Personal Information Protection Law of the People's Republic of China

Updated: 2021-12-29

Article 52 A personal information processor that processes personal information up to the amount prescribed by the national cyberspace department shall designate a person in charge of personal information protection, who shall supervise the personal information processing activities of the processor as well as the protective measures taken thereby, among others.

The personal information processor shall disclose the contact information of the person in charge of personal information protection, and submit the said person's name, contact information, and other information to the departments with personal information protection duties. 

Article 53 Personal information processors outside the territory of the People's Republic of China as specified in the second paragraph of Article 3 of this Law shall set up specialized agencies or designate representatives within the territory of the People's Republic of China to be responsible for handling personal information protection related matters, and shall submit the names, contact information, and other information of the agencies and representatives to the departments with personal information protection duties.

Article 54 Personal information processors shall regularly conduct compliance audits of their personal information processing activities with laws and administrative regulations. 

Article 55 In any of the following circumstances, a personal information processor shall assess in advance the impact on personal information protection and keep a record of the course of the processing:

(1) processing sensitive personal information;

(2) using personal information to conduct automated decision making;

(3) entrusting personal information processing to another party, providing personal information for another party, or publicizing personal information;

(4) providing personal information for any party outside the territory of the People's Republic of China; or

(5) conducting other personal information processing activities which may have significant impacts on individuals. 

Article 56 The assessment of impact on personal information protection shall include the following contents:

(1) whether the purposes and means of personal information processing are legitimate, justified and necessary;

(2) the impact on individuals' rights and interests, and security risks; and

(3) whether the protection measures taken are legitimate, effective, and compatible with the degree of risks.

The report of the impact assessment on personal information protection and the processing record shall be retained for at least three years. 

Article 57 Where the breach, tampering, or loss of personal information occurs or may occur, a personal information processor shall immediately take remedial measures and notify the departments with personal information protection duties and the relevant individuals. The notice shall include the following items:

(1) the categories of personal information that has been or may be breached, tampered with or lost, and the reasons and possible harm of the breach, tampering and loss;

(2) the remedial measures adopted by the personal information processor and the measures the individuals may take to mitigate the harm; and

(3) the contact information of the personal information processor.

Where the measures taken by the personal information processor can effectively avoid the harm caused by breach, tampering, or loss of personal information, the personal information processor is not required to notify individuals; where the departments with personal information protection duties consider that harm may be caused, they have the authority to request the personal information processor to notify individuals. 

Article 58 A personal information processor that provides important internet platform services involving a huge number of users and complicated business types shall perform the following obligations:

(1) establishing and improving the personal information protection compliance system in accordance with the provisions of the state and establishing an independent organization mainly composed of external members to supervise the protection of personal information;

(2) following the principles of openness, fairness, and justice, formulating platform rules, and clarifying the norms and obligations that product or service providers within the platform should meet when processing personal information;

(3) stopping providing services for product or service providers within the platforms that process personal information in serious violation of laws and administrative regulations; and

(4) regularly publishing social responsibility reports on personal information protection for public supervision. 

Article 59 The party entrusted with the processing of personal information shall, in accordance with this Law and relevant laws and administrative regulations, take the necessary measures to ensure the security of the personal information entrusted for processing, and assist the entrusting personal information processor in fulfilling the obligations provided by this Law.

Chapter VI

Departments with Personal Information Protection Duties 

Article 60 The national cyberspace department shall be responsible for the overall planning and coordination of personal information protection and related supervision and administration. The relevant departments of the State Council shall, in accordance with this Law and other relevant laws and administrative regulations, be responsible for personal information protection and related supervision and administration within the scope of their respective duties.

The duties of personal information protection and related supervision and administration of the relevant departments of the local people's governments at or above the county level shall be determined in accordance with the relevant provisions of the state.

The departments provided in the preceding two paragraphs are collectively referred to as the departments with personal information protection duties. 

Article 61 Departments with personal information protection duties shall perform the following personal information protection duties:

(1) conducting publicity and education on personal information protection, and guiding and supervising personal information processors in their protection of personal information;

(2) receiving and handling complaints and reports related to personal information protection;

(3) organizing evaluations of applications, etc. in terms of personal information protection and publishing the results of such evaluations;

(4) investigating and handling illegal personal information processing activities; and

(5) other duties as provided by laws and administrative regulations.

Article 62 The national cyberspace department shall coordinate relevant departments to promote personal information protection through the following efforts in accordance with this Law:

(1) formulating specific rules and standards for personal information protection;

(2) developing special personal information protection rules and standards for small personal information processors, the processing of sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;

(3) supporting the research and development, and promoting the application of secure and convenient electronic identity authentication technology, and advancing the public services for network identity authentication;

(4) promoting the development of a personal information protection service system with the participation of various social sectors, and supporting relevant institutions in providing personal information protection assessment and certification services; and

(5) improving the complaint and reporting mechanism related to personal information protection.

