数据出境安全评估办法中英文版.docx

《数据出境安全评估办法中英文版.docx》由会员分享，可在线阅读，更多相关《数据出境安全评估办法中英文版.docx（10页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、数据出境安全评估办法中英文版第一条 Article 1In order to regulate outbound data transfer, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of outbound data, the Measures for Security Assessment for Outbound Data Tran

2、sfer (the Measures) are enacted in accordance with the Cybersecurity Law of the Peoples Republic of China, the Data Security Law of the Peoples Republic of China, the Personal Information Protection Law of the Peoples Republic of China and other laws and administrative regulations of the Peoples Rep

3、ublic of China.第二条 Article 2数据处理者向境外提供在中华人民共和国境内运营中收集和产生的重要数据和个人信息的安全评估，适用本办法。法律、行政法规另有规定的，依照其规 定。The Measures apply to the security assessment of Important Data and personal information collected and generated during operation within the territory of the Peoples Republic of China and transferred ab

4、road by a data handler. Where laws and administrative regulations provide otherwise, such provisions shall prevail.第三条 Article 3数据出境安全评估坚持事前评估和持续监督相结合、风险自评估与安全评估相结合，防范数据出境安全风险，保障数据依法有序自由流动。Security assessment for outbound data transfer shall adhere to the combination of a prior assessment and on-goi

5、ng supervision, as well as the combination of risk selfassessment and security assessment, so as to prevent security risks to outbound data transfer and ensure the orderly free-flow of data in accordance with the law.条 Article 4foreign recipient has occurred, or any Legal Document between the data h

6、andler and the foreign recipient has been amended or ceased to be valid, etc.; and(三)出现影响出境数据安全的其他情形。(3) any other circumstance affecting the security of the data to be transferred abroad. 有效期届满，需要继续开展数据出境活动的，数据处理者应当在有效期届满60个工作日前重新申报评估。If it is necessary to continue the outbound data transfer after

7、the expiration of the valid period, the data handler shall re-apply for assessment 60 working days before the expiration of the valid period.第十五条 Article 15参与安全评估工作的相关机构和人员对在履行职责中知悉的国家秘密、个人隐私、个人信息、商业秘密、保密商务信息等数据应当依法予以保密，不得泄露或者非法向他人提供、非法使用。The relevant institutions and personnel participating in secu

8、rity assessment work shall keep information confidential in accordance with the law, including matters such as state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they come to know in fulfilling their duties, and shall not divulge or

9、 illegally provide the same to others, or illegally use such data.第十六条 Article 16任何组织和个人发现数据处理者违反本办法向境外提供数据的，可以向省级以上网信部门举报。Any organization or individual may report the case to the Cyberspace Administration at the provincial level or above if it finds that a data handler engaged in outbound data tra

10、nsfer in violation of the Measures.第十七条 Article 17国家网信部门发现已经通过评估的数据出境活动在实际处理过程中不再符合数据出境安全管理要求的，应当书面通知数据处理者终止数据出境活动。数据处理者需要继续开展数据出境活动的，应当按照要求整改，整改完成后重新申报 评估。As for an outbound data transfer that has passed the security assessment, if the State Cyberspace Administration finds out that the actual data

11、processing activities no longer meet the security management requirements in terms of the outbound data transfer, the State Cyberspace Administration shall notify the data handler in writing to terminate the outbound data transfer. If the data handler needs to continue the outbound data transfer, it

12、 shall make rectification as required, and re-apply for assessment after completing the rectification.第十八条Article 18违反本办法规定的，依据中华人民共和国网络安全法、中华人民共和国数据安全法、中华人民共和国个人信息保护法等法律法规处理；构成犯罪的，依法追究刑事责任。Any violation of the Measures shall be punished in accordance with the Cybersecurity Law of the Peoples Republ

13、ic of China, the Data Security Law of the Peoples Republic of China, the Personal Information Protection Law of the Peoples Republic of China, and other laws and regulations; if any act is held to constitute a criminal act, criminal liabilities shall be investigated in accordance with the laws and r

14、egulations of the Peoples Republic of China.第十九条Article 19本办法所称重要数据，是指一旦遭到篡改、破坏、泄露或者非法获取、非法利用等，可能危害国家安全、经济运行、社会稳定、公共健康和安全等的数据。For the purpose of the Measures, the term Important Data” refers to the data that, once tampered with, destroyed, leaked or illegally obtained or used, may endanger national

15、security, economic operation, social stability, public health and security, etc. 第二十条 Article 20本办法自2022年9月1日起施行。本办法施行前已经开展的数据出境活动，不符合本办法规定的，应当自本办法施行之日起6个月内完成整改。The Measures shall come into force on September 1, 2022. For the data transferred abroad prior to the effectiveness of the Measures, if it

