To enforce the Security Assessment Measures for Cross-border Data Transfer that came into effect on September 1, 2022, the Cyberspace Administration of China (“CAC”) released the Notification Guidelines for Security Assessment on Cross-border Data Transfer (1st Edition) (《数据出境安全评估申报指南(第一版)》 in Chinese) (“Guideline”).

The Guideline specifies the application scope, methods and procedures, list of materials and consultation channels for the security assessment notification for cross-border data transfer. Its four annexes set out the requirements for notification materials and provide templates for the letter of authorization, the notification form, and the data transfer risk self-assessment report, which could greatly help enterprises submit such notifications in a standardized manner.

In this regard, the Dentons China Data Protection Team has prepared an English translation of this important rule for your quick reference. Please note that the English version is provided as a courtesy by the Dentons team; it is NOT an official translation and is strictly for reference only.

If you have any inquiry regarding the Guideline and the Security Assessment, please contact our partners Ken Dai (jianmin.dai@dentons.cn) or Jet Deng (zhisong.deng@dentons.cn).

数据出境安全评估申报指南 (第一版)

Notification Guidelines for Security Assessment on Cross-border Data Transfer (1st Edition)

《数据出境安全评估办法》自2022年9月1日起施行。为指导和帮助数据处理者规范、有序申报数据出境安全评估,特制定本指南。

The Security Assessment Measures for Cross-border Data Transfer take effect on September 1, 2022. This guideline is formulated to guide and help data handlers notify security assessments for cross-border data transfer in a standardized and orderly manner.

一.适用范围

I. Scope of Application

数据处理者向境外提供数据,有下列情形之一的,应当通过所在地省级网信办向国家网信办申报数据出境安全评估:

To provide data abroad under any of the following circumstances, a data handler shall make the notification of security assessment for its cross-border data transfer to the Cyberspace Administration of China (“CAC”) through the local cyberspace administration at the provincial level:

( 一 ) 数据处理者向境外提供重要数据;

(1) where a data handler provides important data abroad;

( 二 ) 关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息;

(2) where a critical information infrastructure operator or a data handler processing the personal information of more than one million individuals provides personal information abroad;

( 三 ) 自上年1月1日起累计向境外提供 10 万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息;

(3) where a data handler has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals accumulatively abroad since January 1 of the previous year;

( 四 ) 国家网信办规定的其他需要申报数据出境安全评估的情形。

(4) other circumstances prescribed by the CAC for which notification for security assessment for cross-border data transfer is required.

以下情形属于数据出境行为:

The following situations are cross-border data transfer behaviors:

( 一 ) 数据处理者将在境内运营中收集和产生的数据传输、存储至境外;

(1) the data handler transfers and stores overseas the data collected and generated in the course of operations in China;

( 二 ) 数据处理者收集和产生的数据存储在境内,境外的机构、组织或者个人可以查询、调取、下载、导出;

(2) the data collected and generated by the data handler is stored in China, and overseas institutions, organizations or individuals can access, retrieve, download and export it;

( 三 ) 国家网信办规定的其他数据出境行为。

(3) other cross-border data transfer behaviors stipulated by the CAC.

二.申报方式及流程

II. Method and Procedure of Notification

数据处理者申报数据出境安全评估,应当通过所在地省级网信办申报数据出境安全评估。申报方式为送达书面申报材料并附带材料电子版。

A data handler shall submit its notification for security assessment of cross-border data transfer through the local cyberspace administration at the provincial level. The notification is made by delivering the written notification materials together with an electronic version of the materials.

省级网信办收到申报材料后,在5个工作日内完成申报材料的完备性查验。通过完备性查验的,省级网信办将申报材料上报国家网信办;未通过完备性查验的,数据处理者将收到申报退回通知。

The cyberspace administration at the provincial level shall complete the examination of the completeness of notification materials within five (5) working days after receiving them. Where the notification materials are complete, they shall be submitted to the CAC; where the notification materials are incomplete, the data handler will be notified of the return of the notification.

