In order to guide and standardize personal information protection compliance audit activities, and in accordance with the Personal Information Protection Law of the People's Republic of China and other laws and regulations, the Cyberspace Administration of China has drafted the Personal Information Protection Compliance Audit Management Measures (Draft for Comments), which is now open for public comment. The public may submit feedback through the following channels:
1. Log in to the Chinese Government Legal Information Network of the Ministry of Justice of the People's Republic of China (www.moj.gov.cn, www.chinalaw.gov.cn) and enter the "Legislative Opinion Collection" column on the main menu of the homepage to submit your opinions.
2. Send by email to: shujuju@cac.gov.cn.
3. Send your opinions by letter to: Network Data Administration Bureau of the Cyberspace Administration of China, No. 15 Fucheng Road, Haidian District, Beijing, Postal Code 100048, and indicate on the envelope "Soliciting Opinions on the Personal Information Protection Compliance Audit Management Measures."
The deadline for feedback is September 2, 2023.
Attachment: Personal Information Protection Compliance Audit Management Measures (Draft for Comments)
State Internet Information Office
August 3, 2023
Personal Information Protection Compliance Audit Management Measures
(Draft for comments)
Article 1 These Measures are formulated in accordance with the Personal Information Protection Law of the People's Republic of China and other laws, administrative regulations and relevant national provisions, in order to guide and standardize personal information protection compliance audit activities, raise the compliance level of personal information processing activities, and protect personal information rights and interests.
Article 2 These Measures apply to personal information protection compliance audits that personal information processors conduct on a regular basis, or that they entrust to professional institutions at the request of a department performing personal information protection duties, and to the supervision and administration of such compliance audit activities.
Article 3 The term "personal information protection compliance audit" as mentioned in these Measures refers to supervisory activities that review and evaluate whether the personal information processing activities of personal information processors comply with laws and administrative regulations.
Article 4 Personal information processors that handle the personal information of more than 1 million people shall conduct a personal information protection compliance audit at least once a year; other personal information processors shall conduct a personal information protection compliance audit at least once every two years.
Article 5 A personal information processor may, according to its actual circumstances, conduct a personal information protection compliance audit itself through its internal bodies, or entrust a professional institution to conduct it, in accordance with the requirements of these Measures.
Article 6 Where a department performing personal information protection duties, in the course of performing those duties, finds that personal information processing activities present relatively high risks or that a personal information security incident has occurred, it may require the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities.
Article 7 Where a personal information processor conducts a personal information protection compliance audit at the request of a department performing personal information protection duties, it shall select a professional institution to conduct the audit as soon as possible after receiving the notice.
Article 8 Where a personal information processor entrusts a professional institution to conduct a personal information protection compliance audit at the request of a department performing personal information protection duties, it shall ensure that the professional institution can properly exercise the following powers:
(1) Request to provide or assist in accessing relevant documents or information;
(2) Entering places related to personal information processing activities;
(3) Observe personal information processing activities taking place in the premises;
(4) Investigate relevant business activities and the information systems they rely on;
(5) Inspect and test equipment and facilities related to personal information processing activities;
(6) Retrieve and review data or information related to personal information processing activities;
(7) Interviewing personnel related to personal information processing activities;
(8) Conduct investigations, inquiries and evidence collection on relevant issues;
(9) Other powers necessary to carry out the compliance audit.
Article 9 Where a personal information processor entrusts a professional institution to conduct a personal information protection compliance audit at the request of a department performing personal information protection duties, the audit shall be completed within 90 working days; where the circumstances are complex, the period may be extended appropriately with the approval of the department performing personal information protection duties.
Article 10 Where a personal information processor entrusts a professional institution to conduct a personal information protection compliance audit at the request of a department performing personal information protection duties, it shall organize and carry out the audit in accordance with the requirements of these Measures and, after the necessary compliance audit procedures have been performed, promptly submit the compliance audit report issued by the professional institution to the department performing personal information protection duties. The personal information protection compliance audit report shall be signed by the person in charge of the compliance audit and the person in charge of the professional institution, and stamped with the official seal of the professional institution.
