Series on International Data Cross-Border Rules

White Paper on Chinese Practice of Outbound Data Transfers
Operational Q&As + Practical Exercises

January 2024

Preface

As one of the main countries in the flow of data elements, China has already established a comprehensive compliance regulatory mechanism for cross-border data flows. Three paths for outbound data transfers (security assessment, standard contract filing, and personal information protection certification) have all been formally implemented, with approved cases reported in successive provinces and cities across industries such as biopharmaceuticals, automotive manufacturing, cross-border e-commerce, and corporate credit reporting.

At the same time, China is also actively formulating and promoting relevant “burden reduction” policies to further reduce compliance costs for enterprises. For example, the Provisions on Regulating and Promoting Cross-border Flow of Data (Exposure Draft), issued on 28 September 2023, clearly lists the exemptions for outbound data transfers. Similarly, the “Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”, issued in December 2023, simplifies the compliance requirements for the flow of personal information between the Mainland and Hong Kong.

Choosing the right path for export, determining who applies for data export, and figuring out how to achieve compliant data export are major challenges for most foreign-owned enterprises and multinational corporations. For this reason, we wrote this white paper, starting from the actual business scenarios of enterprises and working through the core issues that concern enterprises to form the Operational Q&As and Practical Exercises. We hope this will help enterprises to clarify the compliance path of outbound data transfer and achieve the orderly flow of data.

Faced with the choice of outbound data transfer paths, we take each of the three paths as an axis, identifying and analyzing the issues that arise on each path one by one. We have summarized 30 operational questions along with 10 real cases, presented in a Q&A format supplemented by practical exercises. By analyzing and interpreting the regulations and policies, and by exploring common scenarios in outbound data transfers, we provide guidance for enterprises on choosing the right path and offer ways to handle outbound data transfers under strict regulation.

Contents

I. Pivot View of China's Outbound Data Transfer Paths
(I) Origins of Paths
(II) Path Selection
(III) Path Exemptions (if any)

II. Q&A on Chinese Practices of Outbound Data Transfers

(I) 10 Questions on Security Assessment for Outbound Data Transfers
Q1: Under what circumstances must security assessment for outbound data transfers be conducted?
Q2: What constitutes an act of outbound data transfer?
Practical Exercise 1
Q3: How to identify “important data”?
Q4: How to identify “sensitive personal information”?
Q5: Who is a “critical information infrastructure operator”?
Q6: How to define the quantitative scale of 1 million, 100 thousand, and 10 thousand?
Q7: What should be done when there are multiple outbound scenarios to be declared by the same data processor?
Q8: When should a security assessment for outbound data transfers be re-conducted?
Practical Exercise 2
Q9: Is it necessary for companies to carry out the self-assessment exercise in advance? If so, how far in advance? What should be assessed in the self-assessment?
Practical Exercise 3
Q10: How long does the security assessment filing process of outbound data transfers take?

(II) 15 Questions on the Filing of the SC for Outbound Transfer of Personal Information (“SC Filing”)
Q11: What is the scope of application of a SC?
Q12: Who are parties to a SC?
Practical Exercise 4
Q13: The provision refers to “independent contracting”; does this mean that companies can skip the filing process?
Q14: Can the same set of SC be used for multiple outbound data transfers?
Practical Exercise 5
Q15: Can related parties consolidate their filings?
Practical Exercise 6
Q16: Can the terms of a SC be modified?
Q17: If a SC under the GDPR has been signed, do I need to sign a SC that conforms with the Chinese laws?
Q18: Can a PIP submit a non-Chinese version of a SC?
Q19: How long is a filing of SC valid for?
Q20: Under what circumstances will it be necessary to re-file?
Practical Exercise 7
Q21: Can a trustee enter into a SC?
Practical Exercise 8
Q22: Is PIA special under the SC Filing path?
Q23: What is the outcome of a SC Filing?
Q24: Are outbound transfers of personal information during the grace period legal?
Q25: In the event that modification is not completed within the grace period, would the outbound data transfer be illegal? Is there any legal consequence for such a failure?
Practical Exercise 9

(III) 5 Questions on Security Certification for Cross-border Processing Activities of Personal Information (“PIPC”)
Q26: When can I choose the PIPC?
Q27: Is PIPC an alternative option to SC Filing?
Practical Exercise 10
Q28: Is it necessary to designate a person to be in charge of personal information protection and establish a personal information protection organization under the PIPC path?
Q29: How is PIPC conducted?
Q30: What is the validity period of the PIPC?

Annex I: Index of Q&As and Practical Exercises
Annex II: List of Major Laws and Regulations

Overview

I. Pivot View of China's Outbound Data Transfer Paths

(I) Origins of Paths

The cross-border flow of data is an inevitable part of the globalized digital economy, and data sovereignty, data security, and personal information protection are likewise matters of consensus among regulators worldwide.

China's current laws provide three paths for outbound data transfers, namely: security assessment for outbound data transfers, the filing of the Standard Contract for outbound transfer of personal information (or “SC Filing”), and security certification for cross-border processing activities of personal information (or Personal Information Protection Certification, PIPC). All three are derived from Article 38, Paragraph 1 of the Personal Information Protection Law, which provides that where a PIP genuinely needs to provide personal information outside the territory of the People's Republic of China due to business or other needs, it shall meet any of the following conditions:
(I) to have passed the security assessment organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 thereof;
(II) to have obtained a Personal Information Protection Certification issued by a specialized agency in accordance with the regulations of the Cyberspace Administration of China;
(III) to have entered into a contract with an overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; or
(IV) to meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China.

(II) Path Selection

Note: In particular, for PI processors and recipients registered in the Mainland part of the Guangdong-Hong Kong-Macao Greater Bay Area/Hong Kong SAR, for cross-border flow of personal data between the Mainland part of the Guangdong-Hong Kong-Macao Greater Bay Area and the Hong Kong SAR that does not contain important data, the option of filing of standard contract is available.

(III) Path Exemptions (if any)

Meanwhile, in order to further reduce the compliance cost of enterprises in cross-border data transfer, the Cyberspace Administration of China issued the Provisions on Regulating and Promoting Cross-border Flow of Data (Exposure Draft) (the “Exposure Draft”) on 28 September 2023, with the intention of reducing the burden of cross-border flow of data elements. The Exposure Draft clarifies the following two main points:

1. 【Exemptions】 Under any of the following circumstances, it is not required to apply for security assessment for outbound data transfers, the SC Filing, and PIPC:
outbound transfers of data arising from international trade, academic cooperation, cross-border production and manufacturing, marketing and other activities, where the data does not contain personal information or important data;
providing personal information not collected in China to locations outside China;
where the personal information must be provided abroad, as it is necessary for the conclusion and performance of a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, air tickets and hotel booking, visa processing, etc.;
where it is necessary to provide abroad the personal information of internal employees for human resources management in accordance with the labor regulations and rules formulated in accordance with the law and collective contracts concluded in accordance with the law;
where personal information has to be provided overseas to protect the life, health, and property safety of natural persons in an emergency; and
where the PIP is expected to provide personal information of less than 10,000 individuals to locations outside China within one year.

2. 【Encouraging Innovative Pilots】 Pilot free trade zones may, on their own, formulate lists of data that need to be included in the scope of administration of security assessment for outbound data transfers, the standard contract for outbound transfer of personal information, and personal information protection certification (hereinafter the “negative list”). For outbound transfers of data not on the negative list, it is not required to apply for security assessment for outbound data transfers, conclude a standard contract for outbound transfer of personal information, or obtain personal information protection certification.