深圳经济特区数据条例
Regulations of Shenzhen Special Economic Zone On Data
(Adopted at the 2nd Session of the Standing Committee of the 7th People’s Congress of Shenzhen Municipality on June 29, 2021)
Chapter One General Provisions
Article 1 In order to regulate data processing activities, protect the legitimate rights and interests of natural persons, legal persons and unincorporated organizations, promote the opening, free flow, development and utilization of data as a factor of production, and accelerate the building of the digital economy, digital society and digital government, these Regulations are formulated in line with the basic principles of relevant laws and administrative regulations and in light of the realities of Shenzhen Special Economic Zone.
Article 2 For the purposes of these Regulations, the following terms are defined as follows:
1. Data refer to any record of information by electronic or other means.
2. Personal data refer to data that reveal information of specific identifiable natural persons, excluding information that has been anonymized.
3. Sensitive personal data refer to the personal data that can lead to discrimination against natural persons or serious harm to personal or property safety once leaked, illegally provided or abused. The scope of sensitive data shall be determined in accordance with the provisions of laws and administrative regulations.
4. Biometric data refer to the personal data that may identify the unique identity of natural person obtained by processing the physical, physiological, behavioral and other biological characteristics of the natural person, including genes, fingerprints, voice prints, palm prints, pinnae, irises and facial recognition features, etc.
5. Public data refer to the data generated and processed by public administration and service agencies in the process of performing public administration duties or providing public services in accordance with the law.
6. Data processing refers to the collection, storage, usage, processing, transmission, provision, opening and other activities of the data.
7. Anonymization refers to the irrecoverable process in which the personal data are processed so that the identification of specific natural persons is not possible.
8. User portrait refers to the activities of automated processing of personal data for the purpose of assessing certain conditions of natural persons, including automated processing for the purpose of assessing the natural person’s job performance, economic status, health status, personal preferences, hobbies, reliability, behavior patterns, location, whereabouts, etc.
9. Public administration and service agencies refer to the municipality’s state agencies, public institutions and other organizations administrating public affairs in accordance with the law, as well as organizations that provide education, health, social welfare, water supply, electricity supply, gas supply, environmental protection, public transportation and other public services.
Article 3 Natural person shall enjoy the personality rights and interests over personal data as provided by laws, administrative regulations and these Regulations.
Processing of personal data shall have clear and reasonable purposes and follow the principles of minimization, necessity and reasonable period.
Article 4 Natural persons, legal persons and unincorporated organizations shall enjoy the property rights and interests over data products and services formed by lawful data processing as provided by laws, administrative regulations and these Regulations. However, national security and public interests shall not be endangered, and the legitimate rights and interests of other people shall not be harmed.
Article 5 Processing of public data shall follow the principles of lawful collection, integrated management, sharing on demand, orderly opening and full utilization, to fully leverage the positive role of public data resources in improving public administration and service, enhancing urban governance modernization, and promoting economic and social development.
Article 6 The municipal people’s government shall establish and improve a data governance mechanism and standard system, and take coordinated steps to promote personal data protection, public data sharing and opening, data factor market cultivation and data security supervision and administration.
Article 7 The municipal people’s government shall establish a municipal data working committee in charge of major issues in the research and coordination of data administration in Shenzhen. The daily work of the municipal data working committee shall be undertaken by the municipal government services and data administration department.
The municipal data working committee may set up a number of specialized committees.
Article 8 The municipal cyberspace department shall be responsible for the coordination of supervision and administration of personal data protection, network data security, cross-border data flow and other issues in Shenzhen.
The municipal government services and data administration department shall be responsible for the coordination, guidance and supervision of public data administration in Shenzhen.
The municipal development and reform, industry and information technology, public security, finance, human resources and social security, planning and natural resources, market supervision, audit, national security departments and other departments shall perform data supervision and administration functions within their respective areas of responsibility in accordance with relevant laws and regulations.
Competent industrial authorities shall be responsible for the coordination, guidance and supervision of data administration in each industry.
Chapter Two Personal Data
Section One General Principles
Article 9 Processing of personal data shall fully respect and protect a natural person’s legitimate rights and interests over personal data.
Article 10 Processing of personal data shall meet the following requirements:
1. Personal information processing shall haves clear and reasonable purposes and follow a lawful and legitimate manner.
2. Processing of personal data shall be limited to the minimum scope necessary for achieving the processing purpose and in a manner that has the minimum impact on the rights and interests of individuals. Processing of personal data unrelated to the processing purpose is prohibited.
