
Provisions on Regulating and Promoting Cross-border Data Flows (draft for comments)

The following provisions on the implementation of the "Measures for the Security Assessment of Data Exports" and the "Measures on Standard Contracts for the Export of Personal Information" are made on the basis of relevant laws in order to safeguard national data security, protect rights and interests in personal information, and to further regulate and promote the orderly free flow of data in accordance with law.

1. Where the export of data in international trade, academic cooperation, or cross-border manufacturing and marketing activities does not include personal information or important data, it is not necessary to make data export security assessment declarations, conclude a standard personal information export contract, or pass personal information protection certification.

2. Where relevant departments have not given notification or public announcement that something is important data, data handlers do not need to make data export security assessment declarations for important data.

3. It is not necessary to make data export security assessment declarations, conclude standard personal information export contracts, or pass personal information protection certification for the overseas provision of personal information that was not collected or produced domestically.

4. In any of the following situations, it is not necessary to make data export security assessment declarations, conclude standard personal information export contracts, or pass personal information protection certification:

(1) Where personal information must be provided overseas as needed to conclude or perform a contract to which the individual is a party, such as for cross-border purchases, cross-border money transfers, air and hotel reservations, and handling visas;

(2) Where the personal information of internal staff must be provided overseas to carry out human resources management in accordance with lawfully drafted labor rules systems and lawfully concluded collective contracts;

(3) Where personal information must be provided overseas in urgent situations in order to protect natural persons' security in their lives, health, and property.

5. Where it is estimated that the personal information of fewer than 10,000 individuals will be provided overseas in one year, it is not necessary to make data export security assessment declarations, conclude a standard personal information export contract, or pass personal information protection certification. However, where personal information is provided overseas on the basis of individual consent, the personal information subject's consent shall be obtained.

6. Where it is estimated that the personal information of between 10,000 and 1 million individuals will be provided overseas in one year, and a standard personal information export contract has been concluded with the foreign recipient and filed with the provincial-level internet information department or personal information protection certification has been passed, data export security assessment declarations may be waived; where the personal information of 1 million or more individuals is provided, data export security assessment declarations shall be made. However, where personal information is provided overseas on the basis of individual consent, the personal information subject's consent shall be obtained.

7. Pilot free trade zones may make their own list of data (hereinafter "negative list") that needs to be included within the scope of data export security assessments, standard contracts for the export of personal information, and personal information protection certification in that free trade zone, and after reporting it for approval to the provincial-level cybersecurity and informatization committee, report it for filing to the national internet information department.

In exporting data outside the negative list, it is permissible to not make data export security assessment declarations, conclude standard personal information export contracts, or pass personal information protection certification.

8. Where state organs and the operators of critical information infrastructure provide personal information and important data overseas, it is to be implemented in accordance with relevant laws, administrative regulations, and departmental rules.

Where sensitive information involving the Party, government, military, and units involved with secrets, or sensitive personal information, is provided overseas, it is to be carried out in accordance with relevant laws, administrative regulations, and departmental rules.

9. Data handlers providing important data and personal information overseas shall comply with laws and administrative regulations, fulfill data security obligations, and ensure the security of the data export; and where data export security incidents occur or increased data export security risks are discovered, remedial measures shall be taken and reported to the internet information departments.

10. Each local internet information department shall strengthen guidance and oversight of data handlers' data export activities, strengthening ex-ante, ex-post, and ongoing regulation, and where it is discovered that there are larger risks in data export activities or where security incidents occur, they are to require the data handlers to make corrections and eliminate the risks; and where corrections are refused or serious consequences are caused, they are to order the handlers to stop the data export activities and ensure data security.

11. Where relevant provisions of the Measures for the Security Assessment of Data Exports, the Measures on Standard Contracts for the Export of Personal Information, and so forth are inconsistent with these Provisions, implementation is to be in accordance with these Provisions.
