Archivos de la etiqueta: Legislación Informática China

23Sep/21

Personal Information Protection Law of the People’s Republic of China

Personal Information Protection Law of the People’s Republic of China was adopted by the 30th meeting of the Standing Committee of the 13th National People’s Congress of the People’s Republic of China on August 20, 2021

Personal Information Protection Law of the People’s Republic of China (Adopted at the 30th meeting of the Standing Committee of the 13th National People’s Congress on August 20, 2021)

Chapter I.- General Provisions

Article 1

This Law is enacted in accordance with the Constitution to protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information.

Article 2

The personal information of any natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of any natural person.

Article 3

 This Law shall apply to the processing of the personal information of natural persons within the territory of the People’s Republic of China.

This Law shall also apply to the activities carried out outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:

(I) where the purpose is to provide products or services to domestic natural persons;

(II) where the purpose is to analyze and evaluate the activities of domestic natural persons; and

(III) other circumstances provided by laws and administrative regulations.

Article 4

Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.

Processing of personal information includes the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.

Article 5

Personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed by misleading, fraud, coercion, or other means.

Article 6

Processing of personal information shall be for a definite and reasonable purpose, shall be directly related to the purpose of processing, and shall be processed in a manner that has the least impact on individual rights and interests.

Collection of personal information shall be limited to the minimum scope for the purpose of processing and shall not be excessively collected.

Article 7

Processing of personal information shall follow the principles of openness and transparency, disclose the rules for processing personal information, and expressly indicate the purpose, manner, and scope of processing.

Article 8

When processing personal information, the quality of personal information shall be ensured to avoid adverse effects on personal rights and interests caused by inaccurate and incomplete personal information.

Article 9

Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information processed.

Article 10

No organization or individual may illegally collect, use, process, or transmit other people’s personal information, or illegally trade, provide, or disclose other people’s personal information, or engage in the processing of personal information that endangers the national security or public interests.

Article 11

The State establishes a sound personal information protection system, prevent and punish the infringement of personal information rights and interests, strengthen the publicity and education on personal information protection, and promote the formation of a good environment for the government, enterprises, relevant social organizations and the public to jointly participate in personal information protection.

Article 12

The State actively participates in the formulation of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and drives the mutual recognition of the rules and standards for personal information protection with other countries, regions, and international organizations.

Chapter II.- Rules for Processing Personal Information

Section 1.- General Provisions

Article 13

Only under any of the following circumstances may a personal information processor process personal information:

(I) where the consent of the individual concerned is obtained;

(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law;

(III) where it is necessary for the performance of statutory duties or statutory obligations;

(IV) where it is necessary for coping with public health emergencies or for the protection of the life, health, and property safety of a natural person;

(V) where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope;

(VI)where the personal information disclosed by individuals themselves or other legally disclosed personal information is processed within a reasonable scope in accordance with the provisions of this Law; and

(VII)other circumstances provided by laws and administrative regulations.

Individual consent shall be obtained for the processing of personal information stipulated in the other clauses of this Law, but in the circumstances specified in the preceding paragraph from (II) to (VII), the individual’s consent is not required.

Article 14

Where the processing of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. If laws and administrative regulations provide that the processing of personal information shall be subject to the individual’s separate consent or written consent, such provisions shall prevail.

If the purpose or method of processing personal information or the type of personal information to be processed changes, the individual’s consent shall be obtained again.

Article 31 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.

Personal information processors shall formulate special personal information processing rules for handling the personal information of minors under the age of 14.

Article 15

Where the processing of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information processor shall provide convenient means to withdraw consent.

The individual’s withdrawal of consent does not affect the validity of the personal information processing activities conducted prior to the withdrawal based on the individual’s consent.

Article 16

A personal information processor shall not refuse to provide products or services on the grounds that the individual does not agree to process his/her personal information or withdraws his/her consent, unless the processing of personal information is necessary for providing products or services.

Article 17

Prior to processing personal information, a personal information processor shall truthfully, accurately, and completely inform the individual of the following matters in an eye-catching manner and with clear and understandable language:

(I) the name and contact information of the personal information processor;

(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;

(III) the method and procedure for the individual to exercise the rights provided herein; and

(IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.

If any of the matters provided in the preceding paragraph is changed, the individual shall be notified of such change.

