Personal Information
Protection Law of the People’s Republic of China
(Adopted
at the 30th meeting of the Standing Committee of the 13th National People’s
Congress on August 20, 2021)
Chapter I General Provisions
Article 1
This Law is enacted in accordance with the Constitution to protect personal
information rights and interests, regulate the processing of personal
information, and promote the reasonable use of personal information.
Article 2 The
personal information of any natural person shall be protected by law, and no
organization or individual may infringe upon the personal information rights
and interests of any natural person.
Article 3
This Law shall apply to the processing of the personal information of natural
persons within the territory of the People’s Republic of China.
This Law
shall also apply to the activities carried out outside the territory of the
People’s Republic of China to process the personal information of natural
persons within the territory of the People’s Republic of China outside the
territory of the People’s Republic of China under any of the following
circumstances:
(I) where the
purpose is to provide products or services to domestic natural persons;
(II) where
the purpose is to analyze and evaluate the activities of domestic natural
persons; and
(III) other
circumstances provided by laws and administrative regulations.
Article 4
Personal information refers to various kinds of information related to
identified or identifiable natural persons recorded by electronic or other
means, excluding the information processed anonymously.
Processing of
personal information includes the collection, storage, use, processing,
transmission, provision, publication, and erasure of personal information.
Article 5
Personal information shall be processed in accordance with the principles of
legality, legitimacy, necessity, and good faith, and shall not be processed by
misleading, fraud, coercion, or other means.
Article 6
Processing of personal information shall be for a definite and reasonable
purpose, shall be directly related to the purpose of processing, and shall be
processed in a manner that has the least impact on individual rights and
interests.
Collection of
personal information shall be limited to the minimum scope for the purpose of
processing and shall not be excessively collected.
Article 7
Processing of personal information shall follow the principles of openness and
transparency, disclose the rules for processing personal information, and
expressly indicate the purpose, manner, and scope of processing.
Article 8
When processing personal information, the quality of personal information shall
be ensured to avoid adverse effects on personal rights and interests caused by
inaccurate and incomplete personal information.
Article 9
Personal information processors shall be responsible for their processing of
personal information and take necessary measures to ensure the security of the
personal information processed.
Article 10 No
organization or individual may illegally collect, use, process, or transmit
other people’s personal information, or illegally trade, provide, or disclose
other people’s personal information, or engage in the processing of personal
information that endangers the national security or public interests.
Article 11
The State establishes a sound personal information protection system, prevent
and punish the infringement of personal information rights and interests,
strengthen the publicity and education on personal information protection, and
promote the formation of a good environment for the government, enterprises,
relevant social organizations and the public to jointly participate in personal
information protection.
Article 12
The State actively participates in the formulation of international rules for
personal information protection, promotes the international exchange and
cooperation in personal information protection, and drives the mutual
recognition of the rules and standards for personal information protection with
other countries, regions, and international organizations.
Chapter II Rules for Processing Personal Information
Section 1
General Provisions
Article 13
Only under any of the following circumstances may a personal information
processor process personal information:
(I) where the
consent of the individual concerned is obtained;
(II) where it
is necessary for the conclusion or performance of a contract to which the
individual concerned is a party, or to implement human resources management in
accordance with labor rules and regulations formulated according to law and
collective contracts concluded according to law;
(III) where
it is necessary for the performance of statutory duties or statutory
obligations;
(IV) where it
is necessary for coping with public health emergencies or for the protection of
the life, health, and property safety of a natural person;
(V) where
processing personal information within a reasonable scope is to carry out such
activities as news reporting and supervision by public opinions for the public
interest;
(VI)where the
personal information disclosed by individuals themselves or other legally
disclosed personal information is processed within a reasonable range in
accordance with the provisions of this Law; and
(VII)other
circumstances provided by laws and administrative regulations.
Individual
consent shall be obtained for the processing of personal information stipulated
in the other clauses of this Law, but in the circumstances specified in the
preceding paragraph from (II) to (VII), the individual’s consent is not
required.