Article 63 A department with personal information protection duties when fulfilling related duties may take the following measures:

(1) questioning relevant parties, and investigating circumstances related to personal information processing activities;

(2) consulting and duplicating the parties' contracts, records, account books and other relevant materials related to personal information processing activities;

(3) conducting on-site inspections, and investigating suspected illegal personal information processing activities;

(4) inspecting equipment and articles related to personal information processing activities; and sealing up or seizing equipment and articles related to illegal personal information processing activities as proved by evidence after submitting written reports to and obtaining approval from the principal person in charge of the departments with personal information protection duties.

When departments with personal information protection duties carry out their duties in accordance with the law, the parties concerned shall cooperate and provide assistance, and shall not reject or obstruct them. 

Article 64 Where a department with personal information protection duties finds, when performing its duties, relatively high risks in personal information processing activities or the occurrence of personal information security incidents, the department may hold an interview with the legal representative or the principal person in charge of the personal information processor according to the provided authority and procedures, or request the processor to entrust a professional institution to conduct compliance audits of the personal information processing activities. The personal information processor shall adopt measures to make rectification and eliminate potential risks as required.

Where a department with personal information protection duties, in performing its duties, finds an illegal personal information processing activity that may involve a crime, the department shall transfer the case to the public security organ in a timely manner in accordance with the law.

Article 65 Any organization or individual has the right to complain and report to a department with personal information protection duties about illegal personal information processing. The department that receives such a complaint or report shall handle it in a timely manner in accordance with the law, and notify the complainant or informant of the results.

Departments with personal information protection duties shall publish their contact information for receiving complaints and reports.

Chapter VII

Legal Liability

Article 66 Where personal information is processed in violation of the provisions of this Law or without fulfilling the personal information protection obligations provided in this Law, the departments with personal information protection duties shall order the violator to make corrections, give a warning, confiscate the illegal gains, and order the suspension or termination of provision of services by the applications that illegally process personal information; where the violator refuses to make corrections, a fine of not more than RMB one million yuan shall be imposed thereupon; and the directly liable persons in charge and other directly liable persons shall each be fined not less than RMB 10,000 yuan nor more than RMB 100,000 yuan.

Where an illegal act as prescribed in the preceding paragraph is committed and the circumstances are serious, the departments with personal information protection duties at or above the provincial level shall order the violator to make corrections, confiscate the illegal gains, and impose a fine of not more than RMB 50 million yuan or not more than five percent of the previous year's turnover; may also order the suspension of relevant businesses, or order the suspension of all business operations for an overhaul, and notify the competent authorities to revoke relevant business permits or licenses; shall impose a fine of not less than RMB 100,000 yuan but not more than RMB 1 million yuan upon each of the directly liable persons in charge and other directly liable persons; and may decide to prohibit the abovementioned persons from serving as directors, supervisors, senior managers, or persons in charge of relevant companies within a specific period of time.

Article 67 Any violation of the provisions of this Law shall be entered in the relevant credit record and be published in accordance with the provisions of the relevant laws and administrative regulations. 

Article 68 Where any state organ fails to fulfill the personal information protection obligations as provided in this Law, the organ at the higher level or the departments with personal information protection duties shall order it to make corrections, and discipline the directly liable person in charge and other directly liable persons in accordance with the law.

Where a staff member of a department with personal information protection duties neglects duties, abuses power, or practices favoritism, which does not constitute a crime, the staff member shall be subject to sanction in accordance with the law. 

Article 69 Where a personal information processor infringes the rights or interests on personal information due to any personal information processing activity and cannot prove that the processor is not at fault, the processor shall assume the liability for damages and other tort liability.

The liability for damages prescribed in the preceding paragraph shall be determined based on the losses of individuals incurred thereby and the benefits acquired by the infringing personal information processor; and where it is difficult to determine the aforementioned losses or the benefits, the amount of damages shall be determined based on the actual circumstances. 

Article 70 Where a personal information processor processes personal information in violation of the provisions of this Law and infringes the rights and interests of many individuals, the people's procuratorate, the consumer organizations specified by law, and the organization designated by the national cyberspace department may file a lawsuit with the people's court in accordance with the law. 

Article 71 Any violation of this Law which constitutes a violation of public security administration shall be subject to public security administration penalty in accordance with the law. If the violation constitutes a crime, the violator shall be held criminally liable in accordance with the law.

Chapter VIII

Supplementary Provisions 

Article 72 This Law is not applicable where a natural person processes personal information for personal or household affairs.

Where other laws provide for the processing of personal information in statistical or archives management activities organized and conducted by the people's governments at all levels and their relevant departments, the provisions of such laws shall prevail.

Article 73 For purposes of this Law, the following terms shall have the following meanings:

(1) "personal information processor" refers to an organization or individual that autonomously determines the purposes and means of personal information processing.

(2) "automated decision making" refers to the activities of automatically analyzing and evaluating personal behaviors, hobbies, or economic, health, and credit status, among others, through computer programs, and making decisions.

(3) "de-identification" refers to processing personal information to make it impossible to identify specific natural persons in the absence of the support of additional information.

(4) "anonymization" refers to the process of processing personal information to make it impossible to identify specific natural persons and impossible to restore.

Article 74 This Law shall come into force as of November 1, 2021.


Copyright © The National People's Congress of the People's Republic of China. All Rights Reserved. Presented by China Daily.