Article 18

When processing personal information, a personal information processor may not notify the individual of the matters provided for in laws and administrative regulations where confidentiality shall be kept, or it is not necessary to notify the individual of the matters provided for in Paragraph 1 of the preceding Article.

In case of emergency, it is unable to timely inform the individual to protect the life, health and property safety of natural persons, the personal information processor shall inform the individual in time after elimination of emergency.

Article 19

The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing, except for where the retention period of personal information is otherwise provided for in laws and administrative regulations.

Article 20

Where more than two personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s right to exercise the rights provided for in this Law against any of the personal information processors.

Where personal information processors jointly processing personal information infringes upon personal information rights and interests and cause damages, they shall bear joint and several liabilities in accordance with the law.

Article 21

Where a personal information processor entrusts others to process personal information, it shall agree with the entrusted party on the purpose, duration, and method of entrusted processing, type and protection measures of personal information as well as the rights and obligations of both parties, and supervise the personal information processing activities of the entrusted party.

The entrusted party shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing. If the contract is invalidated, invalid, revoked or terminated, the entrusted party shall return the personal information to the personal information processor or delete the personal information, and shall not retain the personal information.

Without the consent of the personal information processor, the entrusted party shall not re-entrust others to process personal information.

Article 22

Where a personal information processor needs to transfer personal information due to reasons such as merger, division, dissolution, or being declared bankrupt, it shall inform the individual of the name and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall obtain the individual’s consent anew in accordance with this Law.

Article 23

Where a personal information processor provides other personal information processors with the personal information it processes, it shall inform the individual of the name and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the party receiving personal information changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law.

Article 24

Where personal information processors use personal information to make automatic decision, the transparency of decision-making and the fairness and justice of the results shall be ensured, and shall not impose unreasonable differential treatment on individuals in terms of transaction price and other transaction conditions.

Where business marketing and information push are carried out through automatic decision-making, options not based on his/her personal characteristics shall be provided at the same time, or a convenient way for individuals to reject shall be provided.

Where automatic decision-making has a significant impact on individual’s rights and interests, he/she has the right to require the personal information processor to give an explanation, and to reject the decision made by the personal information processor only through automatic decision-making.

Article 25

A personal information processor shall not disclose the personal information it processes, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations.

Article 26

Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the State, and conspicuous prompting signs shall be installed. Personal images and personal identifiable information collected may only be used for the purpose of maintaining public security and shall not be used for other purposes, unless the individual’s consent is obtained.

Article 27

Personal information processors may, within a reasonable range, process personal information that has been disclosed by individuals themselves or other lawfully disclosed personal information, except where the individual explicitly refuses. Personal information processors shall obtain the consent of individuals in accordance with the provisions of this Law if the processing of disclosed personal information has a major impact on the rights and interests of individuals.

Section 2.- Rules for Processing Sensitive Personal Information

Article 28

Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity or natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.

Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.

Article 29

Individual consent should be obtained for processing sensitive personal information. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.

Article 30

For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual’s right and interest, in addition to the matters prescribed in Paragraph 1 of Article 17 thereof, except those that may not be notified to individuals in accordance with the provisions of this Law.

Article 31

If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.

Personal information processors shall formulate special personal information processing rules for handling the personal information of minors under the age of 14.

Article 32

Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or other restriction, such provisions shall prevail.

Section 3.- Special Provisions on Processing Personal Information by State Organs

Article 33

This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, the provisions of this Section shall apply.

Article 34

The processing of personal information by a State organ for the purpose of performing its statutory duties shall be under the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for performing its statutory duties.

Article 35

A State organ processing personal information for the purpose of performing its statutory duties shall perform the obligation of notification in accordance with this Law, except for circumstances prescribed in Paragraph 1 of Article 18, or the notification will hinder the State organ from performing its statutory duties.

Article 36

The personal information processed by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a security assessment shall be conducted. Relevant departments may be required to provide support and assistance for security assessment.

Article 37

The provisions of this law on personal information processed by State organs shall apply for personal information processing by organizations authorized by laws and regulations with the function of managing public affairs to perform statutory duties.

Chapter III.- Rules for Cross-border Provision of Personal Information

Article 38

Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions:

(I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;

(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;

(III) where it has concluded a contract with an overseas recipient according to the standard contract formulated by the state cyberspace administration, specifying the rights and obligations of both parties; or

(IV) where it has satisfied other conditions prescribed by laws, administrative regulations, or the State cyberspace administration.

Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside the territory of the People’s Republic of China, such provisions may be complied with.

Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.

Article 39

Where a personal information processor provides personal information of an individual to a party outside the territory of the People’s Republic of China, it shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose, and method of processing, type of personal information and the way and procedure for the individual to exercise the rights prescribed herein against the overseas recipient, and shall obtain the individual’s separate consent.

Article 40

Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations, or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.

Article 41

The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or participated in by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China. Without the approval of the competent authority of the People’s Republic of China, personal information processor shall not provide the personal information stored within the territory of the People’s Republic of China to judicial or law enforcement agencies outside of the territory of the People’s Republic of China.

Article 42

For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting the provision of personal information to such overseas organization or individual.

Article 43

Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in respect of the protection of personal information, the People’s Republic of China may, as the case may be, take reciprocal measures against such country or region.

Chapter IV.- Rights of Individuals in Activities of Processing Personal Information

Article 44

An individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations.

Article 45

An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 18 and Article 35 herein.

Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.

Where an individual requests to transfer his/her personal information to a personal information processor designated by him/her, the personal information processor shall provide the means for such transfer if the conditions prescribed by the State cyberspace administration are met.

Article 46

Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.

Where an individual requests for corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.

Article 47

Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative; if the personal information processor has not deleted it, the individual concerned shall have the right to request deletion:

(I) where the purpose of processing has been achieved, unable to achieve, or is no longer necessary to achieve;

(II) where the personal information processor stops providing products or services, or the agreed storage period has expired;

(III) where the individual withdraws his/her consent;

(IV) where the personal information processor processes personal information in violation of laws, administrative regulations, or the agreement; or

(V) any other circumstance as prescribed by laws and administrative regulations.

Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop processing personal information other than storage and taking necessary security measures.

Article 48

An individual is entitled to request the personal information processor to explain the rules on the processing of personal information.

Article 49

In the event of the death of a natural person, his/her near relatives may, for their own lawful and legitimate interests, exercise the rights of consulting, copying, correcting, and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless the deceased had otherwise arranged before his/her death.

Article 50

A personal information processor shall establish a convenient mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated.

Where the personal information processor refuses an individual’s request to exercise his rights, the individual may bring a lawsuit in a people’s court according to law.

Chapter V.- Obligations of Personal Information Processors

Article 51

A personal information processor shall, according to the purpose and method of processing personal information, type of personal information, impact on individual’s right and interest, and possible security risk, etc., take the following measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized visit, or leakage, falsification, and loss of personal information:

(I) formulating internal management system and operational procedures;

(II) managing personal information by classification;

(III) taking corresponding technical security measures such as encryption and de-identification;

(IV) reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;

(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and

(VI) other measures as prescribed by laws and administrative regulations.

Article 52

Where the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.

A personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department performing duties of personal information protection.

Article 53

Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of relevant agency or the representative to the department performing duties of personal information protection.

Article 54

A personal information processor shall regularly audit whether its processing of personal information is in compliance with provisions of laws and administrative regulations.

Article 55

A personal information processor shall conduct personal information protection impact assessment of the following circumstances in advance and keep a record of the processing:

(I) processing sensitive personal information;

(II) making use of personal information to make automatic decisions;

(III) entrusting others to process personal information, providing other personal information processors with personal information, and disclosing personal information;

(IV) providing personal information to overseas parties; and

(V) other personal information processing activities that have a significant impact on individuals’ rights and interests.

Article 56

The personal information protection impact assessment shall include the following:

(I) whether the purpose and method of processing personal information are legitimate, justifiable, and necessary;

(II) impact on individuals’ rights and interests and the security risks; and

(III) whether the security protection measures taken are legitimate, effective, and appropriate to the degree of risks.

The personal information protection assessment report and processing record shall be kept for at least three years.

Article 57

Where personal information has been or may be leaked, falsified, or lost, the personal information processor shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:

(I) types and causes of personal information leakage, falsification, and loss that have occurred or may occur and the possible harm caused;

(II) remedial measures taken by personal information processors and measures taken by individuals to mitigate harm;

(III) contact information of the personal information processor.

If the personal information processor has taken measures to effectively avoid harm caused by information leakage, falsification, or loss, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes harm shall be caused, it may require the personal information processor to notify the individuals thereof.

