Article 51

A personal information processor shall, according to the purpose and method of processing personal information, type of personal information, impact on individual’s right and interest, and possible security risk, etc., take the following measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized visit, or leakage, falsification, and loss of personal information:

(I) formulating internal management system and operational procedures;

(II) managing personal information by classification;

(III) taking corresponding technical security measures such as encryption and de-identification;

(IV) reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;

(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and

(VI) other measures as prescribed by laws and administrative regulations.