Practical Issues in Data Cross-border Security Assessment
2023-01-20 10:39:58
Should we file?
  Understanding "cross-border transfer"
    From the perspective of the data itself
      Does the data originate within China?
        Data that entered from overseas and is transferred back out after reprocessing
          Transferred out without domestic processing
            Personal information and important data that were not collected or generated in domestic operations, and that transit through China without any change or processing, do not constitute a cross-border data transfer.
          Transferred out after domestic processing
            Personal information and important data that were not collected or generated in domestic operations, and that are stored and processed in China before being transferred out, do not constitute a cross-border data transfer, provided they do not involve personal information or important data collected or generated in domestic operations.
      Is the transferred data "readable"?
    From the perspective of the parties
      Is there a domestic transferring party?
        An overseas entity directly collects personal information within China
          This is covered in the data security risk assessment form.
      Is there an overseas recipient?
        Overseas mail server
        Who is the overseas recipient?
          A privacy impact assessment has been done for e-mail.
        Overseas cloud drive
          A privacy impact assessment has been done for Google Drive.
        Overseas systems
          A data security risk assessment has been done for the 263 apps + Concur + Workday's my-learning module.
  Is localized data storage required?
    Interpreting the localization obligation
      Is the localization threshold the same as the threshold in the Measures for Security Assessment of Data Cross-border Transfer?
        Article 40 of the Personal Information Protection Law: "Personal information processors whose processing of personal information reaches the quantity prescribed by the national cyberspace administration shall store personal information collected and generated within the territory of the People's Republic of China domestically. Where it is genuinely necessary to provide it overseas, it shall pass the security assessment organized by the national cyberspace administration."
        Article 4 of the Measures for Security Assessment of Data Cross-border Transfer: "Where a data processor provides data overseas and any of the following circumstances applies, it shall apply for a data cross-border security assessment to the national cyberspace administration through the provincial cyberspace administration of its locality."
      What counts as localization?
        "Localized storage" is not the same as "localization"
          "Localized storage"
            Once the threshold is reached, the data must first be stored in China, whether or not it is transferred abroad
          "Localization"
            "Localization" means no data leaves the country at all
            "Localization" means adjusting the entire business and IT architecture
    Localization or security assessment?
      Necessity analysis of the cross-border transfer
      Economic costs
        Adjusting the IT architecture (e.g. where the order/transaction server was originally located within China)
        Adjusting the business model (data analysis and data processing must be migrated to China)
      Compliance costs
        Cost of investigation and rectification before preparing for the cross-border assessment
        Third-party agency fees during the cross-border security assessment
        Cost of subsequent re-assessments
      Risk of failing the security assessment
  How to determine whether the threshold quantity has been reached
    Distinguish scenarios
      Standard scenarios
        Information systems
          263 apps + Concur + Workday
        Databases
      "Non-standard" scenarios
        E-mail
          Google applications
        Remote access
          Internal access from the EU
        Overseas cloud drive
          Google applications
        Overseas backup
          The backup policy should be made clearer
    Deduplicate
      Applies to enterprises whose count is close to the threshold
        Currently this point only relates to personal information; the number of data subjects is under 3000 across all of China
      Design the counting method before counting, so that double counting is avoided
        Through the unified account identity authentication center
    Continuous monitoring
      The counting period runs from 1 January of the previous year to the counting date
      If the counting date is not year-end, consider whether the threshold will be reached later in the current year
  Can data be distributed among affiliated entities to avoid filing?
    Definition of "data processor": an individual or organization that independently determines the purpose and means of processing in a data processing activity
      An organization is not necessarily a single legal person or unincorporated entity
    Division may be by cross-border transfer scenario
      Cross-border scenarios may not map one-to-one to individual corporate entities
        For group enterprises, ACEMS can conduct the self-assessment on their behalf
      One cross-border scenario may include multiple affiliated entities
        The 263 systems have already listed which entities are in use
      One affiliated entity may also correspond to multiple cross-border scenarios
    Distributing data among affiliated entities may not avoid the filing obligation
      It should be determined whether the affiliated entity has received a notice from the superior regulatory authority; at present it appears it has not received a notice for data cross-border self-assessment
  If the domestic transferring party is an entrusted party, must it file?
    An overseas institution directly entrusts a domestic entity to collect personal information within China and provide it to the overseas institution
      Legal principle
        The party obligated to undergo the security assessment is the "data processor", not the entrusted party
        In theory, the Personal Information Protection Law should apply directly to the overseas institution in this situation
      Practice
        The scope of "certification" is unclear, and it does not apply where the threshold has been reached
        Applying the Personal Information Protection Law directly to overseas entities is genuinely difficult
        Regulators' interpretation of "data processor" and "entrusted party" may differ from the enterprise's
    The entrusted party may also have to undergo a security assessment; it is advisable to prepare for it
When to file
  How an enterprise determines when to submit its application to the CAC
    The law took effect on 22.9.1 (1 September 2022), but there is a grace period
    "Static scenario" (i.e. the 1 million threshold has been reached, or it is a one-off transfer, or the transfer volume will not change in future)
      Submit as early as possible
    "Dynamic scenario" (i.e. the transfer volume keeps changing or accumulating but has not yet reached the threshold)
      Would early January 2023 be a good time?
  How the grace period applies
    Grace period
      1 September 2022 to 28 February 2023
    Key terms
      "Already carried out before implementation"
        Divide by scenario
          Ended before implementation
            No assessment required
          Transfer activity continues into the grace period
            Transfers may continue during the grace period, but the assessment should be completed within it
          Newly started after implementation
            In theory, may proceed only after the security assessment has been carried out
      "Completed rectification"
        Localization completed
        The cross-border transfer has passed the security assessment
How to file
  Determining the scope of personal information
    Sensitive personal information
      Lower threshold
      Pay attention to identification
        The definition differs from that of the GDPR
        Under the GDPR, special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data and biometric data processed to identify a specific individual; health data; and data concerning a natural person's sex life or sexual orientation
    De-identified and anonymized personal information
      Cross-border transfer of de-identified personal information still requires a security assessment
      Data protection measures such as de-identification help in passing the security assessment
        At present, it is not clear what the specific European approach is
  How to handle important data at this stage
    Specific rules for important data in most industries are still unclear
      At present, industry standards and national standards do not state this clearly. The superior regulator's view is that the enterprise itself identifies important data according to the relevant standards.
    Important data can be provisionally identified based on national standards, drafts and similar documents
    After the rectification period, transfer abroad with caution
  For group enterprises, which entity files, and where?
    Divide by cross-border transfer scenario
      Identify the affiliated entities involved in each cross-border scenario and determine the "core entity" among them
      For that scenario, submit the filing to the provincial CAC office where the "core entity" is located
  What "legal documents" can be signed with the overseas recipient?
    Data cross-border transfer contract
      Pending
    A unilateral undertaking?
    The recipient's policies and procedures?
      Collection has been completed
      Supplementary documents for the China local entity have been completed in Chinese
