Personal Information Protection Law of the People's Republic of China
(Adopted at the 30th Meeting of the Standing Committee of the Thirteenth National People's Congress on August 20, 2021)
Contents
Chapter I General Provisions
Chapter II Personal Information Processing Rules
Section 1 General Rules
Section 2 Rules on Processing Sensitive Personal Information
Section 3 Special Provisions on the Processing of Personal Information by State Organs
Chapter III Rules on Provision of Personal Information Across Border
Chapter IV Individuals' Rights in Personal Information Processing Activities
Chapter V Obligations of Personal Information Processors
Chapter VI Departments with Personal Information Protection Duties
Chapter VII Legal Liability
Chapter VIII Supplementary Provisions
Chapter I
General Provisions
Article 1 This Law is enacted in accordance with the Constitution for the purposes of protecting the rights and interests on personal information, regulating personal information processing activities, and promoting reasonable use of personal information.
Article 2 The personal information of natural persons shall be protected by law. No organization or individual may infringe upon natural persons' rights and interests on their personal information.
Article 3 This Law shall apply to the processing of personal information of natural persons within the territory of the People's Republic of China.
This Law shall also apply to the processing outside the territory of the People's Republic of China of the personal information of natural persons within the territory of the People's Republic of China, under any of the following circumstances:
(1) for the purpose of providing products or services for natural persons inside the People's Republic of China;
(2) analyzing or evaluating the behaviors of natural persons within the territory of the People's Republic of China; and
(3) any other circumstance as provided by any law or administrative regulation.
Article 4 "Personal information" refers to various information related to an identified or identifiable natural person recorded electronically or by other means, but does not include anonymized information.
Personal information processing includes personal information collection, storage, use, processing, transmission, provision, disclosure and deletion, among others.
Article 5 Personal information shall be processed according to law when it is necessary, with justified reason, and in good faith, and the processing may not involve misguidance, fraud, coercion, and the like.
Article 6 Personal information processing shall be based on explicit and reasonable purposes and directly related to those purposes, and shall exert the minimum impacts on the rights and interests of individuals.
The collection of personal information shall be limited to the minimum scope required by the purpose of processing, and personal information may not be collected excessively.
Article 7 The principles of openness and transparency shall be observed in the processing of personal information, the rules for processing personal information shall be disclosed, and the purposes, means, and scope of processing shall be explicitly indicated.
Article 8 The quality of personal information shall be guaranteed in personal information processing, to avoid adverse impacts on the rights and interests of individuals caused by inaccurate and incomplete personal information.
Article 9 Personal information processors shall be responsible for their personal information processing activities and take necessary measures to ensure the security of the personal information they process.
Article 10 No organization or individual shall illegally collect, use, process, or transmit the personal information of other persons, or illegally trade, provide or disclose the personal information of other persons, or engage in personal information processing activities that endanger national security or harm public interests.
Article 11 The state shall establish and improve the personal information protection system to prevent and punish infringements upon the rights and interests on personal information, strengthen publicity and education on personal information protection, and promote a favorable environment for the government, enterprises, relevant industry organizations, and the public to jointly participate in personal information protection.
Article 12 The state will actively engage in the development of international rules on personal information protection, promote the international exchanges and cooperation in personal information protection, and encourage the mutual recognition of personal information protection rules and standards, among others, with other countries, regions, and international organizations.
Chapter II
Personal Information Processing Rules
Section 1
General Rules
Article 13 A personal information processor can process personal information of an individual only if one of the following circumstances exists:
(1) the individual's consent has been obtained;
(2) the processing is necessary for the conclusion or performance of a contract in which the individual is a party, or necessary for human resources management in accordance with the labor rules and regulations established in accordance with the law and the collective contracts signed in accordance with the law;
(3) the processing is necessary for the performance of statutory duties or obligations;
(4) the processing is necessary for the response to public health emergencies, or for the protection of life, health, and property safety of natural persons in emergencies;
(5) the personal information is reasonably processed for news reporting, media supervision, and other activities conducted in the public interest;
(6) the personal information disclosed by the individual himself or other legally disclosed personal information of the individual is reasonably processed in accordance with this Law; and
(7) other circumstances as provided by laws or administrative regulations.
Individual consent shall be obtained for processing personal information if any other relevant provisions of this Law so provide, except under the circumstances specified in Subparagraphs (2) to (7) of the preceding paragraph.
