
China Releases Notification Guidelines For Security Assessment On Cross-border Data Transfer (English Translation) – Security




To enforce the Security Assessment Measures for Cross-border Data Transfer that came into effect on September 1, 2022, the Cyberspace Administration of China (“CAC”) released the Notification Guidelines for Security Assessment on Cross-border Data Transfer (1st Edition) (数据出境安全评估申报指南(第一版) in Chinese) (“Guideline”).

The Guideline has specified the application scope,
methods and procedures, lists of materials and consultation methods
of the security assessment notification for cross-border data
transfer, and included requirements for notification materials as
well as templates for letters of authorization, notification forms,
and reports on data transfer risk self-assessments as its four
annexes, which could greatly help enterprises to submit such
notifications in a standardized manner.

In this regard, the Dentons China Data Protection Team has
prepared an English translation of this important rule for your
quick reference. Please note that the English version is provided
as a courtesy by the Dentons team; it is NOT an official translation
and is strictly for reference only.

If you have any inquiry regarding the Guidance and the
Security Assessment, please contact our partners Ken Dai
([email protected]) or Jet Deng
([email protected]).


数据出境安全评估申报指南
(第一版)

Notification Guidelines for Security Assessment on
Cross-border Data Transfer (1st Edition)


《数据出境安全评估办法》自2022年9月1日起施行。为指导和帮助数据处理者规范、有序申报数据出境安全评估,特制定本指南。

The Security Assessment Measures for Cross-border Data Transfer
took effect on September 1, 2022. These guidelines are formulated
to guide and help data handlers notify security assessments for
cross-border data transfer in a standardized and orderly manner.

一.适用范围

I. Scope of Application


数据处理者向境外提供数据,有下列情形之一的,应当通过所在地省级网信办向国家网信办申报数据出境安全评估:

To provide data abroad under any of the following circumstances,
a data handler shall make the notification of security assessment
for its cross-border data transfer to the Cyberspace Administration
of China (“CAC”) through the local cyberspace
administration at the provincial level:

( 一 )
数据处理者向境外提供重要数据;

(1) where a data handler provides important data abroad;

( 二 )
关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息;

(2) where a critical information infrastructure operator or a
data handler processing the personal information of more than one
million individuals provides personal information abroad;

( 三 )
自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息;

(3) where a data handler has provided personal information of
100,000 individuals or sensitive personal information of 10,000
individuals accumulatively abroad since January 1 of the previous
year;

( 四 )
国家网信办规定的其他需要申报数据出境安全评估的情形。

(4) other circumstances prescribed by the CAC for which
notification for security assessment for cross-border data transfer
is required.


以下情形属于数据出境行为:

The following situations are cross-border data transfer
behaviors:

( 一 )
数据处理者将在境内运营中收集和产生的数据传输、存储至境外;

(1) the data handler transfers and stores the data collected and
generated in the course of operations in China to overseas;

( 二 )
数据处理者收集和产生的数据存储在境内,境外的机构、组织或者个人可以查询、调取、下载、导出;

(2) the data collected and generated by the data handler is
stored in China, and overseas institutions, organizations or
individuals can access, retrieve, download and export;

( 三 )
国家网信办规定的其他数据出境行为。

(3) other cross-border data transfer behaviors stipulated by the
CAC.


二.申报方式及流程

II. Method and Procedure of Notification


数据处理者申报数据出境安全评估,应当通过所在地省级网信办申报数据出境安全评估。申报方式为送达书面申报材料并附带材料电子版。

When a data handler notifies a security assessment for
cross-border data transfer, it shall notify the security assessment
to the local cyberspace administration at the provincial level. The
notification method is to serve the written notification materials
with the electronic version of the materials attached.


省级网信办收到申报材料后,在5个工作日内完成申报材料的完备性查验。通过完备性查验的,省级网信办将申报材料上报国家网信办;未通过完备性查验的,数据处理者将收到申报退回通知。

The cyberspace administration at the provincial level shall
complete the examination of the completeness of notification
materials within five (5) working days after receiving them. Where
the notification materials are complete, they shall be submitted to
the CAC; where the notification materials are incomplete, the data
handler will be notified of the return of the notification.


