DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.

Shenzhen Special Economic Zone Data Regulations.

深圳经济特区数据条例

Promulgated by: Standing Committee of the Shenzhen Municipal People’s Congress. Announcement No.: Announcement of the Standing Committee of the Shenzhen Municipal People’s Congress No. 10 (第十号). Passed at the Second Session of the Seventh Shenzhen Municipal People’s Congress Standing Committee on 29 June 2021. Published 6 July 2021. Effective 1 January 2022.


Chapter I General Provisions

Article 1. These Regulations are formulated in order to regulate data processing activities, protect the lawful rights and interests of natural persons, legal persons, and unincorporated organizations, promote data as a factor of production to flow openly and to be developed and utilized, and accelerate the building of a digital economy, digital society, and digital government, on the basis of the fundamental principles of the relevant laws and administrative regulations and in light of the actual conditions of the Shenzhen Special Economic Zone.

Article 2. The following terms used in these Regulations have the following meanings:

(1) “Data” refers to any record of information in electronic or other form.

(2) “Personal data” refers to data that carries information capable of identifying a specific natural person, excluding data that has undergone anonymization.

(3) “Sensitive personal data” refers to personal data that, once leaked, unlawfully provided, or misused, could cause discrimination against a natural person or serious harm to the personal or property safety of a natural person; the specific scope shall be determined in accordance with the provisions of laws and administrative regulations.

(4) “Biometric data” refers to personal data derived from processing the biological, physiological, or behavioral characteristics of a natural person, capable of identifying that natural person’s unique identity, and includes data such as a natural person’s genes, fingerprints, voiceprints, palm prints, ear contours, irises, and facial recognition features.

(5) “Public data” refers to data generated and processed by public management and service institutions in the course of lawfully performing public management duties or providing public services.

(6) “Data processing” refers to activities such as the collection, storage, use, processing, transmission, provision, and disclosure of data.

(7) “Anonymization” refers to the process by which personal data, after processing, can no longer be used to identify a specific natural person and cannot be restored.

(8) “User profiling” refers to the activity of automated processing of personal data in order to evaluate certain conditions of a natural person, including automated processing carried out in order to evaluate a natural person’s work performance, economic circumstances, health status, personal preferences, interests, reliability, patterns of behavior, location, or movements.

(9) “Public management and service institutions” refers to the State organs, public institutions, and other organizations of this Municipality that manage public affairs in accordance with law, and organizations that provide education, health care, social welfare, water supply, electricity supply, gas supply, environmental protection, public transportation, and other public services.

Article 3. Natural persons enjoy the personality-rights interests in personal data as provided by laws, administrative regulations, and these Regulations.

The processing of personal data shall have a clear and reasonable purpose and shall follow the principles of minimum necessity and reasonable time limits.

Article 4. Natural persons, legal persons, and unincorporated organizations enjoy the property-rights interests in data products and services formed through their lawful processing of data, as provided by laws, administrative regulations, and these Regulations. However, such activities shall not endanger national security or the public interest, and shall not damage the lawful rights and interests of others.

Article 5. The processing of public data shall follow the principles of collection in accordance with law, centralized management, need-based sharing, orderly disclosure, and full utilization, and shall give full play to the positive role of public data resources in optimizing public management and services, raising the level of modernization of urban governance, and promoting economic and social development.

Article 6. The Municipal People’s Government shall establish and improve the data governance system and standards framework, and shall coordinate and advance work on personal data protection, sharing and disclosure of public data, cultivation of the data factor market, and oversight and management of data security.

Article 7. The Municipal People’s Government shall establish a Municipal Data Work Committee, which shall be responsible for studying and coordinating major matters arising in this Municipality’s data management work. The day-to-day work of the Municipal Data Work Committee shall be undertaken by the municipal government affairs service and data management department.

The Municipal Data Work Committee may establish a number of specialized committees.

Article 8. The municipal cyberspace authority shall be responsible for coordinating the relevant oversight and management work on personal data protection, network data security, and cross-border data flows in this Municipality.

The municipal government affairs service and data management department shall be responsible for the overall planning, guidance, coordination, and supervision of public data management in this Municipality.

The municipal development and reform, industry and information technology, public security, finance, human resources and social security, planning and natural resources, market supervision, audit, and national security departments and organs shall, in accordance with the relevant laws and regulations, perform the relevant functions for data oversight and management within the scope of their respective duties.

The various industry competent authorities of this Municipality shall be responsible for the overall planning, guidance, coordination, and supervision of data management work in their respective industries.


Chapter II Personal Data

Section 1 General Provisions

Article 9. The processing of personal data shall fully respect and safeguard the various lawful rights and interests of natural persons related to their personal data.

