Where personal information is processed in violation of the provisions hereof, or personal information is processed without fulfilling the personal information protection obligations stipulated in this Law, the departments performing duties of personal information protection shall order the processor to make rectification, give a warning and confiscate its illegal gains, or order the application that illegally processing personal information to suspend or terminate the provision of services; if rectification is refused, a fine of not more than RMB 1 million shall be imposed concurrently on the processor; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge of the processor and other directly liable persons. Where an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection at or above the provincial level shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons, and such persons may also be prohibited from serving as directors, supervisors, senior managers, and persons in charge of personal information protection of relevant enterprises for a certain period of time.
Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public.
Where a State organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law.
Where the staff of departments responsible for personal information protection are guilty of dereliction of duties, abusing official powers, or malpractice for personal gain but yet to constitute a crime, they shall be punished pursuant to the law.
Where the right and interests of personal information are infringed upon due to personal information processing and cause damages, and the personal information processor cannot prove that it is not at fault, it shall bear the tort liability for damages.
Liability for damages prescribed in the preceding paragraph shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances.
Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the consumer organizations specified by law and the organization determined by the State cyberspace administration may file a lawsuit with the people’s court in accordance with the law.
Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law.