Data Law Weekly (20250630-20250706)

Published: 2025-07-07

Author: Attorney 陈嘉伟 et al.

Source: 至融至泽

Contents

I. Domestic news

1. Three National Cybersecurity Standards Approved for Publication

2. The Shanghai Communications Administration issued notice on 162 apps infringing on user rights

3. National Data Administration and SAMR issued Model Contract for Data Circulation and Transactions

4. The CAC released the List of Administrative Inspection Items for Enterprises

5. The Cyberspace Administration of Shanghai Released New Announcement on Generative AI Service Registration Information

6. The National Health Commission issued the “Notice on Further Strengthening the Management of Electronic Medical Record Information in Medical Institutions”

II. Overseas news

1. The EDPB issued a statement on simplifying GDPR compliance processes

2. Vietnam released the list of Core Data and Important Data

Domestic news

1. Three National Cybersecurity Standards Approved for Publication

On July 4, three national standards under the jurisdiction of the National Cybersecurity Standardization Technical Committee were officially published: “Cybersecurity Technology - Information System Disaster Recovery Specifications” (《网络安全技术信息系统灾难恢复规范》, GB/T 20988-2025), “Cybersecurity Technology - Information Security Management System Requirements” (《网络安全技术信息安全管理体系要求》, GB/T 22080-2025), and “Cybersecurity Technology - Digital Watermarking Technology Implementation Guidelines” (《网络安全技术数字水印技术实现指南》, GB/T 45909-2025). These standards will take effect on January 1, 2026.

[Reference: https://www.tc260.org.cn/front/postDetail.html?id=20250704092842&sessionid=-575752680]

2. The Shanghai Communications Administration issued notice on 162 apps infringing on user rights

On July 3, the Shanghai Communications Administration released the “Notice on Apps Engaging in Activities that Infringe on User Rights (2025, Fifth Batch),” involving a total of 162 apps (SDKs). The issues identified in these apps (SDKs) include: illegal collection of personal information, self-startup and associated startup behavior, failure to properly handle user complaints, failure to clearly disclose personal information processing rules, collection of personal information beyond the necessary scope, difficulty in cancelling accounts, inability to cancel accounts, failure to request permissions reasonably, forced, frequent, or excessive permission requests by apps, deceptive, misleading, or coercive behavior, and lack of age verification mechanisms in measures to protect minors.

[Reference: https://mp.weixin.qq.com/s/MBYr8VtM3XgThCOd2PZpsA]

[Brief Comment: The issue of “lack of age verification mechanisms in measures to protect minors” has rarely appeared in previous notices and deserves attention.]

3. National Data Administration and SAMR issued Model Contract for Data Circulation and Transactions

On July 2, the Comprehensive Department of the National Data Administration and the General Office of the State Administration for Market Regulation (SAMR) jointly issued the “Notice on Issuing the Model Contract for Data Circulation and Transactions.” The model contract consists of four documents:

First, the “Data Provision Contract (Model Text),” which applies to activities where data providers provide data to data recipients through paid transactions, free sharing, licensing, or similar means, covering various provision methods such as application programming interfaces (APIs) and datasets.

Second, the “Data Entrusted Processing Service Contract (Model Text),” which applies to activities where an entrusting party entrusts the data it holds or controls to an entrusted party, who then processes the data in accordance with the entrusting party's instructions and requirements.

Third, the “Data Integration and Development Contract (Model Text),” which applies to situations where the parties involved in data integration open and share the data they hold with each other, or jointly entrust it to a specific processing party, in order to jointly create data platforms, data spaces, data pools, derivative data, and the like, such as cooperating to build artificial intelligence data training zones and industry data sharing application platforms, or jointly building alliance-based data resource pools.

Fourth, the “Data Brokerage Service Contract (Model Text),” which applies to activities where a data broker provides intermediary services such as market promotion, information publication, client matching, transaction facilitation, and contract conclusion in order to facilitate data circulation and transactions.