国家网信办自收到省级网信办上报申报材料之日起7个工作日内,确定是否受理并书面通知数据处理者。

The CAC shall, within seven (7) working days after receipt of
notification materials, determine whether or not to accept the
notification, and notify the data handler in writing.


数据处理者如被告知补充或者更正申报材料,应当及时按照要求补充或者更正材料。无正当理由不补充或者更正申报材料的,安全评估将会终止。情况复杂的,数据处理者将被告知评估预计延长的时间。

If the data handler is informed to supplement or correct the
notification materials, it shall supplement or correct the
materials in a timely manner as required. In case that the data
handler fails to supplement or correct the materials without
justified reasons, the CAC may terminate the security assessment.
In complex cases, the data handler will be informed of the expected
extended period for the assessment.


评估完成后,数据处理者将收到评估结果通知书。对评估结果无异议的,数据处理者须按照数据出境安全管理相关法律法规和评估结果通知书的有关要求,规范相关数据出境活动;对评估结果有异议的,数据处理者可以在收到评估结果通知书15个工作日内向国家网信办申请复评,复评结果为最终结论。

After the assessment is completed, the data handler will be
notified of the outcome of the assessment. If there is no objection
to the assessment result, the data handler must self-regulate the
relevant data export activities in accordance with the relevant
laws and regulations on data export security management and the
relevant requirements of the assessment result notification; where
a data handler has any objection to the assessment result, it may,
within fifteen (15) working days of receiving the result, apply to
the CAC for a re-assessment, and the re-assessment result is the
final decision.


三.申报材料

III. Materials for Notification


数据处理者申报数据出境安全评估,应当提交如下材料
(数据出境安全评估申报材料要求见附件1)

To notify security assessment for a cross-border data transfer,
the data handler shall submit the following materials (See Annex 1
for the requirements for notification materials for cross-border
data transfer security assessment):


  1. 统一社会信用代码证件影印件

Photocopy of unified social credit code certificate

  2. 法定代表人身份证件影印件

Photocopy of the legal representative’s ID card

  3. 经办人身份证件影印件

Photocopy of the case handler’s ID card

  4. 经办人授权委托书(模板见附件2)

Power of attorney for the case handler (see Annex 2 for the
template)

  5. 数据出境安全评估申报书(模板见附件3)

Notification letter for cross-border data transfer security
assessment (see Annex 3 for the template)

  6. 与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件影印件

Photocopies of cross-border data transfer related contracts or
other legally binding documents to be concluded with overseas
recipients

  7. 数据出境风险自评估报告(模板见附件4)

Cross-border data transfer risk self-assessment report (see
Annex 4 for the template)

  8. 其他相关证明材料

Other relevant documentations


数据处理者对所提交材料的真实性负责,提交虚假材料的,按照评估不通过处理,并依法追究相应法律责任。

A data handler shall be responsible for the authenticity of the
materials submitted. If a data handler submits false materials on
purpose, it shall be deemed as failing in the assessment, and the
data handler shall be held legally liable correspondingly according
to the law.


四、申报咨询

IV. Notification Consultation

电子邮箱:[email protected]

Email address: [email protected]

联系电话:010-55627135

Tel: 010-55627135


附件:1.数据出境安全评估申报材料要求


2.经办人授权委托书
(模板)


3.数据出境安全评估申报书
(模板)


4.数据出境风险自评估报告
(模板)

Annex: 1.Requirements for Notification Materials for
Cross-border Data Transfer Security Assessment

2.Power of Attorney for the Case Handler (Template)

3.Notification Letter for Cross-border Data Transfer Security
Assessment (template)

4.Cross-border Data Transfer Risk Self-assessment Report
(template)

附件 1

Annex 1


数据出境安全评估申报材料要求

Requirements for Notification Materials for Cross-border
Data Transfer Security Assessment

















