Chapter I: General Provisions
Article 1: These Regulations ae drafted on the basis of the basic principles of relevant laws, administrative regulations, and in consideration of the actual conditions in the Shenzhen Special Economic Zone so as to regulate data handling activities, protect the lawful rights and interests of natural persons, legal persons, and unincorporated organizations, to promote the open flow of data as an element of production, and to promote the establishment of a digital economy, society, and government.
Article 2: The following language in these Regulations below has these meanings:
(1) "Data" refers to any record of information in electronic or other forms.
(2) "Personal data" refers to data that carries information with the capacity to identify specific natural persons, but does not include data that has been anonymized.
(3) "Sensitive personal data" refers to personal data that once leaked, illegally provided, or abused might cause natural persons to suffer discrimination or serious danger to their persons or property, with the specific scope to be determined in accordance with provisions of laws and administrative regulations.
(4) "Biometric Data" refers to personal data derived from processing natural persons' biology characteristics such as from their bodies, physiology, or behavior, that can identify unique identifiers of natural persons, including data such as natural persons' genes, fingerprints, voiceprints, palmprints, ear shape, irises, and facial features.
(5) "Public data" refers to data produced or handled by public management and service bodies in the course of their performing public management duties or providing public services.
(6) "Data handling" refers to activities such as the collection, storage, use, processing, transmission, provision, or disclosure of data.
(7) "Anonymization" refers to the process in which personal data is handled so that it cannot be used to identify a specific natural person and cannot be restored after being so handled.
(8) "User portraits" refers to activities conducting automated handling of personal data to assess certain attributes of natural persons, including assessments of natural persons' work performance, economic status, health status, personal preferences, interests, reliability, conduct methods, location, whereabouts, and so forth.
(9) "Public management and service bodies" refers to the city's state organs, public institutions, and other organizations managing public affairs in accordance with law, or organizations providing public services such as for education, health, social welfare, water, electricity, gas, environmental protection, and public transportation.
Article 3: Natural persons enjoy personality rights in personal data as provided by laws, administrative regulations, and these Regulations.
The handling of personal information shall have clear and reasonable goals, and obey the minimum necessary principle and principle of reasonable time limits.
Article 4: Natural persons, legal persons, and unincorporated organizations enjoy property rights in data products and services formed through the lawful handling of data in accordance with provisions of laws, administrative regulations, and these Regulations. They must not, however, endanger national security and the public interest, and must not harm the lawful rights and interests of others.
Article 5: The handling of public data shall obey the principles of lawful collection, overall management, sharing as needed, orderly disclosure, and full use; to give full play to the active role of public data resources in optimizing public management and services, increasing the level of modernization of municipal governance, and promoting economic and social development.
Article 6: The municipal people's government shall establish and complete data governance systems and systems of standards, planning efforts on the advancement of personal data protections, public data sharing, and openness, cultivating data element markets, and the oversight and management of data security.
Article 7: The municipal people's government is to establish a commission on municipal data work, responsible for researching and coordinating important matters in the city's data management efforts. The routine work of the municipal data work commission is to be undertaken by the municipal government services data management department.
The municipal data work commission may establish several special committees.
Article 8: The municipal internet information departments are responsible for the city's protection of personal data, internet data security, cross-border data flows, and other relevant oversight and management work.
The municipal department for government services data management is responsible for planning, guiding, coordinating, and overseeing the city's management of public data.
Municipal departments such as for development and reform, public security, finance, human resources and social security, planning and natural resources, market regulation, auditing, and national security, are to perform data oversight and management within the scope of their duties in accordance with laws and regulations.
The municipal departments in charge of each industry are responsible for planning, guiding, coordinating, and overseeing the corresponding industry's data management work.
Chapter II: Personal Data
Section 1: Ordinary Provisions
Article 9: The handling of personal data shall fully respect and protect each and every lawful right and interest related to natural persons and personal data.
Article 10: The handling of personal data shall meet the following requirements:
(1) The goal of handling personal data is to be clear and reasonable, and the methods are to be legal and proper;
(2) Be limited to the minimum scope necessary for the goals of handling and employ methods with the smallest impact on personal rights; data handling that is not related to the goals of data handling must not be conducted;
(3) Give lawful notice of the types, scope, goals, and methods of personal data handling in accordance with law, and obtain consent in accordance with law;
(4) Guarantee the accuracy and required integrity of personal data to avoid causing harm to parties as a result of inaccurate or incomplete personal data;
(5) ensure personal data security, preventing the leaking, destruction, loss, alteration, and illegal use of personal data.
