KPMG: Compliance Management for Cross-border Transfers of Personal Information (2023) (English version) (16 pages)

1、Compliance Management for Cross-border Transfers of Personal InformationImplications of New Regulation Measures for Standard Contracts for Cross-border Transfer of Personal Information in ChinaKPMG CybersecurityApril,2023 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm

2、of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.2 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG

3、 global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.2Table of contents01Overview of compliance paths for cross-border data transfer0302A deep dive into th

4、e new“Standard Contract”0503Background to personal information protection impact assessment(PIPIA)0904Recommendations 1305KPMG personal information protection management service14 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of indepen

5、dent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.3 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member

6、 firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.3Timeline of regulatory developments01Overview of compliance paths for cross-border data transfer2015JulyNational Security Law2017AprilMeasures

7、for the Security Assessment of Cross-border Transfers of Personal Information and Key Data(Draft for comment)2017JuneCybersecurity Law2019JuneMeasures for Security Assessment of Cross-border Transfers of Personal Information(Draft for comment)2021SeptemberData Security Law2021NovemberPersonal Inform

8、ation Protection Law2021OctoberMeasures for the Security Assessment of Cross-border Data Transfer(Draft for comment)2022September Measures for Cross-border Data Transfer Security AssessmentNovemberAnnouncement on the Implementation of Personal Information ProtectionCertification2023JuneMeasures for

9、Standard Contracts for Cross-border Transfer of Personal Information On 7 July 2022,the Cyberspace Administration of China(CAC)issued the“Measures for Cross-border Data Transfer Security Assessment”(the“Security Assessment Measures”),effective from 1 September 2022.The Security Assessment Measures s

10、pecify the circumstances under which a cross-border data transfer security assessment(the“Security Assessment”)shall be declared,and proposes specific requirements for the Security Assessment.On 4 November 2022,the CAC issued the“Announcement on the Implementation of Personal Information Protection

11、Certification”(the“Announcement”),effective from 4 November 2022.The Announcement specifies the implementation rules for personal information protection certification,which requires personal information processors to comply with GB/T 35273“Information Security Technology Personal Information Securit

12、y Specification”.Processors engaged in cross-border processing activities shall also comply with the requirements of TC260-PG-20222A“Security Certification Specification for Personal Information Cross-border Processing Activities”(the“Certification Specification”).On 24 February 2023,the CAC issued“

13、Measures for Standard Contracts for Cross-border Transfer of Personal Information”(the“Measures for Standard Contract”)and the“Personal Information Cross-border Transfer Standard Contract”(the“Standard Contract”),effective from 1 June 2023.2023 KPMG Advisory(China)Limited,a limited company in China

14、and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.4 2023 KPMG Advisory(China)Limited,a limited company in China and a membe

15、r firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.4Paths to compliance for cross-border transfer of personal data01Overview of complia

16、nce paths for cross-border data transferSince the announcement of these latest regulatory changes around standard contracts for cross-border transfers,three paths have been clarified for the cross-border transfer of personal information.These include:(1)passing the Security Assessment by the CAC;(2)

17、being certified by a specialist agency for the protection of personal information;or(3)entering into a contract with an offshore recipient under the Standard Contract formulated by the CAC.Critical information infrastructure operators(CIIO)shall store personal information and important data collecte

18、d and generated within the territory of the Peoples Republic of China(PRC)during its operation within the territory of the PRC.When such data needs to be provided offshore for business purposes,a Security Assessment shall be conducted pursuant to the measures developed by the CAC together with relev

19、ant departments of the State Council.Other data processors shall determine the type and scale of proposed outbound data and the actual situation of data cross-border transfer scenarios,and execute or select applicable compliance paths accordingly:N.B.Data processors are not allowed to adopt measures

20、 such as volume splitting to avoid Security Assessment.Data processorswho meet any of the circumstances described in Article 4 of Security Assessment Measures still need to declare a Security Assessm entto the CAC through its provincial level CAC in accordance with the regulation.Other Data Processo

