Personal Information Protection Law of the People's Republic of China

Personal Information Protection Law of the People's Republic of China 中华人民共和国个人信息保护法 Order of the President of the People's Republic of China (No. 91) The Personal Information Protection Law of the People's Republic of China, as adopted at the 30th session of the Standing Committee of the Thirteenth National People's Congress of the People's Republic of China on August 20, 2021, is hereby issued, and shall come into force on November 1, 2021. Xi Jinping, President of the People's Republic of China August 20, 2021 Personal Information Protection Law of the People's Republic of China (Adopted at the 30th session of the Standing Committee of the Thirteenth National People's Congress on August 20, 2021) Contents Chapter I General Provisions Chapter II Personal Information Processing Rules Section 1 General Rules Section 2 Rules of Processing of Sensitive Personal Information Section 3 Specific Provisions on the Processing of Personal Information by State Organs Chapter III Rules of Cross-Border Provision of Personal Information Chapter IV Individuals' Rights in Personal Information Processing Activities Chapter V Obligations of Personal Information Processors Chapter VI Authorities Performing Personal Information Protection Functions Chapter VII Legal Liability Chapter VIII Supplemental Provisions Chapter I General Provisions Article 1 This Law is enacted in accordance with the Constitution for the purposes of protecting rights and interests relating to personal information, regulating personal information processing activities, and promoting the reasonable use of personal information. Article 2 The personal information of natural persons shall be protected by law. No organization or individual may infringe upon natural persons' rights and interests relating to personal information. Article 3 This Law shall apply to the processing within the territory of the People's Republic of China of the personal information of natural persons. This Law shall also apply to the processing outside the territory of the People's Republic of China of the personal information of natural persons located within the territory of the People's Republic of China if the information is processed: (1) for the purpose of providing products or services to natural persons located within China; (2) to analyze or assess the conduct of natural persons located within China; or (3) under any other circumstance as provided by any law or administrative regulation. Article 4 “Personal information” means all kinds of information related to identified or identifiable natural persons that are electronically or otherwise recorded, excluding information that has been anonymized. Personal information processing includes, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information. Article 5 Personal information shall be processed under the principles of lawfulness, legitimacy, necessity and good faith, and shall not be processed in a way that is misleading, fraudulent or coercive. Article 6 Personal information processing shall be for a clear and reasonable purpose, directly related to the processing purpose and in a manner that has the minimum impact on the rights and interests of individuals. Collection of personal information shall be limited to the minimum scope necessary for achieving the processing purpose and shall not be excessive. Article 7 Personal information shall be processed under the principles of openness and transparency, with the rules of processing of personal information disclosed, and the purposes, methods, and scope of processing expressly stated. Article 8 The quality of personal information shall be guaranteed in the processing of personal information to avoid adverse impacts on the rights and interests of individuals due to inaccuracy or incompleteness of the personal information. Article 9 Personal information processors shall be responsible for their personal information processing activities, and take necessary measures to guarantee the security of the personal information they process. Article 10 No organization or individual may illegally collect, use, process, or transmit the personal information of another person or illegally buy or sell, provide, or disclose the personal information of another person; or engage in personal information processing activities compromising national security or public interests. Article 11 The state shall establish and improve the personal information protection system to prevent and punish infringements of rights and interests relating to personal information, strengthen publicity and education on personal information protection, and promote the creation of a favorable environment for the government, enterprises, relevant social organizations, and the public to jointly participate in personal information protection. Article 12 The state shall vigorously participate in the development of international rules of personal information protection, boost international exchange and cooperation in terms of personal information protection, and promote the mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations. Chapter II Personal Information Processing Rules Section 1 General Rules Article 13 A personal information processor may not process personal information unless: (1) the individual's consent has been obtained; (2) the processing is necessary for the conclusion or performance of a contract to which the individual is a contracting party or for conducting human resource management under the labor rules and regulations developed in accordance with the law and a collective contract signed in accordance with the law; (3) the processing is necessary to fulfill statutory functions or statutory obligations; (4) the processing is necessary to respond to public health emergencies or protect the life, health or property safety of natural persons under emergency circumstances; (5) personal information is processed within a reasonable scope to conduct news reporting, public opinion-based supervision, or other activities in the public interest; (6) the personal information that has been disclosed by the individuals themselves or other personal information that has been legally disclosed is processed within a reasonable scope in accordance with this Law; or (7) under any other circumstance as provided by any law or administrative regulation. In accordance with other relevant