国家网信办自收到省级网信办上报申报材料之日起7个工作日内,确定是否受理并书面通知数据处理者。

The CAC shall, within seven (7) working days after receipt of notification materials, determine whether or not to accept the notification, and notify the data handler in writing.

数据处理者如被告知补充或者更正申报材料,应当及时按照要求补充或者更正材料。无正当理由不补充或者更正申报材料的,安全评估将会终止。情况复杂的,数据处理者将被告知评估预计延长的时间。

If the data handler is asked to supplement or correct the notification materials, it shall do so in a timely manner as required. If the data handler fails to supplement or correct the materials without justified reasons, the CAC may terminate the security assessment. In complex cases, the data handler will be informed of the expected extended period for the assessment.

评估完成后,数据处理者将收到评估结果通知书。对评估结果无异议的,数据处理者须按照数据出境安全管理相关法律法规和评估结果通知书的有关要求,规范相关数据出境活动;对评估结果有异议的,数据处理者可以在收到评估结果通知书 15个工作日内向国家网信办申请复评,复评结果为最终结论。

After the assessment is completed, the data handler will be notified of the outcome of the assessment. If the data handler has no objection to the assessment result, it must regulate its relevant data export activities in accordance with the relevant laws and regulations on data export security management and the relevant requirements of the assessment result notification; if the data handler has any objection to the assessment result, it may, within fifteen (15) working days of receiving the result, apply to the CAC for a re-assessment, and the re-assessment result is the final decision.

三.申报材料

III. Materials for Notification

数据处理者申报数据出境安全评估,应当提交如下材料 (数据出境安全评估申报材料要求见附件1) :

To notify security assessment for a cross-border data transfer, the data handler shall submit the following materials (See Annex 1 for the requirements for notification materials for cross-border data transfer security assessment):

  1. 统一社会信用代码证件影印件

Photocopy of unified social credit code certificate

  2. 法定代表人身份证件影印件

Photocopy of the legal representative's ID card

  3. 经办人身份证件影印件

Photocopy of the case handler's ID card

  4. 经办人授权委托书(模板见附件2)

Power of attorney for the case handler (see Annex 2 for the template)

  5. 数据出境安全评估申报书 (模板见附件3)

Notification letter for cross-border data transfer security assessment (see Annex 3 for the template)

  6. 与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件影印件

Photocopies of cross-border data transfer related contracts or other legally binding documents to be concluded with overseas recipients

  7. 数据出境风险自评估报告 (模板见附件4)

Cross-border data transfer risk self-assessment report (see Annex 4 for the template)

  8. 其他相关证明材料

Other relevant documentation

数据处理者对所提交材料的真实性负责,提交虚假材料的,按照评估不通过处理,并依法追究相应法律责任。

A data handler shall be responsible for the authenticity of the materials submitted. If a data handler submits false materials on purpose, it shall be deemed as failing in the assessment, and the data handler shall be held legally liable correspondingly according to the law.

四、申报咨询

IV. Notification Consultation

电子邮箱:sjcj@cac.gov.cn

Email address: sjcj@cac.gov.cn

联系电话:010-55627135

Tel: 010-55627135

附件:1.数据出境安全评估申报材料要求

2.经办人授权委托书 (模板)

3.数据出境安全评估申报书 (模板)

4.数据出境风险自评估报告 (模板)

Annex: 1. Requirements for Notification Materials for Cross-border Data Transfer Security Assessment

2. Power of Attorney for the Case Handler (Template)

3. Notification Letter for Cross-border Data Transfer Security Assessment (Template)

4. Cross-border Data Transfer Risk Self-assessment Report (Template)

附件 1

Annex 1

数据出境安全评估申报材料要求

Requirements for Notification Materials for Cross-border Data Transfer Security Assessment

