2024数据出境实务实操手册.docx

《2024数据出境实务实操手册.docx》由会员分享，可在线阅读，更多相关《2024数据出境实务实操手册.docx（61页珍藏版）》请在课桌文档上搜索。

1、中国数据出境实务实操白皮书目录Contents一、中国数据出境路径透视9LPivotViewofChina,sOutboundDataTransferPaths9(一)路径起源9(I) OriginsofPaths9(二)路径选择10(II) PathSelection10()路径豁免(或有)11(III) PathExemptions(ifany)11二、中国数据出境实务问答BII、Q&AonChinesePracticesofOutboundDataTransfers13(一)数据出境安全评估10问13(I) 10QuestionsonSecurityAssessmentforOutbou

2、ndDataTransfers13QI：什么情形必须启动数据出境安全评估？13Underwhatcircumstancesmustsecurityassessmentforoutbounddatatransfersbeconducted?13Q2:数据出境行为具体包含哪些？14Whatconstitutesanactofoutbounddatatransfer?14实操演练1PracticalExercise1Q3:如何识别“重要数据”？16Howtoidentifyimportantdata*?16Q4:如何识别“敏感个人信息”？18Howtoidentifysensitivepersona

3、linformation?18Q5:如何界定“关键信息基础设施运营者”？18Whoisacriticalinformationinfrastructureoperator*?18Q6:如何界定100万、10万、1万的数量规模？19Howtodefinethequantitativescaleof1million,100thousand,andIOthousand?19Q7:同一数据处理者存在多个出境场景需要申报时应如何处理？20Whatshouldbedonewhentherearemultipleoutboundscenariostobedeclaredbythesamedataproces

4、sor?20Q8:什么情况应当重新进行数据出境安全评估？21Whenshouldasecurityassessmentforoutbounddatatransfersbere-conducted?21实操演练2PracticalExercise2Q9:企业是否必须事先开展自评估工作？若需要，需要提前多久开展？自评估工作应当评估哪些方面？23Isitnecessaryforcompaniestocarryouttheself-assessmentexerciseinadvance?Ifso,howfarinadvance?Whatshouldbeassessedintheself-assessm

5、ent?23实操演练3PracticalExercise3Q10:数据出境安全评估申报流程需要花多长时间？26Howlongdoesthesecurityassessmentfilingprocessofoutbounddatatransferstake?26(二)个人信息出境标准合同备案15问28(II) 15QuestionsontheFilingoftheSCforOutboundTransferofPersonalInformation(“SCFiling)28国际数据跨境规则系列555SeriesonInternationalDataCross-BorderRulesRulesQll

6、:签订标准合同进行数据出境活动的适用范围？28WhatisthescopeofapplicationofaSC?28Q12:标准合同签署的主体有哪些？29WhoarepartiestoaSC?29实操演练4PracticalExercise4Q13:规定提及，咱主缔约”，这是否意味着企业可以跳过备案环节？30Theprovisionreferstoindependentcontracting,doesthismeanthatcompaniescanskipthefilingprocess?30Q14:能否针对多个数据出境场景使用同一套标准合同？32CanthesamesetofSCbeused

7、formultipleoutbounddatatransfers?32实操演练5PracticalExercise5Q15:关联方是否可以合并备案？34Canrelatedpartiesconsolidatetheirfilings?34实操演练6PracticalExercise6Q16:可以修改标准合同条款吗？37CanthetermsofaSCbemodified?37Q17:如果已签署GDPR下的标准合同,是否还需签署中国的标准合同？.37IfaSCundertheGDPRhasbeensigned,doIneedtosignaSCthatconformswiththeChinesel

8、aws?37Q18:个人信息处理者是否可以提交非中文版标准合同？37CanaPIPsubmitanon-ChineseversionofaSC?38Q19:标准合同备案的有效期多久？38HowlongisafilingofSCvalidfor?38国际数据跨境规则系列6/55SeriesonInternationalDataCross-BorderRulesRulesQ20:什么情况下需要重新备案？39Underwhatcircumstanceswillitbenecessarytore-file?39实操演练7PracticalExercise7Q21:受托人是否可以签订标准合同？41Can