Article 11: Limiting to the minimum scope necessary to achieve the goals of data handling and employing methods with the smallest impact on personal rights and interests as used in article 10(2) of these Regulations includes but is not limited to the following situations:
(1) The types and scope of personal information handling shall be directly relevant to the goals of the handling, so that not handling that personal data would make it impossible to achieve the goals;
(2) The volume of personal data shall be the smallest necessary volume needed to bring about the goals of handling;
(3) The frequency of handling personal data shall be the lowest frequency necessary to bring about the goals of the handling;
(4) The period for storing personal data shall be the shortest time necessary to bring about the goals of the handling, and where the period for storage is exceeded, the personal data shall be deleted or anonymization, except where laws and regulations provide otherwise or with the natural persons' consent;
(5) Establish a minimum authorization access control policy, making it so that persons authorized to access personal data can only access the minimum personal data necessary to complete their duties, and only possess the minimum authorization to handle personal data needed to complete their duties.
Article 12: Data handlers must not refuse to provide core functions or services to natural persons because they do not consent to the handling of personal data. Except, however, where that personal data is necessary for the provision of the core functions or services.
Article 13: In conjunction with municipal departments such as for industry and informatization, public security, and market regulation, as well as departments in charge of industries, the municipal internet information department is to establish and complete a joint working mechanism for the oversight of personal data protections, strengthening planning and guidance of efforts on the protection of personal data and for related oversight and management work; and is to establish mechanisms for handling complaints and reports on personal data protections to address the complaints and reports in accordance with law.
Section 2: Notice and Consent
Article 14: In the handling of personal data, natural persons shall be completely, truthfully, and accurately notified of the following matters in a manner that is colloquial and easily understood, clear and specific, and easily accessible:
(1) the name, title, and contact methods for data handlers;
(2) the types and scope of personal data to be handled;
(3) the goals and methods of handling personal data;
(4) The time limits for storing personal data;
(5) Security risks that might exist in the handling of personal data, as well as security protection measures employed for their personal data;
(6) the related rights that natural persons enjoy in accordance with law as well as the method of exercising them;
(7) Other matters that laws and regulations provide shall be announced.
Where sensitive personal data is handled, it shall be in accordance with the provisions of the preceding paragraph, and notice of the necessity of handling the sensitive personal data and the potential impact on natural persons is to be given through means that are more conspicuously indicated or prominently displayed.
Article 15: In emergency situations, in order to protect the safety of natural persons' persons and property, and their other major lawful rights and interests, where it is impossible to follow article 14 of these Regulations to conduct advance notification, notification shall be promptly made after the emergency situation has dissipated.
Article 14 of these Regulations does not apply to personal data handlers' handling of personal information where there are circumstances that laws and administrative regulations provide shall be kept confidential or need not have a notification.
Article 16: Data handlers shall obtain the consent of the natural person before handling personal data, and handle the personal data within the scope of their consent, except as otherwise provided by laws, regulations, or these Regulations.
Where there is a change in matters for which the preceding paragraph required consent, consent shall be newly obtained.
Article 17: Data handlers must not use methods contrary to natural persons' true will such as misdirection, fraud, or compulsion, to obtain their consent.
Article 18: Where handling sensitive personal data, the natural persons' explicit consent shall be acquired before the handling.
Article 19: Where the natural persons' explicit consent shall be obtained for handling biometric data, an alternate scheme for handling non-biometric data is to be provided. Except, however, where handling biometric data is necessary for the goals of handling personal data and an alternate scheme using other personal data cannot be provided.
Where biometric data is handled based on a specified goal, a natural person's biometric data must not be used for other goals without their explicit consent.
The specific methods for managing biometric data are to be drafted separately by the municipal people's government.
Article 20: Where handling the personal data of minors who are not yet 14 years old, it is to be implemented in accordance with the relevant provisions on handling sensitive personal information and shall obtain the explicit consent of their guardian before the handling.
Where handling the personal data of adults who lack or have limited civil capacity, the explicit consent of their guardians shall be obtained before the handling.