Article 10. The processing of personal data shall comply with the following requirements:

(1) the purpose of processing personal data is clear and reasonable, and the method is lawful and legitimate;

(2) it is limited to the minimum scope necessary to achieve the processing purpose and adopts the method with the least impact on individual rights and interests, and shall not carry out any personal data processing unrelated to the processing purpose;

(3) the individual is notified of the type, scope, purpose, and method of personal data processing in accordance with law, and consent is obtained in accordance with law;

(4) the accuracy and necessary completeness of personal data is ensured so as to avoid causing harm to the parties concerned due to inaccuracy or incompleteness of personal data; and

(5) the security of personal data is ensured, and the leaking, damaging, loss, tampering, or unlawful use of personal data is prevented.

Article 11. The phrase “limited to the minimum scope necessary to achieve the processing purpose, adopting the method with the least impact on individual rights and interests” referred to in item (2) of Article 10 of these Regulations includes, but is not limited to, the following circumstances:

(1) the type and scope of personal data processed shall have a direct connection with the processing purpose, and if that personal data is not processed the processing purpose cannot be achieved;

(2) the quantity of personal data processed shall be the minimum quantity necessary to achieve the processing purpose;

(3) the frequency of personal data processing shall be the minimum frequency necessary to achieve the processing purpose;

(4) the storage period for personal data shall be the shortest time necessary to achieve the processing purpose; personal data that has exceeded the storage period shall be deleted or anonymized, except where otherwise provided by laws or regulations or where the natural person has consented; and

(5) a minimum-authorization access control policy shall be established, so that persons authorized to access personal data can only access the minimum personal data necessary to complete their duties and have only the minimum data processing permissions necessary to complete their duties.

Article 12. A data processor shall not refuse to provide a natural person with the relevant core functions or services on the ground that the natural person has not consented to the processing of personal data, except where that personal data is necessary for the provision of the relevant core functions or services.

Article 13. The municipal cyberspace authority shall, together with the municipal industry and information technology, public security, market supervision, and other departments and the relevant industry competent authorities, establish and improve a joint working mechanism for oversight and management of personal data protection, and shall strengthen the overall planning and guidance of personal data protection and the related oversight and management work; and shall establish a mechanism for handling complaints and reports on personal data protection, and shall handle the relevant complaints and reports in accordance with law.

Article 14. Prior to processing personal data, a data processor shall completely, truthfully, and accurately disclose the following matters to the natural person in a manner that is plain, clear, specific, and easily accessible:

(1) the name or title and contact details of the data processor;

(2) the type and scope of personal data to be processed;

(3) the purpose and method of processing personal data;

(4) the period for which personal data will be stored;

(5) the security risks that may exist in the processing of personal data and the security protection measures adopted for the personal data;

(6) the relevant rights enjoyed by the natural person in accordance with law, and the means and procedure for exercising those rights; and

(7) other matters that laws and regulations require to be disclosed.

Where sensitive personal data is to be processed, a more prominent label or highlighted form shall be used in accordance with the preceding paragraph to disclose the necessity of processing the sensitive personal data and the possible impact on the natural person.

Article 15. In an emergency where prior notice as required by Article 14 of these Regulations cannot be given in order to protect major lawful rights and interests of a natural person such as personal safety and property safety, notice shall be given promptly after the emergency has been resolved.

The requirement in Article 14 of these Regulations shall not apply where laws or administrative regulations provide that personal data processing shall be kept confidential or need not be disclosed.

Article 16. A data processor shall obtain the natural person’s consent before processing personal data and shall process personal data within the scope of that consent, except where otherwise provided by laws, administrative regulations, or these Regulations.

Where any matter that is required to be consented to under the preceding paragraph undergoes a change, consent shall be obtained again.

Article 17. A data processor shall not obtain consent through misleading, deceptive, coercive, or other means that violate the natural person’s genuine intentions.

Article 18. Where sensitive personal data is to be processed, the explicit consent of the natural person shall be obtained prior to processing.

Article 19. Where biometric data is to be processed, an alternative solution for processing other non-biometric data shall be offered at the same time as the natural person’s explicit consent is sought. However, this shall not apply where the processing of biometric data is necessary for the personal data processing purpose and cannot be replaced by other personal data.

Where biometric data has been processed for a specific purpose, it shall not be used for other purposes without the explicit consent of the natural person.

Specific measures for the administration of biometric data shall be separately formulated by the Municipal People’s Government.

Article 20. Where the personal data of a minor under the age of 14 is to be processed, the relevant provisions on the processing of sensitive personal data shall apply, and the explicit consent of the minor’s guardian shall be obtained prior to processing.

