The Measures for Security Assessment for Outbound Data Transfer Have Been Issued: Do You Still Not Understand Data Compliance? (English Version of the Measures Attached at the End)

Published: 2022-07-12 10:14:52

 

The Measures for Security Assessment for Outbound Data Transfer occupy a central position in China's cross-border data regime and take effect on September 1, 2022.

What does the security assessment for outbound data transfer evaluate?

The security assessment for outbound data transfer focuses on the risks that the outbound data transfer activity may pose to national security, the public interest, and the legitimate rights and interests of individuals or organizations, mainly covering the following matters:

First, the legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer.

Second, the impact of the data security protection policies and regulations and the network security environment of the country or region where the foreign recipient is located on the security of the outbound data, and whether the foreign recipient's level of data protection meets the requirements of the laws, administrative regulations and mandatory national standards of the People's Republic of China.

Third, the scale, scope, type and sensitivity of the outbound data, and the risks of the data being tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used during and after the transfer.

Fourth, whether data security and personal information rights and interests can be fully and effectively safeguarded.

Fifth, whether the legal documents to be concluded between the data handler and the foreign recipient fully stipulate the responsibilities and obligations for data security protection.

Sixth, compliance with Chinese laws, administrative regulations and departmental rules.

Seventh, other matters that the State Cyberspace Administration considers necessary to assess.

The EU General Data Protection Regulation (GDPR) restricts transfers of personal data out of the EU: personal data may be transferred to a third country provided that country ensures an adequate level of protection; where it does not, a controller or processor may transfer personal data to that country only if it has provided appropriate safeguards and enforceable data subject rights and effective legal remedies are available to data subjects.

Understanding the legal requirements of the cross-border transfer mechanisms and establishing a compliance management framework for cross-border data are pressing priorities for corporate compliance work.

Other countries paid attention to data privacy protection earlier than China: as early as 2000, at least several hundred companies in Europe and the United States had DPO positions, including Citigroup, American Express, HP, Microsoft and Facebook. Survey data from EY shows that the EU GDPR has fundamentally changed how privacy protection is managed worldwide.

Third-quarter Data Protection Officer (DPO) live course

Starting soon

We invite anyone interested in data compliance and practice who wants to improve their skills to join.

Through this course you can:

• gain a more systematic understanding of GDPR-based laws and regulations, and of how they compare with China's Personal Information Protection Law (PIPL);

• build a body of knowledge and implementation capability for personal data protection, sort out corporate data compliance and security requirements, set up policies and processes, and build a data security framework;

• improve your organization's data security and privacy protection capabilities, build a data security governance team, and avoid the cost of non-compliance;

• obtain the international EXIN DPO certificate on passing the exam, improving personal competitiveness and helping with promotion and future career transitions.

Overview of the Data Protection Officer (DPO) course syllabus

PDPF syllabus

PDPP syllabus

The PDPP Practitioner-level exam requires candidates to have obtained the PDPF certification before registering. It mainly verifies professionals' understanding of EU privacy regulations and their international relevance, and further examines practitioners' ability to apply that knowledge in professional practice. In addition to 40 multiple-choice questions, the exam requires completion of a practical assignment; the certificate is awarded when both parts are passed.

The PDPP certification study program builds on the core topics of the EU General Data Protection Regulation (GDPR) covered by all foundation-level certifications. It focuses on:

  1. how to develop and implement rules and processes that meet existing and new regulatory requirements;
  2. how to properly apply privacy and data protection guidelines and their best practices;
  3. how to establish a data protection management system.

ISO/IEC 27001 syllabus

The ISO/IEC 27001-based Information Security Foundation certification mainly covers the following areas:

• Information and security: the concept and value of information, and its reliability and importance

• Threats and risks: the concepts of threat and risk, and their relationship to the reliability of information

• Approach and organization: security policy and security organization, including the structure of the security organization and (security) incident management

• Measures: security measures and their importance, including physical, technical and organizational measures

• Laws and regulations: the importance and impact of laws and regulations

 

Come and join the course!

Learn data compliance | Data compliance

Starting with @谷安

Students' shares on WeChat Moments

Community discussion

Experienced faculty

Fang Le, senior lecturer at 谷安 and partner at 谷安天下, has over 20 years of experience in the IT industry. He has extensive hands-on, consulting and training experience in enterprise IT management, IT governance, information security management, IT risk management, information systems audit and data governance, and has been invited many times to give keynote speeches at major professional forums and conferences. Since 2003 he has trained thousands of IT managers, development, operations and security staff from more than 500 companies in CISSP/CISM/CRISC/ITILv3 Expert/CGEIT/CISA/ITSM Master/ISO27001LA/ISO20000LA/DPO/CIPM/CIPT/CIPP/E and other courses, and is well liked by his students.

