每周数据法律资讯 Data Law Weekly（20250224-20250302）

1、首批13家企业获增值电信业务经营试点批复

工信部近日向北京、上海、海南、深圳四地13家外资企业发放增值电信业务经营试点批复。相关企业按照批复内容，可开展互联网接入、信息服务等增值电信业务。工信部此前于2024年4月8日发布了《工业和信息化部关于开展增值电信业务扩大对外开放试点工作的通告》，指出在北京、上海、海南、深圳四地开展试点，取消互联网数据中心（IDC）、内容分发网络（CDN）、互联网接入服务（ISP）、在线数据处理与交易处理，以及信息服务中信息发布平台和递送服务（互联网新闻信息、网络出版、网络视听、互联网文化经营除外）、信息保护和处理服务业务的外资股比限制。

【点击查阅首批13家企业名单：

https://www.miit.gov.cn/jgsj/xgj/scgl/art/2025/art_d2d765309fa545bb9109cf4dc9047bf5.html】

1. The first 13 companies to receive approval to operate value-added telecommunications services

The Ministry of Industry and Information Technology (MIIT) recently issued approvals to 13 foreign-invested companies in Beijing, Shanghai, Hainan and Shenzhen to operate value-added telecommunications services. According to the content of the approvals, the companies concerned may carry out value-added telecommunications services such as Internet access and information services. The MIIT previously issued the Notice of the Ministry of Industry and Information Technology on Launching the Pilot Work of Expanding the Opening Up of Value-added Telecommunications Services（《工业和信息化部关于开展增值电信业务扩大对外开放试点工作的通告》） on April 8, 2024, pointing out that the pilot will be carried out in the four places of Beijing, Shanghai, Hainan and Shenzhen, and the restrictions on the proportion of foreign shares in Internet data centres (IDCs), content distribution networks (CDNs), Internet access services (ISPs), online data processing and transaction processing, as well as information services such as information publishing platforms and delivery services (excluding Internet news information, online publishing, online audio-visual, and Internet cultural operations), and information protection and processing services will be lifted.

[Click to view the list of the first 13 companies:

https://www.miit.gov.cn/jgsj/xgj/scgl/art/2025/art_d2d765309fa545bb9109cf4dc9047bf5.html]

2、工信部、市场监管总局发布《关于进一步加强智能网联汽车产品准入、召回及软件在线升级管理的通知》 

2月28日，工信部、市场监管总局联合发布了《关于进一步加强智能网联汽车产品准入、召回及软件在线升级管理的通知》，以及《智能网联汽车产品准入、召回及软件在线升级管理与技术指南》、《车辆产品主要技术参数（新增）》、《智能网联汽车产品事件事故报告主要内容》等三个附件。《通知》要求企业要落实智能网联汽车产品生产一致性和质量安全主体责任，持续确保汽车产品符合网络安全和密码应用安全、数据安全和个人信息保护等国家有关规定，严格履行OTA升级活动管理要求，规范营销宣传行为，健全产品售后服务管理体系。

【全文链接：

https://mp.weixin.qq.com/s/DmCQ6YJzK05kl-qe700FPw】

【点击查阅官方解读：

https://mp.weixin.qq.com/s/S63xYFEnNg0rK7XcExcLyg】

2. The Ministry of Industry and Information Technology and the State Administration for Market Regulation issued the Notice on Further Strengthening the Administration of Intelligent Connected Vehicle Product Access, Recall and Online Software Upgrade（《关于进一步加强智能网联汽车产品准入、召回及软件在线升级管理的通知》）

On February 28, the Ministry of Industry and Information Technology and the State Administration for Market Regulation jointly issued the Notice on Further Strengthening the Administration of Intelligent Connected Vehicle Product Access, Recall and Online Software Upgrade, together with three attachments: the Administrative and Technical Guidelines for Intelligent Connected Vehicle Product Access, Recall and Online Software Upgrade（《智能网联汽车产品准入、召回及软件在线升级管理与技术指南》）, the Main Technical Parameters of Vehicle Products (new additions), and the Main Content of the Intelligent Connected Vehicle Product Incident and Accident Report. The Notice requires enterprises to implement the main responsibility for the consistency and quality and safety of intelligent connected vehicle product production, continue to ensure that automotive products comply with national regulations on cybersecurity and cryptographic application security, data security and personal information protection, strictly fulfil the requirements for the management of OTA upgrade activities, regulate marketing and promotional activities, and improve the product after-sales service management system.

