Source:http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE
Information security technology—Personal Information Security Specifications
1. Scope
This standard specifies the principles and security requirements to be followed in personal information handling activities such as collection, storage, use, sharing, transfer, and public disclosure.
This standard applies to the regulation of all types of organizations' personal information handling activities, and also applies to the supervision, management, and evaluation of personal information handling activities by competent supervisory departments and third-party assessment organizations.
2. Normative Reference Documents
The following documents are indispensable to the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010 Information security technology—Terminology
3. Terms and Definitions
The terms defined in GB/T 25069-2010 and the following apply to this document.
3.1
个人信息 personal information
All kinds of information recorded electronically or through other means, that either alone or in combination with other information can identify specific natural persons or reflect the activities of specific natural persons.
Note 1:Personal information includes the full name, date of birth, identification card number, personal biometric information, address, communications contact Information, communication records and content, account passwords, property information, credit investigation information, tracking of whereabouts, accommodation information, health and physiological information, transaction information, and so forth.
Note 2:Consult Appendix A regarding the scope and types of personal information.
3.2
个人敏感信息 personal sensitive information
Personal information that, once leaked, illegally provided, or abused, might endanger personal or property security, or easily lead to harm to personal reputation, physical or psychological health, discriminatory treatment, and so forth.
Note 1: Personal sensitive information includes ID card numbers, personal biometric information, bank account numbers, communication records and content, property information, credit investigation information, tracking of whereabouts, accommodation information, health and physiological information, transaction information, the personal information of children aged 14 and under, and so forth.
Note 2: Consult Appendix B for the scope and types of personal sensitive information.
3.3
个人信息主体 personal data subject
The natural person identified by personal information.
3.4
个人信息控制者 personal data controller
The organization or individual that has the right to make decisions such as on the purpose and methods of disposing of personal information.
3.5
收集 collect
The act of acquiring control over personal information, whether through active provision by the Personal Data Subject, through automatic collection such as in interactions with or recording of the activities of the Personal Data Subject, or through indirect means such as sharing, transfer, or gathering of publicly available information.
Note: Where the provider of a product or service supplies tools for the Personal Data Subject's use but does not itself access the personal information, this is not collection as referred to in this standard. For example, offline navigation software whose terminal acquires the user's location but does not report it back to the software provider is not engaged in personal information collection.
3.6
明示同意 explicit consent
The act of giving explicit authorization by the Personal Data Subject, through written statement or affirmative confirmation, to the specific handling of its personal information.
Note: Affirmative confirmation includes statements actively made by the Personal Data Subject (electronic or on paper), actively checking off selections, as well as clicking on "agree", "register", "send", or "call", etc.
3.7
用户画像 user profiling
The process of using the collection, aggregation, and analysis of personal information to form a model of the personal features of a particular natural person, such as their employment, economics, health, education, personal preferences, credit, and behavior, to make analysis and predictions.
Note:Directly using the personal information of a specific natural person to form a model of the natural person's features, is called a direct user profile. Using personal information other than that from a specific natural person, such as the data of groups they are in, to form a model of the features of that natural person, is called an indirect user profile.
3.8
个人信息安全影响评估 personal information security impact assessment
The process of examining personal information handling activities for their degree of legal and regulatory compliance, judging the various risks they pose of harm to the lawful rights and interests of Personal Data Subjects, and assessing the effectiveness of the measures used to protect Personal Data Subjects.
3.9
删除 delete
The act of removing personal information from the systems involved in realizing routine business functions, so that it remains in a state where it cannot be retrieved or accessed.
3.10
公开披露 public disclosure
The act of publishing information to the public or to unspecified groups of people.
3.11
转让 transfer of control
The process of transferring control of personal data to another controller.
3.12
共享 sharing
The process by which Personal Data Controllers provide personal information to other controllers, and both have separate and independent control of the personal information.
3.13
匿名化 anonymization
The process of technically processing personal information so that the Personal Data Subject cannot be identified and the information cannot be restored after processing.
Note: Information obtained after anonymization of personal information is not personal information.
3.14
去标识化 de-identification
The process of technically processing personal information so that the Personal Data Subject cannot be identified without additional information.
Note: De-identification operates at the level of the individual and preserves individual granularity; it uses technical measures such as pseudonyms, encryption, and hash functions to replace the identifiers in personal information.
4. Basic Principles of Personal Information Security
Personal Data Controllers carrying out personal information handling activities should observe the following basic principles:
a) Principle of consistency of powers and responsibilities: bear responsibility for harm caused to the lawful rights and interests of Personal Data Subjects by personal information handling activities.
b) Principle of clear purpose: have a legal, legitimate, necessary, and clear purpose for handling personal information.
c) Principle of choice and consent: make the purpose, methods, scope, and rules for handling personal information explicit to the Personal Data Subject, and obtain their authorization and consent.
d) Principle of minimum sufficiency: except as otherwise agreed with the Personal Data Subject, handle only the minimum types and volume of personal information necessary for the purposes the Personal Data Subject authorized and consented to, and delete the personal information as agreed once the purpose is achieved.
e) Principle of openness and transparency: disclose the scope, purpose, and rules for handling personal information clearly and comprehensibly, and accept external oversight.
f) Principle of ensuring security: possess security capabilities commensurate with the security risks faced, and employ sufficient management and technical measures to protect the confidentiality, integrity, and availability of personal information.
g) Principle of subject participation: provide the Personal Data Subject with means to access, correct, and delete their personal information, to revoke consent, and to unregister accounts.
5. Collection of Personal Data
5.1 Requirements for the legality of the collection of personal information
Requirements for Personal Data Controllers include:
a) a Personal Data Subject must not be tricked, enticed, or compelled to provide their personal information;
b) Functions of products or services that collect personal information must not be concealed;
c) information must not be obtained through illegal channels;
d) Personal information whose collection is expressly prohibited by laws and administrative regulations must not be collected.
5.2 Requirements for minimizing the collection of personal information
Requirements for Personal Data Controllers include:
a) The type of personal information collected should be directly related to realizing the products or services' business functions. Directly related refers to the products or services' business functions being impossible to realize without the information.
b) The frequency of the automatic collection of personal information should be the minimum frequency necessary to achieve the business function of a product or service.
c) The amount of indirectly acquired personal information should be the minimum amount that is necessary to achieve the business function of a product or service.
5.3 Authorization and consent for collection of personal information
Requirements for Personal Data Controllers include:
a) Before personal information is collected, the Personal Data Subject should be clearly informed of the types of personal information that will be separately collected by different business functions of the services or products to be provided, as well as the rules for collection and use of personal information (such as the purpose of collecting and using personal information, method and frequency of collection, storage domain, storage period, capacity for data security, and situations relevant to external sharing, transfer, and public disclosure of personal information), and obtain the Personal Data Subject's authorization and consent.
b) When indirectly collecting personal information:
1) The party providing the personal information should be requested to explain the source of the personal information, and the legality of that source should be confirmed;
2) The scope of authorization and consent that the providing party has already obtained should be understood, including the purposes of use and whether the Personal Data Subject has authorized and consented to transfer, sharing, public disclosure, and so forth. If the personal information handling activities the organization needs to carry out for its business exceed that scope of authorization and consent, the Personal Data Subject's explicit consent should be obtained within a reasonable period after the personal information is acquired, or before the personal information is handled.
5.4 Exceptions to acquiring authorization and consent
In the following situations, Personal Data Controllers do not need to obtain the authorization and consent of the Personal Data Subject for the collection and use of personal information:
a) where there is a direct relation to national security or national defense;
b) where there is direct relation to public safety, public health, or major public interests;
c) Where there is a direct relation to criminal investigations, prosecutions, trials, or enforcement of judgments and the like;
d) Where it is done to preserve the life, property, or major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their consent;
e) Where the personal information collected was voluntarily disclosed to the public by the Personal Data Subject;
f) Personal information that is collected from lawfully disclosed information, such as lawful news reports, open government information, and other such channels;
g) as necessary for signing and performing on a contract requested by the Personal Data Subject;
h) where used to preserve the secure and stable operation of the products or services provided, such as discovering or handling faults in the product or service;
i) Where the Personal Data Controller is a news unit and needs it for carrying out lawful news reporting;
j) Where the Personal Data Controller is an academic research institution, and it is needed to carry out statistics or academic research in the public interest, and when providing academic research outcomes or descriptions they carry out de-identification processing of personal information contained in the results.
k) Other situations provided for by laws and regulations.
5.5 Explicit consent when collecting personal sensitive information
Requirements for Personal Data Controllers include:
a) When personal sensitive information is collected, the Personal Data Subject's explicit consent should be obtained. It should be ensured that the Personal Data Subject's explicit consent was voluntarily given by them on a foundation of full understanding, is specific, and is a clear and definite expression of their desires.
b) Before collecting information through active provision or automatic collection, one should:
1) Inform the Personal Data Subject of the personal sensitive information required for the core business functions of the products or services provided, and clearly inform them of the consequences of refusing to provide it or refusing consent. Personal Data Subjects should be allowed to choose whether to provide it or to consent to its automatic collection;
2) Where products or services need to collect personal sensitive information for additional functions, the Personal Data Subject should be told, item by item and before collection, which additional function each item of personal sensitive information is needed to complete, and should be allowed to choose for each item whether to provide it or to consent to its automatic collection. Where the Personal Data Subject refuses, the corresponding additional function may be withheld, but this must not be used as grounds for ceasing to provide core business functions, and the quality of service should be guaranteed.
Note: Refer to appendix C for methods of realizing the above requirements.
c) Before collecting the personal information of minors who have reached 14 years of age, the explicit consent of the minor or their guardian should be obtained; for minors under 14 years of age, the explicit consent of their guardian should be obtained.
5.6 The content and release of privacy policies
Requirements for Personal Data Controllers include:
a) Personal Data Controllers should draft privacy policies, whose content is to include, but not be limited to:
1) Basic information about the Personal Data Controller, including registered name, registered address, regular office location, contact information for the responsible person, and so forth;
2) The purposes of collecting and using personal information, and each business function covered by those purposes, such as using personal information to deliver commercial advertisements, or using personal information to form direct user profiles and the uses of those profiles;
3) The personal information that may be collected by each business function, the method and frequency of collection, the storage domain, the storage period, and other rules for handling personal information, as well as the actual scope of personal information collected;
4) The purposes of external sharing, transfer, or public disclosure of personal information, the types of personal information involved, the types of third parties receiving it, and the corresponding legal responsibilities borne;
5) The basic principles of personal information security complied with, the data security capabilities possessed, and the personal information security protection measures employed;
6) The rights of the Personal Data Subject and the mechanisms for realizing them, such as methods of access, correction, deletion, unregistering accounts, revoking consent, obtaining copies of personal information, and restricting automatic decisions by information systems, and so forth;
7) The security risks that may exist after the personal information is provided, and the impact of not providing it;
8) Channels and mechanisms for handling Personal Data Subjects' inquiries and complaints, and contact information for external dispute resolution bodies.
b) The information given in privacy policies should be true, accurate, and complete;
c) The content of privacy policies should be clear and understandable, consistent with common customary language, use standardized figures, illustrations, and so forth, avoid the use of ambiguous language, and provide a summary at the beginning, outlining the focus of the content;
d) Privacy policies should be publicly disclosed and easily accessed, such as by setting up links on websites' home page, the installation page for mobile applications, social media homepages, and other conspicuous places;
e) Privacy policies should be delivered to each Personal Data Subject individually. When the costs are too high or there are clear difficulties, they may be published through public announcement;
f) Where the matters stated in 5.6 change, the privacy policy should be promptly updated and the Personal Data Subject informed again.
Note:Consult Appendix D for content of privacy policies.
6. Storage of Personal Information
6.1 Minimization of the personal information storage period
Requirements for Personal Data Controllers include:
a) The period for storage of personal information should be the shortest possible necessary to realize the purpose;
b) After the period for storing personal information described above is exceeded, the personal information should be deleted or anonymized.
6.2 De-identification processing
After collecting personal information, Personal Data Controllers should immediately carry out de-identification processing, employ technical and management measures to store the de-identified data separately from the information that can be used to restore identities, and ensure that subsequent handling of the personal information does not re-identify individuals.
6.3 Transmission and storage of personal sensitive information
Requirements for Personal Data Controllers include:
a) When personal sensitive information is transmitted or stored, security measures such as encryption should be employed;
b) Personal biometric information should be processed with technical measures before storage, for example by storing only a digest of the personal biometric information.
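The following Python example is added here to make concrete the distinction between anonymization (3.13) and de-identification (3.14), and the separated storage that 6.2 requires for de-identified data versus the material that can restore identities. It is not code from the standard or from any named implementation. The sample record, the field names, the `ReidentificationVault` class, and the 16-hex-character tag format are all assumptions made for the illustration.

```python
"""Added illustration of de-identification vs. anonymization (not part of GB/T 35273).
All data here is constructed; the vault design and tag format are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample record (invented values).
SAMPLE_RECORD = {
    "name": "Zhang San",
    "id_card": "110101199001011234",
    "phone": "13800138000",
    "city": "Beijing",
    "order_total": 128,
}
DIRECT_IDENTIFIERS = ("name", "id_card", "phone")


class ReidentificationVault:
    """Secret key plus tag->value table. Per 6.2 this must live apart from the
    de-identified working data, under its own access control; it is an in-memory
    object here only to keep the example self-contained."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, Tuple[str, str]] = {}

    def tag(self, field: str, value: str) -> str:
        # Keyed HMAC: same value -> same tag (records still join), but without the
        # key nobody can recompute tags or enumerate candidates to reverse them.
        mac = hmac.new(self.key, f"{field}\x00{value}".encode(), hashlib.sha256)
        t = mac.hexdigest()[:16]
        self._table[t] = (field, value)
        return t

    def restore(self, tag: str) -> Tuple[str, str]:
        return self._table[tag]


def deidentify(record: dict, vault: ReidentificationVault) -> dict:
    """3.14: replace direct identifiers with tags; one row still equals one person."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.tag(field, str(out[field]))
    return out


def reidentify(record: dict, vault: ReidentificationVault) -> dict:
    """Only possible with the vault, i.e. with the 'additional information' of 3.14."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            _, out[field] = vault.restore(out[field])
    return out


def anonymize(record: dict) -> dict:
    """3.13: drop direct identifiers outright; no tag and no table, so nothing
    can be restored and the result is no longer personal information."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def unkeyed_hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def crack_unkeyed_phone_hash(digest: str, known_prefix: str) -> Optional[str]:
    """Why a bare hash of a low-entropy field is not de-identification: the
    attacker simply enumerates the input space. Here only four digits are unknown."""
    for n in range(10_000):
        candidate = f"{known_prefix}{n:04d}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = ReidentificationVault()
    work = deidentify(SAMPLE_RECORD, vault)
    print("working copy :", work)
    print("restored     :", reidentify(work, vault))
    print("anonymized   :", anonymize(SAMPLE_RECORD))
    print("bare hash cracked:",
          crack_unkeyed_phone_hash(unkeyed_hash("13800138000"), "1380013"))
```

The keyed tag is deterministic, so analysts can still join records on the de-identified column, while re-identification requires both the key and the table held in the vault; losing the working data set alone does not expose identities. The `crack_unkeyed_phone_hash` function shows the failure mode of an unkeyed hash on a structured identifier: the hash function in the 3.14 note only serves as de-identification when the input cannot be enumerated or the hash is keyed. This exact-match scheme suits ID numbers and phone numbers; the digest-only storage that 6.3 b) asks for biometric information is a separate design problem, since biometric samples differ between captures.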
6.4 Stopping operations of Personal Data Controllers
When Personal Data Controllers stop operations of their products or services, they should:
a) Promptly stop the continuation of activities collecting personal information;
b) Send the notice of stopping operations to every Personal Data Subject either individually or by public announcement;
c) Carry out deletion or anonymization of the personal information they possess.
7. Use of Personal Information
7.1 Personal Information Access Control Measures
Requirements for Personal Data Controllers include:
a) Internal data operations personnel authorized to access personal information should, in accordance with the principle of minimum authorization, be given access only to the minimum personal information sufficient for their duties, and only the minimum data operation privileges required to complete them;
b) Set up an internal approval process for important operations on personal information, such as batch modification, copying, and downloading;
c) Set up separated roles for security management personnel, data operations personnel, and audit personnel;
d) Where work genuinely requires authorizing specific personnel to handle personal information beyond their normal privileges, this should be approved by the person responsible for personal information protection or the personal information protection working body, and recorded;
NOTE: On determining the person responsible for personal information protection or the personal information protection working body, see 10.1.
e) Access to, modification of, and other operations on personal sensitive information should be controlled by role according to the scope of authorization, and on an operation-triggered basis as needed by the business process. For example, complaint handling personnel may access a user's relevant information only after that user has lodged a complaint.
7.2 Limits on displaying information
Where personal information is displayed through an interface (such as a screen or paper), Personal Data Controllers should employ measures such as de-identification of the displayed personal information to reduce the risk of leakage during display, for example preventing unauthorized internal personnel and persons other than the Personal Data Subject from obtaining the personal information without authorization.
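As an added example that is not code from the standard, the following Python sketch enforces the access-control requirements of 7.1 and the display limits of 7.2 together: role-scoped field permissions, separation of operator and auditor roles, an approval ticket for bulk operations, operation-triggered access for complaint handlers, masking on display, and an audit record of every decision. The users, roles, complaint and ticket identifiers, and masking formats are all assumptions constructed for the illustration.

```python
"""Added illustration of 7.1 (access control) and 7.2 (display limits); not part of
GB/T 35273. Users, roles, tickets and masking formats are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed personal information store (invented values).
USERS: Dict[str, Dict[str, str]] = {
    "u1001": {"name": "Li Si", "phone": "13912345678",
              "id_card": "310101198505051234", "email": "lisi@example.com"},
    "u1002": {"name": "Wang Wu", "phone": "13700001111",
              "id_card": "440301199210101234", "email": "wangwu@example.com"},
}
# Business-process state that triggers access (7.1 e): complaint id -> subject.
OPEN_COMPLAINTS: Dict[str, str] = {"c-77": "u1001"}
# Tickets approved by the personal information protection officer (7.1 b, d).
APPROVED_BULK_TICKETS: Set[str] = {"t-42"}

# Role -> fields it may read (7.1 a, c). Auditors and security admins work on
# the audit log, not the records, so their field set is empty.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "complaint_handler": {"name", "phone", "email"},
    "security_admin": set(),
    "auditor": set(),
}

AUDIT_LOG: List[dict] = []


@dataclass
class AccessRequest:
    actor: str
    role: str
    subject: str
    fields: Tuple[str, ...]
    complaint_id: Optional[str] = None
    approval_ticket: Optional[str] = None
    bulk: bool = False


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Deny unless every gate passes; the reason string feeds the audit log."""
    allowed = ROLE_FIELDS.get(req.role, set())
    if not set(req.fields) <= allowed:
        return False, "field outside role scope"
    if req.bulk and req.approval_ticket not in APPROVED_BULK_TICKETS:
        return False, "bulk operation lacks approval"
    if req.role == "complaint_handler":
        # Operation-triggered authorization: only the complaining subject's data.
        if OPEN_COMPLAINTS.get(req.complaint_id or "") != req.subject:
            return False, "no open complaint from this subject"
    return True, "ok"


def mask(field_name: str, value: str) -> str:
    """Display masking (7.2); the formats are assumptions for the example."""
    if field_name == "phone":
        return value[:3] + "****" + value[-4:]
    if field_name == "id_card":
        return value[:6] + "********" + value[-4:]
    if field_name == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return value


def read_for_display(req: AccessRequest) -> Dict[str, str]:
    """Authorize, record the decision, then return only masked values."""
    ok, reason = authorize(req)
    AUDIT_LOG.append({"actor": req.actor, "role": req.role, "subject": req.subject,
                      "fields": req.fields, "granted": ok, "reason": reason})
    if not ok:
        raise PermissionError(reason)
    record = USERS[req.subject]
    return {f: mask(f, record[f]) for f in req.fields}


if __name__ == "__main__":
    ok_req = AccessRequest("alice", "complaint_handler", "u1001",
                           ("name", "phone"), complaint_id="c-77")
    print(read_for_display(ok_req))
    for bad in (
        AccessRequest("alice", "complaint_handler", "u1002", ("phone",), complaint_id="c-77"),
        AccessRequest("alice", "complaint_handler", "u1001", ("id_card",), complaint_id="c-77"),
        AccessRequest("bob", "security_admin", "u1001", ("name",), bulk=True),
    ):
        try:
            read_for_display(bad)
        except PermissionError as exc:
            print("denied:", exc)
    print(AUDIT_LOG)
```

The point of routing every read through `read_for_display` is that the masked rendering and the audit entry cannot be skipped by a caller: a complaint handler never sees a full ID card number, a request for a subject with no open complaint is refused before any record is touched, and a bulk operation is refused unless it carries an approved ticket. Denied requests are logged as well, since the audit role in 7.1 c) needs the refusals to review attempted over-reach.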
7.3 Limits on the use of personal information
Requirements for Personal Data Controllers include:
a) Except as necessary for the purpose, clear identity indicators should be removed when using personal information, to avoid precise targeting of specific individuals. For example, direct user profiles may be used to accurately assess personal credit status, but indirect user profiles should be used for the purpose of delivering commercial advertisements.
b) All information produced by processing collected personal information that can, alone or in combination with other information, identify natural persons or reflect the activities of natural persons should be considered personal information. Its handling should comply with the scope of authorization and consent obtained when the personal information was collected.
Note 1: Where personal information produced by processing is personal sensitive information, its handling should comply with this standard's requirements for personal sensitive information.
c) The use of personal information must not exceed a scope directly or reasonably connected with the purpose stated when it was collected. Where business requirements make it genuinely necessary to use personal information beyond that scope, the Personal Data Subject's explicit consent should be obtained again.
Note 2: Descriptions of the overall state of collected personal information, or of natural, scientific, social, economic, or other phenomena, arrived at through academic research fall within the scope reasonably connected with the purpose of collection. However, when providing academic research results or descriptions externally, the personal information they contain should be de-identified.
7.4 Personal information access
Personal Data Controllers should provide Personal Data Subjects with methods for accessing the following information:
a) The personal information, or the types of personal information, about that subject that they hold;
b) The source and reason for having personal information described above;
c) The identity or class of third parties that have already obtained the personal information described above.
Note: When Personal Data Subject propose accessing personal information that was not actively provided, upon comprehensive consideration of the risks and harms that not complying might cause for the lawful rights and interests of the Personal Data Subject, as well as the technical feasibility, costs of bringing about the request and other such factors, the Personal Data Controller is to make a decision on whether or not to comply, and give explanations.
7.5 Correction of personal information
Where Personal Data Subject find that there are errors in the their own personal information that is in possession of Personal Data Controllers, or that it is incomplete, the Personal Data Controller should provide them with methods for correcting or supplementing information.
7.6 Deletion of personal information
Requirements for Personal Data Controllers include:
a) Where the following conditions are met and the Personal Data Subject requests deletion, the personal information should be promptly deleted:
1) Personal Data Controllers violate provisions of laws or regulations, in collecting or using personal information;
2) Personal Data Controllers violate agreements with the Personal Data Subject in collecting or using information.
b) Where Personal Data Controllers share or transfer personal information in violation of laws, regulations, or agreements with Personal Data Subject, and the Personal Data Subject requests that they delete it, the Personal Data Controller should immediately stop the sharing and transfer, and inform third-parties to delete it.
c) Where Personal Data Controllers violate provisions of laws or regulations, or agreements with Personal Data Subject, in publicly disclosing personal information, and the Personal Data Subject requests deletion, the Personal Data Controller should immediately stop the public disclosure, and issue a notice requesting that relevant recipients delete the corresponding information.
7.7 Revocation of consent by Personal Data Subject
Requirements for Personal Data Controllers include:
a) Personal Data Subjects should be provided with methods for revoking consent and authorization for the collection and use of personal information. After consent is revoked, Personal Data Controllers must not continue to handle the relevant personal information.
b) Personal Data Subjects' right to refuse delivery of commercial advertisements based on their personal information should be guaranteed. Personal Data Subjects should be provided with a method for revoking consent to external sharing, transfer, and public disclosure of personal information.
Note:Revocation of consent does not impact the prior handling of personal information based on that consent.
7.8 Unregistering Personal Data Subject's accounts
Requirements for Personal Data Controllers include:
a) Personal Data Controllers that provide services through registered accounts should provide Personal Data Subject with methods for unregistering accounts, and those methods should be simple and easy to perform;
b) After Personal Data Subject unregister accounts, their personal information should be deleted or anonymized.
7.9 Personal Data Subjects acquisition of copies of personal information
On request of the Personal Data Subject, Personal Data Controllers should provide methods for the Personal Data Subject to obtain copies of the following types of personal information, or, where technically feasible, transfer the following personal information directly to a third party:
a) Basic personal materials and personal ID information;
b) Personal health and physiological information, and personal education and work information.
7.10 Restrictions on information systems' automatic decisions
When decisions are made based solely on automatic decisions of information systems that clearly impact the rights and interests of Personal Data Subject (such as decisions on individual's credit level and borrowing amount based on their user profile, or using profiles in employment interview screenings), Personal Data Controllers should provide methods for raising appeals.
7.11 Responding to requests of the Personal Data Subject
Requirements for Personal Data Controllers include:
a) After verifying the Personal Data Subject's identity, requests based on 7.4 to 7.10 should be promptly complied with, a response and explanation should be given within 30 days or within the period provided by laws and regulations, and the Personal Data Subject should be informed of the channels for submitting the dispute for external resolution;
b) In principle, no fee is charged for reasonable requests, but where requests are repeated within a certain period, a fee to cover costs may be charged as appropriate;
c) Where directly fulfilling the Personal Data Subject's request would require excessive cost or present clear difficulties, the Personal Data Controller should provide the Personal Data Subject with alternative methods that protect their lawful rights and interests;
d) In the following circumstances, including but not limited to, requests based on 7.4 to 7.10 need not be complied with:
1) where there is a direct relation to national security or national defense;
2) where there is a direct relation to public safety, public health, or major public interests;
3) where there is a direct relation to criminal investigations, prosecutions, trials, or enforcement of judgments and the like;
4) where the Personal Data Controller has sufficient evidence that the Personal Data Subject is acting with subjective malice or abusing their rights;
5) where responding to the request would cause serious harm to the lawful rights and interests of other individuals or organizations;
6) where commercial secrets are involved.
7.12 Complaints management
Personal Data Controllers should establish mechanisms for managing complaints and appeals, including follow-up processes, and respond to complaints and appeals within a reasonable time.
8. Commissioned Handling
8.1 When commissioning the handling of personal information, the following requirements should be complied with:
a) Where Personal Data Controllers commission handling, they must not exceed the scope of authorization and consent obtained from the Personal Data Subject, unless one of the circumstances in 5.4 applies;
b) Personal Data Controllers should conduct a personal information security impact assessment of the commission, and ensure that the commissioned party possesses sufficient data security capabilities and provides a sufficient level of security protection;
c) The party accepting the commission should:
1) Strictly follow the Personal Data Controller's requirements in handling personal information. If, for special reasons, the commissioned party cannot follow those requirements, it should promptly report this to the Personal Data Controller;
2) Where the commissioned party genuinely needs to sub-commission the handling, it should first obtain the Personal Data Controller's authorization;
3) Assist the Personal Data Controller in responding to Personal Data Subjects' requests based on 7.4 to 7.10;
4) Where the commissioned party cannot provide a sufficient level of security protection, or a security incident occurs, in the course of handling personal information, it should promptly report this to the Personal Data Controller;
5) When the commissioning relationship ends, the commissioned party must no longer store the personal information.
d) Personal Data Controllers should conduct oversight of commissioned parties by means including, but not restricted to:
1) Specifying the commissioned party's responsibilities and obligations through contracts or other such means;
2) Conducting audits of the commissioned party.
e) Personal Data Controllers should accurately record and store circumstances of commissioned handling of personal information.
8.2 Sharing and transfer of personal information
In principle, personal information must not be shared or transferred. Where Personal Data Controllers genuinely need to share or transfer it, they should pay full attention to the risks. Where personal information is shared or transferred for reasons other than acquisition, merger, or restructuring, the following requirements should be complied with:
a) Carry out a personal information security impact assessment beforehand, and employ effective measures to protect Personal Data Subjects based on the assessment results;
b) Inform the Personal Data Subject of the purpose of the sharing or transfer and the type of party receiving the data, and obtain the Personal Data Subject's authorization and consent in advance, except where the personal information shared or transferred has been de-identified and it is ensured that the recipient has no way to re-identify the Personal Data Subject;
c) Before sharing or transferring personal sensitive information, in addition to the matters in 8.2 b), the Personal Data Subject should also be informed of the types of personal sensitive information involved and the identity and security capabilities of the recipient, and the Personal Data Subject's explicit consent should be obtained;
d) Accurately record and store the circumstances of sharing or transferring personal information, including the date, scale, and purpose of the sharing or transfer, as well as the basic circumstances of the recipient parties, and so forth;
e) Bear responsibility corresponding to the harms caused to Personal Data Subject's lawful rights and interests by the sharing or transfer of personal information;
f) Help Personal Data Subject understand circumstances such as the recipients' retention and use of personal information, as well as the rights of Personal Data Subject, for example, to access, correct, delete, or unregister accounts.
8.4 Transfer of personal information in acquisitions, mergers, and reorganizations
When a Personal Data Controller undergoes an acquisition, merger, reorganization, or other such change, it should:
a) Inform the Personal Data Subject of the relevant situation;
b) The changed Personal Data Controller should continue to perform the responsibilities and obligations of the original Personal Data Controller, and if the purpose of using the personal information changes, should obtain the Personal Data Subject's express consent anew.
8.5 Public disclosure of personal information
In principle, personal information must not be publicly disclosed. When Personal Data Controllers have legal authorization or truly need to publicly disclose it for legitimate reasons, they should pay full attention to the risks and follow the requirements below:
a) Carry out a personal information security impact assessment beforehand, and employ effective measures for protecting Personal Data Subjects based on the assessment results;
b) Inform the Personal Data Subject of the purpose of the public disclosure and the types of personal information being publicly disclosed, and obtain the explicit consent of the Personal Data Subject in advance;
c) Before publicly disclosing personal sensitive information, in addition to the matters notified under 8.5 b), the Personal Data Subject should also be informed of the content of the personal sensitive information involved;
d) Accurately record and store the circumstances of publicly disclosing personal information, including the date, scale, purpose, and scope of the disclosure;
e) Bear responsibility corresponding to the harms caused to Personal Data Subjects' lawful rights and interests by the public disclosure of personal information;
f) Personal biometric information must not be publicly disclosed.
8.6 Exceptions to obtaining authorization and consent prior to sharing, transferring, and publicly disclosing personal information
In the following circumstances, Personal Data Controllers sharing, transferring, or publicly disclosing personal information do not need to first obtain the Personal Data Subject's authorization and consent:
a) Where there is a direct relation to national security or national defense;
b) Where there is a direct relation to public safety, public health, or major public interests;
c) Where there is a direct relation to criminal investigations, prosecutions, trials, enforcement of judgments, and the like;
d) Where it is done to preserve the life, property, or other major lawful rights and interests of the Personal Data Subject or another person, and it is very difficult to obtain their consent;
e) Personal information that the Personal Data Subject has disclosed to the public themselves;
f) Personal information collected from lawfully disclosed information, such as lawful news reports, open government information, and other such channels.
8.7 Joint Personal Data Controllers
When a Personal Data Controller and a third party are joint Personal Data Controllers (for example, a service platform and a business operating on that platform), the Personal Data Controller should, through contracts or other means, jointly confirm with the third party the personal information security requirements to be satisfied and the responsibilities and obligations each party bears for personal information security, and should clearly inform the Personal Data Subject of this.
Note: Where a Personal Data Controller deploys in its webpage or application a third-party plugin that collects personal information in the course of providing products or services (for example, a website operator deploying a statistical analysis tool, a software development kit (SDK), or an API map call), and the third party has not independently obtained the Personal Data Subject's authorization and consent to collect and use the personal information, the Personal Data Controller and the third party are joint Personal Data Controllers.
8.8 Requirements for cross-border transmission of personal information
Where personal information collected during business operations in the mainland territory of the People's Republic of China is provided outside the mainland territory, the Personal Data Controller shall conduct security assessments in accordance with the Measures and relevant standards drafted by the State Internet Information Departments together with the relevant departments of the State Council, and comply with their requirements.
9. Resolution of Personal Information Security Incidents
9.1 Emergency response and reporting for security incidents
Requirements for Personal Data Controllers include:
a) a personal information security incident response plan should be drafted.
b) Emergency response training and drills should be organized periodically (at least once annually) for relevant internal personnel, giving them a grasp of the duties of their position and of emergency response tactics and procedures.
c) After personal information security incidents occur, Personal Data Controllers should conduct the following disposition measures based on the emergency response plan:
1) Record the content of the incident, including but not limited to: the personnel who discovered the incident, the time and place, the number of persons whose personal information was involved, the name of the system in which the incident occurred, the impact on other connected systems, and whether law enforcement organs or relevant departments have already been contacted;
2) Assess the impact that the incident might cause, and employ the necessary measures to control the situation and eliminate the hazard;
3) Follow the relevant procedures of the "National Network Security Emergency Response Plan" to promptly make a report; the content of the report is to include, but is not limited to: the type, number, content, nature, and other overall circumstances of the Personal Data Subjects involved; the impact that the incident might cause; the disposition measures that have already been employed; and contact information for the relevant incident response personnel;
4) Follow the requirements of 9.2 to implement security incident notices.
d) Promptly update the emergency response plan on the basis of changes in the relevant laws and regulations, as well as the handling of incidents.
9.2 Notification of security incidents
Requirements for Personal Data Controllers include:
a) Personal Data Subjects that have been affected should be promptly informed of the circumstances of the incident through means such as mail, letter, phone, push notification, and so forth. When it is difficult to notify Personal Data Subjects one by one, reasonable and effective methods should be used to release warning information to the public.
b) The content of the notification should include, but is not limited to:
1) The content and impact of the security incident;
2) Handling measures that have been taken or will be taken;
3) Recommendations for the Personal Data Subject to independently take precautions to prevent and reduce risks;
4) The remedial measures provided to the Personal Data Subject;
5) Contact information for the person responsible for personal information protection and the personal information protection work body.
10. Organizational Management Requirements
10.1 Clarify responsible departments and personnel
Requirements for Personal Data Controllers include:
a) It should be made clear that their legally-designated representative or principal responsible person has comprehensive leadership responsibility for personal information security, including providing manpower, assets, and material safeguards for personal information security efforts.
b) persons responsible for personal information protection, and personal information working bodies, should be named.
c) Organizations that satisfy any of the following requirements should set up a full time person responsible for personal information protection and a personal information protection body, responsible for personal information security work:
1) Its primary operations involve handling personal information, and the number of operations personnel is greater than 200;
2) It handles the personal information of more than 500,000 people, or expects to handle the personal information of more than 500,000 people within 12 months.
d) The duties to be performed by persons responsible for protecting personal information and personal information protection work bodies include, but are not limited to:
1) Comprehensively planning the implementation and organization of personal information security work, and being directly responsible for personal information security;
2) Drafting, issuing, implementing, and periodically updating privacy policies and relevant procedures;
3) Establishing, maintaining, and updating an inventory of the personal information in the organization's possession (including the types, quantity, sources, recipients, and so forth of the personal information) and the access authorization policies for it;
4) Carrying out personal information security impact assessments;
5) Organizing personal information security training;
6) Conducting testing before products or services are released, to avoid unknown collection, use, sharing, or other handling of personal information;
7) Conducting security audits.
10.2 Carry out personal information security impact assessments
Requirements for Personal Data Controllers include:
a) Establish systems for personal information security impact assessments, periodically (at least once each year) carrying out personal information security impact assessments.
b) Personal information security impact assessments should primarily assess handling activities compliance with the basic principles of personal information security, as well as the impact of personal information handling on Personal Data Subject's lawful rights and interests, with content including, but not limited to:
1) Whether the personal information collection phase complied with principles such as the clear purpose principle, the selective consent principle, and the minimum sufficient use principle;
2) Whether the handling of personal information might adversely affect the lawful rights and interests of Personal Data Subjects, including whether the handling could harm personal or property security, harm personal reputation or physical and psychological health, or lead to discriminatory treatment;
3) The effectiveness of personal information security measures;
4) The risk that aggregating anonymized or de-identified data might re-identify Personal Data Subjects;
5) The adverse impacts that sharing, transferring, or publicly disclosing personal information might have on Personal Data Subjects' lawful rights and interests;
6) The adverse impacts that a security incident might have on Personal Data Subjects' lawful rights and interests.
c) When laws and regulations have new requirements, or when there are major changes in operations models, information systems, or the operating environment, or when major personal information security incidents occur, a new personal information security impact assessment should be conducted.
d) Form a personal information security impact assessment report, and employ measures to protect Personal Data Subject on this basis, reducing risks to an acceptable level.
e) Properly retain personal information security impact assessment reports, ensure that they may be provided for review to relevant parties, and disclose them externally in appropriate forms.
10.3 Data Security Capacity
On the basis of the requirements of the relevant national standards, Personal Data Controllers should establish appropriate data security capability, put in place the necessary management and technical measures, and prevent the leakage, damage, and loss of personal information.
10.4 Personnel management and training
Requirements for Personal Data Controllers include:
a) Confidentiality agreements should be signed with personnel in positions handling personal information, and background investigations conducted for personnel who have access to large quantities of personal sensitive information;
b) The internal security duties of the different positions that involve handling personal information should be made clear, as well as the punishment mechanisms for when security incidents occur;
c) When personnel in positions handling personal information are transferred to other posts or terminate employment, they should be required to continue performing their confidentiality obligations;
d) The personal information security requirements for external service personnel who might access personal information should be clarified;
e) Periodically (at least once each year), or when there are major changes to the privacy policy, carry out specialized training and assessment of personnel in positions handling personal information, ensuring that the relevant personnel are familiar with and understand the relevant provisions of the privacy policy.
10.5 Security Audits
Requirements for Personal Data Controllers include:
a) Audits should be conducted of the privacy policy and relevant provisions, as well as of the efficacy of the security measures;
b) Automated auditing systems should be established to monitor and record activities handling personal information;
c) The records produced in the course of auditing should be able to support the handling of security incidents and the investigations that follow emergency responses; precautions should be taken against unauthorized access to, tampering with, or deletion of the audit records;
d) Use of personal information in violation of rules, abuse of personal information, and similar circumstances discovered in the course of audits should be promptly dealt with.
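As an added example, not part of the standard's text, the following Python shows one way to meet 10.5 b) and c) in practice: audit records of personal information handling are chained, with each record carrying its sequence number, the previous record's MAC, and an HMAC over its own fields. The key is assumed to be held by the audit service (for example in a KMS or HSM) rather than by the application that writes the events, so someone who can edit the log file cannot recompute valid MACs. The key value, the event fields, and the function names are assumptions of this example, and the sample events are constructed.

```python
import copy
import hashlib
import hmac
import json

# Constructed example key. Assumption: the MAC key is held by the audit
# service (e.g. in a KMS/HSM), so a user of the business application who can
# edit the log file cannot recompute valid MACs.
AUDIT_KEY = b"example-audit-mac-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" of the first record

# Constructed sample events describing personal-information handling.
SAMPLE_EVENTS = [
    {"ts": "2019-04-01T08:00:00Z", "actor": "svc-crm", "action": "read",
     "subjects": 1, "purpose": "customer-service"},
    {"ts": "2019-04-01T08:05:00Z", "actor": "analyst-17", "action": "export",
     "subjects": 1200, "purpose": "marketing-analysis"},
    {"ts": "2019-04-01T08:09:00Z", "actor": "svc-crm", "action": "share",
     "subjects": 3, "purpose": "delivery", "recipient": "logistics-partner"},
]


def canonical(record):
    # Deterministic serialization so the MAC covers exactly the stored fields.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log, key, event):
    """Append one event; the record carries its index, the previous MAC and
    an HMAC over everything else, so edits, deletions and reorderings break
    the chain."""
    body = {"seq": len(log), "prev": log[-1]["mac"] if log else GENESIS}
    body.update(event)
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_chain(log, key, head=None):
    """Return (True, None) if the log is intact, else (False, seq) for the
    first record that fails. `head` is the last MAC recorded out of band
    (e.g. published to a separate system); without it, silent truncation of
    the tail cannot be detected."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    if head is not None and prev != head:
        return False, len(log)
    return True, None


def build_sample_log(key=AUDIT_KEY):
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, key, event)
    return log


def demo():
    """Exercise the cases a reviewer cares about; returns the verdicts."""
    log = build_sample_log()
    head = log[-1]["mac"]
    results = {"intact": verify_chain(log, AUDIT_KEY, head)}

    edited = copy.deepcopy(log)
    edited[1]["subjects"] = 12          # shrink the export to hide its scale
    results["edited"] = verify_chain(edited, AUDIT_KEY, head)

    deleted = copy.deepcopy(log)
    del deleted[1]                      # remove the export record entirely
    results["deleted"] = verify_chain(deleted, AUDIT_KEY, head)

    truncated = log[:-1]                # drop the tail; only the head catches it
    results["truncated_no_head"] = verify_chain(truncated, AUDIT_KEY)
    results["truncated_with_head"] = verify_chain(truncated, AUDIT_KEY, head)
    return results


if __name__ == "__main__":
    for name, (ok, bad_seq) in demo().items():
        print(f"{name:20s} intact={ok} first_bad_seq={bad_seq}")
```

The chain alone detects edits, deletions in the middle, and reordering, but not removal of the most recent records; the `head` argument stands in for an external anchor (the latest MAC written to a system the application cannot alter), which is what makes truncation detectable.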
Appendix A
(Informative Annex)
Examples of personal information
Personal information refers to information, recorded electronically or by other means, that can, independently or in conjunction with other information, identify the identity of a particular natural person or reflect the activities of a particular natural person, such as their name, date of birth, ID number, personal biometric identification information, address, communications contact method, communication records and content, account passwords, property information, credit investigation information, location tracking, accommodation information, health and physiological information, transaction information, and so forth.
Two paths should be considered in determining whether a piece of information is personal information. The first is identification, from information to individual: the specific nature of the information itself identifies a particular natural person, so personal information is information that helps to identify a particular person. The second is association, from individual to information: if the particular natural person is already known, then the information produced by that natural person in the course of their activities (such as personal location information, personal call records, personal browsing records, and so forth) is personal information. Information that meets either of these two conditions is to be considered personal information.
Table A.1 gives examples of personal information.
Table A.1: Examples of Personal Information
Category | Examples |
---|---|
Basic personal information | Name, date of birth, gender, ethnicity, nationality, family relationships, address, personal telephone number, email address, and so forth. |
Personal identity information | ID cards, military ID, passports, driver's licenses, work permits, access passes, social security cards, residence permits, and so forth. |
Personal biometric identification information | Personal genes, fingerprints, palmprints, auricle, facial features, and so forth. |
Network identity identification information | System accounts, IP addresses, email addresses, and the passwords, passcodes, password-protection answers, and users' personal digital certificates associated with the foregoing, and so forth. |
Personal health and physiological information | Personal records produced through the treatment of illness, such as symptoms, hospitalization records, doctor's orders, examination reports, surgery and anesthesia records, nursing records, medication records, food and drug allergy information, birth information, past medical history, diagnosis and treatment circumstances, family history, history of present illness, history of infectious diseases, as well as information generated in relation to personal physical health, and so forth. |
Personal education and work information | Profession, job, workplace, education, degrees, educational experience, work experience, training records, transcripts, and so forth. |
Personal asset information | Bank account numbers, authentication information (passwords), deposit information (including the amount of funds, payment and receipt records, etc.), real estate information, credit records, credit investigation information, transaction and spending records, bank statements, as well as virtual transactions, game redemption codes, and other virtual asset information. |
Personal communications information | Communications records and content, text messages (SMS), multimedia messages (MMS), emails, as well as data describing an individual's communications (often called metadata), and so forth. |
Contact information | Address books, friend lists, group lists, email address lists, and so forth. |
Personal internet records | User operation records stored in logs, including website browsing records, software usage records, click records, and so forth. |
Information on personal commonly used devices | Information describing the basic condition of an individual's commonly used devices, including hardware serial numbers, MAC addresses, software lists, and unique device identifiers (e.g. IMEI, Android ID, IDFA, OpenUDID, GUID, SIM card IMSI information, etc.). |
Personal location information | Including whereabouts tracking, precise positioning information, accommodation information, latitude and longitude, and so forth. |
Other information | Marital history, religious faith, sexual orientation, undisclosed criminal records, and so forth. |
Appendix B
(Informative Annex)
Determination of personal sensitive information
Personal sensitive information refers to personal information that, once disclosed, illegally provided, or abused, might endanger personal or property security, or easily lead to harm to personal reputation or physical and psychological health, or to discriminatory treatment. Ordinarily, the personal information of children aged 14 and under (inclusive) and the private information of natural persons are personal sensitive information. Whether information is personal sensitive information may be determined from the following perspectives.
Leakage: Once personal information is leaked, the Personal Data Subject and the organization or institution that collects or uses the personal information lose control of it, so that the scope and purposes of its spread become uncontrollable. Where, after certain personal information is leaked, its direct use in a manner against the will of the Personal Data Subject, or its analysis together with other information, might bring major risks to the Personal Data Subject's lawful rights and interests, it is to be found to be personal sensitive information. For example, copies of a Personal Data Subject's identity card used to register a mobile phone number under the real-name system or to open a bank account or card.
Illegal provision: Certain personal information can bring major risks to the Personal Data Subject's rights and interests merely by spreading beyond the scope of the Personal Data Subject's authorization, and should be deemed personal sensitive information. For example, sexual orientation, deposit information, infectious disease history, and so forth.
Abuse: Certain personal information might bring major risks to the Personal Data Subject's rights and interests when used beyond the reasonable authorized scope (such as by changing the purpose of handling or expanding the scope of handling). For example, using health information for insurance sales and for setting individual premiums without having obtained the Personal Data Subject's authorization.
Table B.1 gives examples of personal sensitive information.
Table B.1: Examples of Personal Sensitive Information
Category | Examples |
---|---|
Personal asset information | Bank account numbers, authentication information (passwords), deposit information (including the amount of funds, payment and receipt records, etc.), real estate information, credit records, credit investigation information, transaction and spending records, bank statements, as well as virtual currency, virtual transactions, game redemption codes, and other virtual property information. |
Personal health and physiological information | Personal records produced through the treatment of illness, such as symptoms, hospitalization records, doctor's orders, examination reports, surgery and anesthesia records, nursing records, medication records, food and drug allergy information, birth information, past medical history, diagnosis and treatment circumstances, family history, history of present illness, history of infectious diseases, as well as information generated in relation to personal physical health, and so forth. |
Personal biometric identification information | Personal genes, fingerprints, voiceprints, palmprints, auricle, iris, facial recognition features, and so forth. |
Personal identity information | ID cards, military IDs, passports, driver's licenses, work permits, social security cards, residence permits, and so forth. |
Network identity identification information | System accounts, email addresses and their associated passwords, passcodes, password-protection answers, users' personal digital certificates, and so forth. |
Other information | Personal phone numbers, sexual orientation, marital history, religious faith, undisclosed criminal records, communication records and content, whereabouts tracking, web browsing history, accommodation information, precise positioning information, and so forth. |
Appendix D
(Informative Annex)
Privacy Policy Template
Publishing a privacy policy is an important manifestation of a Personal Data Controller's compliance with the principles of openness and transparency, an important means of ensuring Personal Data Subjects' right to know, and an important mechanism for restraining the Controller's own conduct and cooperating with oversight and management. A privacy policy should describe the Personal Data Controller's handling of personal information clearly, accurately, and completely.
Table D.1 gives a sample privacy policy template.
【Note: The following table contains many typos in the Chinese that are the result of the OCR software issues, and are not from the original text. We have ignored these in the translation process】
Privacy Policy Template | Drafting requirements |
---|---|
This policy applies only to ×××× ×××× products or services, including: ×××××× Last updated: Month ×××, Year ××× . If you have any questions, comments or suggestions, please contact us through the following contact methods: Email: Phone: Fax: | This section is the scope of use. It includes the scope of products and services that the privacy policy applies to, the types of users that it applies to, and its validity period, updates times, and so forth |
This policy will help you understand the following: 1. How we collect and use your personal information 2.How we use Cookies and similar technology 3.How we share, transfer, and publicly disclose your personal information 4. How we protect your personal information 5. Your rights 6. How we handle children's information 7.How your personal information is transferred globally 8. How this policy is updated 9. How to contact us **** thoroughly understand the importance of your personal information to you, and will spare no effort in reliably and securely protecting your personal information. We strive to maintain the trust you place in us, scrupulously abiding by the following principles to protect your personal information: The principle of responsibilities commensurate with rights, the clear purpose principle, the principle of selective consent, the minimum sufficient use, the principle of ensuring security, the principle of subject participation, the principle of openness and transparency, and so forth. At the same time, **** promises that we will follow mature industry security standards, employing relevant security and protection measures to protect your personal information. Before using our product (or service), please carefully read and understand this "Privacy Policy." | This section is for key explanations of the privacy policy, it is a summary of the privacy policy's important points. The goal is to make the Personal Data Subject quickly understand the main components of the privacy policy, and the core messages that the personal information control is making. |
Privacy Policy Template | Drafting requirements |
I. How we collect and use your personal information Personal information refers to all types of information, recorded in electronic or other forms, that can independently or together with other information identify specific natural persons identity or reflect the activities of specific natural persons. XXXX will only collect and use your personal information for the purposes stated below in this policy: (1) Providing you with online purchasing services [Note: Examples] 1. Operation function one: Registering as a user. To finish create an account, you must provide the following information: your name, e-mail address, create a user name and password, ....... If, in the course of registering, you provide the following additional information, it will help us to provide you better services and experience: cell phone number, job title, company, educational background, ......... . However, if you do not provide this information, it will not impact your use of this service's basic functions. The information you provide will remain authorized for our use during the period which use use this service. when you unregister your account, we will stop using and delete the above information. The information above will be stored in the mainland territory of the People's Republic of China. If it is necessary to transfer it across borders, we will independently obtain your authorization and consent. 2. Operation function 2: Product display, personalized recommendations, and delivery of promotional sales information. (omitted) 3. Operation Function 3: Communication and exchange with the sellers. (omitted) 4. Operation function 4: Payment Calculations. (omitted) (2) Delivery of products or services [Note: Examples] (omitted) (3) Carrying out internal audits, data analysis and research, improving our products and services [note: examples] (omitted) (4) ...... …… When we want to use information in ways other than those indicated in this Policy, we will solicit your consent in advance. 
When we want to use information that was collected for a specific purpose for a different purpose, we will solicit your consent in advance. | 1. List in detail the purposes of collecting and using personal information, general [all-inclusive] language must not be used. 2. A detailed listing of the type of personal details collected, based on different operation functions corresponding to the purpose. 3. Clearly describe what types of personal information are necessary for certain operation functions. 4. When collecting identification documents, passports, drivers licenses, and other information from legally-designated documents and individual bio-metric identification information, the Personal Data Subject should be specially reminded of the information involved in this collection activity, and have the purpose and rules for the handling explained. 5. General language must not be used to summarize the personal information collected, for example, descriptions like 'we collect identification information and other relevant information", should instead be clearly written as 'we collect your name, telephone number, and address." 6. Explain the geographic areas involved in the process of using personal information, such as the places where information is stored and backed up, and the scope of places involved in the course of transferring personal information; if there are situations of transferring personal information across borders, it requires independent listing or emphasis. 7. When using personal information, whether or not it will for a direct user profile and its uses must be clearly explained. 8. Based on the usage of personal information, note the estimated period for retaining different types of personal information (example: 5 years from collection) as well as dates on which it must be deleted or destroyed (example: December 31, 2019 or when users unregister). 9. 
Where it is truly necessary to change the purpose of collecting or using personal information, it shall be explained, and the users consent obtained. |
Privacy Policy Template | Drafting requirements |
Privacy Policy Template:

II. How we use Cookies and similar technologies

(1) Cookies
To ensure the normal operation of the website, we will store small data files called Cookies on your computer or mobile device. Cookies frequently include identifier tags, site names, and a few codes and symbols. With the aid of Cookies, websites can store your preferences, the items in your shopping cart, and other such data. We will not use Cookies for any purpose other than those described in this Privacy Policy. You can manage or delete Cookies as you prefer. For details, please visit AboutCookies.org. You may clear all Cookies stored on your computer, and most web browsers have a function that can be set to block Cookies. However, if you do so, you will need to change your user settings personally each time you visit our website. For detailed information on how to change your browser settings, please visit the following links: Internet Explorer, Google Chrome, Mozilla Firefox, Safari, and Opera.

(2) Web beacons and pixel tags
In addition to Cookies, we also use web beacons, pixel tags, and other similar technologies on our websites. For example, emails we send you might contain links to URLs for content on our website. If you click these links, we track the number of clicks to help us understand your preferences for our products and services and to improve customer service. A web beacon is a type of transparent image that is frequently embedded in websites or emails. With the help of pixel tags, we can learn whether an email was opened. If you do not wish your activities to be tracked in this fashion, you may unsubscribe from our mailings at any time.

(3) Do Not Track
Many web browsers have a Do Not Track function, which can send a Do Not Track request to websites. As of now, the main internet standards organizations have not set a policy on how websites should handle this type of request. However, if your browser has Do Not Track enabled, all of our websites will respect your choice.

(4) ......

Drafting requirements:

1. If the Personal Data Controller or other authorized third parties use automatic data collection tools to collect personal information, they need to explain the technical mechanisms employed in detail.
2. Common automatic data collection tools include Cookies, scripts, web beacons, Flash Cookies, embedded web links, local storage, and so forth.
3. Explain the purpose of using automated tools to collect personal information, and provide users with methods for limiting the automated tools' data collection, together with detailed guidance.
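Section II above commits a website to three things it can actually enforce in code: Cookies are set only for purposes the policy declares, tracking stops when the browser sends Do Not Track, and pixel-tag opens are not recorded for recipients who unsubscribed. The following is an added example of server-side logic that honours those commitments; it is not part of the GB/T template, and the `Request` structure, cookie names and purpose table are assumptions made for illustration.

```python
"""Added example (not part of the GB/T 35273 template): server-side checks that
honour the Cookie, pixel-tag and Do Not Track commitments made in section II.
The Request structure, cookie names and purpose table are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Cookie purposes the (hypothetical) privacy policy declares. Anything not listed
# here must not be set: "We will not use Cookies for any purpose other than those described".
DECLARED_COOKIE_PURPOSES: Dict[str, str] = {
    "session_id": "essential",    # normal operation of the site (keeps you logged in)
    "cart": "essential",          # items in your shopping cart
    "prefs": "preference",        # language, layout and similar preferences
    "analytics_id": "tracking",   # behavioural analytics identifier
}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    headers: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


def dnt_enabled(req: Request) -> bool:
    """True when the browser sent the Do Not Track header with the value "1"."""
    return req.headers.get("DNT", "").strip() == "1"


def cookies_to_set(req: Request, wanted: Dict[str, str]) -> Dict[str, str]:
    """Filter the cookies the application wants to set down to those the policy allows.

    An undeclared cookie name raises, so a coding mistake cannot silently exceed
    the purposes stated in the policy; tracking cookies are dropped when DNT=1.
    """
    allowed: Dict[str, str] = {}
    for name, value in wanted.items():
        purpose = DECLARED_COOKIE_PURPOSES.get(name)
        if purpose is None:
            raise ValueError(f"cookie {name!r} has no purpose declared in the privacy policy")
        if purpose == "tracking" and dnt_enabled(req):
            continue  # respect the user's Do Not Track choice, as the policy promises
        allowed[name] = value
    return allowed


def record_pixel_open(recipient: str, unsubscribed: Set[str], req: Request,
                      log: List[dict]) -> bool:
    """Handle a pixel-tag hit from a mailing. Returns True if the open was recorded.

    Opens are not recorded for recipients who unsubscribed, nor when the browser
    fetching the pixel sends DNT=1. The 1x1 image itself is still served by the
    caller either way, so the email renders normally.
    """
    if recipient in unsubscribed or dnt_enabled(req):
        return False
    log.append({"event": "email_open", "recipient": recipient})
    return True
```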
Privacy Policy Template:

III. How we share, transfer, and publicly disclose your personal information

(1) Sharing
We will not share your personal information with any company, organization, or individual outside of XXXX, with the following exceptions:
1. Sharing after obtaining express consent: with your explicit consent, we will share your personal information with other parties.
2. We may share your personal information externally in accordance with laws and regulations, or as mandatorily required by competent government departments.
3. Sharing with our affiliated companies: your personal information may be shared with XXXX's affiliated companies. We will only share the personal information that is necessary, and such sharing is bound by the purposes stated in this Privacy Policy. If an affiliated company wishes to change the purpose for which personal information is handled, it will seek your authorization and consent again. Our affiliated companies include: ......
4. Sharing with authorized partners: only to achieve the purposes stated in this Policy, some of our services are provided by authorized partners. We may share some of your personal information with partners in order to provide better customer service and user experience. For example, when you purchase our products online, we must share your personal information with logistics service providers in order to arrange delivery, or arrange for partners to provide services. We will only share your personal information for lawful, legitimate, necessary, specific, and explicit purposes, and will only share the personal information necessary to provide the service. Our partners have no right to use the shared personal information for any other purpose. At present, our authorized partners include the following X types:
1) Authorized partners for advertising and analytics services. Unless we have your permission, we will not share your personally identifiable information (meaning information that can identify you, such as your name or email address, through which you can be contacted or identified) with partners that provide advertising and analytics services. We will provide these partners with information about the reach and effectiveness of their advertising without providing your personally identifiable information, or we will aggregate this information so that it does not identify you personally. For example, only after an advertiser agrees to comply with our advertising publication guidelines may we tell the advertiser how effective their advertisements were, or how many people saw their advertisements or installed an application after seeing them, or provide these partners with demographic information that cannot identify an individual (for example, "a 25-year-old male located in Beijing who likes software development") to help them understand their audience or customers.
2) Suppliers, service providers, and other partners. We send information to suppliers, service providers, and other partners who support our business around the world; this support includes providing technical infrastructure services, analyzing how our services are used, measuring the effectiveness of advertising and services, providing customer service, facilitating payments, and conducting academic research and surveys.
3) ......
We will sign strict confidentiality agreements with them, requiring them to handle personal information in accordance with our instructions, this Privacy Policy, and any other relevant confidentiality and security measures.

(2) Transfer
We will not transfer your personal information to any company, organization, or individual, except in the following circumstances:
1. Transfer after obtaining express consent: with your explicit consent, we will transfer your personal information to other parties;
2. When a merger, acquisition, or liquidation involves the transfer of personal information, we will require the new company or organization that holds your personal information to continue to be bound by this Privacy Policy; otherwise we will require that company or organization to obtain your authorization and consent again.

(3) Public disclosure
We will only publicly disclose your personal information in the following circumstances:
1. After obtaining your explicit consent;
2. Disclosure based on law: where there are mandatory requirements from laws, legal procedures, litigation, or competent government departments, we may publicly disclose your personal information.

Drafting requirements:

1. The Personal Data Controller explains whether it needs to share or transfer personal information, and describes in detail the types of personal information to be shared or transferred, the reasons for the sharing or transfer, the recipients of the personal information, the constraints on and management guidelines for recipients, the purposes for which recipients use the personal information, the security measures applied during the sharing or transfer, and whether the sharing or transfer brings high risk to users.
2. The Personal Data Controller explains whether it needs to publicly disclose personal information, and describes in detail the types of personal information to be publicly disclosed, the reasons, and whether this brings high risk to users.
3. Explain under what circumstances the Personal Data Controller will share, transfer, or publicly disclose data without the user's consent, such as responding to requests from law enforcement agencies and government bodies, conducting personal information security audits, protecting users from fraud and serious bodily harm, and so forth.
4. Explanation of platform service responsibilities. If the service provided by the Personal Data Controller is a platform service (e.g., e-commerce, social networking, information publishing), users need to be clearly reminded of the risks they face when uploading, exchanging, or publishing shared personal information, and the security measures taken for the sharing of such information need to be explained.
Privacy Policy Template:

IV. How we protect your personal information

(1) We have adopted security measures that meet industry standards to protect the personal information you provide against unauthorized access, public disclosure, use, modification, damage, or loss. We will take all reasonable and practicable measures to protect your personal information. For example, data exchanged between your browser and the "Service" (such as credit card information) is protected by SSL encryption; we also provide HTTPS secure browsing for the XXXX website; we use encryption technology to ensure the confidentiality of data; we use trusted protection mechanisms to prevent malicious attacks on data; we deploy access control mechanisms to ensure that only authorized personnel may access personal information; and we hold security and privacy protection training courses to strengthen employees' awareness of the importance of protecting personal information.
(2) We have obtained the following certifications: ......
(3) Our data security capabilities: ......
(4) We will take all reasonable and practicable measures to ensure that we do not collect irrelevant personal information. We will only retain your personal information for the period necessary to achieve the purposes described in this Policy, unless the retention period needs to be extended or an extension is permitted by law.
(5) The internet is not an absolutely secure environment, and emails, instant messengers, and other means of communicating with other XXXX users are not encrypted; we strongly recommend that you do not send personal information through such means. Please use complex passwords to help us ensure the security of your account.
(6) We will periodically update and disclose security risks, personal information security impact assessment reports, and other relevant content. You can obtain them through the following methods: ......
(7) The internet environment is not 100% secure. We will do our best to ensure or guarantee the security of any information you send us. If our physical, technical, or management safeguards are compromised, causing your personal information to be accessed, publicly disclosed, altered, or destroyed without authorization, and thereby harming your lawful rights and interests, we will bear the corresponding legal responsibility.
(8) If, unfortunately, a personal information security incident occurs, we will, in accordance with the requirements of laws and regulations, promptly inform you of: the basic circumstances and possible impact of the security incident, the handling measures we have taken or will take, suggestions for how you can prevent and reduce risks on your own, remedial measures for you, and so forth. We will promptly inform you of the relevant circumstances of the incident by email, letter, telephone, push notification, or similar means; where it is difficult to inform Personal Data Subjects one by one, we will publish an announcement in a reasonable and effective manner. At the same time, we will actively report on the handling of personal information security incidents as required by the competent supervisory departments.

Drafting requirements:

1. Describe in detail the measures the Personal Data Controller takes to protect the security of personal information, including but not limited to measures to protect the integrity of personal information, encryption measures for the transmission, storage, and backup of personal information, authorization and audit mechanisms for access to and use of personal information, and retention and deletion mechanisms for personal information.
2. The personal information security agreements currently followed and the certifications obtained, including the international or domestic personal information security laws, regulations, standards, agreements, and so forth that the Personal Data Controller currently voluntarily follows, and the personal information security certifications from authoritative independent bodies that the Personal Data Controller has obtained.
3. May focus on reminding the public how to protect personal information when using the product or service.
4. The security risks that might exist after personal information is provided should be described.
5. Should indicate that after a personal information security incident occurs, the Personal Data Controller bears legal responsibility.
6. Should indicate that after a personal information security incident occurs, Personal Data Subjects will be promptly informed.
Privacy Policy Template:

V. Your rights

In accordance with relevant Chinese laws, regulations, and standards, and the common practice of other countries and regions, we guarantee that you may exercise the following rights over your personal information:

(1) Accessing your personal information
You have the right to access your personal information, except where laws and regulations provide otherwise. If you want to exercise your right of access, you may do so through the following methods:
Account information: if you want to access or edit your account's profile and payment information, change your password, add security information, close your account, and so forth, you may visit XXXX to perform such operations.
Search information: you can access or clear your search history, view and edit your interests, and manage other data at XXXX.
If you are unable to access this personal information through the links above, you may use our web contact form at any time, or send us an email at XXXX. We will respond to your request within 30 days.
As for other personal information generated during your use of our products and services, we will provide it to you so long as this does not require excessive effort. If you want to exercise your right of access, please send an email to XXXX.

(2) Correcting your personal information
When you discover errors in the personal information we handle that relates to you, you have the right to request that we correct it. You may apply for a correction through the methods listed in "(1) Accessing your personal information". If you are unable to correct this personal information through the links above, you may use our web contact form at any time, or send us an email at XXXX. We will respond to your request within 30 days.

(3) Deleting your personal information
In the following situations, you may request that we delete your personal information:
1. If our handling of personal information violates laws or regulations;
2. If we collected and used your personal information without obtaining your consent;
3. If our handling of your personal information violates our agreements with you;
4. If you no longer use our products or services, or you deregister your account;
5. If we no longer provide products or services to you.
If we decide to respond to your deletion request, we will also notify the entities that obtained your personal information from us and require them to delete it promptly, unless laws and regulations provide otherwise or these entities have obtained your independent authorization.
When you delete information from our services, we may not immediately delete the corresponding information from our backup systems, but we will delete it when the backups are updated.

(4) Changing the scope of your authorization and consent
Each business function requires some basic personal information in order to be completed (see Section 1 of this Policy). You may give or withdraw your authorization and consent for the collection and use of additional personal information at any time. You may do this yourself in the following ways: ......
Once you have withdrawn consent, we will no longer handle the corresponding personal information. However, your decision to withdraw consent will not affect personal information handling previously carried out on the basis of your authorization.
If you do not wish to receive the commercial advertising we send you, you can cancel at any time in the following ways: ......

Drafting requirements:

1. Explain what rights users have over their personal information, including but not limited to: the scope of personal information users may choose when information is collected, used, and publicly disclosed; the access, correction, deletion, acquisition, and other control permissions users have; users' privacy preference settings; the communication and advertising preferences users may choose; the channels for withdrawing consent and deregistering accounts once users no longer use the service; effective channels for users to defend their rights; and so forth.
2. Where users must perform configuration or operations themselves (such as configuring and operating the software, browser, or mobile terminal they use) in order to access, correct, or delete information or withdraw consent, the Personal Data Controller should describe the configuration and operation process in detail, in a way that is easy for users to understand, and provide technical support channels where necessary (customer service telephone, online customer service, and so forth).
3. If users' exercise of their rights incurs fees, the reasons and basis for the fees need to be clearly explained.
4. If an extended time is needed to comply with a user's request to exercise their rights after it is submitted, the timeline for compliance must be clearly explained, as well as the reasons why the request cannot be complied with in a short time.
5. If users need to have their identity verified again in the course of exercising their rights, the reason for verifying their identity is to be clearly stated, and appropriate control measures employed to avoid disclosure of personal information during identity verification.
6. If the Personal Data Controller refuses a user's request to access, correct, or delete personal information, or to withdraw consent, it needs to clearly explain the reasons and basis for the refusal.
Privacy Policy Template:

(5) Deregistering Personal Data Subjects' accounts
You may deregister a previously registered account at any time; you may do so yourself in the following ways: ......
After your account is deregistered, we will stop providing products or services to you and, at your request, delete your personal information, unless laws and regulations provide otherwise.

(6) Personal Data Subjects obtaining copies of personal information
You have the right to obtain a copy of your personal information; you may do this yourself in the following ways: ......
Where technically feasible, for example where the data interfaces match, we may also, at your request, transmit a copy of your personal information directly to a third party you designate.

(7) Constraints on automated decision-making by information systems
In some business functions, we may make decisions relying solely on non-manual automated decision-making mechanisms, including information systems and algorithms. If these decisions significantly affect your lawful rights and interests, you have the right to request an explanation from us, and we will also provide appropriate means of remedy.

(8) Responding to the above requests
For security, you may need to provide a written request or otherwise prove your identity. We may first ask you to verify your identity before handling your request.
We will respond within 30 days. If you are not satisfied, you may also complain through the following channels: ......
In principle we do not charge fees for your reasonable requests, but for repeated requests that exceed reasonable limits we will charge a certain cost fee depending on the circumstances. We may refuse requests that are groundlessly repetitive, require excessive technical means (for example, requiring the development of new systems or a fundamental change to current practice), bring risks to the lawful rights and interests of others, or are highly impractical (for example, involving information stored on backup tapes).
In the following situations, in accordance with the requirements of laws and regulations, we will not be able to respond to your requests:
1. Where directly related to national security or national defense security;
2. Where directly related to public safety, public health, or major public interests;
3. Where directly related to criminal investigation, prosecution, trial, and enforcement of judgments;
4. Where there is ample evidence that you have subjective malice or are abusing your rights;
5. Where responding to your request would cause severe harm to the lawful rights and interests of you or other individuals or organizations;
6. Where commercial secrets are involved.
Privacy Policy Template:

VI. How we handle children's personal information

Our products, websites, and services are primarily addressed to adults. Children must not create their own accounts without the consent of their parents or guardians. Where parents have consented to the collection of children's personal information, we will only use or publicly disclose this information as allowed by law, with the explicit consent of parents or guardians, or as necessary to protect the children. Even if local laws and customs define a child differently, we treat anyone under the age of 14 as a child. If we discover that we have collected children's personal information without first obtaining verifiable parental consent, we will find a way to delete the relevant data as quickly as possible.
Privacy Policy Template:

VII. How your personal information is transferred globally

In principle, personal information that we collect and generate within the mainland territory of the People's Republic of China will be stored within the mainland territory of the PRC.
Since we provide products or services through resources and servers located around the world, this means that, after obtaining your authorization and consent, your personal information may be transferred to jurisdictions outside the country or region in which you use the products or services, or be accessed from such jurisdictions.
Such jurisdictions may have different data protection laws, or may not have relevant laws at all. In such cases, we will ensure that your personal information receives protection sufficiently equivalent to that within the People's Republic of China. For example, we will request your consent to the cross-border transfer of personal information, or implement security measures such as de-identification of the data before the cross-border transfer.

Drafting requirements:

Where cross-border information transfers exist because of business needs or government and judicial regulatory requirements, the types of data requiring cross-border transfer need to be described in detail, together with the standards, agreements, and legal mechanisms (contracts and the like) with which the cross-border transfer complies.
Privacy Policy Template:

VIII. How this Policy is updated

Our Privacy Policy may change. Without your explicit consent, we will not curtail the rights you are entitled to under this Privacy Policy. We will publish any changes made to this Policy on this page.
For major changes, we will also provide more prominent notice (including, for some services, sending notice by email explaining the specific changes to the Privacy Policy).
Major changes referred to in this Policy include but are not limited to:
1. Major changes to our service model, such as the purposes of handling personal information, the types of personal information handled, the methods of using personal information, and so forth;
2. Major changes in our ownership structure, organizational structure, or other such areas, such as business adjustments, bankruptcy, mergers and acquisitions, and other changes of ownership;
3. Changes to the main recipients of personal information sharing, transfer, or public disclosure;
4. Major changes to your rights to participate in personal information handling or to the means of exercising them;
5. Changes to the department responsible for personal information security, its contact information, or complaint channels;
6. When a personal information security impact assessment report indicates the presence of high risk.
We will also archive previous versions of this Policy and make them available for you to read.

Drafting requirements:

When the privacy policy changes significantly, the Personal Data Controller needs to promptly update the privacy policy and explain the means by which users will be promptly notified. Commonly used means of notification include: notifying the user when logging in to the information system; showing a pop-up window when the user uses an updated version of the information system; pushing a notification directly to the user while the information system is in use; sending users emails, SMS messages, and so forth.
Privacy Policy Template:

IX. How to contact us

If you have any questions, comments, or suggestions about this Privacy Policy, you may contact us in the following ways: ......
We have established a dedicated personal information protection department (or a personal information protection officer), which you may contact in the following ways: ......
Under normal circumstances, we will respond within 30 days. If you are not satisfied with our response, especially where our handling of personal information has harmed your lawful rights and interests, you may also seek resolution through the following external channels: ......

Drafting requirements:

1. The Personal Data Controller needs to clearly provide channels for feedback and complaints about personal information security issues, such as the contact details, address, and email address of the department responsible for personal information security, forms for users to report problems, and so forth, and clearly state the time within which users can expect a response.
2. The Personal Data Controller should name external dispute resolution bodies and their contact details, to handle disputes with users that cannot be resolved through negotiation. External dispute resolution bodies are typically the courts of the jurisdiction in which the Personal Data Controller is located, the independent body that certified the Personal Data Controller's privacy policy, industry self-regulatory associations, relevant government regulatory bodies, and so forth.