[Click to view the model text: https://www.nda.gov.cn/sjj/zwgk/zcfb/0704/20250704153908883080116_pc.html]

4. The CAC released the List of Administrative Inspection Items for Enterprises

On June 30, the Cyberspace Administration of China (CAC) released the “List of Administrative Inspection Items for Enterprises.” The list includes six inspection items: first, follow-up supervision and inspection of the “Qinglang” series of special operations; second, supervision and inspection of how website platforms implement their primary responsibility for information content management; third, supervision and inspection of internet news information service activities; fourth, supervision and inspection of financial information services provided by foreign institutions; fifth, security assessment and supervision and inspection of new internet technologies and applications; and sixth, inspection and assessment of the establishment of management systems, technical protection measures, and data export compliance with respect to data security and personal information protection. Each of the above inspection items is carried out once a year.

[Reference: https://www.cac.gov.cn/2025-06/30/c_1752998718883876.htm]

5. The Cyberspace Administration of Shanghai Released New Announcement on Generative AI Service Registration Information

On June 30, the Cyberspace Administration of Shanghai released the “Announcement on the Registration Information of Generative Artificial Intelligence Services in Shanghai (June 30).” The announcement shows that, as of June 30, Shanghai had added eight generative artificial intelligence services that have completed registration, bringing the total number of registered generative artificial intelligence services to 95. Generative artificial intelligence applications or functions that have been launched should display the launch number they obtained in a prominent location or on the product details page.

[Reference: https://mp.weixin.qq.com/s/BbrOP7w0520sWjj3RAjPXQ]

6. The National Health Commission issued the “Notice on Further Strengthening the Management of Electronic Medical Record Information in Medical Institutions”

On June 30, the National Health Commission issued the “Notice on Further Strengthening the Management of Electronic Medical Record Information in Medical Institutions” (《关于进一步加强医疗机构电子病历信息使用管理的通知》). The Notice emphasizes that the access permissions and conduct of relevant personnel should be regulated: medical institutions should provide electronic medical record system operators with dedicated identity identifiers and means of identification, and set corresponding permissions. Operators are responsible for the use of their own identity identifiers and must not illegally collect, use, transmit, disclose, or sell patient medical record information or disseminate it through online channels. Medical institutions should sign strict confidentiality agreements and authorization agreements with external service providers that offer services such as information system maintenance and data analysis, clearly defining the scope, purpose, and duration of their access to electronic medical record systems; such providers are subject to supervision by the medical institution during the provision of services, to ensure data security.

[Reference: https://www.nhc.gov.cn/yzygj/c100068/202506/c68abee7c54b4651a774cd533761780b.shtml]

Overseas news

1. The EDPB issued a statement on simplifying GDPR compliance processes

On July 3, the European Data Protection Board (EDPB) issued the “Helsinki Statement on enhanced clarity, support and engagement: A fundamental rights approach to innovation and competitiveness,” which aims to help simplify the General Data Protection Regulation (GDPR) compliance process, strengthen dialogue with a wide range of stakeholders, enhance consistency, and develop cross-regulatory cooperation in the new digital regulatory landscape. These measures are particularly beneficial for micro, small, and medium organizations, enabling responsible innovation and enhancing Europe's competitiveness. The statement proposes the following tools to simplify the application of the GDPR: providing organizations with a series of ready-to-use templates, designing a common template for data breach notifications for Data Protection Authorities, and offering direct and easily applicable resources (such as checklists, how-tos and FAQs) to help organizations understand their key obligations.

[Click here to view the full statement: https://www.edpb.europa.eu/our-work-tools/our-documents/statements/helsinki-statement-enhanced-clarity-support-and-engagement_en]

2. Vietnam released the list of Core Data and Important Data

On July 2, the Vietnamese government released a list of Core Data and Important Data. Core Data includes 26 items, such as unpublished data on national borders and territorial sovereignty collected and managed by state agencies; unpublished data of state agencies on strategies, proposals, and projects for national defense, security, and scientific and technological development in core fields; and unpublished data on national defense and security industrial activities. Important Data includes the 26 Core Data items; unpublished data on inspection, complaint and report handling, and anti-corruption collected and managed by state agencies; unpublished data on criminal investigation, the combating of crime, national security prevention, and the handling of administrative violations collected and managed by state agencies; and unpublished data on internal affairs collected and managed by state agencies, among 18 other items. When determining Core Data and Important Data, consideration is given to the impact on national defense, security, core sectors, foreign relations, the macroeconomy, social stability, and public health and safety if the data is illegally collected or used.

[Reference: https://baochinhphu.vn/ban-hanh-danh-muc-du-lieu-cot-loi-du-lieu-quan-trong-102250702162908953.htm]