下面是小编为大家整理的【中英文对照版】数据出境安全评估办法(范文推荐),供大家参考。
1 数据出境安全评估办法 Measures for the Security Assessment of Outbound Data Transfer 【中英文对照版】
发布部门:
国家互联网信息办公室
发文字号:
国家互联网信息办公室令第 1 11 号
发布日期:
2022.07.07
实施日期:
2022.09.01
效力级别:
部门规章
法规类别:
网络安全管理
Issuing Authority :
Cyberspace Administration of China Document Number :Order No. 11 of the Cyberspace Administration of China
Date Issued :07-07-2022
Effective Date :09-01-2022
Level of Authority :
Departmental Rules Area of Law :
Network Security Management
Order of the Cyberspace Administration of China 国家互联网信息办公室令
(No. 11) (第 11 号)
The Measures for the Security Assessment of Outbound Data Transfer, as deliberated and adopted at the 10th executive meeting of the Cyberspace Administration of China in 2022 on May 19, 2022, are hereby issued and shall come into force on September 1, 2022. 《数据出境安全评估办法》已经2022 年 5 月 19 日国家互联网信息办公室 2022 年第 10 次室务会议审议通过,现予 公布 , 自2022 年 9 月 1 日起施行。
Zhuang Rongwen, Director of the Cyberspace Administration of China 国家互联网信息办公室主任 庄荣文
July 7, 2022 2022 年 7 月 7 日
Measures for the Security Assessment of Outbound Data Transfer 数据出境安全评估办法
Article 1 These Measures are developed in accordance with the Cybersecurity Law of the People"s Republic of China, the Data Security Law of the People"s Republic of China, the Personal
第一条 为了规范数据出境活动,保护个人信息权益,维护国家安全和社会公共利益,促进
2 Information Protection Law of the People"s Republic of China, and other applicable laws and regulations for the purposes of regulating outbound data transfer activities, protecting personal information rights and interests, safeguarding national security and public interest, and promoting the safe and free cross-border flow of data. 数据跨境安全、自由流动,根据《中华人民共和国 网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》等法律法规,制定本办法。
Article 2 These Measures shall apply to the security assessment of data processors" provision of important data and personal information collected and generated in their operations within the territory of the People"s Republic of China to overseas recipients. If it is otherwise provided for in any law or administrative regulation, such provisions shall prevail.
第二条 数据处理者向境外提供在中华人民共和国境内运营中收集和产生的重要数据和个人信息的安全评估,适用本办法。法律、行政法规另有规定的,依照其规定。
Article 3 The security assessment of outbound data transfer shall adhere to the integration of prior assessment and continuous supervision and the integration of risk self-assessment and security assessment, so as to prevent security risks arising from outbound data transfer and ensure the orderly and free flow of data in accordance with the law.
第三条 数据出境安全评估坚持事前评估和持续监督相结合、风险自评估与安全评估相结合,防范数据出境安全风险,保障数据依法有序自由流动。
Article 4 To provide data abroad under any of the following circumstances, a data processor shall apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration:
第四条 数据处理者向境外提供数据,有下列情形之一的,应当通过所在地省级网信部门向国家网信部门申报数据出境安全评估:
(1) The data processor provides important data abroad. (一)数据处理者向境外提供重要数据;
(2) The critical information infrastructure operator or the data processor that has processed the personal information of over one million people provides personal information abroad. (二)关键信息基础设施运营者和处理 100 万人以上个人信息的数据处理者向境外提供个人信息;
(3) The data processor that has provided the personal information of over 100,000 people or the sensitive personal information of over 10,000 people cumulatively since January 1 of the previous year provides personal information abroad. (三)自上年 1 月 1 日起累计向境外提供 10 万人个人信息或者1 万人敏感个人信息的数据处理者向境外提供个人信息;
3
(4) Any other circumstance where an application for the security assessment of outbound data transfer is required by the national cyberspace administration. (四)国家网信部门规定的其他需要申报数据出境安全评估的情形。
Article 5 A data processor shall, before applying for the security assessment of outbound data transfer, conduct a self-assessment of the risks in the outbound data transfer with a focus on the assessment of the following matters:
第五条 数据处理者在申报数据出境安全评估前,应当开展数据出境风险自评估,重点评估以下事项:
(1) The legality, legitimacy, and necessity of the purpose, scope, and method, among others, of the outbound data transfer and data processing by the overseas recipient. (一)数据出境和境外接收方处理数据的目的、范围、方式等的合法性、正当性、必要性;
(2) The size, scope, type, and sensitivity of the data to be transferred abroad, and the risks that the outbound data transfer may endanger national security, public interest, or the lawful rights and interests of individuals or organizations. (二)出境数据的规模、范围、种类、敏感程度,数据出境可能对国家安全、公共利益、个人或者组织合法权益带来的风险;