Article 58

Personal information processors that provide important Internet platform services with a large number of users and complex business types shall perform the following obligations:

(I) Establish and improve the compliance system for personal information protection in accordance with state regulations, and establish an independent organization composed mainly of external members to protect personal information;

(II) Formulate the rules of the platform in accordance with the principles of openness, fairness, and justice, to clarify the norms for the processing of personal information and the obligations of the product or service providers within the platform to protect personal information;

(III)Stop providing services to the product or service providers on the platform that seriously violate laws and administrative regulations in processing personal information;

(IV) Regular release of social responsibility report regarding personal information protection and subject to public supervision.

Article 59

The party entrusted to process personal information shall fulfill the relevant obligations prescribed by this Law and other relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist personal information processors to fulfill their obligations under this Law.

Chapter VI.- Departments Performing Duties of personal information protection

Article 60

The state cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising, and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising, and administering personal information shall be determined in accordance with relevant provisions of the State.

The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.

Article 61

Departments performing duties of personal information protection shall perform the following duties of personal information protection:

(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;

(II) accepting and processing complaints and reports relating to personal information protection;

(III) organizing the evaluation of the protection of personal information such as applications and publish the evaluation results;

(IV) investigating and processing illegal personal information processing activities; and

(V) other duties stipulated by laws and administrative regulations.

Article 62

The state cyberspace administration shall coordinate with the relevant departments in promoting the protection of personal information in accordance with this Law as follows:

(I) formulate specific rules and standards for the protection of personal information;

(II) formulate special personal information protection rules and standards for small personal information processors, sensitive personal information processing, and new technologies and applications such as face recognition and artificial intelligence;

(III) support research, development, and promotion of secure and convenient electronic identity authentication technology, and promote the construction of public services for online identity authentication;

(IV) promote the development of a socialized service system for protecting personal information and support relevant organizations in carrying out assessment and certification services in respect of personal information protection.

(V) improve the mechanism for complaints and whistleblowing reports on personal information protection.

Article 63

Departments performing duties of personal information protection may take the following measures when performing the duties of personal information protection:

(I) inquiry of the parties concerned, and investigation of the circumstances relating to personal information processing activities;

(II) consulting and copying contracts, records, account books, and other relevant materials relating to personal information processing activities of the parties concerned;

(III) carrying out on-site inspection and investigation activities relating to processing personal information suspected of violating laws; and

(IV) checking the equipment and Articles relating to personal information processing activities and may sealing up or seizing the equipment and Articles that are proved to be illegal personal information processing activities upon reporting in writing to the principal of the department and getting approval.

When departments performing duties of personal information protection perform duties in accordance with the law, the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct such performance.

Article 64

Where departments performing duties of personal information protection find in performing their duties of personal information protection that there are relatively high risks in personal information processing activities or personal information security incidents have occurred, they may interview the legal representative or person chiefly in charge of the personal information processor according to prescribed authority and procedures, or require the personal information processor to entrust professional institutions to conduct compliance audits of their personal information processing activities. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required.

The department that performs the duty of personal information protection and discovers that the illegal processing of personal information is suspected of a crime in the course of performing its duty, shall promptly transfer the case to the public security organ for handling according to law.

Article 65

Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing duties of personal information protection. The departments receiving such complaints or reports shall promptly process them according to the law and notify the complainants or reporters of the results. The departments performing duties of personal information protection shall make public the contact information for accepting complaints or reports.

Chapter VII.- Legal Liability

Article 66

Where personal information is processed in violation of the provisions hereof, or personal information is processed without fulfilling the personal information protection obligations stipulated in this Law, the departments performing duties of personal information protection shall order the processor to make rectification, give a warning and confiscate its illegal gains, or order the application that illegally processing personal information to suspend or terminate the provision of services; if rectification is refused, a fine of not more than RMB 1 million shall be imposed concurrently on the processor; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge of the processor and other directly liable persons. Where an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection at or above the provincial level shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons, and such persons may also be prohibited from serving as directors, supervisors, senior managers, and persons in charge of personal information protection of relevant enterprises for a certain period of time.

Article 67

Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public.

Article 68

Where a state organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law.

Where the staff of departments responsible for personal information protection guilty of dereliction of duties, abusing official powers, or malpractice for personal gain but yet to constitute a crime, they shall be punished pursuant to the law.

Article 69

Where the right and interests of personal information are infringed upon due to personal information processing and cause damages, and the personal information processor cannot prove that it is not at fault, it shall bear the tort liability for damages.