| 序号 / No. | 材料名称 / Document | 要求 / Requirement | 备注 / Note |
|---|---|---|---|
| 1 | 统一社会信用代码证件 / Unified social credit code certificate | 影印件加盖公章 / Photocopy with official seal | |
| 2 | 法定代表人身份证件 / Legal representative’s ID card | 影印件加盖公章 / Photocopy with official seal | |
| 3 | 经办人身份证件 / Case Handler’s ID card | 影印件加盖公章 / Photocopy with official seal | |
| 4 | 经办人授权委托书 / Power of Attorney for the Case Handler | 原件 / Original copy | |
| 5 | 数据出境安全评估申报书 / Notification Letter for Cross-border Data Transfer Security Assessment | | |
| 5.1 | 承诺书 / Commitment Letter | 原件 / Original copy | |
| 5.2 | 数据出境安全评估申报表 / Notification Form for Cross-border Data Transfer Security Assessment | 原件 / Original copy | |
| 6 | 与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件 / Cross-border Data Transfer Related Contracts or Other Legally Binding Documents to be Concluded with Overseas Recipient | 影印件加盖公章 / Photocopy with official seal | 对数据出境相关约定条款作高亮、线框等显著标识。法律文件以中文译本为准,若仅有非中文版本,须同步提交准确的中文译本 / Highlight, use wireframe and other prominent signs for the agreed terms related to data export. The Chinese version of legal documents shall prevail. If there is only a non-Chinese version, an accurate Chinese translation must be submitted simultaneously |
| 7 | 数据出境风险自评估报告 / Cross-border Data Transfer Risk Self-assessment Report | 原件 / Original copy | |
| 8 | 其他相关证明材料 / Other Relevant Documentations | 原件或影印件加盖公章 / Original copy or photocopy with official seal | 相关证明材料以中文版本为准,若仅有非中文版本,须同步提交准确的中文译本 / The Chinese version of the relevant documentations shall prevail. If there is only a non-Chinese version, an accurate Chinese translation must be submitted simultaneously |


在提交上述书面材料的同时,需通过光盘方式提交相应电子版文件。

When submitting the above written materials, the corresponding
electronic documents must be submitted by means of CD-ROM.

附件 2

Annex 2


经办人授权委托书

Power of Attorney for the Case Handler


本人姓名(身份证件号码:    )系数据处理者名称的法定代表人,现授权我单位姓名(身份证件号码:    )为数据出境安全评估申报工作经办人。经办人代表我单位进行数据出境安全评估申报工作过程中的一切行为,包括所签署和上传的资料,我单位均予以承认,并将承担相应的法律责任。

I, name (ID number: ), legal representative of name of data
handler, hereby authorize name (ID number: ) of our entity as the
case handler of the security assessment notification for the
cross-border data transfer. All actions of the case handler in the
process of security assessment notification for cross-border data
transfer on behalf of our entity, including the signed and uploaded
materials, are recognized by our entity and our entity will bear
the corresponding legal responsibility.

授权委托期限:
年 月 日至 年 月 日

Authorization period: YYYY/MM/DD to YYYY/MM/DD


经办人无转委托权。

The case handler has no right to sub-entrust.

单位名称
(盖章) :

Name of Entity (Seal)


法定代表人 (签字)

Legal Representative (Sign)

经办人
(签字 )

Case Handler (Sign)

年 月 日

YYYY/MM/DD

附件 3

Annex 3


数据出境安全评估申报书
(
模板)

Notification Letter for Cross-border Data Transfer
Security Assessment (Template)

填写说明:

Fill-in Instructions:


一、由数据处理者法定代表人或其授权的数据出境安全评估申报工作经办人填写;

  1. To be filled out by the legal representative of the data
    handler or its authorized person in charge of the data export
    security assessment and notification;

二、有选择的地方请勾选左侧“ ”符号,有横线的部分应当填写相关信息;

  2. Where there is a choice, please tick the “ ”
    symbol on the left, and the part with a horizontal line should be
    filled with the relevant information;

三、所涉及的用语,可参考《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》和《数据出境安全评估办法》等法律法规和部门规章;

  3. For the terms involved, please refer to laws and regulations
    such as the Cybersecurity Law of the People’s Republic of
    China, the Data Security Law of the People’s Republic of
    China, the Personal Information Protection Law of the
    People’s Republic of China, and the Security Assessment
    Measures for Cross-border Data Transfer;

四、由国家互联网信息办公室制定并负责解释。

  4. It is formulated and interpreted by the Cyberspace
    Administration of China


一、承诺书

Letter of Commitment


本单位郑重承诺:

We solemnly undertake that:

一、
申报出境数据的收集、使用符合中华人民共和国有关法律法规规定;

The collection and use of the notified cross-border data comply
with the relevant laws and regulations of the People’s
Republic of China;

二、
申报材料所有内容真实、完整、准确和有效;

All contents of the notification materials are true, complete,
accurate and valid;


三、为国家网信办组织实施的数据出境安全评估工作提供必要的配合和支持;

To provide necessary cooperation and support for the security
assessment for cross-border data transfer organized and implemented
by the CAC;

四、
自评估工作为申报之日前3个月内完成,且至申报之日未发生重大变化。

The self-assessment has been completed within 3 months before
the date of notification, and no significant changes have taken
place up to the date of notification.


