State cyberspace administration Archives

Article 38

Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions:

(I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;

(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;

(III) where it has concluded a contract with an overseas recipient according to the standard contract formulated by the State cyberspace administration, specifying the rights and obligations of both parties; or

(IV) where it has satisfied other conditions prescribed by laws, administrative regulations, or the State cyberspace administration.

Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside the territory of the People’s Republic of China, such provisions may be complied with.

Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.

Article 40

Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations, or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.

Article 42

For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting the provision of personal information to such overseas organization or individual.

Article 45

An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 18 and Article 35 herein.

Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.

Where an individual requests to transfer his/her personal information to a personal information processor designated by him/her, the personal information processor shall provide the means for such transfer if the conditions prescribed by the State cyberspace administration are met.

Article 52

Where the quantity of personal information processed by a processor reaches that specified by the State cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.

A personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department performing duties of personal information protection.

Article 60

The State cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising, and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising, and administering personal information shall be determined in accordance with relevant provisions of the State.

The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.

Article 62

The State cyberspace administration shall coordinate with the relevant departments in promoting the protection of personal information in accordance with this Law as follows:

(I) formulate specific rules and standards for the protection of personal information;

(II) formulate special personal information protection rules and standards for small personal information processors, sensitive personal information processing, and new technologies and applications such as face recognition and artificial intelligence;

(III) support research, development, and promotion of secure and convenient electronic identity authentication technology, and promote the construction of public services for online identity authentication;

(IV) promote the development of a socialized service system for protecting personal information and support relevant organizations in carrying out assessment and certification services in respect of personal information protection.

(V) improve the mechanism for complaints and whistleblowing reports on personal information protection.

Article 70

Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the consumer organizations specified by law and the organization determined by the State cyberspace administration may file a lawsuit with the people’s court in accordance with the law.