Article 21: Where handling personal data in any of the following circumstances, the natural persons' consent need not be acquired before the handling:
(1) Handling personal data that was disclosed by the natural person themselves or that was otherwise lawfully disclosed, where it complies with the purposes when disclosing that information;
(2) As necessary for the conclusion or performance of a contract to which a natural person is a party;
(3) Data handlers' handling of their staff's personal data within a reasonable range as needed for human resources management or the protection of commercial secrets;
(4) As needed for public management and service bodies to lawfully perform public management duties or provide public services;
(5) As needed for news units to lawfully conduct reporting of the news;
(6) Other situations provided for by laws or administrative regulations.
Article 22: Natural persons have the right to withdraw their consent to the handling of personal data in full or in part.
Where natural persons withdraw their consent, data handlers must not continue to handle those natural persons' personal data within the scope of the revoked consent. Except, however, that data handlers' lawful data handling conducted on the basis of the natural person's consent before it was revoked is not to be impacted. Where laws and regulations provide otherwise, follow those provisions.
Article 23: The handling of personal data shall employ easily accessible methods to provide natural persons' with channels for revoking their consent, and must not use service agreements or technical methods to conduct unreasonable restrictions on natural persons' withdrawal of consent or attach unreasonable requirements.
Section 3: Handling of Personal Data
Article 24: Where personal data is inaccurate or incomplete, data handlers shall promptly supplement or correct it based on the natural persons' requests.
Article 25: In any of the following circumstances, data handlers shall promptly delete personal data:
(1) Where the time period for storage provided by laws, regulations or agreements is completed;
(2) Where the goal of handling the personal data has already been realized or where handling the personal data is no longer necessary for the goals of the handling;
(3) natural persons revoke their consent and request deletion of personal data;
(4) Data handlers handling of data violates laws, regulations, or agreement between the parties, and the natural persons' request deletion;
(5) Other situations provided by laws or regulations.
Where there are circumstances provided for in items (1) or (2) of the preceding paragraph, but laws or regulations have other provisions or the natural persons' consent, the data handlers may retain the relevant personal data.
Where data handlers delete personal data on the basis of the first paragraph of this article, they may retain evidence of notice and consent, but they must not exceed the extent required to perform obligations or handle disputes.
Article 26: Data handlers providing data they have handled to others shall conduct de-identification of personal data so that the personal data provided can no longer identify specific natural persons without other data. Where there are laws, regulations, or agreements between natural persons and data handlers that call for anonymization, anonymization shall be conducted in accordance with those laws, regulations, and agreements.
Article 27: In any of the following circumstances where data handlers provide personal data they handle to others, they may opt to not conduct de-identification processing:
(1) As necessary for public management or service bodies lawful performance of public management duties and upon written request;
(2) Providing corresponding personal data to others based on the consent of natural persons;
(3) As necessary for the conclusion or performance of a contract to which a natural person is a party;
(4) Other situations provided for by law or administrative regulations.
Article 28: Natural persons may make requests to data handlers to access and reproduce their personal data, and data handles shall promptly provide it in accordance with relevant provisions and must not collect fees.
Article 29: Where data processors make user portraits of natural persons for the purpose of improving the quality of products or services, they shall clearly indicate the specific uses and main rules for user portraits.
Natural persons may refuse data handlers' creation of user portraits or pushing of personalized products based on user portraits on the basis of the preceding paragraph, and the data handlers shall provide easily accessible methods and channels for refusal.
Article 30: Data handlers must not recommend personalized products or services to minors under the age of 14 based on user portraits. Except, however, in order to preserve their lawful rights and interests and obtaining the explicit consent of their guardians.
Article 31: Data handlers shall establish mechanisms for natural persons to exercise their relevant rights and for handling complaints and reports, and shall provide effective channels in an easily accessible manner.
Where data handlers receive requests to exercise rights or receive complaints or reports, they shall be promptly accepted, and corresponding measures to handle them shall be employed; and where the matters requested or complaints are refused, the reasons shall be explained.
Chapter III: Public Data
Section 1: Ordinary Provisions
Article 32: The municipal data work commission is to establish a special committee on public data responsible for research and coordination of efforts on major matters in the management of public data.
The municipal department for the management of public service data is to undertake the routine work of the special committee on public data and is responsible for the overall planning of the entire city's efforts on the management of public data, establishing and improving management systems for public data resources, and advancing public data sharing, openness, and use.