21、rs Involved in Cross-border Transfer of Personal Information and Important DataImportant DataPersonalInformationSecurity AssessmentStandard ContractPersonal Information Protection CertificationDeclarationFilingCertificationWhether any of the conditions of the Security Assessment*is met?Security Asse

22、ssment is applicable to any of the following circumstances:1.Where a data processor provides important outbound data;2.Where a data processor processing the personal information of more than one million individuals provides outbound personal information;3.Where a data processor has provided outbound

23、 personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total since January 1 of the previous year;and4.Other circumstances prescribed by the CAC for which a declaration of a Security Assessment for outbound data transfers is required.YesNoOption 1Opti

24、on 2Key points for declaration preparation:Conduct cross-border data risk self-assessmentPrepare declaration materials for Security Assessment in line with the requirementsAdhere to prior evaluation and continuous monitoringKey points for filing preparationConduct personal information protection imp

25、act assessment(PIPIA)Execute the contract in strict accordance with Standard Contract templatesConduct filing within 10 working days from the effective date of the contractKey points for certification preparationConduct PIPIA Meet the requirements of GB/T 35273 and TC260-PG-20222A Technical verifica

26、tion,on-site audit and supervision after receiving the certification 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company li

27、mited by guarantee.All rights reserved.Printed in China.5 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by gu

28、arantee.All rights reserved.Printed in China.5Highlights02A deep dive into the new“Standard Contract”1.Non-conflicting termsWhen concluding a Standard Contract or adding supplementary agreements,two levels of no conflict requirements should be considered:The supplementary agreements shall not confli

29、ct with the terms in the Standard Contract.That is,the terms in the Standard Contract take precedence over other terms agreed upon by the contracting parties.Terms in other legal documents shall not conflict with those in the Standard Contract.That is,the terms in the Standard Contract take preceden

30、ce over the terms in other agreements and legal documents between the contracting parties.2.Third-party beneficiary mechanismThree parties are involved in the contract:the personal information processor(“processor”),offshore recipient(“recipient”)and personal information subject(“individual”).The in

31、dividual is entitled to corresponding rights of the contract.The processor and the recipient,as the parties to the contract,enter into and perform the agreement,whereas the Individual,as third-party beneficiary,is granted corresponding rights through the agreement between the two parties.The individ

32、ual is entitled to claim personal rights.In the event of infringement of personal information rights,the individualcan either claim rights from the processor in accordance with the Personal Information Protection Law,or directly claim rights from either or both parties to the contract in accordance

33、with the content of the Standard Contract.3.Grace period of six monthsThe processor shall remediate the non-compliance of personal information cross-border activities within six months from the date that the Measures for Standard Contracts become effective(i.e.by November 30,2023).4.Personal informa

34、tion subject rightsAn individual shall be informed of being a third-party beneficiary of the contract.The processor needs to inform the individual that it has agreed with the recipient that the individual is a third-party beneficiary under the contract.If the individual does not raise an explicit ob

35、jection within 30 days,the individual may request assistance from either the processor or the recipient to address individual subject rights under the contract.Protection of individual rights.The processor and recipient need to take appropriate measures to respond to reasonable requests from the ind

36、ividual during the performance of personal information cross-border activities.Reference:Measures for Standard Contracts for Cross-border Transfer of Personal Information,Cyberspace Administration of China 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG glob

37、al organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.6 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisa

38、tion of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.6Highlights(Contd)025.Legal responsibilities of the Processor and RecipientWhen the joint liability is occurred When t

39、he processor or the recipient needs to take full liability1.The party who breaches the obligation to protection shall bear civil liabilities.2.The Processor may be subject to administrative liability or criminal liability.Individuals are entitled to request each party or both parties to bear civil l

40、iabilities.When the liability taken by one party exceeds the liability such party can take,it shall have the right to recover from the other party accordingly.Cyberspace Administration Regulatory InterviewWhere the Cyberspace Administration identifies high risks in the cross-border transfer activiti

41、es of personal information or a personal information security incident,it may interview the processor in accordance with the law.The processor shall rectify and eliminate hidden risks as required.6.Major obligations of the ProcessorPersonal Information SubjectsOffshore RecipientsRegulatory Authoriti

