Secsmart & YingKe Law Firm: 2023 White Paper on the Standard Contract for Outbound Transfer of Personal Information in China (English edition, 39 pages), shared by a member for online reading on 三个皮匠报告.

White Paper on the Standard Contract for Outbound Transfer of Personal Information in China

Co-Published By
National Quality Inspection and Testing Center of Security Products for Network and Information Systems
YingKe Law Firm Cyber Data Security Compliance Center
Secsmart Information Technology Co., Ltd.
Wolters Kluwer iLaw

Chief Editor
Weihong Guo (Davey)
YingKe Cyber Data Security Center, Deputy director
Email:
Wechat: daveylawyer

Deputy Editor
Liang Shen
Yunsong Xu

Editorial Committee
Scott Jiang, Shuilin Li, He Li, Alicia Ge, Zubin Cao, Bo Yuan, Yunfei Li, Elaine Zhou, Junge Wu

Table of Contents

Part I. Global and Chinese Personal Information Cross-Border Compliance and Regulatory Trends
  I. Global Information Cross-Border Compliance and Regulatory Trends
    EU
    US
    Singapore
    South Korea
    Japan
    Russia
  II. Chinese Information Cross-Border Compliance and Regulatory Trends
    Route 1: Security Assessment
    Route 2: Certification
    Route 3: Standard Contract
Part II. The Key issues of Personal Information Cross-Border Transfer and the Standard Contract Route in China
  I. The key issues of personal information cross-border transfer
    (i) Specific identification of domestic personal information processors
    (ii) Counting cross-border transfer personal information
    (iii) How can personal information be considered as cross-border transfer
    (iv) Identify important data from the outbound transfer personal information
    (v) How to handle sensitive personal information
  II. Subject and scenario of applying standard contract route to cross-border transfer personal information
    (i) Personal information handling subject applicable to standard contract
    (ii) Cross-border transfer of personal information scenarios applicable to Standard Contract
  III. The response plan - Standard Contract
    Prior: Internal compliance and preparation
    In-process: Implement standard contract filing
    Afterwards: Continuous supervision and timely update
Part III. Analysis of the key points of cross-border transfer of personal information in key industries
  I. Finance
    (i) Financial information of financial institutions and individuals
    (ii) Common scenarios of cross-border transmission of personal financial information
    (iii) Compliance points of cross-border transmission of personal financial information
  II. Vehicle
    (i) Personal vehicle information outbound transfer profile
    (ii) Common scenarios of cross-border transmission of personal vehicle information
    (iii) Suggestions on compliance of cross-border transfer of personal vehicle information
  III. Medical health
    (i) Legal regulation of cross-border transfer of personal medical health information
    (ii) Common scenarios of cross-border transfer of personal medical and health information
  IV. Cross-border e-commerce
    (i) E-commerce-related personal information cross-border transfer scenarios and legal regulation
    (ii) E-commerce-related personal information cross-border transfer compliance points
  V. Aviation
    (i) Legal regulation of cross-border transfer of personal aviation information
    (ii) Common scenarios for cross-border transfer of personal aviation information
Appendix: Introduction of the Publishers
  Introduction to YingKe
  Introduction to MSTL
  Introduction to Secsmart

Foreword

Based on the protection
of personal information and the importance of national security, more and more countries and regions have strengthened the supervision of cross-border personal information flow of enterprises. The legal and compliant cross-border transmission of personal information has become a problem that must be solved when enterprises operate internationally.

In recent years, relevant Chinese government departments, such as the Cyberspace Administration of China (CAC), have gradually passed a series of laws and regulations, and defined three basic paths for personal information outbound transfer: passing the mandatory security assessment organized by the CAC (Security Assessment); obtaining a personal information protection certificate issued by a qualified institution (Certification); and concluding and filing the Standard Contract formulated by the CAC with the overseas recipient (Standard Contract).

The Measures for the Standard Contract for Outbound Transfer of Personal Information (Chinese SCCs) took effect on June 1, 2023, and with the release of the Guidelines for Filing the Standard Contract for Outbound Transfer of Personal Information (first edition) (Standard Contract Filing Guidelines) by the CAC on May 30, 2023, the implementation details of the Standard Contract have become clear in China.

Part I
Global and Chinese Personal Information Cross-Border Compliance and Regulatory Trends

I. Global Information Cross-Border Compliance and Regulatory Trends

With the advent of the Big Data era, data, as an important factor of economic production and a national security resource, has become an object of competition among countries. The world's major economies have introduced several rules and regulations related to the protection of personal information, and on the whole, the cross-border flow of personal information has been tightened in various jurisdictions around the world.

EU

The EU adopted the General Data Protection Regulation (GDPR) in 2016, which
clearly sets out the conditions for the cross-border transfer of personal data. At present, there are three main routes for the cross-border transfer of personal data in the EU:

Firstly, adequate protection. According to the GDPR, personal data from EU member states can only be transferred across borders if the level of protection of personal data in the third country meets the EU's requirements. The determination of whether a third country provides adequate data protection is mainly based on the completeness and implementation of the third country's legal system related to personal data protection. China has not yet adopted this determination.

Secondly, appropriate safeguards. The two common ones are EU Standard Contractual Clauses (EU SCCs) and Binding Corporate Rules (BCRs). EU Standard Contract Clauses (SCCs) are standard contractual texts used when transferring data across borders from the EU Economic Area to third countries or organisations outside the region, binding data exporters and data importers by contract to ensure adequate protection of personal data. Binding Corporate Rules (BCRs) can simply be understood as a white list applicable to multinational enterprises; that is, the cross-border flow of personal data within an enterprise is no longer restricted when the EU administrative authorities have qualified the compliance framework within the enterprise as a whole.

Thirdly, derogations, which only apply to occasional cross-border transfers of data involving only a small number of data subjects in specific circumstances. The data exporter should not use this as a legal basis for routine data transfer across borders.

