
Cross-border data transmission

(I) Clarify whether the data transmitted is special data subject to supervision, such as:

1) Personal information, in which case:

A security assessment is required before the personal information leaves the country when its volume reaches any of the following thresholds:

1. The processor handles the personal information of 1 million or more people;

2. The processor has provided overseas the personal information of more than 100,000 people;

3. The processor has provided overseas the sensitive personal information of more than 10,000 people;

2) Important data, which must be assessed before leaving the country:

Definition of important data:

1. According to the Cyber Security Law, important data collected and generated by operators of critical information infrastructure during their operations in People's Republic of China (PRC) shall be stored in China; where it is really necessary to provide such data abroad, a security assessment shall be conducted.

2. Several Provisions on Safety Management of Automobile Data (Trial), Article 3 [6] of which clearly lists the important data of the automobile industry, such as geographic information, personnel flows, traffic data in important sensitive areas, vehicle traffic data, and logistics and other data reflecting economic operation.

3. The Regulations on Network Data Security Management (Draft for Comment), issued by the National Internet Information Office on November 14, 2021, which list:

(1) Undisclosed government data, work secrets, intelligence data, and law enforcement and judicial data;

(2) Export control data, related data such as core technologies, design schemes and production processes involved in export control items, and data on scientific and technological achievements that have a direct impact on national security and economic competitiveness in the fields of cryptography, biology, electronic information and artificial intelligence;

(3) National economic operation data, business data of important industries, and statistical data that need to be protected or controlled according to national laws, administrative regulations and departmental rules;

(4) Data on safe production and operation in key industries and fields such as industry, telecommunications, energy, transportation, water conservancy, finance, the national defense science and technology industry, customs and taxation, and data on the supply chain of key system components and equipment;

(5) National basic data such as genes, geography, minerals, meteorology, population and health, natural resources and environment, where they reach the scale or accuracy specified by the relevant state departments;

(6) Data on the construction, operation and security of national infrastructure and critical information infrastructure, as well as the geographical location and security status of important sensitive areas such as national defense facilities, military administrative zones, and national defense scientific research and production units;

(7) Other data that may affect national security in the fields of politics, territory, military affairs, economy, culture, society, science and technology, ecology, resources, nuclear facilities, overseas interests, biology, space, the polar regions, the deep sea and so on.

(2) Data that has left the country: the export of data does not end the obligations of the domestic data processor. Processors should maintain a clear understanding of and control over the data held overseas, and have an obligation to report on it.

With reference to Article 40 of the Regulations on Network Data Security Management (Draft for Comment), data processors that provide personal information and important data abroad shall prepare a data export security report before January 31 of each year and report the previous year's data export situation to the cyberspace administration of the districted city, covering: (1) the names and contact information of all data recipients; (2) the types, quantities and purposes of the exported data; (3) the storage location, storage period, and scope and manner of use of the data abroad; (4) user complaints relating to the provision of data overseas and how they were handled; (5) the occurrence and handling of data security incidents; (6) information on onward transfers of the data after it left the country; (7) other matters that the national cyberspace administration requires to be reported.

(II) Verify the legality and legitimacy of third-party data sources (as a preventive safeguard, require the third party to sign a letter of commitment, guarantee, or similar).

1) Article 32 of the Data Security Law stipulates that any organization or individual must collect data by lawful and proper means and may not steal data or obtain it by other illegal means.

2) Article 51 of the Data Security Law stipulates that anyone who steals data or obtains it by other illegal means, conducts data activities that exclude or restrict competition, or damages the legitimate rights and interests of individuals and organizations shall be punished in accordance with the relevant laws and administrative regulations; this is further taken up in the provisions of the Cyber Security Law, the Criminal Law, the Anti-monopoly Law and the Personal Information Protection Law.

(III) Establish a data security management system and take the necessary technical measures to ensure the security of data transmission.

