Shanghai Data Group (上海數據集團) & Duan & Duan (段和段): 2024 White Paper on Chinese Practice of Outbound Data Transfers: Operational Q&As and Practical Exercises (Chinese-English bilingual edition) (67 pages)
Series on International Data Cross-Border Rules
White Paper on Chinese Practice of Outbound Data Transfers
Operational Q&As + Practical Exercises
January 2024

White Paper on China Outbound Data Transfers Practice

Preface

As one of the main countries in the flow of data elements, China has already established a comprehensive compliance regulatory mechanism for cross-border data flows. The three paths for outbound data transfers (security assessment, standard contract filing, and personal information protection certification) have all been formally implemented, with approved cases emerging in various provinces and cities across industries such as biopharmaceuticals, automotive manufacturing, cross-border e-commerce, and corporate credit reporting.

At the same time, China is also actively formulating and promoting relevant "burden reduction" policies to further reduce compliance costs for enterprises. For example, the Provisions on Regulating and Promoting Cross-border Flow of Data (Exposure Draft), released for comment on 28 September 2023, clearly list the exemptions for outbound data transfers; similarly, the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong), issued in December 2023, simplify the compliance requirements for the flow of personal information between the Mainland and Hong Kong.

Choosing which path to use, determining who applies for the outbound data transfer, and figuring out how to achieve a compliant transfer are major challenges for most foreign-owned enterprises and multinational corporations. For this reason, we wrote this white paper (Operational Q&As + Practical Exercises), starting from enterprises' actual business scenarios and working through the core issues they care about. We hope it will help enterprises clarify the compliance path for outbound data transfers and achieve the orderly flow of data.

Faced with the choice of outbound data transfer paths, we take each of the three paths in turn as an axis, identifying and analyzing the issues that arise along each one. We have summarized 30 operational questions along with 10 practical cases, presented in a Q&A format supplemented by practical exercises. By analyzing and interpreting the regulations and policies and exploring common scenarios in outbound data transfers, we provide guidance for enterprises on choosing the right path and on handling outbound data transfers under strict regulation.

Contents

I. Pivot View of China's Outbound Data Transfer Paths
(I) Origins of Paths
(II) Path Selection
(III) Path Exemptions (if any)
II. Q&A on Chinese Practices of Outbound Data Transfers
(I) 10 Questions on Security Assessment for Outbound Data Transfers
Q1: Under what circumstances must security assessment for outbound data transfers be conducted?
Q2: What constitutes an act of outbound data transfer?
Practical Exercise 1
Q3: How to identify important data?
Q4: How to identify sensitive personal information?
Q5: Who is a critical information infrastructure operator?
Q6: How to define the quantitative scale of 1 million, 100 thousand, and 10 thousand?
Q7: What should be done when there are multiple outbound scenarios to be declared by the same data processor?
Q8: When should a security assessment for outbound data transfers be re-conducted?
Practical Exercise 2
Q9: Is it necessary for companies to carry out the self-assessment exercise in advance? If so, how far in advance? What should be assessed in the self-assessment?
Practical Exercise 3
Q10: How long does the security assessment filing process of outbound data transfers take?
(II) 15 Questions on the Filing of the SC for Outbound Transfer of Personal Information ("SC Filing")
Q11: What is the scope of application of a SC?
Q12: Who are parties to a SC?
Practical Exercise 4
Q13: The provision refers to "independent contracting"; does this mean that companies can skip the filing process?
Q14: Can the same set of SC be used for multiple outbound data transfers?
Practical Exercise 5
Q15: Can related parties consolidate their filings?
Practical Exercise 6
Q16: Can the terms of a SC be modified?
Q17: If a SC under the GDPR has been signed, do I need to sign a SC that conforms with the Chinese laws?
Q18: Can a PIP submit a non-Chinese version of a SC?
Q19: How long is a filing of SC valid for?
Q20: Under what circumstances will it be necessary to re-file?
Practical Exercise 7
Q21: Can a trustee enter into a SC?
Practical Exercise 8
Q22: Is PIA special under the SC Filing path?
Q23: What is the outcome of a SC Filing?
Q24: Are outbound transfers of personal information during the grace period legal?
Q25: In the event that modification is not completed within the grace period, would the outbound data transfer be illegal? Is there any legal consequence for such a failure?
Practical Exercise 9
(III) 5 Questions on Security Certification for Cross-border Processing Activities of Personal Information ("PIPC")
Q26: When can I choose the PIPC?
Q27: Is PIPC an alternative option to SC Filing?
Practical Exercise 10
Q28: Is it necessary to designate a person to be in charge of personal information protection and establish a personal information protection organization under the PIPC path?
Q29: How is PIPC conducted?
Q30: What is the validity period of the PIPC?
Annex I: Index of Q&As and Practical Exercises
Annex II: List of Major Laws and Regulations

Overview

I. Pivot View of China's Outbound Data Transfer Paths

(I) Origins of Paths

The cross-border flow of data is an inevitable part of the globalized digital economy, and data sovereignty, data security, and personal information protection are matters of consensus among regulators worldwide.

China's current laws provide three paths for outbound data transfers, namely: security assessment for outbound data transfers, the filing of the Standard Contract for outbound transfer of personal information (or "SC Filing"), and security certification for cross-border processing activities of personal information (or "Personal Information Protection Certification", "PIPC"). All three are derived from Article 38, Paragraph 1 of the Personal Information Protection Law, which provides that where a personal information processor (PIP) genuinely needs to provide personal information outside the territory of the People's Republic of China due to business or other needs, it shall meet any of the following conditions:
(I) to have passed the security assessment organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 thereof;
(II) to have obtained a Personal Information Protection Certification issued by a specialized agency in accordance with the regulations of the Cyberspace Administration of China;
(III) to have entered into a contract with an overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; or
(IV) to meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China.

(II) Path Selection

Note: In particular, for personal information processors and recipients registered in the Mainland part of the Guangdong-Hong Kong-Macao Greater Bay Area or in the Hong Kong SAR, the option of filing a standard contract is available for cross-border flows of personal information between the Mainland part of the Greater Bay Area and the Hong Kong SAR that do not contain important data.

(III) Path Exemptions (if any)

Meanwhile, in order to further reduce the compliance cost of enterprises in cross-border data transfer, the Cyberspace Administration of China issued the Provisions on Regulating and Promoting Cross-border Flow of Data (Exposure Draft) (the "Exposure Draft") on 28 September 2023, with the intention of reducing the burden on the cross-border flow of data elements. The Exposure Draft clarifies the following two main points:

1. [New exemptions] Under any of the following circumstances, it is not required to apply for security assessment for outbound data transfers, conclude a standard contract for outbound transfer of personal information, or pass PIPC:
- where the outbound data transfer arises from international trade, academic cooperation, cross-border production and manufacturing, marketing, and similar activities, and does not contain personal information or important data;
- where the personal information provided abroad was not collected or generated within China;
- where the personal information must be provided abroad because it is necessary for the conclusion and performance of a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, air ticket and hotel booking, visa processing, etc.;
- where the personal information of internal employees must be provided abroad for human resources management carried out under labor rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law;
- where personal information has to be provided abroad to protect the life, health, and property safety of natural persons in an emergency; and
- where the PIP is expected to provide personal information of fewer than 10,000 individuals to locations outside China within one year.

2. [Encouraging innovative pilots] Pilot free trade zones may, on their own, formulate lists of data that need to be included in the scope of administration of security assessment for outbound data transfers, standard contracts for outbound transfer of personal information, and personal information protection certification (the "Negative List"). Outbound transfers of data outside the Negative List may be carried out without applying for security assessment for outbound data transfers, concluding a standard contract for outbound transfer of personal information, or passing PIPC.