Where the personal data of an adult who lacks civil capacity or has limited civil capacity is to be processed, the explicit consent of that adult’s guardian shall be obtained prior to processing.

Article 21. Where any of the following circumstances exist in the processing of personal data, consent need not be obtained from the natural person prior to processing:

(1) personal data that the natural person has disclosed on their own initiative, or that has been lawfully disclosed by others, is processed for a purpose consistent with the purpose for which the personal data was disclosed;

(2) it is necessary for the conclusion or performance of a contract to which the natural person is a party;

(3) it is necessary for a data processor, within a reasonable scope, to process the personal data of its employees for the purposes of human resources management or protection of trade secrets;

(4) it is necessary for a public management and service institution to perform public management duties in accordance with law or to provide public services;

(5) it is necessary for a news organization to carry out news reporting in accordance with law; or

(6) other circumstances provided by laws or administrative regulations.

Article 22. A natural person has the right to withdraw part or all of their consent to the processing of their personal data.

Where a natural person withdraws their consent, the data processor shall not continue processing the personal data within the scope of the withdrawn consent. However, this shall not affect the lawful data processing that the data processor carried out based on consent before the natural person withdrew consent. Where laws or regulations otherwise provide, those provisions shall govern.

Article 23. In the processing of personal data, the natural person shall be provided, in an easily accessible manner, with a means to withdraw their consent, and service agreements or technical or other means shall not be used to impose unreasonable restrictions on the natural person’s withdrawal of consent or to attach unreasonable conditions.

Section 3 Processing of Personal Data

Article 24. Where personal data is inaccurate or incomplete, the data processor shall, upon the request of the natural person, promptly supplement and correct it.

Article 25. In any of the following circumstances, the data processor shall promptly delete the personal data:

(1) the storage period provided by laws or regulations, or agreed upon, has expired;

(2) the purpose for which the personal data was processed has been achieved, or the personal data is no longer necessary for the processing purpose;

(3) the natural person withdraws consent and requests deletion of the personal data;

(4) the data processor processes data in violation of laws, regulations, or the agreement between the parties, and the natural person requests deletion; or

(5) other circumstances provided by laws or regulations.

Where the circumstances described in items (1) and (2) of the preceding paragraph exist but laws or regulations otherwise provide, or the natural person has consented, the data processor may retain the relevant personal data.

Where a data processor deletes personal data pursuant to paragraph 1 of this article, it may retain evidence of disclosure and consent, but shall not retain such evidence beyond what is necessary for fulfilling statutory obligations or resolving disputes.

Article 26. Where a data processor provides personal data it has processed to another party, it shall de-identify the personal data so that the provided personal data cannot identify a specific natural person without the aid of other data. Where laws or regulations, or an agreement between the natural person and the data processor, require anonymization, the data processor shall carry out anonymization in accordance with the laws, regulations, or the agreement between the parties.

Article 27. Where a data processor provides personal data it has processed to another party in any of the following circumstances, it may refrain from de-identification:

(1) where it is provided in response to a written request of a public management and service institution in order to meet the institution’s needs for lawfully performing public management duties or providing public services;

(2) where it is provided to another party based on the natural person’s consent;

(3) where it is necessary for the conclusion or performance of a contract to which the natural person is a party; or

(4) other circumstances provided by laws or administrative regulations.

Article 28. A natural person may request a data processor to allow them to view and copy their personal data, and the data processor shall, in accordance with the relevant provisions, provide access promptly and free of charge.

Article 29. Where a data processor, for the purpose of improving product or service quality, carries out user profiling of a natural person, it shall disclose to the natural person the specific use and principal rules of the user profiling.

A natural person may refuse a data processor’s user profiling of them in accordance with the preceding paragraph or the recommendation of personalized products or services based on user profiling, and the data processor shall provide an effective and easily accessible means of refusal.

Article 30. A data processor shall not carry out user profiling for the purpose of recommending personalized products or services to minors under the age of 14. However, this shall not apply where the purpose is to protect the minor’s lawful rights and interests and the explicit consent of the guardian has been obtained.

Article 31. A data processor shall establish a mechanism for handling requests from natural persons to exercise their relevant rights and for complaints and reports, and shall provide effective channels in an easily accessible manner.

Upon receipt of a request to exercise a right, or a complaint or report, the data processor shall accept it promptly and take corresponding processing measures in accordance with law; where a request or complaint is refused, reasons shall be given.


Chapter III Public Data

Section 1 General Provisions

Article 32. The Municipal Data Work Committee shall establish a Public Data Specialized Committee, which shall be responsible for studying and coordinating major matters in public data management work.

