数据出境安全评估办法英文版

MesuresfortheSecurityAssessmentOutboundDataTransferInordertoregulateoutbounddatatransfer,protectpersonalinformationrightsandinterests,safeguardnationalsecurityandsocialandpublicinterests,andpromotethesecurityandfreeflowofoutbounddata,theMeasuresforSecurityAssessmentforOutboundDataTransfer(the“Measures")areenactedinaccordancewiththeCybersecurityLawofthePeople'sRepublicofChina,theDataSecurityLawofthePeople'sRepublicofChina,thePersonalInformationProtectionLawofthePeople'sRepublicofChinaandotherlawsandadministrativeregulationsofthePeople'sRepublicofChina.TheMeasuresapplytothesecurityassessmentofImportantDataandpersonalinformationcollectedandgeneratedduringoperationwithintheterritoryofthePeople'sRepublicofChinaandtransferredabroadbyadatahandler.Wherelawsandadministrativeregulationsprovideotherwise,suchprovisionsshallprevail.Securityassessmentforoutbounddatatransfershalladheretothecombinationofapriorassessmentandon-goingsupervision,aswellasthecombinationofriskselfassessmentandsecurityassessment,soastopreventsecurityriskstooutbounddatatransferandensuretheorderlyfree-flowofdatainaccordancewiththelaw.Whereadatahandlertransfersdataabroadunderanyofthefollowingcircumstances,itshall,throughthelocalCyberspaceAdministrationattheprovinciallevel,applytotheStateCyberspaceAdministrationforsecurityassessmentfortheoutbounddatatransfer:adatahandlerwhotransfersImportantDataabroad;acriticalinformationinfrastructureoperator,oradatahandlerprocessingthepersonalinformationofmorethan1millionindividuals,who,ineithercase,transferspersonalinformationabroad;adatahandlerwhohas,sinceJanuary1ofthepreviousyearcumulativelytransferredabroadthepersonalinformationofmorethan100,000individuals,orthesensitivepersonalinformationofmorethan10,000individuals,orothercircumstanceswherethesecurityassessmentfortheoutbounddatatransferisrequiredbytheStateCyberspaceAdministration.Priortoapplyingforthesecurityassessmentfortheoutbounddatatransfer,adatahandlershall,inadvance,conductaself-assessmentontherisksoftheoutbounddatatransfer,andtheself-assessmentshallfocusonthefollowingmatters:thelegality,legitimacyandnecessityofthepurpose,scopeandmethodsoftheoutbounddatatransfer,andtheprocessingofthedatabytheforeignrecipient;thescale,scope,typeandsensitivityoftheoutbounddatatransfer,andtheriskstonationalsecurity,thepublicinterestortothelegitimaterightsandinterestsofindividualsororganizations,causedbytheoutbounddatatransfer;thedutiesandobligationswhichtheforeignrecipientcommitstoperform,andwhethertheforeignrecipient'sorganizationalandtechnicalmeasuresandcapabilitiesintermsofperformingthedutiesandobligationscanguaranteethesecurityoftheoutbounddatatransfer;therisksofthedatabeingtamperedwith,destroyed,divulged,lost,transferred,illegallyobtainedorillegallyusedduringandaftertheoutbounddatatransfer,andwhetherthereisasmoothchannelforsafeguardingpersonalinformationrightsandinterests;whethertheresponsibilitiesandobligationsfordatasecurityprotectionarefullyagreedinrelevantcontractsfortheoutbounddatatransfer,orotherlegallybindingdocumentstobeconcludedwiththeforeignrecipient(hereinaftercollectivelyreferredtoasthe“LegalDocuments")；andothermattersthatmayaffectthesecurityoftheoutbounddatatransfer.Toapplyforsecurityassessmentfortheoutbounddatatransfer,thefollowingmaterialsshallbesubmitted:anapplicationletter;aself-assessmentreportontherisksoftheoutbounddatatransfer;theLegalDocumentstobeconcludedbetweenthedatahandlerandtheforeignrecipient;andothermaterialsnecessaryforsecurityassessment.TheCyberspaceAdministrationattheprovinciallevelshallconductacompletenesscheckofapplicationmaterialswithin5workingdaysuponreceiptthereof.Wheretheapplicationmaterialsarecomplete,theyshallbesubmittedtotheStateCyberspaceAdministration;wheretheapplicationmaterialsareincomplete,theyshallbereturnedtothedatahandlerandthedatahandlershallbeinformed(onaone-timebasis)ofallsupplementarymaterialsstillrequired.TheStateCyberspaceAdministrationshall,within7workingdaysafterreceiptoftheapplicationmaterials,determinewhethertoaccepttheapplicationandwillinformthedatahandlerofthesameinwriting.Thesecurityassessmentforoutbounddatatransfershallfocusontheevaluationofthepossibleriskstonationalsecurity,publicinterests,orthelegitimaterightsandinterestsofindividualsororganizationsarisingfromtheactivityofoutbounddatatransfer,includingthefollowingmajorpoints:thelegality,legitimacyandnecessityofthepurpose,scopeandmethodoftheoutbounddatatransfer;theimpactofthedatasecurityprotectionpoliciesandregulationsaswellasnetworksecurityenvironmentofthecountryorregionwheretheforeignrecipientislocated,andtheeffectthereofonthesecurityofthedatatobetransferredabroad;whetherthedataprotectionleveloftheforeignrecipientmeetstherequirementsunderthelaws,regulationsandmandatorynationalstandardsofthePeople'sRepublicofChina;thescale,scope,typesandsensitivityofthedatatobetransferredabroad,andrisksthatthedatamaybetamperedwith,destroyed,leaked,lost,transferred,illegallyobtainedorillegallyusedbeforeoraftertheoutbounddatatransfer;whetherdatasecurityandpersonalinformationrightsandinterestscanbefullyandeffectivelyguaranteed;whethertheresponsibilitiesandobligationsfordatasecurityprotectionarefullyagreedintheLegalDocumentstobeconcludedbythedatahandlerandtheforeignrecipient;compliancewiththelaws,regulationsandagencyrulesofthePeople'sRepublicofChina;andothermattersthattheStateCyberspaceAdministrationconsidersnecessarytoassess.AdatahandlershallexpresslyagreeontheresponsibilitiesandobligationsfordatasecurityprotectionintheLegalDocumentsconcludedwiththeforeignrecipient,whichshall,atleast,includethefollowingmatters:thepurpose,methodandscopeofthedatatobetransferredabroad,andthepurposeandmethodforprocessingthedatabytheforeignrecipient;thelocationanddurationforthestorageofthedatalocatedabroad,aswellashowtoprocessthedatalocatedabroadupontheexpiryofthestorageperiod,achievementoftheagreedpurpose,orterminationoftheLegalDocuments;restrictionsontheforeignrecipient'sre-transferofthedatalocatedabroadtoanotherorganizationorindividual;securitymeasureswhichshouldbetakenincaseofamaterialchangetotheactualcontrolorbusinessscopeoftheforeignrecipient,orincaseofachangetothedatasecurityprotectionpoliciesorregulations,ornetworksecurityenvironmentofthecountryorregionwheretheforeignrecipientislocated,orincasethatthedatasecuritycannotbeguaranteedasaresultofanyotherforcemajeureevent;remedialmeasures,liabilityforbreachofcontractanddisputeresolutionmechanismintheeventofaviolationofdatasecurityprotectionobligationsasagreedintheLegalDocuments;andrequirementsonproperlyrespondingtoadatasecurityincident,aswellaschannelsandmethodtosafeguardindividuals'personalinformationrights,whenthedatalocatedabroadistamperedwith,destroyed,leaked,lost,transferred,illegallyobtainedorillegallyused.Afteracceptinganapplication,theStateCyberspaceAdministrationshallorganizerelevantdepartmentsoftheStateCouncil,CyberspaceAdministrationsattheprovinciallevelandspecializedagenciestoconductasecurityassessmentbaseduponapplicationmaterialssubmittedbyadatahandler.Wheretheapplicationmaterialssubmittedbyadatahandlerarefoundtobenon-compliantduringthesecurityassessmentprocess,theStateCyberspaceAdministrationmayrequirethedatahandlertosupplementorcorrectthenoncompliantmaterials.Ifthedatahandlerfailstosupplementorcorrectthematerialswithoutjustifiedreasons,theStateCyberspaceAdministrationmayterminatethesecurityassessment.Adatahandlershallberesponsiblefortheauthenticityofthematerialssubmitted.Ifadatahandlerpurposelysubmitsfalsematerials,itshallbedeemedasafailureoftheassessment,andthedatahandlershallbeheldliableaccordingtotheRegulations.TheStateCyberspaceAdministrationshall,within45workingdaysfromthedateofissuingawrittennoticeofacceptancetothedatahandler,completethesecurityassessmentfortheoutbounddatatransfer;ifthesituationiscomplicatedorsupplementaryorcorrectedmaterialsareneeded,theassessmentmaybeextended,andthedatahandlershallbenotifiedoftheexpectedextensionperiod.Thedatahandlershallbeinformedoftheassessmentresultsinwriting.Whereadatahandlerdisagreeswiththeassessmentresults,itmay,within15workingdaysafterreceiptoftheassessmentresults,applytotheStateCyberspaceAdministrationforre-assessment,andthere-assessmentresultsshallbefinal.Theresultsofthesecurityassessmentfortheoutbounddatatransferarevalidfor2years,commencingfromthedateofissuanceoftheassessmentresults.Adatahandlershallre-applyforassessmentifanyofthefollowingcircumstancesoccursduringtheperiodofvalidity:thepurpose,method,scopeandtypeofdatatobetransferredabroad,orthepurposeandmethodofdataprocessingbyaforeignrecipienthavechanged,affectingthesecurityofthedatatobetransferredabroad,orextendingtheperiodofstorageofpersonalinformationandImportantDatalocatedabroad;thesecurityofthedatatobetransferredabroadisaffectedduetochangesinthedatasecurityprotectionpoliciesorregulations,orthenetworksecurityenvironmentofthecountryorregionwheretheforeignrecipientislocated,oranyotherforcemajeureeventhasoccurred,orachangetotheactualcontrolofthedatahandlerortheforeignrecipienthasoccurred,oranyLegalDocumentbetweenthedatahandlerandtheforeignrecipienthasbeenamendedorceasedtobevalid,etc.;andanyothercircumstanceaffectingthesecurityofthedatatobetransferredabroad.Ifitisnecessarytocontinuetheoutbounddatatransferaftertheexpirationofthevalidperiod,thedatahandlershallre-applyforassessment60workingdaysbeforetheexpirationofthevalidperiod.Therelevantinstitutionsandpersonnelparticipatinginsecurityassessmentworkshallkeepinformationconfidentialinaccordancewiththelaw,includingmatterssuchasstatesecrets,personalprivacy,personalinformation,tradesecrets,confidentialbusinessinformationandotherdatatheycometoknowinfulfillingtheirduties,andshallnotdivulgeorillegallyprovidethesametoothers,orillegallyusesuchdata.AnyorganizationorindividualmayreportthecasetotheCyberspaceAdministrationattheprovincialleveloraboveifitfindsthatadatahandlerengagedinoutbounddatatransferinviolationoftheMeasures.Asforanoutbounddatatransferthathaspassedthesecurityassessment,iftheStateCyberspaceAdministrationfindsoutthattheactualdataprocessingactivitiesnolongermeetthesecuritymanagementrequirementsintermsoftheoutbounddatatransfer