Article 11 Where a personal information processor entrusts a professional institution to conduct a personal information protection compliance audit at the request of a department performing personal information protection duties, it shall carry out rectification according to the rectification recommendations given by the professional institution, and, after the professional institution has reviewed the rectification, report the rectification status to the department performing personal information protection duties.
Article 12 Professional institutions that perform personal information protection compliance audits shall maintain independence and objectivity, and shall not conduct more than three consecutive personal information protection compliance audits for the same audit target.
Article 13 The national cyberspace administration, together with the public security organs and other relevant departments of the State Council, shall establish a recommended directory of professional institutions for personal information protection compliance auditing in accordance with the principles of overall planning, rational layout and merit-based recommendation, organize an annual evaluation of such professional institutions, and dynamically adjust the recommended directory based on the evaluation results.
Personal information processors are encouraged to give priority to professional institutions in the recommended directory to carry out personal information protection compliance audit activities.
Article 14 When professional institutions engage in personal information protection compliance audit activities, they shall be honest and upright, and make professional compliance audit judgments fairly and objectively.
Professional institutions are not allowed to subcontract and entrust third parties to conduct personal information protection compliance audits.
Information obtained by a professional institution in the course of performing personal information protection compliance audit duties may be used only for the needs of the compliance audit and shall not be used for any other purpose; the professional institution shall bear confidentiality obligations for the information obtained, and shall take corresponding technical measures and other necessary measures to ensure data security.
Professional institutions shall not maliciously interfere with the normal business activities of personal information processors when performing personal information protection compliance audit duties.
Where a professional institution issues a false or inaccurate report or commits other violations, personal information processors and relevant parties may file a complaint with the department performing personal information protection duties. If the department performing personal information protection duties verifies the complaint, the professional institution shall be permanently barred from inclusion in the recommended directory of professional institutions for personal information protection compliance auditing.
Article 15 Violations of the provisions of these Measures will be dealt with in accordance with the "Personal Information Protection Law of the People's Republic of China" and other laws and regulations; if a crime is constituted, criminal liability will be pursued in accordance with the law.
Article 16 These Measures shall be interpreted by the Cyberspace Administration of China and shall come into effect on [date left blank in the draft].
Attachment: Reference points for personal information protection compliance audit
Reference points for personal information protection compliance audits
Article 1 These key points are formulated in accordance with the mandatory requirements of laws, administrative regulations and national standards such as the "Personal Information Protection Law of the People's Republic of China" and provide reference for conducting personal information protection compliance audits.
Article 2 Personal information protection compliance audits shall first examine the basic conditions for the legality of personal information processing activities, focusing on the following matters:
(1) Whether the individual's consent has been obtained for the processing of personal information, and whether that consent was given voluntarily and explicitly by the individual with full knowledge of the processing;
(2) When processing personal information based on individual consent, if the purpose of processing personal information, processing methods and types of personal information processed change, whether to obtain the individual's consent again;
(3) When processing personal information based on individual consent, whether the individual is provided with a convenient way to withdraw consent;
(4) When processing personal information based on individual consent, whether operations with individual consent are recorded;
(5) When processing personal information based on individual consent, whether products or services are refused on the grounds that the individual does not consent to the processing of his or her personal information or withdraws consent, except where the processing of personal information is necessary for providing the products or services;
(6) Whether the processing of personal information without obtaining individual consent falls within the circumstances that do not require individual consent according to laws and administrative regulations.
Article 3 When auditing personal information processing rules, the following matters shall be focused on:
(1) Whether the name (or organization name) and contact information of the personal information processor are truthfully, accurately and completely notified;
(2) Whether the personal information collected and the purpose, method and scope of processing are set out in list form;
(3) Whether the retention period of personal information, or the method for determining it, and the handling of personal information upon expiry of that period are specified, and whether the retention period is the minimum necessary to achieve the processing purpose;
(4) Whether the channels and methods for individuals to access, copy, process, transfer, correct, supplement, delete, disclose, restrict the processing of personal information, cancel accounts, and withdraw consent are clear;
(5) When providing personal information to a third party, whether the name of the recipient, contact information, purpose of processing, processing method and type of personal information are clearly informed to the individual, and whether the individual's separate consent is obtained;
(6) Other matters stipulated in laws and administrative regulations.