US

The US is open to cross-border transfers of personal data and has signed the Safe Harbor Frameworks and Privacy Shield Frameworks with the EU to regulate the privacy protection of cross-border transfers of personal data on both sides of the Atlantic. However, the US has adopted restrictions on certain important data. Examples are the California Consumer Privacy Act (CCPA), which has been described as the world's most expensive data protection law, and the Export Administration Regulations (EAR), which restrict the export of data on certain key technologies and in certain areas. In addition, industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the Gramm-Leach-Bliley Act (GLB) for financial services data in the US also require attention.

Singapore

The Personal Data Protection Act (PDPA) is the primary personal data protection legislation in Singapore, governing the collection, use and disclosure of personal data. The PDPA applies to all undertakings that collect, use and disclose personal data in Singapore, whether or not they have a physical presence in Singapore. The PDPA imposes obligations on businesses to comply with data transfer restrictions. That is, personal data cannot be transferred to a country or territory outside Singapore unless the business ensures that the recipient is bound by legally enforceable obligations, and the transferred personal data is protected to a standard of protection equivalent to that set out in the PDPA. These legally enforceable obligations include obligations under laws and regulations, contracts or binding corporate rules or any other legally binding instruments.

South Korea

South Korea is one of the most stringent jurisdictions in
the world in terms of regulations relating to data security. In addition to the amendments to the Personal Information Protection Act (PIPA), which added methods for transferring personal data overseas, the Korean Personal Information Protection Commission (PIPC) has issued a series of implementing regulations to accompany PIPA, including the Standard Personal Information Protection Guidelines, the Notice on Personal Information Impact Assessment, the Criteria for Penalties for Violation of the Personal Information Protection Act, the Personal Information Technology and Administrative Protection Measures Standards, etc.

Japan

Japan and the EU reached an adequate protection arrangement in 2019, recognizing each other's level of protection and security measures and allowing the free flow of personal data between the EU and Japan. However, Japan has a strict attitude to the cross-border transfer of personal data in its own country. The Act on the Protection of Personal Information (APPI), amended in April 2022, retains the original requirement that operators processing personal information should obtain the consent of the data subject,
and adds: the requirement to disclose the personal information protection system of where the recipient is located, as well as the personal information protection measures taken by the recipient in advance; the requirement to take necessary measures to ensure that such third party outside of Japan has continuously implemented protection measures equivalent to those required by the APPI for personal information protection; and the ability to provide information on the necessary measures taken by the enterprise if requested by the data subject, etc.

Russia

Article 22 of the newly amended Federal Law on Personal Data of Russia introduces the obligation to notify the processing of personal data and adds a pre-notification of the cross-border transfer of personal data, which means that operators will be subject to two notification obligations, namely the obligation to notify the processing of personal data and the obligation to notify the cross-border movement of personal data. Both notifications should be sent separately, and this requirement has been in force since 1 March 2023.

At the same time, the Federal Law on Personal Data of Russia sets
out relatively strict requirements for the regulation of outbound personal data, stating that foreign governments or countries must have an equivalent data protection level before personal information can be transferred out of Russia.

II. Chinese Information Cross-Border Compliance and Regulatory Trends

According to the Personal Information Protection Law of PRC (PIPL) and Information security Technology - Personal Information security specification (GB/T 35273-2020), personal information refers to all kinds of information recorded electronically or by other means that can identify a specific natural person or reflect the activities of a specific natural person, either alone or in combination with other information, including name, date of birth, identity document number, address, communication and contact method, health and physiological information, etc.

Since the implementation of the Cybersecurity Law of PRC (CSL) on June 1, 2017, the Chinese legislature and government authorities have gradually promoted the establishment of laws, regulations and regulatory rules related to the exit of personal information, which has initially formed a framework of three laws, namely the CSL, the Data Security Law of PRC (DSL) and the PIPL, supplemented by measures, regulations, standards and guidelines.

According to Article 38 of the PIPL and relevant laws and regulations, China has established three major routes for the cross-border transfer of personal information:

Route 1: Security Assessment

Article 4 of the Measures for the Security Assessment of Outbound Data Transfer (Security Assessment Measures) issued by the Cyberspace Administration of China (CAC) on 7 July
2022 specifies the mandatory triggers for data exit security assessment reviews:
(a) it provides important data abroad;
(b) it is a critical information infrastructure operator or it processes the personal information of more than one million individuals in total;
(c) it has exported the personal information of more than 100,000 persons in aggregate or the sensitive personal information of more than 10,000 persons in aggregate since January 1 of the previous year;
(d) other circumstances subject to a security assessment as required by the CAC.

Before submitting the application, the data processor should carry out a self-assessment of the risks involved in the data export (self-assessment report) and submit the legally binding document to be established. The self-assessment report is crucial to successfully passing the security assessment, so enterprises should carry out data compliance work and complete data mapping
and rectification before submitting the application.

Route 2: Certification

Certification is an important means for multinational corporations or the same economic entity to handle personal information out of the country. The applicable circumstances and underlying logic of this mechanism are similar to the BCRs of the EU, which are approved for the cross-border transmission of personal information within the statutory/agreed scope.

From November to December 2022, China released the Implementation Rules for Personal Information Protection Certification (PI Certification Rules) and its accompanying document, the Technical Specification for Certification of Cross-Border Transfers of Personal Information (Certification Specification V2.0), to make improvements to the outbound personal information protection certification mechanism. The certification process consists of certification application, technical verification, on-site audit, certification decision and post-certification supervision.

Route 3: Standard Contract

The Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information (Standard Contract Measures) and the Guidelines for Filing the Standard Contract for Outbound Transfer of Personal Information (first edition) define the scope
of subjects that can adopt standard contracts for transferring personal information abroad, including:
(a) it is not a critical information infrastructure operator;
(b) it processes the personal information of less than 1 million individuals;
(c) it has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year;
(d) it has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year.