provisions of this Law, an individual's consent shall be obtained for processing his or her personal information, except under the circumstances specified in subparagraphs (2) to (7) of the preceding paragraph. Article 14 Where personal information is processed based on an individual's consent, such consent shall be voluntarily and explicitly given by the individual on a fully informed basis. Where any law or administrative regulation provides that the individual's separate consent or written consent shall be obtained for processing personal information, such provision shall prevail. In the case of any change of the purpose or method of processing of personal information, or the category of personal information to be processed, the individual's consent shall be obtained anew. Article 15 Where personal information is processed based on an individual's consent, the individual shall have the right to withdraw his or her consent. The personal information processor shall provide a convenient way to withdraw the consent. The individual's withdrawal of his or her consent does not affect the effectiveness of personal information processing activities that have been conducted based on his or her consent before the withdrawal of such consent. Article 16 A personal information processor shall not refuse to provide products or services on the ground that the relevant individual does not consent to the processing of his or her personal information or withdraws consent, except that the processing of personal information is necessary for the provision of products or services. Article 17 A personal information processor shall, before processing personal information, truthfully, accurately and completely notify individuals of the following matters in a conspicuous way and in clear and easily understood language: (1) The name and contact information of the personal information processor. (2) Purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods. (3) Methods and procedures for individuals to exercise the rights provided in this Law. (4) Other matters that should be notified as provided by laws and administrative regulations. Where any matter as set forth in the preceding paragraph changes, the individuals shall be notified of the change. Where the personal information processor notifies the matters as set forth in paragraph 1 in the manner of developing personal information processing rules, the processing rules shall be disclosed and easy to consult and preserve. Article 18 Personal information processors processing personal information are not required to notify individuals of the matters as set forth in paragraph 1 of the preceding article if there are circumstances in which laws or administrative regulations provide that such processing shall be kept confidential or notification is not necessary. Where it is impossible to notify individuals in a timely manner for the protection of the life, health and property safety of natural persons under emergency circumstances, personal information processors shall notify them in a timely manner after the elimination of the emergency circumstances. Article 19 A retention period of personal information shall be the shortest time necessary to achieve the processing purpose, except as otherwise provided by any law or administrative regulation. Article 20 Where two or more personal information processors jointly decide on the purposes and methods of processing of personal information, they shall agree on their respective rights and obligations. However, such agreement does not affect an individual's request to any of the said personal information processors for exercising his or her rights as provided in this Law. Where personal information processors jointly processing personal information infringe upon the rights and interests relating to personal information and cause damage, they shall bear joint and several liability in accordance with the law. Article 21 A personal information processor commissioning the processing of personal information shall agree with the commissioned party on the purposes and period of the commissioned processing, processing methods, categories of personal information, protection measures, as well as the rights and obligations of both parties, among others, and oversee the personal information processing activities of the commissioned party. The commissioned party shall process personal information as agreed, and shall not process personal information beyond the agreed purposes or methods of processing, among others. Where the commission contract has not taken effect or is null and void, revoked, or rescinded, the commissioned party shall return personal information to the personal information processor or delete it, and shall not retain such information. Without the consent of the personal information processor, the commissioned party shall not commission the commissioned processing of personal information. Article 22 Where a personal information processor needs to transfer personal information due to combination, division, dissolution or declaration of bankruptcy, among others, it or he shall notify individuals of the name and contact information of the recipient. The recipient shall continue to perform the obligations of the personal information processor. If the recipient changes the original purposes or methods of processing, it or he shall obtain the individuals' consent anew in accordance with this Law. Article 23 A personal information processor that provides any other personal information processor with the personal information it or he processes shall notify individuals of the recipient's name, contact information, purposes and methods of processing, and categories of personal information, and obtain the individuals' separate consent. The recipient shall process personal information within the scope of the aforementioned purposes and methods of processing, and categories of personal information, among others. Where the recipient changes the original purposes or methods of processing, it or he shall obtain individuals' consent anew in accordance with this Law. Article 24 Where a personal information processor conducts automated decision-making by using personal information, it or he shall ensure the transparency of the decision-making and the fairness and impartiality of the result, and shall not give unreasonable differential treatment to individuals in terms of trading price or other tradi......