Skip to product information
1 of 7

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GB/T 41871-2022 English PDF (GBT41871-2022)

GB/T 41871-2022 English PDF (GBT41871-2022)

Regular price $185.00 USD
Regular price Sale price $185.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GB/T 41871-2022 to get it for Purchase Approval, Bank TT...

GB/T 41871-2022: Information security technology -- Security requirements for processing of motor vhicle data

This document specifies the general security requirements, off-vehicle data security requirements, cabin data security requirements and management security requirements for motor vehicle data processors to collect and transmit motor vehicle data. This document is applicable to motor vehicle data processing activities carried out by motor vehicle data processors, to the design, production, sales, use, operation and maintenance of automobiles, and also to the supervision, management and evaluation of motor vehicle data processing activities by competent regulatory authorities and third-party evaluation agencies.
GB/T 41871-2022
GB
NATIONAL STANDARD OF THE
PEOPLE REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Information security technology - Security requirements for
processing of motor vehicle data
ISSUED ON: OCTOBER 12, 2022
IMPLEMENTED ON: MAY 01, 2023
Issued by: State Administration for Market Regulation;
Standardization Administration of the PEOPLE Republic of China.
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 4
4 General security requirements ... 6
5 Off-vehicle data security requirements ... 8
6 Cabin data security requirements ... 9
7 Management security requirements ... 10
8 Special cases ... 10
Information security technology - Security requirements for
processing of motor vehicle data
1 Scope
This document specifies the general security requirements, off-vehicle data security requirements, cabin data security requirements and management security requirements for motor vehicle data processors to collect and transmit motor vehicle data. This document is applicable to motor vehicle data processing activities carried out by motor vehicle data processors, to the design, production, sales, use, operation and maintenance of automobiles, and also to the supervision, management and evaluation of motor vehicle data processing activities by competent regulatory authorities and third-party evaluation agencies.
2 Normative references
The following documents are normatively referenced in this document and are indispensable for its application. For dated references, only the version corresponding to that date is applicable to this document; for undated references, the latest version (including all amendments) is applicable to this document.
GB/T 35273, Information security technology - Personal information security specification
GB/T 40660, Information security technology - General requirements for biometric information protection
3 Terms and definitions
The following terms and definitions are applicable to this document.
3.1 Motor vehicle data
Personal information data and important data involved in the process of motor vehicle design, production, sales, use, operation and maintenance, etc.
3.2 Personal information
Various information related to identified or identifiable vehicle owners, drivers, passengers, and people outside the vehicle, which are recorded electronically or otherwise, excluding anonymized information.
4 General security requirements
4.1 The processing of personal information by the motor vehicle data processor shall comply with the following requirements.
a) meet all the requirements in GB/T 35273.
b) notify the individual in at least one notable way when obtaining the consent of the individual. Notable ways include prompts for separate chapters of the user manual, voice playback, separate pop-up prompts on the vehicle display panel, interaction with related applications for motor vehicle use, prompts for separate chapters of the motor vehicle sales agreement, prompts for separate chapters of the maintenance service agreement, or interaction with travel service applications, etc.
c) explain to the personal information subject the specific circumstances and necessity of collecting personal information in clear and understandable words. d) be specific and clear when informing the personal information subject of the storage period of various types of personal information, such as 30 days or 1 year. e) make the location of the storage location accurate to the prefecture-level city and inform all storage locations when notifying the personal information subject of the storage location of their personal information.
f) provide personal information subject with personal information management functions such as convenient viewing, copying, and deletion; when the products or services provided support interactive operations, such as websites, vehicle- mounted applications, or mobile communication terminal applications, etc., personal information management functions shall be interactive, and its functional entrance shall be in a prominent position that is easily perceived by the personal information subject.
4.2 The processing of sensitive personal information by the motor vehicle data processor shall comply with the following requirements.
a) Separate consent shall be obtained from the personal information subject for each sensitive personal information, and consent shall not be obtained for multiple sensitive personal information or multiple processing activities at one time. Note: The motor vehicle data processor needs to process the voice data to provide the voice recognition function for the driver. A separate pop-up window can be popped up to obtain the driver?€?s consent for this function;
alternatively, a separate option that can be checked for this function can be set in the notification consent to obtain the driver?€?s consent.
b) When obtaining the individual consent of the personal information subject, the consent period for processing sensitive personal information shall not be set to ?€?always allow?€? or ?€?permanent?€?.
Note: The motor vehicle data processor needs to process voice data for the voice recognition function. When obtaining the individual consent of the
personal information subject, it can provide the personal information
subject with options such as single, seven days, three months and one year. c) In order to complete the deletion within ten working days after receiving the request to delete personal information, in principle, a structured directory of personal information shall be established to achieve traceable management of personal information.
