2024數(shù)據(jù)出境實務實操手冊

中國數(shù)據(jù)出境實務實操白皮書中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRulesPAGE4/55目錄Contents一、中國數(shù)據(jù)出路徑透視 9I.PivotofOutboundDataPaths 9(一)路徑起源 9OriginsofPaths 9(二)路徑選擇 10PathSelection 10(三)路徑豁免（或有） PathExemptions(ifany) 二、中國數(shù)據(jù)出實務問答 13II、Q&AonChinesePracticesofOutboundData13(一)數(shù)據(jù)出境安全評估10問 1310QuestionsonSecurityAssessmentforOutboundData13Q1: 什么情形必須啟動數(shù)據(jù)出境安全評估？ 13Underwhatcircumstancesmustsecurityassessmentforoutbounddatatransfersbeconducted? Q2: 數(shù)據(jù)出境行為具體包含哪些？ 14Whatconstitutesanactofoutbounddatatransfer? 14實操演練1PracticalExercise1Q3: 如何識別重要數(shù)據(jù)”？ 16Howtoidentify"importantdata"? 16Q4: 如何識別敏感個人信息”？ 18Howtoidentify"sensitivepersonalinformation"? 18Q5: 如何界定關(guān)鍵信息基礎(chǔ)設施運營者”？ 18Whoisa"criticalinformationinfrastructureoperator"? 18Q6: 如何界定100萬、10萬、1萬的數(shù)量規(guī)模？ 19Howtodefinethequantitativescaleof1million,100thousand,and10thousand?19Q7: 同一數(shù)據(jù)處理者存在多個出境場景需要申報時應如何處理？ 20Whatshouldbedonewhentherearemultipleoutboundscenariostobedeclaredbythesamedataprocessor? Q8: 什么情況應當重新進行數(shù)據(jù)出境安全評估？ 21Whenshouldasecurityassessmentforoutbounddatatransfersbere-conducted?21實操演練2PracticalExercise2Q9: 企業(yè)是否必須事先開展自評估工作？若需要，需要提前多久開展？自評估工作應當評估哪些方面？ Isitnecessaryforcompaniestocarryouttheself-assessmentexerciseinadvance?Ifso,howfarinadvance?Whatshouldbeassessedintheself-assessment? 23實操演練3PracticalExercise3Q10: 數(shù)據(jù)出境安全評估申報流程需要花多長時間？ 26Howlongdoesthesecurityassessmentfilingprocessofoutbounddatatransferstake? 26(二)個人信息出境標準合同備案15問 2815QuestionsontheFilingoftheSCforOutboundofPersonalInformation(“SCFiling”) 簽訂標準合同進行數(shù)據(jù)出境活動的適用范圍？ 28WhatisthescopeofapplicationofaSC? 28Q12: 標準合同簽署的主體有哪些？ 29WhoarepartiestoaSC? 29實操演練4PracticalExercise4Q13: 規(guī)定提及自主締約”，這是否意味著企業(yè)可以跳過備案環(huán)節(jié)？ 30Theprovisionrefersto"independentcontracting",doesthismeanthatcompaniescanskipthefilingprocess? Q14: 能否針對多個數(shù)據(jù)出境場景使用同一套標準合同？ 32CanthesamesetofSCbeusedformultipleoutbounddatatransfers? 32實操演練5PracticalExercise5Q15: 關(guān)聯(lián)方是否可以合并備案？ 34Canrelatedpartiesconsolidatetheirfilings? 34實操演練6PracticalExercise6Q16: 可以修改標準合同條款嗎？ 37CanthetermsofaSCbemodified? 37Q17: 如果已簽署GDPR下的標準合同,是否還需簽署中國的標準合同？ 37IfaSCundertheGDPRhasbeensigned,doIneedtosignaSCthatconformswiththeChineselaws? Q18: 個人信息處理者是否可以提交非中文版標準合同？ 37CanaPIPsubmitanon-ChineseversionofaSC? 38Q19: 標準合同備案的有效期多久？ 38HowlongisafilingofSCvalidfor? 38Q20: 什么情況下需要重新備案？ 39Underwhatcircumstanceswillitbenecessarytore-file? 39實操演練7PracticalExercise7Q21: 受托人是否可以簽訂標準合同？ 41CanatrusteeenterintoaSC? 41實操演練8PracticalExercise8Q22: 在標準合同備案路徑下，PIA是否有特殊之處？ 43IsPIAspecialundertheSCFilingpath? 43Q23: 標準合同備案的結(jié)果是什么？ 43WhatistheoutcomeofaSCFiling? 43Q24: 寬限期內(nèi)的個人信息跨境傳輸是否合法？ 44Areoutboundtransfersofpersonalinformationduringthegraceperiodlegal?44Q25: 若未能在寬限期內(nèi)完成整改，數(shù)據(jù)出境是否非法？是否需承擔責任？44Intheeventthatmodificationisnotcompletedwithinthegraceperiod,wouldtheoutbounddatatransferbeillegal?Isthereanylegalconsequenceforsuchafailure?44實操演練9PracticalExercise9(三)個人信息跨境處理活動安全認證5問 495QuestionsonSecurityCertificationforCross-borderProcessingActivitiesofPersonalInformation(“PIPC”) Q26: 何時可以選擇個人信息跨境處理活動安全認證路徑？ 