Article 4 Personal information processors shall perform notification obligations when handling personal information, and shall focus on the following matters during audits:
(1) Before processing personal information, whether the personal information processor truly, accurately and completely informs the individual of the personal information processing rules in a conspicuous manner and in clear and understandable language;
(2) Whether the size, font and color of the notification text are convenient for individuals to fully read the notification;
(3) For offline notification, whether the notification obligation to individuals is fulfilled through methods such as signs and explanations;
(4) For online notification, whether the notification is provided in text form or the notification obligation to individuals is fulfilled through other appropriate means;
(5) If the personal information processing rules change, whether the changes will be notified to individuals in a timely manner.
Article 5 If a personal information processor jointly processes personal information with others, it shall focus on reviewing the following matters:
(1) Whether their respective rights and obligations have been agreed upon;
(2) Personal information protection measures taken by all parties;
(3) Personal information rights protection mechanism;
(4) Personal information security incident reporting mechanism;
(5) The responsibilities of all parties if the infringement of personal information rights causes damage;
(6) Other rights and obligations that laws and administrative regulations require to be agreed upon.
Article 6 Where a personal information processor entrusts the processing of personal information to another party, the audit shall focus on reviewing the following matters:
(1) Whether the personal information processor conducts a personal information protection impact assessment before entrusting the processing of personal information;
(2) Whether the contract signed between the personal information processor and the trustee stipulates the purpose, period, method and type of personal information entrusted to process, the technical and management measures that the trustee should take, the rights and obligations of both parties, etc.;
(3) Whether the personal information processor adopts regular inspections and other methods to supervise the personal information processing activities of the trustee to ensure that the entrusted processing of personal information complies with legal regulations;
(4) Whether the trustee handles personal information in strict accordance with the terms of the entrustment contract, and whether the personal information is processed beyond the agreed processing purposes and methods;
(5) When the entrustment contract does not take effect, is invalid, is revoked or terminated, whether the trustee will return the personal information to the personal information processor or delete it;
(6) Whether the trustee entrusts others to process personal information, and whether the trustee has obtained the consent of the personal information processor.
Article 7 If a personal information processor needs to transfer personal information due to merger, reorganization, division, dissolution, bankruptcy, etc., it shall focus on reviewing the following matters:
(1) Whether the personal information processor informs the individual of the name (or organization name) and contact information of the recipient;
(2) Whether the receiving party continues to perform its obligations as a personal information processor;
(3) If the receiving party changes the original purpose and method of processing, whether it must obtain the individual's consent again in accordance with the relevant provisions of laws and administrative regulations.
Article 8 If a personal information processor provides personal information processed by it to other personal information processors, it shall focus on reviewing the following matters:
(1) Whether the individual’s separate consent is obtained;
(2) Whether the name of the recipient, contact information, purpose of processing, method of processing and type of personal information are notified to the individual;
(3) Whether the receiving party processes personal information within the scope of the processing purposes, processing methods and types of personal information agreed upon by both parties;
(4) If the purpose or method of processing is changed, whether the individual's consent is obtained again in accordance with laws and administrative regulations;
(5) Whether a personal information protection impact assessment has been conducted in advance.