The Exposure Draft has not yet been formally issued, but it has clearly sent a strong signal in favor of promoting the free cross-border flow of data. It is believed that a mechanism for the orderly, compliant, and free flow of data across borders will soon be established.
53、 on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 13/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules 數據出境實務數據出境實務 30 問答問答 (30 Q&As)二、中國數據出境實務問答二、中國數據出境實務問答 II、Q&A on Chinese Practices of Outbound Data Transfers (一一)數據出境
54、安全評估數據出境安全評估 10 問問(I)10 Questions on Security Assessment for Outbound Data Transfers Q1:什么情形必須啟動數據出境安全評估?什么情形必須啟動數據出境安全評估?Under what circumstances must security assessment for outbound data transfers be conducted?A1:具備以下情形之一時,必須啟動數據出境安全評估:A security assessment for outbound data transfers must be con
55、ducted when one of the following circumstances arises:(1)數據處理者向境外提供重要數據;where a data processor provides important data abroad;(2)關鍵信息基礎設施運營者和處理 100 萬人以上個人信息的數據處理者向境外提供個人信息;where a key information infrastructure operator or a PIP of the data of more than one million people provides abroad personal in
56、formation;(3)自上年 1 月 1 日起累計向境外提供 10 萬人個人信息或者 1 萬人敏感個人信息的數據處理者向境外提供個人信息;或者 where a PIP has provided abroad personal information of 100,000 people or sensitive personal information of 10,000 people in total since January 1 of the previous year;or(4)國家網信部門規定的其他需要申報數據出境安全評估的情形。1 1 數據出境安全評估辦法(國家互聯網信息辦公室,
57、國家互聯網信息辦公室令第 11 號,中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 14/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules Other circumstances prescribed by the Cyberspace Administration of China fo
58、r which declaration for security assessment for outbound data transfers is required.特別地,該境外包含香港特別行政區、澳門特別行政區以及臺灣地區。In particular,this territory includes the Hong Kong Special Administrative Region,the Macao Special Administrative Region,and Taiwan.Q2:數據出境行為具體包含哪些?數據出境行為具體包含哪些?What constitutes an act
59、 of outbound data transfer?A2:數據出境行為包括向境外提供或允許境外訪問境內數據,具體包括以下三種情形:Acts of data outbound transfers include providing or allowing access to data within the territory from outside the territory,specifically including the following three situations:(1)數據處理者將在境內運營中收集和產生的數據傳輸、存儲至境外;The data processor tran
60、sfers and stores the data collected and generated in its operations within the territory abroad;(2)數據處理者收集和產生的數據存儲在境內,境外的機構、組織或者個人可以查詢、調取、下載、導出;Data collected and generated by data processors are stored in the territory and can be queried,accessed,downloaded,or exported by institutions,organizations
61、,or individuals abroad;(3)國家網信辦規定的其他數據出境行為。2 2022.07.07 發布,2022.09.01 實施)第 4 條規定。Article 4,Measures for the Security Assessment of Outbound Data Transfer(Cyberspace Administration of China,Order No.11 of the Cyberspace Administration of China,issued on 7 July 2022,effective from 1 September 2022)2 數
62、據出境安全評估申報指南(第一版)(國家互聯網信息辦公室,2022.08.31 發布,2022.08.31 實施)“一、適用范圍”規定?!?.Scope of Application”of Guidelines for the Application for Security Assessment for Outbound Data Transfers(First Edition)(Cyberspace Administration of China,issued on 31 August 2022,effective from 31 August 2022)中國數據出境實務實操白皮書 Whit
63、e Paper on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 15/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules Other acts of outbound data transfers stipulated by the Cyberspace Administration of China.實操演練實操演練 1 Practical
64、 Exercise 1 Q:跨境電商平臺有許多商家,如何申報數據出境安全評估?跨境電商場景下平臺方與品牌方,誰來發起安全評估?:跨境電商平臺有許多商家,如何申報數據出境安全評估?跨境電商場景下平臺方與品牌方,誰來發起安全評估?Q:Cross-border e-commerce platforms have many merchants,how to declare security assessment for outbound data transfers?In the context of cross-border e-commerce between the platforms and
65、the brands,who will conduct the security assessment?A:需要區分場景。根據數據實際由平臺還是品牌方傳輸出境,品牌方自行傳輸出境的場景下,品牌方申報;平臺傳輸出境的場景下,平臺統一申報。A:There is a need to distinguish the scenarios.It is based on whether the data are actually transmitted by the platforms or the brands,if the brands transmit the data outside the ter
66、ritory of the Peoples Republic of China themselves,the brands should make the declaration.If the platforms transmit the data outside the territory of the Peoples Republic of China,the platform should make a consolidated declaration.實操演練實操演練 1 延伸延伸 Variation of Practical Exercise 1 境內 A 公司員工在境外出差,將 A
67、 公司業務經營中處理的重要數據通過硬盤方式提供給境外 B 公司。An employee of Company A within the territory is on business trip outside the territory and provides important data processed by Company A in business operation to Company B abroad via a hard drive.Q:該:該 A 公司是否應當啟動數據出境安全評估?公司是否應當啟動數據出境安全評估?Q:Should Company A conduct a
68、 security assessment for outbound data transfers?A:通過硬盤傳輸亦屬于數據出境,應當事前通過所在地省級網信部門向國家網信部門申報數據出境安全評估。A:Transferring data via a hard drive also constitutes outbound data transfers,so Company A should declare a security assessment for outbound data transfers to the national cyberspace administration depa
69、rtment via the provincial-level cyberspace administration department in advance.中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 16/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules Q3:如何識別“重要數據”
70、?如何識別“重要數據”?How to identify important data?A3:重要數據,是指一旦遭到篡改、破壞、泄露或者非法獲取、非法利用等,可能危害國家安全、經濟運行、社會穩定、公共健康和安全等的數據。3 Important data refers to data that may jeopardize national security,economic operation,social stability,public health,safety,etc.,if it is tampered with,damaged,leaked,illegally accessed,or
71、 illegally utilized,etc.在重要數據識別時,應當優先參考所屬行業、領域、地區數據安全管理相關規定(例如汽車數據對應的汽車數據安全管理若干規定(試行)(下稱“汽車數據規定”),其次可參考網絡數據安全管理條例(征求意見稿)中相關定義:When identifying important data,priority should be given to taking reference from relevant regulations on data security management of the industry,field,and region to which i
72、t belongs(e.g.,automobile data corresponds to the Several Provisions on Automotive Data Security Management(for Trial Implementation),Provisions on Automobile Data),and to a lesser extent,to the relevant definitions in the Regulations for the Administration of Network Data Security(Exposure Draft):(
73、1)未公開的政務數據、工作秘密、情報數據和執法司法數據;Unpublished government data,working secrets,intelligence data,and law enforcement and judicial data;(2)重點行業和領域安全生產、運行的數據、關鍵系統組件、設備供應鏈數據;Data on safe production and operation of key industries and fields,key system components,and equipment supply chain data;3 數據出境安全評估辦法(國家
74、互聯網信息辦公室,國家互聯網信息辦公室令第 11 號,2022.07.07 發布,2022.09.01 實施)第 19 條規定。Article 19,Measures for the Security Assessment of Outbound Data Transfers(Order No.11 of the Cyberspace Administration of China,issued on 7 July 2022,effective from 1 September 2022)中國數據出境實務實操白皮書 White Paper on China Outbound Data Tran
75、sfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 17/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules(3)達到國家有關部門規定規?;蛘呔鹊幕?、地理、礦產、氣象等國家基礎數據;National basic data such as genetics,geography,minerals,meteorology,etc.that have reached the scale or preci
76、sion specified by the relevant state departments;(4)影響關鍵信息基礎設施安全穩定運行的數據,國防設施、軍事管理區、國防科研生產單位等重要敏感區域的地理位置、安保情況等數據;Data affecting the safe and stable operation of critical information infrastructures,the geographic location and security of important and sensitive areas such as national defense faciliti