49WhencanIchoosethePIPC? 49Q27: 是否可以選擇安全認證來代替標準合同備案？ 50IsPIPCanalternativeoptiontoSCFiling? 50實操演練10PracticalExercise10Q28: 安全認證路徑下，是否需要指定個人信息保護負責人并設立個人信息保護機構(gòu)？ IsitnecessarytodesignateapersontobeinchargeofpersonalinformationprotectionandestablishapersonalinformationprotectionorganizationunderthePIPCpath? 51Q29: 安全認證具體怎么開展？ 52HowisPIPCconducted? 52Q30: 安全認證的有效期？ 54WhatisthevalidityperiodofthePIPC? 54附件一：問題/案例索引AnnexI:IndexofQ&AsandPracticalExercises附件二：主要法律法規(guī)一覽表AnnexII:ListofMajorLawsandRegulations中國數(shù)據(jù)出境實務實操白皮書中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules9/55—概 覽(Overview)—一、中國數(shù)據(jù)出境路徑透視I.PivotViewofChina’sOutboundDataTransferPaths(一)路徑起源OriginsofPaths數(shù)據(jù)跨境流動是全球化數(shù)字經(jīng)濟的必然，數(shù)據(jù)主權(quán)、數(shù)據(jù)安全以及個人信息保護也是全球監(jiān)管的共識。Thecross-borderflowofdataisaninevitablepartoftheglobalizeddigitaleconomy,andthereisconsensusthattheprotectionofdatasovereignty,datasecurity,andpersonalinformationprotectionaresubjecttoglobalregulation.我國目前法律就數(shù)據(jù)出境提供了三條通路，即：數(shù)據(jù)出境安全評估、個人信息出境標準合同備案（或稱“標準合同備案、個人信息跨境處理活動安全認證（或稱“個人信息。381，個人信息處理者因業(yè)務（一）依照本法第四十條的（二）按照國家網(wǎng)信部門的規(guī)定經(jīng)專業(yè)機構(gòu)進行個（三）按照國家網(wǎng)信部門制定的標準合同與境外接收方訂立合同，約定雙（四）法律、行政法規(guī)或者國家網(wǎng)信部門規(guī)定的其他條件。China'scurrentlawsprovidethreepathsforoutbounddatatransfers,namely:ecurityassessmentoroutbounddatatransfers,thefilingoftheStandardContractforoutboundtransferofpersonalnformation(or“SCFiling”),andsecuritycertificationforcross-borderprocessingactivitiesofersonalinformation(or"PersonalInformationProtectionCertification,PIPC").llthreeareerivedfromArticle38,Paragraph1ofthePersonalInformationProtectionwhichprovideshatwhereaPIPgenuinelyneedstoprovidepersonalinformationoutsidetheterritoryofthePeople'sRepublicofChinaduetobusinessorotherneeds,itshallmeetanyofthefollowingconditions:(I)tohavepassedthesecurityassessmentorganizedbytheCyberspaceAdministrationofChinainaccordancewiththeprovisionsofArticle40thereof;(II)tohaveobtainedaPersonalInformationProtectionCertificationissuedbyaspecializedagencyinaccordancewiththeregulationsoftheCyberspaceAdministrationofChina;(III)tohaveenteredintoacontractwithanoversearecipientunderthestandardcontractformulatedbytheCyberspaceAdministrationofChina,specifyingtherightsandobligationsofbothparties;or(IV)tomeetotherconditionsprescribedbylaws,administrativeregulationsortheCyberspaceAdministrationofChina.國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules10/55中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice(二)路徑選擇PathSelection注：特別地，針對注冊在粵港澳大灣區(qū)內(nèi)地部分/香港特別行政區(qū)的個人信息處理者及接收方，在粵港澳大灣區(qū)內(nèi)地部分與香港特別行政區(qū)之間的個人信息跨境流動，不含重要數(shù)據(jù)的，可以選擇標準合同備案。Inparticular,forPIprocessorsandrecipientsregisteredintheMainlandpartoftheGuangdong-HongKong-MacaoGreaterBayArea/HongKongSAR,forcross-borderflowofpersonaldatabetweentheMainlandpartoftheGuangdong-HongKong-MacaoGreaterBayAreaandtheHongKongSARthatdoesnotcontainimportantdata,theoptionoffilingofstandardcontractisavailable.