Ministry of Industry and Information Technology of the People's Republic of China

第24号

 The Regulation on the Protection of Personal Information of Telecommunications and Internet Users has2013年6月28The Ministry of Industry and Information Technology of the People's Republic of China2Deliberated and adopted by the sub-ministerial meeting, it is hereby promulgated2013年9月1With immediate effect。

部长 苗圩

2013年7月16日

Regulations on the protection of personal information of telecommunications and Internet users

Act 1 总则

Article one In order to protect the legitimate rights and interests of telecommunications and Internet users and maintain network information security, these Provisions are formulated in accordance with the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection, the Telecommunications Regulations of the People's Republic of China and the Measures for the Administration of Internet Information Services and other laws and administrative regulations。

Article 2 These Provisions shall apply to the activities of collecting and using users' personal information in the course of providing telecommunications services and Internet information services within the territory of the People's Republic of China。

Article 3 The Ministry of Industry and Information Technology and the Communications Administration of all provinces, autonomous regions and municipalities directly under the Central Government (hereinafter referred to as the telecommunications regulatory authorities) shall supervise and administer the protection of personal information of telecommunications and Internet users according to law。

Article 4 The term "User personal information" is used in these Regulations，It refers to the user's name, date of birth, ID number, address, telephone number, account number and password collected by telecommunication service operators and Internet information service providers in the process of providing services, which can identify users individually or in combination with other information, as well as the user's time and place of use of services。

Article 5 Telecommunications business operators and Internet information service providers shall, in the process of providing services, collect and use users' personal information in accordance with the principles of legality, legitimacy and necessity。

 Article 6 Telecommunications business operators and Internet information service providers shall be responsible for the security of users' personal information collected and used in the course of providing services。

Article 7 The State encourages the telecommunications and Internet industries to self-regulate the protection of users' personal information。

Act 2 Information collection and use specifications

 Article VIII Telecommunications business operators and Internet information service providers shall formulate rules for the collection and use of users' personal information and publish them on their business or service sites and websites。

The ninth article Without the consent of users, telecommunications business operators and Internet information service providers shall not collect or use users' personal information。

Where telecommunications business operators and Internet information service providers collect and use users' personal information, they shall clearly inform users of the purpose, method and scope of the collection and use of information, channels for querying and correcting information, and consequences of refusing to provide information。

Telecommunications business operators and Internet information service providers shall not collect users' personal information other than necessary for the provision of services, or use the information for purposes other than the provision of services, and shall not collect or use information in ways that deceive, mislead or coerce, or in violation of laws, administrative regulations and agreements between the two parties。

Telecommunications business operators and Internet information service providers shall stop the collection and use of users' personal information after users terminate the use of telecommunications services or Internet information services, and provide users with services to cancel their numbers or accounts。

Where laws or administrative regulations provide otherwise for the circumstances provided for in paragraphs 1 to 4 of this article, such provisions shall prevail。

Article ten Telecommunications business operators, Internet information service providers and their staff shall keep strictly confidential the personal information of users collected and used in the course of providing services, and shall not disclose, alter or destroy, sell or illegally provide to others。

Article 11 Telecommunications business operators and Internet information service providers entrust others to act as agents for marketing and technical services and other services directly facing users，Involving the collection and use of users' personal information，The agent shall supervise and manage the protection of user personal information，Agents who do not meet the requirements of the Provisions on the protection of users' personal information shall not be entrusted with relevant services。

Article 12 Telecommunications business operators and Internet information service providers shall establish a user complaint handling mechanism, publish effective contact information, accept complaints related to the protection of user personal information, and reply to the complainant within 15 days from the date of receipt of the complaint。

Act 3 Security measures

Article 13 Telecommunications business operators and Internet information service providers shall take the following measures to prevent the disclosure, damage, tampering or loss of users' personal information:

(a) determine the departments, posts and branches of the user's personal information security management responsibilities;

(b) to establish the user's personal information collection, use and related activities of the work flow and security management system;