Under the current regulations, personal information processors must meet all four of the above conditions in order for the standard contract route to apply, and if any one of these conditions is not met, the processor shall conduct the security assessment.

The trend in the regulation
of cross-border activities of personal information in various jurisdictions is characterised by a gradual improvement of regulations and a clearer path. We will then analyse the application and implementation of the standard contract based on the key issues faced in the process of exporting personal information from China.

Part II
The Key issues of Personal Information Cross-Border Transfer and the Standard Contract Route in China

Outbound data not only affects personal information rights, but also concerns national security and social public interests. Chinese regulatory authorities are issuing a series of laws and regulations to regulate the personal information cross-border transfer. Related enterprises are
facing a new round of data compliance challenges. Illegal data transfer would not only lead to economic compensation, but also damage the reputation of multinational companies and even trigger criminal responsibility. In this part, we will analyze the key issues of the personal information cross-border transfer, and how to implement the standard contract.

I. The key issues of personal information cross-border transfer

(i) Specific identification of domestic personal information processors

Whether domestic personal information processors are recognized as CIIO is the primary concern. According to the provisions of CSL, the Regulations on the Security Protection of Critical Information Infrastructure and the Information Security Technology - Methods for Determination the Boundary of Critical Information Infrastructure (GB/T 39204-2022), whether a personal information processor is a critical information infrastructure operator is usually judged as follows: generally speaking, key industries and fields involved in critical information infrastructure operation (CII) include public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and other industries and fields that may seriously endanger national security, national economy and people's livelihood and public interest once they are destroyed, lose their functions or have data leaked.

At present, the identification of CII and CIIO in China depends on the judgment and notice of the competent authorities. In other words, as long as the enterprise is not clearly recognized as a CIIO, the first step of applying the standard contract for outbound transfer of personal information is met.

(ii) Counting cross-border transfer personal information

Given that the outbound transfer route needs to be distinguished according to the volume of personal information abroad, counting the number of personal information abroad is therefore the basic step for enterprises.

The pain point for most enterprises is numerous departments and scattered data. If there is no unified management, counting the amount of personal information is impossible. Therefore, more and more enterprises choose to manage enterprise data through a professional database audit system. As the basic system of data security governance, database audit can not only record, analyze and report the behavior of accessing the database in real time, which is convenient for enterprises to form data statistical reports, but also analyze enterprise data activities from multiple angles, and automatically manage data
according to relevant laws and regulations, so as to help enterprises complete data security and compliance.

(iii) How can personal information be considered as cross-border transfer

According to Standard Contract Filing Guidelines, any of the following circumstances shall be considered a cross-border transfer of personal information:
(a) personal information handler transmits, or stores overseas personal information collected and generated domestically in the course of business operations;
(b) personal information collected and generated by the personal information handler is stored within the territory of China, but can be accessed, retrieved, downloaded and exported by foreign institutions, organizations or individuals;
(c) other acts of outbound data transfer stipulated by the CAC.

It can be seen that the cross-border transfer of personal information covers not only the physical personal information outbound transfer, but also the remote access of personal information. A data flow monitoring system (SMP) can clarify the outbound link and then clarify cross-border transfer personal information. SMP generally uses technologies such as data gathering and monitoring, sensitive data identification, data flow tracking, etc. to monitor and trace the data behaviors such as data access, data call, data sharing and data use, intelligently identify the behaviors and transfers of
82、ently identify the behaviors and transfers ofdata flow,and visually present the data flow relationship among organizations andnodes.At present,mature SMP could fully consider its own security,easy operation,easymaintenanceandotherrequirements,andcanseparatetechnologyimplementation from platform busi
83、ness to ensure the data security and businessefficiency maximization of enterprise.(iv)(iv)IdentifyIdentify importantimportant datadata fromfrom thethe outboundoutbound transfertransfer personalpersonal informationinformationInformationInformation SecuritySecurity TechnologyTechnology-RulesRules for
84、for IdentificationIdentification ofof ImportantImportant DataData(Draft(Draft forfor Comments)Comments)issued by the National Information Security StandardizationTechnical Committee on January 13,2022 defines the scope of important data,stipulates that important data refers to data in specific field
85、,specific group,specificregion or reaching a certain precision and scale,which may directly endanger nationalsecurity,economic operation,social stability,public health and safety once leaked ortampered with or destroyed.According toSecuritySecurity AssessmentAssessment MeasuresMeasures,if the person
86、al information transferredoverseas includes important data,the enterprise must declare the security assessmentfor the outbound data transfer through the local Cyberspace Administration at theprovincial level,and cannot choose other outbound data transfer routes.(v)(v)HowHow toto handlehandle sensiti
87、vesensitive personalpersonal informationinformationAccording toPIPLPIPL,sensitive personal information refers to personal information that,once leaked or illegally used,will easily lead to the violation of personal dignity ofWhite Paper on the Standard Contract for Outbound Transfer of Personal Info
88、rmation in ChinaPage 11 of 34natural persons or the harm to personal and property safety,including biometricidentification,religious belief,specific identity,medical and health care,financialaccounts,whereabouts and tracks,and personal information of minors under 14.InformationInformation s security
89、ecurity TechnologyTechnology-PersonalPersonal InformationInformation s securityecurity specificationspecification(GB/T(GB/T 35273-2020)35273-2020)has listed some types of sensitive personal information inAppendix B,which provides the compliance practice guide for enterprises.Because Chinese regulato
90、ry authorities now tend not to identify de-labeling sensitivepersonal information as sensitive personal information,how to de-identification thecross-border sensitive personal information has become a key concern for enterprisesto choose the data export route.At present,database desensitization tech
91、nology candeform and hide sensitive information through specified rules,and transform sensitivedata into non-sensitive data,thus providing security guarantee for the use of sensitivedata.More importantly,the structure of desensitized data can be consistent with theoriginal data,the desensitized data
can still be used for business processes without changing the supporting system or data storage equipment, and would not affect the continuous operation of enterprise business.

