
GB/T 41871-2022 PDF in English


Standard ID: GB/T 41871-2022
Name of Chinese Standard: Information security technology -- Security requirements for processing of motor vehicle data
Status: Valid



GB/T 41871-2022
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Information security technology - Security requirements for
processing of motor vehicle data
ISSUED ON: OCTOBER 12, 2022
IMPLEMENTED ON: MAY 01, 2023
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 General security requirements
5 Off-vehicle data security requirements
6 Cabin data security requirements
7 Management security requirements
8 Special cases
1 Scope
This document specifies the general security requirements, off-vehicle data security
requirements, cabin data security requirements and management security requirements
for motor vehicle data processors to collect and transmit motor vehicle data.
This document is applicable to motor vehicle data processing activities carried out by
motor vehicle data processors, to the design, production, sales, use, operation and
maintenance of automobiles, and also to the supervision, management and evaluation
of motor vehicle data processing activities by competent regulatory authorities and
third-party evaluation agencies.
2 Normative references
The following documents are normatively referenced in this document and are
indispensable for its application. For dated references, only the version corresponding
to that date is applicable to this document; for undated references, the latest version
(including all amendments) is applicable to this document.
GB/T 35273, Information security technology - Personal information security
specification
GB/T 40660, Information security technology - General requirements for biometric
information protection
3 Terms and definitions
The following terms and definitions are applicable to this document.
3.1 Motor vehicle data
Personal information data and important data involved in the process of motor vehicle
design, production, sales, use, operation and maintenance, etc.
3.2 Personal information
Various information related to identified or identifiable vehicle owners, drivers,
passengers, and people outside the vehicle, which are recorded electronically or
otherwise, excluding anonymized information.
4 General security requirements
4.1 The processing of personal information by the motor vehicle data processor shall
comply with the following requirements.
a) meet all the requirements in GB/T 35273.
b) notify the individual in at least one notable way when obtaining the consent of the
individual. Notable ways include prompts for separate chapters of the user manual,
voice playback, separate pop-up prompts on the vehicle display panel, interaction
with related applications for motor vehicle use, prompts for separate chapters of
the motor vehicle sales agreement, prompts for separate chapters of the
maintenance service agreement, or interaction with travel service applications,
etc.
c) explain to the personal information subject the specific circumstances and
necessity of collecting personal information in clear and understandable words.
d) be specific and clear when informing the personal information subject of the
storage period of various types of personal information, such as 30 days or 1 year.
e) state each storage location to the precision of the prefecture-level city and
inform of all storage locations when notifying the personal information subject of
the storage location of their personal information.
f) provide personal information subject with personal information management
functions such as convenient viewing, copying, and deletion; when the products
or services provided support interactive operations, such as websites, vehicle-
mounted applications, or mobile communication terminal applications, etc.,
personal information management functions shall be interactive, and its
functional entrance shall be in a prominent position that is easily perceived by the
personal information subject.
4.2 The processing of sensitive personal information by the motor vehicle data
processor shall comply with the following requirements.
a) Separate consent shall be obtained from the personal information subject for each
item of sensitive personal information, and consent shall not be obtained for multiple
items of sensitive personal information or multiple processing activities at one time.
Note: Where the motor vehicle data processor needs to process voice data to provide
the voice recognition function for the driver, a separate pop-up window
can be displayed to obtain the driver’s consent for this function;
alternatively, a separate option that can be checked for this function can
be set in the notification consent to obtain the driver’s consent.
b) When obtaining the individual consent of the personal information subject, the
consent period for processing sensitive personal information shall not be set to
“always allow” or “permanent”.
Note: The motor vehicle data processor needs to process voice data for the voice
recognition function. When obtaining the individual consent of the
personal information subject, it can provide the personal information
subject with options such as single, seven days, three months and one year.
c) In order to complete the deletion within ten working days after receiving the
request to delete personal information, in principle, a structured directory of
personal information shall be established to achieve traceable management of
personal information.
d) In principle, sensitive personal information shall not be processed for the purpose
of improving service quality, enhancing user experience, and developing new
products.
4.3 Continuous collection of sensitive personal information by motor vehicle data
processors shall comply with the following notification requirements.
a) The collection status shall be prompted by means of the icon on the vehicle display
panel or the flashing or constant light of the indicator light of the signal device.
b) When continuously prompting to collect sensitive personal information, clear and
understandable prompts shall be set according to different types of information.