77、es,military management zones,and national defense research and production units;(5)出口管制物項涉及的核心技術、設計方案、生產工藝等相關數據,密碼、生物電子信息、人工智能等領域對國家安全、經濟競爭力有直接影響的科學技術成果數據;Data related to core technologies,design programs,production processes,etc.involved in export-controlled items,and data on scientific and technol
78、ogical achievements in the fields of cryptography,bio-electronic information,artificial intelligence,etc.,which have a direct impact on national security and economic competitiveness;(6)國家法律、行政法規、部門規章明確規定需要保護或者限制處理的國家經濟運行數據、重要行業和領域業務數據、統計數據等;National economic operation data,business data of importan
79、t industries and fields,and statistical data,the processing of which needs to be protected or restricted as stipulated by national laws,administrative regulations,departmental rules,and regulations;(7)其他一旦遭到篡改、破壞、泄露或者非法獲取、非法利用等,可能危害國家安全、經濟運行、社會穩定、公共健康和安全等的數據。Other data that may jeopardize national s
80、ecurity,economic operation,social stability,public health and safety,etc.once tampered with,damaged,leaked,中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 18/55 國際數據跨境規則系列 Series on International Data Cross-Borde
81、r Rules Rules or illegally accessed or illegally utilized.Q4:如何識別“敏感個人信息”?如何識別“敏感個人信息”?How to identify sensitive personal information?A4:敏感個人信息,是一旦泄露或者非法使用,容易導致自然人的人格尊嚴受到侵害或者人身、財產安全受到危害的個人信息,包括生物識別、宗教信仰、特定身份、醫療健康、金融賬戶、行蹤軌跡等信息,以及不滿十四周歲未成年人的個人信息。4 Sensitive personal information refers to the personal
82、information that is likely to result in damage to the personal dignity of any natural person or damage to the safety of his or her physical body or property once disclosed or illegally used,including information such as biometric identification,religious belief,specific identity,medical health,finan
83、cial account,and whereabouts and tracks,etc.,as well as the personal information of minors under the age of 14.可參考國家標準 GB/T 35273-2020信息安全技術個人信息安全規范中關于個人敏感信息的定義及相關舉例。Reference can be made to the definition of personal sensitive information and related examples in the national standard GB/T 35273-202
84、0 Information Security TechnologyPersonal Information Security Specification.Q5:如何界定“關鍵信息基礎設施運營者”?如何界定“關鍵信息基礎設施運營者”?Who is a critical information infrastructure operator?A5:根據關鍵信息基礎設施安全保護條例,關鍵信息基礎設施,是指公共通信和信息服務、能源、交通、水利、金融、公共服務、電子政務、國防科技工業等重要行業和領域的,以及其他一旦遭到破壞、喪失功能或者數據泄露,可能嚴重危害國家安全、國計民生、公共利益的重要網絡設施、信
85、 4 中華人民共和國個人信息保護法(全國人民代表大會常務委員會,主席令第九十一號,2021.08.20 發布,2021.11.01 實施)第 28 條規定。Article 28,Personal Information Protection Law of the Peoples Republic of China(Order No.91 of the President of the Peoples Republic of China,Standing Committee of the National Peoples Congress,issued on 20 August 2021,eff
86、ective from 1 November 2021)中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 19/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules 息系統等。According to the Regulation on Protecting the Security of Cr
87、itical Information Infrastructure,critical information infrastructure(“CII”)refers to the network facilities and information systems in important industries and fields such as public telecommunications,information services,energy,transportation,water conservancy,finance,public services,e-government
88、and science,technology and industry for national defense,as well as other important network facilities and information systems which,in case of destruction,loss of function or leak of data,may result in serious damage to national security,the national economy and the peoples livelihood and public in
89、terests.根據該規定,關鍵信息基礎設施運營者的認定規則由各重要行業和領域的主管部門、監管部門(“保護工作部門”)制定,保護工作部門應及時將認定結果通知關鍵信息基礎設施運營者,并通報國務院公安部門。According to the provision,the rules for the determination of CII operators shall be formulated by the competent authorities and supervisory departments of each important industry and field(Protectio
90、n Working Departments),and the Protection Working Departments shall promptly notify the CII operators of the results of the determination and notify the public security department of the State Council.因此,建議數據處理者及時關注保護工作部門的通知,來判斷自身是否構成關鍵信息基礎設施運營者。Therefore,it is recommended that data processors pay a
91、ttention to the notification of the Protection Working Departments from time to time to determine whether they constitute a CII operator.Q6:如何界定如何界定 100 萬、萬、10 萬、萬、1 萬的數量規模?萬的數量規模?How to define the quantitative scale of 1 million,100 thousand,and 10 thousand?A6:前文 Q1 中 100 萬、10 萬和 1 萬的數量計算單位為“人”,而非“
92、人次”或“條數”,數量規模統計中若存在重復計算的,應標明是否去重及去重依據。中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 20/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules The unit of calculation for the quantities of 1,000,000
93、,100,000,and 10,000 in Q1 above is person,not person-time(s)or number of pieces.If there is any double-counting in the statistics of the quantity scale,it should be indicated whether it is deduplicated or not and the basis for deduplication.同樣的,針對申報材料中的擬出境數據情況,基于數據出境安全評估辦法第十四條要求,“通過數據出境安全評估的結果有效期為 2
94、 年,自評估結果出具之日起計算”,對應數據規模應填寫未來兩年出境數據的規模和涉及自然人數量,自然人數量應按人數計算,并標明是否去重及去重依據(如涉及)。Similarly,with regard to the intended outbound data in the declaration materials,based on the requirements under Article 14 of Measures for the Security Assessment of Outbound Data Transfers,which states that the result of s
95、ecurity assessment for an outbound data transfer is valid for two years,commencing from the date on which the result of the assessment is issued,the scale of the data shall correspondingly be filled in with the scale of the data to be exported in the next two years and the number of natural persons
96、involved.The number of natural persons should be calculated on the basis of the number of persons,and whether or not the data have been deduplicated and the basis for deduplication(if relevant)should be indicated.Q7:同一數據處理者存在多個出境場景需要申報時應如何處理?同一數據處理者存在多個出境場景需要申報時應如何處理?What should be done when there a
97、re multiple outbound scenarios to be declared by the same data processor?A7:數據處理者應在申報材料中說明是否符合數據出境安全評估申報條件,并需明確闡述具體符合數據出境安全評估辦法第四條中的哪種情形(詳見上文 Q1)。針對適用累計數量條件(即自上年 1月 1日起累計向境外提供10 萬人個人信息或者 1 萬人敏感個人信息)的,需要在申報材料中具體說明累計向境外提供的個人信息/敏感個人信息與本次申報出境數據的關系,以及對照個人信息保護法和數據出境安全評估辦法開展的整改情況(如涉及)。The data processor sh
98、all state in the declaration materials whether it meets the 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 中國數據出境實務實操白皮書 White Paper on China Outbound Data Transfers Practice 21/55 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules declaration conditions for securi
ty assessment for outbound data transfers, and is required to clearly state which situation in Article 4 of the Measures for the Security Assessment of Outbound Data Transfers is specifically met (for details, please refer to Q1 above). If the cumulative quantity condition applies (i.e., the cumulative provision abroad of personal information of 100 thousand persons or sensitive personal information of 10 thousand persons since January 1 of the previous year), the declaration materials must specify the relationship between the cumulative provision of personal information/sensitive personal information abroad and the specific data declared for outbound transfer in this particular declaration, as well as the status of the corrective actions carried out in accordance with the Personal Information Protection Law of the People's Republic of China and the Measures for Security Assessment of Outbound Data Transfers (if relevant).