| 序号 No. | 材料名称 Document | 要求 Requirement | 备注 Note |
|---|---|---|---|
| 1 | 统一社会信用代码证件 / Unified social credit code certificate | 影印件加盖公章 / Photocopy with official seal | |
| 2 | 法定代表人身份证件 / Legal representative's ID card | 影印件加盖公章 / Photocopy with official seal | |
| 3 | 经办人身份证件 / Case handler's ID card | 影印件加盖公章 / Photocopy with official seal | |
| 4 | 经办人授权委托书 / Power of Attorney for the Case Handler | 原件 / Original copy | |
| 5 | 数据出境安全评估申报书 / Notification Letter for Cross-border Data Transfer Security Assessment | | |
| 5.1 | 承诺书 / Commitment Letter | 原件 / Original copy | |
| 5.2 | 数据出境安全评估申报表 / Notification Form for Cross-border Data Transfer Security Assessment | 原件 / Original copy | |
| 6 | 与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件 / Cross-border Data Transfer Related Contracts or Other Legally Binding Documents to be Concluded with Overseas Recipient | 影印件加盖公章 / Photocopy with official seal | 对数据出境相关约定条款作高亮、线框等显著标识。法律文件以中文译本为准,若仅有非中文版本,须同步提交准确的中文译本 / Mark the agreed terms related to data export prominently, for example by highlighting or boxing them. The Chinese version of legal documents shall prevail. If there is only a non-Chinese version, an accurate Chinese translation must be submitted simultaneously |
| 7 | 数据出境风险自评估报告 / Cross-border Data Transfer Risk Self-assessment Report | 原件 / Original copy | |
| 8 | 其他相关证明材料 / Other Relevant Documentation | 原件或影印件加盖公章 / Original copy or photocopy with official seal | 相关证明材料以中文版本为准,若仅有非中文版本,须同步提交准确的中文译本 / The Chinese version of the relevant documentation shall prevail. If there is only a non-Chinese version, an accurate Chinese translation must be submitted simultaneously |

在提交上述书面材料的同时,需通过光盘方式提交相应电子版文件。

When submitting the above written materials, the corresponding electronic documents must be submitted by means of CD-ROM.

附件 2

Annex 2

经办人授权委托书

Power of Attorney for the Case Handler

本人姓名(身份证件号码: )系数据处理者名称的法定代表人,现授权我单位 姓名 (身份证件号码: )为数据出境安全评估申报工作经办人。经办人代表我单位进行数据出境安全评估申报工作过程中的一切行为,包括所签署和上传的资料,我单位均予以承认,并将承担相应的法律责任。

I, name (ID number: ), legal representative of name of data handler, hereby authorize name (ID number: ) of our entity as the case handler of the security assessment notification for the cross-border data transfer. All actions of the case handler in the process of security assessment notification for cross-border data transfer on behalf of our entity, including the signed and uploaded materials, are recognized by our entity and our entity will bear the corresponding legal responsibility.

授权委托期限: 年 月 日至 年 月 日

Authorization period: YYYY/MM/DD to YYYY/MM/DD

经办人无转委托权。

The case handler has no right to sub-entrust.

单位名称 (盖章) :

Name of Entity (Seal)

法定代表人 (签字)

Legal Representative (Sign)

经办人 (签字 )

Case Handler (Sign)

年 月 日

YYYY/MM/DD

附件 3

Annex 3

数据出境安全评估申报书 (模板)

Notification Letter for Cross-border Data Transfer Security Assessment (Template)

填写说明:

Fill-in Instructions:

由数据处理者法定代表人或其授权的数据出境安全评估申报工作经办人填写;

  1. To be filled out by the legal representative of the data handler or its authorized person in charge of the data export security assessment and notification;

二、有选择的地方请勾选左侧“ ”符号,有横线的部分应当填写相关信息;

  2. Where there is a choice, please tick the “” symbol on the left, and the part with a horizontal line should be filled with the relevant information;

三、所涉及的用语,可参考《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》和《数据出境安全评估办法》等法律法规和部门规章;

  3. For the terms involved, please refer to laws and regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and the Security Assessment Measures for Cross-border Data Transfer;

四、 由国家互联网信息办公室制定并负责解释。

  4. It is formulated and interpreted by the Cyberspace Administration of China.

一、承诺书

I. Letter of Commitment

本单位郑重承诺:

We solemnly undertake that:

一、 申报出境数据的收集、使用符合中华人民共和国有关法律法规规定;

The collection and use of the notified cross-border data comply with the relevant laws and regulations of the People's Republic of China;

二、 申报材料所有内容真实、完整、准确和有效;

All contents of the notification materials are true, complete, accurate and valid;

三、为国家网信办组织实施的数据出境安全评估工作提供必要的配合和支持;

To provide necessary cooperation and support for the security assessment for cross-border data transfer organized and implemented by the CAC;

四、 自评估工作为申报之日前3个月内完成,且至申报之日未发生重大变化。

The self-assessment has been completed within 3 months before the date of notification, and no significant changes have taken place up to the date of notification.

