Personal Information Protection Law of the People's Republic of China
Release Date: 2021-08-20
Effective Date: 2021-11-01
Source: https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm
Original Title: 中华人民共和国个人信息保护法
Chapter I: General Provisions
Article 1: This Law is formulated in accordance with the Constitution to protect personal information rights and interests, regulate personal information processing activities, and promote the reasonable use of personal information.
Article 2: The personal information of natural persons is protected by law. No organization or individual may infringe upon the personal information rights and interests of natural persons.
Article 3: This Law applies to the processing of personal information of natural persons within the territory of the People's Republic of China.
This Law also applies to the processing of personal information of natural persons within the territory of the People's Republic of China from outside the territory if one of the following circumstances is present:
(a) For the purpose of providing products or services to natural persons within the territory;
(b) Analyzing or evaluating the behavior of natural persons within the territory;
(c) Other circumstances as stipulated by laws and administrative regulations.
Article 4: Personal information refers to various types of information recorded electronically or otherwise that is related to an identified or identifiable natural person, excluding information that has been anonymized.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.
Article 5: The processing of personal information shall adhere to the principles of legality, legitimacy, necessity, and good faith, and shall not be conducted through misleading, fraudulent, or coercive means.
Article 6: The processing of personal information shall have a clear and reasonable purpose, be directly related to the purpose of processing, and employ methods that have the least impact on personal rights and interests.
The collection of personal information shall be limited to the minimum scope necessary to achieve the purpose of processing, and excessive collection of personal information is prohibited.
Article 7: The processing of personal information shall adhere to the principles of openness and transparency, with clear disclosure of the rules for personal information processing, including the purpose, method, and scope of processing.
Article 8: The processing of personal information shall ensure the quality of personal information to avoid adverse impacts on personal rights and interests due to inaccurate or incomplete personal information.
Article 9: Personal information processors shall be responsible for their personal information processing activities and take necessary measures to ensure the security of the processed personal information.
Article 10: No organization or individual may illegally collect, use, process, transmit, buy, sell, provide, or disclose others' personal information, nor engage in personal information processing activities that endanger national security or public interest.
Article 11: The state shall establish and improve the personal information protection system, prevent and punish acts that infringe upon personal information rights and interests, strengthen personal information protection publicity and education, and promote the formation of a favorable environment for personal information protection involving government, enterprises, relevant social organizations, and the public.
Article 12: The state shall actively participate in the formulation of international rules for personal information protection, promote international exchanges and cooperation in personal information protection, and facilitate mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Chapter II: Rules for Personal Information Processing
Section 1: General Provisions
Article 13: Personal information processors may process personal information under any of the following circumstances:
(a) Obtaining the consent of the individual;
(b) Necessity for the conclusion or performance of a contract to which the individual is a party, or for human resource management in accordance with legally established labor rules and legally signed collective contracts;
(c) Necessity for fulfilling statutory duties or obligations;
(d) Necessity for responding to public health emergencies or protecting the life, health, and property safety of natural persons in emergency situations;
(e) Necessity for public interest in news reporting, public opinion supervision, and other such activities within a reasonable scope;
(f) Processing personal information that has been publicly disclosed by the individual or otherwise legally disclosed within a reasonable scope in accordance with this Law;
(g) Other circumstances as stipulated by laws and administrative regulations.
Where other provisions of this Law require that personal information processing obtain the individual's consent, consent is not required in the circumstances specified in items (b) to (g) of the preceding paragraph.
Article 14: Where personal information is processed on the basis of individual consent, that consent shall be given voluntarily and explicitly by the individual with full knowledge of the processing. Where laws and administrative regulations require individual consent or written consent for processing personal information, such provisions shall prevail.
If the purpose, method, or type of personal information processing changes, individual consent shall be obtained again.
Article 15: Individuals have the right to withdraw their consent for personal information processing. Personal information processors shall provide a convenient method for withdrawing consent.
Withdrawal of consent by the individual does not affect the validity of personal information processing activities conducted based on individual consent before the withdrawal.