Article 14
Where the processing of personal information is based on the consent of the
individual concerned, such consent shall be given by the individual concerned
in a voluntary and explicit manner in the condition of full knowledge. If laws
and administrative regulations provide that the processing of personal
information shall be subject to the individual’s separate consent or written
consent, such provisions shall prevail.
If the
purpose or method of processing personal information or the type of personal
information to be processed changes, the individual’s consent shall be obtained
again.
Article 31 If
a personal information processor knows or should know that the personal
information it processes is the personal information of a minor below the age
of 14, it shall obtain the consent of the minor’s parent or other guardians.
Personal
information processors shall formulate special personal information processing
rules for handling the personal information of minors under the age of 14.
Article 15
Where the processing of personal information is based on the consent of the
individual concerned, the individual is entitled to withdraw his/her consent.
The personal information processor shall provide convenient means to withdraw
consent.
The
individual’s withdrawal of consent does not affect the validity of the personal
information processing activities conducted prior to the withdrawal based on
the individual’s consent.
Article 16 A
personal information processor shall not refuse to provide products or services
on the grounds that the individual does not agree to process his/her personal
information or withdraws his/her consent, unless the processing of personal
information is necessary for providing products or services.
Article 17
Prior to processing personal information, a personal information processor
shall truthfully, accurately, and completely inform the individual of the
following matters in an eye-catching manner and with clear and understandable
language:
(I) the name
and contact information of the personal information processor;
(II) the
purpose and method of processing personal information, and the type and
retention period of the processed personal information;
(III) the
method and procedure for the individual to exercise the rights provided herein;
and
(IV) other
matters to be notified in accordance with the provisions of laws and
administrative regulations.
If any of the
matters provided in the preceding paragraph is changed, the individual shall be
notified of such change.
Article 18
When processing personal information, a personal information processor may not
notify the individual of the matters provided for in laws and administrative
regulations where confidentiality shall be kept, or it is not necessary to
notify the individual of the matters provided for in Paragraph 1 of the
preceding Article.
In case of
emergency, it is unable to timely inform the individual to protect the life,
health and property safety of natural persons, the personal information processor
shall inform the individual in time after elimination of emergency.
Article 19
The retention period of personal information shall be the minimum period
necessary for achieving the purpose of processing, except for where the
retention period of personal information is otherwise provided for in laws and
administrative regulations.
Article 20
Where more than two personal information processors jointly determine the
purpose and method of processing personal information, their respective rights
and obligations shall be agreed upon. However, such agreement shall not affect
an individual’s right to exercise the rights provided for in this Law against
any of the personal information processors.
Where
personal information processors jointly processing personal information
infringes upon personal information rights and interests and cause damages,
they shall bear joint and several liabilities in accordance with the law.
Article 21
Where a personal information processor entrusts others to process personal
information, it shall agree with the entrusted party on the purpose, duration,
and method of entrusted processing, type and protection measures of personal
information as well as the rights and obligations of both parties, and
supervise the personal information processing activities of the entrusted
party.
The entrusted
party shall process personal information as agreed and shall not process
personal information beyond the agreed purpose and method of processing. If the
contract is invalidated, invalid, revoked or terminated, the entrusted party
shall return the personal information to the personal information processor or
delete the personal information, and shall not retain the personal information.
Without the
consent of the personal information processor, the entrusted party shall not
re-entrust others to process personal information.
Article 22
Where a personal information processor needs to transfer personal information
due to reasons such as merger, division, dissolution, or being declared bankrupt,
it shall inform the individual of the name and contact information of the
recipient. The recipient shall continue to perform its obligations as a
personal information processor. Where the recipient changes the original
purpose and method of processing, it shall obtain the individual’s consent anew
in accordance with this Law.
Article 23
Where a personal information processor provides other personal information
processors with the personal information it processes, it shall inform the
individual of the name and contact information of the third party, purpose and
method of processing and type of personal information, and shall obtain his/her
separate consent. The party receiving personal information shall process
personal information within the scope of the above purpose and method of
processing and type of personal information. Where the party receiving personal
information changes the original purpose and method of processing, it shall
inform the individual and obtain his/her consent again in accordance with this
Law.
Article 24
Where personal information processors use personal information to make
automatic decision, the transparency of decision-making and the fairness and
justice of the results shall be ensured, and shall not impose unreasonable differential
treatment on individuals in terms of transaction price and other transaction
conditions.