Article 14 Where personal information processing is based on individual consent, the individual consent shall be voluntary, explicit, and fully informed. Where any other law or administrative regulation provides that an individual's separate consent or written consent must be obtained for processing personal information, such provisions shall apply.
In the case of any change of the purposes or means of personal information processing, or the category of processed personal information, a new consent shall be obtained from the individual.
Article 15 Where personal information processing is based on individual consent, an individual shall have the right to withdraw his consent. Personal information processors shall provide convenient ways for individuals to withdraw their consents.
The withdrawal of consent shall not affect the validity of the processing activities conducted based on consent before it is withdrawn.
Article 16 A personal information processor shall not refuse to provide products or services for an individual on the grounds that the individual withholds his consent for the processing of his personal information or has withdrawn his consent for the processing of personal information, except where the processing of personal information is necessary for the provision of products or services.
Article 17 A personal information processor shall, before processing personal information, truthfully, accurately and fully inform an individual of the following matters in a easy-to-notice manner and in clear and easy-to-understand language:
(1) the name and contact information of the personal information processor;
(2) the purposes and means of personal information processing, and the categories and storage periods of the personal information to be processed;
(3) the methods and procedures for the individual to exercise his rights as provided in this Law; and
(4) other matters that the individual should be notified of as provided by laws and administrative regulations.
Where any matter as set forth in the preceding paragraph changes, the individual shall be informed of the change.
Where the personal information processor informs an individual of the matters specified in the first paragraph by formulating personal information processing rules, the processing rules shall be made public and be easy to consult and save.
Article 18 When processing personal information, personal information processors are permitted not to inform individuals of the matters specified in the first paragraph of the preceding article where laws or administrative regulations require confidentiality or provide no requirement for such notification.
Where it is impossible to notify individuals in a timely manner in a bid to protect natural persons' life, health and property safety in case of emergency, the personal information processors shall notify them without delay after the emergency is removed.
Article 19 Except as otherwise provided by laws and administrative regulations, the storage period of personal information shall be the minimum time necessary to achieve the purpose of processing.
Article 20 Where two or more personal information processors jointly determine the purposes and means of processing certain personal information, they shall reach an agreement on their respective rights and obligations in processing the personal information. However, this agreement shall not affect an individual's request to any one of them to exercise his rights as provided in this Law.
Where, in jointly processing certain personal information, a processor infringes the rights and interests on personal information and causes damages, other personal information processors shall bear joint and several liability in accordance with law.
Article 21 A personal information processor entrusting the processing of certain personal information to a party shall reach an agreement with the entrusted party on the purposes, period and means of processing, the categories of personal information to be processed and the protection measures, as well as the rights and obligations of both parties, among others, and shall supervise the personal information processing activities of the entrusted party.
The entrusted party shall process personal information in accordance with the agreement and may not process personal information beyond the purposes, means and other conditions as agreed upon. Where the entrustment contract has not taken effect, or is invalid, or is revoked or terminated, the entrusted party shall return the personal information in question to the personal information processor or delete it and shall not retain the personal information.
Without the consent of the personal information processor, the entrusted party may not sub-contract the processing of personal information to any other party.
Article 22 Where a personal information processor needs to transfer personal information due to a merger, division, dissolution, or bankruptcy or for other reasons, the processor shall inform the individuals of the name and contact information of the recipient of the transferred personal information. The recipient shall continue to perform the obligations of the said personal information processor. Any change of the original purposes or means of processing by the recipient shall be subject to individual consent in accordance with this Law.
Article 23 To provide personal information for any other processor, a personal information processor shall inform the individuals of the recipient's name and contact information, the purposes and means of processing and the categories of personal information to be processed, and shall obtain the individuals' separate consent. The recipient shall process personal information within the scope of the purposes, means, and categories of personal information mentioned above. Any change of the purposes or means of processing by the recipient shall be subject to individual consent in accordance with this Law.
Article 24 Personal information processors using personal information for automated decision making shall ensure the transparency of the decision making and the fairness and impartiality of the results, and may not apply unreasonable differential treatment to individuals in terms of transaction prices and other transaction conditions.
Information push and commercial marketing to individuals based on automated decision making shall be simultaneously accompanied by options not specific to their personal characteristics or with convenient means for individuals to refuse.
Where a decision that may have a significant impact on an individual's rights and interests is made through automated decision making, the individual shall have the right to request clarification from the personal information processor and the right to refuse the processor for making the decision only through automated decision making.
Article 25 Personal information processors shall not disclose the personal information they process, except where separate consents has been obtained from the individuals.