Article 16: Personal information processors shall not refuse to provide products or services on the grounds that the individual does not consent to the processing of their personal information or withdraws consent, except where processing personal information is necessary for providing products or services.
Article 17: Before processing personal information, personal information processors shall inform the individual of the following matters in a conspicuous manner and in clear and understandable language:
(a) The name or contact information of the personal information processor;
(b) The purpose, method, type, and retention period of personal information processing;
(c) The method and procedure for individuals to exercise their rights as stipulated by this Law;
(d) Other matters that should be informed as stipulated by laws and administrative regulations.
If there are changes to the matters specified in the preceding paragraph, the changes shall be informed to the individual.
If the personal information processor informs the individual of the matters specified in the first paragraph by formulating personal information processing rules, the processing rules shall be made public and shall be easy to consult and retain.
Article 18: Personal information processors may not inform individuals of the matters specified in the first paragraph of the preceding article if laws and administrative regulations stipulate confidentiality or no need for notification.
In emergency situations where it is impossible to promptly inform the individual to protect the life, health, and property safety of natural persons, personal information processors shall inform the individual in a timely manner after the emergency situation is eliminated.
Article 19: Except as otherwise stipulated by laws and administrative regulations, the retention period for personal information shall be the shortest time necessary to achieve the purpose of processing.
Article 20: Where two or more personal information processors jointly decide the purpose and method of personal information processing, they shall agree on their respective rights and obligations. However, such agreement does not affect the individual's right to request the exercise of rights stipulated by this Law from any of the personal information processors.
If personal information processors jointly process personal information and infringe upon personal information rights and interests causing damage, they shall bear joint liability in accordance with the law.
Article 21: Personal information processors who entrust the processing of personal information shall agree with the entrusted party on the purpose, duration, method, type of personal information, protective measures, and the rights and obligations of both parties, and supervise the entrusted party's personal information processing activities.
The entrusted party shall process personal information in accordance with the agreement and shall not exceed the agreed purpose or method of processing personal information. If the entrustment contract does not take effect, or is invalid, revoked, or terminated, the entrusted party shall return the personal information to the personal information processor or delete it and shall not retain it.
The entrusted party may not re-entrust others to process personal information without the consent of the personal information processor.
Article 22: Personal information processors who need to transfer personal information due to mergers, divisions, dissolution, or being declared bankrupt shall inform the individual of the name or contact information of the receiving party. The receiving party shall continue to fulfill the obligations of the personal information processor. If the receiving party changes the original purpose or method of processing, individual consent shall be obtained again in accordance with this Law.
Article 23: Personal information processors who provide processed personal information to other personal information processors shall inform the individual of the name or contact information, processing purpose, method, and type of personal information of the receiving party, and obtain the individual's separate consent. The receiving party shall process personal information within the scope of the aforementioned processing purpose, method, and type of personal information. If the receiving party changes the original purpose or method of processing, individual consent shall be obtained again in accordance with this Law.
Article 24: Personal information processors who use personal information for automated decision-making shall ensure the transparency of decisions and fairness and justice of results, and shall not implement unreasonable differential treatment in transaction prices or other transaction conditions.
When information is pushed or commercial marketing is conducted through automated decision-making methods, options not targeted at individual characteristics shall be provided, or a convenient refusal method shall be provided to the individual.
When significant decisions affecting personal rights and interests are made through automated decision-making methods, individuals have the right to request explanations from personal information processors and have the right to refuse decisions made solely through automated decision-making.
Article 25: Personal information processors may not publicly disclose processed personal information, except with the individual's separate consent.
Article 26: The installation of image collection and personal identification equipment in public places shall be necessary for maintaining public safety, comply with national regulations, and have conspicuous warning signs. Collected personal images and identification information may only be used for the purpose of maintaining public safety and not for other purposes, except with the individual's separate consent.
Article 27: Personal information processors may process personal information that is publicly disclosed by the individual or otherwise legally disclosed within a reasonable scope, except where the individual explicitly refuses. If processing publicly disclosed personal information has a significant impact on personal rights and interests, individual consent shall be obtained in accordance with this Law.