(3) The responsibilities and obligations that the overseas recipient undertakes to assume, and whether the overseas recipient"s management and technical measures and capabilities, among others, to perform its responsibilities and obligations can ensure the security of the data to be transferred abroad. (三)境外接收方承诺承担的责任义务,以及履行责任义务的管理和技术措施、能力等能否保障出境数据的安全;
(4) The risk that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained, or illegally used, among others, during and after the outbound data transfer;and whether the channels for the protection of personal information rights and interests are smooth, among others. (四)数据出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的风险,个人信息权益维护的渠道是否通畅等;
(5) Whether data security protection responsibilities and obligations are fully agreed upon in the contract to be concluded with the overseas recipient in relation to the outbound data transfer or any other legally binding document, among others (hereinafter collectively referred to as the “legal documents”). (五)与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件等(以下统称法律文件)是否充分约定了数据安全保护责任义务;
(6) Other matters that may affect the security of the outbound data transfer. (六)其他可能影响数据出境安全的事项。
Article 6 To apply for the security assessment of outbound data
第六条 申报数据出境安全
4 transfer, the following materials shall be submitted: 评估,应当提交以下材料:
(1) A written application. (一)申报书;
(2) A report on the self-assessment of the risks in the outbound data transfer. (二)数据出境风险自评估报告;
(3) The legal documents to be concluded between the data processor and the overseas recipient. (三)数据处理者与境外接收方拟订立的法律文件;
(4) Other materials as required for the security assessment. (四)安全评估工作需要的其他材料。
Article 7 The provincial cyberspace administration shall complete the examination of the completeness of application materials within five working days after receiving them, and if the application materials are complete, submit them to the national cyberspace administration; or if the application materials are incomplete, return them to the data processor and inform the data processor of all required supplements at one time.
第七条 省级网信部门应当自收到申报材料之日起 5 个工作日内完成完备性查验。申报材料齐全的,将申报材料报送国家网信部门;申报材料不齐全的,应当退回数据处理者并一次性告知需要补充的材料。
The national cyberspace administration shall, within seven working days after receiving the application materials, determine whether to accept the application and notify the data processor of the decision in writing. 国家网信部门应当自收到申报材料之日起 7 个工作日内,确定是否受理并书面通知数据处理者。
Article 8 The security assessment of outbound data transfer shall focus on assessing the risks that the outbound data transfer may endanger national security, public interest, or the lawful rights and interests of individuals or organizations, which shall mainly cover the following matters:
第八条 数据出境安全评估重点评估数据出境活动可能对国家安全、公共利益、个人或者组织合法权益带来的风险,主要包括以下事项:
(1) The legality, legitimacy, and necessity of the purpose, scope, and method, among others, of the outbound data transfer. (一)数据出境的目的、范围、方式等的合法性、正当性、必要性;
(2) The impact of the data security protection policies and regulations and cybersecurity environment of the country or region where the overseas recipient is located on the security of the data to be transferred abroad; and whether the data protection level of the overseas recipient satisfies the (二)境外接收方所在国家或者地区的数据安全保护政策法规和网络安全环境对出境数据安全的影响;境外接收方的数据保护水平是否达到中华人民共和国法
5 requirements of laws and administrative regulations and the compulsory national standards of the People"s Republic of China. 律、行政法规的规定和强制性国家标准的要求;
(3) The size, scope, type, and sensitivity of the data to be transferred abroad, and the risk that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained, or illegally used, among others, during and after the outbound transfer. (三)出境数据的规模、范围、种类、敏感程度,出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的风险;
(4) Whether data security and personal information rights and interests are fully and effectively safeguarded. (四)数据安全和个人信息权益是否能够得到充分有效保障;
(5) Whether data security protection responsibilities and obligations are fully agreed on in the legal documents to be concluded between the data processor and the overseas recipient. (五)数据处理者与境外接收方拟订立的法律文件中是否充分约定了数据安全保护责任义务;
(6) The compliance with China"s laws, administrative regulations, and departmental rules. (六)遵守中国法律、行政法规、部门规章情况;
(7) Other matters that shall be assessed as required by t...