IT The home of 7 month 7 Daily news , News from the website of the office of the network security and Information Technology Commission of the CPC Central Committee ,7 month 7 Japan , The state Internet Information Office announced 《 Measures for data exit security assessment 》( hereinafter referred to as 《 Way 》), since 2022 year 9 month 1 The effective date . National Internet Information Office official said , a 《 Way 》 It aims to implement 《 Network security law 》、《 Data security law 》、《 Personal information protection law 》 The provisions of the , Standardize data outbound activities , Protect personal information rights and interests , Safeguard national security and social public interests , Promote cross-border data security 、 Free flow , Ensure development with safety 、 Promoting safety with development .
In recent years , With the rapid development of digital economy , Data cross-border activities are increasingly frequent , Data processors' data export demand is growing rapidly . Clarify the specific provisions of data exit safety assessment , It is to promote the healthy development of digital economy 、 The need to prevent and resolve cross-border security risks of data , It is the need to safeguard national security and social public interests , It is the need to protect the rights and interests of personal information .《 Way 》 It stipulates the scope of data exit safety assessment 、 Conditions and procedures , It provides specific guidance for data exit safety assessment .
《 Way 》 clear , These Measures apply to the security assessment of data processors providing overseas important data and personal information collected and generated in the operation within the territory of the people's Republic of China . It is proposed that the data exit safety assessment adhere to the combination of prior assessment and continuous supervision 、 The principles of combining risk self-assessment with safety assessment .
《 Way 》 It stipulates the circumstances under which data exit safety assessment should be declared , Including data processors providing important data to overseas 、 Key information infrastructure operators and processors 100 Data processors of personal information of more than 10000 people provide personal information abroad 、 Since last year 1 month 1 From the date of, we will provide 10 10000 personal information or 1 Data processors of sensitive personal information of 10000 people provide personal information abroad and other situations requiring declaration of data exit security assessment stipulated by the national Internet and Information Department .
《 Way 》 Make it clear 4 There are three situations in which data exit safety assessment should be declared : First, data processors provide important data to overseas . Second, key information infrastructure operators and processing 100 Data processors of personal information of more than 10000 people provide personal information abroad . Third, since last year 1 month 1 From the date of, we will provide 10 10000 personal information or 1 10000 data processors of sensitive personal information provide personal information abroad . Fourth, other situations requiring declaration of data exit security assessment stipulated by the national Internet Information Department .
《 Way 》 Put forward specific requirements for data exit safety assessment , It stipulates that data processors should carry out data exit risk self-assessment and clarify key assessment items before applying for data exit safety assessment . It stipulates that the data processor clearly stipulates the responsibility and obligation of data security protection in the legal documents signed with overseas receivers , Within the validity period of the data exit security assessment, any situation that affects the data exit security shall be re declared for assessment . Besides , It also clarified the data exit safety assessment procedures 、 Supervision and management system 、 Legal responsibilities and compliance rectification requirements .
The relevant person in charge of the state Internet Information Office 《 Way 》 Relevant questions answered the reporter's questions .
ask : Please briefly introduce 《 Way 》 The background of the introduction ?
answer : In recent years , With the rapid development of digital economy , Data cross-border activities are increasingly frequent , Data processors' data export demand is growing rapidly . meanwhile , Due to different national and regional legal systems 、 Differences in protection levels , Data exit security risks are also highlighted . Data cross-border activities affect personal information rights , It is also related to national security and social public interests . Many countries and regions in the world have come from their own countries 、 The actual situation in this region , It explores the system of data cross-border security management . Make it 《 Way 》 It's implementation 《 Network security law 》、《 Data security law 》、《 Personal information protection law 》 Important measures related to data exit regulations , The purpose is to further standardize data outbound activities , Protect personal information rights and interests , Safeguard national security and social public interests , Promote cross-border data security 、 Free flow .
ask :《 Way 》 What does the data outbound activity mean ?
answer :《 Way 》 The data outbound activities mainly include : The first is the data transmission that the data processor will collect and generate in the domestic operation 、 Store abroad . Second, the data collected and generated by the data processor is stored in China , Overseas institutions 、 Organizations or individuals can access or invoke .
ask : Which situations need to declare data exit safety assessment ?
answer :《 Way 》 Make it clear 4 There are three situations in which data exit safety assessment should be declared : First, data processors provide important data to overseas . Second, key information infrastructure operators and processing 100 Data processors of personal information of more than 10000 people provide personal information abroad . Third, since last year 1 month 1 From the date of, we will provide 10 10000 personal information or 1 10000 data processors of sensitive personal information provide personal information abroad . Fourth, other situations requiring declaration of data exit security assessment stipulated by the national Internet Information Department .
ask : What are the main contents of data exit safety assessment ?