[https://mp.weixin.qq.com/s/DmCQ6YJzK05kl-qe700FPw]

[Click to view the official interpretation:

3、上海市网信办依法约谈一批App运营者，聚焦保护“个人信息删除权”问题

根据2月19日公开发布的《国家网信办依法集中查处一批侵害个人信息权益的违法违规App》通报，上海属地有十余款App存在未按法律规定提供删除或更正个人信息功能问题。为落实国家网信办工作要求，2月26日，上海市网信办依法约谈了相应在沪App运营者，针对通报中指出的无用户账号注销功能等问题，提出整改指导意见，要求企业立即改正相关问题，切实保障好用户个人信息删除权。

【全文链接：

https://mp.weixin.qq.com/s/QQv0y89hHgfdrRUk7NHLNQ】

【合规提示：

建议企业自查自身在保障用户“个人信息删除权”方面是否存在合规问题，重点关注是否设置了有效的用户账号注销功能、是否为用户账号注销设置了不合理条件、用户账号注销承诺时限是否超出15个工作日、是否在承诺时限内完成用户账号注销。】

3. The Shanghai Cyberspace Administration interviewed a number of App operators in accordance with the law, focusing on the issue of protecting the right to delete personal information

According to the notice ‘The Cyberspace Administration of China has investigated and dealt with a number of illegal and irregular Apps that infringe on personal information rights in accordance with the law’（ 《国家网信办依法集中查处一批侵害个人信息权益的违法违规App》） released on February 19, more than ten Apps in Shanghai failed to provide the function to delete or correct personal information as required by law. In order to implement the requirements of the CAC, on February 26, the Shanghai Cyberspace Administration interviewed the relevant App operators in Shanghai in accordance with the law, and proposed rectification guidance in response to issues such as the lack of a function to cancel user accounts, as pointed out in the notice, requiring companies to immediately rectify related issues and effectively protect the right of users to delete their personal information.

[https://mp.weixin.qq.com/s/QQv0y89hHgfdrRUk7NHLNQ]

[Compliance Reminder:

It is recommended that companies conduct self-inspections to determine whether there are any compliance issues in terms of protecting users' right to delete personal information. The focus should be on whether an effective user account cancellation function has been set up, whether unreasonable conditions have been set for user account cancellation, whether the promised time limit for user account cancellation exceeds 15 working days, and whether user account cancellation is completed within the promised time limit.]

4、国家网信办举办欧盟在华企业数据跨境流动政策座谈会

2月25日，国家网信办在京举办欧盟在华企业数据跨境流动政策座谈会，介绍中国数据跨境流动政策法规及中欧数据跨境流动交流机制有关情况，回答欧盟在华企业关于数据跨境流动的有关问题，23家欧盟在华企业和中国欧盟商会相关负责人参加座谈。

【全文链接：

https://mp.weixin.qq.com/s/sYx-3epGZFA3GnUHtuDz5g】

4. The CAC held a policy symposium on cross-border data flows of European Union companies in China

On February 25, the CAC held a policy symposium on cross-border data flows of European Union companies in China in Beijing. The symposium introduced China's policies and regulations on cross-border data flows and the China-EU exchange mechanism on cross-border data flows, and answered questions from European Union companies in China about cross-border data flows. Representatives from 23 European Union companies in China and the European Union Chamber of Commerce in China attended the symposium.

[https://mp.weixin.qq.com/s/sYx-3epGZFA3GnUHtuDz5g]

5、网信办通报2024年执法情况

2024年，全国网信系统严厉打击各类网络违法违规行为，聚焦打击侵害未成年人身心健康、网络暴力、扰乱传播秩序、破坏网络生态等违法违规行为，加大网络安全、数据安全和个人信息保护等领域执法力度。包括针对未履行网络安全、数据安全保护义务等问题依法查处违法违规企业。针对部分App未明示个人信息处理规则、未提供账号注销功能等个人信息保护领域违法违规问题采取处置处罚措施。针对部分具有舆论属性或动员能力的App、小程序未经安全评估即上线提供生成式人工智能服务问题，依法采取下架、下线功能等处置措施。