中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules11/55(三)路徑豁免（或有）PathExemptions(ifany)與此同時，為進一步降低企業(yè)在數(shù)據(jù)跨境傳輸方面的合規(guī)成本，國家互聯(lián)網(wǎng)信息辦公室2023928（征求意見稿（Meanwhile,inordertofurtherreducethecompliancecostofenterprisesincross-borderdatatransfer,theCyberspaceAdministrationofChinaissuedthe"ProvisionsonRegulatingandPromotingCross-borderFlowofData(ExposureDraft)"(the“ExposureDraft”)on28September2023,withtheintentionofreducingtheburdenofcross-borderflowofdataelements.TheExposureDraftclarifiesthefollowingtwomainpoints:【新增豁免情形】符合以下情形之一的，不需要申報數(shù)據(jù)出境安全評估、訂立個人信息出境標準合同、通過個人信息保護認證：【xemptions】Underanyofthefollowingcircumstances,itisnotrequiredtoapplyforsecurityassessmentforoutbounddatatransfers,theSCFiling,andPIPC：國際貿(mào)易、學術(shù)合作、跨國生產(chǎn)制造和市場營銷等活動中產(chǎn)生的數(shù)據(jù)出境，不包含個人信息或者重要數(shù)據(jù)的；wheredataoutboundtransferarisingfrominternationaltrade,academiccooperation,cross-borderproductionandmanufacturing,marketingactivities,andothers,excludingthetransferofpersonalinformationorimportantdata;不是在境內(nèi)收集產(chǎn)生的個人信息向境外提供；providingpersonalinformationnotcollectedinChinatolocationsoutsideChina;為訂立、履行個人作為一方當事人的合同所必需，如跨境購物、跨境匯款、機票酒店預訂、簽證辦理等，必須向境外提供個人信息的；wherethepersonalinformationmustbeprovidedabroad,asitisnecessaryfortheconclusionandperformanceofacontracttowhichtheindividualisasuchascross-bordershopping,cross-borderremittance,airticketsandhotelbooking,visaprocessing,etc.按照依法制定的勞動規(guī)章制度和依法簽訂的集體合同實施人力資源管理，必須向境外提供內(nèi)部員工個人信息的；forhumanresourcesmanagementinaccordancewiththelaborregulationsandrulesformulatedinaccordancewiththelawandcollectivecontractsconcludedinaccordancewiththeitisnecessarytoprovideabroadthepersonalinformationofinternalemployees;中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules12/55緊急情況下為保護自然人的生命健康和財產(chǎn)安全等，必須向境外提供個人信息的；wherepersonalinformationhastobeprovidedoverseastoprotectthelife,health,andpropertysafetyofnaturalpersonsinanemergency;and1萬人個人信息的。wherethePIPisexpectedtoprovidepersonalinformationoflessthan10,000individualstolocationsoutsideChinawithinoneyear.【鼓勵創(chuàng)新試點】自由貿(mào)易試驗區(qū)可自行制定本自貿(mào)區(qū)需要納入數(shù)據(jù)出境安全評估、個人信息出境標準合同、個人信息保護認證管理范圍的數(shù)據(jù)清單（以下簡稱負面清單，負面清單外數(shù)據(jù)出境，可以不申報數(shù)據(jù)出境安全評估、訂立個人信息出境標準合同、通過個人信息保護認證。【ncouragingInnovativePilots】Pilotfreetradezonesontheirown,formulatelistsofdatathatneedtobeincludedinthescopeofadministrationofsecurityassessmentforthedatatobeprovidedabroad,standardcontractsforoutboundprovisionofpersonalinformation,andcertificationforpersonalinformationprotection(the"NegativeList"),anddataoutboundtransferactivitiesoutsidetheNegativeListmaybecarriedoutwithoutapplyingforsecurityassessmentforoutbounddatatransfers,theSCFiling,andPIPC.目前該《征求意見稿》尚未正式出臺，但已明確釋放出促進數(shù)據(jù)跨境自由流動的強烈信號。相信數(shù)據(jù)跨境有序合規(guī)自由流通的機制將很快建立起來。TheExposureDrafthasnotyetbeenformallyissued,butithasclearlyreleasedastrongsignaltopromotethefreeflowofdataoutboundtransfers.Itisbelievedthatamechanismfortheorderlyandcompliantfreeflowofdataacrossborderswillsoonbeestablished.中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules1PAGE3/55—數(shù)據(jù)出境實務30問答(30Q&As)—二、中國數(shù)據(jù)出境實務問答II、Q&AonChinesePracticesofOutboundDataTransfers(一) 數(shù)據(jù)出境安全評估10問10QuestionsonSecurityAssessmentforOutboundDataQ1:什么情形必須啟動數(shù)據(jù)出境安全評估？