42、esInternal Management1.Only provide personal information offshore within the minimum scope required for the purpose of processing;2.Fulfil the obligation of notification;3.Obtain consent from the individual(applies to the scenarios when the cross-border transfer of personal information is based on c

43、onsent);4.Provide a copy of the contract to the individual upon request.1.Investigate whether the recipient has the organisational and technical measures and capabilities to perform the obligations;2.Provide copies of relevant legal regulations and technical standards.1.Reply to inquiries from the r

44、egulatory authorities;2.Provide compliance audit result for cross-border processing activities;3.Assume a burden of proof for the performance of obligations under the contract.PIPIA shall be conducted and the PIPIA report shall be kept for at least three years.A deep dive into the new“Standard Contr

45、act”2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.7 2023 KP

46、MG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.7Highlights(Contd)02

47、7.Major obligations of the RecipientPersonal Information SubjectsPersonal Information ProcessorsInternal ManagementThird-party(If applicable)1.Process personal information in accordance with the contract;2.Provide a copy of the Standard Contract in response to the individuals request;3.Process perso

48、nal information in a manner that has minimal impact on personal rights and interests;4.The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing;5.If automated decision-making is involved,the principle of transparency,fairness and just

49、ice shall be followed;6.Adopt remedial measures to respond to security incidents,and perform notification and logging obligations timely;7.Provide the necessary information required to comply with obligations under the Standard Contract;8.Inform the individual about the contact channels;9.Respond to

50、 the individuals requests when exercising his/her rights.1.Process personal information within the agreed scope with the processor;2.Provide compliance certification materials to the processor,allowing the processor to conduct compliance audits and review documents;3.Provide all necessary informatio

51、n to the processor.1.Record objectively for personal information processing activities and maintain the records for at least three years;2.Take technical and management measures;3.Establish access control permissions of minimum authorisation;4.Respond to security incidents in a timely and standardis

52、ed manner.Provision of personal information to third-party offshore recipients:1.Have business needs;2.Inform the individual of personal information provision and obtain separate consent(this is applicable to scenarios where processing personal information is on a consent basis);3.Execute written ag

53、reement with the third party and provide a copy of the agreement upon the individuals request.Sub-contracting of personal information processing:1.Obtain consent from the processor in advance;2.Process the personal information within the agreements in the contract;3.Supervise the processing activiti

54、es of the third party.Regulatory Authorities1.Be under the supervision and management of regulatory authorities;2.Obey measures or decisions adopted by regulatory authorities;3.Provide written confirmation that the required actions have been taken.A deep dive into the new“Standard Contract”2023 KPMG

55、 Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.8 2023 KPMG Advisory(C

56、hina)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.8Key stages of a Standard Contrac

57、t arrangement 02Pre-contract execution Contract negotiation and conclusionPost-contract execution1Determine whether personal information can be transferred offshore through the conclusion of a Standard Contract1Whether the data processor is a CIIO;2The amount of personal information being processed;

58、3The amount of cumulatively outbound transferred personal information and sensitive information since January 1 of the previous year.2Sort out existing cross-border data transfer businessThe data processor shall clarify the details involved in cross-border transfer activities,such as the purpose,sco

59、pe,scale,method,personal information category,offshore recipient,retention period and location,and whether the offshore recipient has sub-contracted processing activities.3Conduct PIPIAPIPIA must be conducted before executing a Standard Contract.PIPIA mainly focuses on the detailed content and asses

60、sment process.Please refer to the introduction of PIPIA in the following slides.1.Improve the contract termsThere may still be parts of the contract that need to be supplemented,such as contact information,address,details of personal information cross-border transfer activities,etc.2.Contract negoti

61、ation and conclusionThe implementation of a Standard Contract faces the following challenges:(1)Currently,no official English translation version of the Standard Contract has been issued;(2)The standard terms of the contract cannot be amended.The CAC strictly defines the Standard Contract format ter

62、ms.The contracting parties shall properly negotiate adjustments to the commercial parts;(3)Compliance requirements.Enterprises may face the requirement to sign an offshore version of a standard contract or cooperate with the recipient to fulfil obligations required by foreign laws.Enterprises should