answer : The data exit security assessment focuses on the possible impact of data exit activities on national security 、 public interest 、 Risks arising from the legitimate rights and interests of individuals or organizations , It mainly includes the following items : First, the purpose of data exit 、 Range 、 Legitimacy of methods, etc 、 Legitimacy 、 The need for . Second, the impact of data security protection policies and regulations and network security environment of the country or region where the overseas recipient is located on the outbound data security ; Whether the data protection level of the overseas receiver meets the laws of the people's Republic of China 、 Provisions of administrative regulations and requirements of mandatory national standards . Third, the scale of outbound data 、 Range 、 species 、 Sensitivity , Being tampered with during and after leaving the country 、 damage 、 Let the cat out of the 、 The loss of 、 Transferred or illegally acquired 、 Illegal use and other risks . Fourth, whether data security and personal information rights and interests can be fully and effectively guaranteed . Fifth, whether the legal documents to be concluded between the data processor and the overseas receiver fully stipulate the responsibility and obligation of data security protection . Sixth, abide by Chinese laws 、 Administrative regulations 、 Department regulations . Seventh, other matters that the national cyberspace department believes need to be evaluated .
ask : In order to standardize data exit safety assessment activities ,《 Way 》 What specific processes are defined ?
answer :《 Way 》 Clear the specific process of data exit . First, prior assessment , The data processor shall provide data to overseas before , First, we should carry out data exit risk self-assessment . Second, apply for evaluation , Conform to the exit safety assessment of the declared data , The data processor shall report the data exit safety assessment to the national cyberspace department through the local provincial cyberspace Department . Third, carry out evaluation , The national e-mail department shall, from the date of receiving the application materials 7 Determine whether to accept the evaluation within working days ; From the date of issuing the written acceptance notice 45 Complete the data exit safety assessment within working days ; The situation is complex or needs to be supplemented 、 Correct the material , It can be extended appropriately and inform the data processor of the estimated extension time . Fourth, reassess and terminate exit , The validity period of the evaluation results expires or there is a reassessment stipulated in these measures within the validity period , The data processor shall re apply for the data exit safety assessment . The data exit activities that have passed the evaluation no longer meet the requirements of data exit safety management in the actual processing process , After receiving the written notice from the national e-mail Department , Data processors should stop data outbound activities . Data processors need to continue to carry out data exit activities , It should be rectified as required , Re apply for evaluation after rectification .
ask : How to protect the legitimate rights and interests of data processors such as trade secrets in the evaluation process ?
answer :《 Way 》 It stipulates that the relevant institutions and personnel involved in the security assessment work shall be responsible for the state secrets learned in the performance of their duties 、 privacy 、 Personal information 、 Trade secret 、 Confidential business information and other data shall be kept confidential according to law , Do not disclose or illegally provide to others 、 Illegal use .
ask :《 Way 》 What provisions are also specified ?
answer : In addition to the above assessment 、 Specific process 、 Confidentiality requirements and other management measures ,《 Way 》 It is also clear that the national cyberspace department is responsible for deciding whether to accept the security assessment , And organize relevant departments of the State Council according to the application 、 Provincial Network Information Department 、 Specialized agencies carry out safety assessment . The provincial cyberspace department is responsible for receiving the application materials for data exit security assessment , And complete the completeness check . Any organization or individual finds that the data processor provides data abroad in violation of these measures , You can report to the Internet information department at or above the provincial level .
ask : When does the data processor declare the data exit safety assessment ?
answer : The data processor shall declare and pass the data exit safety assessment before the data exit activities occur . In practice , Data processors should sign data exit related contracts or other legally effective documents with overseas receivers ( Hereinafter collectively referred to as legal documents ) front , Declaration data exit safety assessment . If you apply for evaluation after signing legal documents , It is suggested to note in the legal document that this document must take effect after passing the data exit safety assessment , To avoid possible losses caused by failure to pass the assessment .
ask : What are the possible types of exit safety assessment results of enterprise declaration data ?
answer : First, the declaration will not be accepted . For , After the data processor receives the written notice that the national network information department will not accept , Data exit activities can be carried out through other legal channels stipulated by law . The second is to pass the safety assessment . The data processor can , Carry out data exit activities in strict accordance with the declared items . Third, it failed to pass the safety assessment . Fail to pass the data exit safety assessment , The data processor shall not carry out the declared data exit activities .
ask : How to deal with objections to the evaluation results ?
answer : The data processor disagrees with the evaluation results , The evaluation results can be received 15 Apply for reappraisal to the national cyberspace department within working days , The re evaluation result is the final conclusion .
ask : How long is the validity period of the results of the exit safety assessment through data ?
answer : The validity period of the results of the exit safety assessment of the data is 2 year , Calculated from the date of issuance of the evaluation results . Expiration of validity , Those who need to continue to carry out data exit activities , The data processor should expire 60 Re apply for assessment three working days ago .
ask : In violation of the 《 Way 》 How to investigate legal responsibility ?
answer :《 Way 》 Clarify that the data processor violates the provisions of these measures , according to 《 Network security law 》、《 Data security law 》、《 Personal information protection law 》 And other laws and regulations ; Criminal , Investigate criminal responsibility according to law .
ask : For personal information provided overseas , Safety assessment and standard contract 、 The relationship between personal information protection and authentication , How to connect the three ways ?
answer :《 Way 》 The scope of application has been clarified , The data exit situation of personal information processors who apply for security assessment shall be reported for security assessment ;《 Way 》 Data exit of personal information processors outside the scope of application , The conditions for cross-border provision of personal information can be met through personal information protection certification or the signing of standard contracts formulated by the national cyberspace Department , Facilitate personal information processors to carry out data exit activities according to law .