If a data processor has multiple outbound scenarios to be declared for assessment, according to the Questions and Answers on the Declaration of Security Assessment for Outbound Data Transfers in Zhejiang Province (III) and the Frequently Asked Questions on the Declaration of Security Assessment for Outbound Data Transfers in Hainan Province (II), in principle the multiple outbound scenarios should be merged and declared together, with each scenario explained individually in the declaration materials.

Q8: When should a security assessment for outbound data transfers be re-conducted?

A8: The result of the security assessment for outbound data transfers is not valid permanently. There are two scenarios under which a reassessment would be required.

(1) Expiration of its validity: 2 years from the date of issuance of the result (the validity of the results of the security assessment for outbound data transfers is 2 years from the date of issuance);

(2) A key matter on which the previous security assessment was based has changed and in turn affected the security of outbound data, specifically:

(a) Changes in the purpose, manner, scope, and type of data provided abroad and in the use and manner of data processing by overseas recipients, affecting the security of outbound data, or the extension of the period for which personal information and important data are kept outside of the territory;

(b) Changes in data security protection policies and regulations and network security environment in the country or region where the overseas recipient is located, as well as other force majeure circumstances, changes in the actual control of the data processor or overseas recipient, and changes in the legal documents between the data processor and the overseas recipient, which affect the security of outbound data;

(c) Other circumstances that affect the security of outbound data.
Upon the expiration of the validity period, if there is a need to continue the outbound data transfer activities, the data processor should apply for re-assessment 60 working days before the expiry date. [5]

[5] Article 14, Measures for the Security Assessment of Outbound Data Transfers (Order No. 11 of the Cyberspace Administration of China, issued on 7 July 2022, effective from 1 September 2022).

Practical Exercise 2

Q: How should the declaring entity determine the “intended outbound data” to be filled in the declaration materials?

A: Because of the two-year validity period mentioned above, the outbound data declared by the data processor should be the intended outbound data for the next two years, including the scale of data and the number of natural persons involved. The number of natural persons should be counted by headcount, and it should be indicated whether the count is deduplicated.

Q9: Is it necessary for companies to carry out the self-assessment exercise in advance? If so, how far in advance? What should be assessed in the self-assessment?

A9: Yes, eligible companies should conduct a self-risk-assessment before declaring a security assessment of outbound data transfers and submit a self-risk-assessment report at the declaration stage.

According to the letter of commitment contained within the “Declaration Statement for Security Assessment of Outbound Data Transfers (TEMPLATE)” in Annex 3 of the Guidelines for Application for Security Assessment of Outbound Data Transfers (First Edition), the declarer shall undertake that “the self-risk-assessment was completed within three months prior to the date of the declaration, and no significant changes have occurred up to the date of the declaration”. Therefore, the self-risk-assessment report should be dated within three months prior to the date of declaration, and a reassessment should be conducted if significant changes occur before the declaration.

The self-assessment should focus on assessing the following six areas:

(1) Basis of legality, legitimacy, necessity: the legality, legitimacy, and necessity of the purpose, scope, manner, etc., of the outbound data transfers and data processing by overseas recipients;

(2) Risks that outbound data may pose to national security, public interests, individuals, or organizations: the scale, scope, type, and sensitivity of outbound data, and the risks that outbound data may pose to national security, public interests, and the legitimate rights and interests of individuals or organizations;

(3) Security guarantee capability of the overseas recipient: the obligations the overseas recipient has committed to undertake, and whether the management and technical measures and capabilities to fulfill the responsibilities and obligations can guarantee the security of the outbound data;

(4) Risks and security guarantee (including protection of personal information rights and interests) of data transmission (during or after transmission): risks of data being tampered with, damaged, leaked, lost, transferred, illegally obtained, illegally utilized, etc., during or after outbound data transfer, and whether the channels for the protection of personal information rights and interests are accessible;

(5) Responsibilities and obligations for data security protection as agreed in legal documents: whether the data security protection responsibilities and obligations are sufficiently allocated in contracts relating to outbound data transfers or other legally binding documents, etc. (hereinafter collectively referred to as legal documents) to be entered into with the overseas recipient;

(6) Other: other matters that may affect the security of outbound data transfers. [6]

[6] Article 5, Measures for the Security Assessment of Outbound Data Transfers (Order No. 11 of the Cyberspace Administration of China, issued on 7 July 2022, effective from 1 September 2022).

Practical Exercise 3

Company C has declared a security assessment for outbound data transfers because it meets the criterion of “data processors who process personal information of over one million persons providing personal information abroad”. It has conducted internally a personal information protection impact assessment (PIA) in accordance with the provisions of the Personal Information Protection Law.

Q: Can the PIA serve as a self-assessment report?

A: No, it cannot. Although the assessment dimensions are fundamentally similar, the PIA is specifically for standard contracts; the self-assessment report for Company C's security assessment for outbound data transfers should be prepared in accordance with the requirements outlined in the Guidelines for Application for Security Assessment of Outbound Data Transfers (First Edition).

Q10: How long does the security assessment filing process of outbound data transfers take?

A10: Considering the complexity of the preparatory work for the declaration of security assessment for outbound data transfers, companies should reserve sufficient internal time for organizing the relevant declaration materials and submitting the declaration (inclusive of time for self-assessment).

After the declaration materials are formally submitted, the declaration process stipulated in the regulations will take a total of about 57+N working days (N stands for the time for supplemental materials and review of the same). In the event that there is disagreement regarding the assessment result and an application for reassessment is made, the length of time will be extended by 15+N working days accordingly (the application for reassessment should be made within 15 working days upon receipt of the assessment result, and N stands for the time required for a reassessment). It is recommended that companies that need to declare a security assessment of outbound data transfers plan the declaration work in advance, so as to leave enough time for the subsequent approval process of the cyberspace administration office.
(II) 15 Questions on the Filing of the SC for Outbound Transfer of Personal Information (“SC Filing”)

Q11: What is the scope of application of a SC?

A11: Generally, a company that provides personal information abroad by entering into a SC shall meet all of the following circumstances at the same time:

(1) it is not a critical information infrastructure (CII) operator;

(2) it processes the personal information of less than 1 million persons;

(3) it has cumulatively transferred abroad the personal information of less than 100 thousand persons since January 1 of the previous year; and

(4) it has cumulatively transferred abroad the sensitive personal information of less than 10 thousand persons since January 1 of the previous year.

Where there are other relevant provisions in any laws, administrative regulations, or rules of the Cyberspace Administration of China, such provisions shall apply.

Companies shall not employ methods such as quantity splitting to provide abroad, by entering into a SC, personal information that by law should pass the security assessment for outbound data transfers. [7]

[7] Article 4, Measures for the Standard Contract for Outbound Transfer of Personal Information (Order No. 13 of the Cyberspace Administration of China, issued on 22 February 2023, effective from 1 June 2023).

In particular, according to the Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong), a PIP and a recipient registered or located in the Mainland part of the Guangdong-Hong Kong-Macao Greater Bay Area (i.e., Guangzhou City, Shenzhen City, Zhuhai City, Foshan City, Huizhou City, Dongguan City, Zhongshan City, Jiangmen City, and Zhaoqing City in Guangdong Province, hereinafter “the Mainland part of the Guangdong-Hong Kong-Macao Greater Bay Area”) or the Hong Kong Special Administrative Region (HKSAR) may, by way of entering into a standard contract, carry out cross-border flow of personal information (excluding personal information that constitutes important data) between the Mainland and Hong Kong within the Guangdong-Hong Kong-Macao Greater Bay Area.

Q12: Who are parties to a SC?

A12: Mainly two types of entities: the PIP and the overseas recipient of such data. [8]

[8] Article 2, Measures for the Standard Contract for Outbound Transfer of Personal Information (Order No. 13 of the Cyberspace Administration of China, issued on 22 February 2023, effective from 1 June 2023).

Practical Exercise 4

Overseas Company D directly provides services to domestic natural person users through its website and has cumulatively collected the personal information of fewer than 100,000 domestic natural person users since 1 January of the previous year.

Q: Does overseas Company D need to conduct filing of the Standard Contract for Outbound Transfer of Personal Information?

