In order to implement the relevant provisions of the Personal Information Protection Law of the People's Republic of China, standardize personal information processing activities, and promote the reasonable use of personal information, the State Administration for Market Regulation and the Cyberspace Administration of China have decided, in accordance with the Regulations of the People's Republic of China on Certification and Accreditation, to implement personal information protection certification and to encourage personal information processors to improve their personal information protection capabilities through certification. Certification bodies engaging in personal information protection certification shall carry out the relevant certification activities only after approval, and shall conduct certification in accordance with the Implementation Rules for Personal Information Protection Certification (see Annex).
It is hereby announced.
State Administration for Market Regulation
Cyberspace Administration of China
November 4, 2022
Implementation Rules for Personal Information Protection Certification
1 Scope of application
These Rules are formulated in accordance with the Regulations of the People's Republic of China on Certification and Accreditation, and set out the basic principles and requirements for certifying personal information processors with respect to their collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information, as well as their cross-border processing activities.
2 Certification basis
Personal information processors shall meet the requirements of GB/T 35273, Information Security Technology - Personal Information Security Specification.
Personal information processors that carry out cross-border processing activities shall additionally meet the requirements of TC260-PG-20222A, Security Certification Specification for Cross-border Processing Activities of Personal Information.
In principle, the latest versions of the above standards and specifications apply.
3 Certification mode
The certification mode for personal information protection certification is:
Technical verification + on-site audit + post-certification supervision
4 Certification implementation procedures
4.1 Certification entrustment
The certification body shall specify the requirements for certification entrustment materials, including but not limited to basic information about the certification client, the certification power of attorney and relevant supporting documents.
The certification client shall submit the certification entrustment materials as required by the certification body; after reviewing them, the certification body shall promptly notify the client whether the entrustment is accepted.
Based on the certification entrustment materials, the certification body shall determine the certification scheme, including the types and volume of personal information, the scope of the personal information processing activities involved and the technical verification institution to be used, and shall notify the certification client.
4.2 Technical verification
The technical verification institution shall carry out technical verification in accordance with the certification scheme and issue a technical verification report to the certification body and the certification client.
4.3 on-site audit
The certification body conducts the on-site audit and issues an on-site audit report to the certification client.
4.4 Evaluation and approval of certification results
The certification body makes a comprehensive evaluation based on the certification entrustment materials, the technical verification report, the on-site audit report and other relevant information, and makes a certification decision. Where the certification requirements are met, it issues a certification certificate. Where the requirements are not yet met, the certification client may be required to rectify within a set time limit; if the requirements are still not met after rectification, the certification body shall notify the certification client in writing that the certification is terminated.
Where the certification client or personal information processor is found to have engaged in fraud, concealment of information, deliberate violation of the certification requirements or other acts that seriously affect the conduct of certification, certification shall not be granted.
4.5 Post-certification supervision
4.5.1 Frequency of supervision
Within the validity period of the certification, certification bodies shall continuously supervise certified personal information processors and set a reasonable supervision frequency.
4.5.2 Contents of supervision
Certification bodies shall take appropriate measures to carry out post-certification supervision so as to ensure that certified personal information processors continue to meet the certification requirements.
4.5.3 Evaluation of post-certification supervision results
The certification body makes a comprehensive evaluation of the post-certification supervision conclusions and other relevant information. If the evaluation is passed, the certification certificate continues to be maintained; if not, the certification body shall suspend or, depending on the circumstances, revoke the certification certificate.
4.6 Time limit for certification
The certification body shall clearly specify the time limit for each stage of certification and ensure that the relevant work is completed within it. The certification client shall actively cooperate with the certification activities.
5 Certification certificate and certification mark
5.1 Certification Certificate
5.1.1 Maintenance of the certification certificate
The certification certificate is valid for 3 years. During the validity period, the validity of the certificate is maintained through the certification body's post-certification supervision.
If the certificate is to remain in use after expiry, the certification client shall submit a certification entrustment within the 6 months before the validity period ends. The certification body shall handle that entrustment by way of post-certification supervision and issue a new certificate where the certification requirements are met.
5.1.2 Change of certification certificate
During the validity period of the certification certificate, if the name, registered address, certification requirements or certification scope of the certified personal information processor changes, the certification client shall submit a change entrustment to the certification body. The certification body evaluates the change entrustment according to its content and decides whether the change can be approved; where technical verification and/or an on-site audit are required, they shall be completed before the change is approved.
5.1.3 Cancellation, suspension and revocation of certification certificate
Where a certified personal information processor no longer meets the certification requirements, the certification body shall promptly suspend and, where warranted, revoke the certification certificate. The certification client may apply to have the certification certificate suspended or cancelled during its validity period.
5.1.4 Publication of certification certificate
Certification bodies shall publish, in an appropriate manner, information on the issuance, change, suspension, cancellation and revocation of certification certificates.
5.2 Certification mark
The personal information protection certification mark for certification that does not include cross-border processing activities is as follows:
[certification mark image not reproduced]
The personal information protection certification mark for certification that includes cross-border processing activities is as follows:
[certification mark image not reproduced]
"ABCD" stands for the identification information of the certification body.
5.3 Use of Certification Certificates and Certification Marks
Within the validity period of the certification certificate, the certified personal information processor shall use the certification certificate and certification mark correctly in advertising and other publicity in accordance with the relevant provisions, and shall not mislead the public.
6 Detailed rules for the implementation of certification
Certification bodies shall, in accordance with the requirements of these Rules, refine the certification implementation procedures, formulate scientific, reasonable and operable detailed rules for implementing certification, and publish them for implementation.
7 Certification responsibility
The certification body is responsible for the on-site audit conclusions and the certification conclusions.
The technical verification institution is responsible for the technical verification conclusions.
The certification client is responsible for the authenticity and legality of the certification entrustment materials.