Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizen Paradise Boy for the clue delivery! CTOnews.com, May 30, in order to guide and help personal information processors to standardize and orderly file personal information exit standard contracts, the State Internet Information Office compiled the "guidelines for the filing of personal Information exit Standard contracts (first Edition)," which explained the specific requirements for personal information exit standard contracts, such as filing methods, filing procedures, and filing materials.

If a personal information processor provides personal information abroad by concluding a standard contract for the exit of personal information with an overseas receiver, he shall, in accordance with the provisions of the Standard contract measures for the exit of personal Information, in accordance with the guidelines for filing, put on record with the local provincial network information department.

The original text of CTOnews.com is as follows:

Guidelines for filing personal Information exit Standard contracts (first Edition)

The Standard contract measures for the exit of personal Information shall enter into force as of June 1, 2023. This guide is formulated to guide and help personal information processors to standardize and file personal information exit standard contracts (hereinafter referred to as standard contracts).

1. Where a personal information processor provides personal information abroad by concluding a standard contract, the following circumstances shall be met at the same time:

(I) operators of non-critical information infrastructure

(2) 1 million people who are dissatisfied with their personal information

(3) A total of 100000 people who have provided personal information abroad since January 1 of last year.

(4) less than 10,000 people who have provided sensitive personal information abroad since January 1 of last year.

Where there are other provisions in laws, administrative regulations or the state Internet information department, such provisions shall prevail.

Personal information processors shall not use quantitative separation or other means to provide overseas personal information that should be assessed through exit security assessment in accordance with the law through the conclusion of a standard contract.

The following circumstances belong to the behavior of personal information leaving the country:

(1) personal information processors will transmit and store personal information collected and generated in domestic operations abroad.

(2) the personal information collected and generated by personal information processors is stored in China, and overseas institutions, organizations or individuals can inquire, access, download and export.

(3) the behavior of leaving the country of other personal information as prescribed by the State Internet Information Office.

2. the personal information processor of the filing method shall, within 10 working days from the date of entry into force of the standard contract, submit the written materials together with the electronic version of the materials to the local provincial cyber information office for the record.

III. Filing process Standard contract filing process includes material submission, material inspection and feedback on filing results, supplement or re-filing, etc.

(1) submission of materials

For the filing of a standard contract by a personal information processor, the following materials shall be submitted (see Annex 1 for requirements):

1. Photocopy of uniform social credit code and certificate

two。 Photocopy of identity certificate of legal representative

3. Photocopy of the identity certificate of the agent

4. Power of attorney of the agent (see attachment 2 for the template)

5. Letter of commitment (see Annex 3 for the template)

6. Standard contract (see Annex 4 for the model)

7. Personal Information Protection impact Assessment report (see Annex 5 for templates)

(2) material inspection and feedback on record results

After receiving the materials, the provincial Internet Information Office shall complete the material inspection within 15 working days and notify the personal information processors of the record results.

The result of filing is divided into yes and no. Through the filing, the provincial cyber information office shall issue the filing number to the personal information processor; if the personal information processor fails to pass the filing, the personal information processor will receive a notice and reasons for the failure of the filing and request to supplement and improve the materials, the personal information processor shall supplement and improve the materials and submit them again within 10 working days.

(3) supplement or re-filing

If any of the following circumstances occur within the validity period of the standard contract, the personal information processor shall re-carry out the impact assessment of personal information protection, supplement or re-conclude the standard contract, and go through the corresponding filing procedures:

1. Where there is a change in the purpose, scope, type, sensitivity, method, place of preservation or the use and way in which the personal information is processed by the recipient abroad, or to extend the overseas preservation period of personal information.

two。 Changes in policies and regulations on the protection of personal information in the country or region where the overseas recipient is located, which may affect the rights and interests of personal information.

3. Other circumstances that may affect the rights and interests of personal information.

If a personal information processor complements the conclusion of a standard contract within the period of validity of the standard contract, it shall submit supplementary materials to the provincial cyber information office where it is located; if the standard contract is re-concluded, it shall be re-filed. The inspection time for supplementary or re-filing materials shall be 15 working days.

The personal information processor shall be responsible for the authenticity of the materials submitted, and those who submit false materials shall not be dealt with according to the record, and shall be investigated for corresponding legal liability in accordance with the law.

Fourth, consultation, report contact information email: bzht@cac.gov.cn

Contact: 010-55627565

The following is an excerpt from the terms of the attached contract:

Article 1 is defined in this contract, unless the context otherwise provides:

(1) "personal information processor" refers to an organization or individual who independently decides on the purpose and method of personal information processing and provides personal information outside the people's Republic of China.

(2) "overseas recipient" refers to the organization or individual that receives personal information from personal information processors outside the people's Republic of China.