(vi) Ensure the transmission safety of cross-border personal information

The ultimate goal of the laws and regulations on outbound transfer data is to ensure the safety of data, so it is necessary to apply reliable security technology to support the transmission safety. In practice, the API audit system can help to sort out the complex APIs, draw API portraits and API access trajectories, monitor the risk of sensitive data flow, identify abnormal user behavior of API calls, and provide data security for the use and flow of business data.

II. Subject and scenario of applying standard contract route to cross-border transfer personal information

(i) Personal information handling subject applicable to standard contract

Generally speaking, foreign-invested enterprises, branches and Chinese-funded overseas enterprises, such as representative offices and wholly-owned subsidiaries of foreign companies in China, handle or transmit abroad less personal information, and usually only involve personal information of employees and suppliers or sellers.

(ii) Cross-border transfer of personal information scenarios applicable to Standard Contract

1. Based on the unified requirements of global information management of the parent company, the enterprise
provides overseas parent companies with management information such as personal information of employees through the office automation (OA) system.
2. The enterprise provides overseas recipients with user address information and identity information needed to complete the order, and may further provide additional data such as the user's shopping records and browsing behavior.
3. In the process of purchasing from multinational suppliers, international freight transportation and warehousing, the enterprise will collect relevant personal information such as suppliers, consignees, warehouse docking, etc., and transmit them to the supplier department at headquarters for use.
4. When an enterprise remotely accesses the system network of overseas customers through the network for technical support and fault handling, it will involve the processing of customers' personal information.
5. Enterprises organize brand promotion, exhibitions and other activities overseas, collect personal information such as customer business cards, and then share them with overseas parent companies.
6. Enterprises need to collect, transmit, use and maintain customer information in the process of global market research and customer relationship maintenance.
7. In the process of cross-border business cooperation and providing cross-border products, enterprises provide personal information collected during their operations to overseas companies, or store corresponding personal information in servers and data centers set up overseas.
8. Due to the needs of FCPA investigation of cases, anti-fraud investigation, overseas litigation and arbitration institutions, the enterprise provides investigation information and evidence materials involving personal information to overseas government departments, overseas parent companies and law firms.

III. The response plan - Standard Contract

At present, the threshold of triggering data outbound transfer security assessment is quite high, the applicable subjects and scenarios are limited, and the certification path of personal information protection in China needs to be further tested. However, the standard contract has the advantages of high efficiency, convenience, high recognition, easy connection of multinational companies' compliance systems, and open and flexible dispute resolution methods. Therefore, for enterprises with small personal information processing scale and low frequency of data outbound transfer demand, it is more appropriate to choose the standard contract.

In June 2022, CAC issued the Provisions on Standard Contracts for the Cross-border Transfer of Personal Information (Draft for Comments) and the
107、oss-border TransferTransfer ofof PersonalPersonal InformatioInformation n(Draft(Draft forfor CommentComments s)and thestandard contract text,and then in February and May 2023,CAC successively issuedtheChineseChinese SCCsSCCsandStandardStandard ContractContract FilingFiling GuidelinesGuidelines,which
jointly provided the legal basis and implementation guide for the standard contract for personal information exit formally implemented in China on June 1, 2023.

Under the current supervision system of cross-border transmission of personal information, we suggest that enterprises carry out the filing of standard contracts for personal information exit in compliance with the following steps:

Prior: Internal compliance and preparation

1. Corporate internal compliance governance system

(1) Establish a pre-cross-border data assessment mechanism. Complete the data cross-border feasibility assessment, the data cross-border field minimization assessment and the data cross-border security assessment before cross-border transmission of personal information.

(2) Improve the individual consent collection procedure in the business model and fully fulfill the obligation of informing.

(3) Identify outbound transfer scenes and make a data inventory. Domestic personal information processors should first conduct a comprehensive inspection of their outbound activities, take stock of the outbound scenes of personal information and the scale and attributes of outbound personal information, and judge whether the standard contract is applicable to enterprises.

2. Complete the Personal Information Protection Impact Assessment (PIA)

According to the requirements of the PIPL, Information Security Technology - Personal Information Security Specification, Information Security Technology - Personal Information Security Impact Assessment Guide, etc., domestic personal information processors need to set up a PIA working group, carry out or hire a third party (such as a law firm or a consultancy) to assist in analyzing the personal rights and interests impact and security protection measures of processing activities involving personal information, and make a PIA report.

As an essential step in the standard contract filing procedure, domestic personal information processors need to pay attention to the following points when conducting the PIA:

(1) Data mapping analysis: enterprises should form a clear data list and data mapping chart after conducting a comprehensive investigation.

(2) Sensitive personal data identification: identify and classify sensitive personal data (including personal property information, personal health physiological information, personal biometric information, personal identity information, etc.) according to the Information Security Technology - Personal Information Security Specification.

(3) Analysis of personal information processing activities: classify personal information processing activities according to the types, sensitivities, collection scenarios, processing methods, related parties and other factors, and describe the specific situation of each type of personal information processing activity.

(4) Drawing a personal data flow chart: do it based on the analysis of personal information processing activities, including processing scenarios, departments involved, flow forms, personal information data involved, business systems involved, etc.

(5) Risk source identification: analyze which threat sources personal information processing activities are facing, and whether security measures are insufficient, leading to vulnerabilities and security incidents. Risk source identification can be summarized into four aspects: network environment and technical measures, personal information processing flow, participants and third parties, business characteristics and scale and security situation.

(6) Impact analysis of personal rights and interests: analyze whether specific personal information processing activities would have an impact on the rights and interests of personal information subjects, and what impact they may have. The influence of personal rights and
interests includes the following aspects: the sensitivity analysis stage of personal information, the characteristics analysis stage of personal information processing activities, the problem analysis stage of personal information processing activities and the influence degree analysis stage of personal rights and interests.