63、 carefully evaluate whether the documents they will execute or the compliance obligations they need to perform violate Chinese legal requirements.1Conduct filing proceduresFiling requirements:the processor shall apply for filing with the cyberspace administration at the provincial level within 10 wo

64、rking days from the effective date of the Standard Contract.It is worth noting that the completion of the filing formalities is not a prerequisite for the Standard Contract coming into effect.2Follow-up supervision after signing the contractIn case of any of the following circumstances during the va

65、lidity period of the Standard Contract,the processor shall re-conduct PIPIA,supplement or re-execute the Standard Contract,and perform filing procedures:(1)Changes in the cross-border transfer activities of personal information;(2)Changes in personal information protection regulations and policies i

66、n the recipients location,which may affect the rights and interests of the personal information;(3)Other circumstances that may affect the rights and interests of personal information.3Other obligatory measures(1)Continuously monitor and evaluate the changes in personal information protection polici

67、es and regulations in the location of recipients;(2)Actively exercise contractual rights of supervision and inspection over the recipient;(3)Conduct compliance audit for processing activities under the contract;(4)Actively respond to requests from personal information subjects.A deep dive into the n

68、ew“Standard Contract”2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed i

69、n China.9 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.9Un

70、der any of the following circumstances,a personal information processor shall conduct a personal information protection impact assessment beforehand and keep the processing record:(1)The processing of sensitive personal information;(2)Using personal information to conduct automatic decision-making;(

71、3)Entrusting others to process personal information,providing other personal information processors with personal information and disclosing personal information;(4)Providing personal information to offshore parties;(5)Other personal information processing activities that have significant impact on

72、personal rights and interests.Personal Information Protection Law(PIPL)Article 55According to“GB/T 39335-2020 Information Security Technology Guidelines for Personal Information Security Impact Assessment”,PIPIA is the process for testing the compliance of personal information processing activities,

73、identifying the various risks that may cause damage to the legitimate rights and interests of personal information subjects,and evaluating the effectiveness of various measures used to protect personal information subjects.PIPIA provides an overview of how and why personal information is used,stored

74、,and shared across business operations and shared services.The aim of PIPIA is to identify risks of the impact on processing personal information and to take remediation actionsaccordingly,as well as to fulfil related regulatory requirements under PIPL.What is PIPIAWhen does PIPIA need to be conduct

75、edLegal basisof personal information protection impact assessment(PIPIA)03Background to personal information protection impact assessment 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG Int

76、ernational Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.10 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International

77、 Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.10Announcement on the Implementation of Personal Information Protection Certification,Cyberspace Administration of China&State Administration for Market RegulationTwo standards are refe

78、rred and mentioned in the announcement.Processors should comply with the requirements of“GB/T 35273 Information Security Technology Personal Information Security Specification”.For processors engaged in cross-border processing activities,the requirements of“TC260-PG-20222ASpecification for Security

79、Certification of Personal Information Cross Border Processing Activities”also needs to be complied with.Specification for Security Certification of Cross-border Personal Information Processing Activities V2.0,National Information Security Standardization Technical CommitteeArticle 5.4:A personal inf

80、ormation processor shall conduct PIPIA on activities intended to provide personal information to offshore recipients,and form a PIPIA report,which shall be kept for at least three years.The assessment report shall include at a minimum the following items:a)The legality,legitimacy,and necessity of th

81、e purpose,scope,and method of processing personal information by personal information processors and offshore recipients;b)The scale,scope,type,sensitivity,and frequency of cross-border processing of personal information,as well as the risks that cross-border processing of personal information may b

82、ring to the rights and interests of personal information;c)Whether the responsibilities and obligations promised by the offshore recipients,as well as the management and technical measures and capabilities to fulfil the responsibilities and obligations,can ensure the security of cross-border process

83、ing of personal information;d)The risks of leakage,damage,tampering,abuse,etc.in cross-border processing of personal information,and whether the channels for individuals to protect their personal information rights and interests are easily accessible;e)The impact of the personal information protecti

