Where data processors provide data overseas, in any of the following circumstances, they shall declare a data export security assessment to the national network information department through the provincial-level internet information department where they are located:
- Data processors provide important data abroad;
- Critical information infrastructure operators, and data processors that handle the personal information of more than 1 million people, provide personal information overseas;
- Data processors that have provided the personal information of 100,000 people, or the sensitive personal information of 10,000 people, abroad since January 1 of the previous year provide personal information overseas.
Before declaring a data export security assessment, the data processor shall carry out a self-assessment of the data export risk, focusing on the following matters:
- The legality, legitimacy and necessity of the purpose, scope, and method of the data export and of the overseas recipient's data processing;
- The scale, scope, type, and sensitivity of outbound data, and the risks that data export may bring to national security, public interests, and the lawful rights and interests of individuals or organizations;
- Whether the responsibilities and obligations undertaken by the overseas recipient, as well as its management and technical measures and its capability to perform those responsibilities and obligations, can ensure the security of outbound data;
- The risk that data will be tampered with, destroyed, leaked, lost, transferred, or illegally acquired or used during or after export, and whether the channels for safeguarding personal information rights and interests are unobstructed;
- Whether the data security protection responsibilities and obligations are sufficiently stipulated in the data export-related contracts or other legally binding documents (hereinafter collectively referred to as the legal documents) concluded with the overseas recipient.
Data export security assessment focuses on assessing the risks that data export activities may bring to national security, public interests, and the lawful rights and interests of individuals or organizations, mainly including the following matters:
- The legality, legitimacy and necessity of the purpose, scope, and method of data export;
- The impact that the data security protection policies and regulations and the network security environment of the country or region where the overseas recipient is located have on the security of outbound data;
- Whether the level of data protection of the overseas recipient meets the requirements of the laws and administrative regulations of the People's Republic of China and mandatory national standards;
- The scale, scope, type and sensitivity of outbound data, and the risk of it being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during or after export.
Where, in the course of a security assessment, it is found that the declaration materials submitted by the data processor do not meet the requirements, the State Internet Information Department may request that the data processor supplement or correct them. Where data processors do not supplement or correct them without a legitimate reason, the state network information departments may terminate the security assessment.
Mike Chang
Partner
mikechang@shanghaiinnvest.com