《 Way 》 The full text is as follows :
Measures for data exit security assessment
Article 1 with a To standardize data outbound activities , Protect personal information rights and interests , Safeguard national security and social public interests , Promote cross-border data security 、 Free flow , according to 《 Network security law of the people's Republic of China 》、《 Data security law of the people's Republic of China 》、《 Personal information protection law of the people's Republic of China 》 And other laws and regulations , Formulate these measures .
Second Data processors provide overseas security assessments of important data and personal information collected and generated during operations in the people's Republic of China , The measures shall apply . law 、 Where there are other provisions in administrative regulations , According to its rules .
Article 3 the The data exit safety assessment adheres to the combination of prior assessment and continuous supervision 、 The combination of risk self-assessment and safety assessment , Guard against data exit security risks , Ensure the orderly and free flow of data according to law .
Article 4. The data processor provides data abroad , Under any of the following circumstances , The data exit safety assessment shall be reported to the national network information department through the local provincial network information department :
( One ) Data processors provide important data to overseas ;
( Two ) Key information infrastructure operators and processors 100 Data processors of personal information of more than 10000 people provide personal information abroad ;
( 3、 ... and ) Since last year 1 month 1 From the date of, we will provide 10 10000 personal information or 1 10000 data processors of sensitive personal information provide personal information abroad ;
( Four ) Other situations that need to declare data for exit security assessment as stipulated by the national network information department .
Article 5. Before declaring the data exit safety assessment , Data exit risk self-assessment should be carried out , Focus on the following items :
( One ) The purpose of data processing for outbound and overseas receivers 、 Range 、 Legitimacy of methods, etc 、 Legitimacy 、 The need for ;
( Two ) The scale of outbound data 、 Range 、 species 、 Sensitivity , Data exit may be harmful to national security 、 public interest 、 Risks arising from the legitimate rights and interests of individuals or organizations ;
( 3、 ... and ) Responsibilities and obligations undertaken by the overseas receiving party , And management and technical measures to fulfill responsibilities and obligations 、 Ability to ensure the security of outbound data ;
( Four ) The data has been tampered with during and after the exit 、 damage 、 Let the cat out of the 、 The loss of 、 Transferred or illegally acquired 、 The risk of illegal exploitation , Whether the channels for maintaining personal information rights and interests are smooth, etc ;
( 5、 ... and ) Data exit related contracts or other legally effective documents to be concluded with overseas receivers ( Hereinafter collectively referred to as legal documents ) Whether the responsibility and obligation of data security protection are fully agreed ;
( 6、 ... and ) Other matters that may affect the safety of data exit .
Article 6. Declaration data exit safety assessment , The following should be submitted :
( One ) Declaration ;
( Two ) Data exit risk self-assessment report ;
( 3、 ... and ) Legal documents to be concluded between the data processor and the overseas receiver ;
( Four ) Other materials required for safety assessment .
Article 7. The provincial e-mail department shall, from the date of receiving the application materials 5 Complete the completeness check within working days . Those with complete application materials , Submit the application materials to the national e-mail Department ; The application materials are incomplete , It should be returned to the data processor and informed of the materials that need to be supplemented at one time .
The national e-mail department shall, from the date of receiving the application materials 7 Within 5 working days , Determine whether to accept it and notify the data processor in writing .
Article 8. The data exit security assessment focuses on the possible impact of data exit activities on national security 、 public interest 、 Risks arising from the legitimate rights and interests of individuals or organizations , It mainly includes the following items :
( One ) The purpose of data exit 、 Range 、 Legitimacy of methods, etc 、 Legitimacy 、 The need for ;
( Two ) The impact of data security protection policies and regulations and network security environment of the country or region where the overseas recipient is located on the outbound data security ; Whether the data protection level of the overseas receiver meets the laws of the people's Republic of China 、 Provisions of administrative regulations and requirements of mandatory national standards ;
( 3、 ... and ) The scale of outbound data 、 Range 、 species 、 Sensitivity , Being tampered with during and after leaving the country 、 damage 、 Let the cat out of the 、 The loss of 、 Transferred or illegally acquired 、 The risk of illegal exploitation ;
( Four ) Whether data security and personal information rights and interests can be fully and effectively guaranteed ;
( 5、 ... and ) Whether the legal documents to be concluded between the data processor and the overseas receiver fully stipulate the responsibility and obligation of data security protection ;
( 6、 ... and ) Abide by Chinese laws 、 Administrative regulations 、 Department regulations ;
( 7、 ... and ) Other matters deemed necessary to be assessed by the national network information department .