Liability for damages prescribed in the preceding paragraph shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances.

Article 70

Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the consumer organizations specified by law and the organization determined by the state cyberspace administration may file a lawsuit with the people’s court in accordance with the law.

Article 71

Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Chapter VIII.- Supplementary Provisions

Article 72

This Law shall not be applicable to the processing of personal information by a natural person by virtue of his/her personal or family affairs. Where there are legal provisions on the processing of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply.

Article 73

For the purposes of this Law, the following terms are defined as follows:

(I) A personal information processor refers to any organization or individual that independently determines the purpose and method of processing in personal information processing activities.

(II) An automatic decision-making refers to an activity to automatically analyze and evaluate a person’s behavior habits, hobbies or economic, health or credit status through computer programs and make decisions.

(III) De-identification refers to the process in which personal information is processed so that it is impossible to identify certain natural persons without the use of additional information.

(IV) Anonymization refers to the process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be recovered.

Article 74

This Law shall come into force as of November 1, 2021.

23Sep/21

Data Security Law of the People’s Republic of China. (DSL)

Data Security Law of the People’s Republic of China. (DSL). China´s National People´s Congress Standing Committee, June 10, 2021 

Chapter I.- General Provisions

Article 1

This Law is formulated in order to standardize data handling activities, ensure data security, promote data development and use, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security, and development interests.

Article 2

This Law applies to data handling activities and their security regulation within the mainland territory of the People’s Republic of China (PRC).

When data handling activities outside the mainland territory of the PRC harm the national security, the public interest, or the lawful rights and interests of citizens or organizations of the PRC, legal liability is to be pursued according to the law.

Article 3

As used in this Law, “data” refers to any information record in electronic or other form.

“Data handling” includes the collection, storage, use, processing, transmission, provision, disclosure, etc., of data.

“Data security” refers to ensuring data is in a state of effective protection and lawful use through adopting necessary measures, and to possessing the capacity to ensure a persistent state of security.

Article 4

In safeguarding data security, the overall national security concept shall be upheld, data security governance systems established and completed, and data security protection capacities increased.

Article 5

The central leading institution for national security is responsible for: policy-making, deliberation, and coordination in national data security work; researching, formulating, and guiding the implementation of national data security strategy and related major directives and policies; comprehensively coordinating major matters and important work in national data security; and establishing a national data security work coordination mechanism.

Article 6

Each locality and department is responsible for data collected and created, as well as data security, in the respective locality or department’s work.

Departments in charge of such sectors as industry, telecommunications, transportation, finance, natural resources, hygiene and health, education, and technology are to undertake data security regulatory duties in their respective field.

Public security authorities and national security authorities, etc., are to undertake data security regulatory duties within the scope of their respective duties, in accordance with the provisions of this Law and relevant laws and administrative regulations.

The national cybersecurity and informatization department is responsible for the comprehensive coordination of network data security and related regulatory work, in accordance with the provisions of this Law and relevant laws and administrative regulations.

Article 7

The State is to protect the data-related rights and interests of individuals and organizations; encourage lawful, reasonable, and effective data use; ensure the lawful and orderly free flow of data; and promote the development of the digital economy with data as a key factor.

Article 8

In the conduct of data handling activities, laws and regulations shall be followed, social public morals and ethics respected, business ethics and professional ethics observed, honesty and trustworthiness [practiced], data security protection obligations fulfilled, and social responsibility assumed; national security and the public interest must not be endangered; and the lawful rights and interests of individuals and organizations must not be harmed.

Article 9

The State is to support the launch of data security knowledge propagation and popularization; raising the entire society’s consciousness and level of data security protection; pushing relevant departments, industry organizations, scientific research institutions, enterprises, individuals, etc., to jointly participate in data security protection work; and forming a positive environment for the entire society to jointly safeguard data security and promote development.

Article 10

Relevant industry organizations, in accordance with their charters, are to formulate data security standards of conduct and group standards, strengthen industry self-discipline, guide members to strengthen data security protection, raise data security protection levels, and promote the healthy development of the industry.

Article 11

The State is to actively engage in international exchanges and cooperation in fields such as data security governance and data development and use, participating in the formulation of international rules and standards related to data security, and promoting the secure and free flow of data across borders.

Article 12

Any organization or individual has the right to file a complaint about or report acts violating the provisions of this Law to the relevant department in charge. Departments receiving complaints or reports shall handle them promptly and in accordance with law.