本单位知晓并充分理解上述承诺内容,若承诺不实或者违背承诺,愿意承担相应法律责任。

We acknowledge and fully understand the content of the above commitment. If the commitment is false or violated, we are willing to bear the corresponding legal liabilities.

法定代表人 (签字) :

Legal Representative (Sign):

单位 (盖章 ) :

Entity (Seal):

年 月 日

YYYY/MM/DD

二、数据出境安全评估申报表

II. Notification Form of Cross-border Data Transfer Security Assessment

01 数据处理者情况

Information of Data Handler

单位名称

Name of Entity

单位性质

Nature of Entity

单位注册地

Registered Address

办公所在地

Business Address

有效期

Validity Period

邮政编码

Postcode

注册资金

Registered Capital

员工数量

Number of Employees

主营业务

Main Business

统一社会信用代码

Unified Social Credit Code

02 法定代表人信息

Information of Legal Representative

姓名

Name

职务/国籍

Position/Nationality

联系电话

Contact Number

电子邮箱

Email Address

证件类型

ID Type

证件号码

ID Number

03 数据安全负责人和管理机构信息

Information of Data Security Responsible Person and Management Body

姓名

Name

职务/国籍

Position/Nationality

联系电话

Contact Number

电子邮箱

Email Address

证件类型

ID Type

证件号码

ID Number

机构名称

Name of Body

机构人数

Number of People in the Body

04 经办人信息

Information of Case Handler

姓名

Name

职务/国籍

Position/Nationality

联系电话

Contact Number

电子邮箱

Email Address

证件类型

ID Type

证件号码

ID Number

05 数据出境业务描述

Business Description of Cross-border Data Transfer

06 数据出境的目的

Purpose of Cross-border Data Transfer

07 数据出境的方式

Method of Cross-border Data Transfer

08 数据出境链路

Link of Cross-border Data Transfer

09 拟出境数据情况

Information of Proposed Cross-border Data

数据类型

Type of Data

重要数据

Important Data

个人信息

Personal Information

敏感程度 (如为个人信息)

Level of Sensitivity (for personal information)

数据规模

Scale of Data

MB/GB/TB

涉及行业/领域

Industry/Field Involved

涉及自然人数量

Number of Natural Persons Involved

涉及重要数据数量

Quantity of Important Data Involved

10 境外接收方情况

Information of Overseas Recipient

境外接收方名称

Name of Overseas Recipient

所在国家或者地区

Country or Region

所在地址

Address

注册登记号码

Registration Number

注册资金

Registered Capital

员工数量

Number of Employees

负责人姓名

Name of Responsible Person

负责人职务

Position of Responsible Person

联系电话

Contact Number

电子邮箱

Email Address

证件类型

ID Type

证件号码

ID Number

主营业务

Main Business

11 境外接收方数据安全责任人和管理机构情况

Information of Data Security Responsible Person and Management Body of Overseas Recipient

姓名

Name

职务

Position

联系电话

Contact Number

电子邮箱

Email Address

证件类型

ID Type

证件号码

ID Number

机构名称

Name of Body

机构人数

Number of People in the Body

12 法律文件

Legal Documents

法律文件名称列表:

Name List of Legal Documents:

13 相关条款在法律文件中的页码及条款

The Page Number and Content of the Relevant Clauses in the Legal Documents

1.数据出境的目的、方式和数据范围,境外接收方处理数据的用途、方式等。

1. The purpose, method and scope of the cross-border data transfer; and the purpose, method, etc. of data processing by the overseas recipient.