Underwhatcircumstancesmustsecurityassessmentforoutbounddatatransfersbeconducted?A1:具備以下情形之一時，必須啟動數(shù)據(jù)出境安全評估：Asecurityassessmentforoutbounddatatransfersmustbeconductedwhenoneofthefollowingcircumstancesarises:數(shù)據(jù)處理者向境外提供重要數(shù)據(jù)；whereadataprocessorprovidesimportantdataabroad;100境外提供個人信息；whereakeyinformationinfrastructureoperatororaPIPofthedataofmorethanonemillionpeopleprovidesabroadpersonalinformation;11101人信息的數(shù)據(jù)處理者向境外提供個人信息；或者whereaPIPhasprovidedabroadpersonalinformationof100,000peopleorsensitivepersonalinformationof10,000peopleintotalsinceJanuary1ofthepreviousyear;or國家網(wǎng)信部門規(guī)定的其他需要申報數(shù)據(jù)出境安全評估的情形。11《數(shù)據(jù)出境安全評估辦法》（國家互聯(lián)網(wǎng)信息辦公室，國家互聯(lián)網(wǎng)信息辦公室令第11號，OthercircumstancesprescribedbytheCyberspaceAdministrationofChinaforwhichdeclarationforsecurityassessmentforoutbounddatatransfersisrequired.特別地，該境外包含香港特別行政區(qū)、澳門特別行政區(qū)以及臺灣地區(qū)。Inparticular,thisterritoryincludestheHongKongSpecialAdministrativeRegion,theMacaoSpecialAdministrativeRegion,andQ2:數(shù)據(jù)出境行為具體包含哪些？Whatconstitutesanactofoutbounddatatransfer?A2:數(shù)據(jù)出境行為包括向境外提供或允許境外訪問境內(nèi)數(shù)據(jù)，具體包括以下三種情形：Actsofdataoutboundtransfersincludeprovidingorallowingaccesstodatawithintheterritoryfromoutsidetheterritory,specificallyincludingthefollowingthreesituations:數(shù)據(jù)處理者將在境內(nèi)運營中收集和產(chǎn)生的數(shù)據(jù)傳輸、存儲至境外；Thedataprocessortransfersandstoresthedatacollectedandgeneratedinitsoperationswithintheterritoryabroad;數(shù)據(jù)處理者收集和產(chǎn)生的數(shù)據(jù)存儲在境內(nèi)，境外的機構(gòu)、組織或者個人可以查詢、調(diào)取、下載、導出；Datacollectedandgeneratedbydataprocessorsarestoredintheterritoryandcanbequeried,accessed,downloaded,orexportedbyinstitutions,organizations,orindividualsabroad;國家網(wǎng)信辦規(guī)定的其他數(shù)據(jù)出境行為。22022.07.07發(fā)布，2022.09.01實施）第4條規(guī)定。Article4,MeasuresfortheSecurityAssessmentofOutboundDataTransfer(CyberspaceAdministrationofChina,OrderNo.11oftheCyberspaceAdministrationofChina,issuedon7July2022,effectivefrom1September2022)2《數(shù)據(jù)出境安全評估申報指南（第一版（國家互聯(lián)網(wǎng)信息辦公室，2022.08.3120220831實施“一、適用范圍”規(guī)定?！?.ScopeofApplication”ofGuidelinesfortheApplicationforSecurityAssessmentforOutboundDataTransfers(FirstEdition)(CyberspaceAdministrationofChina,issuedon31August2022,effectivefrom31August2022)OtheractsofoutbounddatatransfersstipulatedbytheCyberspaceAdministrationofChina.1PracticalExerciseQ：跨境電商平臺有許多商家，如何申報數(shù)據(jù)出境安全評估？跨境電商場景下平臺方與品牌方，誰來發(fā)起安全評估？Q:Cross-bordere-commerceplatformshavemanymerchants,howtodeclaresecurityassessmentforoutbounddatatransfers?Inthecontextofcross-bordere-commercebetweentheplatformsandthebrands,whowillconductthesecurityassessment?A：需要區(qū)分場景。根據(jù)數(shù)據(jù)實際由平臺還是品牌方傳輸出境，品牌方自行傳輸出境的場景下，品牌方申報；平臺傳輸出境的場景下，平臺統(tǒng)一申報。A:Thereisaneedtodistinguishthescenarios.Itisbasedonwhetherthedataareactuallytransmittedbytheplatformsorthebrands,ifthebrandstransmitthedataoutsidetheterritoryofthePeople’sRepublicofChinathemselves,thebrandsshouldmakethedeclaration.IftheplatformstransmitthedataoutsidetheterritoryofthePeople’sRepublicofChina,theplatformshouldmakeaconsolidateddeclaration.1延伸VariationofPracticalExercise1境內(nèi)A公司員工在境外出差，將A公司業(yè)務經(jīng)營中處理的重要數(shù)據(jù)通過硬盤方式提供給境外B公司。