3. Individuals shall be informed of the type, scope, purpose and manner of data processing, and individuals’ consent shall be obtained in accordance with the law.
4. The accuracy and necessary integrity of personal data shall be guaranteed to avoid damage to the rights and interests of individuals due to inaccuracy or incompleteness of the personal data.
5. The security of personal data shall be ensured to prevent leakage, destruction, loss, tampering or illegal use of personal data.
Article 11 The minimum scope necessary for achieving the processing purpose and the manner with the minimum impact on the rights and interests of individuals as referred to in Paragraph 2 of Article 10 of these Regulations include, but are not limited to the following circumstances:
1. The type and scope of personal data to be processed shall be directly related to the processing purpose, and the processing purpose cannot be achieved without processing the personal data.
2. The amount of personal data to be processed shall be the minimum amount necessary in order to achieve the processing purpose;
3. The frequency of personal data processing shall be the minimum frequency necessary in order to achieve the processing purpose;
4. The storage period of personal data shall be the shortest time necessary in order to achieve the processing purpose. Where the storage period has expired, personal data shall be deleted or anonymized, except as otherwise provided by laws and regulations, or with the consent of the natural person;
5. A minimum authorized access control policy shall be established, so that the personnel authorized to access personal data shall have access to only the minimum amount of personal data necessary in order to perform their duties and have only the minimum data processing privileges necessary in order to perform their duties.
Article 12 Data processors shall not refuse to provide natural persons with core functions or services on the grounds that the natural persons do not consent to personal data processing, except where the personal data are necessary for the provision of the relevant core functions or services.
Article 13 The municipal cyberspace department shall work with the municipal industry and information technology, public security, market supervision departments and other departments and competent industrial authorities, to establish and improve a joint working mechanism for the supervision and administration of personal data protection, to strengthen coordination in and guidance on personal data protection and related supervision and administration. A mechanism for handling complaints and reports over personal data protection shall be established to deal with complaints and reports in accordance with the law.
Section Two Notice and Consent
Article 14 Natural person shall be notified of the following matters in a manner that is easily understandable, clear, specific and easily accessible in advance to processing of personal data:
1. Name and contact information of the data processor;
2. Types and scope of personal data to be processed;
3. Purposes and methods of the processing of personal data;
4. Storage period of personal data;
5. Potential security risks associated with the processing of personal data and the security measures taken to protect the personal data;
6. Relevant rights of the natural person in accordance with the law and the way to exercise those rights;
7. Other matters that should be notified as provided by laws and regulations.
Where sensitive personal data are processed, the necessity of processing sensitive personal data and the potential impact on the natural persons shall be informed in accordance with the provisions of the preceding paragraph in the form of a more conspicuous mark or highlight.
Article 15 Where it is impossible to notify natural person in advance in accordance with the provisions of Article 14 of these Regulations in an emergency in order to protect the major legitimate rights and interests, such as the personal and property safety of the natural person, the natural person shall be notified in a timely manner after the emergency is eliminated.
of these Regulations shall not apply if the processing of personal data shall be kept confidential or where notification shall be exempted, in each case, as provided by relevant laws and administrative regulations.
Article 16 Before processing personal data, data processors shall obtain the consent of the natural persons, and shall process personal data within the scope of the natural persons’ consent obtained, except as otherwise provided by laws, administrative regulations and these Regulations
Where the matters for which consent should be obtained in the preceding paragraph have changed, consent shall be obtained again.
Article 17 Data processors shall not obtain the consent of natural persons by misleading, deceiving or coercing them, or by other means against their true will.
Article 18 Where sensitive personal data are processed, express consent of the natural persons shall be obtained prior to processing.
Article 19 Where biometric data are processed, express consent of the natural persons shall be obtained; at the same time, the processors shall provide alternative ways of processing other non-biometric data, except where processing of biometric data are necessary for the intended purpose and the biometric data cannot be replaced by other personal data.
Where biometric data are processed for specific purposes, the biometric data shall not be used for other purposes without the express consent of the natural persons.
The specific administration measures for biometric data shall be formulated separately by the municipal people’s government.