84、on policies and regulations of the country or region where the offshore recipient is located on the performance of personal information protection obligations and the protection of personal information rights and interests;f)Other factors that may affect the security of cross-border processing of pe

85、rsonal information.Measures for Standard Contracts for Cross-border Transfer of Personal Information,Cyberspace Administration of ChinaArticle 5:Prior to the cross-border transfer of personal information,the personal information processors shall conduct PIPIA,with the focus of the following:a)The le

86、gality,legitimacy and necessity of the purpose,scope and method of the processing of personal information by the personal information processor and the offshore recipient;b)The scale,scope,type,and sensitivity of personal information that is to be transferred outbound,and the risks to the personal i

87、nformation rights and interests that may be caused by the cross-border transfer of personal information;c)The obligations that the offshore recipient promises to undertake,and whether the management and technical measures and capabilities of the offshore recipient to perform their obligations can en

88、sure the security of the personal information that is to be transferred outbound;d)The risk of tampering,damage,leakage,loss and abuse after the cross-border transfer of personal information,and whether the channels for individuals to protect their personal information rights and interests are acces

89、sible and smooth;e)The impact of policies and regulations for the protection of personal information on the performance of the Standard Contract in the country or region where the offshore recipient is located;f)Other factors that may affect the security of cross-border transfer of personal informat

90、ion.Personal Information Protection CertificationConclusion of Standard Contract Legal basis of personal information protection impact assessment(Contd)03In addition,the following regulations propose more detailed requirements for PIPIA for the two cross-border transfer paths of concluding a Standar

91、d Contract and obtaining a personal information protection certification:Background to personal information protection impact assessment 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG Inte

92、rnational Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.11 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International

93、Limited(“KPMG International”),a private English company limited by guarantee.All rights reserved.Printed in China.11Personal information protection impact assessment process03Background to personal information protection impact assessmentAssessment ResultsScenariosRecurrent scenarios that trigger PI

94、PIA:1)Newly launched systems,applications,products,and services2)Significant changes in business operations or system functions3)New supplier onboarding4)Existing supplier review5)Supplier contract renewal or updateIdentificationPersonal information processing is included in business activities/agre

95、ements/plansAssessmentPersonal Information Evaluation domains:Network environment and technical measuresPersonal information processing procedureParticipants and related third partiesSecurity circumstance and processing scaleProbability of PI security incidentsImpact on personal rights and interests

96、Impact on data subjects self decision-making rightGenerate discriminatory treatmentPersonal reputation damage or mental stressPersonal property lossesRisk LevelPossibilityLowMediumHighStrictly HighStrictly HighMediumHighStrictly HighStrictly HighHighMediumMediumHighStrictly HighMediumLowMediumMedium

97、HighLowLowLowMediumMedium2134The company shall consider internal control objectives and risk appetite to determine actions,such as avoiding/mitigating/accepting risks.Reference:Information Security Technology-Guidelines for Personal Information Security Impact Assessment(GB/T 39335-2020),State Admin

98、istration for Market Regulation and Standardization Administration of the Peoples Republic of China 2023 KPMG Advisory(China)Limited,a limited company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited(“KPMG International

Common challenges in managing personal information protection impact assessment and recommendations

During the implementation of PIPIA, common challenges may occur, including:

01 Inadequate Identification and Scoping of PI Processing Activities
Challenge: Currently, organisations may not have fully identified their personal information processing activities and/or which processing activities shall be subject to PIPIA according to the relevant laws and regulations.
Response suggestions: A complete inventory of personal information processing activities should be identified and established, and the scope of processing activities subject to PIPIA should be defined.

02 Lack of PIPIA Toolkits and Processes
Challenge: Organisations may not have established toolkits and processes for PIPIA, and/or may not have conducted a PIPIA yet.
Response suggestions: PIPIA toolkits and processes should be developed in accordance with regulations and the relevant national standards. PIPIA shall be conducted and archived for applicable personal information processing activities in accordance with regulatory requirements.