Where
business marketing and information push are carried out through automatic
decision-making, options not based on his/her personal characteristics shall be
provided at the same time, or a convenient way for individuals to reject shall
be provided.
Where
automatic decision-making has a significant impact on individual’s rights and
interests, he/she has the right to require the personal information processor
to give an explanation, and to reject the decision made by the personal
information processor only through automatic decision-making.
Article 25 A
personal information processor shall not disclose the personal information it
processes, unless the individual’s consent is obtained, or it is otherwise
required by laws and administrative regulations.
Article 26
Image capturing and personal identification equipment installed in public
places shall be necessary for maintaining public security, comply with relevant
provisions of the State, and conspicuous prompting signs shall be installed.
Personal images and personal identifiable information collected may only be
used for the purpose of maintaining public security and shall not be used for
other purposes, unless the individual’s consent is obtained.
Article 27
Personal information processors may, within a reasonable range, process
personal information that has been disclosed by individuals themselves or other
lawfully disclosed personal information, except where the individual explicitly
refuses. Personal information processors shall obtain the consent of
individuals in accordance with the provisions of this Law if the processing of
disclosed personal information has a major impact on the rights and interests of
individuals.
Section 2
Rules for Processing Sensitive Personal Information
Article 28
Sensitive personal information refers to the personal information that can
easily lead to the infringement of the personal dignity or natural persons or
the harm of personal or property safety once leaked or illegally used,
including such information as biometrics, religious belief, specific
identities, medical health, financial accounts, and whereabouts, and the
personal information of minors under the age of 14.
Personal
information processors can process sensitive personal information only when
they have a specific purpose and sufficient necessity, and take strict
protective measures.
Article 29
Individual consent should be obtained for processing sensitive personal
information. Where laws and administrative regulations provide that the
processing of sensitive personal information shall be subject to written
consent, such provisions shall prevail.
Article 30
For the processing of sensitive personal information of an individual, the
personal information processor shall inform the individual of the necessity of
processing sensitive personal information and the impacts on the individual’s
right and interest, in addition to the matters prescribed in Paragraph 1 of Article
17 thereof, except those that may not be notified to individuals in accordance
with the provisions of this Law.
Article 31 If
a personal information processor knows or should know that the personal
information it processes is the personal information of a minor below the age
of 14, it shall obtain the consent of the minor’s parent or other guardians.
Personal
information processors shall formulate special personal information processing
rules for handling the personal information of minors under the age of 14.
Article 32
Where laws and administrative regulations provide that the processing of
sensitive personal information shall be subject to relevant administrative
permission or other restriction, such provisions shall prevail.
Section 3
Special Provisions on Processing Personal Information by State Organs
Article 33
This Law shall apply to the activities of a State organ to process personal
information; where there are special provisions in this Section, the provisions
of this Section shall apply.
Article 34
The processing of personal information by a State organ for the purpose of
performing its statutory duties shall be under the authority and procedures
prescribed by laws and administrative regulations and shall not exceed the
scope and limit necessary for performing its statutory duties.
Article 35 A
State organ processing personal information for the purpose of performing its
statutory duties shall perform the obligation of notification in accordance
with this Law, except for circumstances prescribed in Paragraph 1 of Article
18, or the notification will hinder the State organ from performing its
statutory duties.
Article 36
The personal information processed by a State organ shall be stored within the
territory of the People’s Republic of China; where it is necessary to provide
such information to an overseas party, a security assessment shall be
conducted. Relevant departments may be required to provide support and
assistance for security assessment.
Article 37
The provisions of this law on personal information processed by State organs
shall apply for personal information processing by organizations authorized by
laws and regulations with the function of managing public affairs to perform
statutory duties.
