Standard ICS number: Information technology, office machinery and equipment >> Information technology applications >> 35.240.01 Information technology applications comprehensive
Standard Classification Number: General >> Economy, Culture >> A10 Commerce, Trade, Contract
Associated standards
Publication information
Publishing house: China Standards Press
Publication date: 2021-05-01
Other information
Drafter: Zhou Daohua, Lü Hongyi, Li Yuanli, Tian Hui, Lü Haitao, Cao Yansong, Li Wuxian, Ma Jianhong, Liu Ying, Liang Xijun, Guo Chuncai, Chen Yahong, Chen Guiqing, Chen Xuchao, Xian Changrong, Zhang Ke, Chen Yuchao, Chen Rongrui, etc.
GB/T 40094.4-2021 Electronic commerce data transaction - Part 4: Privacy protection specification
1 Scope
This part of GB/T 40094 specifies the general principles for privacy protection in e-commerce data transactions, the responsibilities and obligations of data providers, data demanders, transaction platform operators, and the requirements and verification methods for the rights of information subjects.
GB/T 40094.4 applies to privacy protection in e-commerce data transactions.
2 Normative references
The following documents are indispensable for the application of this document. For any dated referenced document, only the dated version applies to this document. For any undated referenced document, its latest version (including all amendments) applies to this document.
GB/T 40094.1-2021 Electronic Commerce Data Transaction Part 1: Guidelines
GB/T 40094.2-2021 Electronic Commerce Data Transaction Part 2: Data Description Specification
3 Terms and Definitions
GB/T 40094.1-2021, GB/T 40094.2-2021 and the following terms and definitions apply to this document.
3.1
Personal information
Various information that can identify a natural person alone or in combination with other information.
Note: Including but not limited to the name, date of birth, identity document number, personal biometric information, address and telephone number of a natural person.
3.2
Personal information subject
The natural person identified or associated with the personal information.
[GB/T 35273-2020, Definition 3.3]
This part specifies the general principles for privacy protection in e-commerce data transactions, the responsibilities and obligations of data providers, data demanders, transaction platform operators, and the requirements and verification methods for the rights of information subjects. This part applies to privacy protection in e-commerce data transactions.
Some standard content:
ICS 35.240.01
National Standard of the People's Republic of China
GB/T 40094.4-2021
Electronic commerce data transaction Part 4: Privacy protection specification
Published on 2021-05-21
Implementation on 2021-12-01
State Administration for Market Regulation
National Standardization Administration
Normative reference documents
Terms and definitions
Duties and obligations of data providers
Duties and obligations of data demanders
Duties and obligations of trading platform operators
Rights of information subjects
Verification methods
References
GB/T 40094 "E-commerce Data Transaction" is divided into the following parts:
Part 1: Guidelines;
Part 2: Data Description Specifications;
Part 3: Data Interface Specifications;
Part 4: Privacy Protection Specifications.
This part is Part 4 of GB/T 40094.
This part is drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents. The issuing agency of this document does not assume the responsibility for identifying these patents.
This part is drafted by the National Electronic Business Administration. The Standardization Technical Committee (SAC/TC83) proposed and approved this part.
Drafting units of this part: Chengdu Zhongke Renqi Software Co., Ltd., Guangzhou Taihui Information Technology Co., Ltd., Hefei Gaowei Data Technology Co., Ltd., Beijing Zhonghui Mulai E-commerce Co., Ltd., Xiamen Youmai E-commerce Co., Ltd., Beijing Zhongpu Muxin Standardization Consulting Office, Guangdong Jicai Internet of Things Technology Co., Ltd., Fujian Dehua County Youyang Crafts Co., Ltd., China National Institute of Standardization, Guangdong Xinanhuai E-commerce Co., Ltd., Jiangmen Sijiulou E-commerce Co., Ltd., Beijing Wujie Standard Technology Co., Ltd., Zhejiang Gulin Technology Promotion Center, Foshan Rongshi Lighting Technology Co., Ltd., Foshan Jin Yulun Hardware Stationery Co., Ltd., Zhejiang Heye Health Technology Co., Ltd., Fujian Haixi Standardization Technical Service Office Co., Ltd., China Metrology Institute, Quanzhou Runwu Technology Co., Ltd., Zhongshi Beishan (Fujian) Wine Co., Ltd., Beijing Zhongjin Shuijiaren Data Technology Co., Ltd., Beijing Azhuang Dinghuoyiren Data Technology Co., Ltd.