AnemployeeofCompanyAwithintheterritoryisonbusinesstripoutsidetheterritoryandprovidesimportantdataprocessedbyCompanyAinbusinessoperationtoCompanyBabroadviaaharddrive.Q：該A公司是否應當啟動數(shù)據(jù)出境安全評估？Q:ShouldCompanyAconductasecurityassessmentforoutbounddatatransfers?A：通過硬盤傳輸亦屬于數(shù)據(jù)出境，應當事前通過所在地省級網(wǎng)信部門向國家網(wǎng)信部門申報數(shù)據(jù)出境安全評估。A:Transferringdataviaaharddrivealsoconstitutesoutbounddatatransfers,soCompanyAshoulddeclareasecurityassessmentforoutbounddatatransferstothenationalcyberspaceadministrationdepartmentviatheprovincial-levelcyberspaceadministrationdepartmentinadvance.Q3:如何識別“重要數(shù)據(jù)”？Howtoidentify"importantdata"?A3:重要數(shù)據(jù)，是指一旦遭到篡改、破壞、泄露或者非法獲取、非法利用等，可能危害國家安全、經(jīng)濟運行、社會穩(wěn)定、公共健康和安全等的數(shù)據(jù)。3Importantdatareferstodatathatmayjeopardizenationalsecurity,economicoperation,socialstability,publichealth,etc.,ifitistamperedwith,damaged,leaked,illegallyaccessed,orillegallyutilized,etc.在重要數(shù)據(jù)識別時，應當優(yōu)先參考所屬行業(yè)、領(lǐng)域、地區(qū)數(shù)據(jù)安全管理相關(guān)規(guī)定（例如汽車數(shù)據(jù)對應的《汽車數(shù)據(jù)安全管理若干規(guī)定（試行（下，其次可參考《網(wǎng)絡數(shù)據(jù)安全管理條例（征求意見稿》中相關(guān)定義：Whenidentifyingimportantdata,priorityshouldbegiventotakingreferencefromrelevantregulationsondatasecuritymanagementoftheindustry,field,andregiontowhichitbelongs(e.g.,automobiledatacorrespondstothe"SeveralProvisionsonAutomotiveDataSecurityManagement(forTrialImplementation)","ProvisionsonAutomobileData"),andtoalesserextent,totherelevantdefinitionsinthe"RegulationsfortheAdministrationofNetworkDataSecurity(ExposureDraft)":未公開的政務數(shù)據(jù)、工作秘密、情報數(shù)據(jù)和執(zhí)法司法數(shù)據(jù)；Unpublishedgovernmentdata,workingsecrets,intelligencedata,andlawenforcementandjudicialdata;重點行業(yè)和領(lǐng)域安全生產(chǎn)、運行的數(shù)據(jù)、關(guān)鍵系統(tǒng)組件、設備供應鏈數(shù)據(jù)；Dataonsafeproductionandoperationofkeyindustriesandfields,keysystemcomponents,andequipmentsupplychaindata;3《數(shù)據(jù)出境安全評估辦法》（國家互聯(lián)網(wǎng)信息辦公室，國家互聯(lián)網(wǎng)信息辦公室令第11號，2022.07.07發(fā)布，2022.09.01實施）第19條規(guī)定。Article19,MeasuresfortheSecurityAssessmentofOutboundDataTransfers(OrderNo.11oftheCyberspaceAdministrationofChina,issuedon7July2022,effectivefrom1September2022)達到國家有關(guān)部門規(guī)定規(guī)模或者精度的基因、地理、礦產(chǎn)、氣象等國家基礎(chǔ)數(shù)據(jù)；Nationalbasicdatasuchasgenetics,geography,minerals,meteorology,etc.thathavereachedthescaleorprecisionspecifiedbytherelevantstatedepartments;影響關(guān)鍵信息基礎(chǔ)設施安全穩(wěn)定運行的數(shù)據(jù)，國防設施、軍事管理區(qū)、國防科研生產(chǎn)單位等重要敏感區(qū)域的地理位置、安保情況等數(shù)據(jù)；Dataaffectingthesafeandstableoperationofcriticalinformationinfrastructures,thegeographiclocationandsecurityofimportantandsensitiveareassuchasnationaldefensefacilities,militarymanagementzones,andnationaldefenseresearchandproductionunits;出口管制物項涉及的核心技術(shù)、設計方案、生產(chǎn)工藝等相關(guān)數(shù)據(jù)，密碼、生物電子信息、人工智能等領(lǐng)域?qū)野踩?