Monday, February 14, 2022

Data compliance issues and related risks faced by companies in the process of listing: Domestic articles

As risk incidents and legislation in cyber security and data protection multiply, securities regulators and investors are paying ever closer attention to cyber security and data protection when technology companies go public. In our investment and financing work, especially when representing companies in financing rounds after Series C, we have repeatedly encountered investors conducting detailed and strict special due diligence on data compliance.

To categorize the risks, we reviewed dozens of prospectuses, legal opinions and regulatory inquiry letters of domestic and overseas listed companies, and compiled the issues that regulators require issuers to address, together with the risks that companies disclose in response to the relevant requirements. We believe some of the questions are not legally precise, but we have tried to keep them as they were asked.

Because disclosure requirements differ greatly between domestic and overseas markets, the material is split into two parts. This is the domestic part, drawn from A-share listed companies; the second part draws on companies listed in the US and Hong Kong.

Data source compliance

The source of user data, the method by which it is obtained, the form of authorization and the governing agreement, and whether that authorization is clear, lawful and effective.

The specific procedures and related arrangements for obtaining user consent when collecting user information, and whether users are clearly informed of the scope of the information collected and the purpose of its use at the time of collection.

Where user data is purchased from a third-party data provider, whether that provider holds ownership of the relevant data, whether the target company's authorization to use the data requires the consent of the end user or other third parties, and whether the authorization is lawful and compliant.

Whether the process by which the APP obtains user authorization through the “User Agreement”, “Privacy Policy” and other agreements with the user is legally complete; whether the customer's users are given explicit notice; whether the agreements contain standard-form clauses that are clearly detrimental to individual users; and whether all of this meets the requirements of relevant laws and regulations.

Whether, when obtaining user authorization through the “User Agreement”, “Privacy Policy” and other agreements between the APP and the user, collecting personal information, pushing advertisements to individual users and so on, the user is clearly informed of the purpose, method and scope of the collection and use of the information.

Data ownership issues

How the issuer obtains ownership of end-user data, and whether its use carries any ownership risk.

The ownership of, and legal basis for, the property rights in the data and information involved in the target company's procurement.

Use of data

Whether the issuer’s use of user data is legal and compliant.

Whether the company's commercial monetization of the data, once obtained, is compliant.

Whether the information is collected and used in accordance with the agreement with the user, and whether the use of authorized data (for Internet marketing or other business) exceeds the authorized scope.

Whether the use of the data exceeds the necessary limit.

Whether personal information is used in the course of conducting business, and whether customer user data and personal information are retained.

Whether the target company stores, records or uses the relevant information and data; if so, whether that conduct complies with laws, regulations and industry standards; if not, whether the target company can still be classified as a big data industry company.

Whether the target company has adopted risk control measures governing the regulated use of data, and whether those measures are well-defined and effective.

Whether there is any illegal sale of personal information.

Data sharing

Whether the “relevant push function” in the clause of the “XX Use Agreement” with the APP developer, which “extends to XX so that it can obtain the reasonable information necessary to realize the relevant push function”, includes sending notifications to end users of other APPs via the APP's sharing link; whether APP end users are aware that notifications are sent to other APPs through link sharing; and whether the APP end users' consent or authorization has been obtained.

The “User Agreement” and “Privacy Policy” of the sampled leading APP products state that user data is collected for the purpose of improving the APP's service and may be shared with third parties. Whether the issuer's link sharing falls within the purpose of “improving the service of this APP”.

Data security protection system

Whether the target company has adopted risk control measures governing the regulated use of data, and whether those measures are well-defined and effective. The lawyers and independent financial advisers are asked to verify this and express a clear opinion.

The internal control systems supporting data acquisition, use, processing, storage and transmission, their implementation status and effectiveness; the specific systems and related arrangements for avoiding or preventing leakage of user privacy; and whether a risk of leakage exists.

The technical system for protecting user information, in particular the technical measures preventing data leakage caused by external malware, viruses, hacker attacks and malicious insiders.

Whether the company has passed the public security department's information system security level protection evaluation.

The measures and methods protecting data security and personal privacy and their effectiveness; whether any personal information or privacy leaks have occurred; whether there is a risk of infringement; whether there are disputes or potential disputes, serious leaks or major lawsuits; and how these were handled, together with the related rectification measures.

The measures taken to prevent leakage of personal information, national security information, state secrets and confidential information in the course of providing products and services; the internal management systems that ensure network security and how effectively they are implemented; whether there is a risk that state secrets, confidential information or personal information may be leaked; whether any such leakage incidents have occurred; and whether administrative penalties have been imposed as a result.

Business and specific data services

State whether the issuer has obtained or is likely to obtain state secrets, confidential information, and personal information in the course of conducting business and daily operations.

With reference to the “Cyber Security Law”, the “Interpretation on Several Issues Concerning the Handling of Criminal Cases of Infringement of Citizens’ Personal Information” and other regulations and judicial interpretations, explain whether any of the issuer's businesses infringe the trade secrets, personal information security or personal privacy of customers, customers' users, specific APP users or other third parties, and whether there are legal risks or potential legal risks in this regard.

Whether there are clauses in the business contract signed with the customer that may infringe the third party's trade secrets or personal information security.

Whether the business content clauses and confidentiality clauses of business contracts signed with customers assist, directly or in disguised form, customers or third parties in conduct that may infringe a third party's trade secrets or personal information security.

DMP (Data Management Platform) service:

The typical customer sources of the DMP service, its service content, and the specific internal processes and control measures for developing the business;

Details of the main DMP service items, sales policies, pricing methods, and settlement methods in each period of the reporting period.

Technical issues

The source, formation process and legal compliance of related big data technologies and large-scale data storage technologies.

A list of the inventors or principal R&D personnel behind the issuer's existing core technologies and their previous employers; the specific source and formation process of the core technologies; and whether any ownership disputes or potential disputes exist over work products created by directors, supervisors, senior managers or other core personnel while at their previous employers. Given that its core personnel previously worked at other companies in the same industry, the issuer is asked to supplement its disclosure of the R&D cycle of its main products, the process of channel promotion and user accumulation, and whether it purchased underlying data from third parties and continued development on the basis of that outsourced data.

The impact of data legislation and regulation on business

What impact the promulgation and implementation of the EU's General Data Protection Regulation (GDPR) has on the issuer's business, what rectification or response measures the issuer has taken, whether there is a risk of penalties, and whether the GDPR will affect the issuer's future business operations.

How changes in data regulation and personal privacy protection policy (in particular, whether the competent authorities' data privacy protection standards will continue to tighten) will affect the issuer's future business, and the issuer's response measures.

Please supplement the explanation of whether the target company's current collection, transmission, storage and application of user information meets the requirements of the “Information Security Technology – Personal Information Security Specification”. If not, please fully disclose the relevant risks and explain the follow-up rectification measures.

In light of its dispute with XX, the issuer is asked to supplement its explanation of whether the collection, storage and use of personal information in its talent pool complies with the provisions of the “Decision of the Standing Committee of the National People’s Congress on Strengthening the Protection of Network Information” and the “Network Security Law of the People’s Republic of China”.