The municipal government affairs service and data management department shall undertake the day-to-day work of the Municipal Public Data Specialized Committee, and shall be responsible for coordinating the overall public data management work of this Municipality, establishing and improving the public data resources management framework, and advancing the sharing, disclosure, and utilization of public data.

District government affairs service and data management departments shall, under the guidance of the municipal government affairs service and data management department, be responsible for coordinating the public data management work of their respective districts.

Article 33. The Municipal People’s Government shall establish a City Big Data Center, establish and improve the mechanisms for its construction and operational management, and achieve the centralized, intensive, secure, and efficient management of the public data resources of the entire Municipality.

District-level people’s governments may, in accordance with the overall municipal plan, establish sub-centers of the City Big Data Center and bring the public data resources of their districts under the centralized management of the City Big Data Center.

The City Big Data Center encompasses public data resources and the software and hardware infrastructure supporting their management.

Article 34. The municipal government affairs service and data management department shall be responsible for promoting the aggregation of public data into the City Big Data Center, and shall organize public management and service institutions to carry out sharing, disclosure, and utilization of public data in reliance on the City Big Data Center.

Article 35. A classified management system for public data shall be implemented.

The municipal government affairs service and data management department shall be responsible for the overall planning, construction, and management of the public data resources framework of this Municipality as a whole, and shall, together with the relevant departments, build and manage basic databases on population, legal persons, housing, natural resources and spatial geography, electronic licenses, and public credit.

The various industry competent authorities shall, in accordance with the overall planning of the public data resources framework and the requirements of the relevant institutional norms, plan the public data resources framework for their respective industries, and shall build and manage the relevant thematic databases.

Public management and service institutions shall, in accordance with the overall planning of the public data resources framework, the sectoral specialized plans, and the requirements of the relevant institutional norms, build and manage the business databases of their own institutions.

Article 36. A catalogue management system for public data shall be implemented.

The municipal government affairs service and data management department shall be responsible for establishing a unified public data resources catalogue system for the entire Municipality, formulating specifications for compiling public data resources catalogues, and organizing public management and service institutions to compile catalogues and process all types of public data in accordance with the catalogue compilation specifications, specifying the departments from which the data originate and the management responsibilities.

Public management and service institutions shall carry out catalogue management of their public data in accordance with the public data resources catalogue compilation specifications.

Article 37. Public management and service institutions shall collect data in compliance with the following requirements:

(1) it is necessary for the lawful performance of public management duties or the provision of public services, and falls within the scope of the public management duties they perform or the public services they provide;

(2) the type and scope of data collected is appropriate to the public management duties they lawfully perform or the public services they provide; and

(3) the collection procedure complies with the relevant provisions of laws and regulations.

Public management and service institutions shall not separately collect data from natural persons, legal persons, and unincorporated organizations if that data can be obtained through sharing.

Article 38. Public management and service institutions shall retain processing records for public data in accordance with the relevant provisions.

Article 39. The municipal government affairs service and data management department shall organize the formulation of public data quality management systems and standards, establish and improve quality monitoring and evaluation systems, and organize their implementation.

Public management and service institutions shall, in accordance with public data quality management systems and standards, establish and improve their own institutional data quality management frameworks, strengthen data quality management, and ensure that data is authentic, accurate, complete, timely, and usable.

The Municipal Public Data Specialized Committee shall regularly evaluate the data management work of public management and service institutions and shall report the evaluation results to the Municipal Data Work Committee.

Article 40. The Municipal People’s Government shall strengthen institutional mechanism and technology innovation in public data sharing, disclosure, and utilization, and shall continuously improve the quality and efficiency of public data sharing, disclosure, and utilization.

Section 2 Sharing of Public Data

Article 41. Public data shall be shared as the principle, with non-sharing as the exception.

The municipal government affairs service and data management department shall establish a demand-matching mechanism and related management system for public data sharing, based on the public data resources catalogue system.

Article 42. Public data included in the public data sharing catalogue shall, in accordance with the relevant provisions, be shared promptly and accurately among public management and service institutions that have a need for it through the public data sharing platform of the City Big Data Center, except where otherwise provided by laws or regulations.

The public data sharing catalogue shall be separately formulated by the municipal government affairs service and data management department and shall be adjusted in a timely manner.

Article 43. Public management and service institutions may, in accordance with the needs of lawfully performing public management duties or providing public services, submit applications for sharing public data, specifying the basis, purpose, scope, and method of data use and the relevant requirements, and shall, in accordance with the requirements of the government affairs service and data management department at the same level and the data-providing department, strengthen the management of the use of shared data and shall not use data beyond the specified scope or for other purposes.