、?jīng)濟競爭力有直接影響的科學技術(shù)成果數(shù)據(jù)；Datarelatedtocoretechnologies,designprograms,productionprocesses,etc.involvedinexport-controlleditems,anddataonscientificandtechnologicalachievementsinthefieldsofcryptography,bio-electronicinformation,artificialintelligence,etc.,whichhaveadirectimpactonnationalsecurityandeconomiccompetitiveness;國家法律、行政法規(guī)、部門規(guī)章明確規(guī)定需要保護或者限制處理的國家經(jīng)濟運行數(shù)據(jù)、重要行業(yè)和領(lǐng)域業(yè)務數(shù)據(jù)、統(tǒng)計數(shù)據(jù)等；Nationaleconomicoperationdata,businessdataofimportantindustriesandfields,andstatisticaldata,theprocessingofwhichneedstobeprotectedorrestrictedasstipulatedbynationallaws,administrativeregulations,departmentalrules,andregulations;其他一旦遭到篡改、破壞、泄露或者非法獲取、非法利用等，可能危害國家安全、經(jīng)濟運行、社會穩(wěn)定、公共健康和安全等的數(shù)據(jù)。Otherdatathatmayjeopardizenationalsecurity,economicoperation,socialstability,publichealthandsafety,etc.oncetamperedwith,damaged,leaked,orillegallyaccessedorillegallyutilized.Q4:如何識別“敏感個人信息”？Howtoidentify"sensitivepersonalinformation"?A4:敏感個人信息，是一旦泄露或者非法使用，容易導致自然人的人格尊嚴受到侵害或者人身、財產(chǎn)安全受到危害的個人信息，包括生物識別、宗教信仰、特定身份、醫(yī)療健康、金融賬戶、行蹤軌跡等信息，以及不滿十四周歲未成年人的個人信息。4Sensitivepersonalinformationreferstothepersonalinformationthatislikelytoresultindamagetothepersonaldignityofanynaturalpersonordamagetothesafetyofhisorherphysicalbodyorpropertyoncedisclosedorillegallyused,includinginformationsuchasbiometricidentification,religiousbelief,specificidentity,medicalhealth,financialaccount,andwhereaboutsandtracks,etc.,aswellasthepersonalinformationofminorsundertheageof14.GB/T35273-2020于個人敏感信息的定義及相關(guān)舉例。ReferencecanbemadetothedefinitionofpersonalsensitiveinformationandrelatedexamplesinthenationalstandardGB/T35273-2020"InformationSecurityTechnology—PersonalInformationSecuritySpecification".Q5:如何界定“關(guān)鍵信息基礎(chǔ)設施運營者”？Whoisa"criticalinformationinfrastructureoperator"?A5:信和信息服務、能源、交通、水利、金融、公共服務、電子政務、國防科技工業(yè)等重要行業(yè)和領(lǐng)域的，以及其他一旦遭到破壞、喪失功能或者數(shù)據(jù)泄露，可能嚴重危害國家安全、國計民生、公共利益的重要網(wǎng)絡設施、信4《中華人民共和國個人信息保護法》（全國人民代表大會常務委員會，主席令第九十一號，2021.08.20發(fā)布，2021.11.01實施）第28條規(guī)定。Article28,PersonalInformationProtectionLawofthePeople'sRepublicofChina(OrderNo.91ofthePresidentofthePeople'sRepublicofChina,StandingCommitteeoftheNationalPeople'sCongress,issuedon20August2021,effectivefrom1November2021)息系統(tǒng)等。AccordingtotheRegulationonProtectingtheSecurityofCriticalInformationInfrastructure,criticalinformationinfrastructure(“CII”)referstothenetworkfacilitiesandinformationsystemsinimportantindustriesandfieldssuchaspublictelecommunications,informationservices,transportation,waterconservancy,finance,publicservices,e-governmentandscience,technologyandindustryfornationaldefense,aswellasotherimportantnetworkfacilitiesandinformationsystemswhich,incaseofdestruction,lossoffunctionorleakofdata,mayresultinseriousdamagetonationalsecurity,thenationaleconomyandthepeople'slivelihoodandpublicinterests.根據(jù)該規(guī)定，關(guān)鍵信息基礎(chǔ)設施運營者的認定規(guī)則由各重要行業(yè)和領(lǐng)域的主管部門、監(jiān)管部門）制定，保護工作部門應及時將認定結(jié)果通知關(guān)鍵信息基礎(chǔ)設施運營者，并通報部門。Accordingtotheprovision,therulesforthedeterminationofCIIoperatorsshallbeformulatedbythecompetentauthoritiesandsupervisorydepartmentsofeachimportantindustryandfield("ProtectionWorkingDepartments"),andtheProtectionWorkingDepartmentsshallpromptlynotifytheCIIoperatorsoftheresultsofthedeterminationandnotifythepublicsecuritydepartmentoftheStateCouncil.因此，建議數(shù)據(jù)處理者及時關(guān)注保護工作部門的通知，來判斷自身是否構(gòu)成關(guān)鍵信息基礎(chǔ)設施運營者。Therefore,itisrecommendedthatdataprocessorspayattentiontothenotificationoftheProtectionWorkingDepartmentsfromtimetotimetodeterminewhethertheyconstituteaCIIoperator.Q6:如何界定100萬、10萬、1萬的數(shù)量規(guī)模？Howtodefinethequantitativescaleof1million,100thousand,and10thousand?A6:1100萬、101中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules20/55Theunitofcalculationforthequantitiesof1,000,000,100,000,and10,000inQ1aboveis"person",not"person-time(s)"or"numberofpieces".Ifthereisanydouble-countinginthestatisticsofthequantityscale,itshouldbeindicatedwhetheritisdeduplicatedornotandthebasisfordeduplication.同樣的，針對申報材料中的擬出境數(shù)據(jù)情況，基于《數(shù)據(jù)出境安全評估辦2及自然人數(shù)量，自然人數(shù)量應按人數(shù)計算，并標明是否去重及去重依據(jù)（如涉及。Similarly,withregardtotheintendedoutbounddatainthedeclarationmaterials,basedontherequirementsunderArticle14ofMeasuresfortheSecurityAssessmentofOutboundDataTransfers,whichstatesthat"theresultofsecurityassessmentforanoutbounddatatransferisvalidfortwoyears,commencingfromthedateonwhichtheresultoftheassessmentisissued",thescaleofthedatashallcorrespondinglybefilledinwiththescaleofthedatatobeexportedinthenexttwoyearsandthenumberofnaturalpersonsinvolved.Thenumberofnaturalpersonsshouldbecalculatedonthebasisofthenumberofpersons,andwhetherornotthedatahavebeendeduplicatedandthebasisfordeduplication(ifrelevant)shouldbeindicated.Q7:同一數(shù)據(jù)處理者存在多個出境場景需要申報時應如何處理？Whatshouldbedonewhentherearemultipleoutboundscenariostobedeclaredbythesamedataprocessor?A7:數(shù)據(jù)處理者應在申報材料中說明是否符合數(shù)據(jù)出境安全評估申報條件，并需明確闡述具體符合《數(shù)據(jù)出境安全評估辦法》第四條中的哪種情形（詳見上文1。針對適用累計數(shù)量條件（11101萬人敏感個人信息）明累計向境外提供的個人信息/敏感個人信息與本次申報出境數(shù)據(jù)的關(guān)系，以及對照《個人信息保護法》和《數(shù)據(jù)出境安全評估辦法》開展的整改情況（如涉及。Thedataprocessorshallstateinthedeclarationmaterialswhetheritmeetsthe中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice中國數(shù)據(jù)出境實務實操白皮書WhitePaperonChinaOutboundDataTransfersPractice國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules國際數(shù)據(jù)跨境規(guī)則系列SeriesonInternationalDataCross-BorderRulesRules2PAGE1/55declarationconditionsforsecurityassessmentforoutbounddatatransfers,andisrequiredtoclearlystatewhichsituationinArticle4oftheMeasuresfortheSecurityAssessmentofOutboundDataTransfersisspecificallymet(fordetails,pleaserefertoQ1oftheabove).Ifthecumulativequantityconditionapplies(i.e.,thecumulativeprovisionofpersonalinformationof100thousandpersonsorsensitivepersonalinformationof10thousandpersonsabroadsinceJanuary1ofthepreviousyear),itisnecessarytospecifyinthedeclarationmaterialstherelationshipbetweenthecumulativeprovisionofpersonalinformation/sensitivepersonalinformationtoabroadandthespecificdatatobesentabroadasdeclaredinthedeclarationbeingmadethisparticulartime,aswellasthestatusofthecorrectiveactionscarriedoutinaccordancewiththePersonalInformationProtectionLawofthePeople'sRepublicofChinaandtheMeasuresforSecurityAssessmentofOutboundDataTransfers(ifrelevant).如果數(shù)據(jù)處理者存在多個出境場景需要申報評估的，根據(jù)《浙江省數(shù)據(jù)出境安全評估申報工作問答（三（二原則上應合并申報，并在申報材料中對出境場景分別予以說明。