(3) enforce authority management on staff and agents, review the export, copy and destruction of information in bulk, and take measures to prevent leaks;

(4) Properly keep paper media, optical media, electromagnetic media and other carriers that record users' personal information, and take appropriate safety storage measures;

(5) Conduct access review of information systems storing users' personal information, and take anti-intrusion, anti-virus and other measures;

(6) Record the personnel, time, place, events and other information that operate the user's personal information;

(7) To carry out communications network security protection in accordance with the provisions of the telecommunications regulatory authority;

(8) Other necessary measures prescribed by the telecommunications regulatory authority。

Article 14 The personal information of users kept by telecommunications business operators or Internet information service providers has been or may be leaked, damaged or lost，Remedial measures should be taken immediately;Causing or likely to cause serious consequences，It shall immediately report to the telecommunication regulatory authority that has granted the license or filed the record，Cooperate with relevant departments to investigate and handle。

The telecommunications regulatory authority shall assess the impact of reported or discovered possible violations of these provisions;If the impact is particularly significant, the relevant provinces, autonomous regions and municipalities shall report to the Ministry of Industry and Information Technology。Before making a decision on handling in accordance with these Provisions, the telecommunication regulatory authority may request the telecommunication business operators and Internet information service providers to suspend the relevant behavior, and the telecommunication business operators and Internet information service providers shall implement it。

Article 15 Telecommunications business operators and Internet information service providers shall train their staff on knowledge, skills and security responsibilities related to the protection of users' personal information。

Article 16 Telecommunications business operators and Internet information service providers shall conduct self-checks on the protection of users' personal information at least once a year, record self-checks, and promptly eliminate security risks found in self-checks。

Act Four Supervision and inspection

Article 17 The telecommunications regulatory authority shall supervise and inspect the protection of users' personal information by telecommunications business operators and Internet information service providers。

When conducting supervision and inspection, the telecommunications regulatory authority may require telecommunications business operators and Internet information service providers to provide relevant materials, enter their production and business sites to investigate the situation, and telecommunications business operators and Internet information service providers shall cooperate。

When conducting supervision and inspection, the telecommunication regulatory authority shall record the supervision and inspection, shall not impede the normal operation or service activities of telecommunication business operators and Internet information service providers, and shall not charge any fees。

Article 18 The telecommunications regulatory authority and its staff shall keep confidential the personal information of users that they have come to know in the course of performing their duties, and shall not disclose, alter or destroy, sell or illegally provide to others。

Article 19 When the telecom regulatory agency implements the annual inspection of the telecom business license and business license, it shall review the protection of users' personal information。

Article 20 The telecom regulatory authority shall record the behaviors of telecom business operators and Internet information service providers in violation of these provisions into their social credit files and publish them。

Article 21 Encourage telecommunications and Internet industry associations to formulate a self-regulatory management system for the protection of users' personal information in accordance with the law, guide members to strengthen self-regulatory management, and improve the level of protection of users' personal information。

Chapter Five Legal responsibility

Article 22 Telecommunications business operators and Internet information service providers who violate the provisions of Article 8 and 12 of these provisions shall be ordered by the telecommunications regulatory authority according to its functions and powers to make corrections within a time limit, give a warning, and may also impose a fine of less than 10,000 yuan。

Article 23 Telecommunications business operators and Internet information service providers violate the provisions of Article 9 to 11, 13 to 16, and Article 17, paragraph 2，The telecommunication regulatory authority shall order rectification within a time limit according to its functions and powers，Give a warning，A fine of not less than 10,000 yuan but not more than 30,000 yuan may be imposed，Make public announcements;criminal，Criminal responsibility shall be investigated according to law。

Article 24 Any staff member of the telecommunications regulatory authority who neglects his duty, abuses his power or engages in malpractice for personal gain in the course of supervision and management of the protection of users' personal information shall be dealt with according to law;If the case constitutes a crime, criminal responsibility shall be investigated according to law。

Act 6 附则

 Article 25 This provision comes from2013年9月1With immediate effect。