impact assessment Archives

Article 55

A personal information processor shall conduct personal information protection impact assessment of the following circumstances in advance and keep a record of the processing:

(I) processing sensitive personal information;

(II) making use of personal information to make automatic decisions;

(III) entrusting others to process personal information, providing other personal information processors with personal information, and disclosing personal information;

(IV) providing personal information to overseas parties; and

(V) other personal information processing activities that have a significant impact on individuals’ rights and interests.

Article 56

The personal information protection impact assessment shall include the following:

(I) whether the purpose and method of processing personal information are legitimate, justifiable, and necessary;

(II) impact on individuals’ rights and interests and the security risks; and

(III) whether the security protection measures taken are legitimate, effective, and appropriate to the degree of risks.

The personal information protection assessment report and processing record shall be kept for at least three years.