Chapter III Rules for Cross-border Provision of Personal Information
Article 38
Where a personal information processor needs to provide personal information
outside the territory of the People’s Republic of China due to business or
other needs, it shall meet any of the following conditions: (I) where it has
passed the security assessment organized by the State cyberspace administration
in accordance with Article 40 hereof;
(II) where it
has been certified by a specialized in accordance with the provisions of the
State cyberspace administration in respect of the protection of personal
information;
(III) where
it has concluded a contract with an overseas recipient according to the
standard contract formulated by the state cyberspace administration, specifying
the rights and obligations of both parties; or
(IV) where it
has satisfied other conditions prescribed by laws, administrative regulations,
or the State cyberspace administration.
Where the
international treaties and agreements that the People’s Republic of China has
concluded or participated in have provisions on the conditions for providing
personal information outside the territory of the People’s Republic of China,
such provisions may be complied with.
Personal
information processors shall take necessary measures to ensure that the
processing of personal information by overseas recipients meets the personal
information protection standards stipulated in this law.
Article 39
Where a personal information processor provides personal information of an
individual to a party outside the territory of the People’s Republic of China,
it shall inform the individual of such matters as the name of the overseas
recipient, contact information, purpose, and method of processing, type of
personal information and the way and procedure for the individual to exercise
the rights prescribed herein against the overseas recipient, and shall obtain
the individual’s separate consent.
Article 40
Critical information infrastructure operators and personal information
processors whose processing of personal information reaches the number
prescribed by the State cyberspace administration shall store the personal
information collected and generated within the territory of the People’s
Republic of China within the territory of China. If it is indeed necessary to provide
such information and data to overseas parties, it shall be subject to the
security assessment organized by the State cyberspace administration; if laws,
administrative regulations, or the provisions of the State cyberspace
administration provide that the security assessment is not required, such
provisions shall prevail.
Article 41
The competent authorities of the People’s Republic of China shall, in
accordance with relevant laws and international treaties and agreements
concluded or participated in by the People’s Republic of China, or in
accordance with the principle of equality and reciprocity, handle requests from
foreign judicial or law enforcement agencies for the provision of personal
information stored in China. Without the approval of the competent authority of
the People’s Republic of China, personal information processor shall not
provide the personal information stored within the territory of the People’s
Republic of China to judicial or law enforcement agencies outside of the
territory of the People’s Republic of China.
Article 42
For any overseas organization or individual whose personal information
processing activities damage the personal information rights and interests of
citizens of the People’s Republic of China, or endanger the national security
or public interests of the People’s Republic of China, the State cyberspace
administration may include such overseas organization or individual in the list
of restricted or prohibited provision of personal information, announce the
same, and take measures such as restricting or prohibiting the provision of
personal information to such overseas organization or individual.
Article 43
Where any country or region takes discriminatory prohibitive, restrictive or
other similar measures against the People’s Republic of China in respect of the
protection of personal information, the People’s Republic of China may, as the
case may be, take reciprocal measures against such country or region.
Chapter IV Rights of Individuals in Activities of Processing Personal
Information
Article 44 An
individual has the right to know and make decisions on the processing of
his/her personal information, and the right to restrict or refuse others to
process his/her personal information, unless otherwise provided for by laws and
administrative regulations.
Article 45 An
individual is entitled to consult or copy his/her personal information from a
personal information processor, except for the circumstances as prescribed in
Paragraph 1 of Article 18 and Article 35 herein.
Where an individual requests to consult or copy his/her personal
information, the personal information processor shall provide such information
in a timely manner.
Where an individual requests to transfer his/her personal information
to a personal information processor designated by him/her, the personal
information processor shall provide the means for such transfer if the
conditions prescribed by the State cyberspace administration are met.
Article 46
Where an individual finds that his/her personal information
is inaccurate or incomplete, he/she is entitled to request the personal
information processor to make corrections or supplements.
Where an individual requests for corrections or supplements to
his/her personal information, the personal information processor shall make
verification and make corrections or supplements to such information in a
timely manner.
Article 47
Under any of the following circumstances, a personal information processor
shall delete personal information on its own initiative; if the personal
information processor has not deleted it, the individual concerned shall have
the right to request deletion:
(I) where the
purpose of processing has been achieved, unable to achieve, or is no longer
necessary to achieve;
(II) where
the personal information processor stops providing products or services, or the
agreed storage period has expired;
(III) where
the individual withdraws his/her consent;
(IV) where
the personal information processor processes personal information in violation
of laws, administrative regulations, or the agreement; or
(V) any other
circumstance as prescribed by laws and administrative regulations.