Article 20 Processing of personal data of minors under the age of fourteen shall be carried out in accordance with the relevant provisions on the processing of sensitive personal data, and the express consent of their guardians shall be obtained before processing. When personal data of adults with no capacity for civil conduct or with limited capacity for civil conduct are processed, the express consent of their guardians shall be obtained before processing.
Article 21 If the processing of personal data fall under any of the following circumstances, the consent of the natural person may not be obtained before processing:
1. The personal data have been disclosed by the natural persons themselves or disclosed lawfully, and are in line with the purpose for which the personal data were disclosed;
2. The processing is necessary for the conclusion or performance of a contract to which the natural person is a contracting party;
3. The processing of employees’ personal data within a reasonable scope is necessary for data processors to manage human resources or protect business secrets;
4. The processing is necessary for public administration and service agencies to perform public administration duties or provide public services in accordance with the law;
5. The processing is necessary for news units to report news in accordance with the law;
6. Other circumstances stipulated by laws and administrative regulations.
Article 22 Natural persons shall have the right to withdraw consent to the processing of some or all of their personal data.
Where natural persons withdraw their consent, the data processors shall not continue to process the natural persons’ personal data within the scope of their withdrawals. However, this does not affect the lawful processing of data by the data processors based on the consent prior to the withdrawals. Where laws and regulations provide otherwise, such provisions shall prevail..
Article 23 Means with easy access shall be adopted for natural persons to withdraw their consent to the processing of their personal data, and such withdrawals of consent shall not attach unreasonable conditions or be unreasonably restricted by service agreements or technology and other means.
Section Three Processing of Personal Data
Article 24 Where the personal data are incorrect or incomplete, processors shall correct or supplement the personal data in a timely manner upon the request of the natural persons.
Article 25 Under any of the following circumstances, data processors shall delete the natural persons’ personal data in a timely manner:
1. The storage period provided by laws and regulations or agreed upon has expired;
2. The processing purpose has been achieved, or the processing of personal data is no longer necessary to achieve the processing purpose;
3. The natural persons withdraw their consent and request to delete their personal data;
4. The data processors process data in violation of laws, regulations or agreements reached between the two parties, and the natural persons request to delete their data;
5. Other circumstances stipulated by laws and regulations.
If otherwise provided by laws and regulations or with the consent of the natural persons, data processors may retain the relevant personal data under the circumstances specified in Item 1 and Item 2 of the preceding paragraph.
Where data processor delete personal data in accordance with Paragraph 1 of this article, it may retain evidence of notice and consent, but shall not exceed the limits necessary for the performance of its legal obligations or for handling disputes.
Article 26 When data processors provide processed personal data to others, the data processors shall remove identifying information so that the personal data provided to others cannot be used to identify specific natural persons without the aid of other data. Where laws and regulations provide or the natural persons and data processors agree that the personal data shall be anonymized, the data processors shall anonymize the data in accordance with the laws, regulations or the agreement between the two parties.
Article 27 If the personal data provided by the data processor to others are under any of the following circumstances, de-identification may not be required:
1. The personal data is provided in response to the written requests of public administration and service agencies in order to perform public administration duties or provide public services in accordance with the law;
2. The personal data are provided to others with the consent of the natural persons;
3. The personal data are necessary for the conclusion or performance of a contract to which the natural person is a party;
4. Other circumstances stipulated by laws and administrative regulations.
Article 28 Natural persons may request data processors to provide access to or a copy of their personal data, and the data processors shall provide these services in a timely manner in accordance with relevant regulations and shall not charge fees.
Article 29 If data processors create the user portrait of natural persons for the purpose of improving the quality of products or services, the specific use and main rules of the user portrait shall be stated clearly to the natural persons. The natural persons may refuse to allow the data processors to make the user portrait as provided by the preceding paragraph or to recommend personalized products or services based on the user portrait. The data processors shall provide the natural persons with an effective way of refusal in an easily accessible manner.
Article 30 Data processors shall not recommend personalized products or services based on user portraits to minors under the age of fourteen, except when in order to safeguard their legitimate rights and interests and obtaining the express consent of their guardians.
Article 31 Data processors shall establish mechanisms for natural persons to exercise relevant rights and handle complaints and reports, and shall provide effective ways in an easily accessible manner. When the data processor receives a request for exercise of rights or a complaint or report, it shall accept it in a timely manner, and take corresponding measures in accordance with the law; if it refuses the request or complaint, it shall give reasons.
