Provisions on the Cyber Protection of Children s Personal Information
Document Number:Order No.4 of the Cyberspace Administration of China
Area of Law: Protection for the Elderly, Young, Women, and Disabled Network Security Management
Level of Authority: Departmental Rules
Issuing Authority: Cyberspace Administration of China
Date Issued:08-22-2019
Effective Date:10-01-2019
Status: Effective
国家互联网信息办公室令
Provisions on the Cyber Protection of Children's Personal Information
(第4号)
(No.4)
《儿童个人信息网络保护规定》已经国家互联网信息办公室室务会议审议通过,现予公布,自2019年10月1日起施行。
The Provisions on the Cyber Protection of Children's Personal Information, deliberated and adopted at the executive meeting of the Cyberspace Administration of China, are hereby issued and shall come into force on October 1, 2019.
主任 庄荣文
Director-General Zhuang Rongwen
2019年8月22日
August 22, 2019
儿童个人信息网络保护规定
Provisions on the Cyber Protection of Children's Personal Information
第一条 为了保护儿童个人信息安全,促进儿童健康成长,根据《中华人民共和国网络安全法》《中华人民共和国未成年人保护法》等法律法规,制定本规定。
Article 1 For the purpose of protecting the security of children's personal information and promoting the healthy growth of children, these Provisions are hereby developed in accordance with the Cybersecurity Law of the People's Republic of China, the Law of the People's Republic of China on the Protection of Minors and other laws and regulations.
Article 2 For the purpose of these Provisions, the term “child” means a minor under the age of 14.
第三条 在中华人民共和国境内通过网络从事收集、存储、使用、转移、披露儿童个人信息等活动,适用本规定。
Article 3 These Provisions shall apply to the collection, storage, use, transfer and disclosure of personal information from and about children through the Internet and other related activities within the territory of the People's Republic of China.
第四条 任何组织和个人不得制作、发布、传播侵害儿童个人信息安全的信息。
Article 4 No organization or individual may produce, release or disseminate information that infringes upon the security of children's personal information.
第五条 儿童监护人应当正确履行监护职责,教育引导儿童增强个人信息保护意识和能力,保护儿童个人信息安全。
Article 5 A child's guardian shall correctly perform his or her functions of guardianship, enhance the child's awareness and ability to protect personal information through education and guidance, and protect the security of personal information of the child.
第六条 鼓励互联网行业组织指导推动网络运营者制定儿童个人信息保护的行业规范、行为准则等,加强行业自律,履行社会责任。
Article 6 Internet industry associations shall be encouraged to guide and promote network operators in the development of industry rules and codes of conduct, among others, for the protection of children's personal information, enhance industry self-regulation, and perform social responsibilities.
第七条 网络运营者收集、存储、使用、转移、披露儿童个人信息的,应当遵循正当必要、知情同意、目的明确、安全保障、依法利用的原则。
Article 7 A network operator shall follow the principles of legitimacy, necessity, informed consent, clear purpose, security and legal use during the collection, storage, use, transfer or disclosure of any child's personal information.
第八条 网络运营者应当设置专门的儿童个人信息保护规则和用户协议,并指定专人负责儿童个人信息保护。
Article 8 A network operator shall develop specific rules and user agreements for the protection of children's personal information, and assign dedicated personnel responsible for protecting the children's personal information.
第九条 网络运营者收集、使用、转移、披露儿童个人信息的,应当以显著、清晰的方式告知儿童监护人,并应当征得儿童监护人的同意。
Article 9 A network operator collecting, using, transferring or disclosing any child's personal information shall notify the child's guardian in a conspicuous and clear manner, and obtain verified consent from the child's guardian for the collection, use, transfer or disclosure of personal information of the child.
第十条 网络运营者征得同意时,应当同时提供拒绝选项,并明确告知以下事项:
Article 10 A network operator obtaining consent shall provide the option of refusing to provide consent, and clearly notify the child's guardian of the following matters:
(一)收集、存储、使用、转移、披露儿童个人信息的目的、方式和范围;
(3) Security safeguards for children's personal information.
(4) The consequences of refusal to provide consent.
(5) Channels and methods for complaints and reports.
(6) Ways and means of modifying and deleting children's personal information.
(7) Other information that shall be notified.
前款规定的告知事项发生实质性变化的,应当再次征得儿童监护人的同意。
第十一条 网络运营者不得收集与其提供的服务无关的儿童个人信息,不得违反法律、行政法规的规定和双方的约定收集儿童个人信息。
Article 11 No network operator shall collect any child's personal information irrelevant to the services provided by it, or collect such information in violation of laws, administrative regulations or the agreement of both parties.
第十二条 网络运营者存储儿童个人信息,不得超过实现其收集、使用目的所必需的期限。
Article 12 The storage of children's personal information by a network operator shall not exceed the time limit necessary for the purpose of its collection and use.
第十三条 网络运营者应当采取加密等措施存储儿童个人信息,确保信息安全。
Article 13 A network operator shall take measures such as encryption to store children's personal information, so as to ensure information security.
第十四条 网络运营者使用儿童个人信息,不得违反法律、行政法规的规定和双方约定的目的、范围。因业务需要,确需超出约定的目的、范围使用的,应当再次征得儿童监护人的同意。
Article 14 A network operater shall not use any child's personal information in violation of the provisions of any law or administrative regulation or beyond the purpose or scope agreed upon by both parties. If it is indeed necessary to use such information beyond the agreed purpose or scope due to business requirements, the network operator shall obtain verified consent from the child's guardian anew.
第十五条 网络运营者对其工作人员应当以最小授权为原则,严格设定信息访问权限,控制儿童个人信息知悉范围。工作人员访问儿童个人信息的,应当经过儿童个人信息保护负责人或者其授权的管理人员审批,记录访问情况,并采取技术措施,避免违法复制、下载儿童个人信息。
Article 15 A network operator shall, under the principle of minimum authorization, set information access permissions for its staff members in a strict manner, and control the scope of access to children's personal information. A staff member who gains access to children's personal information shall obtain the approval of the person in charge of the protection of children's personal information or the administrator authorized by such person, and the network operator shall keep a record of his or her access, and take technical measures to avoid the illegal copying or downloading of children's personal information.
第十六条 网络运营者委托第三方处理儿童个人信息的,应当对受委托方及委托行为等进行安全评估,签署委托协议,明确双方责任、处理事项、处理期限、处理性质和目的等,委托行为不得超出授权范围。
Article 16 A network operator that entrusts a third party with processing children's personal information shall conduct a security assessment on the entrustee and such entrustment, among others, and enter into an authorization agreement to specify the responsibilities of both parties, processing matters, processing period, and processing nature and purpose, among others. The entrustment shall not exceed the scope of authorization.
The entrustee as prescribed in the preceding paragraph shall fulfill the following obligations:
(一)按照法律、行政法规的规定和网络运营者的要求处理儿童个人信息;
(2) Assisting the network operator in responding to requests filed by children's guardians.
(三)采取措施保障信息安全,并在发生儿童个人信息泄露安全事件时,及时向网络运营者反馈;
(5) Being prohibited from subcontracting the entrustment.
(6) Other obligations to protect children's personal information as required by the law.
第十七条 网络运营者向第三方转移儿童个人信息的,应当自行或者委托第三方机构进行安全评估。
Article 17 A network operator that intends to transfer children's personal information to a third party shall conduct a security assessment on its own or authorize a third-party agency to do so.
第十八条 网络运营者不得披露儿童个人信息,但法律、行政法规规定应当披露或者根据与儿童监护人的约定可以披露的除外。
Article 18 A network operator shall not disclose any child's personal information, except for those circumstances where such information shall be disclosed in accordance with the provisions of laws and administrative regulations or may be disclosed as agreed to by the child's guardian.
第十九条 儿童或者其监护人发现网络运营者收集、存储、使用、披露的儿童个人信息有错误的,有权要求网络运营者予以更正。网络运营者应当及时采取措施予以更正。
Article 19 Where a child or his or her guardian discovers that the child's personal information collected, stored, used or disclosed by a network operator is erroneous, he or she shall have the right to require the network operator to correct the information. The network operator shall take measures to correct the information in a timely manner.
第二十条 儿童或者其监护人要求网络运营者删除其收集、存储、使用、披露的儿童个人信息的,网络运营者应当及时采取措施予以删除,包括但不限于以下情形:
Article 20 Where a child or his or her guardian requires a network operator to delete the child's personal information collected, stored, used or disclosed by it, the network operator shall take measures to delete such information in a timely manner, including, but not limited to, the following circumstances:
(一)网络运营者违反法律、行政法规的规定或者双方的约定收集、存储、使用、转移、披露儿童个人信息的;
(二)超出目的范围或者必要期限收集、存储、使用、转移、披露儿童个人信息的;
(3) The child's guardian withdraws his or her consent.