District government service data management departments are responsible for the overall planning of public data management efforts for that district under the guidance of the municipal government service data management department.
Article 33: The municipal people's government shall establish a municipal Big Data Center, establish and complete mechanisms for its establishment, operations, and management, and bring about uniform, centralized, secure, and effective management of the city's public data resources.
The people's governments of each district may establish branch centers of the municipal Big Data Center in accordance with the uniform plan for the entire city, and include public data resources in the uniform management of the municipal Big Data Center.
The municipal Big Data Center is to include public data resources and the software and hardware infrastructure supporting its management.
Article 34: The municipal department for government services data management is responsible for promoting aggregation of public data at the Big Data Center, organizing public management and service bodies relying on the Big Data Center to carry out public data sharing, opening, and use.
Article 35: A system of categorized management is to be implemented for public data.
The municipal government services management department is responsible for the coordination of the planning, establishment, and management of the city's public data resource system as a whole, and is to establish and manage foundational databases such for the populace, legal persons, housing, natural resources, geographic space, electronic licenses, and public credit.
Each department in charge of an industry shall plan the public data resource systems for that industry and establishing and managing corresponding subject databases in accordance with the overall planning for public data resources and the related requirements for regulating corresponding systems.
Public management and service bodies shall establish and manage the body's operations database in accordance with the overall planning for public data resources, industry-specific plans, and related regulatory requirements.
Article 36: A directory management system is to be implemented for public data.
The municipal department for government service data is to establish and complete a uniform public data directory system for the entire city, drafting specifications for compiling the public data resource directory, organizing public management and service bodies in accordance to compile the directory in accordance with the requirements of the public data resource directory compilation specifications, handling all types of public data, and clarifying data source departments and management duties.
Public management and service bodies shall conduct directory management of the body's public data in accordance with the requirements of public data resource directory compilation specifications.
Article 37: Public management and service bodies' collection of data shall comply with the following requirements:
(1) Necessary for the lawful performance of public management duties or the provision of public services and within the scope of their public management duties or provision of public services;
(2) The type and scope of data collected corresponds to the lawful performance of public management duties or the provision of public services;
(3) The collection procedures comply with the relevant provisions of laws and regulations.
The data that public management and service bodies may obtain through sharing must not be separately collected from natural persons, legal persons, and unincorporated organizations.
Article 38: Public management and service bodies shall store records of the process of data handling in accordance with relevant provisions.
Article 39: The municipal departments for government service data shall organize the drafting of systems and regulations for public data quality management, establish and complete quality monitoring and assessment systems, and organize their implementation.
Public management and service bodies shall establish and improve the body's quality management systems in accordance with the public data quality management systems and regulations, to strengthen quality management of data and ensure the veracity, accuracy, integrity, timeliness, and usability of data.
The city's special committee on public data shall periodically conduct appraisals of public management and service bodies' data management efforts, and report the outcomes to the municipal data work commission.
Article 40: The municipal people's government shall strengthen institutional mechanisms and technical innovation for sharing, openness, and use of public data, continuously increasing the quality and efficacy of public data sharing, openness, and use.
Section 2: Sharing of Public Data
Article 41: Public data shall have sharing as the rule, and not sharing as the exception.
The municipal department for government data management shall establish a connected mechanism and relevant management systems for requests to share public data based on the directory system for public data resources.
Article 42: Public data entered into the public data sharing directory shall be promptly and accurately shared between public management and service bodies through the municipal Big Data Center's public data sharing platform in accordance with relevant provisions, except as otherwise provided by laws and regulations.
The municipal government service data management department is to separately draft the public data sharing directory and promptly adjust it.
Article 43: Public management and service bodies may submit applications for sharing public data as needed for the lawful performance of their public management duties or the provision of public services, indicating the basis, goal, scope, and method for using the data and the related requests, and in accordance with the requirements of that level of government service data management department's and the department providing the data, to strengthen the management and use of data sharing, but must not exceed the scope of use or use it for other purposes.
The department that provided the public data shall respond to requests for data sharing from departments using public data within the time provided, and provide the necessary guidance and technical support for using the data.
Article 44: Where it is not possible to obtain data needed by public management and service bodies for the lawful performance of public management duties or provision of public services through the public data sharing platform, the municipal people's government may purchase it externally and include it in the public data sharing directory in accordance with relevant provisions, with the specific work being planned by the municipal government affairs data management department.