(3) the personal information processor or the overseas receiver is simply referred to as "one party" and collectively referred to as "both parties".

(4) "personal information subject" refers to the natural person identified or associated by personal information.

(5) "personal information" refers to all kinds of information related to identified or identifiable natural persons recorded electronically or by other means, excluding information processed anonymously.

(6) "sensitive personal information" refers to personal information that, once disclosed or illegally used, is likely to infringe upon the personal dignity of a natural person or endanger the safety of the person and property, including biometrics, religious beliefs, specific identities, medical and health information, financial accounts, whereabouts and other information, as well as personal information of minors under the age of 14.

(7) "regulatory authority" refers to the Internet communication department at or above the provincial level of the people's Republic of China.

(8) "relevant laws and regulations" refer to the laws and regulations of the people's Republic of China, such as the Network Security Law of the people's Republic of China, the data Security Law of the people's Republic of China, the personal Information Protection Law of the people's Republic of China, the Civil Code of the people's Republic of China, the Civil procedure Law of the people's Republic of China, and the Standard contract measures for the exit of personal Information.

(9) the meanings of other undefined terms in this contract are consistent with those stipulated in relevant laws and regulations.

Article 2 obligations of personal information processors personal information processors shall perform the following obligations:

(1) to deal with personal information in accordance with the provisions of relevant laws and regulations, and the personal information provided abroad is limited to the minimum scope required to achieve the purpose of processing.

(2) to inform the subject of personal information of the name or contact information of the overseas recipient, the purpose and method of handling, the type of personal information and the period of preservation in Appendix I to the exit instructions for personal Information, as well as the ways and procedures for exercising the rights of the subject of personal information. If sensitive personal information is provided abroad, the subject of personal information shall also be informed of the necessity of providing sensitive personal information and its impact on personal rights and interests. With the exception of those that do not need to be informed as stipulated by laws or administrative regulations.

(3) where personal information is provided abroad on the basis of individual consent, the separate consent of the subject of personal information shall be obtained. If the personal information of a minor under the age of 14 is involved, the separate consent of the minor's parents or other guardians shall be obtained. Where written consent should be obtained as stipulated by laws or administrative regulations, written consent shall be obtained.

(4) to inform the personal information subject that it and the overseas receiver have agreed through this contract that the personal information subject is the third-party beneficiary, and if the personal information subject does not explicitly refuse within 30 days, he may enjoy the rights of the third-party beneficiary in accordance with this contract.

(5) to make reasonable efforts to ensure that the overseas receiver adopts the following technical and management measures (taking into account the purpose of personal information processing, the type, scale, scope and sensitivity of personal information, the quantity and frequency of transmission, the personal information transmission and the personal information security risks that may be brought about by the overseas receiver, etc.), in order to fulfill the obligations stipulated in this contract:

(such as encryption, anonymization, de-identification, access control, etc.)

(6) to provide copies of relevant legal provisions and technical standards to the overseas receiver in accordance with the requirements of the overseas receiver.

(7) to respond to inquiries from regulatory agencies about the personal information processing activities of overseas receivers.

(8) to conduct a personal information protection impact assessment on activities intended to provide personal information to overseas receivers in accordance with relevant laws and regulations. Focus on evaluating the following:

1. The legitimacy, legitimacy and necessity of the purpose, scope and way of handling personal information by personal information processors and overseas receivers.

two。 The scale, scope, type and sensitivity of outbound personal information, and the risks that personal information leaving the country may bring to the rights and interests of personal information.

3. The obligations undertaken by the overseas receiver, and whether the management, technical measures and capabilities to fulfill the obligations can ensure the security of outbound personal information.

4. After leaving the country, personal information is subject to the risk of tampering, destruction, disclosure, loss, illegal use, whether the channels for the protection of personal information rights and interests are unobstructed, and so on.

5. Evaluate the impact of local personal information protection policies and regulations on the performance of the contract in accordance with Article 4 of this contract.

6. Other matters that may affect the safety of personal information leaving the country.

Keep the personal information protection impact assessment report for at least 3 years.

(9) to provide a copy of this contract to the personal information subject in accordance with the requirements of the personal information subject. If trade secrets or confidential business information are involved, the relevant contents of the copy of this contract may be dealt with appropriately without affecting the understanding of the subject of personal information.

(10) to bear the burden of proof for the performance of the obligations under this contract.

(11) to provide the regulatory authorities with the information mentioned in paragraph 11 of Article 3 of this contract, including the results of all compliance audits, in accordance with relevant laws and regulations.

Article 3 the obligations of the overseas receiver the overseas receiver shall perform the following obligations:

(1) to deal with personal information in accordance with the agreements listed in Appendix I "personal Information exit instructions". If the personal information is processed on the basis of personal consent beyond the agreed purpose, method and type of personal information, the separate consent of the subject of personal information shall be obtained in advance; if it involves the personal information of minors under the age of 14, the separate consent of the parents or other guardians of the minors shall be obtained.

