数据安全管理办法
(征求意见稿)
Measures for Data Security Management
(Draft for Comments)
第一章总则
Chapter I General Provisions
第一条为了维护国家安全、社会公共利益,保护公民、法人和其他组织在网络空间的合法权益,保障个人信息和重要数据安全,根据《中华人民共和国网络安全法》等法律法规,制定本办法。
Article 1 The Measures are developed in accordance with the Cybersecurity Law of the People's Republic of China and other laws and regulations for the purpose of safeguarding national security and public interest, and protecting the lawful rights and interests of citizens, legal persons and other organizations in cyberspace.
第二条在中华人民共和国境内利用网络开展数据收集、存储、传输、处理、使用等活动(以下简称数据活动),以及数据安全的保护和监督管理,适用本办法。纯粹家庭和个人事务除外。
法律、行政法规另有规定的,从其规定。
Article 2 This Law shall apply to the collection, storage, transmission, processing and use of data (hereinafter referred to as “data activities”) as well as the protection, supervision and administration of cybersecurity within the territory of the People's Republic of China, except for pure domestic and personal matters.
In case of inconformity with the provisions of the laws and regulations, the latter shall prevail.
第三条国家坚持保障数据安全与发展并重,鼓励研发数据安全保护技术,积极推进数据资源开发利用,保障数据依法有序自由流动。
Article 3 The state shall lay equal stress on data security protection and development, encourage the research and development of data security protection technologies, promote the development and use of data resources, and guarantee the orderly and free flow of data in accordance with the law.
第四条国家采取措施,监测、防御、处置来源于中华人民共和国境内外的数据安全风险和威胁,保护数据免受泄露、窃取、篡改、毁损、非法使用等,依法惩治危害数据安全的违法犯罪活动。
Article 4 The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People's Republic of China, protect data from being divulged, stolen, falsified or illegally used, and punish illegal and criminal activities relating to data security in accordance with the law.
第五条在中央网络安全和信息化委员会领导下,国家网信部门统筹协调、指导监督个人信息和重要数据安全保护工作。
地(市)及以上网信部门依据职责指导监督本行政区内个人信息和重要数据安全保护工作。
Article 5 Under the leadership of the Central Cyberspace Affairs Commission, the state cyberspace administration organs shall be responsible for the overall planning, coordination, direction and supervision of protecting personal information and important data.
Cyberspace administrations at the municipal level or above shall direct and supervise the protection of personal information and important data within their respective administrative areas.
第六条网络运营者应当按照有关法律、行政法规的规定,参照国家网络安全标准,履行数据安全保护义务,建立数据安全管理责任和评价考核制度,制定数据安全计划,实施数据安全技术防护,开展数据安全风险评估,制定网络安全事件应急预案,及时处置安全事件,组织数据安全教育、培训。
Article 6 Network operators shall perform data security protection obligations in accordance with relevant laws and administrative regulations and by reference to national cybersecurity standards, establish the accountability of data security management and evaluation systems, formulate data security plans, implement data protection technical measures, carry out data security risk assessments, develop emergency response plans, timely deal with security incidents and organize data security education and training.
第二章数据收集
Chapter II Data Collection
第七条网络运营者通过网站、应用程序等产品收集使用个人信息,应当分别制定并公开收集使用规则。收集使用规则可以包含在网站、应用程序等产品的隐私政策中,也可以其他形式提供给用户。
Article 7 Network operators shall, when collecting and using personal information through websites, applications and other products, develop and disclose the rules for collection and use separately. The rules for collection and use may be included in the privacy policy of websites, applications and other products, or may be made available to users in other forms.
第八条收集使用规则应当明确具体、简单通俗、易于访问,突出以下内容:
(一)网络运营者基本信息;
(二)网络运营者主要负责人、数据安全责任人的姓名及联系方式;
(三)收集使用个人信息的目的、种类、数量、频度、方式、范围等;
(四)个人信息保存地点、期限及到期后的处理方式;
(五)向他人提供个人信息的规则,如果向他人提供的;
(六)个人信息安全保护策略等相关信息;
(七)个人信息主体撤销同意,以及查询、更正、删除个人信息的途径和方法;
(八)投诉、举报渠道和方法等;
(九)法律、行政法规规定的其他内容。
Article 8 The rules for collection and use shall be specific, easy to understand and access and shall highlight the following information:
(1)General information about the network operator;
(2)The name and contact information of the network operator’s main responsible person as well as the person responsible for the data security;
(3)The purposes, types, volume, frequency, methods, scope of the personal information to be collected and used;
(4)The place of storage, retention period and what the network operator will do with personal data after the retention period expires;
(5)The rules to be followed when providing personal information to others (if the information will be provided to others);
(6)How the network operator protects the security of personal information and other relevant information;
(7)The ways and methods for the data subject to withdraw consent, and to access, correct and delete personal information;
(8)Channels and methods for making complaints and reports;
(9)Other information as prescribed by the laws and regulations.