Section 3: Opening Public Data
Article 45: Public Data Openness as used in these Regulations refers to public management and service bodies' activities of providing machine-readable public data to the public through the public data openness platform.
Article 46: Public data openness shall follow the principles of being sorted by type and level, need-oriented, secure and controllable, and being open to the greatest extent permissible by laws and regulations.
Article 47: Fees of any kind must not be collected in making public data open in accordance with laws and regulations. Where laws and administrative regulations provide otherwise, those provisions control.
Article 48: Public data is to be divided in three categories for openness: unconditionally open, conditionally open, and not open.
Public data that is unconditionally open refers to public data that shall be made open to natural persons, legal persons, and unincorporated organizations without qualifications; Public data that is conditionally open refers to public data that is to be made equally open to natural persons, legal persons, and unincorporated organizations through specified means; and data that is not open refers to public data the involves national security, commercial secrets, and personal privacy, or that must not be made open in accordance with laws and regulations.
Article 49: The municipal government service data management department shall establish a system for the management of public data openness on the foundation of the public data resource directory system, and compile a directory of open public data and promptly adjust it.
The methods of opening, usage requirements, security safeguard measures, and so forth for conditionally open public data shall be indicated when compiling the directory of open public data.
Article 50: The municipal department for management of government service data shall rely on the municipal Big Data Center to establish a uniform and high-efficiency platform for opening public data, and organize public management and service bodies to make public data open to the public through that platform.
Based on the types of data being opened, the public data openness platform shall provide data downloads, application interfaces, a secure and reliable environment for the overall opening and use of data, and diverse services for data openness.
Section 4: The Use of Public Data
Article 51: The municipal people's government shall accelerate the advancement of the construction of a data government, deepening the application of data in economic adjustments, market regulation, social management, public services, and protection of the ecology and environment; establish and improve institutional rules for managing the use of data; and innovate in government models for decision making, regulation, and services; to bring about public management and services that are proactive, precise, integrated, and incorporate smart technology.
Article 52: The municipal people's government shall rely on the municipal Big Data Center to establish an operational hub, data hub, and function hub based on a uniform structure, forming a uniform platform system of smart hubs to provide uniform and comprehensive digital services for public management and services as well as each region and sector, promoting technical, operational, and data integration.
The municipal people's government may rely on the municipal smart hub platform to establish a government management and service command center, establish and complete operations management mechanisms, promote the overall digital transformation of government, deepening data sharing and operational coordination across levels, regions, systems, departments, and operations, and establishing a government operations system that has uniform command, united action, is smart and precise, scientific and highly-effective.
Each department for regulating industry shall rely on the municipal smart hub platform to construct management and service platforms for that industry and promote the full digitalization of management and services in that industry.
Each district's people's government shall rely on the municipal smart hub platform to integrate data resources, optimize operation processes, and innovate management models aimed at serving the basic levels, to advance governance and services that are scientific, refined, and incorporate smart technology.
Article 53: The municipal people's government shall rely on the municipal smart hub platform to promote operational integration and process reformation, deepening innovation of new integrated government affairs and service models with uniform up-front acceptance and coordination and approvals behind the scenes.
The municipal departments for government affairs and services data management shall promote the strengthening of innovative applications in the course of public management and services by public management and services bodies, simplifying the materials and steps for handling matters, and optimizing the processes for handling matters; and may carry out smart review and approvals without human intervention for matters that can be approved and decided upon through data comparison.
Article 54: The municipal people's government shall rely on the municipal smart node platform to strengthen the aggregation of regulation data and credit data, fully using public data and each sector's regulatory system, to advance new regulatory models such as off-site regulation, credit regulation, and risk alerts to increase the level of regulation.
Article 55: The municipal departments for government affairs data management may organize the construction of integrated data application and service platforms, providing the public with a secure and reliable overall environment for the comprehensive opening and use of data, and jointly carrying out smart city applications and innovation.
Chapter IV: Data element market
Section 1: Ordinary Provisions
Article 56: The municipal people's government shall make overall plans and accelerate the cultivation of a data elements market, promoting the building of data element market systems such as for the collection, processing, sharing, opening, trading, and application of data, to promote the orderly and high-efficiency flow and use of data resources.