(7) Key technical capabilities: including personal information management capabilities, data source identification capabilities, personal sensitive data identification capabilities, personal information life cycle monitoring capabilities, personal information desensitization/encryption technology verification capabilities, API audit capabilities, etc.

In-process: Implement standard contract filing

1. Determine the signing subject:

As far as domestic contracting entities are concerned, if the group enterprise has multiple entities in China, in order to distinguish the personal information outbound activities carried out by different entities, it is suggested that each entity sign a standard contract with the overseas recipient separately and put it on record; as far as
126、cord;As far asoverseas contracting entities are concerned,there may be multiple recipients at thesame time,and there may also be cases where overseas recipients entrust processingor retransmission abroad.In practice,there may be some cases where overseasrecipients are unwilling to become the signing
127、 subject.In this case,it is necessary toadjust the data processing flow of overseas recipients,and adjust the one-to-manydata outbound activities to one-to-many data outbound activities.2.Verify whether there is a conflict:In view of the fact that the text of the standard contract can not be modifie
128、d at will,and other cooperation agreements signed by both parties can not conflict with thestandard contract,enterprises should pay special attention to the conflict andcompatibility between agreements before signing the standard contract,such aschecking the compatibility between different agreement
129、s,especially whether therights and obligations of all parties conflict,the application of laws,and theresponsibility of supervision and response.3.Declaration and implementation:To complete the filing procedures of an information standard contract,an enterpriseshould submit a standard contract,a PIA
and procedural documents to the local Cyberspace Administration at the provincial level. After receiving the materials, the CAC shall complete the material inspection within 15 working days and notify the enterprise of the filing results. If it passes the filing, the CAC will issue the filing number to the enterprise; if the filing fails, the CAC will inform the enterprise of the results and reasons of the failure. If the CAC requests to supplement and improve the materials, the enterprise should supplement and improve them and resubmit them for filing within 10 working days.

Afterwards: Continuous supervision and timely update

Unlike the safety assessment that must be re-evaluated every two years, the filing of standard contracts continues to be effective. However, under the following circumstances, the enterprise needs to supplement or re-conclude the standard contract and re-file it with the CAC:

1. the purpose, scope, type, sensitivity, method, storage location of providing personal information overseas, or the purpose and method of the foreign recipient processing personal information have changed, or the period of overseas storage of personal information has been extended;

2. the personal information rights and interests may be affected by a change to the policies and regulations on personal information protection in the country or region where the foreign recipient is located;

3. other situations that may affect the rights and interests of personal information.

Based on this, after the personal information exit standard contract is filed, the enterprise should continuously monitor the cross-border transmission activities of personal information, and assess whether it is necessary
to inform the personal information subject again and obtain separate consent when there is a change, and whether it is necessary to re-sign the standard contract and file it.

Part III

Analysis of the key points of cross-border transfer of personal information in key industries

I. Finance

(i) Financial information of financial institutions and individuals

With the wide application of network technology in the financial industry, the transfer and flow of personal financial information has actually constituted the blood of modern financial life. At present, the cross-border financial business volume is increasing year by year, and the cross-border transmission scenarios of personal financial information are increasing.

At present, China's financial institutions mainly include entities engaged in financial business approved by the national financial management department, such as commercial banks, financial leasing companies, trust companies, securities companies, futures companies, insurance companies, etc., and financial enterprises or other organizations engaged in financial activities, such as private equity fund management companies, small loan/online loan companies, internet payment institutions, various trading venues, commercial factoring companies, etc. These subjects belong to financial institutions in a broad sense, and they may all involve the compliance of personal financial information.

The Technical Specification for the Protection of Personal Financial Information issued by the People's Bank of China (PBoC) on February 13th, 2020 gives a clear definition of personal financial information, that is, personal information obtained, processed and saved by financial institutions through providing financial products and services or other channels, including but not limited to:

1. Personal identity information;

2. Personal property information (income, movable property, real estate, etc.);

3. Personal account information (account number, account opening time, bank, etc.);

4. Personal credit information;

5. Financial transaction information;

6. Derivative information (information that reflects certain situations of specific individual financial information subjects, such as consumption habits, investment willingness, etc.);

7. Other personal information obtained and saved in the process of establishing business relations with individuals.

(ii) Common scenarios of cross-border transmission of personal financial information

Usually, the cross-border transmission of financial personal information has the following situations:

1. Branches of
foreign-funded companies in China need to report customer financial information to the head office;

2. The home countries of multinational financial groups obtain overseas information according to the requirements of judicial and law enforcement departments such as the United States, the European Union and the United Kingdom for audit needs or tax supervision and anti-money laundering requirements;

3. Cross-border payment (such as cross-border payment by bank card) cannot be settled without providing customer financial information;

4. Conventional data transmission stipulated in the agreement, such as the privacy shield agreement between the EU and the US;

5. If a customer of a bank in China uses a credit card to pay overseas, the issuing bank in China will transmit the customer's personal information abroad to verify the credit card;

6. International financial groups should also transfer personal financial information during internal management. For example, if the parent bank of a multinational bank complies with the regulations of the home country to carry out daily management activities, overseas branches
are usually required to submit relevant business information and statements on a regular basis.

(iii) Compliance points of cross-border transmission of personal financial information

The Notice on the Banking Financial Institutions to Do a Good Job in the Protection of Personal Financial Information issued by the PBoC in January 2011 prohibits, in principle, banking financial institutions from providing personal financial information collected in China to overseas, except where laws, regulations and relevant provisions of the PBoC provide otherwise.