This means obtaining network security multi-level protection certification and adopting the basic data security management systems, such as data classification management, risk assessment, monitoring and early warning, and emergency response:

1) Data classification: Practical Guide to Network Security Standards - Guidelines for Network Data Classification and Grading (Draft for Comment)

Classification:

a) Personal information: general personal information; sensitive personal information;

b) Public data;

c) Legal-person data;

2) Data export security assessment: regardless of whether a data processor's export activities trigger the security assessment and filing requirements, a data export risk self-assessment should be conducted before data is provided overseas (Measures for Security Assessment of Data Exit (Draft for Comment)).

Article 5 Before providing data abroad, data processors shall conduct self-assessment of data exit risk in advance, focusing on the following matters:

(1) The legality, legitimacy and necessity of the purpose, scope and methods of data exit and data processing of overseas recipients;

(2) The quantity, scope, type and sensitivity of exit data, and the risks that the data may bring to national security, public interests and the legitimate rights and interests of individuals or organizations;

(3) Whether the management and technical measures and capabilities of data processors in data transmission can prevent risks such as data leakage and damage;

(4) Whether the responsibilities and obligations undertaken by overseas recipients, as well as the management and technical measures and capabilities to fulfill the responsibilities and obligations can guarantee the safety of outbound data;

(5) The risk of data leakage, damage, tampering, abuse and onward transfer after the data leaves the country, and whether the channels for individuals to safeguard their personal information rights and interests are unobstructed;

(6) Whether the data exit-related contracts signed with overseas recipients fully stipulate the responsibilities and obligations for data security protection.

Article 9 The contract signed between the data processor and the overseas receiver shall comprehensively stipulate the responsibilities and obligations of data security protection, including but not limited to the following contents:

(1) The purpose, mode and data range of data leaving the country, and the purpose and mode of data processing by overseas recipients;

(2) The place and time limit for keeping the data abroad, and the measures for handling the data leaving the country after reaching the time limit, completing the agreed purpose or terminating the contract;

(3) Binding clauses restricting overseas recipients from transferring exit data to other organizations and individuals;

(4) When the actual control right or business scope changes substantially, or the legal environment of the country or region where it is located changes and it is difficult to ensure data security, the security measures that the overseas recipient should take;

(5) Liability for breach of contract in violation of data security protection obligations and binding and enforceable dispute settlement clauses;

(6) When a risk of data leakage materializes, the proper conduct of emergency handling to ensure that the channels for individuals to safeguard their personal information rights and interests remain unobstructed.

(IV) Obligation to report data security incidents.

According to Article 29 of the Data Security Law, risk monitoring shall be strengthened in data activities, and remedial measures shall be taken immediately when risks such as data security defects and vulnerabilities are discovered; when a data security incident occurs, users shall be promptly notified and a report made to the relevant competent department in accordance with the regulations.

Article 35 of the Measures for the Administration of Data Security states that when a data security incident such as the disclosure, damage or loss of personal information occurs, or the risk of such an incident increases significantly, the network operator shall immediately take remedial measures, promptly inform the personal information subjects by telephone, SMS, e-mail or letter, and report to the competent industry regulator and the cyberspace administration in accordance with the regulations.

(V) Obligation to report in advance in the case of extraterritorial law enforcement requests.

According to Article 36 of the Data Security Law, organizations and individuals in China may not provide data requested by overseas law enforcement agencies without the approval of the competent authorities of People's Republic of China (PRC).

Paragraph 2 of Article 48 of the Data Security Law stipulates that whoever provides data to an overseas judicial or law enforcement agency without the approval of the competent authorities shall be given a warning by the relevant competent authority and may be fined between 100,000 yuan and 1,000,000 yuan, and the directly responsible person in charge and other directly responsible personnel may be fined between 10,000 yuan and 100,000 yuan. If serious consequences are caused, a fine of between 1,000,000 yuan and 5,000,000 yuan shall be imposed, the company may be ordered to suspend its business, suspend business for rectification, or have its relevant permits or business license revoked, and the directly responsible person in charge and other directly responsible personnel shall be fined between 50,000 yuan and 500,000 yuan.