The drafters of this part are Zhou Daohua, Kou Hongyi, Li Yuanli, Tian Hui, Kou Haitao, Cao Yansong, Li Wuxian, Ma Jianhong, Liu Ying, Liang Xigou, Guo Tuncai, Chen Yehong, Chen Zhuqing, Chen Xuchao, Xi Changrong, Zhang Ke, Chen Yuchao, Chen Rongrui, Xiang Zi, Liang Runbin, Hu Jing, Hu Lijiang, Miao Xian, Hao Fengying, and Wang Jinlan.
E-commerce data transactions Part 4: Privacy protection specifications
1 Scope
This part of GB/T 40094 specifies the general principles of privacy protection in e-commerce data transactions, the responsibilities and obligations of data providers, data demanders, transaction platform operators, and the requirements and verification methods for the rights of information subjects.
This part applies to privacy protection in e-commerce data transactions.
2 Normative references
The following documents are indispensable for the application of this document. For any referenced document with a date, only the version with the date applies to this document. For any referenced document without a date, the latest version (including all amendments) applies to this document.
GB/T 40094.1-2021 E-commerce data transactions Part 1: Guidelines
GB/T 40094.2-2021 E-commerce data transactions Part 2: Data description specifications
3 Terms and definitions
The terms and definitions defined in GB/T 40094.1-2021 and GB/T 40094.2-2021 and the following terms and definitions apply to this document.
3.1
Personal information
Various information that can identify a natural person alone or in combination with other information.
Note: Including but not limited to a natural person's name, date of birth, ID number, personal identification information, address and telephone number, etc.
3.2
Personal information subject
The natural person identified or associated with the personal information.
[GB/T 35273-2020, Definition 3.3]
3.3
Anonymization
The process of making the subject of personal information unidentifiable or unlinkable through technical processing of personal information, where the processed information cannot be restored.
Note: Information obtained after anonymization of personal information is not personal information.
[GB/T 35273-2020, Definition 3.14]
3.4
De-identification
The process of making the subject of personal information unidentifiable or unlinkable through technical processing of personal information without the help of additional information.
Note: De-identification is based on the individual, retains individual granularity, and uses pseudonyms, encryption, hash functions and other technologies to replace the identification of personal information.
[GB/T 35273-2020, Definition 3.15]
4 General Provisions
4.1 Privacy scope
The privacy scope of this part should include but is not limited to the following:
a) Information on minors;
b) Property information;
c) Communication information;
d) Information on patients with diseases such as AIDS and infectious diseases;
e) Other information stipulated by national laws and regulations.
4.2 Transaction data
Transaction data should comply with GB/T 40094.1-2021.
4.3 Transaction subjects
Transaction subjects shall comply with the provisions of 1.3 of GB/T 40094.1-2021.
4.4 Trading platform operators
Platform operators shall comply with the provisions of 4.2 of GB/T 40094.1-2021.
5 Responsibilities and obligations of data providers
The responsibilities and obligations of data providers for privacy protection in data transactions shall include but are not limited to:
a) Implement relevant national laws, regulations and behavioral norms for personal information protection, and safeguard the legitimate rights and interests of individuals;
b) Be responsible for the compliance of the circulation and use of all data provided by them;
c) Ensure that all data provided does not involve information prohibited from being released or transmitted by national laws and regulations;
d) Ensure that all data provided does not involve private information;
e) When the data provided involves private information, subject it to anonymization, de-identification and other technical processing to ensure that the data does not involve private information and cannot be restored before it can enter the circulation link;
f) Clearly define the applicable scope, usage period and rights restriction policy of the data;
g) Ensure the security of the data during storage, release and transmission, and prevent data leakage, collection and deletion, etc.;
h) Bear the main responsibility for the behavior that causes harm to the personal information subject due to privacy leakage.
