The State cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising, and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising, and administering personal information shall be determined in accordance with relevant provisions of the State.
The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.
Departments performing duties of personal information protection shall perform the following duties of personal information protection:
(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;
(II) accepting and processing complaints and reports relating to personal information protection;
(III) organizing the evaluation of the protection of personal information such as applications and publish the evaluation results;
(IV) investigating and processing illegal personal information processing activities; and
(V) other duties stipulated by laws and administrative regulations.
The State cyberspace administration shall coordinate with the relevant departments in promoting the protection of personal information in accordance with this Law as follows:
(I) formulate specific rules and standards for the protection of personal information;
(II) formulate special personal information protection rules and standards for small personal information processors, sensitive personal information processing, and new technologies and applications such as face recognition and artificial intelligence;
(III) support research, development, and promotion of secure and convenient electronic identity authentication technology, and promote the construction of public services for online identity authentication;
(IV) promote the development of a socialized service system for protecting personal information and support relevant organizations in carrying out assessment and certification services in respect of personal information protection.
(V) improve the mechanism for complaints and whistleblowing reports on personal information protection.
Where departments performing duties of personal information protection find in performing their duties of personal information protection that there are relatively high risks in personal information processing activities or personal information security incidents have occurred, they may interview the legal representative or person chiefly in charge of the personal information processor according to prescribed authority and procedures, or require the personal information processor to entrust professional institutions to conduct compliance audits of their personal information processing activities. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required.
The department that performs the duty of personal information protection and discovers that the illegal processing of personal information is suspected of a crime in the course of performing its duty, shall promptly transfer the case to the public security organ for handling according to law.
Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing duties of personal information protection. The departments receiving such complaints or reports shall promptly process them according to the law and notify the complainants or reporters of the results. The departments performing duties of personal information protection shall make public the contact information for accepting complaints or reports.
Where a State organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law.
Where the staff of departments responsible for personal information protection are guilty of dereliction of duties, abusing official powers, or malpractice for personal gain but yet to constitute a crime, they shall be punished pursuant to the law.