Article 9 If a personal information processor uses automated decision-making to process personal information, the audit shall focus on evaluating the transparency of the automated decision-making and the fairness and impartiality of the results:
(1) Whether individuals are proactively informed in advance of the types of personal information processed by automated decision-making and the possible impacts;
(2) Whether the algorithm model has been safety assessed in advance and filed in accordance with relevant national regulations to minimize the defects of the automated decision-making algorithm model. When the application scenarios and main functions change, whether the algorithm model has been re-evaluated;
(3) Whether the algorithm model has been reviewed for scientific and technological ethics in advance;
(4) Whether a personal information protection impact assessment has been conducted in advance;
(5) Whether individuals are provided with a safeguard mechanism enabling them, in a convenient manner, to refuse decisions made solely by automated decision-making that have a significant impact on their rights and interests, or to require the personal information processor to explain such decisions;
(6) Whether to provide users with the function of deleting or modifying user tags for their personal characteristics used for automated decision-making services;
(7) Whether necessary measures are taken to protect algorithms and parameter models;
(8) Whether manual operations in automated decision-making processes such as personal information processing, tag management, and model training are recorded to prevent malicious manipulation of automated decision-making information and results;
(9) When pushing information and commercial marketing to individuals, whether it also provides options that are not targeted at personal characteristics, or provides a convenient way to refuse automated decision-making services;
(10) Whether effective measures have been taken to prevent automated decision-making from imposing unreasonable differential treatment on individuals in terms of transaction conditions based on consumer preferences, transaction habits, etc.;
(11) Other matters that may affect the transparency of automated decision-making and the fairness and justice of the results.
Article 10 If a personal information processor discloses the personal information it handles, it shall focus on reviewing the following matters:
(1) Whether the personal information processor obtains individual consent before disclosing the personal information it processes, whether the authorization is true and valid, and whether the personal information is disclosed against the individual's will;
(2) Whether the personal information processor has conducted a personal information protection impact assessment before disclosing personal information.
Article 11 Where a personal information processor installs image collection or personal identity recognition equipment in a public place, the audit shall focus on reviewing the legality of the installation of such equipment and the purposes for which the collected personal information is used. The review shall include but is not limited to:
(1) Whether the installation is necessary for maintaining public security, and whether the collected information is used for commercial purposes;
(2) Whether there are conspicuous reminder signs;
(3) If the personal images and identification information collected by the personal information processor are used for purposes other than maintaining public security, whether separate consent from the individual is obtained.
Article 12 If a personal information processor handles disclosed personal information, the audit shall focus on whether the personal information processor has committed the following violations:
(1) Send information unrelated to the purpose of disclosure to the email address, mobile phone number, etc. in the disclosed personal information;
(2) Using disclosed personal information to engage in cyber violence;
(3) Process public personal information that the individual explicitly refuses to process;
(4) Processing disclosed personal information without individual consent in a manner that has a significant impact on the individual's rights and interests.
Article 13 If a personal information processor handles sensitive personal information, the following matters shall be focused on during the audit:
(1) Whether the individual’s separate consent is obtained in advance when processing sensitive personal information such as biometrics, religious beliefs, specific identities, medical health, financial accounts, and whereabouts;
(2) When processing the personal information of minors under the age of fourteen, whether the consent of the minor's parents or other guardians has been obtained in advance;
(3) Whether the purpose and method of processing sensitive personal information are legal, legitimate and necessary;
(4) Whether the processing of sensitive personal information is closely related to a specific purpose such as providing goods or services or performing statutory duties or obligations, and whether any non-essential processing exists;
(5) Whether a personal information protection impact assessment is conducted beforehand and individuals are notified of the necessity of processing sensitive personal information and the impact on personal rights and interests;
(6) If written consent is required by laws and administrative regulations, whether written consent is obtained;
(7) Whether the process of handling sensitive personal information is recorded to ensure that the process of handling sensitive personal information is legal and compliant.
Article 14 If the business of a personal information processor involves processing the personal information of minors under the age of fourteen, the following matters shall be focused on during the audit:
(1) Whether to formulate special rules for handling minors’ personal information;
(2) Whether the minors and their guardians are informed of the purpose of processing the minor's personal information, the method of processing, the necessity of processing, the types of personal information processed, and the protective measures taken;
(3) Whether there is any behavior that compels minors or their guardians to consent to unnecessary processing of personal information.