Article 57: Market entities carrying out data handling activities shall implement entity responsibility for data management, establish and complete organizational structures, management systems, and self-assessment mechanisms for data governance; implementing categorical and graded protections and management for data, strengthening the management of data quality, and ensuring the veracity, accuracy, integrity, and timeliness of data.
Article 58: Market entities may use, profit from, and dispose of data products and services formed from their lawful handling of data.
Article 59: Where market entities open or provide use of personal data to third parties, they shall comply with the relevant provisions of Chapter II of these Regulations; where personal data is opened to designated third parties, handling is entrusted, or use is provided to designated third parties, a relevant agreement shall be signed.
Article 60: Where the use, transmission, or acceptance of entrustment to handle other market entity's data products and services involves personal data, it shall comply with the relevant provisions of Chapter II of these Regulations as well as relevant agreements.
Section 2: Market cultivation
Article 61: The municipal people's government shall organize the drafting of compliance standards for data handling activities, data product and service standards, data quality standards, data security standards, data value appraisal standards, data governance assessment standards, and other such local standards.
Support data-related industry organizations in the formulation of group standards and industry norms; provide information, technology, training, and other services; guide and urge market entities to standardize their data conduct; and promote the healthy development of industry.
Encourage market entities to draft standards for data-related enterprises, and participate in drafting related local standards and group standards.
Article 62: Data handlers may entrust third-party bodies to conduct data quality assessment certifications; and the third-party bodies shall follow the principles of independence, openness, and justice to carry out data quality assessment certification activities.
Article 63: Encourage data value appraisal bodies to explore the construction of a system of indexes for data asset pricing and promote the formulation of data value assessment criteria in terms of whether data is real-time, its time span, the sample's coverage, its integrity, they type and level of data, and the potential for data mining.
Article 64: The municipal departments for statistics shall explore the establishment of a statistical accounting system for data production factors, clarifying the scope of the statistics, statistical indicators, and statistical methods, and accurately reflecting the value of data production element assets and promoting the inclusion of data production factors in the national economic accounting system.
Article 65: The municipal people's government shall promote the establishment of data trading platforms, guiding market entities to conduct data transactions through the data trading platforms.
Market entities may conduct data transactions through lawfully established data trading platforms, and the parties to the transaction may also conduct transactions on their own.
Article 66: Data trading platforms shall establish a secure, reliable, controllable, and traceable data trading environment, drafting rules for data trading, information disclosures, self-discipline and regulation, and so forth, and employ effective measures to protect personal data, commercial secrets, and important data as provided by the state.
Article 67: Market entities may lawfully trade data products and services formed from their lawful handling of data. However, there is an exception in any of the following situations:
(1) where the data products and services being traded include personal data for which authorization has not been obtained in accordance with law;
(2) where the data products and services being traded include public data that has not been made open in accordance with law;
(3) Other situations where laws or administrative regulations prohibit transactions.
Section 3: Fair Competition
Article 68: Market entities shall comply with the principle of fair competition and must not carry out the following conduct that infringes on the lawful rights and interests of other market entities:
(1) use of illegal methods to obtain other market entities' data;
(2) use of other market entities' data that was illegally collected to provide alternative products or services;
(3) Other situations prohibited by laws or regulations.
Article 69: Market entities must not use data analysis to treat trading counterparts differently in similar trading conditions, except in any of the following circumstances:
(1) The implementation of different trading conditions is based on the trading counterpart's actual demands, and in compliance with legitimate trading norms and industry customs;
(2) Carrying out preferential activities aimed at new users for a reasonable period of time;
(3) Carrying out random transactions based on the principles on fairness, reasonableness, and non-discrimination;
(4) Other situations provided by laws or regulations.
"Similar trading conditions" as used in the preceding paragraph refers to having no substantive difference between transaction counterparts in terms of transaction security, transaction costs, credit status, transaction stage, the time that the transaction will continue, and other areas.
Article 70: Market entities must not exclude or restrict competition through means such as reaching monopoly agreements, abusing their dominant position in the data element market, or illegally implementing a concentration of operators.
Chapter V: Data Security
Section 1: Ordinary Provisions
Article 71: Data security management is to comply with the principles of government regulation, the responsibility of the entity in charge, active defense, and comprehensive prevention; persisting in equally emphasizing security and development, encouraging the research and development of data security techniques, and ensuring the security of data throughout its lifecycle.