Public data-providing departments shall, within the stipulated time, respond to the sharing requirements of public data-using departments and provide the necessary guidance on data use and technical support.

Article 44. Where the data needed by a public management and service institution for the lawful performance of public management duties or the provision of public services cannot be obtained through sharing via the public data sharing platform, the Municipal People’s Government may organize centralized procurement from outside sources, and the relevant data shall be included in the public data sharing catalogue in accordance with the relevant provisions; the specific work shall be coordinated by the municipal government affairs service and data management department.

Section 3 Disclosure of Public Data

Article 45. For the purposes of these Regulations, “disclosure of public data” refers to the activity of public management and service institutions providing machine-readable public data to society through the public data disclosure platform.

Article 46. The disclosure of public data shall follow the principles of classification and grading, demand orientation, and security and controllability, and public data shall be disclosed to the maximum extent permitted by laws and regulations.

Article 47. No fee shall be charged for disclosing public data in accordance with laws and regulations. Where laws or administrative regulations otherwise provide, those provisions shall govern.

Article 48. Public data is divided into three categories by disclosure conditions: unconditional disclosure, conditional disclosure, and non-disclosure.

Unconditionally disclosed public data refers to public data that shall be disclosed to natural persons, legal persons, and unincorporated organizations without conditions; conditionally disclosed public data refers to public data that is to be disclosed equally to natural persons, legal persons, and unincorporated organizations in a specified manner; non-disclosed public data refers to public data that involves national security, trade secrets, or personal privacy, or that laws and regulations provide shall not be disclosed.

Article 49. The municipal government affairs service and data management department shall establish a public data disclosure management system based on the public data resources catalogue system, compile a public data disclosure catalogue, and adjust it in a timely manner.

For conditionally disclosed public data, the method of disclosure, requirements for use, and security measures shall be specified when compiling the public data disclosure catalogue.

Article 50. The municipal government affairs service and data management department shall, in reliance on the City Big Data Center, build a unified and efficient public data disclosure platform, and shall organize public management and service institutions to disclose public data to society through that platform.

The public data disclosure platform shall, according to the type of public data being disclosed, provide multiple data disclosure services such as data downloading, application programming interfaces, and a secure and trusted environment for the comprehensive development and utilization of data.

Section 4 Utilization of Public Data

Article 51. The Municipal People’s Government shall accelerate the advancement of digital government construction, deepen the application of data in economic regulation, market supervision, social management, public services, and ecological environment protection, establish and improve institutional rules for governance through data, innovate government decision-making, regulatory, and service models, and realize proactive, precise, holistic, and intelligent public management and services.

Article 52. The Municipal People’s Government shall, in reliance on the City Big Data Center, build a business hub, data hub, and capability hub based on a unified architecture, forming a unified urban intelligent hub platform system to provide unified and comprehensive digital services for public management and services as well as for regional and industry applications, and to promote the integration of technology, business, and data.

The Municipal People’s Government may, in reliance on the urban intelligent hub platform, build a government management and services command center, and shall establish and improve its operational management mechanism, to promote the overall digital transformation of government, deepen data sharing and business collaboration across levels, regions, systems, departments, and business lines, and build a unified, coordinated, intelligent, precise, scientific, and efficient government operation system.

The various industry competent authorities shall, in reliance on the urban intelligent hub platform, build management and service platforms for their respective industries, to promote the comprehensive digitalization of management and services in their respective industries.

The district-level people’s governments shall, in reliance on the urban intelligent hub platform, with the goal of serving the grassroots, integrate data resources, optimize business processes, and innovate management models, to make grassroots governance and services more scientific, refined, and intelligent.

Article 53. The Municipal People’s Government shall, in reliance on the urban intelligent hub platform, promote business integration and process reengineering, and shall deepen innovation of the holistic government services model of unified front-end reception, coordinated back-end approval, and integrated operation throughout the Municipality.

The municipal government affairs service and data management department shall promote public management and service institutions to strengthen the innovative application of public data in the course of public management and services, streamline handling materials and steps, and optimize handling procedures; for matters in which an approval decision can be made through data comparison, it may carry out unattended intelligent approval.

Article 54. The Municipal People’s Government shall, in reliance on the urban intelligent hub platform, strengthen the aggregation and sharing of supervisory data and credit data, make full use of public data and supervisory systems in various fields, promote new supervisory models such as off-site supervision, credit-based supervision, and risk early warning, and improve the level of supervision.

Article 55. The municipal government affairs service and data management department may organize the construction of a data-integrated application services platform, to provide society with a secure and trusted environment for the comprehensive development and utilization of data, and jointly carry out smart city application innovation.