Relevant departments shall preserve the confidentiality of information related to persons filing complaints or reports and protect the lawful rights and interests of persons filing complaints or reports.

Chapter II.- Data Security and Development

Article 13

The State is to coordinate overall development and security, persist in the promotion of data security through data development and use and industrial development, and ensure the development and use of data and industrial development through data security.

Article 14

The State is to implement a big data strategy, advancing data infrastructure construction, and encouraging and supporting the innovative application of data in all industries and all fields.

Provincial-level and higher people’s governments shall include digital economy development in their respective level’s people’s economic and social development plans, and formulate digital economy development plans as needed.

Article 15

The State is to support the development and use of data to increase the intelligentization level of public services. When providing intelligentized public services, the needs of elderly people and people with disabilities shall be fully considered, to avoid creating obstacles in the daily lives of elderly people and people with disabilities.

Article 16

The State is to support research into data development and use and data security technology, encourage dissemination and commercial innovation of technology in fields such as data development and use and data security, and foster and develop products and industrial systems for data development and use and data security.

Article 17

The State shall promote the construction of technical and data security standards systems for data development and use. The administrative department for standardization under the State Council and the relevant departments of the State Council shall, in accordance with their respective duties, organize the formulation and timely revision of standards relating to data development and use technologies, products, and data security. The State is to support the participation of enterprises, social organizations, and educational or scientific research institutions in the formulation of standards.

Article 18

The State is to promote the development of services such as data security testing and assessment, certification, etc., and to support specialized institutions for data security testing and assessment, certification, etc., to carry out service activities in accordance with law.

The State is to support relevant departments, industry organizations, enterprises, educational or scientific research institutions, relevant professional bodies, etc., in carrying out collaboration in areas such as assessment, prevention, and handling of data security risks.

Article 19

The State is to establish and complete data transaction management systems, standardize data transaction behavior, and cultivate a data transaction market.

Article 20

The State is to support education and scientific research institutions, enterprises, etc., to carry out education and training in data development and use technologies and data security, adopting diverse methods to cultivate professional talent in data development and use technology and data security, and promoting talent exchanges.

Chapter III.- Data Security Systems

Article 21

The State is to establish a categorized and graded protection system for data, implementing categorized and graded protection according to the data’s degree of importance in economic and social development, as well as the degree of danger to national security, public interests, or the lawful rights and interests of individuals or organizations brought about if it is altered, destroyed, leaked, or illegally obtained or used. The national data security work coordination mechanism is to comprehensively coordinate relevant departments in formulating catalogs of important data and strengthen the protection of important data.

Data related to national security, the lifelines of the national economy, important aspects of people’s livelihoods, major public interests, etc., constitute core national data, for which a stricter management system is to be implemented.

Each region and department, in accordance with the categorical and graded protection system for data, shall determine a specific catalog of important data for the respective region, department, or relevant industry, and engage in special protection of data listed in the catalog.

Article 22

The State is to establish a centralized and integrated, highly effective, and authoritative mechanism for data security risk assessment, reporting, information sharing, monitoring, and early warning. The national data security work coordinating mechanism is to comprehensively coordinate relevant departments to strengthen data security risk information acquisition, analysis, determination, and early warning work.

Article 23

The State is to establish data security emergency response mechanism. When data security incidents occur, relevant departments in charge shall activate emergency response plans in accordance with law, taking corresponding emergency response and handling measures to prevent further harm and eliminate security gaps, and promptly release warning information relevant to the public.

Article 24

The State is to establish a data security review system and conduct national security reviews for data handling activities that affect or may affect national security.

Security review decisions made according to law are final decisions.

Article 25

The State is to implement export controls in accordance with law for data belonging to controlled categories in order to safeguard national security and interests and fulfill international obligations.

Article 26

When any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the PRC relevant to investment, trade, etc., in data, data development and use technology, etc., the PRC may take reciprocal measures against that country or region based on the actual circumstances.

Chapter IV.- Data Security Protection Obligations

Article 27

The conduct of data handling activities shall be in compliance with the provisions of laws and administrative regulations, establishing and completing a data security management system for the entire workflow, organizing and conducting data security education and training, and adopting corresponding technical measures and other necessary measures to ensure data security. The conduct of data handling activities using the Internet or other such information networks shall perform the data security protection obligations described above on the basis of the cybersecurity Multi-Level Protection System.