Section 2: Rules for Processing Sensitive Personal Information
Article 28: Sensitive personal information refers to personal information that, once leaked or illegally used, can easily lead to infringement of the dignity of natural persons or harm to personal or property safety, including biometric information, religious beliefs, specific identities, medical and health information, financial accounts, whereabouts, and the personal information of minors under the age of fourteen.
Personal information processors may process sensitive personal information only where there is a specific purpose and sufficient necessity, and only with strict protective measures in place.
Article 29: Processing sensitive personal information shall obtain the individual's separate consent; where laws and administrative regulations require written consent for processing sensitive personal information, such provisions shall prevail.
Article 30: Personal information processors who process sensitive personal information shall inform the individual of the necessity of processing sensitive personal information and its impact on personal rights and interests, in addition to the matters specified in the first paragraph of Article 17; except where notification is not required in accordance with this Law.
Article 31: Personal information processors who process personal information of minors under the age of fourteen shall obtain the consent of the minor's parents or other guardians.
Personal information processors who process personal information of minors under the age of fourteen shall formulate special personal information processing rules.
Article 32: Where laws and administrative regulations stipulate that administrative licenses or other restrictions must be obtained for processing sensitive personal information, such provisions shall prevail.
Section 3: Special Provisions for State Organs Processing Personal Information
Article 33: The processing of personal information by state organs shall be governed by this Law; where special provisions are provided in this section, those provisions shall apply.
Article 34: State organs shall process personal information to fulfill statutory duties in accordance with the authority and procedures stipulated by laws and administrative regulations, and shall not exceed the scope and limits necessary for fulfilling statutory duties.
Article 35: State organs shall fulfill the obligation to inform individuals when processing personal information to fulfill statutory duties in accordance with this Law; except in circumstances specified in the first paragraph of Article 18, or where notification would hinder the fulfillment of statutory duties by state organs.
Article 36: Personal information processed by state organs shall be stored within the territory of the People's Republic of China; if it needs to be provided abroad, a security assessment shall be conducted. Relevant departments may be required to provide support and assistance for the security assessment.
Article 37: Organizations authorized by laws and regulations to manage public affairs shall process personal information to fulfill statutory duties in accordance with the provisions of this Law regarding the processing of personal information by state organs.
Chapter III: Rules for Cross-border Provision of Personal Information
Article 38: Personal information processors who need to provide personal information abroad for business purposes shall meet one of the following conditions:
(a) Passing the security assessment organized by the national cyberspace administration in accordance with the provisions of Article 40 of this Law;
(b) Undergoing personal information protection certification by a professional institution in accordance with the provisions of the national cyberspace administration;
(c) Signing a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration, stipulating the rights and obligations of both parties;
(d) Other conditions stipulated by laws, administrative regulations, or the national cyberspace administration.
Where international treaties or agreements concluded or participated in by the People's Republic of China stipulate conditions for providing personal information abroad, such provisions may be followed.
Personal information processors shall take necessary measures to ensure that overseas recipients' personal information processing activities meet the personal information protection standards stipulated by this Law.
Article 39: Personal information processors who provide personal information abroad shall inform the individual of the name or contact information, processing purpose, method, type of personal information, and the method and procedure for exercising rights stipulated by this Law to the overseas recipient, and obtain the individual's separate consent.
Article 40: Operators of critical information infrastructure and personal information processors who process personal information reaching the quantity stipulated by the national cyberspace administration shall store collected and generated personal information within the territory of the People's Republic of China. If it needs to be provided abroad, a security assessment organized by the national cyberspace administration shall be conducted; where laws, administrative regulations, and provisions of the national cyberspace administration allow for not conducting a security assessment, such provisions shall prevail.
Article 41: The competent authorities of the People's Republic of China shall handle requests from foreign judicial or law enforcement agencies for providing personal information stored within the territory of the People's Republic of China in accordance with relevant laws and international treaties or agreements concluded or participated in by the People's Republic of China, or based on the principle of equality and reciprocity. Without approval from the competent authorities of the People's Republic of China, personal information processors may not provide personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement agencies.