Chapter IV Data Factor Market

Section 1 General Provisions

Article 56. The Municipal People’s Government shall coordinate planning and accelerate the cultivation of the data factor market, promote the building of a data factor market system encompassing data collection, processing, sharing, disclosure, trading, and application, and promote the orderly and efficient flow and utilization of data resources.

Article 57. Market entities engaging in data processing activities shall implement their primary responsibility for data management, establish and improve the data governance organizational structure, management systems, and self-evaluation mechanisms, implement classified and hierarchical protection and management of data, and strengthen data quality management to ensure the authenticity, accuracy, completeness, and timeliness of data.

Article 58. Market entities may lawfully make autonomous use of, obtain income from, and dispose of data products and services formed through their lawful processing of data.

Article 59. Where a market entity discloses or provides the use of personal data to a third party, it shall comply with the relevant provisions of Chapter II of these Regulations; where it discloses personal data to, entrusts the processing of personal data to, or provides the use of personal data to a specific third party, it shall execute a relevant agreement.

Article 60. Where the use, transmission, or entrusted processing of another market entity’s data products and services involves personal data, the provisions of Chapter II of these Regulations and the provisions of the relevant agreement shall be observed.

Section 2 Market Cultivation

Article 61. The Municipal People’s Government shall organize the formulation of local standards for data processing activity compliance, data products and services standards, data quality standards, data security standards, data value assessment standards, and data governance evaluation standards.

Data-related industry organizations shall be supported in formulating group standards and industry norms, providing information, technology, training, and other services, and guiding and supervising market entities to regulate their data behavior, to promote the healthy development of the industry.

Market entities shall be encouraged to formulate enterprise standards related to data, and to participate in the formulation of relevant local standards and group standards.

Article 62. A data processor may commission a third-party institution to carry out data quality assessment and certification; a third-party institution shall carry out data quality assessment and certification activities in accordance with the principles of independence, openness, and impartiality.

Article 63. Data value assessment institutions are encouraged to explore the construction of a data asset pricing index system from dimensions such as real-time nature, time span, sample coverage, completeness, data type grade, and data mining potential, and to promote the formulation of data value assessment guidelines.

Article 64. The municipal statistics department shall explore the establishment of a statistical accounting system for data as a factor of production, clarifying the scope, indicators, and methods of statistics, accurately reflecting the asset value of data as a factor of production, and promoting the inclusion of data as a factor of production in the national economic accounting system.

Article 65. The Municipal People’s Government shall promote the establishment of data trading platforms, and shall guide market entities to carry out data trading through data trading platforms.

Market entities may carry out data trading through data trading platforms established in accordance with law, or may carry out trading directly between the two trading parties in accordance with law.

Article 66. Data trading platforms shall build a secure, trusted, controllable, and traceable data trading environment, formulate rules for data trading, information disclosure, and self-regulatory supervision, and shall adopt effective measures to protect personal data, trade secrets, and important data as prescribed by the State.

Article 67. Data products and services formed through the lawful processing of data by market entities may be traded in accordance with law. However, the following circumstances are excepted:

(1) the data products and services to be traded contain personal data that has not been authorized in accordance with law;

(2) the data products and services to be traded contain public data that has not been disclosed in accordance with law; or

(3) other circumstances in which laws or regulations prohibit trading.

Section 3 Fair Competition

Article 68. Market entities shall observe the principle of fair competition and shall not engage in the following conduct that damages the lawful rights and interests of other market entities:

(1) obtaining data of other market entities through unlawful means;

(2) providing substitute products or services using data of other market entities collected unlawfully; or

(3) other conduct prohibited by laws or regulations.

Article 69. Market entities shall not use data analysis to implement differential treatment of trading counterparties in the same trading conditions, except in any of the following circumstances:

(1) implementing different trading conditions in accordance with the actual needs of the trading counterparty and in compliance with legitimate trading customs and industry practices;

(2) conducting promotional activities for new users within a reasonable time limit;

(3) implementing random transactions based on fair, reasonable, and non-discriminatory rules; or

(4) other circumstances provided by laws or regulations.

The phrase “trading counterparties in the same trading conditions” in the preceding paragraph refers to trading counterparties between whom there is no material difference in transaction security, transaction costs, credit status, transaction stage, and duration of the transaction.

Article 70. Market entities shall not eliminate or restrict competition by entering into monopoly agreements, abusing a dominant position in the data factor market, or unlawfully implementing concentrations of undertakings.