03 Difficult to Integrate the PIPIA Process within the Existing DPIA Process
Challenge: Currently, multinational companies may have established data protection impact assessment (DPIA) processes and toolkits based on foreign regulatory requirements such as the EU's General Data Protection Regulation (GDPR). Assessments of this kind present both similarities and differences with PIPIA.
Response suggestions: Localised toolkits and processes for PIPIA should be established and integrated with the existing DPIA procedure, so that local compliance requirements are met while the globally unified requirements for the organisation's operations are also satisfied.

04 Recommendations

01 Identification and Evaluation
- Comb through cross-border data transfer scenarios based on the identified affected applications and business processes, and clarify the corresponding Recipients.
- Establish a localised PIPIA process and checklist to assess the impact of the identified cross-border data transfer scenarios/processing activities.
- Implement internal remediation work rapidly.

02 Cross-border Transfer Path Decision
Based on business conditions, enterprises need to determine the type of cross-border transfer path: Security Assessment, Standard Contract or personal information protection certification.
- Security Assessment: enterprises must declare the Security Assessment when the relevant conditions are triggered.
- Standard Contract: flexible, with a simpler process, but it is necessary to clarify the specific scenarios of the cross-border data transfer activities and to implement PIPIA. The term of validity is in accordance with the contract.
- Personal information protection certification: it can cover a wide scope, but the certification process and contents are rather complicated. It requires the Processors and the Recipients to both agree on and comply with the same personal information cross-border processing policy. The certification requirements also include the signing of legally binding documents and the implementation of PIPIA. The term of validity is 3 years.

03 Continuous Follow-Up
- Continuously monitor whether the data volume involved in the personal information processing activities has reached the threshold for cross-border data transfer self-assessment, and prepare the self-assessment declaration based on the requirements of the Security Assessment Measures.
- Continuously pay attention to the official release of important data catalogues and identify whether the organisation is involved in cross-border transfer of important data.
- Continuously pay attention to the term of validity of the Standard Contract filing or the personal information protection certification filing, and make on-time updates.

05 KPMG personal information protection management service

KPMG Personal Information Protection Management Service

Service phases: Identify, Analyse, Establish, Implement, Optimize

Service areas:
- Personal information grading and processing activities identification
- Personal information protection management maturity assessment, regular risk assessment and compliance audit
- Personal information protection assessment and design (governance, process and technology)
- Personal information management system establishment
- Personal information protection management, operation and compliance implementation
- Mobile app/mini-program privacy compliance assessment and rectification
- CBDT scenario inventory, evaluation and management framework process construction
- Review and update of privacy policy and related contract document templates
- Third-party personal information protection management mechanism optimisation and audit
- Personal information security engineering design and implementation (access control, data encryption, de-identification, etc.)
- Personal information protection impact assessment design and implementation
- Personal information protection management operational support for external compliance activities
- Data and system localisation analysis, planning, and establishment
- KPMG automated tool and platform to support implementation

Contacts

Kevin Zhou, Director, Cybersecurity Advisory, KPMG China. Tel: +86 (21) 2212
Henry Shek, Partner, Cybersecurity Advisory, KPMG China. Tel: +852 2143
Richard Zhang, Partner, Cybersecurity Advisory, KPMG China. Tel: +86 (21) 2212
Danny Hao, Partner, Cybersecurity Advisory, KPMG China. Tel: +86 (10) 8508
Quin Huang, Partner, Cybersecurity Advisory, KPMG China. Tel: +86 (21) 2212 2355
Brian Cheung, Partner, Cybersecurity Advisory, KPMG China. Tel: +852 2847
Lanis Lam, Partner, Cybersecurity Advisory, KPMG China. Tel: +852 2143
Jason Li, Director, Cybersecurity Advisory, KPMG China. Tel: +86 (10) 8508
Frank Wu, Director, Cybersecurity Advisory, KPMG China. Tel: +86 (21) 2212

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2023 KPMG Advisory (China) Limited, a limited liability company in China and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. Printed in China.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation. For a list of KPMG China offices, please scan the QR code or visit our website: https://home.kpmg/cn/en/home/about/offices.html