本单位知晓并充分理解上述承诺内容,若承诺不实或者违背承诺,愿意承担相应法律责任。

We acknowledge and fully understand the content of the above
commitment. If the commitment is false or violated, we are willing
to bear the corresponding legal liabilities.


法定代表人 (签字)

Legal Representative (Sign):

单位 (盖章 )

Entity (Seal):

年 月 日

YYYY/MM/DD


二、数据出境安全评估申报表

Notification Form of Cross-border Data Transfer Security
Assessment









































01 数据处理者情况 / Information of Data Handler

- 单位名称 / Name of Entity
- 单位性质 / Nature of Entity
- 单位注册地 / Registered Address
- 办公所在地 / Business Address
- 有效期 / Validity Period
- 邮政编码 / Postcode
- 注册资金 / Registered Capital
- 员工数量 / Number of Employees
- 主营业务 / Main Business
- 统一社会信用代码 / Unified Social Credit Code

02 法定代表人信息 / Information of Legal Representative

- 姓名 / Name
- 职务/国籍 / Position/Nationality
- 联系电话 / Contact Number
- 电子邮箱 / Email Address
- 证件类型 / ID Type
- 证件号码 / ID Number

03 数据安全负责人和管理机构信息 / Information of Data Security Responsible Person and Management Body

- 姓名 / Name
- 职务/国籍 / Position/Nationality
- 联系电话 / Contact Number
- 电子邮箱 / Email Address
- 证件类型 / ID Type
- 证件号码 / ID Number
- 机构名称 / Name of Body
- 机构人数 / Number of People of Body

04 经办人信息 / Information of Case Handler

- 姓名 / Name
- 职务/国籍 / Position/Nationality
- 联系电话 / Contact Number
- 电子邮箱 / Email Address
- 证件类型 / ID Type
- 证件号码 / ID Number

05 数据出境业务描述 / Business Description of Cross-border Data Transfer

06 数据出境的目的 / Purpose of Cross-border Data Transfer

07 数据出境的方式 / Method of Cross-border Data Transfer

08 数据出境链路 / Link of Cross-border Data Transfer

09 拟出境数据情况 / Information of Proposed Cross-border Data

- 数据类型 / Type of Data
- 重要数据 / Important Data
- 个人信息 / Personal Information
- 敏感程度(如为个人信息) / Level of Sensitivity (for personal information)
- 数据规模 / Scale of Data: MB/GB/TB
- 涉及行业/领域 / Industry/Field Involved
- 涉及自然人数量 / Number of Natural Person Involved
- 涉及重要数据数量 / Quantity of Important Data Involved

10 境外接收方情况 / Information of Overseas Recipient

- 境外接收方名称 / Name of Overseas Recipient
- 所在国家或者地区 / Country or Region
- 所在地址 / Address
- 注册登记号码 / Registration Number
- 注册资金 / Registered Capital
- 员工数量 / Number of Employees
- 负责人姓名 / Name of Responsible Person
- 负责人职务 / Position of Responsible Person
- 联系电话 / Contact Number
- 电子邮箱 / Email Address
- 证件类型 / ID Type
- 证件号码 / ID Number
- 主营业务 / Main Business

11 境外接收方数据安全责任人和管理机构情况 / Information of Data Security Responsible Person and Management Body of Overseas Recipient

- 姓名 / Name
- 职务 / Position
- 联系电话 / Contact Number
- 电子邮箱 / Email Address
- 证件类型 / ID Type
- 证件号码 / ID Number
- 机构名称 / Name of Body
- 机构人数 / Number of People of Body

12 法律文件 / Legal Documents

- 法律文件名称列表: / Name List of Legal Documents:

13
相关条款在法律文件中的页码及条款


The Page Number and Content of the Relevant Clauses in the Legal
Documents


1.数据出境的目的、方式和数据范围,境外接收方处理数据的用途、方式等。


1. The purpose, method and scope of the cross-border data
transfer; and the purpose, method, etc. of data processing by the
overseas recipient.