A: No, it is not required. Filing under the Measures for the Standard Contract for Outbound Transfer of Personal Information applies only when a personal information processor provides personal information abroad by entering into a SC with an overseas recipient. In this case, overseas Company D, as the PIP, is the only entity involved, so the conditions for entering into a SC do not exist and there is no need to conduct filing of the SC. However, this scenario still falls under the category where “the purpose is to provide domestic natural persons with products or services”, and Company D should still comply with the various requirements of the Personal Information Protection Law.

Q13: The provision refers to “independent contracting”; does this mean that companies can skip the filing process?

A13: No. Although, unlike the prior supervision of the security assessment for outbound data transfers, the filing of a SC is by nature ex post supervision, the company should still file the SC within 10 working days after its entry into force in accordance with the law.

In order to safeguard the safe and free flow of personal information across borders when outbound transfers of personal information are carried out through a SC, the Measures for the Standard Contract for Outbound Transfer of Personal Information establish the core principles of “combining independent contracting with filing management, and combining the protection of rights and interests with the prevention of risks”. [9] “Independent contracting” is based on the principle of contractual voluntariness, and both parties contract on their own (other contracts related to outbound transfer activities of personal information concluded by both parties shall not conflict with the content of the SC), but once the SC is adopted for outbound data transfers, it shall be filed with the local provincial cyberspace administration department in accordance with the law.

[9] Article 3, Measures for the Standard Contract for Outbound Transfer of Personal Information (Order No. 13 of the Cyberspace Administration of China, issued on 22 February 2023, effective from 1 June 2023).

In particular, if the cross-border flow of personal information between the Mainland part of the Guangdong-Hong Kong-Macao Greater Bay Area and the HKSAR is involved, both the PIP and the recipient shall, according to the jurisdiction concerned, conduct the filing procedures of the Standard Contract with the Cyberspace Administration of Guangdong Province or the Office of the Government Chief Information Officer of the HKSAR Government within 10 working days from the effective date of the Standard Contract.

Q14: Can the same set of SC be used for multiple outbound data transfers?

A14: Yes, the same set of SC can be used for multiple outbound data transfer scenarios.

If the outbound data transfer activities involve the same data exporter and overseas recipient, and the purposes of the outbound data transfers are the same, then even if there are multiple outbound data transfer scenarios, one set of SC can be used and filed in one go. However, if the data exporter and overseas recipient are different, separate SCs should be signed and filed.
Practical Exercise 5

Due to its business operations and personnel management, Yunnan Company E needs to transfer personal information to its headquarters, Company F, located in France (the scenarios include transferring employee personal information through Workday, customer personal information through Salesforce, and consumer personal information through the CRM system). Yunnan Company E has branch offices in five provinces within China, with a total of less than 5,000 employees, customers, and consumers.

Q: Can Yunnan Company E consolidate the filing of SCs?

A: Yes, it can. Yunnan Company E has multiple outbound scenarios that require filing, with one single overseas recipient, so it can consolidate the filing by entering into one set of standard contracts (according to the Filing Guidelines of Yunnan Province Standard Contract for Outbound Transfer of Personal Information, if the applicant has multiple outbound matters (scenarios) which require filing, they should in principle be consolidated into one filing, with each matter explained separately in the materials).
In particular, when the consolidated filing method is adopted, once a specific scenario triggers the conditions for re-filing, the filing should be made again (see Q20 below). PIPs are reminded to weigh the pros and cons carefully in advance.

The outbound scenarios of personal information vary significantly with the business and nature of the company. It is recommended that multinational corporations carefully and comprehensively review their outbound scenarios based on their own business and characteristics so as to avoid any omissions.

Q15: Can related parties consolidate their filings?

A15: SC Filings are made with the provincial-level cyberspace administration where the declarer is located. Generally speaking, related parties which are not in the same provincial administrative region should each sign a SC with the overseas recipient and file it with the provincial-level cyberspace administration where they are respectively located. Where there are different overseas recipients, it is also recommended that separate SCs be signed and filed.

However, for multiple independent legal person corporations under the same parent group, according to publicly retrievable information, provincial-level cyberspace administrations including those of Beijing, Hunan Province, Jiangxi Province, Yunnan Province, Hebei Province, Henan Province, and the Xinjiang Production and Construction Corps have issued Q&As clearly stating that “the entity filing a SC must be a legal person entity, and the filing entity should be the same as the domestic signatory to the contract. Where multiple independent legal person corporations belong to the same group company, the group company can act as the filing entity for the Standard Contract for Outbound Transfer of Personal Information. Branches are not independent legal persons and may not file in place of the headquarters or subsidiaries.” If corporations choose to consolidate and have the parent company file a SC, it is recommended to pay attention in advance to the guidance of the provincial-level cyberspace administration where the parent company is located, and to consult and confirm with it beforehand.

In particular, when the consolidated filing approach is adopted, once any one entity triggers the conditions for re-filing, the filing should be made again (see Q20 below for details), and PIPs are reminded to weigh the pros and cons in advance.

Practical Exercise 6

G Group, a cosmetics retail company headquartered in the UK, established a Greater China holding company, Company H, in Beijing, and set up subsidiaries in places such as Shanghai, Guangdong, and Hunan through Company H. Using a unified group management system, G Group can access from the UK the sales data (including personal information of consumers) of Beijing, Shanghai, Guangdong, and Hunan.

Q: Should the four Chinese entities file the SCs separately, or should they choose to consolidate the filing?

A: Based on the current data flow, they should file separately. However, since the Beijing cyberspace administration office accepts the group company as the filing entity (see above), they can choose to consolidate the filing after consulting and confirming with the competent authorities in advance.

In particular, if, before filing, the group company adjusts the data flow based on internal data management so that data from the domestic subsidiaries is first aggregated at Company H, the holding company in Beijing, and then provided by Company H to G Group in a unified manner, the SC filing can be done by Company H directly.
Q16: Can the terms of a SC be modified?

A16: No. The terms of the SC shall not be modified. The PIP and the overseas recipient shall enter into a contract in strict accordance with the SC template and shall not modify or delete any of the clauses in the main body of the SC. Provided there is no conflict with the main body of the SC, other terms agreed between the parties may be detailed in Appendix II of the SC; the appendices form an integral part of the SC.

Q17: If a SC under the GDPR has been signed, do I need to sign a SC that conforms with the Chinese laws?

A17: Yes. The GDPR SC applies to the outbound provision of personal information from an EU country to a third country, while the Chinese SC applies to the outbound provision of personal information from China to a third country. The transmission paths of the two are so different that the standard contract under the GDPR cannot be used as a legal basis for the transfer of personal information from China to other countries.

Q18: Can a PIP submit a non-Chinese version of a SC?

A18: In principle, PIPs should submit a SC in Chinese (a bilingual Chinese-English version is also acceptable, but it is recommended to state clearly that in case of discrepancies, the Chinese version prevails).

If there is only a non-Chinese version, an accurate Chinese translation must be submitted together with it, and it is recommended that the form of the Chinese translation (e.g., the PIP affixing its seal to undertake that the content of the translation is the same as the original version, or third-party notarization) be confirmed in advance with the local provincial-level cyberspace administration department.

Q19: How long is a filing of SC valid for?

A19: Unlike the statutory requirement of a two-year validity period for the security assessment for outbound data transfers (see Q8 above for details), there is no mandatory validity period for the SC, and the PIP may agree with the overseas recipient on an appropriate validity period based on the specific scenario of the outbound transfer of personal information, provided that it meets the provisions of the Personal Information Protection Law (e.g., the principle of minimum necessity).
Q20: Under what circumstances will it be necessary to re-file?