The municipal people's government shall plan the entire city's efforts on data security management, establishing and improving comprehensive governance systems for data security.
Article 72: In accordance with laws and regulations, data handlers shall establish and complete security management systems such as data classification and grading, risk monitoring, security appraisal, and security education, and implementing protective measures to continuously increase technical measures and ensure data security.
Where the data handlers change due to mergers, divisions, sales, and so forth, the new data handlers are to continue implementing responsibility for data security.
Article 73: Where sensitive personal data or important data as provided for by national provisions is handled, data security management bodies shall be established in accordance with relevant provisions, clarifying the persons responsible for data security management, and implementing special technical protections.
Article 74: The municipal department for internet information shall plan and coordinate relevant regulatory departments and departments in charge of industry are to draft specific catalogs of important data in that department or industry in accordance with the national classified and graded protection system, and conduct key protection of data included in the catalog.
Section 2: Data Security Management
Article 75: Data handlers shall record the full process of their data handling, to ensure that data sources are legal and that the data handling process is clear and traceable.
Article 76: In accordance with the requirements of laws, regulations, and national standards, data handlers shall conduct de-identification or anonymization handling for personal data they collect, and store it separately from data that could be used to restore identifiers of specific natural persons.
Data handlers shall formulate and carry out de-identification or anonymization handling and other security measures for sensitive personal data and important data as provided for by the state.
Article 77: Data handlers shall conduct management of data storage by different domains and levels, and select storage media with corresponding security capacity, protection level, and security levels; encrypted storage, authorization for access, or other stricter security protection measures shall be further employed for sensitive personal data and important data as provided for by the state.
Article 78: Data handlers shall implement technical security protections in the course of data handling, and establish disaster-resistant backup systems for important systems and core data.
Article 79: Data handlers sharing and opening data shall establish security management systems for data sharing and openness, and establish and improve security management mechanisms for external data interfaces.
Article 80: Data handlers shall establish rules for data destruction, to effectively destroy data that needs to be destroyed.
Where data handlers are terminated or disbanded and there is no successor, the data they controlled shall be promptly and effectively destroyed. Unless otherwise provided by laws and regulations.
Article 81: Where data handlers entrust others to handle data on their behalf, they shall sign data security protection contracts with them, clarifying both parties' responsibility for data security.
After the entrusted party completes is handling tasks, it shall promptly and effectively destroy data it has stored, except where otherwise provided by laws and regulations or as agreed upon by the parties.
Article 82: Data handlers providing personal data or important data as provided for by the state abroad shall apply for a data export security appraisal in accordance with relevant provisions and conduct a national security review.
Article 83: Data handlers shall implement monitoring and alert measures corresponding to the data security protection level and conduct monitoring and alerts for data leaks, damage, loss, alteration, and other such abnormal situations.
Where monitoring finds data leaks, damage, loss, alteration, and other data security incidents that have occurred or might occur, data handlers shall immediately employ remedial or preventative measures.
Article 84: In handling sensitive personal data or important data as provided by the state, risk assessments shall be periodically carried out in accordance with relevant provisions, and reports on the risk assessment shall be sent to the departments in charge.
Article 85: Data handlers shall establish mechanisms for handling data security emergencies, and draft data security emergency response plans. Data security emergency response plans shall rank data security incidents on the basis of factors such as the degree of threat and the scope of impact, and provide corresponding emergency response handling measures.
Article 86: Where data leaks, damage, loss, alteration, and other data security incidents occur, data handlers shall immediately initiate the emergency response plan, employ corresponding emergency response measures, promptly inform relevant stakeholders, and report to the internet information and public security departments and relevant departments in charge of industry in accordance with relevant provisions.
Section 3: Data Security Oversight
Article 87: The municipal internet and information departments shall plan and coordinate efforts on data security and related oversight in accordance with relevant laws, administrative regulations, and the provisions of these Regulations; and establish and complete mechanisms for data security oversight in conjunction with the municipal departments for public security, state security, and so forth as well as departments in charge of industry, and organize data security oversight inspections.