所在文件名称及页码


Name of Document and Page Number_________


所述条款


Clause_________



2.数据在境外保存地点、期限,以及达到保存期限、完成约定目的或者法律文件终止后出境数据的处理措施。


2. The location of storage and retention period of data, as well
as measures to be taken with the data after the retention period
expires, the purpose agreed upon is completed or the legal
documents are terminated.



所在文件名称及页码


Name of Document and Page Number_________


所述条款


Clause_________



3.对于境外接收方将出境数据再转移给其他组织、个人的约束性要求。


3. Binding requirements for overseas recipient to transfer data
to other organizations and individuals.



所在文件名称及页码


Name of Document and Page Number_________


所述条款


Clause_________



4.境外接收方在实际控制权或者经营范围发生实质性变化,或者所在国家、地区数据安全保护政策法规和网络安全环境发生变化以及发生其他不可抗力情形导致难以保障数据安全时,应当采取的措施。


4. The security measures that the overseas recipient should take
when the actual control right or business scope has changed
substantially, or the data security protection policies and
regulations and cybersecurity environment of the country or region
where the overseas recipient is located have changed, and other
force majeure situations have occurred so that it is difficult to
ensure data security.



所在文件名称及页码


Name of Document and Page Number_________


所述条款


Clause_________



5.违反法律文件约定的数据安全保护义务的补救措施、违约责任和争议解决方式。


5. Remedies, liabilities and dispute resolution methods for
breach of data security protection obligations agreed in legal
documents.



所在文件名称及页码


Name of Document and Page Number_________


所述条款


Clause_________


6.出境数据遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等风险时,妥善开展应急处置的要求和保障个人维护其个人信息权益的途径和方式。


6. The requirement for proper emergency response measures and
the ways and means to protect individuals’ rights and
interests of personal information when the cross-border data is
tampered with, damaged, leaked, lost, transferred or illegally
obtained, illegally used or encountered other risks.



所在文件名称及页码


Name of Document and Page Number_________


所述条款


Clause_________

14 数据处理者遵守中国法律、行政法规、部门规章情况


Data Handler’s Compliance with Chinese Laws,
Administrative Regulations and Departmental Rules


填表说明

Fill-in Instructions

  1. 申报书01项中的单位名称、性质、注册地、有效期、注册资金等怎么填写?

How to fill in the entity name, nature, registered
address, validity period, registered capital, etc. of Item 01 of
the notification form?


数据处理者应当对照统一社会信用代码证件中的机构名称、机构性质/类型、有效期等栏目填写。单位注册地应具体到城市,如北京市、河北省石家庄市等。单位办公所在地应具体到门牌号,如北京市海淀区X路X号。表中注册资金均需明确币种和金额。

The data handler shall fill in the fields for the institution
name, institution nature/type, validity period, etc., in accordance
with the corresponding columns of the unified social credit code
certificate. The registered address of the entity shall be specific
to the city, for example, Beijing, or Shijiazhuang of Hebei
Province. The business address of the entity shall be specific to
the house number, for example, No. X, X Rd, Haidian District,
Beijing. The currency and amount of registered capital in the form
must be specified.

  2. 申报书02、03、04项证件类型怎么填写?

How to fill in the certificate type of Item 02, 03 and
04 of the notification form?


可根据实际情况选择填写居民身份证、护照、台湾居民来往大陆通行证、港澳居民来往内地通行证等。

You can choose to fill in the Resident ID Card, Passport,
Mainland Travel Permit for Taiwan Residents, Mainland Travel Permit
for Hong Kong and Macao Residents, etc. according to the actual
situation.


  3. 申报书05项中数据出境业务描述怎么填写?

How to fill in the business description of cross-border
data transfer of Item 05 of the notification form?


据实填写此次申报的数据出境业务,应与法律文件中涉及业务名称一致。

Fill in the cross-border data transfer business of this
notification according to the facts, which should be consistent
with the name of the business involved in the legal document.


  4. 申报书06项中数据出境的目的怎么填写?

How to fill in the purpose of cross-border data transfer
of Item 06 of the notification form?


