Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity or natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.
Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.
Individual consent should be obtained for processing sensitive personal information. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.
For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual’s right and interest, in addition to the matters prescribed in Paragraph 1 of Article 17 thereof, except those that may not be notified to individuals in accordance with the provisions of this Law.
If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.
Personal information processors shall formulate special personal information processing rules for handling the personal information of minors under the age of 14.
Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or other restriction, such provisions shall prevail.