【全文链接：

https://mp.weixin.qq.com/s/nuvWo8RolVkDioDALo5BYQ】

5. The Cyberspace Administration announced the law enforcement situation in 2024

In 2024, the Cyberspace Administration system cracked down on all kinds of network violations, focusing on violations that harm the physical and mental health of minors, online violence, disrupting the order of dissemination, and destroying the online ecosystem. It also increased law enforcement in the fields of cybersecurity, data security, and personal information protection. This includes investigating and punishing enterprises that violate the law for failing to fulfil their obligations to protect cybersecurity and data security. It also took punitive measures against violations in the field of personal information protection, such as some Apps not clearly stating the rules for processing personal information and not providing an account cancellation function. For some Apps and mini-programs with public opinion attributes or mobilisation capabilities that had been launched without undergoing security assessments and providing generative AI services, disposal measures such as being taken offline or having offline functions had been taken in accordance with the law.

[https://mp.weixin.qq.com/s/nuvWo8RolVkDioDALo5BYQ]

1、马来西发布DPO任命和数据泄露通知指南

2月25日，马来西亚个人数据保护部（PDP）发布了第1/2025号和第2/2025号通告，其中包含有关数据保护官（DPO）任命和数据泄露通知的指南。其中DPO任命指南规定了DPO的职责和任命方法、DPO与数据主体相关的责任等。数据泄露通知指南规定了构成数据泄露的事件示例，以及有关向PDP发出通知、向受影响的数据主体通报数据泄露情况的相关流程等要求。

【全文链接：

https://www.pdp.gov.my/ppdpv1/garis-panduan-dan-pekeliling-perlindungan-data-peribadi-pelantikan-pegawai-perlindungan-data-dpo-dan-pemberitahuan-pelanggaran-data/】

1. Malaysia issued guidelines on DPO appointment and data breach notification

On February 25, the Department of Personal Data Protection (PDP) of Malaysia issued Circulars No. 1/2025 and No. 2/2025, which contain guidelines on the appointment of data protection officers (DPOs) and data breach notification. The guidelines on the appointment of DPOs stipulate the responsibilities and appointment methods of DPOs, the responsibilities of DPOs in relation to data subjects, etc. The data breach notification guidelines set out examples of events that constitute a data breach and requirements for notifying the PDP and informing affected data subjects about the data breach, as well as the relevant procedures.

[https://www.pdp.gov.my/ppdpv1/garis-panduan-dan-pekeliling-perlindungan-data-peribadi-pelantikan-pegawai-perlindungan-data-dpo-dan-pemberitahuan-pelanggaran-data/]

2、土耳其发布《特殊个人数据处理指南》

2 月 26 日，土耳其个人数据保护局（KVKK）发布了《特殊个人数据处理指南》，该指南旨在确保遵守土耳其第7499号法律的最新修订，第7499号法律修改了土耳其《个人数据保护法》第6条的规定。《个人数据保护法》第6条原先规定了处理特殊类别个人数据的条件，第7499号法律取消了原先规定中关于处理不同特殊类别个人数据的区别，并引入了处理这些数据的新条件。该指南旨在帮助数据控制者开展数据处理活动，并履行其根据法律处理特殊类别个人数据的义务。

【全文链接：

https://kvkk.gov.tr/Icerik/8184/Ozel-Nitelikli-Kisisel-Verilerin-Islenmesine-Iliskin-Rehber】

2. Turkey published guide on processing of special personal data

On February 26, the Personal Data Protection Authority (KVKK) of Turkey published a guide on the processing of special personal data. The guide aims to ensure compliance with Law No. 7499, which modified Article 6 of the Law on Protection of Personal Data. Article 6 of the Law on Protection of Personal Data regulates the conditions for processing special categories of personal data. Law No. 7499 abolished the previous distinction between the processing of different special categories of personal data and introduced new conditions for the processing of such data. This guide is intended to help data controllers carry out data processing activities and fulfil their obligations under the law for the processing of special categories of personal data.