Article 42: If overseas organizations or individuals engage in personal information processing activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China or endanger the national security or public interest of the People's Republic of China, the national cyberspace administration may include them in the list of restricted or prohibited personal information providers, announce the list, and take measures such as restricting or prohibiting the provision of personal information to them.
Article 43: If any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in terms of personal information protection, the People's Republic of China may take reciprocal measures against that country or region based on actual circumstances.
Chapter IV: Rights of Individuals in Personal Information Processing Activities
Article 44: Individuals have the right to be informed and make decisions regarding the processing of their personal information, and have the right to restrict or refuse others from processing their personal information, except as otherwise stipulated by laws and administrative regulations.
Article 45: Individuals have the right to access and copy their personal information from personal information processors, except in circumstances specified in the first paragraph of Article 18 and Article 35.
Personal information processors shall promptly provide access and copies of personal information upon request from individuals.
If individuals request the transfer of their personal information to designated personal information processors, personal information processors shall provide a transfer method that meets the conditions stipulated by the national cyberspace administration.
Article 46: If individuals find their personal information inaccurate or incomplete, they have the right to request correction or supplementation from personal information processors.
Personal information processors shall verify personal information and promptly correct or supplement it upon request from individuals.
Article 47: Personal information processors shall proactively delete personal information under any of the following circumstances; if not deleted, individuals have the right to request deletion:
(a) The processing purpose has been achieved, cannot be achieved, or is no longer necessary to achieve;
(b) Personal information processors cease to provide products or services, or the retention period has expired;
(c) Individuals withdraw consent;
(d) Personal information processors violate laws, administrative regulations, or agreements in processing personal information;
(e) Other circumstances stipulated by laws and administrative regulations.
If the retention period stipulated by laws and administrative regulations has not expired, or if it is technically difficult to delete personal information, personal information processors shall cease processing other than storage and take necessary security protection measures.
Article 48: Individuals have the right to request explanations from personal information processors regarding their personal information processing rules.
Article 49: If a natural person dies, their close relatives may exercise the rights of access, copying, correction, and deletion of the deceased's relevant personal information stipulated by this chapter for their own legitimate and lawful interests, except where the deceased made other arrangements during their lifetime.
Article 50: Personal information processors shall establish a convenient mechanism for individuals to apply for exercising their rights and process such applications. If requests for exercising rights are refused, reasons shall be provided.
If personal information processors refuse requests for exercising rights, individuals may file lawsuits with the people's court in accordance with the law.
Chapter V: Obligations of Personal Information Processors
Article 51: Personal information processors shall take the following measures to ensure that personal information processing activities comply with laws and administrative regulations and prevent unauthorized access, leakage, tampering, or loss of personal information, based on the purpose, method, type of personal information, impact on personal rights and interests, and potential security risks:
(a) Formulate internal management systems and operating procedures;
(b) Implement classified management of personal information;
(c) Adopt corresponding security technical measures such as encryption and de-identification;
(d) Reasonably determine the operational authority for personal information processing and regularly conduct security education and training for employees;
(e) Formulate and implement emergency plans for personal information security incidents;
(f) Other measures stipulated by laws and administrative regulations.
Article 52: Personal information processors who process personal information reaching the quantity stipulated by the national cyberspace administration shall designate a personal information protection officer responsible for supervising personal information processing activities and protective measures.
Personal information processors shall disclose the contact information of the personal information protection officer and report the name, contact information, etc., of the officer to the department responsible for personal information protection.
Article 53: Personal information processors outside the territory of the People's Republic of China as stipulated in the second paragraph of Article 3 of this Law shall establish a special agency or designate a representative within the territory of the People's Republic of China to handle matters related to personal information protection and report the name or contact information of the agency or representative to the department responsible for personal information protection.
Article 54: Personal information processors shall regularly conduct compliance audits on their adherence to laws and administrative regulations in personal information processing.
Article 55: Personal information processors shall conduct a personal information protection impact assessment in advance, and record the processing, under any of the following circumstances:
(a) Processing sensitive personal information;
(b) Using personal information for automated decision-making;
(c) Entrusting the processing of personal information, providing personal information to other personal information processors, or disclosing personal information;
(d) Providing personal information abroad;
(e) Other personal information processing activities that have a significant impact on personal rights and interests.