第九条如果收集使用规则包含在隐私政策中,应相对集中,明显提示,以方便阅读。另仅当用户知悉收集使用规则并明确同意后,网络运营者方可收集个人信息。
Article 9 The rules for collection and use shall, if included in the privacy policy, be relatively concentrated and presented in an obvious way to facilitate reading. The network operator may collect personal information only after the user has acknowledged the rules for collection and use of personal data and provided express consent.
第十条网络运营者应当严格遵守收集使用规则,网站、应用程序收集或使用个人信息的功能设计应同隐私政策保持一致,同步调整。
Article 10 Network operators shall strictly comply with the rules of collection and use. The functionality of the network operator’s websites and mobile applications to collect or use personal information shall be designed in accordance with the privacy policy, and it should be adjusted to be consistent with the privacy policy.
第十一条网络运营者不得以改善服务质量、提升用户体验、定向推送信息、研发新产品等为由,以默认授权、功能捆绑等形式强迫、误导个人信息主体同意其收集个人信息。
个人信息主体同意收集保证网络产品核心业务功能运行的个人信息后,网络运营者应当向个人信息主体提供核心业务功能服务,不得因个人信息主体拒绝或者撤销同意收集上述信息以外的其他信息,而拒绝提供核心业务功能服务。
Article 11 Network operators shall not, through authorization by default, bundling functions or other means, force or mislead data subjects to consent to the collection of personal information on the grounds of improving service quality, user experience, targeted push information or research and development of new products.
After the data subject has provided consent to the collection of personal information that enables the operation of the core functions of network products, network operators shall provide core service functions to the data subject, and shall not cease the provision of such core functions on the ground that the data subject refuses to provide consent or withdraws consent to the collection of personal information.
第十二条收集14周岁以下未成年人个人信息的,应当征得其监护人同意。
Article 12 When collecting personal information of minors under the age of 14 years, consent from the guardians is required.
第十三条网络运营者不得依据个人信息主体是否授权收集个人信息及授权范围,对个人信息主体采取歧视行为,包括服务质量、价格差异等。
Article 13 Network operators shall not take discriminatory actions, such as implementing different service quality and price, against data subjects based on whether the data subjects have authorized the collection of personal information and the scope of such authorizations.
第十四条网络运营者从其他途径获得个人信息,与直接收集个人信息负有同等的保护责任和义务。
Article 14 Network operators shall have the same responsibilities and obligations to protect personal information obtained from third party sources.
第十五条网络运营者以经营为目的收集重要数据或个人敏感信息的,应向所在地网信部门备案。备案内容包括收集使用规则,收集使用的目的、规模、方式、范围、类型、期限等,不包括数据内容本身。
Article 15 When network operators collect important data or sensitive personal information for the purposes of business operations, such network operators shall make a filing with the local cybersecurity administration. The filing shall include the rules for collection and use of such data, the purpose, volume, method, scope, type, retention period of the data, excluding the content of data itself.
第十六条网络运营者采取自动化手段访问收集网站数据,不得妨碍网站正常运行;此类行为严重影响网站运行,如自动化访问收集流量超过网站日均流量三分之一,网站要求停止自动化访问收集时,应当停止。
Article 16 Network operators shall not, when using automatic means to access or collect website data, interfere with the normal operation of their websites. If such acts seriously affect the operation of websites (e.g., if the traffic of automatic visits or data collection exceeds one-third of the average traffic of the website) and the website requests the network operator to cease such automatic access and collection, the network operator shall cease such practice.
第十七条网络运营者以经营为目的收集重要数据或个人敏感信息的,应当明确数据安全责任人。
数据安全责任人由具有相关管理工作经历和数据安全专业知识的人员担任,参与有关数据活动的重要决策,直接向网络运营者的主要负责人报告工作。
Article 17 Network operators shall, when collecting important data or personal sensitive information for the purpose of business operations, specify the person responsible for data security.
The person responsible for the data security shall be selected from among personnel who have relevant management work experience and professional knowledge on data protection, participate in important decisions of relevant data activities, and report work directly to the main responsible person of the network operators.
第十八条数据安全责任人履行下列职责:
(一)组织制定数据保护计划并督促落实;
(二)组织开展数据安全风险评估,督促整改安全隐患;
(三)按要求向有关部门和网信部门报告数据安全保护和事件处置情况;
(四)受理并处理用户投诉和举报。
网络运营者应为数据安全责任人提供必要的资源,保障其独立履行职责。
Article 18 The person responsible for data security shall perform the following responsibilities and obligations:
(1)Organize the formulation of data protection plans and manage implementation;