
GB/T 40094.4-2021 PDF in English


GB/T 40094.4-2021 (GB/T40094.4-2021, GBT 40094.4-2021, GBT40094.4-2021)
Standard ID: GB/T 40094.4-2021
Name of Chinese Standard: Electronic commerce data transaction - Part 4: Privacy protection specification
Status: Valid


GB/T 40094.4-2021
GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.240.01
A 10

Electronic commerce data transaction - Part 4: Privacy protection specification

ISSUED ON: MAY 21, 2021
IMPLEMENTED ON: DECEMBER 1, 2021
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.

Table of Contents

Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 General rules
5 Responsibilities and obligations of data providers
6 Responsibilities and obligations of data demanders
7 Responsibilities and obligations of transaction platform operators
8 Information subject rights
9 Verification method
References

Electronic commerce data transaction - Part 4: Privacy protection specification

1 Scope

This part of GB/T 40094 specifies the general principles of privacy protection in e-commerce data transactions, the responsibilities and obligations of data providers, the responsibilities and obligations of data demanders, the responsibilities and obligations of transaction platform operators, and the requirements and verification methods for the rights of the information subject.

This part applies to privacy protection in e-commerce data transactions.

2 Normative references

The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) is applicable to this standard.

GB/T 40094.1-2021 Electronic commerce data transaction - Part 1: Criteria
GB/T 40094.2-2021 Electronic commerce data transaction - Part 2: Data description specification

3 Terms and definitions

The terms and definitions defined in GB/T 40094.1-2021, GB/T 40094.2-2021, and the following apply to this document.
3.1 personal information

Various information that can be used, alone or in combination with other information, to identify a natural person.

Note: It includes but is not limited to a natural person’s name, date of birth, ID number, personal biometric information, address, telephone number, etc.

3.2 personal information subject

The natural person identified by or associated with the personal information.

[GB/T 35273-2020, definition in 3.3]

3.3 anonymization

The process of technically processing personal information so that the personal information subject cannot be identified or associated, and the processed information cannot be restored.

Note: The information obtained after the anonymization of personal information does not belong to personal information.

[GB/T 35273-2020, definition in 3.14]

3.4 de-identification

The process of technically processing personal information so that the personal information subject cannot be identified or associated without the assistance of additional information.

Note: De-identification is based on the individual, retains the individual granularity, and uses technical means such as pseudonyms, encryption, and hash functions to replace the identification of personal information.

[GB/T 35273-2020, definition in 3.15]

4 General rules

4.1 Scope of privacy

The scope of privacy in this part shall include but not be limited to the following:

a) Information on minors;
b) Property information;
c) Communication information;
d) Information on patients with AIDS, infectious diseases, and other diseases;
e) Other information specified by national laws and regulations.

4.2 Transaction data

Transaction data shall comply with the provisions of Chapter 5 of GB/T 40094.1-2021.
information protection, and consciously safeguard the legitimate rights and interests of personal information subjects;
b) The purchase requirements comply with the relevant provisions of national laws and regulations;
c) The use of the data shall be legal and compliant according to the scope of application of data, period of use, and restriction of rights defined by the data providers;
d) Immediately report to the platform or report to the relevant competent authority when private information is found during data use;
e) Ensure the security of data during storage and use, and prevent data leakage, tampering, deletion, etc.;
f) Take primary responsibility for the consequences of the disclosure of private information due to the use of data;
g) After the completion of use in accordance with the agreed method or the end of the specified period, the purchased data shall be destroyed and cannot be restored.

7 Responsibilities and obligations of transaction platform operators

The platform operators’ responsibilities and obligations for privacy protection in data transactions shall include but are not limited to:

a) Implement national laws, regulations, and codes of conduct related to personal information protection, and consciously safeguard the legitimate rights and interests of personal information subjects.
b) Formulate platform privacy policies in accordance with national laws and regulations to ensure the legitimate rights and interests of transaction subjects.
c) Set up a privacy protection management department to be responsible for the daily management and implementation of the platform’s privacy protection work.
d) Formulate a privacy protection management system to clarify the responsibilities, obligations of platform operators and transaction subjects, and punishment measures.
e) Establish a privacy protection management mechanism that includes but is not limited to:
   --- Data sales permission mechanism: Ensure that a transaction subject is allowed to participate in the transaction only after it obtains the sales permission qualification;
   --- Data transfer registration mechanism: Implement the recording and filing of data transaction information to ensure that each data transfer has a traceable record;
   --- Privacy leakage complaints and reporting mechanism: Actively respond to and resolve complaints and reports, and clarify complaint resolution channels and the report reward system.
f) Organize privacy protection publicity and training activities.
g) Strengthen data audit management; when information whose publication or transmission is prohibited by national laws and regulations is found, take necessary disposal measures according to the law and report to relevant competent authorities.
h) Actively cooperate with relevant competent authorities in the various tasks they carry out when performing their duties in accordance with the law.

8 Information subject rights

The information subject in this part specifically refers to the personal information subject and does not include other information subjects except the personal information subject.

The rights enjoyed by personal information subjects regarding privacy protection in data transactions shall include but not be limited to:

a) Have the right to propose revocation, deletion, and destruction of personal privacy information involved in the transaction;
b) If personal information subjects believe that the transaction activities violate the relevant national laws and regulations and infringe on their legitimate rights and interests, they have the right to protect their rights in accordance with the law;
c) If a personal information subject is harmed due to the leakage of private information, the personal information subject has the right to file a claim for compensation.
9 Verification method

9.1 The platform operators shall review the qualification materials of the data providers and the data demanders who conduct data transactions through the data transaction platform, and check whether they meet the requirements in 4.3 of GB/T 40094.1-2021.

......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.