如开展业务合作、技术研究、经营管理等,需具体阐述。

Purposes such as business cooperation, technical research, or
operating management need to be elaborated in specific terms.


  5. 申报书07项数据出境的方式怎么填写?

How to fill in the method of cross-border data transfer
of Item 07 of the notification form?


说明数据出境的方式,如公共互联网传输、专线传输等。

Specify the method of cross-border data transfer, such as public
Internet transfer, dedicated line transfer, etc.


  6. 申报书08项数据出境链路怎么填写?

How to fill in the link of cross-border data transfer of
Item 08 of the notification form?


说明数据出境的链路,如链路提供商、链路数量与带宽、境内外落地数据中心名称及机房物理位置、IP地址等

Illustrate links for cross-border data transfer, such as link
provider, link quantity and bandwidth, name and physical location
of equipment room of landing data centers at home and abroad, and
IP address.


  7. 申报书09项拟出境数据情况怎么填写?

How to fill in information of proposed cross-border data
of Item 09 of the notification form?


关于个人信息的敏感程度,可参照国家标准《信息安全技术 个人信息安全规范》

The level of sensitivity of personal information can refer to
the national standard Information Security Technology-Personal
Information (PI) Security Specification.


涉及行业/领域填写出境数据涉及的行业领域范围,如工业、电信、金融、交通、自然资源、卫生健康、能源、教育、科技、国防科工等。

For industries/fields involved, fill in the industries and fields
to which the cross-border data relates, such as industry,
telecommunications, finance, transportation, natural resources,
health, energy, education, science and technology, and science and
technology industries for national defense, etc.

  8. 申报书13项相关条款在法律文件中的页码怎么填写?

How to fill in the page number of relevant clauses in
the legal document of Item 13 of the notification
form?


数据处理者填写对应法律文件条款所在的页码,并对相关条款作高亮、线框等显著标识。

The data handler fills in the page number where the clause of
the corresponding legal document is, and makes prominent marks such
as highlighting and wireframe on the relevant clause.

  9. 申报书14项遵守中国法律、行政法规、部门规章情况怎么填写?

How to fill in the data handler’s compliance with
Chinese laws, administrative regulations and departmental rules of
Item 14 of the notification form?

数据处理者简述近2年在业务经营活动中受到行政处罚和有关主管监管部门调查及整改情况,重点说明数据和网络安全方面相关情况。

The data handler briefly describes the administrative penalties
and the investigation and rectification by the relevant competent
regulatory authorities in the business operations in the past two
(2) years, focusing on data security and cybersecurity.

附件 4

Annex 4


数据出境风险自评估报告(模板)

Cross-border Data Transfer Risk Self-assessment Report
(Template)


数据处理者名称:
(盖章)

Name of Data Handler: (Seal)

年 月 日

(YYYY/MM/DD)

说明:

Explanation:


(一)数据处理者申报数据出境安全评估时需提供自评估报告;

(1) The data handler shall provide self-assessment
report when declaring security assessment for its cross-border data
transfer;


(二)数据处理者须对所提交的自评估报告及附件材料真实性负责;

(2) The data handler shall be responsible for the
authenticity of the self-assessment report and the attached
materials;


(三)本报告所述自评估活动为本次申报前3个月内完成;

(3) The self-assessment activities mentioned in
this report shall be completed within 3 months before the
notification;


(四)如有第三方机构参与自评估,须在自评估报告中说明第三方机构的基本情况及参与评估的情况,并在相关内容页上加盖第三方机构公章。

(4) If a third-party organization is involved in the
self-assessment, the basic information of the third-party
organization and conditions of its participation in the assessment
must be specified in the self-assessment report, and the official
seal of the third-party organization must be affixed on the
relevant content page.


一、自评估工作简述

I. Brief Introduction of Self-assessment


自评估工作开展情况,包括起止时间、组织情况、实施过程、实施方式等内容。

The report shall describe the implementation of self-assessment,
including the start and end time, organization, implementation
process, and implementation method, etc.


