GB/T 41819-2022 English PDF (GBT41819-2022)
GB/T 41819-2022: Information security technology -- Security requirements of face recognition data
GB/T 41819-2022
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Information security technology - Security requirements of
face recognition data
ISSUED ON: OCTOBER 12, 2022
IMPLEMENTED ON: MAY 01, 2023
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
5 General security requirements
6 Requirements for face recognition data collection
7 Requirements for face recognition data storage
8 Requirements for the use of face recognition data
9 Requirements for face recognition data transmission
10 Provision and disclosure requirements for face recognition data
11 Requirements for face recognition data deletion
References
Information security technology - Security requirements of
face recognition data
1 Scope
This document stipulates the general security requirements for face recognition data, as
well as the security requirements for specific processing activities such as collection,
storage, use, transmission, provision, disclosure, deletion.
This document is suitable for data processors to securely carry out face recognition data
processing activities.
2 Normative references
The contents of the following documents constitute essential provisions of this
document through normative references in the text. Among them, for dated reference
documents, only the version corresponding to the date applies to this document; for
undated reference documents, the latest version (including all amendments) applies to
this document.
GB/T 35273 Information security technology - Personal information security
specification
GB/T 37988 Information security technology - Data security capability maturity
model
GB/T 39335 Information security technology - Guidance for personal information
security impact assessment
GB/T 40660 Information security technology - General requirements for biometric
information protection
GB/T 41479 Information security technology - Network data processing security
requirements
3 Terms and definitions
The terms and definitions defined in GB/T 35273 and GB/T 40660, as well as the following
terms and definitions, apply to this document.
3.1
b) Face recognition shall only be used for identity recognition, when it is more secure
or convenient than non-face recognition methods. Both face recognition and non-
face recognition methods shall be provided at the same time, for the natural
person to choose.
Example: When performing identity verification at airports and train stations, the use of
non-face recognition methods will lead to a significant decrease in the convenience of
related services.
c) Natural persons shall not be induced to use face recognition methods, including
but not limited to using face recognition as the preferred or default method of
identity recognition, setting up obstacles to make it difficult for natural persons
to choose to use non-face recognition methods, etc.
d) After a natural person refuses to use the face recognition method, frequent
prompts shall not be made to obtain the natural person's consent to the face
recognition method, for example, more than one prompt within 48 hours.
e) It shall comply with the requirements of GB/T 35273, GB/T 40660, GB/T 41479,
as well as the requirements specified in GB/T 37988 for data security capability
maturity level 3.
f) Before processing face recognition data, a personal information protection
impact assessment shall be conducted, either by the data processor itself or by
an entrusted third-party agency, in accordance with the requirements of
GB/T 39335. The assessment content includes but is not limited to:
1) Whether it complies with the mandatory requirements of laws, administrative
regulations, national standards; whether it complies with public order and good
customs;
2) Whether it has a specific purpose and sufficient necessity;
3) Whether it has the accuracy and precision requirements required to achieve the
purpose;
4) Whether security protection measures appropriate to the security risks faced
are taken to prevent security risks such as face recognition data leakage,
tampering, loss, damage, or illegal acquisition or illegal use;
5) Whether measures have been taken to effectively reduce possible damage and
adverse effects on the rights and interests of data subjects.
g) When the following circumstances occur, the personal information protection
impact assessment shall be re-conducted:
1) The purpose and method of processing face recognition data change;
2) Security incidents such as leakage, tampering, loss, damage, or illegal
acquisition or illegal use of face recognition data indicate that existing security
measures are unable to effectively prevent security risks.
h) If face recognition is used to identify minors under the age of fourteen, separate
consent from their guardians shall be obtained; special personal information
protection rules and user agreements for minors shall be set up; a dedicated person
responsible for the minors shall be designated for the protection of personal
information of minors.
i) Face recognition data shall not be used to evaluate or predict the data subject,
including but not limited to evaluating or predicting the data subject's work
performance, economic status, health status, preferences, interests, consumption
behavior, activity trajectories, etc., unless otherwise agreed by the data subject
separately or in writing.
j) Face images shall not be stored except with the separate consent or written consent
of the data subject.
k) The protection requirements for face recognition data shall be clarified in the
personal information security management system, including but not limited to:
1) Management regulations and operating procedures for face recognition data;
2) Processing rules for face recognition data;
3) Permission to process face recognition data, as well as regular security
education and training for relevant personnel;
4) Security protection measures taken to prevent security risks such as face
recognition data leakage, tampering, loss, damage, or illegal acquisition or
illegal use.
l) For data processors that handle face recognition data of more than 100000 people,
a special personal information protection agency and personal information
protection personnel shall be set up to conduct security background checks on
personal information protection personnel and key personnel; make the contact
information of the person in charge of personal information protection public.
m) The processing rules for face recognition data shall include but not be limited to:
1) The purpose, method, and scope of collecting, using, and storing face recognition
data, as well as the storage period of face recognition data;
2) Possible damage and adverse effects on the rights and interests of data subjects,
as well as the consequences of refusing to provide;
6 Requirements for face recognition data collection
The requirements for data processors to collect face recognition data are as follows:
a) When collecting face recognition data, the data subject shall be informed of the
relevant matters of the face recognition data, including but not limited to the name
and contact information of the data processor, the name and contact information
of the person in charge of pers...