6 Responsibilities and obligations of the data demander
The responsibilities and obligations of the data demander for privacy protection in data transactions should include but are not limited to:
a) Comply with relevant national laws, regulations and behavioral norms for personal information protection, and safeguard the legitimate rights and interests of the subject of personal information;
b) Ensure that the purchase demand complies with the relevant provisions of national laws and regulations;
c) Use data legally and in compliance with the applicable scope, usage period and rights restrictions of the data defined by the data provider;
d) Immediately report to the platform or report to the relevant competent authorities when private information is discovered during the use of data;
e) Ensure the security of data during storage and use, and prevent data leakage, modification and deletion, etc.;
f) Take full responsibility for the consequences of the disclosure of private information due to the use of data;
g) After the use is completed in the agreed manner or after the specified period, destroy the purchased data so that it cannot be restored.
7 Responsibilities and obligations of trading platform operators
The responsibilities and obligations of platform operators for privacy protection in data transactions should include but are not limited to:
a) Implement relevant national laws, regulations and codes of conduct on personal information protection, and safeguard the legitimate rights and interests of personal information subjects;
b) Formulate platform privacy policies in accordance with national laws and regulations to ensure the legitimate rights and interests of transaction subjects;
c) Establish a privacy protection management department to be responsible for the daily management and implementation of platform privacy protection work;
d) Formulate a privacy protection management system, and clarify the responsibilities and penalties of platform operators and transaction entities;
e) Establish a privacy protection management mechanism, including but not limited to:
1) Data sales license mechanism: ensure that the transaction entity is allowed to participate in the transaction after obtaining the sales license qualification;
2) Data transfer registration mechanism: record and file data transaction information to ensure that each data transfer has a record to trace;
3) Privacy leakage complaint reporting mechanism: actively respond to and resolve complaints and reports, and clarify the complaint resolution path and reporting reward system;
f) Organize and carry out privacy protection publicity and training activities;
g) Strengthen data review management, and take necessary disposal measures in accordance with the law when discovering information that is prohibited from being released or transmitted by national laws and regulations, and report to the relevant competent authorities;
h) Actively cooperate with the relevant competent authorities in performing their duties in accordance with the law.
8 Rights of Information Subjects
The information subject in this section refers specifically to the personal information subject, and does not include other information subjects other than the personal information subject.
The rights enjoyed by the subject of personal information in data trading to privacy protection include but are not limited to:
a) the right to request the cancellation, deletion and cancellation of personal privacy information involved in the transaction;
b) the right to protect rights in accordance with the law if the subject of personal information believes that the transaction activities violate the relevant national laws and regulations and infringe upon its legitimate rights and interests;
c) the right to request compensation if the subject of personal information is harmed due to the disclosure of privacy information.
9 Verification methods
9.1 The platform operator shall verify and check whether the qualification materials of the data providers and data demanders who conduct data transactions through the data trading platform meet the requirements of 4.3 of GB/T 40094.1-2021.
9.2 On the basis of 9.1, the platform operator shall explain their responsibilities and obligations to the data providers who meet the requirements of 4.3 of GB/T 40094.1-2021, and review the transaction data they submit to check whether it complies with the requirements of Chapter 5. The data providers who have passed the review are allowed to conduct data transactions through the data trading platform.
9.3 On the basis of 9.1, the platform operator shall explain their responsibilities and obligations to the data demanders who meet the requirements of 4.3 of GB/T 40094.1-2021, in accordance with the requirements of Chapter 6, and sign a data security use agreement.
9.4 The competent department of e-commerce data transactions shall inspect and supervise the responsibilities and obligations of the trading platform operators in accordance with the requirements of Chapter 7.
References
GB/T 18391.1 Information technology Metadata Registration System (MDR) Part 1: Framework
GB/T 34978-2017 Information security technology Technical requirements for personal information protection of mobile intelligent terminals
GB/T 35273-2020 Information security technology Personal information security specification
GB/T 35408-2017 E-commerce quality management
GB/T 36310 E-commerce model specification