June 13, 2019 00:00 source: China Netcom
In order to ensure the security of personal information, safeguard cyberspace sovereignty, national security and the social and public interest, and protect the legitimate rights and interests of citizens and legal persons, the State Internet Information Office, together with relevant departments, has drafted the Measures for the Security Assessment of Personal Information Exit (Draft for Comments) in accordance with the Cybersecurity Law of the People's Republic of China and other laws and regulations, and now solicits public comments. Relevant units and members of the public may submit comments by July 13, 2019 in the following ways:
1. Log in to the Chinese Government Legal Information Network (website: http://www.chinalaw.gov.cn) and submit comments through the "Legislative Opinion Collection" section on the homepage.
2. Send an e-mail to: [email protected]
3. Mail comments to the Network Security Coordination Bureau of the State Internet Information Office, No. 11 Chegongzhuang Street, Xicheng District, Beijing, 100044, and mark the envelope "Comments on the Measures for the Security Assessment of Personal Information Exit".
Annex: Measures for the Security Assessment of Personal Information Exit (Draft for Comments)
State Internet Information Office
June 13, 2019
Measures for the Security Assessment of Personal Information Exit
(Draft for Comments)
Article 1 In order to ensure the security of personal information in cross-border data flows, these Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China and other relevant laws and regulations.
Article 2 Where a network operator provides personal information collected in the course of its operations within the territory of the People's Republic of China to a party outside the territory (hereinafter "personal information exit"), it shall conduct a security assessment in accordance with these Measures. Where the security assessment determines that the personal information exit may affect national security or harm the public interest, or that the security of the personal information cannot be effectively guaranteed, the exit shall not be permitted.
Where the State has other provisions on personal information exit, those provisions shall prevail.
Article 3 Before personal information leaves the country, the network operator shall file a personal information exit security assessment with the provincial network information department of the place where it is located.
Where personal information is provided to different recipients, a security assessment shall be filed for each recipient separately. Where personal information is provided to the same recipient repeatedly or continuously, the assessment need not be filed repeatedly.
A reassessment shall be conducted every two years, or whenever the purpose, type or overseas retention period of the personal information changes.
Article 4 When filing for a personal information exit security assessment, the network operator shall submit the following materials and be responsible for their authenticity and accuracy:
(1) the declaration.
(2) the contract signed by the network operator and the recipient.
(3) an analysis report on the security risks of the personal information exit and the security measures taken.
(4) other materials required by the State network information department.
Article 5 After receiving the filing materials for a personal information exit security assessment and verifying that they are complete, the provincial network information department shall organize experts or technical resources to conduct the security assessment. The security assessment shall be completed within 15 working days, and may be extended as appropriate where the situation is complex.
Article 6 A personal information exit security assessment shall focus on the following:
(1) whether it complies with the relevant laws, regulations and policies of the State.
(2) whether the terms of the contract can adequately protect the legitimate rights and interests of the personal information subject.
(3) whether the contract can be effectively enforced.
(4) whether the network operator or the recipient has a history of harming the legitimate rights and interests of personal information subjects, and whether it has experienced major cybersecurity incidents.
(5) whether the network operator's acquisition of the personal information is lawful and legitimate.
(6) other matters that should be assessed.
Article 7 The provincial network information department shall, when notifying the network operator of the conclusion of the personal information exit security assessment, report the assessment to the State network information department.
Where the network operator objects to the conclusion of the provincial network information department's personal information exit security assessment, it may appeal to the State network information department.
Article 8 The network operator shall establish a record of personal information exits and retain it for at least 5 years. The record shall include:
(1) the date and time at which the personal information was provided abroad.
(2) the identity of the recipient, including but not limited to the recipient's name, address and contact information.
(3) the type, quantity and sensitivity of the personal information provided abroad.
(4) other matters specified by the State network information department.
Article 9 Before December 31 of each year, the network operator shall report the personal information exits of that year and the performance of the related contracts to the provincial network information department of the place where it is located.
Where a major data security incident occurs, it shall be reported promptly to the provincial network information department of the place where the network operator is located.
Article 10 The provincial network information department shall regularly organize inspections of personal information exits, including the operator's exit records, focusing on the performance of the obligations stipulated in the contract and on whether there has been any violation of State provisions or harm to the legitimate rights and interests of personal information subjects.
Where the legitimate rights and interests of a personal information subject are harmed, a data leakage security incident occurs, or similar problems are found, the network operator shall be required to rectify promptly, and the network operator shall urge the recipient to rectify.
Article 11 In any of the following circumstances, the network information department may require the network operator to suspend or terminate the provision of personal information abroad:
(1) a major data leakage, data abuse or similar incident occurs at the network operator or the recipient.
