This standard regulates the principles and relevant security requirements which shall be followed by personal information processing activities like collection, preservation, use, sharing, transfer of control, public disclosure, etc.
This standard is applicable to the regulation of personal information processing activities of various organizations and also applicable to the supervision, management and evaluation of personal information processing activities by organizations such as competent supervision departments and third-party evaluation agencies.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010 Information security technology - Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
personal information
various information recorded electronically or otherwise that can, either alone or in combination with other information, identify a particular natural person or reflect the activity of such a person
Note 1: Personal information includes name, date of birth, ID number, personal biometric identifying information, address, communication and contact information, communication record and content, account and password, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information.
Note 2: See Annex A for the scope and type of personal information.
3.2
personal sensitive information
personal information which, once disclosed, illegally provided or abused, may endanger personal and property safety and easily result in damage to personal reputation and physical and mental health, or result in discriminatory treatment
Note 1: Personal sensitive information includes ID number, personal biometric identifying information, bank account, communication record and content, property information, credit information, whereabouts, accommodation information, health and physiology information, transaction information and personal information of children less than or equal to 14 years old.
Note 2: See Annex B for the scope and type of personal sensitive information.
3.3
personal data subject
the natural person identified by personal information
3.4
personal data controller
organization or individual that has the right to determine the purpose, manner, etc. of the processing of the personal information
3.5
collect
behavior of obtaining the right of control over personal information, which includes active collection through provision by the personal data subject on his or her own initiative, interaction with the personal data subject or recording of the personal data subject's behavior, as well as indirect acquisition through sharing, transfer of control and collection of public information
Note: If a product or service provider that provides tools for use by the personal data subject does not access personal information, this is not collection behavior as specified in this standard. For example, if offline navigation software, after obtaining the user's location information from the terminal, does not return such information to the software provider, this is not personal information collection behavior.
3.6
explicit consent
behavior of a personal data subject explicitly authorizing the specific processing of his or her personal information through a written statement or by taking affirmative action on his or her own initiative
Note: Affirmative actions include a statement, in either electronic or paper form, as well as selecting or clicking "agree", "register", "send", "dial", etc., made by the personal data subject on his or her own initiative.
GB/T 35273-2017 The following standards are cited: