Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of relevant agency or the representative to the department performing duties of personal information protection.
Article 54
A personal information processor shall regularly audit whether its processing of personal information is in compliance with provisions of laws and administrative regulations.
Article 55
A personal information processor shall conduct a personal information protection impact assessment in advance under any of the following circumstances and keep a record of the processing:
(I) processing sensitive personal information;
(II) making use of personal information to make automatic decisions;
(III) entrusting others to process personal information, providing other personal information processors with personal information, and disclosing personal information;
(IV) providing personal information to overseas parties; and
(V) other personal information processing activities that have a significant impact on individuals’ rights and interests.
Article 57
Where personal information has been or may be leaked, falsified, or lost, the personal information processor shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:
(I) types and causes of personal information leakage, falsification, and loss that have occurred or may occur and the possible harm caused;
(II) remedial measures taken by personal information processors and measures taken by individuals to mitigate harm;
(III) contact information of the personal information processor.
If the personal information processor has taken measures to effectively avoid harm caused by information leakage, falsification, or loss, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes harm shall be caused, it may require the personal information processor to notify the individuals thereof.
Article 73
For the purposes of this Law, the following terms are defined as follows:
(I) A personal information processor refers to any organization or individual that independently determines the purpose and method of processing in personal information processing activities.
(II) Automatic decision-making refers to an activity to automatically analyze and evaluate a person’s behavior habits, hobbies or economic, health or credit status through computer programs and make decisions.
(III) De-identification refers to the process in which personal information is processed so that it is impossible to identify certain natural persons without the use of additional information.
(IV) Anonymization refers to the process in which personal information is processed so that it is impossible to identify a certain natural person and the information cannot be recovered.