A20: Where any of the following circumstances occur during the validity period of the SC, the PIP shall conduct the personal information protection impact assessment (PIA) again, supplement or re-sign the SC, and complete the relevant filing formalities:

(1) the purpose, scope, category, sensitivity, method, or storage location of personal information transferred abroad, or the purpose or method of personal information processing by the overseas recipient has changed, or the retention period of personal information abroad is extended;

(2) the personal information rights and interests may be affected by changes in the policies and regulations on personal information protection in the country or region where the overseas recipient is located; or

(3) other circumstances that may affect the personal information rights and interests. [10]

[10] Article 8, Measures for the Standard Contract for Outbound Transfer of Personal Information (Order No. 13 of the Cyberspace Administration of China, issued on 22 February 2023, effective from 1 June 2023).

Where a supplemental agreement is entered into within the validity period of a pre-existing SC, the PIP shall submit supplementary materials to the local provincial-level cyberspace administration office. Re-filing is necessary where a new SC has been entered into. The time frame for the review of the supplemental or re-filed materials is 15 working days.

The PIP shall be responsible for the authenticity of the materials submitted. Where false materials are submitted, the filing shall be treated as failed, and the corresponding legal liabilities shall be pursued in accordance with the law. [11]

[11] “3. Filing Process”, Guidelines for Filing Standard Contract for Outbound Transfer of Personal Information (First Edition) (Cyberspace Administration of China, issued on 30 May 2023, effective from 30 May 2023).

Practical Exercise 7

Domestic Company J entrusted overseas Company K to process personal information, entered into a SC in accordance with the law, and completed the filing. However, within the validity period, business needs require extending the overseas storage period for personal information.

Q: Can Domestic Company J and Overseas Company K only re-sign the standard contract and re-file it?

A: Not necessarily. “Extending the overseas storage period for personal information” falls under the situations in which a PIA must by law be conducted again. Apart from re-signing the SC, Company J and Company K may consider supplementing it by amending the other clauses in Appendix II of the SC or by signing a supplemental agreement, rather than only being able to enter into a new SC. To some extent, this can help avoid the burden of renegotiation.

Q21: Can a trustee enter into a SC?

A21: According to the Measures for the Standard Contract for Outbound Transfer of Personal Information, a SC shall be signed and implemented between the PIP and the overseas recipient of the data. The data exporter is the PIP, and the overseas recipient could be a PIP or a trustee entrusted with the processing of personal information.

However, in practice, because the distinction between a PIP and a trustee is unclear, there are also cases where the trustee handles the SC Filing. If a trustee entrusted with the processing of personal information needs to transmit it to overseas recipients, it is recommended to consult the local provincial-level cyberspace administration department in advance.
Practical Exercise 8

Company L, a company within the territory, transmits personal information of domestic employees to Company M, the Group headquarters located overseas. Affiliated Company N, located in the United States, is able to access that personal information.

Q: Does Company L need to enter into separate SCs with Company M and Company N and file them?

A: Not necessary. According to Appendix 1 (Explanation on the Cross-border Transfer of Personal Information) of the SC formulated by the Cyberspace Administration of China, in this situation Company N can be disclosed as a third party under the item "Overseas recipient only provides personal information to the following third parties outside the territory of the People's Republic of China (if applicable)". Therefore, Company L only needs to enter into a SC with Company M and disclose Company N's access within the SC.

In particular, in this situation Company M should still fulfil the relevant obligations stipulated in the SC (such as signing a written agreement with Company N and ensuring that Company N's processing of personal information meets the personal information protection standards required by the relevant laws and regulations of China). At the same time, Company N's access to the data transmitted by Company L to Company M may constitute an outbound data transfer from the country where Company M is located, so attention should be paid to meeting the requirements of the local laws and regulations applicable to Company M.

Q22: Is PIA special under the SC Filing path?

A22: The PIA work should be completed within three months prior to the date of filing, with no significant changes between the completion of the PIA work and the filing date.

PIPs shall keep the personal information protection impact assessment report for at least three years.

Generally, a personal information protection impact assessment report is required to be submitted for the filing of a standard contract; however, it is not required in the case of the cross-border flow of personal information between the Mainland part of the Guangdong-Hong Kong-Macao Greater Bay Area and the HKSAR.
Q23: What is the outcome of a SC Filing?

A23: The filing results are divided into Pass and Failure.

PIPs that pass the filing are issued a filing number by the provincial cyberspace administration office. PIPs that fail receive a notice of unsuccessful filing and the reasons for it; where the PIP is required to supplement and complete the materials, it shall do so and resubmit within ten working days. Until a Pass result is obtained, companies are advised to suspend the relevant outbound transfers of personal information.

Q24: Are outbound transfers of personal information during the grace period legal?

A24: The Measures for the Standard Contract for Outbound Transfer of Personal Information came into force on 1 June 2023 and stipulate that where outbound transfers of personal information already being carried out before the Measures took effect do not comply with the Measures, rectification shall be completed within 6 months from the effective date of the Measures.

In other words, if a PIP meets the conditions for SC Filing and was already carrying out outbound transfers of personal information before 1 June 2023, it may continue to transmit personal information during the 6-month grace period. However, it should enter into a SC and file it before 30 November 2023. After 30 November 2023, if it has not completed the rectification, it should suspend outbound transfers until the rectification is completed.

Q25: In the event that rectification is not completed within the grace period, would the outbound data transfer be illegal? Is there any legal consequence for such a failure?

A25: Yes, it is illegal (this refers to cases where the personal information protection certification path has not been chosen either), and liability shall be borne in accordance with the law.

(1) Administrative liability: The Measures for the Standard Contract for Outbound Transfer of Personal Information refer to the Personal Information Protection Law for penalties for non-compliance, including orders to make corrections, warnings and confiscation of illegal income, with fines of up to RMB 50 million or 5% of the previous year's turnover, as well as orders to suspend the relevant business or to cease business for rectification, and notification of the relevant competent authorities to revoke the relevant business permits or the business license. In addition, the directly responsible supervisors and other directly responsible persons of the company (such as the DPO) may be held personally liable, including being fined up to RMB 1 million, and may be prohibited for a certain period from serving as directors, supervisors, senior management and persons in charge of personal information protection of the relevant companies.

(2) Civil liability: The owner of the personal information may also bring a civil action for damage to his or her legal rights and interests.

In particular, the existing SC template places the burden of proof for the fulfillment of the obligations under the SC on the PIP (Article 2, Obligations of the PIP, item (x): bear the burden of proof for the fulfillment of the obligations under this contract). This places a higher requirement on the domestic data exporter. If a dispute arises, even where the obligation in question should have been fulfilled by the overseas recipient, the data exporter may be directly required to provide evidence once regulatory action or litigation is triggered. It is recommended that data exporters strengthen their day-to-day supervision and management of the overseas recipient and keep a trail of the corresponding evidential materials, so as to avoid the adverse consequences of failing to discharge the burden of proof.

(3) Criminal liability: According to the laws of China, any act that constitutes a crime (such as the crime of infringing citizens' personal information) will be subject to criminal liability in accordance with the law.
Practical Exercise 9

Since 2022, Company O within the territory has, before the 10th of each month, compiled the consumer personal information collected in the previous month through the operation of its domestic business APP and transmitted it to the overseas Group headquarters.

In July 2023, for cross-border business cooperation, Company O intends to transfer the consumers' personal information to Company P, a third-party partner company located overseas.

Q: Starting from June 2023, can Company O within the territory continue to transmit data to the Group headquarters? Can Company O within the territory transmit data to Company P overseas?

A: It is necessary to distinguish between the business scenarios:

Regarding the transmission of data to the Group headquarters: if it meets the requirements of the standard contract path (see Q11 for details), Company O can continue to transmit data. However, it should enter into a SC with the Group headquarters company and complete the filing before 30 November 2023.

