In 2019, the Office of the Central Cyberspace Affairs Commission of the Communist Party of China (the "Cyberspace Office") and the Ministry of Industry and Information Technology, together with the Ministry of Public Security and the State Administration for Market Regulation, formulated the "Method for Identifying Illegal and Non-compliant Collection and Use of Personal Information by Apps" to guide law enforcement departments such as the local Cyberspace Offices and the Communications Administrations (the regional branches of the Ministry of Industry and Information Technology) in enforcing against app behaviors such as "not explicitly stating the purpose, method, and scope of collecting and using personal information" and "collecting and using personal information without the user's consent". At the same time, entrusted by the four departments, the National Information Security Standardization Technical Committee (the "Information Security Standardization Committee"), the China Consumers Association, the China Internet Association, and the China Cyberspace Security Association established a special working group on the illegal collection and use of personal information by apps (the "App Special Governance Working Group") to specifically promote enforcement against the illegal collection and use of personal information by apps.
Since 2019, a series of documents has been released, including the "Method for Identifying Illegal and Non-compliant Collection and Use of Personal Information by Apps", the "Guidelines for Self-Assessment of Illegal and Non-compliant Collection and Use of Personal Information by Apps", the "Guidelines for Applying for and Using App System Permissions", the "Guidelines for Network Security Practice - Essential Information Specification for Basic Business Functions of Mobile Internet Applications", the "Guidelines for Network Security Practice - Security Guidelines for Software Development Kits (SDKs) Used in Mobile Internet Applications (Apps)", and the "Information Security Technology - Mobile Internet Application (App) SDK Security Guide". These documents provide a reference for the App Special Governance Working Group in identifying the illegal collection and use of personal information by apps, and provide guidance for self-inspection and self-correction by app developers, operators, SDK providers, and other entities.
In the course of its enforcement work, the Ministry of Industry and Information Technology has issued multiple "Notifications on Apps Infringing User Rights and Interests" to act against the illegal collection, use, and sharing of personal information by apps. The Cyberspace Office has also carried out multiple special enforcement campaigns, such as the "Qinglang Action" and the "Jianwang Action", to crack down on the illegal collection, use, and sharing of personal information by apps. It is foreseeable that, with the formulation and implementation of basic laws in the field of personal information protection such as the Personal Information Protection Law and the Data Security Law, the frequency of personal information protection enforcement activities will gradually increase.
In conducting its online verification business, Minivision transmits data and verification results to downstream customers (collectively referred to as "you") through an API. To help you gain a clearer understanding of the compliance and security measures Minivision has adopted for personal information protection in its online verification business, and to guide you in cooperating with Minivision lawfully and compliantly when providing online verification services, we have compiled this "Xiaoshi's Online Verification Business Compliance and Security Guide" (the "Guide") for your reference.
To avoid ambiguity, the "compliance requirements", "precautions", and other contents in this Guide are drafted by Minivision based on its own understanding of the relevant national laws, regulations, policies, and standards. They are provided for your reference only and do not constitute, and should not be regarded as, an authoritative interpretation of, or a legal opinion or legal advice on, any law, regulation, policy, or standard, nor do they constitute any commitment or guarantee by Minivision to any external party. Likewise, Xiaoshi does not warrant or guarantee that the apps or other products you develop and operate comply with the compliance requirements in this Guide. In addition to reading this Guide in its entirety, we strongly recommend that you gain a thorough understanding of the existing and potentially updated laws, regulations, policies, standards, and enforcement inspection requirements related to personal information protection.
It should be noted that our downstream customers fall into two categories. One type operates apps or provides products aimed mainly at end users ("direct customers"); the other operates apps or provides products aimed mainly at enterprises and other legal-entity users ("non-direct customers"). This Guide provides different compliance recommendations tailored to the characteristics of the two types of customers.
This Guide mainly covers the following three aspects. If you have any questions, please contact Minivision by email at email@example.com:
1. As a personal information processor, the personal information protection compliance points you need to pay attention to when operating apps or providing other products;
2. The personal information protection compliance points you need to pay attention to when cooperating with Minivision on online verification business, mainly including the self-inspection you should carry out and the review requirements Minivision may raise;
3. Minivision's personal information protection capabilities, including the internal control system for personal information protection that Minivision has established and the protective measures it has taken.
This section focuses on the personal information protection obligations that you, as an independent personal information processor, need to fulfill when developing or operating apps or other products. Where you use the online verification services provided by Minivision, this includes how to obtain authorization for personal information processing activities and how to fulfill the obligation to inform the personal information subject. Please note that this section does not cover every compliance point in the applicable laws and regulations such as the Personal Information Protection Law; you also need to pay attention to other compliance points when processing personal information in order to mitigate the related risks.
(1) Compliance points that direct customers need to pay attention to
1. Compliance documents that need to be displayed to end users for apps or other products
Appendix A: Example of Personal Information
Appendix B: Examples of Sensitive Personal Information
Appendix C: How to Safeguard the Choices of the Personal Information Subject
2. Disclosing Minivision's information in the "Personal Information Sharing List"
Before sharing users' personal information with Minivision, you need to inform users of Minivision's name, contact information, purpose of processing personal information, processing method, and the personal information fields involved. Based on our observation of general market practice, we suggest that you use one of the following two methods in the "Personal Information Sharing List" to disclose the sharing of users' personal information with Minivision.
Method 1: Table format

| Name of third party | Shared field type | Purpose of sharing | Method of sharing |
| Minivision Technology (Jiangsu) Co., Ltd | Supplement the types of shared personal information fields according to the actual situation | Supplement the purpose of sharing personal information according to the actual situation | Supplement the method of sharing personal information according to the actual situation |
Method 2: Text Form
You can also inform users of personal information sharing in text form. Please note that the content you provide to users in written form should be consistent with the table.
If you wish to inform users of Minivision's personal information protection strategy and the measures it has taken, you can refer to the third part of this Guide, "Minivision's Personal Information Protection Capability".
4. How to obtain users' authorization for personal information sharing
(2) Compliance points that non-direct customers need to pay attention to
1. Revise the cooperation agreement signed between you and the personal information provider
Considering that you will indirectly collect users' personal information from the personal information provider, we suggest adding the following clause to the contract signed with the personal information provider, requiring them to commit to the legality of the source of the personal information and expressly requiring them to obtain the personal information subject's authorization for collecting personal information for verification services:
[Note: In the following clause, Party A is the personal information provider and Party B is you. The specific wording can be adjusted according to how the agreement is signed.]
Party A warrants that the data it provides to Party B comes from legitimate channels. Party A shall also ensure that the personal information subject has authorized Party A to provide the personal information supplied by the personal information subject to Party B and to the partners that Party B cooperates with or entrusts as necessary for the service (including Party B's partners), so that data verification services can be provided to the personal information subject.
2. Review the authorization obtained by the personal information provider for personal information sharing
In addition to revising the cooperation agreement signed between you and the personal information provider, we also recommend that you substantively review whether the personal information provider obtains individuals' authorization for personal information sharing, so as to avoid bearing fault-based liability under Article 69 of the Personal Information Protection Law if the personal information provider shares personal information without authorization. The review strategies you can adopt include:
(1) Arrange for your employees to test the personal information provider's App or other products to determine whether they have obtained the user's separate consent for personal information sharing;
(2) Request that the personal information provider supply you with statistics on users' operation logs in their app or other products, so as to determine whether users have checked the "Personal Information Sharing List" to authorize personal information sharing;
(3) Require the personal information provider to provide an IT audit report issued by a third-party audit firm.
1. Self-inspection of compliance capability before using the Minivision online verification service
(2) Comply, and continue to comply, with the applicable laws, regulations, and regulatory requirements, including but not limited to formulating and publishing policies related to personal information protection;
(3) Provide end users with easy-to-use choice mechanisms, explain how and when they can exercise their right to choose, and explain how and when they can modify or withdraw a choice after exercising it;
(4) Provide end users with feasible and convenient ways to exercise their rights related to personal information.
2. Minivision's compliance review of you
Please be aware that, in order to ensure that you have effectively obtained end users' authorization and have met the requirements set out above, Minivision may, depending on the specific situation, conduct necessary data compliance due diligence and risk assessment on you before entering into an agreement, before commencing cooperation, or during the cooperation, including but not limited to:
(1) Requiring you to provide proof of the legitimate source of the shared personal information;
(2) Reviewing documents such as the user agreement/terms of service and privacy policy available on your official website and other public channels;
(3) Testing your app to review its authorization and notification mechanisms. If Minivision discovers non-compliance, you may be required to add or supplement the relevant compliance measures; if you fail to do so on time, Minivision has the right to refuse your use of the service.
Please be aware that such due diligence and risk assessment are necessary internal compliance procedures within Xiaoshi; they do not constitute any form of commitment or guarantee and have no legal effect on external counterparties.
Minivision attaches great importance to the protection of your personal information and has taken different measures to ensure data security at each stage of the data lifecycle, as follows:
1. Data collection security
In conducting its verification business, Minivision indirectly collects various data from downstream customers. When collecting data indirectly, Minivision adheres to the principle of minimum necessity and requires downstream customers to commit to the legality of the data source. At the same time, Minivision reviews whether downstream customers have obtained users' separate consent for personal information sharing.
2. Data encryption and isolation security
After Minivision completes data collection, it physically isolates the collected facial information from non-facial information. Non-facial information is desensitized with an irreversible one-way algorithm (SHA-256 hashing) and then stored on Alibaba Cloud ECS servers. Facial information is encrypted with a reversible algorithm (AES encryption) and stored on Alibaba Cloud OSS servers, with the keys stored on Alibaba Cloud ECS servers.
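A defender-side check on the desensitization step above, added here as an example and not Minivision's code: an unkeyed SHA-256 of a low-entropy field such as a mobile number can be recovered by enumerating the value space, whereas a keyed HMAC-SHA256 with the key held apart from the hashed records (the same key/data separation the page describes for facial information) cannot. The phone number, prefix and key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample: a fictional mobile number used as a non-facial field.
SAMPLE_PHONE = "13800001234"

# Plays the role of the separately stored key (data on one system, key on
# another). Generated fresh for this demonstration; in practice it would be
# provisioned and held by a key management service.
PSEUDONYM_KEY = secrets.token_bytes(32)


def plain_sha256(value: str) -> str:
    """Unkeyed SHA-256 of the raw field: one-way, but guessable for small spaces."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 pseudonym: one-way and also unguessable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def matches(value: str, stored: str, key: bytes = PSEUDONYM_KEY) -> bool:
    """Lookup still works for the key holder: recompute and compare in constant time."""
    return hmac.compare_digest(keyed_pseudonym(value, key), stored)


def recover_by_enumeration(digest: str, prefix: str, digits: int,
                           hash_fn: Callable[[str], str] = plain_sha256) -> Optional[str]:
    """Self-check: can a stored digest be mapped back to the field by trying every
    candidate `prefix` + `digits` trailing digits?  The space is kept tiny here;
    a real 11-digit mobile number space is still only about 1e10 SHA-256 calls.
    Someone without PSEUDONYM_KEY can only try the unkeyed hash, so a keyed
    pseudonym is never matched by this loop."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hash_fn(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    unkeyed = plain_sha256(SAMPLE_PHONE)
    keyed = keyed_pseudonym(SAMPLE_PHONE)
    print("unkeyed digest recovered as:", recover_by_enumeration(unkeyed, "1380000", 4))
    print("keyed digest recovered as:  ", recover_by_enumeration(keyed, "1380000", 4))
    print("key holder can still match: ", matches(SAMPLE_PHONE, keyed))
```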
3. Data disaster recovery backup security
While providing online verification services, Minivision stores the collected data on Alibaba Cloud and regularly backs up the accounting data, to prevent data loss, data corruption, and computer system failures that could degrade data quality.
4. Computer Information System Security
Minivision has engaged a professional organization to carry out the classified protection (MLPS) evaluation of its AIOT system currently in operation, and the evaluation results have been submitted to the public security authority to complete the Level 3 classified protection filing for the computer information system.
5. Construction of internal control system
Minivision has established numerous internal control systems to regulate its data processing behavior, including but not limited to:

| Area | Internal control document |
| Data security protection system | Data Lifecycle Security Protection System |
| Network security protection system | Management Measures for Network Information Security |
| Emergency system for network security incidents | Emergency Management System for Network Security and Data Information Security Events |
| Information security accountability system | Information Security Accountability Management System |
| Data security training system | Data Security Education and Training System |