Chapter Three Public Data
Section One General Principles
Article 32 The municipal data working committee shall establish a specialized committee on public data which shall be responsible for research and coordination of major issues in public data administration.
The municipal government services and data administration department undertakes the daily work of the municipal specialized committee on public data, and shall be responsible for coordinating public data administration in Shenzhen, establishing and improving an administration system for public data resources, and promote the sharing, opening and utilization of public data.
The government services and data administration department of each district shall be responsible for coordinating the public data administration in each district under the guidance of the municipal government services and data administration department.
Article 33 The municipal people’s government shall establish an urban big data center, establish and improve its construction, operation and administration mechanisms, and administrate the city’s public data resources in a unified, intensive, safe and efficient administration manner.
The district people’s governments may, in accordance with the unified planning of the municipality, build sub-centers of the urban big data center, and incorporate public data resources into the unified administration of the urban big data center.
The urban big data center includes public data resources as well as hardware and software infrastructure supporting the administration of public data resources.
Article 34 The municipal government services and data administration department shall be responsible for promoting the aggregation of public data to the urban big data center, and organizing public administration and service agencies for data sharing, opening and utilization based on the urban big data center.
Article 35 A public data classification administration system shall be implemented.
The municipal government services and data administration department shall be responsible for coordinating the overall planning, building and administration of the city’s public data resource system, and build and administrate basic databases such as population, legal persons, housing, natural resources and spatial geography, electronic licenses and public credit in collaboration with relevant departments.
Competent industrial authorities shall plan the public data resource system of each industry and build and administrate relevant subject databases in accordance with the overall planning of the public data resource system and the requirements of relevant norms.
Public administration and service agencies shall build and administrate their own business databases in accordance with the overall planning of the public data resource system, industry-specific planning and the requirements of relevant norms.
Article 36 A public data catalog administration system shall be implemented.
The municipal government services and data administration department shall be responsible for establishing a unified public data resource catalog system for the municipality, formulating public data resource catalog compilation specifications, organizing public administration and service agencies to compile catalogs and process various types of public data in accordance with the requirements of the public data resource catalog compilation specifications, identifying the source of data and clearing administration responsibilities.
Public administration and service agencies shall conduct catalog administration of their own public data in accordance with public data resource catalog compilation specifications.
Article 37 Collection of data by public administration and service agencies shall meet the following requirements:
1. The collection of data shall be necessary for the performance of public administration duties or the provision of public services in accordance with the law, and shall be within the scope of performing the public administration duties or providing the public services;
2. The type and scope of data collected shall be commensurate with the public administration duties it performs or public services it provides in accordance with the law;
3. The collection procedures comply with relevant laws and regulations.
The data that public administration and service agencies can obtain through sharing shall not be separately collected from natural persons, legal persons and unincorporated organizations.
Article 38 Public administration and service agencies shall keep records of the process of public data processing in accordance with relevant regulations.
Article 39 The municipal government services and data administration department shall organize the formulation of quality administration systems and norms for public data, establish and improve a quality monitoring and evaluation system, and organize its implementation.
Public administration and service agencies shall, in accordance with the quality administration systems and norms for public data, establish and improve their own data quality administration systems to strengthen data quality administration, and ensure the authenticity, accuracy, integrity, timeliness and availability of data.
The municipal specialized committee on public data shall regularly evaluate the data administration work of public administration and service agencies, and report the evaluation results to the municipal data working committee.
Article 40 The municipal people’s government shall strengthen institutional mechanisms and technological innovations for the sharing, opening and utilization of public data, and continue to improve the quality and efficiency of the sharing, opening and utilization of public data.
Section Two Public Data Sharing
Article 41 Sharing of public data shall be the principle, while non-sharing shall be the exception.
The municipal government services and data administration department shall establish a matchmaking mechanism for the demand of public data sharing and related administration system based on the public data resource catalog system.
Article 42 The public data included in the public data sharing catalog shall be shared in a timely and accurate manner among public administration and service agencies in need through the public data sharing platform of the urban big data center in accordance with relevant regulations, unless otherwise provided by laws and regulations.
The public data sharing catalog shall be separately formulated and adjusted in time by the municipal government services and data administration department.
Article 43 A public administration and service agency may submit applications for public data sharing according to the needs of performing its public administration duties or providing public services in accordance with the law. It shall clarify the basis, purpose, scope, method and relevant demands of such data utilization, and shall strengthen the administration of shared data in accordance with the requirements of the government services and data administration department and data provider at the corresponding level, to make sure that the shared data shall not exceed the scope of use or be used for other purposes.
