Data Exit Security Assessment Measures
(Draft for comments)
Article 1 In order to regulate data export activities, protect the rights and interests of personal information, safeguard national security and public interests, and promote the secure and free cross-border flow of data, these Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations.
Article 2 When data processors provide overseas important data collected and generated during operations within the territory of the People’s Republic of China and personal information that should be subject to security assessment in accordance with the law, security assessments shall be conducted in accordance with the provisions of these Measures; , in accordance with its regulations.
Article 3 The data export security assessment adheres to the combination of prior assessment and continuous supervision, and the combination of risk self-assessment and security assessment, to prevent data export security risks, and to ensure the lawful, orderly and free flow of data.
Article 4 When a data processor provides data overseas and falls under one of the following circumstances, it shall report to the national cybersecurity and informatization department through the provincial cybersecurity and informatization department where it is located:
(1) Personal information and important data collected and generated by operators of critical information infrastructure;
(2) The exit data contains important data;
(3) Personal information processors that process the personal information of one million people or more provide personal information overseas;
(4) Cumulatively providing personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad;
(5) Other situations required to declare data export security assessment as stipulated by the national cybersecurity and informatization department.
Article 5 Before providing data overseas, data processors shall conduct self-assessment of data export risks in advance, focusing on the following matters:
(1) The legality, legitimacy, and necessity of the purpose, scope, and method of the data export and of the overseas recipient’s processing of the data;
(2) The quantity, scope, type, and sensitivity of the data going abroad, and the risks that the data export may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations;
(3) Whether the data processor’s management, technical measures, and capabilities in the data transfer process can prevent risks such as data leakage and damage;
(4) The responsibilities and obligations undertaken by the overseas recipient, and whether the management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of outbound data;
(5) Risks of leakage, damage, tampering, abuse, etc. after data exit and re-transfer, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed, etc.;
(6) Whether the data export-related contract concluded with the overseas recipient fully stipulates the responsibility and obligation of data security protection.
Article 6 To declare data export security assessment, the following materials shall be submitted:
(1) a declaration form;
(2) Self-assessment report on data export risk;
(3) The contract or other legally binding documents to be concluded between the data processor and the overseas recipient (hereinafter collectively referred to as the contract);
(4) Other materials required for the security assessment work.
Article 7 The national cybersecurity and informatization department shall, within seven working days from the date of receipt of the application materials, determine whether to accept the evaluation and provide the acceptance result in the form of a written notice.
Article 8 The data export security assessment focuses on assessing the risks that data export activities may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations, mainly including the following matters:
(1) The legality, legitimacy, and necessity of the purpose, scope, and method of data export;
(2) The impact of the data security protection policies and regulations of the country or region where the overseas recipient is located, and of its network security environment, on the security of outbound data; whether the data protection level of the overseas recipient meets the requirements of the laws, administrative regulations and mandatory national standards of the People’s Republic of China;
(3) The quantity, scope, type, and sensitivity of outbound data, and risks such as leakage, tampering, loss, destruction, transfer, or illegal acquisition or use during or after departure;
(4) Whether data security and personal information rights and interests can be fully and effectively guaranteed;
(5) Whether the contract concluded between the data processor and the overseas recipient fully stipulates the responsibility and obligation of data security protection;
(6) Compliance with Chinese laws, administrative regulations and departmental rules;
(7) Other matters deemed necessary by the national cybersecurity and informatization department.
Article 9 Where the contract concluded between the data processor and the overseas recipient fully stipulates the responsibilities and obligations of data security protection, it shall include but not be limited to the following:
(1) The purpose, method and data scope of the data going abroad, and the purpose and method of the data processing by the overseas recipient;
(2) The location and duration of data storage overseas, and the processing measures for data leaving the country after the storage duration is reached, the agreed purpose is fulfilled, or the contract is terminated;
(3) Binding clauses that restrict overseas recipients from transferring outbound data to other organizations and individuals;
(4) The security measures that the overseas recipient should take when there is a substantial change in the actual control or business scope, or when the legal environment of the country or region where it is located makes it difficult to ensure data security;
(5) Liability for breach of contract for breach of data security protection obligations and binding and enforceable dispute resolution clauses;
(6) In the event of data leakage and other risks, properly carry out emergency response, and ensure an unobstructed channel for individuals to safeguard their personal information rights and interests.
Article 10 After the national cybersecurity and informatization department accepts the declaration, it will organize the industry competent department, relevant departments of the State Council, provincial cybersecurity and informatization departments, specialized agencies, etc. to conduct security assessments.
Where important data is to be exported abroad, the national cybersecurity and informatization department shall seek opinions from relevant industry authorities.
Article 11 The national cybersecurity and informatization department shall complete the data export security assessment within 45 working days from the date of issuing the written acceptance notice; if the situation is complicated or supplementary materials are required, the period may be appropriately extended, but generally to no more than 60 working days.
The results of the evaluation are notified to the data processor in writing.
Article 12 The data export assessment results are valid for two years. If one of the following circumstances occurs within the validity period, the data processor shall re-apply for evaluation:
(1) The purpose, method, scope, and type of data provided overseas and the purpose and method of data processing by overseas recipients have changed, or the overseas storage period of personal information and important data has been extended;
(2) The legal environment of the country or region where the overseas recipient is located has changed, the actual control rights of the data processor or the overseas recipient have changed, and the contract between the data processor and the overseas recipient has changed, which may affect the security of outbound data;
(3) Other circumstances that affect the security of outbound data occur.
When the validity period expires and it is necessary to continue the export of the original data, the data processor shall re-apply for evaluation 60 working days before the validity period expires.
Those who fail to re-apply for evaluation in accordance with the provisions of this article shall stop data export activities.
Article 13 Data processors shall submit evaluation materials in accordance with the provisions of these Measures. If the materials are incomplete or do not meet the requirements, they shall supplement or correct them in a timely manner. If supplements or corrections are refused, the national cybersecurity and informatization department may terminate the security evaluation. The applicant is responsible for the authenticity of the submitted materials, and those who deliberately submit false materials will be dealt with as failing the evaluation.
Article 14 The relevant institutions and personnel participating in the security assessment work shall keep confidential the state secrets, personal privacy, personal information, business secrets, confidential business information and other data that they learn in the performance of their duties, and shall not disclose or illegally provide them to others.
Article 15 Any organization or individual who finds that a data processor has provided data overseas without undergoing evaluation in accordance with the provisions of these Measures may file a complaint or report to the internet information department at or above the provincial level.
Article 16 If the national network information department finds that data export activities that have passed the evaluation no longer meet the data export security management requirements in the actual processing process, it shall revoke the evaluation results and notify the data processor in writing, and the data processor shall terminate the data export activities. If it is necessary to continue to carry out data export activities, the data processor shall rectify as required, and re-apply for evaluation after the rectification is completed.
Article 17 Those who violate the provisions of these Measures shall be dealt with in accordance with the “Network Security Law of the People’s Republic of China”, “Data Security Law of the People’s Republic of China”, “Personal Information Protection Law of the People’s Republic of China” and other laws and regulations; Be held criminally responsible.
Article 18 These Measures shall come into force from the date of the year.