If personal financial information really needs to leave the country, according to the financial industry standard Technical Specification for the Protection of Personal Financial Information (JR/T 0171-2020) issued by the PBoC in February 2020, outbound personal financial information needs to follow the four elements of business necessity + customer authorization + overseas affiliates + confidentiality; that is, financial institutions (including other financial enterprises providing financial services) can refer to the following when it comes to cross-border transmission of personal financial information.

1. Obtain the express consent of the subject of personal financial information;

2. Meet the requirements of subject qualification and confidentiality, since holding the corresponding business qualifications is the premise for processing financial data;

3. A personal financial information security impact assessment can be carried out to test the legal compliance of processing activities, and to assess whether the data security protection capability of overseas institutions meets the security requirements of the state, relevant industry departments and financial institutions;

4. Clarify and supervise overseas institutions' performance of their obligations, such as personal financial information confidentiality, data deletion and case investigation, through signing agreements and on-site verification;

5. Use data encryption and data integrity checks to ensure data confidentiality and integrity during data storage;

6. Authenticate the identities of both communication parties (including institutions, API, equipment, systems, etc.), and ensure the non-repudiation of data transfer by means of digital signature;

7. Use channel encryption, data encryption, dedicated channels and other mechanisms to protect data transfer security;

8. Establish personal information outbound transfer records and keep them for at least 5 years.

II. Vehicle

(i) Personal vehicle information outbound transfer profile

With the global business layout of Chinese car companies, it is inevitable for vehicle data processors to transfer their personal information across borders. The so-called vehicle data processor is the organization that carries out intelligent networked vehicle data processing activities, including intelligent networked vehicle manufacturers, parts and software suppliers, dealers, maintenance agencies and travel service enterprises. As long as the above-mentioned entities carry out vehicle data processing activities in China, they may become the parties of vehicle data outbound transfer.

Combined with relevant regulations and industry practice, most of the above data collected by intelligent vehicles belongs to personal information, including the owner's name, ID number and biometric information that can directly identify the identity of natural persons, as well as the license plate number, vehicle track and vehicle identification number (VIN) that can be combined with other information to identify the identity of natural persons, as well as the technical data of the vehicle itself (such as operating parameters of various components, driving habits, etc.). Moreover, information such as identity information, biological information, trajectory and location information belongs to personal sensitive information.

(ii) Common scenarios of cross-border transmission of personal vehicle information

As far as multinational automobile companies are concerned, the cross-border transfer of vehicle data may involve both domestic transmission to overseas and direct overseas access. The scenarios of cross-border transfer of personal vehicle information mainly include:

1. Collect users' personal information and sensitive personal information through vehicle and mobile apps, and then provide
them overseas for the development of apps;

2. The data collected by the camera in the vehicle, such as the driver's audio and video data, are then provided overseas for technology research and development and service improvement;

3. Data collected by the camera outside the vehicle: for example, after collecting the video and image data outside the car including face information and license plate information, and the information outside the vehicle such as road and traffic conditions, it will be provided overseas for the research and development of autonomous driving technology;

4. Cross-border law enforcement investigation, etc.

(iii) Suggestions on compliance of cross-border transfer of personal vehicle information

Several Provisions on Vehicle Data Security Management (for Trial Implementation) stipulates that the video and image data outside the vehicle including face information and license plate information, and personal information involving more than 100,000 personal information subjects are important data. In principle, the above-mentioned important data should be stored in China. If it is really necessary to provide it overseas due to business needs, it should pass the security assessment organized by the national network information department in conjunction with relevant departments in the State Council.

In the process of cross-border transfer of personal vehicle data, according to the Requirements for the Protection of Personal Information of Users of Telematics Services (YD/T 3746-2020), domestic personal information processors could refer to the following compliance suggestions:

1. Implement strict technical and management measures, and obtain users' consent before collecting and transferring personal information;

2. Take necessary encryption measures in the period of information collection and transfer to ensure the confidentiality and integrity of data;

3. Ensure the safety of personal information access control of users of telematics services, and establish strict personal information safety management norms and real-time data monitoring mechanisms;

4. Set up the internal data
approval process and system, and monitor and warn about the use of personal information in real time.

III. Medical health

With the increasingly frequent global medical exchanges, the cross-border demand for medical and health data is becoming more and more urgent. In recent years, China's Internet + medical health and the informationization of medical institutions have gradually spread out, so domestic medical institutions have mastered a large amount of medical and health personal information. In addition, the PIPL regards medical health information as sensitive information, and a large amount of patient-related information in the medical industry, such as medical record information, adverse reaction report information, clinical trial data, etc., will fall into the category of sensitive personal information because of its medical health attribute.

(i) Legal regulation of cross-border transfer of personal medical health information

When carrying out personal medical and health information outbound transfer, domestic personal information processors should not only pay attention to the requirements of industry norms, but also should not ignore the medical data attributes in the network and data security supervision system. Cross-border transfer of personal medical and health information mainly has the following special provisions:

1. In principle, medical health data should be stored in domestic servers. If it is really necessary to provide it overseas due to business needs, it should be assessed and audited in accordance with relevant laws and regulations and relevant requirements. However, the Measures for the Management of Population Health Information (for Trial Implementation) stipulates that once medical data constitutes population health information, the cross-border transfer would be strictly prohibited.

2. According to the Regulations on the Management of Human Genetic Resources, human genetic resources information refers to data and other information materials generated by using human genetic resources materials. The Detailed Rules for the Implementation of the Regulations on the Management of Human Genetic Resources issued by the Ministry of Science and Technology on May 26, 2023 provide that, when information on human genetic resources is provided abroad, the domestic information owner shall, in principle, report to the Ministry of Science and Technology in advance and submit an information backup; if the information provided on human genetic resources may affect public health, national security and public interests, it shall pass the safety review organized by the Ministry of Science and Technology.

3. According to the Information Security Technology - Medical Health Data Security Guide, cross-border transfer of medical and health data based on academic research needs to be de-labeled, and non-confidential and non-important data with a quantity of less than 250 can leave the country after discussion and approval by the Data Security Committee.