The department providing the public data shall respond to the demands of sharing from the public data using department within the specified time, and shall provide necessary data use guidance and technical support.
Article 44 Where the data demanded by public administration and service agencies to perform public administration duties or provide public services in accordance with the law cannot be shared and obtained through the public data sharing platform, the municipal people’s government may purchase it from external sources and incorporate it into the public data sharing catalog in accordance with relevant regulations. The detailed work shall be coordinated by the municipal government services and data administration department.
Section Three Public Data Opening
Article 45 The term “public data opening” as referred to in these Regulations means the provision of machine-readable public data to the society through the public data opening platform by public administration and service agencies.
Article 46 The opening of public data shall follow the principles of categorization and grading, demand-orientation, safety and controllability, and shall be made open to the maximum extent permitted by laws and regulations.
Article 47 No fees shall be charged for opening public data in accordance with laws and regulations. Where laws and administrative regulations provide otherwise, such provisions shall prevail.
Article 48 According to conditions for opening, public data are divided into three categories: unconditionally open, conditionally open and non-open.
Unlimited access public data refer to public data accessible by all natural persons, legal persons and unincorporated organizations without any limitation; limited access public data refer to public data equally accessible by natural persons, legal persons and unincorporated organizations in a specific way; restricted public data refer to public data which involve national security, business secrets and personal privacy, or public data to which public access shall be prohibited according to laws and regulations.
Article 49 The municipal government services and data administration department shall establish an administration system for opening public data based on the public data resource catalog system, compile a catalog for open public data and adjust it in a timely manner.
For conditionally open public data, the opening method, usage requirements and security measures shall be clearly provided when compiling the catalog for open public data.
Article 50 The municipal government services and data administration department shall take advantage of the urban big data center to build a unified and efficient public data opening platform, and organize public administration and service agencies to open public data to the society through this platform.
The public data opening platform shall, according to the type of open public data, provide a variety of data opening services such as data download, application program interface and a secure and credible environment for comprehensive development and utilization of data.
Section Four Public Data Utilization
Article 51 The municipal people’s government shall accelerate the building of a digital government, deepen the application of data in economic regulation, market supervision, social administration, public services and ecological environmental protection, establish and improve systems and rules that use data administration, and reform government decision-making, supervision and service models, so as to achieve active, accurate, integrated and intelligent public administration and services.
Article 52 The municipal people’s government shall take advantage of the urban big data center to build a business center, data center and capability center based on a unified structure, to form a unified system for urban intelligent central platform that will provide unified and comprehensive digital services for public administration and service as well as applications in various regions and industries, and promote technology integration, business integration and data integration.
The municipal people’s government shall take advantage of the urban intelligent central platform to build a government administration and service command center, establish and improve the operation and administration mechanism, promote the overall digital transformation of the government, and deepen cross-level, cross-regional, cross-system, cross-department and cross-business data sharing and business collaboration, so as to establish a unified command, connected, intelligent, accurate, science-based and efficient government operation system.
Competent industrial authorities shall take advantage of the urban intelligent central platform to build administration and service platforms of their own industry, and promote the comprehensive digitalization of administration and service of their own industry.
The district people’s governments, with the goal of serving primary-level administration, shall take advantage of the urban intelligent central platform to integrate data resources, improve business procedures and innovate administration models to promote science-based, refined and smart primary-level governance and service.
Article 53 The municipal people’s government shall take advantage of the urban intelligent central platform to promote business integration and procedure re-organizing, and push for the innovation of an integrated government service mode where requests shall be received at the front desk, approved at the back end and operated across the whole city.
The municipal government services and data administration department shall encourage public administration and service agencies to strengthen the innovative application of public data in the course of public administration and service, reduce materials and streamline links required for handling public affairs and optimize procedures of handling public affairs. For matters that can be approved through data comparison, intelligent approval without human intervention can be carried out.
Article 54 The municipal people’s government shall take advantage of the urban intelligent central platform to strengthen the collection and sharing of regulatory data and credit data, make full use of public data and regulatory systems in various fields, and implement new regulatory models such as off-site supervision, credit supervision and risk warning, so as to improve supervision.
Article 55 The municipal government services and data administration department may organize the building of a service platform for data integration applications, provide a secure and credible environment for comprehensive development and utilization of data to the public, and jointly carry out the innovation of smart city applications.