Ifadataprocessorhasmultipleoutboundscenariostobedeclaredforassessment,accordingtothe"QuestionsandAnswersontheDeclarationofSecurityAssessmentforOutboundDataTransfersinZhejiangProvince(III)"andthe"FrequentlyAskedQuestionsontheDeclarationofSecurityAssessmentforOutboundDataTransfersinHainanProvince(II)",inprinciplethemultipleoutboundscenariosshouldbemergedanddeclaredtogetherandbeindividuallyexplainedinthedeclarationmaterials.Q8:什么情況應當重新進行數(shù)據(jù)出境安全評估？Whenshouldasecurityassessmentforoutbounddatatransfersbere-conducted?A8:數(shù)據(jù)出境安全評估結(jié)果并非一次性永久有效，有兩種情況需要重新評估。Theresultofthesecurityassessmentforoutbounddatatransfersisnotvalidpermanently.Therearetwoscenariosunderwhichareassessmentwouldberequired.2年（2年，自評估結(jié)果出具之日起計算；Expirationofitsvalidity:2yearsfromthedateofissuanceoftheresult(thevalidityoftheresultsofthesecurityassessmentforoutbounddatatransfersis2yearsfromthedateofissuance);安全評估結(jié)果依據(jù)的重點評估事項發(fā)生變化影響出境數(shù)據(jù)安全的，具體情形如下：Oneofthekeyvariablesintheprevioussecurityassessmenthaschangedandinreturnaffectedthesecurityofoutbounddata,specifically:向境外提供數(shù)據(jù)的目的、方式、范圍、種類和境外接收方處理數(shù)據(jù)的用途、方式發(fā)生變化影響出境數(shù)據(jù)安全的，或者延長個人信息和重要數(shù)據(jù)境外保存期限的；Changesinthepurpose,manner,scope,andtypeofdataprovidedabroadandintheuseandmannerofdataprocessingbyoverseasrecipients,affectingthesecurityofoutbounddata,ortheextensionoftheperiodforwhichpersonalinformationandimportantdataarekeptoutsideoftheterritory;境外接收方所在國家或者地區(qū)數(shù)據(jù)安全保護政策法規(guī)和網(wǎng)絡安全環(huán)境發(fā)生變化以及發(fā)生其他不可抗力情形、數(shù)據(jù)處理者或者境外接收方實際控制權(quán)發(fā)生變化、數(shù)據(jù)處理者與境外接收方法律文件變更等影響出境數(shù)據(jù)安全的；Changesindatasecurityprotectionpoliciesandregulationsandnetworksecurityenvironmentinthecountryorregionwheretheoverseasrecipientislocated,aswellasotherforcemajeurecircumstances,changesintheactualcontrolofthedataprocessororoverseasrecipient,andchangesinthelegaldocumentsbetweenthedataprocessorandtheoverseasrecipient,whichaffectthesecurityofoutbounddata;出現(xiàn)影響出境數(shù)據(jù)安全的其他情形。Othercircumstancesthataffectthesecurityofoutbounddata.有效期屆滿，需要繼續(xù)開展數(shù)據(jù)出境活動的，數(shù)據(jù)處理者應當在有效期屆60個工作日前重新申報評估。5Upontheexpirationofthevalidityperiod,ifthereisaneedtocontinuethedataoutboundtransferactivities,thedataprocessorshouldconductare-assessment60workingdaysbeforetheexpirydate.實操演練實操演練2PracticalExerciseQ：申報主體如何確定申報材料中需填寫的“擬出境數(shù)據(jù)情況”？Q:Howshouldthedeclaringentitydeterminethe"intendedoutbounddata"tobefilledinthedeclarationmaterials?A2來兩年的擬出境數(shù)據(jù)，包括數(shù)據(jù)規(guī)模和涉及自然人數(shù)量，自然人數(shù)量應按人數(shù)計算，并標注是否去重。A:Duetotheprovisionofthevalidityperiodoftwoyearsmentionedabove,theoutbounddatadeclaredbythedataprocessorshouldbetheintendedoutbounddataforthenexttwoyears,includingthescaleofdataandthenumberofnaturalpersonsinvolved,thenumberofnaturalpersonsshouldbecalculatedbasedonthenumberofpersons,anditshouldbeindicatedwhetheritisdeduplicatedornot.Q9:企業(yè)是否必須事先開展自評估工作？若需要，需要提前多久開展？自評估工作應當評估哪些方面？Isitnecessaryforcompaniestocarryouttheself-assessmentexerciseinadvance?Ifso,howfarinadvance?Whatshouldbeassessedintheself-assessment?A9:是的，符合條件的企業(yè)應當在申報數(shù)據(jù)出境安全評估前進行風險自評估，5《數(shù)據(jù)出境安全評估辦法》（國家互聯(lián)網(wǎng)信息辦公室，國家互聯(lián)網(wǎng)信息辦公室令第11號，2022.07.07發(fā)布，2022.09.01實施）第14條規(guī)定。Article14,MeasuresfortheSecurityAssessmentofOutboundDataTransfers(OrderNo.11oftheCyberspaceAdminis