Article 9. The data processor shall clearly stipulate the responsibility and obligation of data security protection in the legal documents signed with the overseas receiver , At least include the following :
( One ) The purpose of data exit 、 Mode and data range , Purpose of data processed by overseas receiver 、 Way, etc ;
( Two ) Where the data is kept overseas 、 Time limit , And reach the shelf life 、 Processing measures for outbound data after completing the agreed purpose or the termination of legal documents ;
( 3、 ... and ) For overseas receivers, the outbound data will be transferred to other organizations 、 Personal binding requirements ;
( Four ) Substantial change in the actual control or business scope of the overseas receiving party , Or country 、 When the regional data security protection policies and regulations and the network security environment change and other force majeure situations make it difficult to ensure data security , Safety measures to be taken ;
( 5、 ... and ) Remedies for breach of data security protection obligations agreed in legal documents 、 Liability for breach of contract and dispute resolution ;
( 6、 ... and ) Outbound data has been tampered 、 damage 、 Let the cat out of the 、 The loss of 、 Transferred or illegally acquired 、 Illegal use and other risks , The requirements for properly carrying out emergency disposal and the ways and means to protect individuals' rights and interests in personal information .
Article 10. After the national Internet Information Department accepts the declaration , Organize relevant departments of the State Council according to the application 、 Provincial Network Information Department 、 Specialized agencies, etc. conduct safety assessment .
Article 11 During the safety assessment , It is found that the application materials submitted by the data processor do not meet the requirements , The national Internet information department may require it to supplement or correct . The data processor does not supplement or correct without justified reasons , The national cyberspace department can terminate the security assessment .
The data processor is responsible for the authenticity of the submitted materials , Deliberately submitting false materials , If it fails to pass the assessment , And investigate the corresponding legal responsibilities according to law .
Twelfth article The national Internet information department shall issue a written acceptance notice to the data processor 45 Complete the data exit safety assessment within working days ; The situation is complex or needs to be supplemented 、 Correct the material , It can be extended appropriately and inform the data processor of the estimated extension time .
The results of the evaluation shall be notified in writing to the data processor .
Article 13 The data processor disagrees with the evaluation results , The evaluation results can be received 15 Apply for reappraisal to the national cyberspace department within working days , The re evaluation result is the final conclusion .
Article 14 The validity period of the results of the exit safety assessment of the data is 2 year , Calculated from the date of issuance of the evaluation results . One of the following circumstances occurs within the validity period , The data processor shall re apply for evaluation :
( One ) The purpose of providing data overseas 、 The way 、 Range 、 Type and purpose of overseas receiver processing data 、 Changes in methods affect the security of outbound data , Or extend the overseas storage period of personal information and important data ;
( Two ) Changes in data security protection policies and regulations and network security environment in the country or region where the overseas recipient is located, as well as other force majeure situations 、 The actual control of the data processor or overseas receiver changes 、 Data processors and overseas receiving methods, changes in legal documents, etc., which affect the safety of outbound data ;
( 3、 ... and ) There are other situations that affect the security of outbound data .
Expiration of validity , Those who need to continue to carry out data exit activities , The data processor should expire 60 Re apply for assessment three working days ago .
Article 15 The relevant institutions and personnel involved in the security assessment are aware of the state secrets learned in the performance of their duties 、 privacy 、 Personal information 、 Trade secret 、 Confidential business information and other data shall be kept confidential according to law , Do not disclose or illegally provide to others 、 Illegal use .
Article 16 Any organization or individual finds that the data processor provides data abroad in violation of these measures , You can report to the Internet information department at or above the provincial level .
Article 17. The national cyberspace department finds that the data exit activities that have passed the evaluation no longer meet the requirements of data exit safety management in the actual processing process , The data processor shall be notified in writing to terminate data outbound activities . Data processors need to continue to carry out data exit activities , It should be rectified as required , Re apply for evaluation after rectification .
Article 18 Violating the provisions of these measures , basis 《 Network security law of the people's Republic of China 》、《 Data security law of the people's Republic of China 》、《 Personal information protection law of the people's Republic of China 》 And other laws and regulations ; Criminal , Investigate criminal responsibility according to law .
Article 19 The important data mentioned in these measures , It means that once it is tampered with 、 damage 、 Divulge or illegally acquire 、 Illegal utilization, etc , May endanger national security 、 Economic operation 、 Social stability, 、 Public health and safety data .
Twentieth This method comes from 2022 year 9 month 1 The effective date . Data exit activities that have been carried out before the implementation of these measures , Not in conformity with the provisions of these measures , It shall be implemented as of the date of implementation of these measures 6 Complete the rectification within months .