Chapter Four Data Factor Market
Section One General Principles
Article 56 The municipal people’s government shall make an overall planning to accelerate the cultivation of a data factor market, promote the building of a market system for data factors including data collection, processing, sharing, opening, trading and application, and drive the orderly and efficient flow and utilization of data resources.
Article 57 When undertaking data processing activities, market entities shall implement entity responsibility of data management, establish and improve the organizational structure, management system and self-assessment mechanism for data governance, in order to implement categorized and graded protection and management of data, strengthen data quality management, and ensure the authenticity, accuracy, integrity and timeliness of data.
Article 58 Market entities may use data products and services formed by lawful processing of data to gain benefits and dispose of them in accordance with the law.
Article 59 Market entities that open or provide personal data for use to third parties shall abide by the relevant provisions of Chapter Two of these Regulations; market entities that open, entrust data processing and provide personal data for use to specific third parties shall sign relevant agreements.
Article 60 Where the use, transmission and entrusted processing of data products and services of other market entities involve personal data, such use, transmission and entrusted processing shall abide by the provisions of Chapter Two of these Regulations and the stipulations of relevant agreements.
Section Two Market Cultivation
Article 61 The municipal people’s government shall organize the establishment of local standards such as compliance standards for data processing activities, data product and services standards, data quality standards, data security standards, data value evaluation standards and data governance evaluation standards.
It shall support data-related industrial authorities in establishing group standards and industrial norms, provide information, technology, training and other services, and guide and urge market entities to regulate their data-related behaviors, so as to promote the healthy development of the industry.
It shall encourage market entities to establish data-related corporate standards and participate in the establishment of relevant local standards and group standards.
Article 62 Data processors may entrust third-party institutions to conduct data quality assessment and certification; third-party institutions shall conduct data quality assessment and certification in accordance with the principles of independence, openness and impartiality.
Article 63 Data value assessment institutions shall be encouraged to explore the establishment of a data asset pricing index system in terms of real-timeliness, time span, sample coverage, integrity, type and level of data and mining potential of data, to promote the establishment of data value assessment criteria.
Article 64 The municipal statistics department shall explore the establishment of a statistical accounting system for data production factors with clear scope of statistics, statistical indicators and statistical methods, which will accurately reflect the asset value of data production factors, and shall promote the incorporation of data production factors into the national economic accounting system.
Article 65 The municipal people’s government shall promote the establishment of a data trading platform and guide market entities in data trading through the data trading platform.
Data trading may be conducted through the data trading platform established in accordance with the law, or by market entities themselves in accordance with the law.
Article 66 The data trading platform shall establish a safe, credible, controllable and traceable data trading environment, formulate rules for data trading, information disclosure, self-discipline and supervision, etc., and take effective measures to protect personal data, business secrets and important data stipulated by the state.
Article 67 Data products and services formed by the lawful data processing by market entities may be traded in accordance with the law, except in one of the following situations:
1. The data products and services to be traded contain personal data collected without obtaining proper consent in accordance with the law;
2. The data products and services to be traded contain public data not accessible to the public in accordance with the law;
3. Other circumstances where trading is prohibited by laws and regulations.
Section Three Fair Competition
Article 68 Market entities shall abide by the principle of fair competition, and shall not conduct the following acts that infringe upon the legitimate rights and interests of other market entities:
1. btain data of other market entities by illegal means;
2. Provide alternative products or services using illegally collected data of other market entities;
3. Other acts prohibited by laws and regulations.
Article 69 Market entities shall not use data analysis to accord differential treatment to counterparties with the same trading conditions, except in one of the following circumstances:
1. Market entities set different trading terms according to the actual needs of trading counterparties and in compliance with the legitimate trading habits and industry practices;
2. Market entities carry out promotions towards new users within a reasonable period;
3. Market entities carry on random trades based on fair, reasonable and non-discriminatory rules;
4. Other circumstances stipulated by laws and regulations.
The term “same trading conditions” as referred to in the preceding paragraph means that there is no substantial difference between the trading counterparties in terms of trading security, trading costs, credit status, trade links and trading duration.
Article 70 Market entities shall not exclude or restrict competition by reaching monopoly agreements, abusing their dominant position in the data factor market or by illegal concentration of undertakings.
