Workflow
《个人信息出境认证办法》公布,明年1月起施行
第一财经·2025-10-17 10:32

Core Viewpoint - The newly released "Personal Information Outbound Certification Measures" aims to regulate the outbound transfer of personal information, ensuring the protection of personal data rights and promoting safe cross-border data flow, effective from January 1, 2026 [1][2]. Group 1: Certification Applicability and Requirements - The certification applies to non-critical information infrastructure operators that provide personal information to overseas entities, specifically those that have cumulatively provided information to over 100,000 but less than 1 million individuals, or less than 10,000 individuals for sensitive information, without including important data [1]. - Personal information processors must apply for certification through professional certification agencies, which are required to follow basic certification norms and personal information protection rules. The validity of the certification is set for three years [2]. Group 2: Obligations of Certification Agencies - Professional certification agencies must report certification-related information to the national certification and accreditation information public service platform. If a certified entity's outbound activities do not align with the certification scope, the agency must suspend or revoke the certification [2]. - Agencies are also required to report any violations of laws or regulations regarding outbound personal information activities to the relevant national departments [2]. Group 3: Supervision and Management - Certification agencies must file with the national internet information department within 10 working days of obtaining certification qualifications. The national market supervision and internet information departments will oversee the certification activities [2]. - Provincial-level internet departments can conduct interviews with certified entities if significant risks or personal information security incidents are identified [2]. Group 4: Legal Responsibilities - The measures outline legal responsibilities for violations of the certification rules and specify the applicability of the regulations [3].