Measures for Security Assessment for Outbound Data Transfer (数据出境安全评估办法)
Article 1
In order to regulate outbound data transfer, protect personal information rights and interests, safeguard national security and social and public interests, and promote the secure and free cross-border flow of data, the Measures for Security Assessment for Outbound Data Transfer (the “Measures”) are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations of the People’s Republic of China (together, the “Regulations”).
Article 2
The Measures apply to the security assessment of Important Data and personal information collected and generated during operation within the territory of the People’s Republic of China and transferred abroad by a data handler. Where laws and administrative regulations provide otherwise, such provisions shall prevail.
Article 3
Security assessment for outbound data transfer shall adhere to the combination of prior assessment and ongoing supervision, as well as the combination of risk self-assessment and security assessment, so as to prevent security risks to outbound data transfer and ensure the orderly and free flow of data in accordance with the law.
Article 4
Where a data handler transfers data abroad under any of the following circumstances, it shall, through the local Cyberspace Administration at the provincial level, apply to the State Cyberspace Administration for security assessment for the outbound data transfer:
(1) a data handler who transfers Important Data abroad;
(2) a critical information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;
(3) a data handler who has, since January 1 of the previous year, cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals; or
(4) other circumstances where security assessment for the outbound data transfer is required by the State Cyberspace Administration.
Article 5
Prior to applying for security assessment for the outbound data transfer, a data handler shall conduct a self-assessment of the risks of the outbound data transfer, focusing on the following matters:
(1) the legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and of the processing of the data by the foreign recipient;
(2) the scale, scope, type and sensitivity of the outbound data, and the risks to national security, the public interest or the legitimate rights and interests of individuals or organizations that the outbound data transfer may cause;
(3) the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities for performing those duties and obligations can guarantee the security of the outbound data;
(4) the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests;
(5) whether the responsibilities and obligations for data security protection are fully agreed in the contracts for the outbound data transfer, or other legally binding documents, to be concluded with the foreign recipient (hereinafter collectively referred to as the “Legal Documents”); and
(6) other matters that may affect the security of the outbound data transfer.
Article 6
To apply for security assessment for the outbound data transfer, the following materials shall be submitted:
(1) an application letter;
(2) a self-assessment report on the risks of the outbound data transfer;
(3) the Legal Documents to be concluded between the data handler and the foreign recipient; and
(4) other materials necessary for the security assessment.
Article 7
The Cyberspace Administration at the provincial level shall conduct a completeness check of the application materials within 5 working days of receipt. Where the application materials are complete, they shall be submitted to the State Cyberspace Administration; where the application materials are incomplete, they shall be returned to the data handler, who shall be informed, on a one-time basis, of all supplementary materials required.
The State Cyberspace Administration shall, within 7 working days of receipt of the application materials, determine whether to accept the application and inform the data handler of its decision in writing.
Article 8
The security assessment for outbound data transfer shall focus on the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may arise from the outbound data transfer, including the following major points:
(1) the legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer;
(2) the impact of the data security protection policies and regulations and the network security environment of the country or region where the foreign recipient is located on the security of the outbound data; and whether the data protection level of the foreign recipient meets the requirements of the laws, administrative regulations and mandatory national standards of the People’s Republic of China;
(3) the scale, scope, types and sensitivity of the outbound data, and the risks that the data may be tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer;
(4) whether data security and personal information rights and interests can be fully and effectively guaranteed;
(5) whether the responsibilities and obligations for data security protection are fully agreed in the Legal Documents to be concluded between the data handler and the foreign recipient;
(6) compliance with the laws, administrative regulations and departmental rules of the People’s Republic of China; and
(7) other matters that the State Cyberspace Administration considers necessary to assess.
Article 9
A data handler shall expressly agree on the responsibilities and obligations for data security protection in the Legal Documents concluded with the foreign recipient, which shall include at least the following matters:
(1) the purpose, method and scope of the outbound data transfer, and the purpose and method of the foreign recipient’s processing of the data;
(2) the location and duration of storage of the data abroad, and the measures for handling the outbound data upon expiry of the storage period, achievement of the agreed purpose, or termination of the Legal Documents;
(3) binding restrictions on the foreign recipient’s re-transfer of the outbound data to other organizations or individuals;
(4) the security measures to be taken where a material change occurs to the actual control or business scope of the foreign recipient, where the data security protection policies and regulations or the network security environment of the country or region where the foreign recipient is located change, or where any other force majeure event makes it difficult to guarantee data security;
(5) remedial measures, liability for breach, and the dispute resolution mechanism in the event of a violation of the data security protection obligations agreed in the Legal Documents; and
(6) requirements for properly carrying out emergency response when the outbound data is tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used, and the channels and methods for safeguarding individuals’ personal information rights and interests.
Article 10
After accepting an application, the State Cyberspace Administration shall, based on the application, organize the relevant departments of the State Council, Cyberspace Administrations at the provincial level and specialized agencies to conduct the security assessment.