Note: The camera icon flashes or stays on to indicate that in-vehicle video data is
being collected, the recording icon flashes or stays on to indicate that in-
vehicle voice data is being collected, and the diagonally upward triangle
icon flashes or stays on to indicate that location data is being collected.
4.4 The processing of biometric feature information such as face, voiceprint or
fingerprint by the motor vehicle data processor shall comply with the following
requirements.
a) The purpose and sufficient necessity of enhancing driving safety shall be
evaluated.
Note: The purpose of enhancing driving safety includes identity verification and
driver status monitoring.
b) All the requirements in GB/T 40660 shall be met.
4.5 The contact person for user rights affairs set up by the motor vehicle data processor
in terms of personal information protection shall meet the following requirements.
deleting or partially contouring these areas, other processing such as face
comparison, gait analysis, and speech recognition shall not be performed.
d) After the anonymization process is completed, the process data shall be deleted
immediately and shall not be provided outside the vehicle.
6 Cabin data security requirements
6.1 Unless voluntarily set by the motor vehicle driver, the motor vehicle shall be set to
the state of not collecting cabin data by default, including not turning on the camera,
microphone, infrared sensor, fingerprint sensor and other components in the motor
vehicle. The collection can only start after the driver actively selects through physical
buttons or touch buttons, and the motor vehicle can keep the state selected by the driver
or restore the default state according to the driver’s settings.
6.2 The motor vehicle shall not provide cabin data to the outside of the vehicle, except
for the following circumstances.
a) In order to realize the voice recognition function to judge the motor vehicle control
commands in real time, process the voice command data outside the vehicle,
obtain the consent of the personal information subject, and immediately delete
the original data and processing results after the function is realized.
b) In order to realize the remote viewing of the situation in the vehicle or the cloud
storage function, provide data to the user, obtain the consent of the personal
information subject, and take security measures so that other organizations and
individuals other than the user cannot access it.
c) Transmission of data from road transport vehicles to the monitoring platform of
the transport company, the public management platform and the regulatory
agency in accordance with relevant regulations.
d) Transmission of data from operational vehicles such as taxis and buses to
supervisory authorities.
e) Transmission of data as required by law enforcement agencies after a road traffic
accident occurs.
6.3 Motor vehicle data processors shall provide convenient ways to terminate the
collection of cabin data, including physical buttons, voice control, touch buttons, and
motor vehicle use-related applications, etc. In the case of ensuring driving safety and
personal safety, the driver, after choosing to terminate the collection, shall turn off the
components that collect cabin data such as the microphone and camera in the motor
vehicle. In order to ensure driving safety and personal safety, the relevant components
may not be turned off in the following situations:
a) Road transport vehicles that are providing road operation services continue to
collect cabin data;
b) Buses that are providing travel services continue to collect cabin data.
7 Management security requirements
7.1 Motor vehicle data processors shall carry out motor vehicle data risk assessments.
The assessment content generally includes motor vehicle data identification, data
processing activity identification, motor vehicle data security risk identification, risk
analysis and evaluation, etc., which can be carried out in the form of self-assessment or
third-party assessment.
7.2 The safety manager of motor vehicle data shall be the main person in charge of the
vehicle data processor or the person in charge of data security, and shall be familiar
with data security and personal information protection policies and regulations in China,
and have work experience in security management.
7.3 Motor vehicle data processors shall establish and improve the emergency response
mechanism for security incidents, carry out emergency drills at least once a year, and
should support evidence collection analysis after security incidents through
mechanisms such as vehicle data storage and vehicle data traceability.
7.4 The motor vehicle data processors shall accept the motor vehicle data security
complaints by means of telephone or instant messaging platform, and generally
complete the processing within 10 working days after receiving the complaints, and
make a complete record of the processing process and processing results.
7.5 Motor vehicle manufacturers shall have a comprehensive grasp of the data
collection and transmission of the components contained in the complete vehicles they
produce, and restrict and supervise the behavior of component suppliers in processing
vehicle data. The complete situation of the external transmission of motor vehicle data
shall be disclosed to users every year or when there is a major change.
8 Special cases
Unless necessary, the requirements of this document do not apply to the following data
processing activities:
a) motor vehicle data processing activities when police cars, fire trucks, ambulances,
and engineering emergency vehicles perform emergency tasks;
b) motor vehicle data processing activities when operating vehicles equipped with
special equipment or appliances are engaged in operating activities in closed
places;
......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.