所在文件名称及页码

Name of Document and Page Number_________

所述条款

Clause_________

2.数据在境外保存地点、期限,以及达到保存期限、完成约定目的或者法律文件终止后出境数据的处理措施。

2. The location of storage and retention period of data, as well as measures to be taken with the data after the retention period expires, the purpose agreed upon is completed or the legal documents are terminated.

所在文件名称及页码

Name of Document and Page Number_________

所述条款

Clause_________

3.对于境外接收方将出境数据再转移给其他组织、个人的约束性要求。

3. Binding requirements on the overseas recipient's onward transfer of the cross-border data to other organizations and individuals.

所在文件名称及页码

Name of Document and Page Number_________

所述条款

Clause_________

4.境外接收方在实际控制权或者经营范围发生实质性变化,或者所在国家、地区数据安全保护政策法规和网络安全环境发生变化以及发生其他不可抗力情形导致难以保障数据安全时,应当采取的措施。

4. The security measures that the overseas recipient should take when its actual control or business scope has changed substantially, or when the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located have changed, or other force majeure situations have occurred, so that it is difficult to ensure data security.

所在文件名称及页码

Name of Document and Page Number_________

所述条款

Clause_________

5.违反法律文件约定的数据安全保护义务的补救措施、违约责任和争议解决方式。

5. Remedies, liabilities and dispute resolution methods for breach of data security protection obligations agreed in legal documents.

所在文件名称及页码

Name of Document and Page Number_________

所述条款

Clause_________

6. 出境数据遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等风险时,妥善开展应急处置的要求和保障个人维护其个人信息权益的途径和方式。

6. The requirements for proper emergency response and the ways and means for individuals to protect their rights and interests in personal information when the cross-border data is exposed to risks such as being tampered with, damaged, leaked, lost, transferred, illegally obtained or illegally used.

所在文件名称及页码

Name of Document and Page Number_________

所述条款

Clause_________

14 数据处理者遵守中国法律、行政法规、部门规章情况

Data Handler's Compliance with Chinese Laws, Administrative Regulations and Departmental Rules

填表说明

Fill-in Instructions

  1. 申报书 01 项中的单位名称、性质、注册地、有效期、注册资金等怎么填写?

How to fill in the entity name, nature, registered address, validity period, registered capital, etc. of Item 01 of the notification form?

数据处理者应当对照统一社会信用代码证件中的机构名称、机构性质/类型、有效期等栏目填写。单位注册地应具体到城市,如北京市、河北省石家庄市等。单位办公所在地应具体到门牌号,如北京市海淀区X 路 X 号。表中注册资金均需明确币种和金额。

The data handler shall fill in these fields in accordance with the institution name, institution nature/type, validity period and other columns of the unified social credit code certificate. The registered address of the entity shall be specified down to the city, for example, Beijing, or Shijiazhuang, Hebei Province. The business address of the entity shall be specified down to the house number, for example, No. X, X Road, Haidian District, Beijing. The currency and amount of registered capital in the form must be specified.

  2. 申报书 02 、03 、04 项证件类型怎么填写?

How to fill in the certificate type of Item 02, 03 and 04 of the notification form?

可根据实际情况选择填写居民身份证、护照、台湾居民来往大陆通行证、港澳居民来往内地通行证等。

You can choose to fill in the Resident ID Card, Passport, Mainland Travel Permit for Taiwan Residents, Mainland Travel Permit for Hong Kong and Macao Residents, etc. according to the actual situation.

  3. 申报书05项中数据出境业务描述怎么填写?

How to fill in the business description of cross-border data transfer of Item 05 of the notification form?

据实填写此次申报的数据出境业务,应与法律文件中涉及业务名称一致。

Fill in the cross-border data transfer business of this notification according to the facts, which should be consistent with the name of the business involved in the legal document.

4.申报书06 项中数据出境的目的怎么填写?

How to fill in the purpose of cross-border data transfer of Item 06 of the notification form?

如开展业务合作、技术研究、经营管理等,需具体阐述。

The purpose, such as business cooperation, technical research, operating management, etc., needs to be elaborated.

  5. 申报书07项数据出境的方式怎么填写?

How to fill in the method of cross-border data transfer of Item 07 of the notification form?