Important data handlers shall clearly designate persons responsible for data security, and management bodies to implement data security protection responsibilities.

Article 28

The conduct of data handling activities and research and development of new data technologies shall be beneficial to promoting economic and social development, enhance the people’s well-being, and conform to social morals and ethics.

Article 29

The conduct of data handling activities shall strengthen risk monitoring, and when data security shortcomings, leaks, or other such risks are discovered, remedial measures shall be taken immediately; when data security incidents occur, methods to address them shall be taken immediately, promptly notifying users and reporting to relevant departments in charge as provided.

Article 30

Those handling important data shall periodically conduct risk assessments of such data handling activities as provided and submit risk assessment reports to the relevant departments in charge.

Risk assessment reports shall include the type and amount of important data being handled, the circumstances of the data handling activities, the data security risks faced and measures to address them, etc.

Article 31

The provisions of the Cybersecurity Law of the PRC apply to the outbound security management of important data collected or produced by critical information infrastructure operators operating within the mainland territory of the PRC; outbound security management measures for other data handlers collecting or producing important data within the mainland territory of the PRC are to be jointly formulated by the national cybersecurity and informatization department and relevant departments of the State Council.

Article 32

Any organization or individual collecting data shall adopt lawful and proper methods and must not steal or otherwise obtain data through illegal methods.

Where laws or administrative regulations have provisions on the purpose or scope of data collection and use, data shall be collected and used for the purpose and within the scope provided for by those laws and administrative regulations.

Article 33

When institutions engaged in data transaction intermediary services provide services, they shall require the party providing the data to explain the source of the data, examine and verify the identities of both parties to the transactions, and retain verification and transaction records.

Article 34

Where laws and administrative regulations provide that administrative permits shall be acquired for the provision of services related to data handling, service providers shall obtain permits in accordance with law.

Article 35

Where public security authorities and national security authorities obtain data as necessary to safeguard national security or investigate crimes in accordance with law, they shall undergo strict approval procedures according to relevant State provisions and proceed in accordance with law, and relevant organizations and individuals shall cooperate.

Article 36

The competent authorities of the PRC are to handle foreign justice or law enforcement institution requests for the provision of data, according to relevant laws and treaties or agreements concluded or participated in by the PRC, or in accordance with the principle of equality and reciprocity. Domestic organizations and individuals must not provide data stored within the mainland territory of the PRC to the justice or law enforcement institutions of foreign countries without the approval of the competent authorities of the PRC.

Chapter V.- Security and Openness of Government Data

Article 37

The State is to forcefully advance the construction of e-government; increase the scientific nature, accuracy, and efficacy of government data; and enhance capabilities to use data in service of economic and social development.

Article 38

State authorities that need to collect or use data to perform their legally-prescribed duties shall do so within the scope of their legally-prescribed duties and in accordance with the conditions and procedures provided by law and administrative regulations; they shall preserve the confidentiality, in accordance with law, of data such as personal private [data], personal information, commercial secrets, and confidential commercial information; and they must not divulge or illegally provide it to others.

Article 39

State authorities shall, in accordance with the provisions of laws and administrative regulations, establish and complete data security management systems, implement data security protection responsibilities, and ensure government data security.

Article 40

State authorities entrusting others to construct or maintain e-government systems, or to store or process government data, shall undergo strict approval procedures, and shall supervise entrusted parties’ performance of data security protection obligations. Entrusted parties shall perform data security protection obligations according to the provisions of laws, administrative regulations, and contractual agreements, and must not retain, use, divulge, or provide others with government data without authorization.

Article 41

State authorities shall abide by the principles of fairness, impartiality, and convenience for the people and promptly and accurately disclose government data according to provisions, except that which according to law is not to be disclosed.

Article 42

The State is to: formulate government data openness catalogs; build a uniform and standard, interconnected and interactive, secure and controllable government data openness platform; and promote the use of open government data.

Article 43

The provisions of this Chapter apply to the conduct of data handling activities in the performance of legally prescribed duties by organizations authorized by laws and administrative regulations to have public affairs management duties.

Chapter VI.- Legal Liability

Article 44

Where relevant departments in charge, in the course of performing data security supervision and management duties, discover the existence of relatively major risks in data handling activities, they may arrange talks with relevant organizations and individuals in accordance with the limits of authority and procedures provided, and require relevant organizations and individuals to adopt measures to carry out reforms or eliminate risks.