Chapter Five Data Security
Section One General Principles
Article 71 Data security management follows the principles of government supervision, due responsibilities, active defense and comprehensive prevention, values both security and development, encourages research and development of data security technologies, and ensures the security of data throughout its life cycle.
The municipal people’s government shall coordinate the city’s data security administration, and establish and improve a comprehensive data security governance system.
Article 72 Data processors shall, in accordance with laws and regulations, establish and improve data categorization and grading, risk monitoring, security assessment, security education and other security management mechanisms, implement safeguard measures and continuously improve technical means, so as to ensure data security.
Where a data processor is changed due to merger, division, acquisition, etc., the new data processor shall take the responsibility for data security management.
Article 73 Where sensitive personal data or important data stipulated by the state are processed, a data security management institution shall be established, and persons in charge of data security management shall be specified in accordance with relevant regulations. Special technical protection shall also be provided.
Article 74 The municipal cyberspace department shall coordinate relevant competent authorities and industrial authorities in formulating department-wise and industry-wise catalogs of important data in accordance with the national categorized and graded protection system on data, and provide key protection for data in the catalogs.
Section Two Data Security Management
Article 75 Data processors shall record the entire process of data processing, to ensure that the data source is lawful and the entire processing is clear and traceable.
Article 76 Data processors shall de-identify or anonymize the personal data collected in accordance with laws, regulations and national standards, and the personal data shall be stored separately from those data that can be used to restore the identification of specific natural persons.
Data processors shall formulate and implement security measures such as de-identification or anonymization for sensitive personal data and important data stipulated by the state.
Article 77 Data processors shall manage the storage of data according to its domain and security level, and select storage carriers whose security performance and protection level are commensurate with the security level; sensitive personal data and important data stipulated by the state shall enjoy additional encrypted storage, authorized access or other stricter security measures.
Article 78 Data processors shall give security technical protection for the process of data processing, and establish a disaster tolerant and backup mechanism for important systems and core data.
Article 79 Where data processors share or open data, they shall establish a data sharing and security management mechanism for data opening, and establish and improve a security management mechanism for external data interfaces.
Article 80 Data processors shall establish data destruction procedures to effectively destroy the data that needs to be destroyed.
Where there is no data receiver after the data processor is terminated or dissolved, the data under its control shall be destroyed in a timely and effective manner, except as otherwise provided by laws and regulations.
Article 81 Where a data processor entrusts another person to process data on its behalf, the processor shall conclude a data security protection contract with the entrustee and clarify security protection obligations of both parties.
After the entrustee completes the processing, it shall promptly and effectively destroy the data stored by it, unless otherwise provided by laws and regulations or otherwise agreed by both parties.
Article 82 When data processors make cross-border provision of personal data or important data as defined by the state, the data processors shall apply for a security assessment of cross-border data that involves national security review in accordance with relevant regulations
Article 83 Data processors shall take monitoring and warning measures commensurate with the level of data security protection, and conduct monitoring and warning for abnormalities such as data leakage, damage, loss and tampering, etc..
In the event that data security incidents such as data leakage, damage, loss or tampering are detected or may occur, the data processor shall immediately take remedial and preventive measures.
Article 84 When dealing with sensitive personal data or important data stipulated by the state, regular risk assessments shall be carried out in accordance with relevant regulations, and risk assessment reports shall be submitted to relevant competent authorities.
Article 85 Data processors shall establish an emergency response mechanism for data security and formulate emergency plans for data security. The emergency plans for data security shall grade data security incidents according to factors such as the degree of harm and the scope of influence, and provide corresponding emergency response measures.
Article 86 In the event of data security incidents such as data leakage, damage, loss, tampering, etc., data processors shall immediately initiate the emergency response plan, take corresponding emergency response measures, promptly notify relevant rights holders, and report to the municipal cyberspace department, public security department and relevant competent industrial authorities in accordance with relevant regulations.
Section Three Data Security Supervision
Article 87 The municipal cyberspace department shall take charge of the overall planning and coordination of data security and supervision in accordance with relevant laws, administrative regulations and these Regulations, and establish and improve a supervision mechanism for data security and organize inspections of data security supervision in collaboration with the municipal public security, national security and other departments and relevant competent industrial authorities.
Article 88 The municipal cyberspace department shall strengthen analysis, prediction and assessment for data security risk, and collect relevant information in collaboration with relevant competent departments; when it discovers data security incidents that may lead to large-scale data leakage, damage, loss, tampering, etc., it shall promptly issue an early warning, propose preventive measures, and guide and supervise data processors in properly protecting data security.
