personal information processor Archives

Article 38

Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions:

(I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;

(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;

(III) where it has concluded a contract with an overseas recipient according to the standard contract formulated by the State cyberspace administration, specifying the rights and obligations of both parties; or

(IV) where it has satisfied other conditions prescribed by laws, administrative regulations, or the State cyberspace administration.

Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside the territory of the People’s Republic of China, such provisions may be complied with.

Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.

Article 41

The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or participated in by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China. Without the approval of the competent authority of the People’s Republic of China, [a] personal information processor shall not provide the personal information stored within the territory of the People’s Republic of China to judicial or law enforcement agencies outside of the territory of the People’s Republic of China.

Article 45

An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 18 and Article 35 herein.

Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.

Where an individual requests to transfer his/her personal information to a personal information processor designated by him/her, the personal information processor shall provide the means for such transfer if the conditions prescribed by the State cyberspace administration are met.

Article 46

Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.

Where an individual requests for corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.

Article 47

Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative; if the personal information processor has not deleted it, the individual concerned shall have the right to request deletion:

(I) where the purpose of processing has been achieved, unable to achieve, or is no longer necessary to achieve;

(II) where the personal information processor stops providing products or services, or the agreed storage period has expired;

(III) where the individual withdraws his/her consent;

(IV) where the personal information processor processes personal information in violation of laws, administrative regulations, or the agreement; or

(V) any other circumstance as prescribed by laws and administrative regulations.

Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop processing personal information other than storage and taking necessary security measures.

Article 48

An individual is entitled to request the personal information processor to explain the rules on the processing of personal information.

Article 50

A personal information processor shall establish a convenient mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated.

Where the personal information processor refuses an individual’s request to exercise his rights, the individual may bring a lawsuit in a people’s court according to law.

Article 52

Where the quantity of personal information processed by a processor reaches that specified by the State cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.

A personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department performing duties of personal information protection.