16、is found that such transfer is not in compliance with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures.数据处理者向境外提供数据，有下列情形之一的，应当通过所在地省级网信部 门向国家网信部门申报数据出境安全评估：Where a data handler transfers data abroad under any of the following circumstances, it s

17、hall, through the local Cyberspace Administration at the provincial level, apply to the State Cyberspace Administration for security assessment for the outbound data transfe 亡(-)数据处理者向境外提供重要数据；a data handler who transfers Important Data abroad;(二)关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息；(1) a critic

18、al information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad;(三)自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息；(2) a data handler who has, since January 1 of the previou

19、s year cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, or(四)国家网信部门规定的其他需要申报数据出境安全评估的情形。(3) other circumstances where the security assessment for the outbound data transfer is required by

20、 the State Cyberspace Administration.第五条 Article 5数据处理者在申报数据出境安全评估前，应当开展数据出境风险自评估，重点评估以下事项：Prior to applying for the security assessment for the outbound data transfer, a data handler shall, in advance, conduct a self-assessment on the risks of the outbound data transfer, and the self-assessment sha

21、ll focus on the following matters:（一）数据出境和境外接收方处理数据的目的、范围、方式等的合法性、正当 性、必要性；the legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and the processing of the data by the foreign recipient;(二)出境数据的规模、范围、种类、敏感程度，数据出境可能对国家安全、公共利益、个人或者组织合法权益带来的风险；(1) the sc

22、ale, scope, type and sensitivity of the outbound data transfer, and the risks to national security, the public interest or to the legitimate rights and interests of individuals or organizations, caused by the outbound data transfer;(三”竟外接收方承诺承担的责任义务，以及履行责任义务的管理和技术措施、能力等能否保障出境数据的安全；(2) the duties and

23、 obligations which the foreign recipient commits to perform, and whether the foreign recipients organizational and technical measures and capabilities in terms of performing the duties and obligations can guarantee the security of the outbound data transfer;(四)数据出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的

24、风险，个人信息权益维护的渠道是否通畅等；(3) the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests;(五)与境外接收方拟订立的数

25、据出境相关合同或者其他具有法律效力的文件等(以下统称法律文件)是否充分约定了数据安全保护责任义务；(4) whether the responsibilities and obligations for data security protection are fully agreed in relevant contracts for the outbound data transfer, or other legally binding documents to be concluded with the foreign recipient (hereinafter collectivel

26、y referred to as the “Legal Documents); and(六)其他可能影响数据出境安全的事项。(5) other matters that may affect the security of the outbound data transfer.第六条Article 6申报数据出境安全评估，应当提交以下材料：To apply for security assessment for the outbound data transfer, the following materials shall be submitted:(-)申报书；an application

27、 letter;(二)数据出境风险自评估报告；a self- assessment report on the risks of the outbound data transfer;(三)数据处理者与境外接收方拟订立的法律文件；the Legal Documents to be concluded between the data handler and the foreign recipient; and(四)安全评估工作需要的其他材料。(1) other materials necessary for security assessment.第七条Article 7省级网信部门应当自收到

28、申报材料之日起5个工作日内完成完备性查验。申报 材料齐全的，将申报材料报送国家网信部门；申报材料不齐全的，应当退回数 据处理者并一次性告知需要补充的材料。The Cyberspace Administration at the provincial level shall conduct a completeness check of application materials within 5 working days upon receipt thereof. Where the application materials are complete, they shall be submi

29、tted to the State Cyberspace Administration; where the application materials are incomplete, they shall be returned to the data handler and the data handler shall be informed (on a one-time basis) of all supplementary materials still required.国家网信部门应当自收到申报材料之日起7个工作日内，确定是否受理并书面 通知数据处理者。The State Cybe

30、rspace Administration shall, within 7 working days after receipt of the application materials, determine whether to accept the application and will inform the data handler of the same in writing.第八条Article 8数据出境安全评估重点评估数据出境活动可能对国家安全、公共利益、个人或者组织合法权益带来的风险，主要包括以下事项：The security assessment for outbound

31、data transfer shall focus on the evaluation of the possible risks to national security, public interests, or the legitimate rights and interests of individuals or organizations arising from the activity of outbound data transfer, including the following major points:（一）数据出境的目的、范围、方式等的合法性、正当性、必要性；the

32、 legality, legitimacy and necessity of the purpose, scope and method of the outbound data transfer;（二）境外接收方所在国家或者地区的数据安全保护政策法规和网络安全环境对出境数据安全的影响；境外接收方的数据保护水平是否达到中华人民共和国法律、行政法规的规定和强制性国家标准的要求；the impact of the data security protection policies and regulations as well as network security environment of

33、the country or region where the foreign recipient is located, and the effect thereof on the security of the data to be transferred abroad; whether the data protection level of the foreign recipient meets the requirements under the laws, regulations and mandatory national standards of the Peoples Rep