[https://kvkk.gov.tr/Icerik/8184/Ozel-Nitelikli-Kisisel-Verilerin-Islenmesine-Iliskin-Rehber]

3、法国CNIL宣布2025年智能网联汽车的优先事项

2月26日，法国数据保护机构（CNIL）宣布了2025年网联汽车的工作计划。CNIL于2023年4月成立了网联汽车和个人数据工作组。CNIL强调，网联汽车工作组将重点关注位置数据和行车记录仪。CNIL表示其将很快发布一份关于网联汽车位置数据使用的建议草案。CNIL指出它计划与行业利益相关者协商，就行车记录仪的使用提出建议。然而，工作组的工作将不包括拍摄车内乘客的摄像头。

【全文链接：

https://www.cnil.fr/fr/club-conformite-vehicules-connectes-programme-de-travail-2025-cnil】

3. CNIL announced priorities for connected vehicles in 2025

On February 26, the French data protection authority (CNIL) announced its work program for connected vehicles in 2025. CNIL established a working group on connected vehicles and personal data in April 2023. CNIL highlighted that the working group on connected vehicles will focus on location data and dashcams. CNIL stated that it will soon release a draft recommendation on the use of location data for connected vehicles. CNIL noted it plans to develop recommendations on the use of dashcams in consultation with sector stakeholders. However, the working group's work will not cover cameras filming the interior of vehicle passenger compartments.

[https://www.cnil.fr/fr/club-conformite-vehicules-connectes-programme-de-travail-2025-cnil]

4、爱尔兰DPC提交关于TikTok的调查决定草案

2月24日，爱尔兰数据保护委员会（DPC）宣布已向欧盟其他监管机构提交了对TikTok的调查决定草案。DPC特别强调，该调查于2021年9月开始，针对TikTok将其平台用户的个人数据从欧盟/欧洲经济区传输到中国，以及TikTok在这方面是否遵守了GDPR。该决定草案还关注TikTok是否在此类数据传输方面遵守了对用户的透明度义务。根据GDPR的规定，DPC将决定草案发送给其他相关监管机构，该等监管机构有一个月的时间向DPC反馈相关意见。

【全文链接：

https://dataprotection.ie/en/news-media/latest-news/irish-data-protection-commission-submits-article-60-draft-decision-inquiry-tiktok】

4. The Data Protection Commission (DPC) of Ireland submitted a draft decision on an inquiry into TikTok

On February 24, the DPC announced that it had submitted a draft decision in an inquiry into TikTok to other supervisory authorities across the EU. In particular, the DPC highlighted that the inquiry was commenced on September 2021 and considers transfers by TikTok of the personal data of users of its platform from the EU/EEA to China and whether TikTok is complying with the GDPR in that respect. The draft decision also considers whether TikTok is complying with its transparency obligations to users insofar as such data transfers are concerned. Under the GDPR, the DPC sends draft decisions to other relevant regulators, who have one month to provide feedback to the DPC.

[https://dataprotection.ie/en/news-media/latest-news/irish-data-protection-commission-submits-article-60-draft-decision-inquiry-tiktok]

5、沙特发布《向沙特境外传输个人数据风险评估指南》

2月24日，沙特数据和人工智能管理局（SDAIA）发布了其关于向沙特境外转移个人数据的风险评估指南。该指南将数据传输风险评估分为四个主要阶段，包括准备阶段；评估个人数据处理阶段的负面影响和潜在风险；向沙特境外实体传输或披露数据的风险评估；以及确定与分析对沙特切身利益影响的相关因素。该指南指出，如果评估仍然表明高风险和短期内对个人或社区利益的不可逆影响，数据控制者应探索替代方法，例如重新评估处理活动或采取更高效和有效的措施。

【全文链接：

https://sdaia.gov.sa/en/SDAIA/about/Documents/RisksTransferringDataOutsideKingdomEn.pdf】

5. Saudi Arabia published transfer risk assessment guideline

On February 24, the Saudi Data & Artificial Intelligence Authority (SDAIA) published its Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom. The guideline divides the data transfer risk assessment into four main phases: preparation phase; assessing the negative impacts and potential risks of personal data processing phase; risk assessment for data transfer or disclosure to entities outside Saudi Arabia; and identifying factors related to the analysis of implications for the vital interests of Saudi Arabia. The guideline notes that if the evaluation still indicates high levels of risk and irreversible impacts in the short term on the interests of individuals or the community, the data controller should explore alternative methods, such as reassessing the processing activity or adopting more efficient and effective measures.

[https://sdaia.gov.sa/en/SDAIA/about/Documents/RisksTransferringDataOutsideKingdomEn.pdf]