说明数据出境的方式,如公共互联网传输、专线传输等。

Specify the method of cross-border data transfer, such as public Internet transfer, dedicated line transfer, etc.

  6. 申报书08项数据出境链路怎么填写?

How to fill in the link of cross-border data transfer of Item 08 of the notification form?

说明数据出境的链路,如链路提供商、链路数量与带宽、境内外落地数据中心名称及机房物理位置、IP 地址等

Describe the links for cross-border data transfer, such as the link provider, the number and bandwidth of links, the names of the domestic and overseas landing data centers and the physical locations of their equipment rooms, and IP addresses.

  7. 申报书09项拟出境数据情况怎么填写?

How to fill in information of proposed cross-border data of Item 09 of the notification form?

关于个人信息的敏感程度,可参照国家标准《信息安全技术 个人信息安全规范》

For the level of sensitivity of personal information, refer to the national standard Information Security Technology-Personal Information (PI) Security Specification.

涉及行业/领域填写出境数据涉及的行业领域范围,如工业、电信、金融、交通、自然资源、卫生健康、能源、教育、科技、国防科工等。

For industries/fields involved, fill in the industries and fields related to the cross-border data, such as industry, telecommunications, finance, transportation, natural resources, health, energy, education, science and technology, and science and technology industries for national defense, etc.

8.申报书 13 项相关条款在法律文件中的页码怎么填写?

How to fill in the page number of relevant clauses in the legal document of Item 13 of the notification form?

数据处理者填写对应法律文件条款所在的页码,并对相关条款作高亮、线框等显著标识。

The data handler fills in the page number where the clause of the corresponding legal document is, and makes prominent marks such as highlighting and wireframe on the relevant clause.

9.申报书 14 项遵守中国法律、行政法规、部门规章情况怎么填写?

How to fill in the data handler's compliance with Chinese laws, administrative regulations and departmental rules of Item 14 of the notification form?

数据处理者简述近 2 年在业务经营活动中受到行政处罚和有关主管监管部门调查及整改情况,重点说明数据和网络安全方面相关情况。

The data handler briefly describes the administrative penalties it has received, and the investigations and rectifications required by the relevant competent regulatory authorities, in its business operations in the past two (2) years, focusing on data security and cybersecurity.

附件 4

Annex 4

数据出境风险自评估报告(模板)

Cross-border Data Transfer Risk Self-assessment Report (Template)

数据处理者名称: (盖章)

Name of Data Handler: (Seal)

年 月 日

(YYYY/MM/DD)

说明:

Explanation:

(一)数据处理者申报数据出境安全评估时需提供自评估报告;

(1) The data handler shall provide a self-assessment report when notifying the security assessment for its cross-border data transfer;

(二)数据处理者须对所提交的自评估报告及附件材料真实性负责;

(2) The data handler shall be responsible for the authenticity of the self-assessment report and the attached materials;

(三)本报告所述自评估活动为本次申报前 3 个月内完成;

(3) The self-assessment activities mentioned in this report shall be completed within 3 months before the notification;

(四)如有第三方机构参与自评估,须在自评估报告中说明第三方机构的基本情况及参与评估的情况,并在相关内容页上加盖第三方机构公章。

(4) If a third-party organization is involved in the self-assessment, the basic information of the third-party organization and conditions of its participation in the assessment must be specified in the self-assessment report, and the official seal of the third-party organization must be affixed on the relevant content page.

一、自评估工作简述

I. Brief Introduction of Self-assessment

自评估工作开展情况,包括起止时间、组织情况、实施过程、实施方式等内容。

The report shall describe the implementation of self-assessment, including the start and end time, organization, implementation process, and implementation method, etc.