Article 89 The municipal cyberspace department and other departments performing duties on data security supervision may entrust a third-party institution to certificate a data processor’s data security management, assess its data security performance and grade its security level in accordance with laws, regulations and relevant standards.
Article 90 Where the municipal cyberspace department and other departments performing data security supervision duties find that a data processor fails to fulfill its security management obligations during the performance of their duties in accordance with regulations, they shall interview the data processor in accordance with regulations and urge them to make rectifications.
Article 91 The municipal cyberspace department, other data supervision and administration departments and their staff shall strictly keep confidential the personal data, business secrets learned in the course of performing their duties as well as other data required to be kept secret, and shall not leak, sell or illegally provide them to others.
Chapter Six Legal Liability
Article 92 Those who process personal data in violation of the provisions of these Regulations shall be punished in accordance with the relevant laws and regulations on personal information protection.
Article 93 Public administration and service agencies that violate the relevant provisions of these Regulations shall be ordered to make corrections by the competent department at a higher level or the relevant competent department; those who refuse to make corrections or cause serious consequences shall be investigated for legal liability according to the law; if losses are caused, such agencies shall be liable for compensation according to the law.
Article 94 For those who trade data in violation of Article 67 of these Regulations, the municipal market supervision and administration department or relevant competent industrial departments shall, according to their duties, order corrections and confiscate the illegal income. A fine of RMB50,000 shall be imposed for income of less than RMB10,000; a fine of not less than RMB200,000 but not more than RMB1 million shall be imposed for income of more than RMB10,000; other administrative penalties stipulated by laws and administrative regulations may also be imposed in accordance with the law. Where laws and administrative regulations provide otherwise, such provisions shall prevail.
Article 95 For those who violate the provisions of Articles 68 and 69 of these Regulations and infringe upon the lawful rights and interests of other market entities and consumers, the municipal market supervision and administration department or relevant competent industrial authorities shall, according to their duties, order corrections and confiscate the illegal income. Those who refuse to make corrections shall be fined not less than RMB50,000 but not more than RMB500,000; if the circumstances are serious, they shall be fined not more than 5% of the previous year’s turnover, but not more than RMB50 million; other administrative penalties prescribed by laws and administrative regulations may also be imposed. Where laws and administrative regulations provide otherwise, such provisions shall prevail.
Market entities who violate Article 70 of these Regulations and commit acts of unfair competition or monopoly shall be punished in accordance with relevant laws and regulations on anti-unfair competition or anti-monopoly.
Article 96 Where data processors violate the provisions of these Regulations and fail to perform their data security protection obligations, they shall be punished in accordance with relevant laws and regulations on data security.
Article 97 Where departments performing data supervision and administration duties and public administration and service agencies fail to or incorrectly perform their duties as stipulated in these Regulations, the person directly in charge and other persons directly responsible shall be punished in accordance with the law; and if the violation constitutes a crime, the violator shall be held criminally liable in accordance with the law.
Article 98 Where data are processed in violation of the provisions of these Regulations, resulting in damage to national interests or public interests, organizations stipulated by laws and regulations may institute a civil public interest litigation in accordance with the law. Where an organization stipulated by laws and regulations institutes civil public interest litigation, the people’s procuratorate may support the prosecution if it deems it necessary.
Where an organization stipulated by laws and regulations has not instituted a civil public interest litigation, the people’s procuratorate may institute a civil public interest litigation in accordance with the law.
If the people’s procuratorate discovers that the department performing data supervision and administration duties illegally exercises its functions and powers or fails to act, causing damage to national interests or public interests, it shall submit a procuratorial suggestion to the relevant administrative organ; if the administrative organ fails to perform its duties in accordance with the law, the people’s procuratorate may institute an administrative public interest litigation in accordance with the law.
Article 99 Where data processors process data in violation of the provisions of these Regulations, causing damage to others, it shall assume civil liability in accordance with the law; if a violation of public security administration is constituted, the violator shall be subject to public security administration penalties according to the law; if the violation constitutes a crime, the violator shall be held criminally liable in accordance with the law.
Chapter Seven Supplementary Provisions
Article 100 These Regulations shall enter into force on January 1, 2022.
附件下载:
粤公网安备 44030402002963号