Article 45

Where organizations or individuals conducting data handling activities do not perform the data security protection obligations provided for in Articles 27, 29, and 30 of this Law, the relevant departments in charge are to order corrections and give warnings, and may also impose a fine of between 50,000 and 500,000 yuan, and a fine of between 10,000 and 100,000 yuan on directly responsible management personnel and other directly responsible personnel. Those who refuse to make corrections or caused serious consequences such as a large-scale data leak are to be fined between 500,000 and 2,000,000 yuan and may be ordered to suspend relevant operations, suspend operations for rectification, or have relevant business permits or licenses revoked; directly responsible management personnel and other directly responsible personnel are to be fined between 50,000 and 200,000 yuan.

Where core national data management systems are violated, endangering national sovereignty, security, or development interests, relevant departments in charge are to impose a fine of between 2,000,000 and 10,000,000 yuan and, according to the circumstances, order a suspension of relevant operations, suspension of operations for rectification, or the revocation of relevant business permits or licenses; where a crime is constituted, criminal liability is to be pursued in accordance with law.

Article 46

Where important data is provided abroad in violation of the provisions of Article 31 of this Law: relevant departments in charge are to order corrections and give warning; a a fine of between 100,000 and 1,000,000 yuan may be imposed; a suspension of relevant operations, suspension of operations for rectification, or revocation of relevant business permits or licenses may be ordered; and directly responsible management personnel and other directly responsible personnel are to be fined between 100,000 and 1,000,000 yuan.

Article 47

Where institutions engaged in data transaction intermediary services fail to perform obligations provided by Article 33 of this Law: relevant departments in charge are to order corrections, confiscate unlawful gains, and impose a fine of between the amount of the unlawful gains and 10 times the amount of the unlawful gains; where there are no unlawful gains or the unlawful gains are less than 100,000 yuan, a fine of between 100,000 and 1,000,000 yuan is to be imposed; a suspension of relevant operations, a suspension of business for rectification, or the revocation of relevant business permits or licenses may be ordered; and directly responsible management personnel and other directly responsible personnel are to be fined between 10,000 and 100,000 yuan.

Article 48

Where the provisions of Article 35 of this Law are violated through refusal to cooperate with the obtaining of data, the relevant departments in charge are to order correction, give warnings, impose a fine of between 50,000 and 500,000 yuan, and fine directly responsible management personnel and other directly responsible personnel between 10,000 and 100,000 yuan.

Where the provisions of Article 36 of this Law are violated through the provision of data to foreign justice or law enforcement institutions without the approval of managing authorities, relevant departments in charge are to order corrections, may impose a fine of between 100,000 and 1,000,000 yuan, and may impose a fine of between 10,000 and 100,000 yuan on directly responsible management personnel and other directly responsible personnel; where serious consequences result, a fine of between 1,000,000 and 5,000,000 yuan is to be imposed, and a suspension of relevant operations, a suspension of business for rectification, or the revocation of relevant business permits or licenses may be ordered, and directly responsible management personnel and other directly responsible personnel are to be fined between 50,000 and 500,000 yuan.

Article 49

Where State authorities do not perform data security protection obligations provided by this Law, the directly responsible management personnel and other directly responsible personnel are to be sanctioned according to law.

Article 50

Where State personnel with data security regulatory duties are derelict, abuse their authority, or abuse their position for private gain, they are to be sanctioned according to law.

Article 51

Where data is obtained through theft or other illegal means, or the conduct of data handling activities eliminates or restricts competition or harms the lawful rights and interests of individuals or organizations, punishment is to be given in accordance with the provisions of relevant laws and administrative regulations.

Article 52

Where violations of the provisions of this Law harm others, civil liability is to be borne in accordance with law.

Where violations of the provisions of this Law constitute a violation of public security management, public security administrative sanctions are to be given in accordance with law; where a crime is constituted, criminal liability is to be pursued in accordance with law.

Chapter VII.- Supplementary Provisions

Article 53

The provisions of the Law of the PRC on the Protection of State Secrets and other laws and administrative regulations apply when conducting data handling activities involving state secrets.

The conduct of data handling activities in statistical or archival work, and the conduct of data handling activities that involve personal information, shall also comply with the provisions of relevant laws and administrative regulations.

Article 54

Measures for military data security protection are to be formulated by the Central Military Commission according to provisions separate from this Law.

Article 55

This Law is to be implemented beginning Sept. 1, 2021.