English version of the Measures for Security Assessment for Outbound Data Transfer

Translated by the team of lawyer Wang Xinrui at Shihui Partners (世辉律师事务所)

Measures for Security Assessment for Outbound Data Transfer

Presented by Shihui Partners

Translated by Jing Lu, Raymond Wang and Jeanette Wang

Reviewed by Ian Read

Article 1

In order to regulate outbound data transfer, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of outbound data, the Measures for Security Assessment for Outbound Data Transfer (the “Measures”) are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations of the People’s Republic of China (together, the “Regulations”).

Article 2

The Measures apply to the security assessment of Important Data and personal information collected and generated during operation within the territory of the People’s Republic of China and transferred abroad by a data handler. Where laws and administrative regulations provide otherwise, such provisions shall prevail.

Article 3

Security assessment for outbound data transfer shall adhere to the combination of a prior assessment and on-going supervision, as well as the combination of risk self-assessment and security assessment, so as to prevent security risks to outbound data transfer and ensure the orderly free-flow of data in accordance with the law.

Article 4

Where a data handler transfers data abroad under any of the following circumstances, it shall, through the local Cyberspace Administration at the provincial level, apply to the State Cyberspace Administration for security assessment for the outbound data transfer:

(1) a data handler who transfers Important Data abroad;

(2) a critical information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;

(3) a data handler who has, since January 1 of the previous year, cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals; or

(4) other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration.

Article 5

Prior to applying for the security assessment for the outbound data transfer, a data handler shall, in advance, conduct a self-assessment on the risks of the outbound data transfer, and the self-assessment shall focus on the following matters:

(1) the legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and the processing of the data by the foreign recipient;

(2) the scale, scope, type and sensitivity of the outbound data transfer, and the risks to national security, the public interest or to the legitimate rights and interests of individuals or organizations, caused by the outbound data transfer;

(3) the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities in terms of performing the duties and obligations can guarantee the security of the outbound data transfer;

(4) the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests;

(5) whether the responsibilities and obligations for data security protection are fully agreed in relevant contracts for the outbound data transfer, or other legally binding documents to be concluded with the foreign recipient (hereinafter collectively referred to as the “Legal Documents”); and

(6) other matters that may affect the security of the outbound data transfer.

Article 6

To apply for security assessment for the outbound data transfer, the following materials shall be submitted:

(1) an application letter;

(2) a self-assessment report on the risks of the outbound data transfer;

(3) the Legal Documents to be concluded between the data handler and the foreign recipient; and

(4) other materials necessary for security assessment.

Article 7

The Cyberspace Administration at the provincial level shall conduct a completeness check of application materials within 5 working days upon receipt thereof. Where the application materials are complete, they shall be submitted to the State Cyberspace Administration; where the application materials are incomplete, they shall be returned to the data handler and the data handler shall be informed (on a one-time basis) of all supplementary materials still required.

The State Cyberspace Administration shall, within 7 working days after receipt of the application materials, determine whether to accept the application and will inform the data handler of the same in writing.

Article 8

The security assessment for outbound data transfer shall focus on the evaluation of the possible risks to national security, public interests, or the legitimate rights and interests of individuals or organizations arising from the activity of outbound data transfer, including the following major points:

(1) the legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer;

(2) the impact of the data security protection policies and regulations as well as network security environment of the country or region where the foreign recipient is located, and the effect thereof on the security of the data to be transferred abroad; whether the data protection level of the foreign recipient meets the requirements under the laws, regulations and mandatory national standards of the People’s Republic of China;

(3) the scale, scope, types and sensitivity of the data to be transferred abroad, and risks that the data may be tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used before or after the outbound data transfer;

(4) whether data security and personal information rights and interests can be fully and effectively guaranteed;

(5) whether the responsibilities and obligations for data security protection are fully agreed in the Legal Documents to be concluded by the data handler and the foreign recipient;

(6) compliance with the laws, regulations and agency rules of the People’s Republic of China; and

(7) other matters that the State Cyberspace Administration considers necessary to assess.

