
GB/T 40094.4-2021
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.240.01
A 10
Electronic commerce data transaction - Part 4: Privacy
protection specification
ISSUED ON: MAY 21, 2021
IMPLEMENTED ON: DECEMBER 1, 2021
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 General rules
5 Responsibilities and obligations of data providers
6 Responsibilities and obligations of data demanders
7 Responsibilities and obligations of transaction platform operators
8 Information subject rights
9 Verification method
References
Electronic commerce data transaction - Part 4: Privacy
protection specification
1 Scope
This part of GB/T 40094 specifies the general principles of privacy protection in e-
commerce data transactions, the responsibilities and obligations of data providers, the
responsibilities and obligations of data demanders, the responsibilities and obligations
of transaction platform operators, and the requirements and verification methods for the
rights of the information subject.
This part applies to privacy protection in e-commerce data transactions.
2 Normative references
The following documents are essential to the application of this document. For the dated
documents, only the versions with the dates indicated are applicable to this document;
for the undated documents, only the latest version (including all the amendments) is
applicable to this standard.
GB/T 40094.1-2021 Electronic commerce data transaction - Part 1: Criteria
GB/T 40094.2-2021 Electronic commerce data transaction - Part 2: Data description
specification
3 Terms and definitions
The terms and definitions defined in GB/T 40094.1-2021, GB/T 40094.2-2021, and the
following apply to this document.
3.1 personal information
Various information that can be used for the identification of a natural person’s personal
identity alone or in combination with other information.
Note: It includes but is not limited to a natural person’s name, date of birth, ID number, personal biometric
information, address, telephone number, etc.
3.2 personal information subject
The natural person identified by or associated with the personal information.
[GB/T 35273-2020, definition in 3.3]
3.3 anonymization
The process of technically processing personal information so that the personal
information subject cannot be identified or associated, and the processed
information cannot be restored.
Note: The information obtained after the anonymization of personal information does not belong to
personal information.
[GB/T 35273-2020, definition in 3.14]
3.4 de-identification
The process of technically processing personal information so that the personal
information subject cannot be identified or associated without the assistance of
additional information.
Note: De-identification is based on the individual, retains the individual granularity, and uses technical
means such as pseudonyms, encryption, and hash functions to replace the identification of personal
information.
[GB/T 35273-2020, definition in 3.15]
4 General rules
4.1 Scope of privacy
The scope of privacy in this part shall include but not be limited to the following:
a) Information on minors;
b) Property information;
c) Communication information;
d) Information on patients with AIDS, infectious diseases, and other diseases;
e) Other information specified by national laws and regulations.
4.2 Transaction data
Transaction data shall comply with the provisions of Chapter 5 of GB/T 40094.1-2021.
information protection, and consciously safeguard the legitimate rights and
interests of personal information subjects;
b) The purchase requirements comply with the relevant provisions of national laws
and regulations;
c) The use of the data shall be legal and compliant according to the scope of
application of data, period of use, and restriction of rights defined by the data
providers;
d) Immediately report to the platform or report to the relevant competent authority
when private information is found during data use;
e) Ensure the security of data during storage and use, and prevent data leakage,
tampering, deletion, etc.;
f) Take primary responsibility for the consequences of the disclosure of private
information due to the use of data;
g) After the completion of use in accordance with the agreed method or the end of
the specified period, the purchased data shall be destroyed and cannot be restored.
7 Responsibilities and obligations of transaction platform
operators
The platform operators’ responsibilities and obligations for privacy protection in data
transactions shall include but are not limited to:
a) Implement national laws, regulations, and codes of conduct related to personal
information protection, and consciously safeguard the legitimate rights and
interests of personal information subjects.
b) Formulate platform privacy policies in accordance with national laws and
regulations to ensure the legitimate rights and interests of transaction subjects.
c) Set up a privacy protection management department to be responsible for the daily
management and implementation of the platform’s privacy protection work.
d) Formulate a privacy protection management system to clarify the responsibilities
and obligations of platform operators and transaction subjects, and the punishment
measures.
e) Establish a privacy protection management mechanism that includes but is not
limited to:
--- Data sales permission mechanism: Ensure that only after a transaction subject
obtains the sales permission qualification can it be allowed to participate in the
transaction;
--- Data transfer registration mechanism: Implement the recording and filing of
data transaction information to ensure that each data transfer has a traceable
record;
--- Privacy leakage complaints and reporting mechanism: Actively respond to and
resolve complaints and reports, and clarify the complaint resolution channels and
the reward system for reports.
f) Organize privacy protection publicity and training activities.
g) Strengthen data audit management; when information whose publication or
transmission is prohibited by national laws and regulations is found, take necessary
disposal measures according to the law and report to relevant competent authorities.
h) Actively cooperate with relevant competent authorities in various tasks that are
carried out when they perform their duties in accordance with the law.
8 Information subject rights
The information subject in this part refers specifically to the personal information
subject and does not include any other information subjects. The rights enjoyed by
personal information subjects regarding privacy protection in data transactions
shall include but not be limited to:
a) Have the right to propose revocation, deletion, and destruction of personal privacy
information involved in the transaction;
b) If personal information subjects believe that the transaction activities violate the
relevant national laws and regulations and infringe on their legitimate rights and
interests, they have the right to protect their rights in accordance with the law;
c) If a personal information subject is harmed due to the leakage of private
information, the personal information subject has the right to file a claim for
compensation.
9 Verification method
9.1 The platform operators shall review the qualification materials of the data providers
and the data demanders who conduct data transactions through the data transaction
platform, and check whether they meet the requirements in 4.3 of GB/T 40094.1-2021.
......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.