One of the most distinctive and original aspects of the Data Security Regulations is that a change in the subject of data processing is treated as a high-risk action, and enhanced security requirements are imposed accordingly. This aspect deserves your attention.
When does the subject of data processing change? The regulations cover two situations: one is the external provision of data, specifically including “sharing, transaction, and entrusted processing”; the other is the merger, reorganization, or separation of data processors. There is in fact a third situation, the provision of data overseas, but the previous article [Data Security Regulations | Data Cross-Border Security Management] already analyzed it, so I won’t go into details here.
For Scenario 1: the Data Security Regulations set out the general rules in Article 12.
Article 12 Where data processors provide personal information to third parties, or share, trade, or entrust important data to be processed, they shall abide by the following provisions:
(1) Notify the individual of the purpose, type, method, scope, storage period, and storage location of the provision of personal information, and obtain the individual’s separate consent, except where laws and administrative regulations provide that separate consent is not required or the personal information has been anonymized;
(2) Agree with the data recipient on the purpose, scope, processing method, data security protection measures, etc. of data processing, clarify the data security responsibilities and obligations of both parties through contracts and other forms, and supervise the data processing activities of the data recipient;
(3) Retain individual consent records and log records of providing personal information, approval records and log records of sharing, trading, and entrusted processing of important data for at least five years.
The data recipient shall perform the agreed obligations, and shall not process personal information and important data beyond the agreed purpose, scope and processing method.
The analysis has the following points:
1. When personal information is provided externally, the individual shall be informed in detail and the individual’s separate consent shall be obtained. However, where one of the situations in items (2) to (7) of Article 13 of the Personal Information Protection Law applies, consent is not required.
2. Whether personal information or important data is provided externally, a clear contract must be signed with the downstream party.
3. The upstream party should retain the relevant records in preparation for future supervision.
4. Downstream must abide by the contract, “shall not process personal information and important data beyond the agreed purpose, scope, and processing method.”
However, for important data, in addition to the general regulations, the Data Security Regulations also put forward further security requirements, mainly Articles 32 and 33 of the Data Security Regulations.
Article 32 When conducting security assessments of sharing, trading, entrusting processing, and providing important data overseas, data processors should focus on assessing the following:
(1) Whether the sharing, trading, entrusted processing, or overseas provision of the data, and the purpose, method, and scope of the data recipient’s processing of the data, are legal, legitimate, and necessary;
(2) The risks of leakage, damage, tampering, and misuse arising from the sharing, trading, entrusted processing, or overseas provision of the data, as well as the risks to national security, economic development, and public interests;
(3) The data recipient’s integrity and law-abiding record, its cooperative relationships with overseas government agencies, whether it has been sanctioned by the Chinese government, etc., and whether the responsibilities it has promised and its ability to perform them can effectively ensure data security;
(4) Whether the data security requirements in the relevant contracts concluded with the data recipient can effectively constrain the data recipient to perform data security protection obligations;
(5) Whether the management and technical measures in the process of data processing can prevent risks such as data leakage and damage.
Where the assessment finds that the activity may endanger national security, economic development, or public interests, the data processor shall not share, trade, entrust the processing of, or provide the data overseas.
Analysis summary:
1. Before important data is shared, traded, entrusted for processing, or provided overseas, the data processor must first conduct a security assessment on its own.
2. The focus of the security assessment is the identity of the data recipient, the ability to perform and assume responsibility, the purpose, the effectiveness and enforceability of the data security measures agreed in the contract, and the possible impact on “national security, economic development, public interest risks”.
3. If it is found after the assessment that it still “may endanger national security, economic development and public interests”, “data shall not be shared, traded, entrusted to process, or provided overseas”.
Article 33 If a data processor shares, trades, or entrusts the processing of important data, it shall obtain the consent of the competent department at the level of the city divided into districts or above.
This is an administrative license-style requirement. In effect, the competent department or the cybersecurity and informatization department reviews the security assessment and decides whether to allow or prohibit the activity.
For Scenario 2: the Data Security Regulations set out the rules mainly in Article 14.
Article 14 In the event of a merger, reorganization, or separation of a data processor, the data recipient shall continue to perform its data security protection obligations. If important data or the personal information of more than one million people is involved, it shall report to the competent department of the city divided into districts. If the data processor is dissolved, declared bankrupt, etc., it shall report to the competent department of the city divided into districts and transfer or delete the data according to the relevant requirements.
This provision can be interpreted as follows:
1. In the event of a “merger, reorganization, separation, etc.” of the data processor, a new subject actually takes over the data. The emergence of a new data processing subject is considered one of the high-risk processing actions.
2. If “important data or the personal information of more than one million people is involved, it shall be reported to the competent department of the city divided into districts”. The meaning of “report” is not clearly defined here. Gonghaojun believes that the legislators’ intention should be to require data processors to carry out a security assessment in accordance with the requirements of Scenario 1 before the “merger, reorganization, or separation”, and to submit the assessment results to the competent authority for approval.
3. If the data processor ceases to exist—dissolution, bankruptcy, etc., the data shall be handed over or deleted, and the relevant information shall be reported to the competent authority.
Finally, a summary of why Gonghaojun thinks the Data Security Regulations regard a change of the data processing subject as one of the high-risk processing situations: whether the trigger is “sharing, trading, entrusted processing, provision overseas” or “merger, reorganization, division, etc.”, the Data Security Regulations actually set up an administrative license.
Interestingly, there is no such administrative license-style requirement for the collection of important data, only an after-the-fact filing requirement:
Article 29 The processor of important data shall, within 15 working days after identifying its important data, file a record with the cybersecurity and informatization department of the city divided into districts, and the content of the record shall include:
(1) The basic information of the data processor, the information of the data security management agency, the name and contact information of the person in charge of data security, etc.;
(2) The purpose, scale, method, scope, type, storage period, storage location, etc. of data processing, excluding the data content itself;
(3) Other filing contents prescribed by the national cybersecurity and informatization department and competent and regulatory departments.
If there is a major change in the purpose, scope, or type of data processing, or in the data security protection measures, a new filing shall be made.
According to the division of responsibilities of the departments, the cybersecurity and informatization departments share filing information with relevant departments.
In other words, the collection of important data is treated as less sensitive, whereas the external and overseas provision of important data is treated as very sensitive.
Another point: compare the “Several Regulations on the Security Management of Automobile Data (Trial)”, currently the only effective departmental rule that clearly defines important data. In that regulation, only risk assessment (Article 10) and filing (Article 13) requirements are stipulated for the domestic “sharing, trading, entrusted processing” of important data or for a “merger, reorganization, division, etc.”, and there is no administrative licensing requirement. This also reflects the evolution of the legislators’ thinking.
This article is over.