9、atrusteeenterintoaSC?41实操演练8PracticalExercise8Q22:在标准合同备案路径下，PlA是否有特殊之处？43IsPIAspecialundertheSCFilingpath?43Q23:标准合同备案的结果是什么？43WhatistheoutcomeofaSCFiling?43Q24:宽限期内的个人信息跨境传输是否合法？44Areoutboundtransfersof,personalinformationduringthegraceperiodlegal?44Q25:若未能在宽限期内完成整改，数据出境是否非法？是否需承担责任？.44Intheeventt

10、hatmodificationisnotcompletedwithinthegraceperiod,wouldtheoutbounddatatransferbeillegal?Isthereanylegalconsequenceforsuchafailure?44实操演练9PracticalExercise9(三)个人信息跨境处理活动安全认证5问49(III) 5QuestionsonSecurityCertificationforCross-borderProcessingActivitiesofPersonalInformation(“PIPC”)49Q26:何时可以选择个人信息跨境处理活

11、动安全认证路径？49WhencanIchoosethePIPC?49Q27:是否可以选择安全认证来代替标准合同备案？50IsPIPCanalternativeoptiontoSCFiling?50实操演练10PracticalExercise10Q28:安全认证路径下，是否需要指定个人信息保护负责人并设立个人信息保护机构？51Isitnecessarytodesignateapersontobeinchargeofpersonalinformationprotectionandestablishapersonalinformationprotectionorganizationunderthe

12、PIPCpath?51Q29:安全认证具体怎么开展？52HowisPIPCconducted?52Q30:安全认证的有效期？54WhatisthevalidityperiodofthePIPC?54附件一：问题/案例索引Annex I: IndexofQ&AsandPracticalExercisesAnnex II: 附件二：主要法律法规一览表Annex III: 1.istofMajorLawsandRegulations一概览(Overview)一一、中国数据出境路径透视1.PivotViewofChina,sOutboundDataTransferPaths(一)路径起源(I)Orig

13、insofPaths数据跨境流动是全球化数字经济的必然，数据主权、数据安全以及个人信息保护也是全球监管的共识。Thecross-borderflowofdataisaninevitablepartoftheglobalizeddigitaleconomy,andthereisconsensusthattheprotectionofdatasovereignty,datasecurity,andpersonalinformationprotectionaresubjecttoglobalregulation.我国目前法律就数据出境提供了三条通路，即：数据出境安全评估、个人信息出境标准合同备案(或

14、称“标准合同备案”)、个人信息跨境处理活动安全认证(或称“个人信息傀认逃2。一:者均来源于个人信息保护法第38条第1款的规定,个人信息处理者因业务等需要，确需向境外提供个人信息的，应当具备下列条件之一：(一)依照本法第四十条的规定通过国家网信部门组织的安全评估；(二)按照国家网信部门的规定经专业机构进行个人信息保护认证；(三)按照国家网信部门制定的标准合同与境外接收方订立合同，约定双方的权利和义务；(四)法律、行政法规或者国家网信部门规定的其他条件。Chinascurrentlawsprovidethreepathsforoutbounddatatransfers,namely:SeCUrit

15、yassessmentforOUtboUnddatatransfers,thefIingOftheStandardContraCtforC)UtboUndtransferOfPerSonaIinfbrmation(OrSCFiling),andSeCUrityCertifiCatiOnforCroSS-borderDroCeSSingactivitiesOfPerSonalinformation(OrPers。IlalInformatiKiiProtectionCertification,PIPC).AllthreearederivedfromArticle38,Paragraph1ofthe

16、PersonalInformationProtectionLaw,whichprovidesthatwhereaPIPgenuinelyneedstoprovidepersonalinformationoutsidetheterritoryofthePeople,sRepublicofChinaduetobusinessorotherneeds,itshallmeetanyofthefollowingconditions:(I)tohavepassedthesecurityassessmentorganizedbytheCyberspaceAdministrationofChinainacco

17、rdancewiththeprovisionsofArticle40thereof;(II)tohaveobtainedaPersonalInformationProtectionCertificationissuedbyaspecializedagencyinaccordancewiththeregulationsoftheCyberspaceAdministrationofChina;(III)tohaveenteredintoacontractwithanoversearecipientunderthestandardcontractformulatedbytheCyberspaceAd

18、ministrationofChina,specifyingtherightsandobligationsofbothparties;or(IV)tomeetotherconditionsprescribedbylaws,administrativeregulationsortheCyberspaceAdministrationofChina.（二）路径选择(II)PathSelection关键信息豌设施运营者CriticalInformationInfranstructureOperator附:BSifi桃函PivotViewofthePathfNoteG类曳界定7Definetbtype故