(四)儿童或者其监护人通过注销等方式终止使用产品或者服务的。
第二十一条 网络运营者发现儿童个人信息发生或者可能发生泄露、毁损、丢失的,应当立即启动应急预案,采取补救措施;造成或者可能造成严重后果的,应当立即向有关主管部门报告,并将事件相关情况以邮件、信函、电话、推送通知等方式告知受影响的儿童及其监护人,难以逐一告知的,应当采取合理、有效的方式发布相关警示信息。
Article 21 In the event that a network operator finds that children's personal information has been or is likely to be divulged, damaged or lost, the network operator shall immediately initiate its emergency response plan and take remedial measures; if any serious consequence is or may be caused, it shall immediately report to the relevant competent authority, and notify the affected children and their guardians of the relevant information by such means as emails, letters, phone calls or push notifications. Where it is difficult to notify one by one, the relevant warning information shall be released in a reasonable and effective manner.
第二十二条 网络运营者应当对网信部门和其他有关部门依法开展的监督检查予以配合。
Article 22 Network operators shall cooperate in the supervision and examination conducted by cyberspace administrations and other relevant departments in accordance with the law.
第二十三条 网络运营者停止运营产品或者服务的,应当立即停止收集儿童个人信息的活动,删除其持有的儿童个人信息,并将停止运营的通知及时告知儿童监护人。
Article 23 A network operator that suspends the operation of products or services shall immediately cease the collection of personal information of children, delete the children's personal information held by it, and notify the children's guardians of the suspension of operation in a timely manner.
第二十四条 任何组织和个人发现有违反本规定行为的,可以向网信部门和其他有关部门举报。
Article 24 Any organization or individual that finds any violation of these Provisions may report it to the cyberspace administration and other relevant departments.
网信部门和其他有关部门收到相关举报的,应当依据职责及时进行处理。
第二十五条 网络运营者落实儿童个人信息安全管理责任不到位,存在较大安全风险或者发生安全事件的,由网信部门依据职责进行约谈,网络运营者应当及时采取措施进行整改,消除隐患。
Article 25 Where a network operator fails to perform its responsibilities for security management of children's personal information, causing any relatively high security risk or security incident, the cyberspace administration shall hold an interview with the network operator according to the functions, and the network operator shall take measures to make rectification and eliminate hidden risks in a timely manner.
第二十六条 违反本规定的,由网信部门和其他有关部门依据职责,根据《中华人民共和国网络安全法》《互联网信息服务管理办法》等相关法律法规规定处理;构成犯罪的,依法追究刑事责任。
Article 26 Where a network operator violates these Provisions, the cyberspace administration and other relevant departments shall, according to their respective functions, punish the violator in accordance with the provisions of the Cybersecurity Law of the People's Republic of China, the Measures for the Administration of Internet Information Services and other relevant laws and regulations; and where it is criminally punishable, the violator shall be held criminally liable according to the law.
第二十七条 违反本规定被追究法律责任的,依照有关法律、行政法规的规定记入信用档案,并予以公示。
Article 27 Where a network operator violates these Provisions and is held liable, such violation shall be recorded in credit archives in accordance with the provisions of relevant laws and administrative regulations and be published.
第二十八条 通过计算机信息系统自动留存处理信息且无法识别所留存处理的信息属于儿童个人信息的,依照其他有关规定执行。
Article 28 Where the information automatically preserved and processed through the computer information system that is unable to be identified falls within children's personal information, it shall be governed by other relevant provisions.
Article 29 These Provisions shall come into force on October 1, 2019.
©Pkulaw:(www.pkulaw.com) provides various professional solutions in such fields as legal information, law knowledge and legal software. Pkulaw provides you with abundant reference materials. When you invoke articles of laws and regulations, please check them with the standard texts. You are welcome to view all our products and services.
Pkulaw Express: How to quickly find information you need? What are the new features of Pkulaw V6?
Scan QR Code for instant access to the original text
Original Link: https://www.pkulaw.com/en_law/cadd4cd663d8d2b4bdfb.html
