Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information they process.
Tag: personal information processors
Article 17
Prior to processing personal information, a personal information processor shall truthfully, accurately, and completely inform the individual of the following matters in an eye-catching manner and with clear and understandable language:
(I) the name and contact information of the personal information processor;
(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;
(III) the method and procedure for the individual to exercise the rights provided herein; and
(IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.
If any of the matters provided in the preceding paragraph is changed, the individual shall be notified of such change.
Article 18
When processing personal information, a personal information processor may refrain from notifying the individual of the matters provided for in Paragraph 1 of the preceding Article where laws and administrative regulations provide that confidentiality shall be kept or that notification is not necessary.
Where, in an emergency, it is not possible to inform the individual in a timely manner in order to protect the life, health and property safety of natural persons, the personal information processor shall inform the individual in time after the emergency has been eliminated.
Article 20
Where more than two personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s right to exercise the rights provided for in this Law against any of the personal information processors.
Where personal information processors jointly processing personal information infringe upon personal information rights and interests and cause damages, they shall bear joint and several liability in accordance with the law.
Article 23
Where a personal information processor provides other personal information processors with the personal information it processes, it shall inform the individual of the name and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the party receiving personal information changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law.
Article 27
Personal information processors may, within a reasonable range, process personal information that has been disclosed by individuals themselves or other lawfully disclosed personal information, except where the individual explicitly refuses. Personal information processors shall obtain the consent of individuals in accordance with the provisions of this Law if the processing of disclosed personal information has a major impact on the rights and interests of individuals.
Article 28
Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.
Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.
Article 31
If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.
Personal information processors shall formulate special personal information processing rules for handling the personal information of minors under the age of 14.
Article 40
Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations, or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.
Article 51
A personal information processor shall, according to the purpose and method of processing personal information, the type of personal information, the impact on individuals' rights and interests, and possible security risks, etc., take the following measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized access to, or leakage, falsification, and loss of, personal information:
(I) formulating internal management systems and operational procedures;
(II) managing personal information by classification;
(III) taking corresponding technical security measures such as encryption and de-identification;
(IV) reasonably determining the authority to process personal information and conducting security education and training for employees on a regular basis;
(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and
(VI) other measures as prescribed by laws and administrative regulations.