Where the
storage period as prescribed by laws and administrative regulations does not
expire, or the deletion of personal information is difficult to be realized
technically, the personal information processor shall stop processing personal
information other than storage and taking necessary security measures.
Article 48 An
individual is entitled to request the personal information processor to explain
the rules on the processing of personal information.
Article 49 In
the event of the death of a natural person, his/her near relatives may, for
their own lawful and legitimate interests, exercise the rights of consulting,
copying, correcting, and deleting the relevant personal information of the
deceased as prescribed in this Chapter, unless the deceased had otherwise
arranged before his/her death.
Article 50 A
personal information processor shall establish a convenient mechanism for
accepting and processing applications for exercising personal rights by
individuals. Where an individual’s request for exercising personal rights is
rejected, the reasons shall be stated.
Where the
personal information processor refuses an individual’s request to exercise his
rights, the individual may bring a lawsuit in a people’s court according to
law.
Chapter V Obligations of Personal Information Processors
Article 51 A
personal information processor shall, according to the purpose and method of
processing personal information, type of personal information, impact on
individual’s right and interest, and possible security risk, etc., take the
following measures to ensure the compliance of personal information processing
activities with provisions of laws and administrative regulations, and prevent
unauthorized visit, or leakage, falsification, and loss of personal
information:
(I)
formulating internal management system and operational procedures;
(II) managing
personal information by classification;
(III) taking
corresponding technical security measures such as encryption and
de-identification;
(IV)
reasonably determining the authority to process personal information and
conduct security education and training for employees on a regular basis;
(V)
formulating and organizing the implementation of emergency plans for personal
information security incidents; and
(VI) other
measures as prescribed by laws and administrative regulations.
Article 52
Where the quantity of personal information processed by a processor reaches
that specified by the state cyberspace administration, the processor shall
designate a person in charge of personal information protection to be
responsible for supervising the processing of personal information and the
adopted protection measures.
A personal
information processor shall make public the contact information of the person
in charge of personal information protection and submit the name and contact
information of the person in charge of personal information protection to the
department performing duties of personal information protection.
Article 53
Any personal information processor outside the territory of the People’s
Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish
a special agency or designate a representative within the territory of the
People’s Republic of China to be responsible for relevant matters of personal
information protection, and submit the name and contact information of relevant
agency or the representative to the department performing duties of personal
information protection.
Article 54 A
personal information processor shall regularly audit whether its processing of
personal information is in compliance with provisions
of laws and administrative regulations.
Article 55 A
personal information processor shall conduct personal information protection
impact assessment of the following circumstances in advance and keep a record
of the processing:
(I)
processing sensitive personal information;
(II) making
use of personal information to make automatic decisions;
(III)
entrusting others to process personal information, providing other personal
information processors with personal information, and disclosing personal
information;
(IV)
providing personal information to overseas parties; and
(V) other
personal information processing activities that have a significant impact on
individuals’ rights and interests.
Article 56
The personal information protection impact assessment shall include the following:
(I) whether
the purpose and method of processing personal information are legitimate,
justifiable, and necessary;
(II) impact
on individuals’ rights and interests and the security risks; and
(III) whether
the security protection measures taken are legitimate, effective, and
appropriate to the degree of risks.
The personal
information protection assessment report and processing record shall be kept
for at least three years.
Article 57
Where personal information has been or may be leaked, falsified, or lost, the
personal information processor shall immediately take remedial measures and
inform the department performing duties of personal information protection and
the individuals concerned. The notice shall include the following particulars:
(I) types and
causes of personal information leakage, falsification, and loss that have
occurred or may occur and the possible harm caused;
(II) remedial
measures taken by personal information processors and measures taken by
individuals to mitigate harm;
(III) contact
information of the personal information processor.
If the
personal information processor has taken measures to effectively avoid harm
caused by information leakage, falsification, or loss, it may opt not to notify
the individuals; however, if the department performing duties of personal
information protection believes harm shall be caused, it may require the
personal information processor to notify the individuals thereof.
