数据出境安全评估办法 Measures for Security Assessment for Outbound Data Transfer 第一条 为了规范数据出境活动，保护个人信息权益，维护国家安全和社会公共利益， 促进数据跨境安全、自由流动，根据《中华人民共和国网络安全法》、《中华人民共和国数 据安全法》、《中华人民共和国个人信息保护法》等法律法规，制定本办法。 Article 1 In order to regulate outbound data transfer, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of outbound data, the Measures for Security Assessment for Outbound Data Transfer (the “Measures”) are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations of the People’s Republic of China (together, the “Regulations”). 第二条 数据处理者向境外提供在中华人民共和国境内运营中收集和产生的重要数据和 个人信息的安全评估，适用本办法。法律、行政法规另有规定的，依照其规定。 Article 2 The Measures apply to the security assessment of Important Data and personal information collected and generated during operation within the territory of the People’s Republic of China and transferred abroad by a data handler. Where laws and administrative regulations provide otherwise, such provisions shall prevail. 第三条 数据出境安全评估坚持事前评估和持续监督相结合、风险自评估与安全评估相 结合，防范数据出境安全风险，保障数据依法有序自由流动。 Article 3 Security assessment for outbound data transfer shall adhere to the combination of a prior assessment and on-going supervision, as well as the combination of risk self-assessment and security assessment, so as to prevent security risks to outbound data transfer and ensure the orderly free-flow of data in accordance with the law. 第四条 数据处理者向境外提供数据，有下列情形之一的，应当通过所在地省级网信部 门向国家网信部门申报数据出境安全评估： Article 4 Where a data handler transfers data abroad under any of the following circumstances, it shall, through the local Cyberspace Administration at the provincial level, apply to the State Cyberspace Administration for security assessment for the outbound data transfer: （一）数据处理者向境外提供重要数据； (1)a data handler who transfers Important Data abroad; （二）关键信息基础设施运营者和处理 100 万人以上个人信息的数据处理者向境外提供 个人信息； (2)a critical information infrastructure operator, or a data handler processing the personal information of more than 1 million individuals, who, in either case, transfers personal information abroad; （三）自上年 1 月 1 日起累计向境外提供 10 万人个人信息或者 1 万人敏感个人信息的 数据处理者向境外提供个人信息； (3)a data handler who has, since January 1 of the previous year cumulatively transferred abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, or （四）国家网信部门规定的其他需要申报数据出境安全评估的情形。 (4)other circumstances where the security assessment for the outbound data transfer is required by the State Cyberspace Administration. 第五条 数据处理者在申报数据出境安全评估前，应当开展数据出境风险自评估，重点 评估以下事项： Article 5 Prior to applying for the security assessment for the outbound data transfer, a data handler shall, in advance, conduct a self-assessment on the risks of the outbound data transfer, and the self-assessment shall focus on the following matters: （一）数据出境和境外接收方处理数据的目的、范围、方式等的合法性、正当性、必要 性； (1)the legality, legitimacy and necessity of the purpose, scope and methods of the outbound data transfer, and the processing of the data by the foreign recipient; （二）出境数据的规模、范围、种类、敏感程度，数据出境可能对国家安全、公共利益、 个人或者组织合法权益带来的风险； (2)the scale, scope, type and sensitivity of the outbound data transfer, and the risks to national security, the public interest or to the legitimate rights and interests of individuals or organizations, caused by the outbound data transfer; （三）境外接收方承诺承担的责任义务，以及履行责任义务的管理和技术措施、能力等 能否保障出境数据的安全； (3)the duties and obligations which the foreign recipient commits to perform, and whether the foreign recipient’s organizational and technical measures and capabilities in terms of performing the duties and obligations can guarantee the security of the outbound data transfer; （四）数据出境中和出境后遭到篡改、破坏、泄露、丢失、转移或者被非法获取、非法 利用等的风险，个人信息权益维护的渠道是否通畅等； (4)the risks of the data being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the outbound data transfer, and whether there is a smooth channel for safeguarding personal information rights and interests; （五）与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件等（以下 统称法律文件）是否充分约定了数据安全保护责任义务； (5)whether the responsibilities and obligations for data security protection are fully agreed in relevant contracts for the outbound data transfer, or other legally binding documents to be concluded with the foreign re