Regarding the transmission of data to Company P: since this outbound transfer of personal information was not already being carried out before 1 June 2023, the conditions for the grace period described above are not met. Company O should therefore first enter into a SC with Company P and, within 10 working days from the effective date of the SC, file with the local provincial cyberspace administration office by delivering written materials together with electronic copies. Otherwise, the transfer will constitute an illegal act and carry the risk of bearing the liabilities described above.
(III) 5 Questions on Security Certification for Cross-border Processing Activities of Personal Information ("PIPC")

Q26: When can I choose the PIPC?

A26: Companies whose business scope involves personal information processing activities and to which the security assessment for outbound data transfers does not apply may choose either SC Filing or PIPC.

If a company meets the criteria for the following two categories of subjects, it is more appropriate for it to follow the PIPC path:

(1) Cross-border processing activities of personal information between subsidiaries or affiliates of a multinational corporation or of the same economic or business entity;

(2) Activities of overseas PIPs processing the personal information of natural persons in China, as stipulated in Article 3, paragraph 2 of the Personal Information Protection Law (this Law shall also apply to the processing, outside the territory of the People's Republic of China, of the personal information of natural persons within the territory of the People's Republic of China under any of the following circumstances: (i) where the purpose is to provide domestic natural persons with products or services; (ii) where the acts of domestic natural persons are analyzed and evaluated; and (iii) other circumstances as prescribed by laws and administrative regulations).

Q27: Is PIPC an alternative option to SC Filing?

A27: Yes. For situations where both the PIPC path and the SC Filing path are applicable, considering the validity period after approval (a PIPC is valid for three years [12] (see Q30 below for details), while the SC has no mandatory validity period (see Q19 above for details)) and the degree of convenience (for PIPC, in addition to the contract and PIA required under the SC Filing path, a third-party certification agency must also be commissioned to carry out the certification), the SC Filing route is still preferable at this stage.

[12] "5.1.1 Holding of Certification Certificate", Implementation Rules on Personal Information Protection Certification (State Administration of Market Regulation (SAMR), Cyberspace Administration of China (CAC), Announcement No. 47 of 2022 of SAMR and CAC, issued on 4 November 2022, effective from 4 November 2022).

Practical Exercise 10

Overseas Company Q operates an independent website targeting domestic natural persons to sell its overseas goods.

Q: Can overseas Company Q also use PIPC as a substitute for SC Filing?

A: No. This scenario does not fall within the scope of the SC Filing path (see Q12 above for details). Overseas Company Q should obtain PIPC for its outbound data transfers.

Q28: Is it necessary to designate a person to be in charge of personal information protection and establish a personal information protection organization under the PIPC path?

A28: Yes. Both the PIP and the overseas recipient are required to designate a person in charge of personal information protection and establish a personal information protection organization.

In particular, the person in charge of personal information protection shall have expertise in personal information protection and relevant management experience, and shall be a member of the decision-making level of the organization. [13]

[13] "5.2 Organization Management", Guidelines for Cybersecurity Standard Practice - Security Certification Specification for Cross-border Processing Activities of Personal Information V2.0 (National Information Security Standardization Technical Committee, No. 216 of 2022, issued on 16 December 2022, effective from 16 December 2022).

Q29: How is PIPC conducted?

A29: The specific process for companies to carry out PIPC is divided into the five steps described below:

(1) Certification commission: The person commissioning the certification shall submit the certification commission materials required by the certification agency (including, but not limited to, the basic information of the person commissioning the certification, the power of attorney for certification and the relevant supporting documents). After reviewing the materials, the certification agency will give timely feedback on whether it accepts the commission.

If the certification agency accepts the commission, it shall determine the certification scheme, including the type and amount of personal information, the scope of the personal information processing activities involved and the information of the technical verification agency, and notify the person commissioning the certification.

(2) Technical verification: The technical verification agency shall carry out technical verification in accordance with the certification scheme, and issue a technical verification report to the certification agency and the person commissioning the certification.

(3) On-site audit: The certification agency will carry out an on-site audit, and issue an on-site audit report to the person commissioning the certification.

(4) Evaluation and approval of certification results: The certification agency will make a certification decision based on a comprehensive evaluation of the certification commission materials, the technical verification report, the on-site audit report and other relevant information. Where the certification requirements are met, a certificate will be issued. Where they are not yet met, the person commissioning the certification may be required to make rectifications within a time limit. If the requirements are still not met after rectification, the agency will notify the person commissioning the certification in writing that the certification is terminated.

If it is found that the person commissioning the certification or the PIP has committed acts that seriously affect the implementation of certification, such as deception, concealment of information or intentional violation of certification requirements, the certification shall not be granted.

(5) Post-certification supervision: Within the validity period of the certification, the certification agency shall carry out continuous supervision of the certified PIPs (the certification agency shall take appropriate measures to implement the post-certification supervision to ensure that the certified PIPs continue to comply with the certification requirements), and reasonably determine the frequency of supervision. The certification agency shall conduct a comprehensive evaluation of the outcomes of the post-certification supervision and other relevant information. If the evaluation is passed, the entity concerned can keep the certificate; if it is not passed, the certification agency shall, depending on the circumstances, suspend or revoke the certificate.
Q30: What is the validity period of the PIPC?

A30: The PIPC certificate is valid for three years. If the certificate needs to remain in use after it expires, the company should apply to the certification agency within the six months before the validity period expires. The certification agency will use the post-certification supervision approach and issue a new certificate to those that meet the certification requirements. [14]

[14] "5.1.1 Holding of Certification Certificate", Implementation Rules on Personal Information Protection Certification (State Administration of Market Regulation (SAMR), Cyberspace Administration of China (CAC), Announcement No. 47 of 2022 of SAMR and CAC, issued on 4 November 2022, effective from 4 November 2022).

Annex I: Index of Q&As and Practical Exercises

Q1: Under what circumstances must security assessment for outbound data transfers be conducted?
Q2: What constitutes an act of outbound data transfer?
Practical Exercise 1
Q3: How to identify important data?
Q4: How to identify sensitive personal information?
Q5: Who is a critical information infrastructure operator?
Q6: How to define the quantitative scale of 1 million, 100 thousand, and 10 thousand?
Q7: What should be done when there are multiple outbound scenarios to be declared by the same data processor?
Q8: When should a security assessment for outbound data transfers be re-conducted?
Practical Exercise 2
Q9: Is it necessary for companies to carry out the self-assessment exercise in advance? If so, how far in advance? What should be assessed in the self-assessment?
Practical Exercise 3
Q10: How long does the security assessment filing process of outbound data transfers take?
Q11: What is the scope of application of a SC?
Q12: Who are parties to a SC?
Practical Exercise 4
Q13: The provision refers to independent contracting, does this mean that companies can skip the filing process?
Q14: Can the same set of SC be used for multiple outbound data transfers?
Practical Exercise 5
Q15: Can related parties consolidate their filings?
Practical Exercise 6
Q16: Can the terms of a SC be modified?
Q17: If a SC under the GDPR has been signed, do I need to sign a SC that conforms with the Chinese laws?
Q18: Can a PIP submit a non-Chinese version of a SC?
Q19: How long is a filing of SC valid for?
Q20: Under what circumstances will it be necessary to re-file?
Practical Exercise 7
Q21: Can a trustee enter into a SC?
Practical Exercise 8
Q22: Is PIA special under the SC Filing path?
Q23: What is the outcome of a SC Filing?
Q24: Are outbound transfers of personal information during the grace period legal?
Q25: In the event that rectification is not completed within the grace period, would the outbound data transfer be illegal? Is there any legal consequence for such a failure?
Practical Exercise 9
Q26: When can I choose the PIPC?
Q27: Is PIPC an alternative option to SC Filing?
Practical Exercise 10
Q28: Is it necessary to designate a person to be in charge of personal information protection and establish a personal information protection organization under the PIPC path?
Q29: How is PIPC conducted?
Q30: What is the validity period of the PIPC?