二、出境活动整体情况

II. Overall Information of Cross-border Transfer Activities

详细说明数据处理者基本情况、数据出境涉及的业务和信息系统、出境数据情况、数据处理者安全保障能力情况、境外接收方情况、法律文件约定情况等。包括不限于:

Provide details of the data handler, the business and information systems involved in the cross-border data transfer, the information of cross-border data transfer, the security capabilities of data handler, the information of overseas recipient, and the information of legal documents agreed. This part includes, but is not limited to:

(一)数据处理者基本情况

(1) Basic information of data handler

1.组织或者个人基本信息;

  1. Basic information of organization or individual;

2.股权结构和实际控制人信息;

  2. Information of equity structure and actual controller;

3.组织架构信息;

  3. Information of organization structure;

4.数据安全管理机构信息;

  4. Information of data security management body;

5.整体业务与数据情况;

  5. Overall information of business and data;

6.境内外投资情况。

  6. Information of domestic and overseas investment.

(二)数据出境涉及业务和信息系统情况

(2) Information of business and information system involved in cross-border data transfer

1.数据出境涉及业务的基本情况;

  1. Basic information of business involved in cross-border data transfer;

2.数据出境涉及业务的数据资产情况;

  2. Information of data assets related to the business of cross-border data transfer;

3.数据出境涉及业务的信息系统情况;

  3. Information of information system related to the business of the cross-border data transfer;

4.数据出境涉及的数据中心(包含云服务)情况;

  4. Information of data centers (including cloud services) related to cross-border data transfer;

5.数据出境链路相关情况。

  5. Information of cross-border data transfer links.

(三)拟出境数据情况

(3) Information of data to be exported

1.说明数据出境及境外接收方处理数据的目的、范围、方式,及其合法性、正当性、必要性;

  1. Illustrate the purpose, scope, method, as well as the legality, legitimacy, and necessity of cross-border data transfer and data processing by overseas recipient;

2.说明出境数据的规模、范围、种类、敏感程度;

  2. Illustrate the scale, scope, type, and sensitivity of cross-border data;

3.拟出境数据在境内存储的系统平台、数据中心等情况,计划出境后存储的系统平台、数据中心等;

  3. Information on the system platforms and data centers where the proposed cross-border data is stored domestically, and the system platforms and data centers where the data is planned to be stored after the cross-border transfer;

4.数据出境后向境外其他接收方提供的情况。

  4. Information of providing cross-border data to other overseas recipients after the cross-border data transfer.

(四)数据处理者数据安全保障能力情况

(4) Information of data security protection capability of data handler

1.数据安全管理能力,包括管理组织体系和制度建设情况,全流程管理、分类分级、应急处置、风险评估、个人信息权益保护等制度及落实情况;

  1. Capability of management of data security, including the system for organization and management and the development of the system, the whole-process management, categorization and classification, emergency response, risk assessment, the implementation of the protection of personal information interests, etc.;

2.数据安全技术能力,包括数据收集、存储、使用、加工、传输、提供、公开、删除等全流程所采取的安全技术措施等;

  2. Technical capability of data security, including technical security measures conducted in the whole process such as data collection, storage, use, processing, transfer, provision, disclosure, or deletion of data, etc.;

3.数据安全保障措施有效性证明,例如开展的数据安全风险评估、数据安全能力认证、数据安全检查测评、数据安全合规审计、网络安全等级保护测评等情况;

  3. Proof of the effectiveness of data security protection measures, such as the implementation of data security risk assessment, data security capability certification, data security inspection, data security compliance audit, and evaluation for classified protection of cybersecurity, etc.;

4.遵守数据和网络安全相关法律法规的情况。

  4. Information of compliance with data and cybersecurity related regulations.

(五)境外接收方情况

(5) Information of overseas recipient

1.境外接收方基本情况;

  1. Basic information of overseas recipient;

2.境外接收方处理数据的用途、方式等;

  2. The purpose and method of data processing by the overseas recipient;

3.境外接收方的数据安全保障能力;

  3. Data security protection capability of overseas recipient;

4.境外接收方所在国家或地区数据安全保护政策法规和网络安全情况;

  4. Conditions of the data security protection policies and regulations and cybersecurity of the country or region where the overseas recipient is located;

5.境外接收方处理数据的全流程过程描述。

  5. Description of the whole process of data processing by the overseas recipient.

(六)法律文件约定数据安全保护责任义务的情况

(6) Data security protection responsibilities and obligations agreed in the legal documents