19、0界定Definethequantity_l处理个人信息!ProcessingPl工处理敝感个人信息-TProcessingsensitivePl一处理重要数据Processingimportantdata咨Conclusion:SecurityAssessmentforOutboundDataTransfers苻合任一情形MeetanyonescenarioJ5国公司或同一经济.事业实体下属子公司或关联公司之间的个人信息聘填处理活动Cross-borderprocessingofpersonalinformationbetweenmultinationalcompaniesorsubsidi

20、arycompaniesandaffiliatedcompanieswithinthesameeconomicOrbusinessentity在境外，以向境内自然人提供产品或者服务为目的,处理境内自然人个人信息Handlepersonalinformationofdomesticnaturalpersonsfromoutsidetheterritorywrththepurposeofprovidingdomesticnaturalpersonswithproductsorservices在境外.分析、评估境内自然人的行为Theactsofdomesticnaturalpersonsareana

21、lyzedandevaluatedfromoutsidetheterritory特殊情形SpecialScenario.UAXINWPerson,notperon-tta11M,notno.ofPteoM结论：KCftfiIMXCondution:FilingofStoncterdUColrct(Accordingtothcurrentpreferredsuggestioninprctice可选：安全认证Option:SecurtiyCertification耒Iwt任一fit论Ift的(如处TKi).K三1AMMIfnoneoftheconcludedHemshasbeentriggered

22、(suchasprocssxggeneraldaU),thedatamaybdlrctiytransferred处理1oo万人以上个人信息的Bag处理者均不符合All not meet任选其一：S81：标准合同备案82：安全认证Choose either on:Path 1: Filing of Standard ContractPath 2: Security CertificationAdataprocessorwhohasprocessedpersonalinformationofoveronemillionpersons自上年1月1日起累计向境外提供10万人个人信患Providedpe

23、rsonalinformationof100.000personscumulativelysinceJanuary1ofthepreviousyearabroad自上年1月1日起累计向境外提供1万人敝感个人信息的数据处理者AdataProCeSSorwhohasprovidedsensitivepersonalinformationof10f000personscumulativelysinceJanuary1ofthepreviousyearabroad注：特别地，针对注册在导港澳大湾区内地部分/香港特别行政区的个人信息处理者及接收方，在号港澳大湾区内地部分与香港特别行政区之间的个人信息跨境

24、流动，不含重要数据的，可以选择标准合同备案。Inparticular,forPlprocessorsandrecipientsregisteredintheMainlandpartoftheGuangdong-HongKong-MacaoGreaterBayArea/HongKongSAR,forcross-borderflowofpersonaldatabetweentheMainlandpartoftheGuangdong-HongKong-MacaoGreaterBayAreaandtheHongKongSARthatdoesnotcontainimportantdata,theopti

25、onoflingofstandardcontractisavailable.国际数据跨境规则系列SeriesonInternationalDataCross-BorderRulesRules(三)路径豁免(或有)(111) PathExemptions(ifany)与此同时，为进一步降低企业在数据跨境传输方面的合规成本，国家互联网信息办公室在2023年9月28日出台了规范和促进数据跨境流动规定(征求意见稿)(下称“征求意见稿”)，意图为数据要素跨境流通“减负”。该征求意见稿主要明确了以下两点：Meanwhile,inordertofurtherreducethecompliancecostof

26、enterprisesincross-borderdatatransfer,theCyberspaceAdministrationofChinaissuedthenProvisionsonRegulatingandPromotingCross-borderFlowofData(ExposureDraft)(thettExposureDraft)on28September2023,withtheintentionofreducingtheburdenofcross-borderflowofdataelements.TheExposureDraftclarifiesthefollowingtwom

27、ainpoints:- .【新增豁免情形】符合以下情形之一的，不需要申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证：Exemptions!Underanyofthefollowingcircumstances,itisnotrequiredtoapplyforsecurityassessmentforoutbounddatatransfers,theSCFiling,andPlPC：- 国际贸易、学术合作、跨国生产制造和市场营销等活动中产生的数据出境，不包含个人信息或者重要数据的；wheredataoutboundtransferarisingfrominternatio