Article 9

A data handler shall expressly agree on the responsibilities and obligations for data security protection in the Legal Documents concluded with the foreign recipient, which shall, at least, include the following matters:

(1) the purpose, method and scope of the data to be transferred abroad, and the purpose and method for processing the data by the foreign recipient;

(2) the location and duration for the storage of the data located abroad, as well as how to process the data located abroad upon the expiry of the storage period, achievement of the agreed purpose, or termination of the Legal Documents;

(3) restrictions on the foreign recipient’s re-transfer of the data located abroad to another organization or individual;

(4) security measures which should be taken in case of a material change to the actual control or business scope of the foreign recipient, or in case of a change to the data security protection policies or regulations, or network security environment of the country or region where the foreign recipient is located, or in case that the data security cannot be guaranteed as a result of any other force majeure event;

(5) remedial measures, liability for breach of contract and dispute resolution mechanism in the event of a violation of data security protection obligations as agreed in the Legal Documents; and

(6) requirements on properly responding to a data security incident, as well as channels and method to safeguard individuals’ personal information rights, when the data located abroad is tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used.

Article 10

After accepting an application, the State Cyberspace Administration shall organize relevant departments of the State Council, Cyberspace Administrations at the provincial level and specialized agencies to conduct a security assessment based upon application materials submitted by a data handler.

Article 11

Where the application materials submitted by a data handler are found to be non-compliant during the security assessment process, the State Cyberspace Administration may require the data handler to supplement or correct the non-compliant materials. If the data handler fails to supplement or correct the materials without justified reasons, the State Cyberspace Administration may terminate the security assessment.

A data handler shall be responsible for the authenticity of the materials submitted. If a data handler purposely submits false materials, it shall be deemed as a failure of the assessment, and the data handler shall be held liable according to the Regulations.

Article 12

The State Cyberspace Administration shall, within 45 working days from the date of issuing a written notice of acceptance to the data handler, complete the security assessment for the outbound data transfer; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended, and the data handler shall be notified of the expected extension period.

The data handler shall be informed of the assessment results in writing.

Article 13

Where a data handler disagrees with the assessment results, it may, within 15 working days after receipt of the assessment results, apply to the State Cyberspace Administration for re-assessment, and the re-assessment results shall be final.

Article 14

The results of the security assessment for the outbound data transfer are valid for 2 years, commencing from the date of issuance of the assessment results. A data handler shall re-apply for assessment if any of the following circumstances occurs during the period of validity:

(1) the purpose, method, scope and type of data to be transferred abroad, or the purpose and method of data processing by a foreign recipient have changed, affecting the security of the data to be transferred abroad, or extending the period of storage of personal information and Important Data located abroad;

(2) the security of the data to be transferred abroad is affected due to changes in the data security protection policies or regulations, or the network security environment of the country or region where the foreign recipient is located, or any other force majeure event has occurred, or a change to the actual control of the data handler or the foreign recipient has occurred, or any Legal Document between the data handler and the foreign recipient has been amended or ceased to be valid, etc.; and

(3) any other circumstance affecting the security of the data to be transferred abroad.

If it is necessary to continue the outbound data transfer after the expiration of the valid period, the data handler shall re-apply for assessment 60 working days before the expiration of the valid period.

Article 15

The relevant institutions and personnel participating in security assessment work shall keep information confidential in accordance with the law, including matters such as state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they come to know in fulfilling their duties, and shall not divulge or illegally provide the same to others, or illegally use such data.

Article 16

Any organization or individual may report the case to the Cyberspace Administration at the provincial level or above if it finds that a data handler engaged in outbound data transfer in violation of the Measures.

Article 17

As for an outbound data transfer that has passed the security assessment, if the State Cyberspace Administration finds out that the actual data processing activities no longer meet the security management requirements in terms of the outbound data transfer, the State Cyberspace Administration shall notify the data handler in writing to terminate the outbound data transfer. If the data handler needs to continue the outbound data transfer, it shall make rectification as required, and re-apply for assessment after completing the rectification.

Article 18

Any violation of the Measures shall be punished in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations; if any act is held to constitute a criminal act, criminal liabilities shall be investigated in accordance with the laws and regulations of the People’s Republic of China.

Article 19

For the purpose of the Measures, the term “Important Data” refers to the data that, once tampered with, destroyed, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, public health and security, etc.

Article 20

The Measures shall come into force on September 1, 2022. For the data transferred abroad prior to the effectiveness of the Measures, if it is found that such transfer is not in compliance with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures.

This article was originally published by 安全牛课堂.

For reprinting, please refer to the reprint notice and cite the source: https://www.anquanke.com/post/id/276215