(ii) Common scenarios of cross-border transfer of personal medical and health information

1. Pharmaceutical research and development

At present, a common mode in the field of pharmaceutical R&D is the international multi-regional clinical trial (MRCT), that is, clinical trials are conducted in multiple regions under the same scheme, so as to save time and cost and avoid the repetition of clinical trials. There are many areas sharing test results, so it is necessary to transfer relevant test data.

2. The clinical trial data involved in international cooperative research outbound transfer

Foreign units and China partners jointly carry out national cooperative research, which involves clinical trials. If it is necessary to transmit data abroad, or open access rights to data to overseas subjects, or deploy their servers and operations abroad, it may constitute clinical trial data leaving the country.

3. Cross-border declaration of investigational new drug (IND) and new drug application (NDA)

If Chinese pharmaceutical companies apply for the listing of new drugs in the US, they need to apply to the US Food and Drug Administration (FDA) for the approval of IND and NDA, and the applicants must provide clinical research plans. These documents often contain important data and personal sensitive information.

4. Based on scientific research purposes to release the results of clinical trials abroad

Research institutions conducting clinical trials may submit their research findings to overseas institutions
or publications, and the process of submitting or reviewing may involve the provision of relevant clinical trial data to overseas institutions.

5. Personal information of patients leaving the country: such as going abroad for medical treatment or cross-border consultation.

6. Commercial insurance docking

Commercial insurance institutions usually establish a connection with medical institutions, and carry out circulation docking of information such as the treatment status of the patient and the medical expenses, so as to realize the automatic settlement and payment of commercial insurance by the system.

7. Secondary utilization of desensitization data

Public health departments, scientific research institutions and enterprises may desensitize health care data for government decision-making, scientific research statistics and other purposes, and then carry out analysis, mining and other processing activities.

IV. Cross-border e-commerce

(i) E-commerce-related personal information cross-border transfer scenarios and legal regulation

With the acceleration of economic globalization and the increase of domestic consumer demand, cross-border e-commerce has developed more rapidly. The global large-scale cross-border e-commerce platforms, such as Alibaba and Amazon, transmit and process information across borders through the Internet, and build a world user network of cross-border e-commerce operators, which helps to reduce transaction costs and achieve business expansion. It can be said that the development of cross-border e-commerce will inevitably be accompanied by the flow of cross-border data.

In the whole life cycle process of cross-border e-commerce activities, online and offline scenes of subjects such as customs and other government departments, domestic and foreign consumers, cross-border e-commerce enterprises, platform enterprises and domestic service providers are deeply intertwined, forming data interaction among many subjects. Personal information such as transaction electronic data, payment and logistics information derived from each transaction of consumers is an important part of the closed loop of cross-border e-commerce transactions. In the cross-border e-commerce retail import mode, because one party of the transaction is located abroad, it is bound to involve the issue of data outbound transfer. For example, in the B2C mode, it is impossible to deliver express delivery without giving the contact information and address of consumers abroad.

(ii) E-commerce-related personal information cross-border transfer compliance points

Article 58 of the PIPL adds the gatekeeper obligation for platform enterprises to protect personal information, requiring personal information processors who provide important Internet platform
services, have a large number of users and have complex business types to fulfill the following obligations:

1. Establish and improve the compliance system of personal information protection in accordance with state regulations, and set up an independent organization mainly composed of external members to supervise the protection of personal information;

2. Follow the principles of openness, fairness and justice, formulate rules for the platform, and clarify the norms for products or service providers in the platform to handle personal information and the obligation to protect personal information;

3. Stop providing services to products or service providers in platforms that seriously violate laws and administrative regulations to handle personal information;

4. Regularly publish a personal information protection social responsibility report and accept social supervision.

5. Under the current unified legislative model of cross-border protection of personal information, we must sort out the rules of personal information outbound transfer from the aspects of reasonably and clearly defining the scope of personal information, improving the rules of cross-border data flow, and clarifying the legal responsibilities of cross-border e-commerce operators.

V. Aviation

As an industry with a huge amount of information, the protection of personal information involved in the aviation industry should not be underestimated. Civil aviation enterprises should be the main body involved in the cross-border transmission of personal information in the aviation field. Civil aviation passengers' personal information has the characteristics of authenticity and national security attributes, and special attention should be paid to its cross-border transfer compliance and security requirements.

(i) Legal regulation of cross-border transfer of personal aviation information

At present, the legislation concerning the protection of personal information mostly focuses on the protection of private law, but it needs to pay attention to national security issues when it comes to cross-border transfer.

When aviation enterprises are involved in providing personal information abroad, they should not only fulfill the obligation of informing + obtaining individual consent stipulated
209、in Article 39 of thePIPLPIPL,such as providing personal information to lawenforcement agencies such as border inspection and customs,but also follow theadditional obligation stipulated in Article 41 of thePIPLPIPL,that is,China should abideby the international treaties and agreements concluded or ac
210、ceded to,and handle thepersonal information provided by foreign judicial or law enforcement agencies inaccordance with the principle of equality and reciprocity.However,without theWhite Paper on the Standard Contract for Outbound Transfer of Personal Information in ChinaPage 29 of 34approval of the
211、relevant competent authorities,personal information processors maynot provide personal information stored in China to foreign judicial or lawenforcement agencies.(ii ii)CommonCommon scenariosscenarios forfor cross-bordercross-border transtransferfer ofof personalpersonal aviationaviation information
Because of the international nature of air transport, it is inevitable to transmit the personal information of civil aviation passengers across borders. There are many subjects involved in civil aviation passenger information processing. At the industry level, there are complicated information flows among public air transport enterprises, air transport sales agents, air transport sales guarantee enterprises, airport ground service departments and passengers. Therefore, on the outbound route, civil aviation enterprises that sell tickets usually need to transfer the passenger ticketing information to the following institutions:

1. Ground service companies at transit and destination airports;
2. The actual carrier along the way;
3. IT information providers that provide support for overseas ground services;
4. Government border inspection and customs departments along the route.