34、ublic of China;（三）出境数据的规模、范围、种类、敏感程度，出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的风险；(1) the scale, scope, types and sensitivity of the data to be transferred abroad, and risks that the data may be tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used before or after the

35、outbound data transfer;（四）数据安全和个人信息权益是否能够得到充分有效保障；whether data security and personal information rights and interests can be fully and effectively guaranteed;(五)数据处理者与境外接收方拟订立的法律文件中是否充分约定了数据安全保护责任义务；(2) whether the responsibilities and obligations for data security protection are fully agreed in the

36、 Legal Documents to be concluded by the data handler and the foreign recipient;(六)遵守中国法律、行政法规、部门规章情况；compliance with the laws, regulations and agency rules of the Peoples Republic of China; and(七)国家网信部门认为需要评估的其他事项。(3) other matters that the State Cyberspace Administration considers necessary to asse

37、ss.第九条Article 9数据处理者应当在与境外接收方订立的法律文件中明确约定数据安全保护责任义务，至少包括以下内容：A data handler shall expressly agree on the responsibilities and obligations for data security protection in the Legal Documents concluded with the foreign recipient, which shall, at least, include the following matters:(一)数据出境的目的、方式和数据范围，

38、境外接收方处理数据的用途、方式等；(1) the purpose, method and scope of the data to be transferred abroad, and the purpose and method for processing the data by the foreign recipient;(二)数据在境外保存地点、期限，以及达到保存期限、完成约定目的或者法律文件终止后出境数据的处理措施；(2) the location and duration for the storage of the data located abroad, as well as

39、how to process the data located abroad upon the expiry of the storage period, achievement of the agreed purpose, or termination of the Legal Documents;(三)对于境外接收方将出境数据再转移给其他组织、个人的约束性要求；restrictions on the foreign recipients re-transfer of the data located abroad to another organization or individual;

40、(四)境外接收方在实际控制权或者经营范围发生实质性变化，或者所在国家、地区数据安全保护政策法规和网络安全环境发生变化以及发生其他不可抗力情形导致难以保障数据安全时，应当采取的安全措施；security measures which should be taken in case of a material change to the actual control or business scope of the foreign recipient, or in case of a change to the data security protection policies or regula

41、tions, or network security environment of the country or region where the foreign recipient is located, or in case that the data security cannot be guaranteed as a result of any other force majeure event;(五)违反法律文件约定的数据安全保护义务的补救措施、违约责任和争议解决方式；(3) remedial measures, liability for breach of contract an

42、d dispute resolution mechanism in the event of a violation of data security protection obligations as agreed in the Legal Documents; and(六)出境数据遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等风险时，妥善开展应急处置的要求和保障个人维护其个人信息权益的途径和方式。(4) requirements on properly responding to a data security incident, as well as channels and

43、 method to safeguard individuals personal information rights, when the data located abroad is tampered with, destroyed, leaked, lost, transferred, illegally obtained or illegally used.第十条 Article 10国家网信部门受理申报后，根据申报情况组织国务院有关部门、省级网信部门、专门机构等进行安全评估。After accepting an application, the State Cyberspace Ad

44、ministration shall organize relevant departments of the State Council, Cyberspace Administrations at the provincial level and specialized agencies to conduct a security assessment based upon application materials submitted by a data handler.第十一条 Article 11安全评估过程中，发现数据处理者提交的申报材料不符合要求的，国家网信部 门可以要求其补充或

45、者更正。数据处理者无正当理由不补充或者更正的，国家 网信部门可以终止安全评估。Where the application materials submitted by a data handler are found to be non- compliant during the security assessment process, the State Cyberspace Administration may require the data handler to supplement or correct the non- compliant materials. If the dat

46、a handler fails to supplement or correct the materials without justified reasons, the State Cyberspace Administration may terminate the security assessment.数据处理者对所提交材料的真实性负责，故意提交虚假材料的，按照评估不通过处理，并依法追究相应法律责任。A data handler shall be responsible for the authenticity of the materials submitted. If a data

47、 handler purposely submits false materials, it shall be deemed as a failure of the assessment, and the data handler shall be held liable according to the Regulations.第十二条 Article 12国家网信部门应当自向数据处理者发出书面受理通知书之日起45个工作日内完成数据出境安全评估；情况复杂或者需要补充、更正材料的，可以适当延长并告知数据处理者预计延长的时间。The State Cyberspace Administration

48、 shall, within 45 working days from the date of issuing a written notice of acceptance to the data handler, complete the security assessment for the outbound data transfer; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended, and the dat

49、a handler shall be notified of the expected extension period.评估结果应当书面通知数据处理者。The data handler shall be informed of the assessment results in writing.第十三条Article 13数据处理者对评估结果有异议的，可以在收到评估结果15个工作日内向国家网信部门申请复评，复评结果为最终结论。Where a data handler disagrees with the assessment results, it may, within 15 working days after receipt of the assessment results, apply to the St