Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · DATA SECURITY CERTIFICATION ANNOUNCEMENT

Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China on Carrying Out Data Security Management Certification.

国家市场监督管理总局、国家互联网信息办公室关于开展数据安全管理认证工作的公告

FILED UNDER · Data Security

Promulgated by: State Administration for Market Regulation; Cyberspace Administration of China.
Document No.: Announcement of the State Administration for Market Regulation and the Cyberspace Administration of China No. 18 of 2022.
Issued and effective June 5, 2022.


In accordance with the relevant provisions of the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and the Regulations of the People’s Republic of China on Certification and Accreditation, the State Administration for Market Regulation and the Cyberspace Administration of China have decided to carry out data security management certification, so as to encourage network operators to regulate network-data processing activities and strengthen network data security protection by means of certification. Certification bodies engaged in data security management certification activities shall be established in accordance with the law and shall implement certification in accordance with the Data Security Management Certification Implementation Rules (see Annex).

This Announcement is hereby made.

State Administration for Market Regulation; Cyberspace Administration of China

June 5, 2022


Annex: Data Security Management Certification Implementation Rules

1 Scope of Application

These Rules are formulated pursuant to the Regulations of the People’s Republic of China on Certification and Accreditation, and set out the basic principles and requirements for certifying the processing activities of network operators in collecting, storing, using, processing, transmitting, providing, disclosing and otherwise handling network data.

2 Certification Basis

GB/T 41479 Information security technology—Security requirements for network data processing and related standards and specifications.

In principle, the above standards shall be implemented in the latest version issued by the administrative department for standardization of the State.

3 Certification Mode

The certification mode for data security management certification is:

Technical verification + on-site audit + post-certification supervision.

4 Certification Implementation Procedure

4.1 Certification Entrustment

The certification body shall specify the requirements for certification-entrustment materials, including but not limited to the entrusting party’s basic materials, the certification entrustment letter, and relevant supporting documents.

The certification-entrusting party shall submit the certification-entrustment materials in accordance with the requirements of the certification body, and the certification body shall, after reviewing the certification-entrustment materials, promptly provide feedback on whether the entrustment is accepted.

The certification body shall, on the basis of the certification-entrustment materials, determine the certification scheme, including the type and quantity of data, the scope of the data-processing activities involved, and information on the technical-verification institution, and shall notify the certification-entrusting party.

4.2 Technical Verification

The technical-verification institution shall implement technical verification in accordance with the certification scheme, and shall issue a technical-verification report to the certification body and the certification-entrusting party.

4.3 On-Site Audit

The certification body shall conduct an on-site audit and issue an on-site audit report to the certification-entrusting party.

4.4 Evaluation and Approval of Certification Results

The certification body shall make a comprehensive evaluation and a certification decision on the basis of the certification-entrustment materials, the technical-verification report, the on-site audit report and other relevant materials and information. For those that meet the certification requirements, a certification certificate shall be issued; for those that do not yet meet the certification requirements, the certification-entrusting party may be required to carry out rectification within a time limit, and where, after rectification, the requirements are still not met, the certification-entrusting party shall be notified in writing of the termination of certification.

Where it is found that the certification-entrusting party or the network operator has engaged in conduct that seriously affects the implementation of certification, such as deception, concealment of information, or intentional violation of certification requirements, the certification shall not be passed.

4.5 Post-Certification Supervision

4.5.1 Frequency of Supervision

The certification body shall, within the validity period of the certification, conduct continuous supervision of the certified network operator, and reasonably determine the frequency of supervision.

4.5.2 Content of Supervision

The certification body shall implement post-certification supervision in an appropriate manner to ensure that the certified network operator continuously meets the certification requirements.

4.5.3 Evaluation of Post-Certification Supervision Results

The certification body shall make a comprehensive evaluation of the post-certification supervision conclusions and other relevant materials and information. Where the evaluation is passed, the certification certificate may continue to be maintained; where it is not passed, the certification body shall, according to the corresponding circumstances, suspend or even revoke the certification certificate.

4.6 Certification Time Limit

The certification body shall make clear provisions on the time limits for each stage of certification, and ensure that the relevant work is completed within the required time limits. The certification-entrusting party shall actively cooperate with the certification activities.

5 Certification Certificate and Certification Mark

5.1 Certification Certificate

5.1.1 Maintenance of the Certification Certificate

The validity period of the certification certificate is 3 years. Within the validity period, the validity of the certification certificate shall be maintained through the certification body’s post-certification supervision.

Where the certificate needs to be renewed for continued use upon expiry, the certification-entrusting party shall submit a certification entrustment within 6 months before the expiry of the validity period. The certification body shall, by means of post-certification supervision, issue a new certificate to those that meet the certification requirements.

5.1.2 Change of the Certification Certificate

Where, within the validity period of the certification certificate, the name or registered address of the certified network operator, or the certification requirements or certification scope, changes, the certification-entrusting party shall submit a change entrustment to the certification body. The certification body shall, according to the content of the change, evaluate the change-entrustment materials and determine whether the change may be approved. Where technical verification and/or on-site audit is required, it shall also be conducted before the change is approved.

5.1.3 Cancellation, Suspension and Revocation of the Certification Certificate

Where a certified network operator no longer meets the certification requirements, the certification body shall promptly suspend or even revoke the certification certificate. The certification-entrusting party may apply for the suspension or cancellation of the certification certificate within the validity period of the certificate.

The certification body shall, in an appropriate manner, publicly announce the certification certificates of network operators that have been suspended, cancelled or revoked.

5.2 Certification Mark

[Mark]

“ABCD” represents the identification information of the certification body.

5.3 Use of the Certification Certificate and Certification Mark

Within the validity period of the certification certificate, the certified network operator shall, in accordance with the relevant provisions, correctly use the certification certificate and certification mark in advertising and other publicity, and shall not mislead the public.

6 Detailed Certification Implementation Rules

The certification body shall, in accordance with the relevant requirements of these Rules, refine the certification implementation procedure, formulate scientific, reasonable and operable detailed certification implementation rules, and publicly announce and implement them.

7 Certification Responsibilities

The certification body shall be responsible for the on-site audit conclusions and the certification conclusions.

The technical-verification institution shall be responsible for the technical-verification conclusions.

The certification-entrusting party shall be responsible for the authenticity and legality of the certification-entrustment materials.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →