Page 8 - THE SOUTH CHINA BUSINESS JOURNAL
P. 8
PTH
What are the
responsibilities of data
holders?
According to the draft Measures, firms are as other data security measures. The penalties include
required to sort out and record important and fines, suspension of the relevant business, suspension
core data and report a data catalogue to the local of the business for rectification, and revocation of the
branch of the MIIT. If reported data changes, firms relevant business permit or business license.
are also obliged to report the updated information
to the government within three months. In addition, the draft Measures point out that
enterprises should set up the responsible
Based on the importance of the data, firms should departments and identify main persons in charge
adopt different degrees of protection measures of data security management, as well as make clear
when collecting, storing, processing, transferring, key positions and personnel for data processing.
providing, disclosing, and disposing the important
and core data. The following compliance requirements also
deserve the attention of enterprises:
Most notably, when it comes to cross-border
data flows, the Measures has clearly prohibited • Without the consent of the individual or
core data from being transferred overseas and the entity, enterprises shall not obtain accurate
transferring important data overseas will be user portraits or restore data of specific subjects
subject to government review. through data mining, association analysis, or other
technical means.
This is consistent with China’s Data Security
Law and Cybersecurity Law. The Cybersecurity • When it is necessary to protect national
Law stipulates that the operator of a critical security and social and public interests, enterprises
information infrastructure should store important should destroy the data when a third-party
data collected and generated domestically within organization provides proof to request such
the territory of China. Where such information destruction.
and data have to be provided abroad for business
purpose, a security review should be conducted. • Enterprises should establish registration
and approval mechanisms and keep record of its
China’s Data Security Law, while it doesn’t offer transmission of important data, and its use and
detailed rules on the safety management for cross- processing of important data and core data.
border transfers of important data, prescribes the
penalties for firms transferring important data • The transmission and provision of core
overseas in violation of the Cybersecurity Law as well data shall be approved by the State.
5 AMCHAM SOUTH CHINA
What are the
responsibilities of data
holders?
According to the draft Measures, firms are as other data security measures. The penalties include
required to sort out and record important and fines, suspension of the relevant business, suspension
core data and report a data catalogue to the local of the business for rectification, and revocation of the
branch of the MIIT. If reported data changes, firms relevant business permit or business license.
are also obliged to report the updated information
to the government within three months. In addition, the draft Measures point out that
enterprises should set up the responsible
Based on the importance of the data, firms should departments and identify main persons in charge
adopt different degrees of protection measures of data security management, as well as make clear
when collecting, storing, processing, transferring, key positions and personnel for data processing.
providing, disclosing, and disposing the important
and core data. The following compliance requirements also
deserve the attention of enterprises:
Most notably, when it comes to cross-border
data flows, the Measures has clearly prohibited • Without the consent of the individual or
core data from being transferred overseas and the entity, enterprises shall not obtain accurate
transferring important data overseas will be user portraits or restore data of specific subjects
subject to government review. through data mining, association analysis, or other
technical means.
This is consistent with China’s Data Security
Law and Cybersecurity Law. The Cybersecurity • When it is necessary to protect national
Law stipulates that the operator of a critical security and social and public interests, enterprises
information infrastructure should store important should destroy the data when a third-party
data collected and generated domestically within organization provides proof to request such
the territory of China. Where such information destruction.
and data have to be provided abroad for business
purpose, a security review should be conducted. • Enterprises should establish registration
and approval mechanisms and keep record of its
China’s Data Security Law, while it doesn’t offer transmission of important data, and its use and
detailed rules on the safety management for cross- processing of important data and core data.
border transfers of important data, prescribes the
penalties for firms transferring important data • The transmission and provision of core
overseas in violation of the Cybersecurity Law as well data shall be approved by the State.
5 AMCHAM SOUTH CHINA
