment, and focus on the following matters:

(1) Data outbound and overseas receiving party's legality, scope, and method of processing data, legality, legitimacy, and necessity;

(2) The scale, scope, type, and sensitivity of outbound data. The outbound outbound outbound may bring the risk of national security, public interest, individual or organization's legitimate rights and interests;

(3) The responsibility and obligations committed by the overseas receiving party, as well as whether the management and technical measures and capabilities of fulfilling responsibility obligations can ensure the security of outbound data;

(4) The risk of tampering, destruction, leakage, loss, transfer or illegal use of data after the data out of China and exit, whether the channels for the protection of personal information rights and interests are unobstructed;

(5) Whether the data outbound related contracts formulated by the foreign receiver or other legal effects (hereinafter referred to as legal documents) have fully agreed the liability of the data security protection;

(6) Other matters that may affect data outbound security.

Article 6

Declars data outbound security assessment shall be submitted to the following materials:

(1) Declaration letter;

(2) Evaluation report of data outbound risk;

(3) Data processors and legal documents planned by the receiving party overseas;

(4) Other materials needed for safety assessment work.

Seventh

Provincial online information departments shall complete complete inspections within 5 working days from the date of receiving the application materials. If the application materials are complete, the application materials are submitted to the national network information department; if the application materials are not complete, the data processor shall be returned and the materials need to be supplemented in one sex.

The national network information department shall determine whether to accept and notify the data processing in writing within 7 working days from the date of receiving the application materials.

eighth

Data outbound security assessment key assessment of data outbound activities may bring the risks brought by national security, public interest, individual or organization's legitimate rights and interests, which mainly include the following items:

(1) The legality, legitimacy, and necessity of the purpose, scope, method, etc. of data outbound;

(2) Policy and regulations of data security protection policies and regulations where the overseas receiving party is located or region of the region and the influence of network security environment on the security of outbound data; Requirements;

(3) The scale, scope, type, and sensitivity of outbound data, and the risk of tampering, destruction, leakage, loss, transfer or illegal utilization after departure and exit;

(4) Can data security and personal information rights be fully effective;

(5) Whether the data processor and the overseas receiving party have fully agreed the liability for data security protection;

(6) Comply with Chinese laws, administrative regulations, and departmental regulations;

(7) The national network information department believes that other matters that need to be evaluated.

Article 9

Data processors shall clearly stipulate the liability obligations of data security protection in the legal documents set up with overseas receiving parties, including at least the following:

(1) The purpose, method, and data scope of data outbound, and the purpose and method of processing data to process data overseas;

(2) Data preserve the location and period of preservation overseas, as well as the processing measures for outbound data after the preservation period, the completion of the agreed purpose, or the termination of the legal documents; (3) Require;

(4) In substantial changes in the actual control of the overseas receiving party or the scope of the business, or the changes in the data security protection policies and regulations of the country and region, and the occurrence of other non -resistant circumstances that causes difficulty to ensure data security, it should be taken. measure;

(5) Remedial measures, liability and dispute solutions that violate the data security protection obligations agreed in legal documents;

(6) When the outbound data is tampered with, destroyed, leaked, lost, transferred, or illegally obtained, illegal utilization, etc., it is necessary to properly carry out the requirements and methods of emergency response and ensure that individuals protect their personal information rights and interests.

Article 10

After the national network information department accepted the application, the relevant departments of the State Council, the provincial network information department, and specialized agencies were organized according to the application.

Article 11

In the process of security assessment, if the application materials submitted by the data processor do not meet the requirements, the national network information department may ask it to supplement or correct it. If the data processor does not replenish or corrected, the national network information department may terminate the security assessment.

Data processors are responsible for the authenticity of the materials submitted. If they deliberately submitted false materials, they will not be treated in accordance with the evaluation, and the corresponding legal responsibilities shall be investigated according to law.

Article 12

The national network information department shall complete the data outbound security assessment within 45 working days from the date of issuing a written acceptance notice from the data processor. time.

The evaluation results shall notify the data processing in writing.

Article 13

If the data processor has objections to the evaluation results, he can apply for a re -evaluation with the national network information department within 15 working days when he receives the evaluation results. The re -evaluation result is the final conclusion.

Article 14

The results of the data outbound security assessment are valid for 2 years, and calculated from the date of the evaluation results. If one of the following circumstances appears within the validity period, the data processor shall re -apply for evaluation:

(1) The purpose, method, scope, type, type, type, type, and overseas receiving party's use of data to process data will affect the security of outbound data, or extend the period of overseas preservation of personal information and important data;

(2) Data security protection policies and regulations where the overseas receiving party is located or regional data security environment and network security environment, as well as other non -resistant cases, data processing, or the actual control of the overseas receiving party changes, data processor and foreign receiver legal documents change Wait for the safety of outbound data;

(3) Other situations that affect the security of outbound data.

If the validity period expires, the data processing activities need to be carried out, and the data processor shall re -apply for evaluation before 60 working periods of the validity period.

Article 15

Relevant agencies and personnel participating in the safety assessment work shall keep secrets in accordance with the law, and shall not be leaked or illegally provided to others in accordance with the law.

Article 16

Any organization or individual finds that data processors provide data to overseas, and they can report to the online information departments at or above the provincial level.

Article 17

If the national network information department finds that the data outbound activities that have been evaluated will no longer meet the requirements of data outbound security management in the actual processing process, the data processor shall notify the data processor to terminate the data outbound event. If the data processor needs to continue to carry out data outbound activities, rectification shall be rectified as required, and the evaluation shall be reorganized after the rectification is completed.

Article 18

In violation of these Measures, the Cyber ​​Security Law of the People's Republic of China, the "Data Security Law of the People's Republic of China", and the "Personal Information Protection Law of the People's Republic of China" and other laws and regulations shall be handled; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.

Article 19

The important data referred to in these Measures refers to data that once tampered with, destruction, leaked, or illegally obtained, illegal use, etc., may endanger data such as national security, economic operation, social stability, public health and safety.

20

This method will be implemented from September 1, 2022. If the data outbound activities that have been carried out before the implementation of these measures do not meet the requirements of these Measures, the rectification shall be completed within 6 months from the date of the implementation of these Measures. As well as

Source: China Net Information Network

- END -