GB/T 35273-2020 (English PDF): US$405.00, in stock
GB/T 35273-2020: Information security technology - Personal information security specification
Status: Valid (replaces GB/T 35273-2017). Historical versions: GB/T 35273
Excerpt from the English translation of the full PDF (https://www.ChineseStandard.net/PDF.aspx/GBT35273-2020).

NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 35273-2017
Information security technology - Personal information security specification
Issued on: March 6, 2020
Implemented on: October 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of PRC

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of personal information security
5 Collection of personal information
6 Storage of personal information
7 Use of personal information
8 Rights of personal information subjects
9 Entrusted processing, sharing, transfer, public disclosure of personal information
10 Handling of personal information security incidents
11 Personal information security management requirements of the organization
Appendix A (Informative) Examples of personal information
Appendix B (Informative) Determination of personal sensitive information
Appendix C (Informative) Methods for implementing the autonomous will of the personal information subject
Appendix D (Informative) Template of personal information protection policy
References

1 Scope
This standard specifies the principles and security requirements for personal information processing activities such as collection, storage, use, sharing, transfer, public disclosure and deletion.
This standard applies to the regulation of personal information processing activities by all kinds of organizations, and to the supervision, management and evaluation of such activities by competent regulatory authorities, third-party evaluation agencies and similar bodies.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including all amendments) applies.
GB/T 25069-2010 Information security technology - Glossary

3 Terms and definitions
The terms and definitions given in GB/T 25069-2010 and the following apply to this document.
3.1 Personal information: Information, recorded electronically or otherwise, that alone or in combination with other information can identify a specific natural person or reflect the activities of a specific natural person.
3.2 Personal sensitive information: Personal information that, once leaked, illegally provided or abused, may endanger personal or property safety, or may easily lead to damage to personal reputation or physical and mental health, or to discriminatory treatment.
3.3 Personal information subject: The natural person identified by, or associated with, the personal information.
3.4 Personal information controller: An organization or individual that has the ability to determine the purposes and means of processing personal information.
3.5 Collect: The act of gaining control of personal information.
Note 1: This includes activities such as being actively provided by personal
3.6 Explicit consent: The personal information subject, by a statement made actively in writing, orally or in another form on paper or electronically, or by an autonomous affirmative action, expressly authorizes a specific processing of their personal information.

4 Basic principles of personal information security
Personal information controllers shall observe the principles of lawfulness, legitimacy and necessity when carrying out personal information processing activities, including:
a) Consistency of rights and responsibilities: take technical and other necessary measures to ensure the security of personal information, and bear responsibility for damage that personal information processing activities cause to the lawful rights and interests of personal information subjects.
b) Clear purpose: have a definite, clear and specific purpose for processing personal information.
c) Choice and consent: explain to personal information subjects the rules, purposes, methods and scope of the processing, and seek their consent.
d) Minimum necessity: process only the minimum types and amount of personal information required for the purpose to which the personal information subject consented, and delete the personal information promptly once that purpose is achieved.
e) Openness and transparency: disclose the scope, purposes and rules of the processing in a clear, understandable and reasonable way, and accept external supervision.

5 Collection of personal information
5.1 Legality of collecting personal information
Requirements for personal information controllers include:
5.3 Independent choice of multiple business functions
When a product or service provides multiple business functions that require the collection of personal information, the personal information controller shall not, against the autonomous will of the personal information subject, force the subject to accept a business function and the personal information collection request that comes with it. Requirements for personal information controllers include:
5.4 Consent to the collection of personal information
Requirements for personal information controllers include:
5.5 Personal information protection policy
Requirements for personal information controllers include:
5.6 Exceptions to authorized consent
In the following situations, the personal information controller does not need to obtain the personal information subject's authorized consent to collect and use personal information:
a) directly related to the personal information controller's performance of obligations under laws and regulations;
b) directly related to national security or national defense security;
c) directly related to public security, public health or major public interests;
d) directly related to criminal investigation, prosecution, trial or enforcement of judgments;
e) necessary to protect major lawful rights and interests, such as the life or property, of the personal information subject or of other individuals, where consent is difficult to obtain;
f) the personal information involved has been disclosed to the public by the personal information subject;
g) necessary to conclude and perform a contract at the request of the personal information subject;
h) the personal information is collected from legally and publicly disclosed information, such as lawful news reports or government information disclosure.

6 Storage of personal information
6.1 Minimum retention period of personal information
Requirements for personal information controllers include:
6.2 De-identification
After collecting personal information, the personal information controller should promptly de-identify it, and take technical and management measures to store the information that could be used to recover personal identity separately from the de-identified information and to strengthen the management of access and use rights.
6.3 Transmission and storage of personal sensitive information
Requirements for personal information controllers include:
6.4 Personal information controller ceases operations
When the personal information controller stops operating its products or services, it shall:

7 Use of personal information
7.1 Access control measures for personal information
Requirements for personal information controllers include:
7.2 Restrictions on the display of personal information
Where personal information is displayed through an interface (such as a screen or paper), the personal information controller should de-identify the personal information to be displayed, to reduce the risk of disclosure at the point of display. For example, when displaying personal information, prevent unauthorized personnel and persons other than the personal information subject from accessing it.
7.3 Restrictions on the purpose of using personal information
Requirements for personal information controllers include:
7.4 Restrictions on the use of user profiling
Requirements for personal information controllers include:
7.5 Use of personalized display
Requirements for personal information controllers include:
7.6 Convergence and fusion of personal information collected for different business purposes
Requirements for personal information controllers include:
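Clauses 6.2 and 7.2 describe two techniques rather than paperwork: keeping the data needed to re-identify a subject in a separate, access-controlled store from the de-identified working copy, and masking identifiers at the point of display. The following Python example is added here as an illustration; it is not part of the standard and not ChineseStandard.net's material. The record schema, the choice of which fields count as direct identifiers, the role names (dpo, legal) and the sample records are all constructed for this example; in production the HMAC key would live in a KMS or HSM and the vault behind its own audited access path.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records with an assumed schema (not taken from the standard).
RAW_RECORDS: List[Dict[str, object]] = [
    {"user_id": 1001, "name": "Zhang San", "phone": "13800138000",
     "id_number": "110101199001011234", "order_total": 199.0},
    {"user_id": 1002, "name": "Li Si", "phone": "13900139000",
     "id_number": "310101198512123456", "order_total": 58.5},
    {"user_id": 1003, "name": "Zhang San", "phone": "13800138000",
     "id_number": "110101199001011234", "order_total": 12.0},
]

# Fields treated as direct identifiers for this example; everything else is
# left untouched in the de-identified store.
DIRECT_IDENTIFIERS = ("name", "phone", "id_number")

# Hypothetical role names allowed to recover original values.
ALLOWED_REIDENTIFY_ROLES = frozenset({"dpo", "legal"})


class ReidentificationVault:
    """Holds the key and the pseudonym -> original-value mapping.

    This is the "information that can be used to recover personal identity"
    of clause 6.2: it is kept separate from the de-identified records and
    every read is gated on the requester's role.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._mapping: Dict[str, str] = {}

    def pseudonymize(self, field: str, value: str) -> str:
        # Keyed hash: the same identifier always maps to the same token, so
        # records of one subject stay joinable, but the token cannot be
        # recomputed without the key. Phone and ID numbers have little
        # entropy, so an unkeyed hash would be trivially brute-forced.
        msg = f"{field}:{value}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._mapping[tag] = value
        return tag

    def reidentify(self, tag: str, requester_role: str) -> str:
        # Clause 6.2: strengthened access and use rights on the vault.
        if requester_role not in ALLOWED_REIDENTIFY_ROLES:
            raise PermissionError(f"role {requester_role!r} may not re-identify")
        return self._mapping[tag]


def deidentify(records: List[Dict[str, object]],
               vault: ReidentificationVault) -> List[Dict[str, object]]:
    """Return copies of the records with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            copy[field] = vault.pseudonymize(field, str(copy[field]))
        out.append(copy)
    return out


def mask_for_display(field: str, value: str) -> str:
    """Partial masking for screens and printouts (clause 7.2)."""
    if field == "phone":        # 11-digit mobile number: keep prefix and last 4
        return value[:3] + "*" * (len(value) - 7) + value[-4:]
    if field == "id_number":    # 18-digit ID number: keep region code and last 4
        return value[:6] + "*" * (len(value) - 10) + value[-4:]
    if field == "name":         # keep the initial of each word
        return " ".join(w[0] + "*" * (len(w) - 1) for w in value.split())
    return value


if __name__ == "__main__":
    vault = ReidentificationVault(key=b"demo-key-keep-this-in-a-kms")
    store = deidentify(RAW_RECORDS, vault)
    for row in store:
        print(row)
    print(mask_for_display("phone", str(RAW_RECORDS[0]["phone"])))
    print(vault.reidentify(str(store[0]["phone"]), "dpo"))
```

Two points worth noting. The deterministic keyed pseudonym is a design choice: it lets analytics join a subject's records without seeing identifiers, at the price that anyone holding the key can re-identify everything, which is exactly why the key and mapping belong in the separately controlled vault rather than next to the data. And display masking is not de-identification in the sense of 6.2: a masked phone number plus context still points at one person; it only limits what a screenshot or an onlooker takes away.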
7.7 Use of automated decision-making mechanisms of information systems
Where an information system used in the personal information controller's business operations has an automated decision-making mechanism that can significantly affect the rights and interests of personal information subjects (for example, automatically determining personal credit or loan limits, or automatically screening job applicants), the personal information controller shall:

8 Rights of personal information subjects
8.1 Access to personal information
The personal information controller shall provide the personal information subject with a method to query the following information:
8.2 Correction of personal information
If the personal information subject finds that the personal information held by the personal information controller is wrong or incomplete, the controller shall provide the subject with a method to request correction or supplementation.
8.3 Deletion of personal information
Requirements for personal information controllers include:
8.4 Withdrawal of consent by the personal information subject
Requirements for personal information controllers include:
8.5 Account cancellation by the personal information subject
Requirements for personal information controllers include:
8.6 Obtaining a copy of personal information
At the request of the personal information subject, the personal information controller should provide the subject with a method to obtain a copy of the following types of personal information, or, where technically feasible, transfer a copy of the following types of personal information directly to a third party designated by the subject:
8.7 Responding to requests from personal information subjects
Requirements for personal information controllers include: ... 8.6 in a timely manner. It shall respond and give a reasonable explanation within 30 days or within the time limit prescribed by laws and regulations, and inform the personal information subject of external dispute resolution channels.
8.8 Complaint management
The personal information controller shall establish a complaint management mechanism and a complaint tracking process, and respond to complaints within a reasonable time.

9 Entrusted processing, sharing, transfer, public disclosure of personal information
9.1 Entrusted processing
When a personal information controller entrusts a third party to process personal information, it shall meet the following requirements:
9.2 Sharing and transfer of personal information
When personal information controllers share or transfer personal information, they shall give full attention to the risks. Sharing and transfer of personal information that is not due to acquisition, merger, reorganization or bankruptcy shall meet the following requirements:
9.3 Transfer of personal information during acquisition, merger, reorganization or bankruptcy
When the personal information controller undergoes acquisition, merger, reorganization, bankruptcy or similar changes, requirements for the personal information controller include:
9.4 Public disclosure of personal information
In principle, personal information shall not be publicly disclosed. When the personal information controller is authorized by law or has reasonable grounds for public disclosure, it shall meet the following requirements:
9.5 Exceptions to prior consent when sharing, transferring or publicly disclosing personal information
In the following circumstances, the personal information controller does not need the prior authorized consent of the personal information subject to share, transfer or publicly disclose personal information:
9.6 Joint personal information controllers
Requirements for personal information controllers include:
9.7 Third-party access management
When a personal information controller integrates into its products or services a third-party product or service that has a personal information collection function, and neither 9.1 nor 9.6 applies, requirements for the personal information controller include:
9.8 Cross-border transmission of personal information
If personal information collected and generated during operations within the People's Republic of China is provided overseas, the personal information controller shall comply with the relevant national regulations and standards.
......
Source: the above is excerpted from the full PDF; translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.