Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizens for the delivery of clues on the way! CTOnews.com, August 3, the State Internet Information Office issued an announcement today that in order to guide and standardize the compliance audit activities of personal information protection, the State Internet Information Office drafted the "measures for the Administration of Compliance Audit of personal Information Protection (draft for soliciting opinions)" in accordance with the "Law of the people's Republic of China on the Protection of personal Information" and other laws and regulations, which are now open to the public for comments.

According to the draft of Picture Source Pexels for soliciting opinions, personal information processors dealing with the personal data of more than 1 million people shall conduct compliance audits on personal information protection at least once a year; other personal information processors shall conduct compliance audits on personal information protection at least once every two years.

The public can provide feedback through the following channels and ways:

1. Log on to the legal Information Network of the Chinese Government of the Ministry of Justice of the people's Republic of China (www.moj.gov.cn, www.chinalaw.gov.cn), and enter the "Collection of Legislative opinions" section of the main menu on the home page to express your opinions.

two。 Send it to: shujuju@cac.gov.cn by email.

3. The comments will be sent by letter to the Network data Administration of the State Internet Information Office, 15 Fucheng Road, Haidian District, Beijing, zip code 100048, and marked on the envelope "measures for the Administration of Compliance Audit for personal Information Protection".

CTOnews.com note: the deadline for feedback is September 2, 2023.

The full text of the measures for the Administration of Compliance Audit on personal Information Protection (draft for soliciting opinions): article 1 these measures are formulated in accordance with the laws, administrative regulations and relevant state regulations such as the Law of the people's Republic of China on the Protection of personal Information, in order to guide and standardize the compliance audit activities of personal information protection, improve the compliance level of personal information processing activities, and protect personal information rights and interests.

Article 2 personal information processors shall regularly carry out compliance audits of personal information protection, or entrust professional institutions to conduct compliance audits of their personal information processing activities in accordance with the requirements of the departments responsible for personal information protection, and these measures shall apply to the supervision and management of personal information protection compliance audit activities.

Article 3 the term "personal information protection compliance audit" as mentioned in these measures refers to the supervision activities that examine and evaluate whether the personal information processing activities of personal information processors comply with laws and administrative regulations.

Article 4 personal information processors dealing with the personal data of more than 1 million persons shall conduct compliance audits on personal information protection at least once a year; other personal information processors shall conduct compliance audits on personal information protection at least once every two years.

Article 5 personal information processors shall conduct compliance audits of personal information protection on their own, which may, in the light of the actual situation, be carried out by the internal institutions of the organization or by entrusting professional institutions in accordance with the requirements of these measures.

Article 6 where a department performing the duty of personal information protection discovers that there are greater risks in personal information processing activities or personal information security incidents occur in the performance of its duties, the personal information processor may be required to entrust a professional institution to conduct a compliance audit of his personal information processing activities.

Article 7 where a personal information processor conducts a personal information protection compliance audit in accordance with the requirements of the department performing the duty of personal information protection, he shall, as soon as possible after receiving the notice, select a professional institution to conduct the personal information protection compliance audit.

Article 8 where a personal information processor entrusts a professional institution to conduct a compliance audit of personal information protection in accordance with the requirements of the department performing the duty of personal information protection, it shall ensure that the professional institution can normally exercise the following powers:

(1) to request or assist in consulting relevant documents or materials

(2) access to places related to personal information processing activities

(3) personal information processing activities that take place in the observation site

(4) to investigate the relevant business activities and the information systems on which they depend

(5) to inspect and test equipment and facilities related to personal information processing activities

(6) to access and consult data or information related to personal information processing activities

(VII) interviewing people related to personal information processing activities

(8) to investigate, question and collect evidence on relevant issues

(9) other limits of authority necessary to carry out compliance audit.

Article 9 where a personal information processor entrusts a professional institution to carry out a personal information protection compliance audit in accordance with the requirements of the department performing the duty of personal information protection, it shall complete the personal information protection compliance audit within 90 working days; if the situation is complicated, it may be appropriately extended after being submitted to the department performing the duty of personal information protection for approval.

Article 10 where a personal information processor entrusts a professional institution to carry out a personal information protection compliance audit in accordance with the requirements of the department responsible for personal information protection, he shall organize and carry out the personal information protection compliance audit in accordance with the requirements of these measures. After implementing the necessary compliance audit procedures, timely submit the personal information protection compliance audit report issued by the professional institution to the department responsible for personal information protection. The personal information protection compliance audit report shall be signed by the person in charge of the compliance audit and the person in charge of the professional institution and stamped with the official seal of the professional institution.

Article 11 where a personal information processor entrusts a professional institution to carry out a compliance audit of personal information protection in accordance with the requirements of the department performing the duty of personal information protection, it shall carry out rectification and reform in accordance with the suggestions for rectification and reform given by the professional institution. After review by the professional institution, the rectification and reform shall be submitted to the department performing the duty of personal information protection.

Article 12 the professional institutions that carry out the personal information protection compliance audit shall maintain their independence and objectivity, and shall not conduct more than three consecutive personal information protection compliance audits for the same audit object.

Article 13 the state Internet information department, together with the public security organs and other relevant departments of the State Council, shall, in accordance with the principles of overall planning, rational layout and merit recommendation, establish the recommendation catalogue of compliance audit institutions for personal information protection, organize and carry out the evaluation and evaluation of compliance audit institutions for personal information protection every year, and dynamically adjust the recommendation catalogue of compliance audit institutions for personal information protection according to the evaluation.

Personal information processors are encouraged to give priority to professional institutions in the recommended catalogue to carry out personal information protection compliance audit activities.

Article 14 when engaging in compliance audit activities for the protection of personal information, professional institutions shall make professional judgments on compliance audit in an honest and honest manner.

Professional institutions shall not subcontract and entrust a third party to carry out compliance audit of personal information protection.

The information obtained by professional institutions in performing their duties of personal information protection compliance audit can only be used for the needs of personal information protection compliance audit and shall not be used for other purposes; professional institutions shall bear the responsibility of confidentiality of the information obtained; professional institutions shall take corresponding technical measures and other necessary measures to ensure data security.

When performing the duty of personal information protection compliance audit, professional institutions shall not maliciously interfere with the normal business activities of personal information processors.

If a professional institution issues false or false reports and other illegal acts, the personal information processor and relevant parties may lodge a complaint with the department performing the duty of personal information protection, which has been verified by the department performing the duty of personal information protection, it shall be permanently prohibited from being included in the recommended list of professional audit institutions for personal information protection and compliance.

Article 15 whoever violates the provisions of these measures shall be dealt with in accordance with the Law of the people's Republic of China on the Protection of personal Information and other laws and regulations; if the case constitutes a crime, he shall be investigated for criminal responsibility according to law.

Article 16 the State Internet Information Office shall be responsible for the interpretation of these measures and shall enter into force as of the day of the year.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.