Article 88: In conjunction with relevant regulatory departments, the municipal internet information department shall strengthen risk analysis, forecasting, assessment, and the collection of relevant information; and where risks that might lead to larger data leaks, damage, loss, alteration, or other data security incidents are discovered, they shall promptly publish warning information, submit prevention and response measures, and guide and oversee data handlers in completing data security protection efforts.
Article 89: The municipal internet information departments and other departments performing data security oversight duties may entrust third-party bodies to carry out data certification and data security assessment work in accordance with the requirements of laws, regulations and relevant standards, and conduct security rating.
Article 90: Where the municipal internet information department and other departments performing data security oversight duties discover in the course of performing their duties that data handlers have failed to implement security management responsibility in accordance with provisions, they shall give a talking to the data handlers and urge their making corrections.
Article 91: The municipal internet information department as well as other data oversight and management departments and their staffs shall strictly maintain the confidentiality of personal data, commercial secrets, and other data that needs to be kept secret which is learned of in the performance of their duties, and must not leak, sell, or illegally provide it to others.
Chapter VI: Legal Responsibility
Article 92: Where these Regulations are violated in the handling of personal data, punishments are to be given in accordance with laws and regulations related to personal information protections.
Article 93: Where public management and service bodies violate the provisions of these Regulations, a higher-level or relevant competent department is to order corrections, and where corrections are refused or serious consequences are caused, legal responsibility is to be pursued in accordance with law; and where loses are caused to natural persons, legal persons, or unincorporated organizations, responsibility for compensation shall be borne in accordance with law.
Article 94: Where data is traded in violation of article 67 of these Regulations, the municipal department for market regulation or other relevant departments in charge of industry is to order corrections in accordance with their duties and confiscate unlawful gains; where the amount of the transaction is less than 10,000 RMB, a fine of between 50,000 and 200,000 RMB is to be given; and where the amount of the transaction is greater than 10,000 RMB a fine of between 200,000 and 1,000,000 RMB is to be given, and other administrative punishments may be concurrently given in accordance with laws and administrative regulations. Where laws and administrative regulations provide otherwise, those provisions control.
Article 95: Where articles 68 or 69 of these Regulations are violated infringing on the lawful rights and interests of other market entities or consumers, the municipal department for market regulation or relevant departments for the management of industry are to order corrections in accordance with their duties and confiscate unlawful gains; where corrections are refused a fine of between 50,000 and 500,000 RMB is to be given; where the circumstances are serious, a fine of up to 5% of their annual sales is to be given with a maximum not to exceed 50,000,000 RMB, and other administrative punishments provided for by laws and administrative regulations may be given in accordance with law. Where laws and administrative regulations provide otherwise, those provisions control.
Where market entities violate article 70 of these Regulations by exhibiting acts of unfair competition or monopolistic conduct, punishment is to be given in accordance with laws and regulations opposing unfair competition and monopolies.
Article 96: Where data handlers violate provisions of these Regulations by failing to perform data security protection responsibilities, punishments are to be given in accordance with laws and regulations on data security.
Article 97: Where departments performing data oversight and management duties as well as public management and service bodies do not perform or do not correctly perform the duties provided for in these Regulations, sanctions are to be given to the directly responsible managers and other directly responsible personnel in accordance with law, and where a crime is constituted, criminal responsibility is pursued in accordance with law.
Article 98: Where these Regulations are violated in handling data causing harm to national interests or the public interest, the organizations provided for by laws and regulations may initiate civil public interest litigation in accordance with law. Where the organizations provided for by laws and regulations initiate civil public interest litigation and the people's procuratorate may support the prosecution where it finds it necessary.
Where the organizations provided for by laws and regulations do not initiate civil public interest litigation, the people's procuratorate may initiate civil public interest litigation in accordance with law.
Where the people's procuratorate finds that departments performing data oversight and management duties have illegally exercised their authority or not acted and caused harm to national interests or the public interest, they shall submit a procuratorial suggestion to the relevant administrative organs; and where the administrative organs do not perform their duties in accordance with law, the people's procuratorate may initiate administrative public interest litigation in accordance with law.
Article 99: Where data handlers' handling of data in violation of these Regulations causes harm to others, they shall bear civil liability in accordance with law; where it constituted a violation of public security administration, public security administration punishments are to be given in accordance with law; where a crime is constituted, criminal responsibility is to be pursued in accordance with law.
Chapter VII: Supplementary Provisions
Article 100: These Regulations are to take force on January 1, 2022.