Article 58
Personal information processors that provide important Internet platform
services with a large number of users and complex business types shall perform
the following obligations:
(I) Establish
and improve the compliance system for personal information protection in
accordance with state regulations, and establish an independent organization
composed mainly of external members to protect personal information;
(II)
Formulate the rules of the platform in accordance with the principles of
openness, fairness, and justice, to clarify the norms for the processing of personal
information and the obligations of the product or service providers within the
platform to protect personal information;
(III)Stop
providing services to the product or service providers on the platform that
seriously violate laws and administrative regulations in processing personal
information;
(IV) Regular
release of social responsibility report regarding personal information
protection and subject to public supervision.
Article 59
The party entrusted to process personal information shall fulfill the relevant
obligations prescribed by this Law and other relevant laws and administrative
regulations, take necessary measures to ensure the security of the personal
information processed, and assist personal information processors to fulfill their
obligations under this Law.
Chapter VI Departments Performing Duties of personal information
protection
Article 60
The state cyberspace administration is responsible for coordinating the
protection of personal information and relevant supervision and administration
work; and relevant departments under the State Council are responsible for
protecting, supervising, and administering personal information within the
scope of their respective duties in accordance with the provisions of this Law
and relevant laws and administrative regulations.
The duties of
relevant departments of local people’s governments at or above the county level
in protecting, supervising, and administering personal information shall be
determined in accordance with relevant provisions of the State.
The
departments mentioned in the preceding two paragraphs are collectively referred
to as the departments performing duties of personal information protection.
Article 61
Departments performing duties of personal information protection shall perform
the following duties of personal information protection:
(I) carrying
out publicity and education on personal information protection, and guiding and
supervising personal information processors to protect personal information;
(II)
accepting and processing complaints and reports relating to personal
information protection;
(III)
organizing the evaluation of the protection of personal information such as
applications and publish the evaluation results;
(IV)
investigating and processing illegal personal information processing
activities; and
(V) other
duties stipulated by laws and administrative regulations.
Article 62
The state cyberspace administration shall coordinate with the relevant
departments in promoting the protection of personal information in accordance
with this Law as follows:
(I) formulate
specific rules and standards for the protection of personal information;
(II)
formulate special personal information protection rules and standards for small
personal information processors, sensitive personal information processing, and
new technologies and applications such as face recognition and artificial
intelligence;
(III) support
research, development, and promotion of secure and convenient electronic
identity authentication technology, and promote the construction of public
services for online identity authentication;
(IV) promote
the development of a socialized service system for protecting personal
information and support relevant organizations in carrying out assessment and
certification services in respect of personal information protection.
(V) improve
the mechanism for complaints and whistleblowing reports on personal information
protection.
Article 63
Departments performing duties of personal information protection may take the
following measures when performing the duties of personal information
protection:
(I) inquiry
of the parties concerned, and investigation of the circumstances relating to
personal information processing activities;
(II)
consulting and copying contracts, records, account books, and other relevant
materials relating to personal information processing activities of the parties
concerned;
(III)
carrying out on-site inspection and investigation activities relating to
processing personal information suspected of violating laws; and
(IV) checking
the equipment and Articles relating to personal information processing
activities and may sealing up or seizing the equipment and Articles that are
proved to be illegal personal information processing activities upon reporting
in writing to the principal of the department and getting approval.
When
departments performing duties of personal information protection perform duties
in accordance with the law, the parties concerned shall provide
assistance and cooperation, and shall not refuse or obstruct such
performance.
Article 64
Where departments performing duties of personal information protection find in
performing their duties of personal information protection that there are
relatively high risks in personal information processing activities or personal
information security incidents have occurred, they may interview the legal
representative or person chiefly in charge of the personal information
processor according to prescribed authority and procedures, or require the
personal information processor to entrust professional institutions to conduct
compliance audits of their personal information processing activities. The
personal information processor shall take measures to make rectification and
eliminate hidden dangers as required.
The
department that performs the duty of personal information protection and
discovers that the illegal processing of personal information is suspected of a
crime in the course of performing its duty, shall promptly transfer the case to
the public security organ for handling according to law.
