Rules for Processing Sensitive Personal Information Archives

Article 28

Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity or natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.

Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.

Article 30

For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual’s right and interest, in addition to the matters prescribed in Paragraph 1 of Article 17 thereof, except those that may not be notified to individuals in accordance with the provisions of this Law.

Article 31

If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.

Personal information processors shall formulate special personal information processing rules for handling the personal information of minors under the age of 14.

Article 32

Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or other restriction, such provisions shall prevail.