(2) the personal information subject cannot, or finds it difficult to, protect his or her legitimate rights and interests.
(3) the network operator or the recipient is unable to guarantee the security of the personal information.
Article 12 Any individual or organization shall have the right to report to the network information department at or above the provincial level, or to other relevant departments, any act of providing personal information abroad in violation of these Measures.
Article 13 The contract or other legally binding document (collectively, the "contract") signed by the network operator and the recipient of the personal information shall specify:
(1) the purpose, type and retention period of the personal information leaving the country.
(2) that the personal information subject is a beneficiary of the clauses of the contract concerning the rights and interests of the personal information subject.
(3) that where the legitimate rights and interests of the personal information subject are harmed, the personal information subject may, personally or through an entrusted agent, claim compensation from the network operator, the recipient or both, and the network operator or the recipient shall pay compensation unless it proves that it is not liable.
(4) that if the legal environment of the recipient's country changes such that the contract becomes difficult to perform, the contract shall be terminated or the security assessment shall be conducted again.
(5) that termination of the contract shall not release the network operator or the recipient from the responsibilities and obligations stipulated in the contract's provisions concerning the legitimate rights and interests of the personal information subject, unless the recipient has destroyed or anonymized the personal information received.
(6) other matters agreed by both parties.
Article 14 The contract shall specify that the network operator bears the following responsibilities and obligations:
(1) to inform the personal information subject, by e-mail, instant messaging, letter, fax or other means, of the basic information of the network operator and the recipient, and of the purpose, type and retention period of the personal information provided abroad.
(2) to provide a copy of the contract at the request of the personal information subject.
(3) to convey the personal information subject's claims, including claims for compensation, to the recipient upon the subject's request; where the personal information subject cannot obtain compensation from the recipient, to pay compensation first.
Article 15 The contract shall specify that the recipient bears the following responsibilities and obligations:
(1) to provide the personal information subject with access to his or her personal information, and, when the personal information subject requests correction or deletion of his or her personal information, to respond and to correct or delete it at reasonable cost and within a reasonable time.
(2) to use the personal information only for the purpose stipulated in the contract, and not to retain the personal information abroad beyond the period stipulated in the contract.
(3) to confirm that signing the contract and performing its obligations will not violate the legal requirements of the recipient's country; where a change in the legal environment of the recipient's country or region may affect the performance of the contract, to notify the network operator promptly and, through the network operator, report to the provincial network information department of the place where the network operator is located.
Article 16 The contract shall specify that the recipient shall not transfer the personal information received to a third party unless the following conditions are met:
(1) the network operator has notified the personal information subject, by e-mail, instant messaging, letter, fax or other means, of the purpose of the transfer, the identity and country of the third party, the type of personal information transferred and the third party's retention period.
(2) the recipient undertakes to stop transferring personal information to the third party, and to require the third party to destroy the personal information received, when the personal information subject requests that the transfer to the third party be stopped.
(3) where sensitive personal information is involved, the consent of the personal information subject has been obtained.
(4) the network operator agrees to bear compensation liability in advance where the transfer of personal information to the third party harms the legitimate rights and interests of the personal information subject.
Article 17 The network operator's analysis report on the security risks of the personal information exit and the security measures taken shall include at least:
(1) the background, scale, business, finances, reputation and cybersecurity capabilities of the network operator and the recipient.
(2) the personal information exit plan, including its duration, the number of personal information subjects involved, the scale of the personal information provided abroad, and whether the personal information will be transferred to a third party after exit.
(3) an analysis of the risks of the personal information exit and the measures taken to ensure the security of the personal information and the legitimate rights and interests of the personal information subject.
Article 18 Where a network operator provides personal information abroad in violation of these Measures, it shall be dealt with in accordance with relevant laws and regulations.
Article 19 Where treaties or agreements that China has concluded or acceded to with other countries, regions or international organizations contain clear provisions on personal information exit, those provisions shall apply, except for provisions on which China has declared a reservation.
Article 20 Where an overseas institution collects personal information of domestic users through the Internet or other means in the course of its business activities, it shall perform the responsibilities and obligations of a network operator under these Measures through its legal representative or institution within China.
Article 21 The meanings of the following terms in these Measures:
(1) "Network operator" refers to the owner or manager of a network or a network service provider.
(2) "Personal information" refers to all kinds of information recorded electronically or by other means that can, alone or in combination with other information, identify a natural person, including but not limited to a natural person's name, date of birth, identity document number, personal biometric information, address and telephone number.
(3) "Sensitive personal information" refers to personal information that, once leaked, stolen, tampered with or illegally used, may endanger the personal or property safety of the personal information subject, or damage the reputation or physical or mental health of the personal information subject.
Article 22 These Measures shall be implemented as of.