Article 29 of the Data Security Law of People's Republic of China (PRC) should strengthen risk monitoring when carrying out data processing activities, and take remedial measures immediately when discovering risks such as data security defects and loopholes; When a data security incident occurs, measures should be taken immediately to inform users in time and report to the relevant competent departments in accordance with regulations.
Thirtieth important data processors shall regularly assess the risk of their data processing activities in accordance with the provisions, and submit the risk assessment report to the relevant competent departments.
The risk assessment report shall include the type and quantity of important data processed, data processing activities, data security risks faced and countermeasures.
Article 31 The provisions of the Cyber Security Law of the People's Republic of China shall apply to the exit security management of important data collected and generated by key information infrastructure operators in People's Republic of China (PRC); Measures for the administration of exit safety of important data collected and generated by other data processors in People's Republic of China (PRC) shall be formulated by the competent national network information department in conjunction with relevant departments of the State Council.
Article 32 Any organization or individual shall collect data in a lawful and proper way, and shall not steal or obtain data by other illegal means.
Where laws and administrative regulations stipulate the purpose and scope of data collection and use, data shall be collected and used within the purpose and scope stipulated by laws and administrative regulations.
Thirty-third institutions engaged in data transaction intermediary services shall require data providers to explain the source of data, audit the identities of both parties to the transaction, and keep audit and transaction records.