
White Paper on Chinese Practice of Outbound Data Transfers: Operational Q&As + Practical Exercises

2024-01-30 - Duan & Duan Law Firm (段和段律师事务所)

Series on International Data Cross-Border Rules

White Paper on Chinese Practice of Outbound Data Transfers

Operational Q&As + Practical Exercises

January 2024

Preface

As one of the main countries in the flow of data elements, China has already established a comprehensive compliance regulatory mechanism for cross-border data flows. The three paths for outbound data transfers (security assessment, standard contract filing, and personal information protection certification) have all been formally implemented, and approved cases have emerged in various provinces and cities across industries such as biopharmaceuticals, automotive manufacturing, cross-border e-commerce, and corporate credit reporting.

At the same time, China is also actively formulating and promoting relevant "burden reduction" policies to further reduce compliance costs for enterprises. For example, the "Provisions on Regulating and Promoting Cross-border Flow of Data (Exposure Draft)", issued for comment on 28 September 2023, clearly lists the exemptions for outbound data transfers. Similarly, the "Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)", issued in December 2023, simplify the compliance requirements for the flow of personal information between the Mainland and Hong Kong.
Choosing the right path for export, determining who applies for data export, and figuring out how to achieve compliant data export are major challenges for most foreign-owned enterprises and multinational corporations. For this reason, we wrote this white paper, starting from the actual business scenarios of enterprises and combing through the core issues of concern to enterprises to form Operational Q&As and Practical Exercises. We hope this will help enterprises clarify the compliance path for outbound data transfers and achieve the orderly flow of data.

In addressing the choice of outbound data transfer paths, we take each of the three paths in turn as an axis, identifying and analyzing the issues that arise on each path one by one. We have summarized 30 operational questions along with 10 real cases, presented in a Q&A format supplemented by practical exercises. By analyzing and interpreting the regulations and policies, and by exploring common scenarios in outbound data transfers, we provide guidance for enterprises on choosing the right path and offer ways to handle outbound data transfers under strict regulation.

Contents

I. Pivot View of China's Outbound Data Transfer Paths

Under what circumstances must security assessment for outbound data transfers be conducted?

Practical Exercise 1

Q3: How to identify "important data"?

Q4: How to identify "sensitive personal information"?

Q5: Who is a "critical information infrastructure operator"?

Q6: How to define the quantitative scale of 1 million, 100 thousand, and 10 thousand?

Q7: What should be done when there are multiple outbound scenarios to be declared by the same data processor?

Q8: When should a security assessment for outbound data transfers be re-conducted?

Practical Exercise 2

Q9: Is it necessary for companies to carry out the self-assessment exercise in advance? If so, how far in advance? What should be assessed in the self-assessment?