(2) those entrusted by the personal information processor to deal with personal information shall deal with personal information in accordance with the agreement with the personal information processor, and shall not deal with personal information beyond the purpose and mode agreed with the personal information processor.

(3) to provide a copy of this contract to the personal information subject according to the requirements of the personal information subject. If trade secrets or confidential business information are involved, the relevant contents of the copy of this contract may be dealt with appropriately without affecting the understanding of the subject of personal information.

(4) to deal with personal information in a way that has the least impact on individual rights and interests.

(5) the preservation period of personal information shall be the shortest time necessary for the purpose of processing. If the preservation period expires, the personal information (including all backups) shall be deleted. If the entrustment contract is not effective, invalid, cancelled or terminated by the personal information processor, the personal information shall be returned to the personal information processor or deleted, and a written explanation shall be provided to the personal information processor. If the deletion of personal information is technically difficult to achieve, the processing other than storage and taking necessary security measures shall be stopped.

(6) to ensure the security of personal information processing in the following ways:

1. Take technical and management measures including, but not limited to, item 5 of Article 2 of this contract, and conduct regular inspections to ensure the security of personal information.

two。 Ensure that personnel authorized to process personal information comply with their confidentiality obligations and establish minimum authorized access control rights.

(7) if the personal information processed is or is likely to be tampered with, destroyed, disclosed, lost, illegally exploited, provided without authorization or accessed, the following work shall be carried out:

1. Take appropriate remedial measures in a timely manner to reduce the adverse impact on the subject of personal information.

two。 Notify the personal information processor immediately and report to the regulatory body in accordance with relevant laws and regulations. The notice shall contain the following items:

(1) the types, causes and possible harm of tampering, sabotage, disclosure, loss, illegal exploitation, unauthorized provision or access of personal information that occurs or may occur.

(2) remedial measures taken.

(3) the measures that the subject of personal information can take to reduce the harm.

(4) the person in charge of dealing with the relevant situation or the contact information of the team.

3. If the relevant laws and regulations require the subject of personal information to be notified, the content of the notice shall include the matters for the second purpose of this item. If it is entrusted by the personal information processor to process the personal information, the personal information processor shall notify the personal information subject.

4. Record and retain all circumstances relating to tampering, damage, disclosure, loss, illegal exploitation, unauthorized provision or access, including all remedial measures taken.

(8) personal information may be provided to third parties outside the people's Republic of China only if the following conditions are met at the same time:

1. There is a business need.

two。 The subject of personal information has been informed of the name or name of the third party, contact information, processing purpose, processing method, type of personal information, preservation period, ways and procedures for exercising the rights of the subject of personal information, etc. Where sensitive personal information is provided to a third party, the subject of personal information shall also be informed of the necessity of providing sensitive personal information and its impact on personal rights and interests. With the exception of those that do not need to be informed as stipulated by laws or administrative regulations.

3. Where personal information is processed on the basis of personal consent, the individual consent of the subject of personal information shall be obtained. If the personal information of a minor under the age of 14 is involved, the separate consent of the minor's parents or other guardians shall be obtained. Where written consent should be obtained as stipulated by laws or administrative regulations, written consent shall be obtained.

4. Reach a written agreement with a third party to ensure that the personal information processing activities of the third party meet the personal information protection standards stipulated in the relevant laws and regulations of the people's Republic of China, and bear the legal liability for infringing upon the rights of the subject of personal information by providing personal information to third parties outside the people's Republic of China.

5. A copy of the written agreement is provided to the personal information subject according to the requirements of the personal information subject. If trade secrets or confidential business information are involved, the relevant contents of the written agreement may be dealt with appropriately without affecting the understanding of the subject of personal information.

(9) where the personal information is entrusted by the personal information processor and transferred to a third party, the consent of the personal information processor shall be obtained in advance, it is required that the third party shall not deal with personal information beyond the purpose and mode of handling personal information as stipulated in Appendix 1 to this contract, and supervise the personal information processing activities of the third party.

(10) those who use personal information to make automatic decision-making shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not give unreasonable differential treatment to the subject of personal information in terms of transaction prices and other transaction conditions. For information push and commercial marketing to personal information subjects through automatic decision-making, options that are not aimed at their personal characteristics shall be provided at the same time, or convenient refusal methods shall be provided to personal information subjects.

(11) undertake to provide the personal information processor with the necessary information necessary to comply with the obligations of this contract, and to allow the personal information processor to consult the necessary data files and documents, or to conduct compliance audits of the processing activities covered by this contract, and to facilitate the conduct of compliance audits by personal information processors.