At present, there are two main ways of cross-border transmission of China civil aviation passenger information:

1. Cross-border e-commerce mode in the air ticket sales market: the air ticket sales platform is directly connected with foreign civil aviation computer reservation systems (CRS) and other tourism product suppliers through technical means, which provides a way for Chinese tourists to purchase overseas air ticket products in RMB at home;
2. Overseas CRS enterprises enter the mode of domestic direct ticket sales. CRS is defined as an air transport auxiliary service in the WTO General Agreement on Trade in Services. A CRS enterprise is an information enterprise, which has many data resources of passengers, airlines and industry development, and its services cover all aspects of passenger travel, such as inquiry, selection, reservation and flight.

At the same time, the travel information of inbound and outbound passengers has an important impact on ensuring national security, chasing criminals and dealing with emergencies. In view of the fact that China has adopted the international standard of the API/PNR mechanism (ICAO TRIP Strategy) regulated by the International Civil Aviation Organization (ICAO), according to the principles of equality and reciprocity and exemption from international treaties, Chinese aviation enterprises usually have the need to provide data to foreign governments.

Conclusion

Under the trend of global integration and the data-driven economy, the smooth cross-border flow of personal information is an inevitable way to deepen cooperation between countries and enterprises, and the standard contract for outbound transfer of personal information provides an efficient and convenient path for qualified subjects. At present, the industrial characteristics of cross-border data flow supervision rules in China are increasingly prominent, and the related technologies of cross-border data flow are becoming mature and widely used. In the future, enterprises should shift their focus from meeting regulatory requirements to generating actual efficiency for enterprise development, and shift the construction of the compliance system for cross-border data flow from compliance-driven to business value-driven, so that compliance input can be changed from cost input to value investment to fully stimulate application potential, and then realize the ultimate goal of enterprises' cross-border data flow: improving enterprise efficiency through data empowerment.

Disclaimer: This white paper is only for industry exchange, and is not for commercial use, investment recommendation or legal advice. The copyright of the images involved in the white paper belongs to the original owner. Don't hesitate to contact us if you want further communication.

Appendix: Introduction of the Publishers

Introduction to YingKe:

YingKe is a global legal service organization with more than 14,000 lawyers, ranking first by number of lawyers in the 2022 Global 200. Headquartered in Beijing, YingKe has 111 branches in China. YingKe's global legal service network covers 164 international cities in 95 countries including France, Germany, Britain, Italy, Switzerland, Poland and Singapore, including direct branches in 19 countries including the United States, Australia, Germany and South Korea, providing highly satisfactory legal services to more than 800,000 domestic and foreign enterprises.

YingKe Network Compliance Team, led by Guo Weihong (Davey), deputy director of YingKe Cyber Data Security Center and senior equity partner of YingKe, is one of the earliest teams of lawyers specializing in the legal field of network data in China. It has provided comprehensive solutions such as network data compliance, platform compliance, business model compliance, crawler and open source compliance governance, network-related litigation, and perennial compliance consulting for dozens of companies in digital economy fields such as Internet, financial technology, manufacturing, e-commerce platform, communication, big data, and Internet of Things. It has rich experience in “law+technology” projects, and YingKe has been listed in “Data Protection & Privacy” in Chambers.

Introduction to MSTL:

National Quality Inspection and Testing Center of Security Products for Network and Information Systems (MSTL), authorized by the National Certification and Accreditation Administration and relying on the Third Research Institute of the Ministry of Public Security, was established on May 19, 2015, on the basis of the Ministry of Public Security Computer Information System Security Products Quality Supervision and Inspection Center.

MSTL has a total investment of more than 100 million yuan in equipment, an area of 8,000 square meters of experimental and office space, more than 1,300 sets of major instruments and equipment for testing, 179 items of national laboratory-accredited testing capabilities, and a highly qualified inspection team specializing in electronic information, computer technology, information security, etc. Its business centers on the development of the network and data security industry, including network security level protection assessment, data security compliance consulting, data security risk assessment, personal information security impact assessment, commercial password application security assessment, critical information infrastructure security testing and assessment, network security product testing, security equipment selection testing, APP security testing, online website real-time monitoring, source code audit and record, security testing, security training, etc., providing one-stop services for government and enterprises in testing, consulting and certification.

Introduction to Secsmart:

Secsmart Information Technology Co., Ltd. (Secsmart) is a high-tech enterprise focusing on data security. It innovatively puts forward a three-dimensional dynamic data security concept of Cloud Connect Device, and successfully applies artificial intelligence and cutting-edge cryptography technology to the field of data security, thus realizing comprehensive protection of structured and unstructured data assets. Secsmart has built a full-stack data security product system and service capabilities covering big data security, cloud data security, application data security, data leakage prevention, industrial internet security and data security governance, which are widely used in government, electric power, finance, communication, medical care, education and other industries.

The founding team of Secsmart has a global data security vision and technical practice ability. With the mission of "Make Data More Secure", Secsmart now has more than 100 invention patents and software copyrights, and has been certified by the Ministry of Public Security, the Office of Security Commercial Code Administration and the State Administration for Market Regulation. At present, the company has set up two R&D centers and more than 20 branches in China, and has continued to cooperate with more than 2,000 well-known units such as the Ministry of Emergency Management, State Taxation Administration, ICBC, Industrial Bank, State Grid, China Southern Power Grid, China Telecom, China Unicom and Tencent. Adhering to the corporate culture of "Walk together on the journey and strive to meet customers' needs", Secsmart is willing to build a data security ecosystem with partners, promote the construction of digital China with advanced technological innovation, and escort the development of the digital economy!