Article 15 If a personal information processor provides personal information overseas, it shall focus on reviewing the following matters:
(1) Whether the personal information provided overseas by critical information infrastructure operators and personal information processors that handle the personal information of more than 1 million people has undergone a security assessment organized by the national cybersecurity and informatization department;
(2) Whether a personal information processor that has provided personal information of 100,000 people or sensitive personal information of 10,000 people abroad since January 1 of the previous year has undergone a security assessment organized by the national cyberspace department;
(3) Whether there is any provision of personal information stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies, and if so, whether it has been approved by the competent authority of the People's Republic of China;
(4) If the international treaties or agreements concluded or acceded to by the People's Republic of China stipulate the conditions for providing personal information outside the territory of the People's Republic of China, whether the provisions shall be followed;
(5) Whether, in accordance with the provisions of the national cyberspace administration, personal information protection certification has been obtained from a professional institution, or a contract has been concluded with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration, or other conditions stipulated by laws, administrative regulations or the national cyberspace administration have been met;
(6) Whether the personal information protection policies and regulations of the country or region where the overseas recipient is located, and the impact of its cybersecurity environment on the outbound personal information, have been understood;
(7) Whether there are any violations in providing personal information to organizations and individuals that are included in the list of restricted or prohibited personal information provision.
Article 16 Personal information processors that provide personal information overseas shall take necessary measures to ensure that the overseas recipient's personal information processing activities meet the personal information protection standards stipulated in the Personal Information Protection Law of the People's Republic of China. The audit should focus on examining the effectiveness of the supervisory measures taken by personal information processors on overseas recipients, including but not limited to:
(1) Whether the situation of the overseas recipient is known and understood, especially whether the recipient has the necessary personal information protection capabilities;
(2) Whether the overseas recipient has been informed of the personal information protection requirements of the laws and administrative regulations of the People's Republic of China, and whether the overseas recipient has been required to take corresponding protective measures;
(3) Whether the overseas recipients are urged to effectively fulfill their personal information protection obligations through signing of agreements, regular inspections, etc.
Article 17 When auditing the protection of the right to deletion of personal information, the deletion of personal information in the following circumstances shall be focused on:
(1) The purpose of personal information processing has been achieved, cannot be achieved, or is no longer necessary to achieve the purpose of processing;
(2) The personal information processor ceases to provide products or services, or the individual cancels the account;
(3) The storage period agreed with the individual is reached;
(4) Withdrawal of consent by an individual;
(5) Due to the use of automated collection technology, etc., it is impossible to avoid collecting unnecessary personal information or personal information without consent;
(6) Personal information processors process personal information in violation of laws, administrative regulations or agreements.
If the retention period stipulated in laws and administrative regulations has not expired, or deletion of personal information is technically difficult to achieve, the personal information processor shall stop processing other than storage and taking necessary security measures.
Article 18 Personal information processors shall protect individuals’ rights to exercise personal information rights, and shall focus on the following matters during audits:
(1) Whether an application acceptance mechanism for individuals to exercise their rights has been established;
(2) Whether it provides individuals with convenient methods to access, copy, transfer, correct, supplement, and delete personal information;
(3) Whether it responds to an individual's application to exercise rights in a timely manner, and whether it provides timely, complete and accurate notification of processing opinions or execution results.
Article 19 Personal information processors shall respond to individual applications and explain their personal information processing rules. During audits, they shall focus on evaluating the following content:
(1) Whether the personal information processor provides convenient ways and means to accept and process individuals’ requests for explanations of personal information processing rules;
(2) After receiving the individual's request, whether the personal information processor explains its personal information processing rules in plain and understandable language within a reasonable time.
Article 20 Personal information processors bear the main responsibility for the protection of personal information. During the audit, the focus should be on evaluating the performance of personal information processors' main responsibilities, including but not limited to the following matters:
(1) The adaptability of the formulation, organizational structure, and management procedures of the personal information protection system to the nature, scale, complexity, and risk of processing personal information;
(2) Whether the division of responsibilities for personal information protection is reasonable, whether responsibilities are clear, and whether reporting relationships are clear;
(3) The compatibility of the human, financial, and material protection provided by the personal information processor for personal information protection with the enterprise's business scale, operation plan, and personal information compliance risk management.