Article 65
Any organization or individual has the right to complain or report illegal
personal information processing activities to the departments performing duties
of personal information protection. The departments receiving such complaints
or reports shall promptly process them according to the law and notify the
complainants or reporters of the results. The departments performing duties of
personal information protection shall make public the contact information for
accepting complaints or reports.
Chapter VII Legal Liability
Article 66
Where personal information is processed in violation of the provisions hereof,
or personal information is processed without fulfilling the personal information
protection obligations stipulated in this Law, the departments performing
duties of personal information protection shall order the processor to make
rectification, give a warning and confiscate its illegal gains, or order the
application that illegally processing personal information to suspend or
terminate the provision of services; if rectification is refused, a fine of not
more than RMB 1 million shall be imposed concurrently on the processor; and a
fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed
on the person directly in charge of the processor and other directly liable
persons. Where an illegal act specified in the preceding paragraph is committed
and the circumstances are serious, the departments performing duties of
personal information protection at or above the provincial level shall order
the processor to make rectification, confiscate its illegal gains and impose a
fine of not more than RMB 50 million or not more than 5% of its turnover of the
previous year on the processor, and may also order the processor to suspend
relevant business or to suspend business for rectification, and notify the
relevant competent departments to revoke the relevant business permit or
business license; and a fine of not less than RMB 100,000 but not more than RMB
1 million shall be imposed on the persons directly in charge and other directly
liable persons, and such persons may also be prohibited from serving as
directors, supervisors, senior managers, and persons in charge of personal
information protection of relevant enterprises for a certain period of time.
Article 67
Any illegal act specified in this Law shall be recorded in the credit archives
in accordance with the provisions of the relevant laws and administrative
regulations and shall be disclosed to the public.
Article 68
Where a state organ fails to perform its obligations of protecting personal
information as specified in this Law, its superior organ or the department
performing the duties of personal information protection shall order it to make
rectification, and impose sanctions on the person directly in charge and other
directly liable persons according to law.
Where the
staff of departments responsible for personal information protection guilty of
dereliction of duties, abusing official powers, or malpractice for personal
gain but yet to constitute a crime, they shall be punished pursuant to the law.
Article 69
Where the right and interests of personal information are infringed upon due to
personal information processing and cause damages, and the personal information
processor cannot prove that it is not at fault, it shall bear the tort
liability for damages.
Liability for
damages prescribed in the preceding paragraph shall be borne in light of the
losses thus caused to the individuals concerned or the benefits thus obtained
by the personal information processor; if the losses thus caused to the
individuals concerned or the benefits thus obtained by the personal information
processor are difficult to be determined, the people’s court shall determine
the amount of compensation according to the actual circumstances.
Article 70
Where a personal information processor processes personal information in
violation of the provisions of this Law, which infringes upon the rights and
interests of a large number of individuals, the people’s procuratorate,
the consumer organizations specified by law and the organization determined by
the state cyberspace administration may file a lawsuit with the people’s court
in accordance with the law.
Article 71
Where a violation of the provisions of this Law constitutes a violation of
public security administration, a public security administration punishment
shall be imposed in accordance with the law; if a crime is constituted, criminal
liability shall be investigated in accordance with the law.
Chapter VIII Supplementary Provisions
Article 72
This Law shall not be applicable to the processing of personal information by a
natural person by virtue of his/her personal or family affairs. Where there are
legal provisions on the processing of personal information in the statistical
and archive administration organized and implemented by the people’s
governments at all levels and the relevant departments thereof, such provisions
shall apply.
Article 73
For the purposes of this Law, the following terms are defined as follows:
(I) A
personal information processor refers to any organization or individual that
independently determines the purpose and method of processing in personal
information processing activities.
(II) An
automatic decision-making refers to an activity to automatically analyze and
evaluate a person’s behavior habits, hobbies or economic, health or credit
status through computer programs and make decisions.
(III)
De-identification refers to the process in which personal information is
processed so that it is impossible to identify certain natural persons without
the use of additional information.
(IV)
Anonymization refers to the process in which the personal information is processed
so that it is impossible to identify a certain natural person and unable to be
recovered.
Article 74
This Law shall come into force as of November 1, 2021.