Annex II: List of Major Laws and Regulations [15]

| No. | Name of Document | Issuing Body | Issuing Date | Effective Date | Level of Legal Effect |
|---|---|---|---|---|---|
| 1 | PRC Cybersecurity Law (中華人民共和國網絡安全法) | Standing Committee of the National People's Congress ("SCNPC") | 2016.11.07 | 2017.06.01 | Law |
| 2 | PRC Data Security Law (中華人民共和國數據安全法) | SCNPC | 2021.06.10 | 2021.09.01 | Law |
| 3 | PRC Personal Information Protection Law (中華人民共和國個人信息保護法) | SCNPC | 2021.08.20 | 2021.11.01 | Law |
| 4 | Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) (信息安全技術 個人信息安全規范) | National Information Security Standardization Technical Committee | 2020.03.06 | 2020.10.01 | Recommended National Standard |
| 5 | Measures for Security Assessment of Outbound Data Transfers (數據出境安全評估辦法) | Cyberspace Administration of China | 2022.07.07 | 2022.09.01 | Departmental Regulations |
| 6 | Guidelines for Application for Security Assessment of Outbound Data Transfers (First Edition) (數據出境安全評估申報指南(第一版)) | Cyberspace Administration of China | 2022.08.31 | 2022.08.31 | Normative Document |
| 7 | Measures for the Standard Contract for Outbound Transfer of Personal Information (個人信息出境標準合同辦法) | Cyberspace Administration of China | 2023.02.22 | 2023.06.01 | Departmental Regulations |
| 8 | Guidelines for Filing Standard Contract for Outbound Transfer of Personal Information (First Edition) (個人信息出境標準合同備案指南(第一版)) | Cyberspace Administration of China | 2023.05.30 | 2023.05.30 | Normative Document |
| 9 | Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (粵港澳大灣區(內地、香港)個人信息跨境流動標準合同實施指引) | Cyberspace Administration of China, Hong Kong Innovation and Technology Commission | 2023.12.10 | 2023.12.10 | Local Regulations |
| 10 | Implementation Rules for Personal Information Protection Certification (個人信息保護認證實施規則) | Cyberspace Administration of China, State Administration for Market Regulation | 2022.11.04 | 2022.11.04 | Normative Document |
| 11 | Provisions on Regulating and Promoting Cross-border Flow of Data (Exposure Draft) (規范和促進數據跨境流動規定(征求意見稿)) | Cyberspace Administration of China | 2023.09.28 | | Departmental Regulations |
| 12 | Guidelines for Cybersecurity Standard Practice - Security Certification Specification for Cross-border Processing Activities of Personal Information V2.0 (網絡安全標準實踐指南個人信息跨境處理活動安全認證規范 V2.0) | National Information Security Standardization Technical Committee | 2022.12.16 | 2022.12.16 | Standard-related Technical Document |
| 13 | Guidelines for Cybersecurity Standard Practice - Security Certification Specification for Cross-border Processing Activities of Personal Information (網絡安全標準實踐指南個人信息跨境處理活動安全認證規范) | National Information Security Standardization Technical Committee | 2022.06.24 | 2022.06.24 | Standard-related Technical Document |
| 14 | Regulations on Network Data Security Management (Draft for Comments) (網絡數據安全管理條例(征求意見稿)) | Cyberspace Administration of China | 2021.11.14 | | Normative Document |
| 15 | Information Security Technology - Guidelines for Identification of Important Data (Draft for Comments) (信息安全技術 重要數據識別指南(征求意見稿)) | National Information Security Standardization Technical Committee | 2022.01.13 | | Recommended National Standard |

[15] Questions and answers or guidelines published by local cyberspace administration departments are not yet included. Please refer to official publications for accurate information.

Authors

Duan&Duan Law Firm (上海段和段律師事務所)
Members:
高亞平 Vera GAO | Equity Partner, Senior Partner, HK Registered Foreign Lawyer, DPO Accredited Trainer by EXIN
周夢 Zoe ZHOU | Partner, DPO Accredited Trainer by EXIN
紀倩 Joyce JI | Associate
徐晶 Icey XU | Associate

Shanghai Data Group Co., Ltd. (上海數據集團有限公司)
Members:
高瑞鑫 Ruixin GAO | Data security compliance expert, member of data cross-border team; EXIN-DPO, CCRC-DCO, ESI-CDO
袁旻旭 Minxu YUAN|投資管理
323、專家、數據跨境小組牽頭人 Investment management expert,leader of data cross-border team 陳茜 Qian CHEN|法律事務專家、數據跨境小組成員 Legal affairs expert,member of data cross-border team 國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules 上海段和段律師事務所上海段和段律師事務所 Duan&Duan Law Firm 段和段律師事務所 1993 年在上海成立,是一家擁有 30 多家境內外分所
324、/辦公室的綜合性和國際化律所。段和段秉承法律至上、依法治國和客戶為先、回饋社會的基本準則,走出了中國律所國際化、專業化、規?;某晒Πl展之路。段和段數據團隊是國內數據合規領域特色法律服務的創新開拓者與引領者,在數據出境、IPO 數據合規、數據合規管理體系搭建等領域均具備獨特資源優勢與豐富業務經驗。Established in 1993 in Shanghai,Duan&Duan Law Firm is a comprehensive and international law firm with more than 30 domestic and international branches/
325、offices.Adhering to the basic principles of legal supremacy,ruling the country according to the law,putting clients first and contributing to the society,Duan&Duan has walked out of the road of successful development of Chinese law firms in internationalization,specialization and scale.The Duan&Duan
326、 Data Team is an innovator and key player in providing unique legal services for data compliance in China,with unique resource advantages and rich business experience in the field of cross-border data transfer,IPO data compliance,and data compliance management system construction,etc.上海數據集團有限公司上海數據集
327、團有限公司 Shanghai Data Group Co.,Ltd.上海數據集團有限公司是以數據為核心業務的具有功能保障屬性的市場競爭類市屬一級國企。作為上海市公共數據授權運營主體和城市一體化大數據資源基礎治理的支撐主體,以推進數據要素市場建設、激發數據要素潛能、保障數據安全為戰略使命,以促進公共數據、社會數據、個人數據融合開發利用為主責主業,聚焦數字產業化、產業數字化和推動數據產業生態發展,踐行“數據治理體系共建者、數據資源體系開拓者、數字經濟發展引領者、數字政府建設推動者、國際數據合作先行者”的責任擔當,致力于成為世界一流的數據要素型企業。國際數據跨境規則系列 Series on Inte
328、rnational Data Cross-Border Rules Rules Shanghai Data Group Co.,Ltd.is a first-level state-owned enterprise with data as its core business.As the authorized operating entity of Shanghais public data and the supporting entity for the basic governance of urban integrated big data resources,it takes pr
329、omoting the construction of the data element market,stimulating the potential of data elements,and ensuring data security as its strategic mission to promote public data,social data,and personal data.Integrated development and utilization are the main responsibilities and main businesses,focusing on
330、 digital industrialization,industrial digitization and promoting the ecological development of the data industry,practicing co-builder of data governance system,pioneer of data resource system,leader of digital economy development,promoter of digital government construction As a pioneer in internati
331、onal data cooperation,we are committed to becoming a world-class data element-based enterprise.知識產權保護聲明知識產權保護聲明:本白皮書正文、思維導圖及表格等所有內容相關知識產權歸屬本書作者所有。如需轉載,您可發送郵件與我們聯系,并顯著標明來源。INTELLECTUAL PROPERTY PROTECTION DISCLAIMER:All intellectual property rights related to the text,mind maps and tables of this Whi
332、tepaper belong to the authors of this Whitepaper.If you would like to republish this Whitepaper,please contact us with the source prominently displayed.國際數據跨境規則系列 Series on International Data Cross-Border Rules Rules 上海數據集團有限公司上海數據集團有限公司 Shanghai Data Group Co.,Ltd.了解更多,關注微信公眾號 WeChat Official Accounts QR Code 段和段律所事務所段和段律所事務所 Duan&Duan Law Firm