28、naltrade,academiccooperation,cross-borderproductionandmanufacturing,marketingactivities,andothers,excludingthetransferofpersonalinformationorimportantdata;- 不是在境内收集产生的个人信息向境外提供；providingpersonalinformationnotcollectedinChinatolocationsoutsideChina;- 为订立、履行个人作为一方当事人的合同所必需，如跨境购物、跨境汇款、机票酒店预订、签证办理等，必须向境

29、外提供个人信息的；wherethepersonalinformationmustbeprovidedabroad,asitisnecessaryfortheconclusionandperformanceofacontracttowhichtheindividualisaparty,suchascross-bordershopping,cross-borderremittance,airticketsandhotelbooking,visaprocessing,etc.- 按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理，必须向境外提供内部员工个人信息的；forhumanreso

30、urcesmanagementinaccordancewiththelaborregulationsandrulesformulatedinaccordancewiththelawandcollectivecontractsconcludedinaccordancewiththelaw,itisnecessarytoprovideabroadthepersonalinformationofinternalemployees;中国数据出境实务实操白皮书WhitePaperonChinaOutboundDataTransfersPractice紧急情况下为保护自然人的生命健康和财产安全等，必须向境

31、外提供个人信息的;-wherepersonalinformationhastobeprovidedoverseastoprotectthelife,health,andpropertysafetyofnaturalpersonsinanemergency;and- 预计一年内向境外提供不满1万人个人信息的。wherethePlPisexpectedtoprovidepersonalinformationoflessthan10,000individualstolocationsoutsideChinawithinoneyear.2.【鼓励创新试点】自由贸易试验区可自行制定本自贸区需要纳入数据出

32、境安全评估、个人信息出境标准合同、个人信息保护认证管理范围的数据清单(以下简称负面清单)，负面清单外数据出境，可以不申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。IEncouraeingInlWVatiVePilots】Pilotfreetradezonesmay,ontheirown,formulatelistsofdatathatneedtobeincludedinthescopeofadministrationofsecurityassessmentforthedatatobeprovidedabroad,standardcontractsforoutboundp

33、rovisionofpersonalinformation,andcertificationforpersonalinformationprotection(theNegativeList),anddataoutboundtransferactivitiesoutsidetheNegativeListmaybecarriedoutwithoutapplyingforsecurityassessmentforoutbounddatatransfers,theSCFiling,andPIPC.目前该征求意见稿尚未正式出台，但已明确释放出促进数据跨境自由流动的强烈信号。相信数据跨境有序合规自由流通的

34、机制将很快建立起来。TheExposureDrafthasnotyetbeenformallyissued,butithasclearlyreleasedastrongsignaltopromotethefreeflowofdataoutboundtransfers.Itisbelievedthatamechanismfortheorderlyandcompliantfreeflowofdataacrossborderswillsoonbeestablished.数据出境实务30问答(30Q&As)二、中国数据出境实务问答II、Q&AonChinesePracticesofOutboundDa

35、taTransfers(一)数据出境安全评估10问(I)10QuestionsonSecurityAssessmentforOutboundDataTransfersQI：什么情形必须启动数据出境安全评估？Underwhatcircumstancesmustsecurityassessmentforoutbounddatatransfersbeconducted?Al:具备以下情形之一时，必须启动数据出境安全评估：Asecurityassessmentforoutbounddatatransfersmustbeconductedwhenoneofthefollowingcircumstance

36、sarises:(1)数据处理者向境外提供重要数据；whereadataprocessorprovidesimportantdataabroad;关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息；whereakeyinformationinfrastructureoperatororaPlPofthedataofmorethanonemillionpeopleprovidesabroadpersonalinformation;(3)自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息；或者whereaPIPhaspr

37、ovidedabroadpersonalinformationof100,000peopleorsensitivepersonalinformationof10,000peopleintotalsinceJanuary1ofthepreviousyear;or(4)国家网信部门规定的其他需要申报数据出境安全评估的情形。II数据出境安全评估办法(国家互联网信息办公室，国家互联网信息办公室令第Ii号，OthercircumstancesprescribedbytheCyberspaceAdministrationofChinaforwhichdeclarationforsecurityassess

38、mentforoutbounddatatransfersisrequired.特别地，该境外包含香港特别行政区、澳门特别行政区以及台湾地区。Inparticular,thisterritoryincludestheHongKongSpecialAdministrativeRegion,theMacaoSpecialAdministrativeRegion,andTaiwan.Q2:数据出境行为具体包含哪些？Whatconstitutesanactofoutbounddatatransfer?A2:数据出境行为包括向境外提供或允许境外访问境内数据，具体包括以下三种情形：Actsofdataout

