个人信息保护合规审计暨大数据工程师双证上海班
时间:2023年10月底(周末两天)
地点:上海交大附近,广州、北京同步招生
联系:手机(朱老师 )138 1664 6268;微信(徐博士) heguilvshi
规范和促进数据跨境流动规定
Provisions on Regulating and Facilitating Cross border Flow of Data(Draft for Public Consultation)
为保障国家数据安全,保护个人信息权益,进一步规范和促进数据依法有序自由流动,依据有关法律,对《数据出境安全评估办法》、《个人信息出境标准合同办法》等数据出境规定的施行,作出以下规定。
In order to safeguard national data security, protect the rights and interests of personal information, further regulate and promote the free flow of data in an orderly and lawful manner, and in accordance with the relevant laws, the following provisions (hereinafter referred to as the “Provisions”) are made for the implementation of the data export regulations including the Measures for Security Assessment on Cross-border Data Transfer and the Measures for the Standard Contract for Cross-border Transfer of Personal Information.
一、国际贸易、学术合作、跨国生产制造和市场营销等活动中产生的数据出境,不包含个人信息或者重要数据的,不需要申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。
1. Where data generated and exported in international trade, academic cooperation, multinational manufacturing and marketing activities do not contain personal information or important data, it is not necessary to apply for security assessment on cross-border data transfer, enter into a standard contract for the cross-border transfer of personal information, or obtain a personal information protection certification.
二、未被相关部门、地区告知或者公开发布为重要数据的,数据处理者不需要作为重要数据申报数据出境安全评估。2. If the data has not been notified or publicly released as important data by relevant departments or regions, local data handlers are not required to apply for security assessment on cross-border transfer of important data.
三、不是在境内收集产生的个人信息向境外提供,不需要申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。3. If personal information which was not collected or generated within the territory is provided overseas, local data handlers are not required to apply for security assessment on cross-border data transfer, enter into a standard contract for the cross-border transfer of personal information, or obtain a personal information protection certification.
四、符合以下情形之一的,不需要申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证:4. Where one of the following circumstances is met, there is no need to apply for security assessment on cross-border data transfer, enter into a standard contract for the cross-border transfer of personal information, or obtain a personal information protection certification;
(一) 为订立、履行个人作为一方当事人的合同所必需,如跨境购物、跨境汇款、机票酒店预订、签证办理等,必须向境外提供个人信息的;
(1)Where personal information must be provided across the border for the purpose of entering into and performing contracts to which the individual is a party, such as cross-border shopping, cross-border remittance, air ticket and hotel booking, and visa applications;
(二) 按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理,必须向境外提供内部员工个人信息的;
(2)Where personal information of internal employees must be provided across the border in order to implement human resources management on the basis of labor regulations formulated in accordance with the law and collective contracts signed in accordance with the law;
(三) 紧急情况下为保护自然人的生命健康和财产安全等,必须向境外提供个人信息的。
Where personal information must be provided across the border in order to protect the life, health and property safety of natural persons, etc., in an emergency situation.
五、预计一年内向境外提供不满1万人个人信息的,不需要申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。但是,基于个人同意向境外提供个人信息的,应当取得个人信息主体同意。5. If it is expected that less than 10,000 natural person s’ personal information will be provided across the border within one year, there is no need to apply for safety assessment on cross border data transfer, enter into a standard contract for the cross border transfer of personal information, or pass a certification for the protection of personal information. However, where personal information is provided overseas on the basis of individual consent, the consent of the data subject shall still be obtained.