Article 21 Personal information processors shall formulate internal management systems and operating procedures in accordance with the provisions of laws and administrative regulations, clarify organizational structure and job responsibilities, establish work processes, improve internal control systems, and ensure compliance and security of personal information processing. During the audit, the focus should be on reviewing the personal information processor's internal management system and operating procedures for personal information protection, including but not limited to:
(1) Whether the policies, objectives, and principles of personal information protection work comply with laws and administrative regulations;
(2) Whether the personal information protection organizational structure, staffing, behavioral norms, and management responsibilities are consistent with the personal information protection responsibilities that should be fulfilled;
(3) Whether personal information is classified by type, source, sensitivity, purpose, etc., and whether targeted management or security technical measures are taken accordingly;
(4) Whether an emergency response mechanism for personal information security incidents has been established;
(5) Whether a personal information protection impact assessment and compliance audit system has been established;
(6) Whether a smooth process for accepting complaints and reports on personal information protection has been established;
(7) Whether personal information protection security education and training plans have been formulated and implemented;
(8) Whether a performance evaluation system for the person in charge of personal information protection and relevant personnel has been established;
(9) Whether a system for handling violations by, and assigning responsibility to, personnel involved in personal information processing has been established and effectively implemented;
(10) Other contents stipulated by laws and administrative regulations.
Article 22 Personal information processors shall adopt security technical measures appropriate to the scale and type of personal information processed. The audit shall evaluate the effectiveness of the technical measures taken by the personal information processor. The evaluation content includes but is not limited to:
(1) Whether relevant national standards or technical requirements are referenced and corresponding security technical measures are adopted to ensure the confidentiality, integrity, and availability of personal information;
(2) Whether security technical measures such as encryption and de-identification are adopted so that the identifiability of personal information is eliminated or reduced absent the use of additional information;
(3) Whether the security technical measures adopted can reasonably restrict the operating permissions of relevant personnel to access, copy, transmit, or otherwise handle personal information, and reduce the risk of unauthorized access to and abuse of personal information during processing.
Article 23 When auditing the formulation and implementation of education and training plans by personal information processors, the evaluation should focus on the following matters:
(1) Whether corresponding security education and training is carried out as planned for management personnel, technical personnel, operators, and all employees, and whether the personal information protection awareness and skills of the corresponding personnel are assessed;
(2) Whether the training content, training methods, training objects, training frequency, etc. can meet the needs of personal information protection.
Article 24 Personal information processors that process personal information in quantities reaching the threshold specified by the national cybersecurity and informatization department shall designate a person in charge of personal information protection who shall be responsible for the compliance of personal information processing activities. During the audit, the following matters should be focused on:
(1) Whether the person in charge of personal information protection has relevant work experience and professional knowledge, and is familiar with laws and administrative regulations related to personal information protection;
(2) Whether the person in charge of personal information protection has clearly defined responsibilities, and whether he or she has been given sufficient authority to coordinate the departments and personnel involved in personal information processing within the organization;
(3) Whether the person in charge of personal information protection has the right to nominate the person in charge of the personal information protection team and maintain smooth communication and contact with them;
(4) Whether the person in charge of personal information protection has the right to put forward relevant opinions and suggestions before making decisions on major matters related to the processing of personal information;
(5) Whether the person in charge of personal information protection has the authority to stop non-compliant operations in the organization's internal processing of personal information and take necessary corrective measures;
(6) Whether the personal information processor discloses the contact information of the person in charge of personal information protection, and reports the name, contact information, etc. of the person in charge of personal information protection to the department that performs personal information protection responsibilities.
Article 25 When auditing the personal information protection impact assessment carried out by personal information processors, the review shall focus on the implementation and content of the impact assessment:
(1) Whether in accordance with the provisions of laws and administrative regulations, it has passed a personal information protection impact assessment before carrying out personal information processing activities that have a significant impact on personal rights and interests;
(2) Whether the legality, legitimacy, and necessity of the personal information processing activities have been analyzed and evaluated, and whether personal information is collected excessively;
(3) Whether security risks such as restricting individuals' right to independent decision-making, causing differential treatment, damaging personal reputation or causing mental distress, or damaging personal property have been analyzed and assessed;
(4) Whether the legality, effectiveness, and adaptability of the protective measures taken have been analyzed and evaluated;
(5) Whether personal information protection impact assessment reports and processing records are kept for at least three years.