Chapter V Data Security

Section 1 General Provisions

Article 71. Data security management shall follow the principles of government supervision, primary responsibility of responsible entities, proactive defense, and comprehensive prevention; shall adhere to placing equal importance on security and development; shall encourage the research and development of data security technology; and shall ensure the security of data across its entire life cycle.

The Municipal People’s Government shall coordinate data security management work across the entire Municipality and shall establish and improve a comprehensive data security governance system.

Article 72. Data processors shall, in accordance with the provisions of laws and regulations, establish and improve security management systems covering data classification and grading, risk monitoring, security assessment, and security education, implement protective measures, continuously improve technical means, and ensure data security.

Where a data processor undergoes a change due to merger, division, acquisition, or other events, the data processor after the change shall continue to implement the data security management responsibilities.

Article 73. Where sensitive personal data or important data prescribed by the State is to be processed, a data security management body shall be established and a data security management officer shall be specified in accordance with the relevant provisions, and special technical protection shall be implemented.

Article 74. The municipal cyberspace authority shall, together with the relevant competent departments and industry competent authorities, coordinate in accordance with the State’s data classification and grading protection system to formulate specific catalogues of important data for their respective departments and industries, and shall give priority protection to the data listed in the catalogues.

Section 2 Data Security Management

Article 75. Data processors shall keep records of the entire flow of their data processing, and shall ensure that data sources are lawful and that the entire processing flow is clear and traceable.

Article 76. Data processors shall, in accordance with the provisions of laws and regulations and the requirements of national standards, carry out de-identification or anonymization of the personal data they collect, and shall store it separately from data that can be used to restore identification of a specific natural person.

Data processors shall formulate and implement security measures such as de-identification or anonymization for sensitive personal data and important data prescribed by the State.

Article 77. Data processors shall implement domain-classified and graded management of data storage, selecting storage media whose security performance and protection grade match the security grade; for sensitive personal data and important data prescribed by the State, encrypted storage, authorized access, or other stricter security protection measures shall also be adopted.

Article 78. Data processors shall implement security technical protection in the course of data processing, and shall establish a disaster recovery backup system for important systems and core data.

Article 79. Where data processors share or disclose data, they shall establish a data sharing and disclosure security management system, and shall establish and improve a security management mechanism for external data interfaces.

Article 80. Data processors shall establish a data destruction procedure and shall effectively destroy data that needs to be destroyed.

Where a data processor terminates or dissolves and there is no data successor, it shall promptly and effectively destroy the data under its control, except where otherwise provided by laws or regulations.

Article 81. Where a data processor commissions another party to process data on its behalf, it shall execute a data security protection contract with that party, specifying the security protection responsibilities of both parties.

After completing the processing task, the entrusted party shall promptly and effectively destroy the data it has stored, except where otherwise provided by laws or regulations or otherwise agreed upon by the parties.

Article 82. Where a data processor provides personal data or important data prescribed by the State to parties outside the territory of China, it shall apply for a data export security assessment and undergo a national security review in accordance with the relevant provisions.

Article 83. Data processors shall implement monitoring and early warning measures commensurate with the data security protection level, and shall monitor and provide early warning for abnormal situations such as data leakage, damage, loss, and tampering.

Upon detecting that a data security incident such as data leakage, damage, loss, or tampering has occurred or may occur, the data processor shall immediately take remedial and preventive measures.

Article 84. Where sensitive personal data or important data prescribed by the State is processed, risk assessments shall be conducted periodically in accordance with the relevant provisions, and risk assessment reports shall be submitted to the relevant competent authorities.

Article 85. Data processors shall establish a data security emergency response mechanism and formulate data security emergency response plans. Data security emergency response plans shall grade data security incidents according to factors such as the degree of harm and scope of impact, and shall specify the corresponding emergency response measures.

Article 86. Where a data security incident occurs, such as data leakage, damage, loss, or tampering, the data processor shall immediately activate the emergency response plan, take the corresponding emergency response measures, promptly notify the relevant rights holders, and shall report to the municipal cyberspace authority, public security authority, and the relevant industry competent authorities in accordance with the relevant provisions.

Section 3 Data Security Supervision

Article 87. The municipal cyberspace authority shall, in accordance with the relevant laws, administrative regulations, and the provisions of these Regulations, be responsible for coordinating data security and the related supervision work, and shall, together with the municipal public security, national security, and other departments and the relevant industry competent authorities, establish and improve a data security supervision mechanism, and shall organize data security supervision and inspection.

Article 88. The municipal cyberspace authority shall, together with the relevant competent authorities, strengthen the analysis, forecasting, and assessment of data security risks and gather relevant information; upon discovering circumstances that may lead to a data security incident of data leakage, damage, loss, or tampering affecting a larger scope, it shall promptly issue early warning information, propose preventive and responsive measures, and guide and supervise data processors in their data security protection work.