(12) keep objective records of the personal information processing activities carried out, keep the records for at least 3 years, and provide relevant records and documents to the regulatory authorities directly or through the personal information processors in accordance with the requirements of relevant laws and regulations.

(XIII) agree to be subject to the supervision and administration of the regulatory authority in the relevant procedures for supervising the implementation of this contract, including, but not limited to, responding to inquiries of the regulatory authority, cooperating with the inspection of the regulatory authority, complying with the measures or decisions taken by the regulatory authority, and providing written proof that the necessary action has been taken.

Article 4 the impact of the policies and regulations on the protection of personal information in the country or region where the overseas recipient is located on the performance of the contract (1) both parties shall ensure that they have fulfilled their reasonable duty of care at the time of the conclusion of this contract It is not found that the personal information protection policies and regulations of the country or region in which the overseas recipient is located (including any requirements for the provision of personal information or provisions authorizing public authorities to access personal information) affect the performance of the overseas recipient's obligations under this contract.

(2) both parties declare that at the time of making the guarantee in paragraph 1 of this Article, an assessment has been made in the light of the following circumstances:

1. Specific circumstances of leaving the country Including the purpose of personal information processing, the type, scale, scope and sensitivity of personal information transmission, the scale and frequency of transmission, the transmission of personal information and the preservation period of overseas receivers, previous similar cross-border transmission and processing of personal information by overseas receivers, whether there have been incidents related to personal information security and whether they have been dealt with in a timely and effective manner, Whether the overseas recipient has received a request from the public authority of the country or region in which it is located to provide personal information and the response of the overseas receiver.

two。 The policies and regulations on the protection of personal information in the country or region where the overseas recipient is located include the following elements:

(1) the current laws and regulations and generally applicable standards for the protection of personal information in that country or region.

(2) the regional or global organizations for the protection of personal information to which the country or region is a member, and the binding international commitments made.

(3) the national or regional mechanisms for the protection of personal information, such as whether there are supervision and law enforcement agencies and relevant judicial bodies for the protection of personal information.

3. The security management system and technical means guarantee capability of overseas receivers.

(3) the overseas recipient guarantees that in conducting the assessment in accordance with paragraph 2 of this Article, every effort has been made to provide the personal information processor with the necessary relevant information.

(IV) the parties shall record the process and results of the assessment in accordance with paragraph 2 of this Article.

(5) if the overseas receiver is unable to perform this contract due to changes in the policies and regulations on the protection of personal information in the country or region where the overseas receiver is located (including the change of the law in the country or region where the overseas receiver is located, or if compulsory measures are taken), the overseas receiver shall notify the personal information processor immediately after being aware of the change.

(6) if the overseas receiver receives a request from the government department or judicial organ of the country or region where it is located to provide personal information under this contract, it shall immediately notify the personal information processor.

Article 5 the rights of the subject of personal information both parties agree that the subject of personal information as the third party beneficiary of this contract shall enjoy the following rights:

(1) the subject of personal information shall, in accordance with relevant laws and regulations, have the right to know and make decisions on the handling of his personal information, and shall have the right to restrict or refuse others to process his personal information, shall have the right to request to consult, copy, correct, supplement or delete his personal information, and shall have the right to request an explanation of his personal information processing rules.

(2) when the subject of personal information requests to exercise the above-mentioned rights over the personal information that has already left the country, the subject of personal information may request the personal information processor to take appropriate measures to achieve it, or make a request directly to the overseas receiver. If the personal information processor is unable to achieve it, it shall notify and request the overseas receiver to assist in realizing it.

(3) the overseas receiver shall, in accordance with the notice of the personal information processor or at the request of the personal information subject, realize the rights enjoyed by the personal information subject in accordance with the relevant laws and regulations within a reasonable period of time.

The overseas receiver shall inform the subject of personal information truthfully, accurately and completely in a clear and easy-to-understand language.

(4) if the overseas receiver rejects the request of the personal information subject, it shall inform the personal information subject of the reasons for his refusal, as well as the ways for the personal information subject to lodge a complaint with the relevant regulatory authorities and seek judicial relief.

(5) the subject of personal information, as the third-party beneficiary of this contract, shall have the right to claim and demand the performance of the following provisions relating to the rights of the subject of personal information under this contract against one or both parties of the personal information processor and the overseas receiver in accordance with the terms of this contract:

1. Article 2, with the exception of items 5, 6, 7 and 11 of Article 2.

two。 Article 3, with the exception of item 2 and item 4 of item 7 of Article 3, item 9, item 11, item 12 and item 13.

3. Article 4, with the exception of items 5 and 6 of Article 4.

4. Article 5.

5. Article 6.

6. Article 8 items 2 and 3.

7. Item 5 of Article 9.

The above agreement shall not affect the rights and interests of the subject of personal information in accordance with the Law of the people's Republic of China on the Protection of personal Information.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.