Article 26 Personal information processors shall formulate emergency plans for personal information security incidents. During the audit, the comprehensiveness, effectiveness, and enforceability of the emergency response plan shall be evaluated, including but not limited to the following:
(1) Whether it has made a systematic assessment and prediction of the personal information security risks it faces based on the actual business conditions;
(2) Whether the guiding ideology, basic strategies, organizational structure, personnel, technology, material support, command and handling procedures, emergency and support measures, etc. are sufficient to deal with the predicted risks;
(3) Whether emergency plan training is provided to relevant personnel and emergency plan drills are conducted regularly.
Article 27 When evaluating the emergency response and handling of personal information security incidents by personal information processors, the following factors should be mainly considered:
(1) Whether, in accordance with the emergency plan and operating procedures, the impact, scope, and possible harm of the personal information security incident have been promptly identified, the cause of the incident analyzed and determined, and measures proposed to prevent the harm from spreading;
(2) Whether a notification channel has been established, and whether the departments performing personal information protection responsibilities and the individuals concerned can be notified within 72 hours after the incident occurs;
(3) Whether corresponding measures have been taken to minimize the losses and possible harm risks caused by personal information security incidents.
Article 28 Large-scale Internet platform operators should establish an independent organization composed mainly of external members to supervise the protection of personal information. During the audit, the independence, duty performance capabilities, supervisory role, etc. of the independent agency should be evaluated:
(1) Evaluate the independence of independent institutions in supervising personal information protection, focusing on examining whether external members have relationships with personal information processors and their major shareholders that may hinder their independent and objective judgment;
(2) Evaluate the ability of external members to perform their duties, focusing on examining whether external members have corresponding professional knowledge, abilities and experience, and whether they can supervise and guide the personal information protection of personal information processors and issue objective and impartial opinions and suggestions;
(3) Evaluate the supervisory role of independent institutions, focusing on the role played by independent institutions in the construction of compliance systems for personal information processors, formulation of platform rules, handling of major personal information security incidents, and urging companies to fulfill their social responsibilities.
Article 29 Regarding the rules of large-scale Internet platforms, the following matters should be focused on auditing:
(1) Evaluate the legality and compliance of the platform rules and whether they conflict with laws and administrative regulations;
(2) Evaluate the fairness and impartiality of the platform rules, whether there is malicious competition, impact on consumer rights and other content that violates the principles of fair competition, good faith, public order and good customs;
(3) Evaluate the effectiveness of the personal information protection provisions of the platform rules: whether the personal information protection rights and obligations of the platform and of product or service providers on the platform are reasonably defined, whether the handling of personal information by operators on the platform is regulated, and whether the operators' personal information protection obligations are clear;
(4) Check the implementation of the platform rules and verify whether the platform rules are effectively implemented through sampling and other methods.
Article 30 Large-scale Internet platform operators shall supervise the personal information processing activities of product or service providers on their platforms. During the audit, the following matters should be focused on:
(1) Whether the legality and rationality of the personal information processing rules of products or service providers on the platform are regularly reviewed;
(2) Whether the compliance of product or service providers on the platform with laws and administrative regulations in handling personal information is regularly reviewed;
(3) Whether the platform promptly stops providing services to product or service providers that seriously violate laws and administrative regulations in handling personal information.
Article 31 Large-scale Internet platform operators shall publish a personal information protection social responsibility report every year. During the audit, the disclosure of the following contents of the social responsibility report should be focused on:
(1) Personal information protection organizational structure and internal management;
(2) Construction of personal information protection capabilities;
(3) Personal information protection measures and effectiveness;
(4) The acceptance of applications by individuals to exercise their rights;
(5) Performance of duties by independent supervision agencies;
(6) Handling of major personal information security incidents;
(7) Other situations stipulated by laws and administrative regulations.
Original article by Compliance Requirements; if reproduced, please credit https://cncso.com/en/personal-information-protection-compliance-audit-management-html