Article 89. The municipal cyberspace authority and other departments performing data security supervision duties may commission third-party institutions to, in accordance with the provisions of laws and regulations and the requirements of relevant standards, conduct data security management certification and data security assessment for data processors, and to assign them security grades.

Article 90. The municipal cyberspace authority and other departments performing data security supervision duties shall, upon discovering in the course of fulfilling their duties that a data processor has failed to implement security management responsibilities in accordance with the provisions, conduct a regulatory interview (yuetan) with the data processor in accordance with the provisions and urge it to rectify the situation.

Article 91. The municipal cyberspace authority and other data oversight and management departments and their staff shall strictly keep confidential any personal data, trade secrets, and other data requiring confidentiality that they learn about in the course of fulfilling their duties, and shall not disclose, sell, or unlawfully provide such data to others.


Chapter VI Legal Liability

Article 92. Where personal data is processed in violation of the provisions of these Regulations, punishment shall be imposed in accordance with the relevant laws and regulations on personal information protection.

Article 93. Where a public management and service institution violates the relevant provisions of these Regulations, the superior competent department or the relevant competent department shall order it to make corrections; where it refuses to make corrections or causes serious consequences, legal liability shall be pursued in accordance with law; where losses are caused to natural persons, legal persons, or unincorporated organizations as a result, compensation liability shall be borne in accordance with law.

Article 94. Where data is traded in violation of Article 67 of these Regulations, the municipal market supervision and administration department or the relevant industry competent authority shall, in accordance with their duties, order corrections and confiscate illegal gains; where the transaction amount is less than RMB 10,000, a fine of not less than RMB 50,000 and not more than RMB 200,000 shall be imposed; where the transaction amount is RMB 10,000 or more, a fine of not less than RMB 200,000 and not more than RMB 1,000,000 shall be imposed; and other administrative penalties as provided by laws or administrative regulations may also be imposed in accordance with law. Where laws or administrative regulations otherwise provide, those provisions shall govern.

Article 95. Where a market entity violates Articles 68 and 69 of these Regulations and damages the lawful rights and interests of other market entities or consumers, the municipal market supervision and administration department or the relevant industry competent authority shall, in accordance with their duties, order corrections and confiscate illegal gains; where it refuses to make corrections, a fine of not less than RMB 50,000 and not more than RMB 500,000 shall be imposed; where the circumstances are serious, a fine of not more than 5% of the prior year’s revenue shall be imposed, up to a maximum of RMB 50,000,000; and other administrative penalties as provided by laws or administrative regulations may also be imposed in accordance with law. Where laws or administrative regulations otherwise provide, those provisions shall govern.

Where a market entity violates Article 70 of these Regulations and engages in unfair competition conduct or monopolistic conduct, punishment shall be imposed in accordance with the relevant laws and regulations on unfair competition or anti-monopoly.

Article 96. Where a data processor violates the provisions of these Regulations and fails to fulfill its data security protection responsibilities, punishment shall be imposed in accordance with the relevant laws and regulations on data security.

Article 97. Where departments performing data oversight and management duties, and public management and service institutions, fail to perform or incorrectly perform the duties provided by these Regulations, the directly responsible supervisory personnel and other directly responsible persons shall be given a disciplinary sanction in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law.

Article 98. Where data is processed in violation of the provisions of these Regulations and national interests or public interests are damaged as a result, organizations as provided by laws and regulations may bring a civil public-interest lawsuit in accordance with law. Where an organization as provided by laws and regulations brings a civil public-interest lawsuit, the People’s Procuratorate may, where it considers it necessary, support the action.

Where no organization as provided by laws and regulations brings a civil public-interest lawsuit, the People’s Procuratorate may bring a civil public-interest lawsuit in accordance with law.

Where the People’s Procuratorate discovers in the course of fulfilling its duties that a department performing data oversight and management duties is unlawfully exercising its powers or is failing to act, and national interests or public interests are thereby damaged, it shall submit procuratorial recommendations to the relevant administrative organ; where the administrative organ fails to perform its duties in accordance with law, the People’s Procuratorate may bring an administrative public-interest lawsuit in accordance with law.

Article 99. Where a data processor violates the provisions of these Regulations in processing data and causes damage to others, it shall bear civil liability in accordance with law; where the conduct constitutes a violation of public security administration, a public security administrative penalty shall be imposed in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law.


Chapter VII Supplementary Provisions

Article 100. These Regulations shall come into force on 1 January 2022.