二、出境活动整体情况

II. Overall Information of Cross-border Transfer Activities


详细说明数据处理者基本情况、数据出境涉及的业务和信息系统、出境数据情况、数据处理者安全保障能力情况、境外接收方情况、法律文件约定情况等。包括不限于:

Provide details of the data handler, the business and
information systems involved in the cross-border data transfer, the
information of cross-border data transfer, the security
capabilities of data handler, the information of overseas
recipient, and the information of legal documents agreed. This part
includes, but is not limited to:


(一)数据处理者基本情况

(1) Basic information of data handler

1.组织或者个人基本信息;

  1. Basic information of organization or individual;

2.股权结构和实际控制人信息;

  2. Information of equity structure and actual controller;

3.组织架构信息;

  3. Information of organization structure;

4.数据安全管理机构信息;

  4. Information of data security management body;

5.整体业务与数据情况;

  5. Overall information of business and data;

6.境内外投资情况。

  6. Information of domestic and overseas investment.


(二)数据出境涉及业务和信息系统情况

(2) Information of business and information system involved in
cross-border data transfer

1.数据出境涉及业务的基本情况;

  1. Basic information of business involved in cross-border data
    transfer;

2.数据出境涉及业务的数据资产情况;

  2. Information of data assets related to the business of
    cross-border data transfer;

3.数据出境涉及业务的信息系统情况;

  3. Information of information system related to the business of
    the cross-border data transfer;

4.数据出境涉及的数据中心(包含云服务)情况;

  4. Information of data centers (including cloud services) related
    to cross-border data transfer;

5.数据出境链路相关情况。

  5. Information of cross-border data transfer links.


(三)拟出境数据情况

(3) Information of data to be exported

1.说明数据出境及境外接收方处理数据的目的、范围、方式,及其合法性、正当性、必要性;

  1. Illustrate the purpose, scope, method, as well as the legality,
    legitimacy, and necessity of cross-border data transfer and data
    processing by overseas recipient;

2.说明出境数据的规模、范围、种类、敏感程度;

  2. Illustrate the scale, scope, type, and sensitivity of
    cross-border data;

3.拟出境数据在境内存储的系统平台、数据中心等情况,计划出境后存储的系统平台、数据中心等;

  3. The conditions of system platform and data center where the
    proposed cross-border data are stored domestically, and the system
    platform and data center where the data are stored after the
    cross-border transfer;

4.数据出境后向境外其他接收方提供的情况。

  4. Information of providing cross-border data to other overseas
    recipients after the cross-border data transfer.


(四)数据处理者数据安全保障能力情况

(4) Information of data security protection capability of data
handler

1.数据安全管理能力,包括管理组织体系和制度建设情况,全流程管理、分类分级、应急处置、风险评估、个人信息权益保护等制度及落实情况;

  1. Capability of management of data security, including the system
    for organization and management and the development of the system,
    the whole-process management, categorization and classification,
    emergency response, risk assessment, the implementation of the
    protection of personal information interests, etc.;

2.数据安全技术能力,包括数据收集、存储、使用、加工、传输、提供、公开、删除等全流程所采取的安全技术措施等;

  2. Technical capability of data security, including technical
    security measures conducted in the whole process such as data
    collection, storage, use, processing, transfer, provision,
    disclosure, or deletion of data, etc.;

3.数据安全保障措施有效性证明,例如开展的数据安全风险评估、数据安全能力认证、数据安全检查测评、数据安全合规审计、网络安全等级保护测评等情况;

  3. Proof of the effectiveness of data security protection
    measures, such as the implementation of data security risk
    assessment, data security capability certification, data security
    inspection, data security compliance audit, and evaluation for
    classified protection of cybersecurity, etc.;

4.遵守数据和网络安全相关法律法规的情况。

  4. Information of compliance with data and cybersecurity related
    regulations.


(五)境外接收方情况

(5) Information of overseas recipient

1.境外接收方基本情况;

  1. Basic information of overseas recipient;

2.境外接收方处理数据的用途、方式等;

  2. The purpose and method of data processing by the overseas
    recipient;

3.境外接收方的数据安全保障能力;

  3. Data security protection capability of overseas recipient;

4.境外接收方所在国家或地区数据安全保护政策法规和网络安全情况;

  4. Conditions of the data security protection policies and
    regulations and cybersecurity of the country or region where the
    overseas recipient is located;

5.境外接收方处理数据的全流程过程描述。

  5. Description of the whole process of data processing by the
    overseas recipient.


(六)法律文件约定数据安全保护责任义务的情况

(6) Data security protection responsibilities and obligations
agreed in the legal documents