1.数据出境的目的、方式和数据范围,境外接收方处理数据的用途、方式等;

  1. The purpose, method and scope of cross-border data transfer, the purpose, method of processing data by overseas recipient, etc.;

2.数据在境外保存地点、期限,以及达到保存期限、完成约定目的或者法律文件终止后出境数据的处理措施;

  2. The location and period of data storage overseas, as well as the processing measures for cross-border data after the retention period expires, the purpose is achieved, or the legal documents terminate;

3.对于境外接收方将出境数据再转移给其他组织、个人的约束性要求;

  3. The binding requirements of transferring the cross-border data to other organizations and individuals by the overseas recipient;

4.境外接收方在实际控制权或者经营范围发生实质性变化,或者所在国家、地区数据安全保护政策法规和网络安全环境发生变化以及发生其他不可抗力情形导致难以保障数据安全时,应当采取的安全措施;

  4. Security measures that the overseas recipient should take when its actual control or business scope changes substantially, when the data security protection policies and regulations and the cybersecurity environment in the country or region where the overseas recipient is located change, or when other force majeure situations make it difficult to ensure data security;

5.违反法律文件约定的数据安全保护义务的补救措施、违约责任和争议解决方式;

  5. Remedies, liabilities and dispute resolution methods for breach of data security protection obligations agreed in legal documents;

6.出境数据遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等风险时,妥善开展应急处置的要求和保障个人维护其个人信息权益的途径和方式。

  6. Requirements for proper emergency response when cross-border data is tampered with, destroyed, leaked, lost, transferred, or illegally obtained and illegally used, and ways and means to safeguard individuals' exercising of rights and interests in personal information.

(七)数据处理者认为需要说明的其他情况。

(7) Other circumstances that the data handler considers necessary to illustrate.

三、拟出境活动的风险评估情况

III. Risk Assessment on Cross-border Transfer Activities

就下列事项逐项说明风险评估情况,重点说明评估发现的问题和风险隐患,以及相应采取的整改措施及整改效果。

Explain the risk assessment item by item for the following matters, focusing on the problems and potential risks found in the assessment, as well as the corresponding rectification measures and rectification effects.

(一)数据出境和境外接收方处理数据的目的、范围、方式等的合法性、正当性、必要性;

(1) The legality, legitimacy, and necessity of the purpose, scope, and method of the cross-border data transfer and of the data processing by the overseas recipient;

(二)出境数据的规模、范围、种类、敏感程度,数据出境可能对国家安全、公共利益、个人或者组织合法权益带来的风险;

(2) The scale, scope, type and sensitivity of cross-border data, and the risks that cross-border data transfer may pose to national security, public interests, and the legitimate rights and interests of individuals or organizations;

(三)境外接收方承诺承担的责任义务,以及履行责任义务的管理和技术措施、能力等能否保障出境数据的安全;

(3) Whether the responsibilities and obligations committed to by the overseas recipient, and its management and technical measures and capabilities for fulfilling those responsibilities and obligations, can guarantee the security of cross-border data;

(四)数据出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法利用等的风险,个人信息权益维护的渠道是否通畅等;

(4) The risks of tampering, destruction, leakage, loss, transfer, illegal acquisition or illegal use of data during and after cross-border data transfer, and whether the channels for exercising the rights and interests in personal information are unobstructed;

(五)与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件等,是否充分约定了数据安全保护责任义务;

(5) Whether the contracts related to cross-border data transfer or other legally effective documents proposed to be entered into with overseas recipient fully stipulate the responsibility and obligation of data security protection;

(六)其他可能影响数据出境安全的事项。

(6) Other matters that may affect the security of cross-border data transfer.

四、出境活动风险自评估结论

IV. Conclusion of Risk Self-assessment for Cross-border Transfer Activities

综合上述风险评估情况和相应整改情况,对拟申报的数据出境活动作出客观的风险自评估结论,充分说明得出自评估结论的理由和论据。

Based on the above-mentioned risk assessment and corresponding rectification, an objective risk self-assessment conclusion shall be made for the cross-border data transfer activities to be notified, with a full explanation of the reasons and arguments for drawing the self-assessment conclusion.