六、预计一年内向境外提供1万人以上、不满100万人个人信息,与境外接收方订立个人信息出境标准合同并向省级网信部门备案或者通过个人信息保护认证的,可以不申报数据出境安全评估;向境外提供100万人以上个人信息的,应当申报数据出境安全评估。但是,基于个人同意向境外提供个人信息的,应当取得个人信息主体同意。
6. If it is expected that personal information of more than 10,000 but less than 1 million natural persons will be provided across the border within one year, local data handlers is not required to apply for security assessment on cross border data transfer , but shall enter into a standard contract for the cross border transfer of personal information with the overseas recipient and apply for record filing of such standard contract with the cyberspace administration at the provincial level or o btain a personal information protection certification; where personal information of more than 1 million natural persons is provided across the border , local data handers shall apply for security assessment on cross border data transfer. However, where personal information is provided overseas on the basis of individual consent, the consent of the data subject shall still be obtained.
七、自由贸易试验区可自行制定本自贸区需要纳入数据出境安全评估、个人信息出境标准合同、个人信息保护认证管理范围的数据清单(以下简称负面清单),报经省级网络安全和信息化委员会批准后,报国家网信部门备案。负面清单外数据出境,可以不申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。7.The Pilot free trade zone may on its own formulate a l ist of data (hereinafter referred to as the Negative List that need to be included in the scope of security assessment on ross border data transfer, a standard contract for the cross border transfer of personal information, or a personal information protection certification , and submit the Negative List for the app roval by the cyberspace affairs commission at provincial level. After the above approval has been obtained, the Negative List shall be applied for record filing with the Central Cyberspace Administration of China.Data excluded from the Negative List ca n be provided acr oss the border with no need to apply for security assessment on cross border data transfer , enter into a standard contract for the cross border transfer of personal information, or obtain a personal information protection certification.
八、国家机关和关键信息基础设施运营者向境外提供个人信息和重要数据的,依照有关法律、行政法规、部门规章规定执行。向境外提供涉及党政军和涉密单位敏感信息、敏感个人信息的,依照有关法律、行政法规、部门规章规定执行。8. State organs and critical information infrastructure operators which provide personal information and important data across the bor der shall do so in accordance wi th relevant laws, administrative regulations, and departmental rules.The provision of sensitive information involving the Party, government, military and classified units and sensitive personal information across the border shall be carried out in accordance with relevant laws, administrative regulations, and departmental rules.
九、数据处理者向境外提供重要数据和个人信息,应当遵守法律、行政法规的规定,履行数据安全保护义务,保障数据出境安全;发生数据出境安全事件或者发现数据出境安全风险增大的,应当采取补救措施,及时向网信部门报告。9. Local data handlers that provide important data and personal information outside the country shall comply with the provisions of laws and administrative regulations, fulfil their data security protection obligations and safeguard the security of the cross border transfer of data; in the event of a security incident in the data export or discovery of an increase in the security risk of the data export, remediation measures shall be taken and a report shall be made in a timely manner to cyberspace administration十、各地方网信部门应当加强对数据处理者数据出境活动的指导监督,强化事前事中事后监管,发现数据出境活动存在较大风险或者发生安全事件的,要求数据处理者进行整改消除隐患;对拒不改正或者导致严重后果的,依法责令其停止数据出境活动,保障数据安全。10. Cyberspace administration at the provincial or municipal level shall strengthen the guidance and supervision of local data handlers' data export activities, reinforce the supervision beforehand , during and after data export activities , and instruct local data handlers to carry out rectification to eliminate hidden dangers if a higher risk is de tected in data export activities or if a security incident occurs; and if local data handlers refuse to make corrections or bring about serious consequences, cyberspace administration at the provincial or municipal level shall order them to halt data export activities in accordance with relevant laws for safeguarding the data security.十一、《数据出境安全评估办法》、《个人信息出境标准合同办法》等相关规定与本规定不一致的,按照本规定执行。11.In the event there is any inconsistency between the Provisions and the rel evant provisions including the Measures for Security Assessment on Cross border Data Transfer and the Measures for the Standard Contract for Cross border Transfer of Personal Information , the Provisions shall be prevailing and implemented.
(Issued by Central Cyberspace Administration of China on Sep.28, 2023)