1.数据出境的目的、方式和数据范围,境外接收方处理数据的用途、方式等;

  1. The purpose, method and scope of cross-border data transfer,
    the purpose, method of processing data by overseas recipient,
    etc.;

2.数据在境外保存地点、期限,以及达到保存期限、完成约定目的或者法律文件终止后出境数据的处理措施;

  2. The location and period of data storage overseas, as well as
    the processing measures for cross-border data after the retention
    period expires, the purpose is achieved, or the legal documents
    terminate;

3.对于境外接收方将出境数据再转移给其他组织、个人的约束性要求;

  3. The binding requirements of transferring the cross-border data
    to other organizations and individuals by the overseas
    recipient;

4.境外接收方在实际控制权或者经营范围发生实质性变化,或者所在国家、地区数据安全保护政策法规和网络安全环境发生变化以及发生其他不可抗力情形导致难以保障数据安全时,应当采取的安全措施;

  4. Security measures that the overseas recipient should take when
    the actual control right or business scope changes substantially,
    when the data security protection policies and regulations and the
    cybersecurity environment in the country and region where the
    overseas recipient is located change, and when the appearance of
    other force majeure situations makes it difficult to ensure data
    security;

5.违反法律文件约定的数据安全保护义务的补救措施、违约责任和争议解决方式;

  5. Remedies, liabilities and dispute resolution methods for breach
    of data security protection obligations agreed in legal
    documents;

6.出境数据遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等风险时,妥善开展应急处置的要求和保障个人维护其个人信息权益的途径和方式。

  6. Requirements for proper emergency response when cross-border
    data is tampered with, destroyed, leaked, lost, transferred, or
    illegally obtained and illegally used, and ways and means to
    safeguard individuals’ exercising of rights and interests in
    personal information.


(七)数据处理者认为需要说明的其他情况。

(7) Other circumstances that the data handler considers necessary
to illustrate.


三、拟出境活动的风险评估情况

III. Risk Assessment on Cross-border Transfer
Activities


就下列事项逐项说明风险评估情况,重点说明评估发现的问题和风险隐患,以及相应采取的整改措施及整改效果。

Explain the risk assessment one by one for the following items,
focusing on the problems and potential risks found in the
assessment, as well as the corresponding rectification measures and
rectification effects.


(一)数据出境和境外接收方处理数据的目的、范围、方式等的合法性、正当性、必要性;

  1. The legality, legitimacy, and necessity of cross-border data
    transfer and the purpose, the scope, the method of data processing
    activities by overseas recipient;

(二)出境数据的规模、范围、种类、敏感程度,数据出境可能对国家安全、公共利益、个人或者组织合法权益带来的风险;

  2. The scale, scope, type and sensitivity of cross-border data,
    and the risks that cross-border data transfer may bring to national
    security, public interests, and the legitimate rights and interests
    of individuals or organizations;

(三)境外接收方承诺承担的责任义务,以及履行责任义务的管理和技术措施、能力等能否保障出境数据的安全;

  3. Whether the responsibilities and obligations committed by the
    overseas recipient and the ability of management and technical
    measures to fulfill the responsibilities and obligations can
    guarantee the security of cross-border data;

(四)数据出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的风险,个人信息权益维护的渠道是否通畅等;

  4. The risks such as tampering, destruction, leakage, loss,
    transfer or illegal acquisition and illegal use of data during and
    after cross-border data transfer, whether the channels for
    exercising the rights and interests of personal information are
    smooth;

(五)与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件等,是否充分约定了数据安全保护责任义务;

  5. Whether the contracts related to cross-border data transfer or
    other legally effective documents proposed to be entered into with
    overseas recipient fully stipulate the responsibility and
    obligation of data security protection;

(六)其他可能影响数据出境安全的事项。

  6. Other matters that may affect the security of cross-border data
    transfer.


四、出境活动风险自评估结论

IV. Conclusion of Risk Self-assessment for Cross-border
Transfer Activities


综合上述风险评估情况和相应整改情况,对拟申报的数据出境活动作出客观的风险自评估结论,充分说明得出自评估结论的理由和论据。

Based on the above-mentioned risk assessment and corresponding
rectification, an objective risk self-assessment conclusion shall
be made for the cross-border data transfer activities to be
notified, with a full explanation of the reasons and arguments for
drawing the self-assessment conclusion.


