Law of the People’s Republic of China on the Protection of Personal Information

(Adopted at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021)

Table of Contents

Chapter I General Provisions

Chapter II Personal Information Processing Rules

Section I General Provisions

Section II rules for handling sensitive personal information

Section III Special Rules for Handling Personal Information by State Organs

Chapter III Rules for Cross-border Provision of Personal Information

Chapter IV Rights of Individuals in Personal Information Processing Activities

Chapter V Obligations of Personal Information Processors

Chapter VI Departments Performing Personal Information Protection Duties

Chapter VII Legal Liability

Chapter 8 By-laws

Chapter 1 General Provisions

Article 1 In order to protect the rights and interests of personal information, regulate personal information processing activities, and promote the reasonable use of personal information, in accordance with the Constitution, the enactment of this Law.

Article 2 Personal information of natural persons are protected by law, any organization or individual shall not infringe upon the rights and interests of personal information of natural persons.

Article 3 In the People’s Republic of China in the processing of personal information of natural persons, the activities of this Law shall apply.

Activities outside the People’s Republic of China to deal with personal information of natural persons in the People’s Republic of China, one of the following circumstances, this Law shall also apply.

(A) for the purpose of providing products or services to natural persons in the territory.

(B) analysis and evaluation of the behavior of natural persons within the territory.

(C) other circumstances specified in the laws and administrative regulations.

Article 4 Personal information is recorded electronically or in other ways with a variety of information related to identified or identifiable natural persons, excluding anonymized information after processing.

Handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.

Article 5 The handling of personal information shall follow the principles of legality, legitimacy, necessity and good faith, and shall not handle personal information through misleading, fraudulent, coercive and other means.

Article 6 The processing of personal information shall have a clear and reasonable purpose, and shall be directly related to the purpose of processing, taking the least impact on the rights and interests of individuals.

The collection of personal information shall be limited to the minimum scope to achieve the purpose of processing, and shall not be excessive collection of personal information.

Article 7 The processing of personal information shall follow the principles of openness and transparency, public personal information processing rules, express the purpose, manner and scope of processing.

Article 8 The processing of personal information shall ensure the quality of personal information, to avoid inaccurate and incomplete personal information to the detriment of the rights and interests of individuals.

Article 9 The personal information processor shall be responsible for its personal information processing activities, and take the necessary measures to protect the security of the personal information handled.

Article 10 No organization or individual shall illegally collect, use, process or transmit personal information of others, shall not illegally trade, provide or disclose personal information of others; shall not engage in personal information processing activities that endanger national security and public interests.

Article 11 The State to establish and improve the system of personal information protection, prevention and punishment of infringement of the rights and interests of personal information, to strengthen the protection of personal information publicity and education, and promote the formation of the government, enterprises, relevant social organizations, the public to participate in the protection of personal information in a good environment.

Article 12 The State actively participate in the development of international rules for the protection of personal information, promote international exchanges and cooperation in the protection of personal information, and promote the mutual recognition of personal information protection rules, standards and so on with other countries, regions and international organizations.

Chapter II Personal Information Processing Rules

Section I General Provisions

Article 13 The handler of personal information may handle personal information only if one of the following circumstances is met.

(i) Obtaining the consent of the individual

(ii) Necessary for the conclusion or performance of a contract to which the individual is a party, or for the implementation of human resources management in accordance with the labor rules and regulations established by law and the collective contract signed by law

(iii) Necessary for the performance of statutory duties or legal obligations

(iv) necessary to respond to public health emergencies, or to protect the life, health and property of natural persons in emergency situations

(v) for the public interest in the implementation of news reporting, public opinion monitoring and other acts, within a reasonable range of personal information handling

(vi) in accordance with the provisions of this Law within a reasonable range to deal with personal information disclosed by the individual himself or herself or other personal information that has been lawfully disclosed.

(vii) other circumstances specified in laws and administrative regulations.

In accordance with other relevant provisions of this Law, the handler of personal information shall obtain the consent of the individual, but the second to the seventh paragraph of the preceding paragraph, do not need the consent of the individual.

Article 14 based on individual consent to deal with personal information, the consent shall be made by the individual in a fully informed and voluntary, clear. Laws and administrative regulations shall obtain the individual’s consent or written consent to the processing of personal information, from its provisions.

If the purpose of processing personal information, the manner of processing and the type of personal information processed is changed, the consent of the individual shall be obtained again.

Article 15 based on the individual’s consent to the processing of personal information, the individual has the right to withdraw his or her consent. The personal information processor shall provide a convenient way to withdraw consent.