39、boundtransfersincludeprovidingorallowingaccesstodatawithintheterritoryfromoutsidetheterritory,specificallyincludingthefollowingthreesituations:(1)数据处理者将在境内运营中收集和产生的数据传输、存储至境外；Thedataprocessortransfersandstoresthedatacollectedandgeneratedinitsoperationswithintheterritoryabroad;数据处理者收集和产生的数据存储在境内，境外的机

40、构、组织或者个人可以查询、调取、下载、导出；Datacollectedandgeneratedbydataprocessorsarestoredintheterritoryandcanbequeried,accessed,downloaded,orexportedbyinstitutions,organizations,orindividualsabroad;(3)国家网信办规定的其他数据出境行为。2022.07.07发布,2022.09.01实施)第4条规定。Article 4, Measures for the Security Assessment of Outbound Data Tr

41、ansfer (Cyberspace Administration of China, Order No.l 1 of the Cyberspace Administration of China, issued on 7 July 2022, effective from September 2022)数据出境安全评估申报指南(第一一版)(国家互联网信息办公室，2022.08.31发布， 2022.08.31实施)“一、适用范围”规定。“1. Scope of Application5 of Guidelines for the Application for Security Assess

42、ment for Outbound Data Transfers (First Edition) (Cyberspace Administration of China, issued on 31 August 2022, effective from 31 August 2022)中国数据出境实务实操白皮书WhitePaperonChinaOutboundDataTransfersPracticeOtheractsofoutbounddatatransfersstipulatedbytheCyberspaceAdministrationofChina.实操演练1PracticalExerci

43、se1Q：跨境电商平台有许多商家，如何申报数据出境安全评估？跨境电商场景下平台方与品牌方，谁来发起安全评估？Q:Cross-bordere-commerceplatformshavemanymerchants,howtodeclaresecurityassessmentforoutbounddatatransfers?Inthecontextofcross-bordere-commercebetweentheplatformsandthebrands,whowillconductthesecurityassessment?A：需要区分场景。根据数据实际由平台还是品牌方传输出境，品牌方自行传输出

44、境的场景下，品牌方申报；平台传输出境的场景下，平台统一申报。A:Thereisaneedtodistinguishthescenarios.Itisbasedonwhetherthedataareactuallytransmittedbytheplatformsorthebrands,ifthebrandstransmitthedataoutsidetheterritoryofthePeoplc,sRepublicofChinathemselves,thebrandsshouldmakethedeclaration.Iftheplatformstransmitthedataoutsidethe

45、territoryofthePeople,sRepublicofChina,theplatformshouldmakeaconsolidateddeclaration.实操演练1延伸VariationofPracticalExercise1境内A公司员工在境外出差，将A公司业务经营中处理的重要数据通过硬盘方式提供给境外B公司。AnemployeeofCompanyAwithintheterritoryisonbusinesstripoutsidetheterritoryandprovidesimportantdataprocessedbyCompanyAinbusinessoperationt

46、oCompanyBabroadviaaharddrive.Q：该A公司是否应当启动数据出境安全评估？Q:ShouldCompanyAconductasecurityassessmentforoutbounddatatransfers?A：通过硬盘传输亦属于数据出境，应当事前通过所在地省级网信部门向国家网信部门申报数据出境安全评估。A:Transferringdataviaaharddrivealsoconstitutesoutbounddatatransfers,soCompanyAshoulddeclareasecurityassessmentforoutbounddatatransfers

47、tothenationalcyberspaceadministrationdepartmentviatheprovincial-levelcyberspaceadministrationdepartmentinadvance.Q3:如何识别“重要数据”?Howtoidentify,importantdata”？A3:重要数据，是指一旦遭到篡改、破坏、泄露或者非法获取、非法利用等，可能危害国家安全、经济运行、社会稳定、公共健康和安全等的数据。3Importantdatareferstodatathatmayjeopardizenationalsecurity,economicoperation,socialstability,publichealth,safety,etc.,ifitistamperedwith,damaged,leaked,illegallyaccessed,orillegallyutilized,etc.在重要数据识别时，应当优先参考所属行业、领域、地区数据安全管理相关规定(例如汽车数据对应的汽车数据安全管理若干规定(试行)(下称“汽车数据规定”),其次可参考网络数据安全管