d) In principle, sensitive personal information shall not be processed for the purpose of improving service quality, enhancing user experience, and developing new products.
4.3 Continuous collection of sensitive personal information by motor vehicle data processors shall comply with the following notification requirements.
a) The collection status shall be prompted by means of the icon on the vehicle display panel or the flashing or constant light of the indicator light of the signal device. b) When continuously prompting to collect sensitive personal information, clear and understandable prompts shall be set according to different types of information. Note: The camera icon flashes or stays on to indicate that in-vehicle video data is being collected, the recording icon flashes or stays on to indicate that in- vehicle voice data is being collected, and the diagonally upward triangle icon flashes or stays on to indicate that location data is being collected. 4.4 The processing of biometric feature information such as face, voiceprint or fingerprint by the motor vehicle data processor shall comply with the following requirements.
a) The purpose and sufficient necessity of enhancing driving safety shall be evaluated.
Note: The purpose of enhancing driving safety includes identity verification and driver status monitoring.
b) All the requirements in GB/T 40660 shall be met.
4.5 The contact person for user rights affairs set up by the motor vehicle data processor in terms of personal information protection shall meet the following requirements. deleting or partially contouring these areas, other processing such as face comparison, gait analysis, and speech recognition shall not be performed. d) After the anonymization process is completed, the process data shall be deleted immediately and shall not be provided outside the vehicle.
6 Cabin data security requirements
6.1 Unless voluntarily set by the motor vehicle driver, the motor vehicle shall be set to the state of not collecting cabin data by default, including not turning on the camera, microphone, infrared sensor, fingerprint sensor and other components in the motor vehicle. The collection can only start after the driver actively selects through physical buttons or touch buttons, and the motor vehicle can keep the state selected by the driver or restore the default state according to the driver?€?s settings.
6.2 The motor vehicle shall not provide cabin data to the outside of the vehicle, except for the following circumstances.
a) In order to realize the voice recognition function to judge the motor vehicle control commands in real time, process the voice command data outside the vehicle, obtain the consent of the personal information subject, and immediately delete the original data and processing results after the function is realized. b) In order to realize the remote viewing of the situation in the vehicle or the cloud storage function, provide data to the user, obtain the consent of the personal information subject, and take security measures so that other organizations and individuals other than the user cannot access it.
c) Transmission of data from road transport vehicles to the monitoring platform of the transport company, the public management platform and the regulatory agency in accordance with relevant regulations.
d) Transmission of data from operational vehicles such as taxis and buses to supervisory authorities.
e) Transmission of data as required by law enforcement agencies after a road traffic accident occurs.
6.3 Motor vehicle data processors shall provide convenient ways to terminate the collection of cabin data, including physical buttons, voice control, touch buttons, and motor vehicle use-related applications, etc. In the case of ensuring driving safety and personal safety, the driver, after choosing to terminate the collection, shall turn off the components that collect cabin data such as the microphone and camera in the motor vehicle. In order to ensure driving safety and personal safety, the relevant components may not be turned off in the following situations:
a) Road transport vehicles that are providing road operation services continue to collect cabin data;
b) Buses that are providing travel services continue to collect cabin data. 7 Management security requirements
7.1 Motor vehicle data processors shall carry out motor vehicle data risk assessments. The assessment content generally includes motor vehicle data identification, data processing activity identification, motor vehicle data security risk identification, risk analysis and evaluation, etc., which can be carried out in the form of self-assessment or third-party assessment.
7.2 The safety manager of motor vehicle data shall be the main person in charge of the vehicle data processor or the person in charge of data security, and shall be familiar with data security and personal information protection policies and regulations in China, and have work experience in security management.
7.3 Motor vehicle data processors shall establish and improve the emergency response mechanism for security incidents, carry out emergency drills at least once a year, and should support evidence collection analysis after security incidents through mechanisms such as vehicle data storage and vehicle data traceability.
7.4 The motor vehicle data processors shall accept the motor vehicle data security complaints by means of telephone or instant messaging platform, and generally complete the processing within 10 working days after receiving the complaints, and make a complete record of the processing process and processing results. 7.5 Motor vehicle manufacturers shall have a comprehensive grasp of the data collection and transmission of the components contained in the complete vehicles they produce, and restrict and supervise the behavior of component suppliers in processing vehicle data. The complete situation of the external transmission of motor vehicle data shall be disclosed to users every year or when there is a major change. 8 Special cases
Unless necessary, the requirements of this document do not apply to the following data processing activities:
a) motor vehicle data processing activities when police cars, fire trucks, ambulances, and engineering emergency vehicles perform emergency tasks;
b) motor vehicle data processing activities when operating vehicles equipped with special equipment or appliances are engaged in operating activities in closed places;

View full details