Withdrawal of consent by the individual shall not affect the validity of the personal information processing activities that have been carried out based on the individual’s consent before the withdrawal.

Article 16 The personal information handler shall not refuse to provide products or services on the grounds without the consent to the processing of his personal information or withdrawal of consent by the individual; except for the processing of personal information is necessary to provide products or services.

Article 17 The personal information handler shall, before processing personal information, in a prominent manner and in clear and understandable language true, accurate and complete information to the individual of the following matters.

(A) the name or name and contact information of the personal information handler.

(B) the purpose of processing personal information, the manner of processing, the type of personal information processed, and the retention period.

(C) the manner and procedures for individuals to exercise their rights under this law

(D) laws and administrative regulations shall be informed of other matters.

If the matters specified in the preceding paragraph are changed, the individual shall be informed of the changes.

If the personal information processor informs the matters specified in the first paragraph by formulating the personal information processing rules, the processing rules shall be public and easily accessible and preserved.

Article 18 Personal information processor processing personal information, there are laws and administrative regulations shall be confidential or do not need to inform the circumstances, you can not inform the individual of the matters specified in the first paragraph of the preceding article.

Emergency to protect the life and health of natural persons and property security can not be informed in a timely manner to the individual, the personal information processor shall be informed in a timely manner after the elimination of the emergency.

Article 19 Unless otherwise provided by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the purpose of processing.

Article 20 Two or more personal information processors jointly decide the purpose of processing personal information and the manner of processing, shall agree on their respective rights and obligations. However, the agreement shall not affect the individual’s right to request any one of the personal information processors to exercise the rights stipulated in this Law.

Personal information processors jointly handle personal information, infringement of the rights and interests of personal information causing damage, shall bear joint and several liability in accordance with law.

Article 21 If the personal information processor is entrusted with the processing of personal information, shall agree with the trustee to entrust the purpose, duration, processing methods, types of personal information, protection measures and the rights and obligations of both parties, and the supervision of the trustee’s personal information processing activities.

The trustee shall handle personal information in accordance with the agreement and shall not handle personal information beyond the agreed purpose and manner of processing; if the entrustment contract is not effective, invalid, revoked or terminated, the trustee shall return the personal information to the personal information processor or delete it and shall not retain it.

Without the consent of the personal information processor, the trustee shall not subcontract others to handle personal information.

Article 22 If the personal information processor needs to transfer personal information due to merger, separation, dissolution, bankruptcy and other reasons it shall inform the individual the name or name and contact information of the recipient. The receiving party shall continue to perform the obligations of the personal information processor. The receiving party to change the original purpose of processing, processing methods, shall be in accordance with the provisions of this Law to obtain the consent of the individual again.

Article 23 The personal information processor to other personal information processors to provide its processing of personal information, shall inform the individual the name or name of the recipient, contact information, processing purposes, processing methods and types of personal information, and obtain the individual’s individual consent. The receiving party shall handle personal information within the scope of the above-mentioned processing purposes, processing methods and types of personal information. The receiving party to change the original purpose of processing, processing methods, in accordance with the provisions of this Law shall re-obtain the consent of the individual.

Article 24 If the personal information processor uses personal information for automated decision-making,  it shall ensure the transparency of the decision and the results are fair and just, and it shall not impose unreasonable differential treatment of individuals in terms of transaction prices and other trading conditions.

Through the automated decision-making method to individuals for information push, commercial marketing, should be accompanied by options that do not target their personal characteristics, or provide individuals with a convenient way to refuse.

Through the automated decision-making method to make decisions that have a significant impact on the rights and interests of individuals, individuals have the right to request the personal information processor to explain, and the right to refuse the personal information processor to make decisions only through automated decision-making method.

Article 25 The personal information processor shall not disclose the personal information processed by it, except for obtaining the individual’s separate consent.

Article 26 The installation of image collection, personal identification equipment in public places, should be necessary to maintain public safety, comply with relevant state regulations, and set up a prominent reminder of the logo. The collected personal images, identification information can only be used for the purpose of maintaining public security, shall not be used for other purposes; except for obtaining the individual’s separate consent.

Article 27 The personal information processor may, within a reasonable range, deal with personal information that has been disclosed by the individual or other lawful disclosure; except where the individual expressly refuses. Personal information processor to deal with personal information that has been made public and has a significant impact on the rights and interests of individuals, shall obtain the consent of the individual in accordance with the provisions of this Law.