Chapter 1 General Provisions Article 1 In order to regulate data processing activities, protect the legitimate rights and interests of natural persons, legal persons and unincorporated organizations, promote the open flow and development and utilization of data as a factor of production, and accelerate the construction of a digital economy and digital society , Digital Government, this Regulation is formulated in accordance with the basic principles of relevant laws and administrative regulations, and in combination with the actual conditions of the Shenzhen Special Economic Zone. Article 2 The meanings of the following terms in these Regulations:
(1) Data refers to any record of information in electronic or other ways.
(2) Personal data refers to data containing information that can identify specific natural persons, excluding anonymized data.
(3) Sensitive personal data refers to personal data that, once leaked, illegally provided or abused, may cause discrimination against natural persons or serious harm to personal and property safety. The specific scope shall be in accordance with the provisions of laws and administrative regulations. Sure.
(4) Biometric data refers to personal data that can identify a natural person’s unique identity and is obtained by processing a natural person’s physical, physiological, behavioral and other biological characteristics, including the natural person’s genes, fingerprints, and voice. fingerprints, palmprints, auricles, iris, facial recognition features and other data.
(5) Public data refers to the data generated and processed by public data management and service agencies in the process of performing public data management duties or providing public data services in accordance with the law.
(6) Data processing refers to the collection, storage, use, processing, transmission, provision, opening and other activities of data.
(7) Anonymization refers to the process in which personal data is processed so that a specific natural person cannot be identified and cannot be recovered.
(8) User profiling refers to activities that automatically process personal data in order to evaluate certain conditions of a natural person, including the purpose of evaluating a natural person’s work performance, economic status, health status, personal preferences, and interests. , reliability, behavior, location, whereabouts, etc. for automated processing.
(9) Public administration and service agencies refer to the city’s state agencies, institutions and other organizations that manage public affairs in accordance with the law, as well as provide education, health, social welfare, Organization of water supply, electricity, gas supply, environmental protection, public transportation and other public services. Article 3: Natural persons have the personality rights and interests stipulated in laws, administrative regulations and these regulations regarding personal data.
Processing of personal data should have a clear and reasonable purpose and follow the principles of minimum necessity and reasonable period. Article 4: Natural persons, legal persons and unincorporated organizations shall enjoy the property rights and interests stipulated in laws, administrative regulations and these Regulations in the data products and services produced by their legal processing of data. However, you must not endanger national security and public interests, or harm the legitimate rights and interests of others. Article 5 The principles of collecting public data in accordance with the law, overall management, sharing on demand, orderly opening, and full utilization shall be followed when handling public data, and public data resources shall be fully utilized to optimize public management and services. , It plays a positive role in improving the modernization level of urban governance and promoting economic and social development. Article 6 The Municipal People's Government shall establish and improve the data governance system and standard system, and coordinate the promotion of personal data protection, public data sharing and openness, data element market cultivation, and data security supervision and management. Article 7 The Municipal People's Government shall establish a Municipal Data Working Committee to be responsible for researching and coordinating major matters in the city's data management work. The daily work of the Municipal Data Working Committee is undertaken by the Municipal Affairs Service Data Management Department.
The Municipal Data Working Committee may establish several professional committees. Article 8: The municipal cybersecurity and informatization department is responsible for coordinating the city’s personal data protection, network data security, cross-border data circulation and other related supervision and management work.
The municipal government service data management department is responsible for the overall planning, guidance, coordination and supervision of public data management in this city.
The municipal development and reform, industry and information technology, public security, finance, human resources security, planning and natural resources, market supervision, auditing, national security and other departments shall perform within the scope of their respective responsibilities in accordance with relevant laws and regulations Data supervision and management related functions.
The municipal competent departments of various industries are responsible for the overall planning, guidance, coordination and supervision of data management work in their respective industries. Chapter 2 Personal Data Section 1 General Provisions Article 9 The processing of personal data shall fully respect and protect the legitimate rights and interests of natural persons related to personal data. Article 10 The processing of personal data shall meet the following requirements:
(1) The purpose of processing personal data is clear and reasonable, and the method is legal and proper;
(2) It shall be limited to the realization of the purpose of processing. To the minimum extent necessary and in a manner that has the least impact on personal rights and interests, personal data shall not be processed that is unrelated to the purpose of processing;
(3) Inform the type, scope, purpose, method, etc. of personal data processing in accordance with the law, and obtain consent in accordance with the law;
(4) Ensure the accuracy and necessary completeness of personal data to avoid damage to the parties caused by inaccurate and incomplete personal data;
( 5) Ensure the security of personal data and prevent personal data from being leaked, damaged, lost, tampered with and illegally used.
Article 11 The term “second paragraph” of Article 10 of these Regulations shall be limited to the minimum scope necessary to achieve the purpose of processing and in a manner that has the least impact on personal rights and interests, including but not limited to the following situations:
(1) The type and scope of processing personal data should be directly related to the purpose of processing. Without processing the personal data, the purpose of processing cannot be achieved;
(2) The amount of personal data processed should be the minimum necessary to achieve the purpose of processing. Quantity;
(3) The frequency of processing personal data should be the minimum frequency necessary to achieve the purpose of processing;
(4) The storage period of personal data should be as long as necessary to achieve the purpose of processing. minimum time. If the storage period is exceeded, personal data should be deleted or anonymized, unless otherwise provided by laws and regulations or with the consent of the natural person;
(5) Establish a minimally authorized access control policy to ensure that Persons authorized to access personal data only have access to the minimum amount of personal data necessary to fulfill their duties and have only the minimum data processing rights necessary to fulfill their duties.