Article 56: Personal information protection impact assessments shall include the following:
(a) Whether the purpose and method of personal information processing are legal, legitimate, and necessary;
(b) The impact on personal rights and interests and security risks;
(c) Whether the protective measures taken are legal, effective, and commensurate with the level of risk.
Personal information protection impact assessment reports and records of processing activities shall be retained for at least three years.
Article 57: When personal information leakage, tampering, or loss occurs or is likely to occur, personal information processors shall immediately take remedial measures and notify the department responsible for personal information protection and individuals. The notification shall include the following:
(a) The type, cause, and possible harm of the leaked, tampered, or lost personal information;
(b) The remedial measures taken by the personal information processor and measures individuals can take to mitigate harm;
(c) The contact information of the personal information processor.
If personal information processors can, by taking measures, effectively prevent harm from information leakage, tampering, or loss, they need not notify individuals; if the department responsible for personal information protection believes harm may occur, it has the right to require personal information processors to notify individuals.
Article 58: Personal information processors who provide important internet platform services, have a large number of users, or have complex business types shall fulfill the following obligations:
(a) Establish and improve a personal information protection compliance system in accordance with national regulations, and set up an independent agency mainly composed of external members to supervise personal information protection;
(b) Formulate platform rules following the principles of openness, fairness, and justice, and clarify the norms for processing personal information and the obligations to protect personal information for product or service providers within the platform;
(c) Stop providing services to product or service providers within the platform who seriously violate laws and administrative regulations in processing personal information;
(d) Regularly publish personal information protection social responsibility reports and accept social supervision.
Article 59: Entrusted parties who process personal information shall take necessary measures to ensure the security of processed personal information in accordance with this Law and relevant laws and administrative regulations and assist personal information processors in fulfilling the obligations stipulated by this Law.
Chapter VI: Departments Responsible for Personal Information Protection
Article 60: The national cyberspace administration is responsible for coordinating personal information protection work and related supervision and management. Relevant departments of the State Council shall be responsible for personal information protection and supervision and management within their respective responsibilities in accordance with this Law and relevant laws and administrative regulations.
The personal information protection and supervision and management responsibilities of relevant departments of local people's governments at or above the county level shall be determined in accordance with national regulations.
The departments specified in the preceding two paragraphs are collectively referred to as the departments responsible for personal information protection.
Article 61: The departments responsible for personal information protection shall perform the following personal information protection duties:
(a) Conduct personal information protection publicity and education, and guide and supervise personal information processors in carrying out personal information protection work;
(b) Accept and handle complaints and reports related to personal information protection;
(c) Organize evaluations of personal information protection in applications and other areas and publish evaluation results;
(d) Investigate and handle illegal personal information processing activities;
(e) Other duties stipulated by laws and administrative regulations.
Article 62: The national cyberspace administration shall coordinate relevant departments to promote the following personal information protection work in accordance with this Law:
(a) Formulate specific rules and standards for personal information protection;
(b) Formulate special rules and standards for personal information protection for small personal information processors, sensitive personal information processing, and new technologies and applications such as facial recognition and artificial intelligence;
(c) Support the research, development, and promotion of safe and convenient electronic identity authentication technology, and promote the construction of public services for network identity authentication;
(d) Promote the construction of a socialized service system for personal information protection and support relevant institutions in conducting personal information protection assessments and certification services;
(e) Improve the complaint and report mechanism for personal information protection.
Article 63: The departments responsible for personal information protection may take the following measures in performing personal information protection duties:
(a) Inquire about relevant parties and investigate matters related to personal information processing activities;
(b) Review and copy contracts, records, books, and other materials related to personal information processing activities;
(c) Conduct on-site inspections and investigate suspected illegal personal information processing activities;
(d) Inspect equipment and items related to personal information processing activities; if there is evidence proving that equipment and items are used for illegal personal information processing activities, a written report shall be submitted to the main responsible person of the department and, upon approval, they may be sealed or seized.
Where the departments responsible for personal information protection perform their duties in accordance with the law, relevant parties shall assist and cooperate and may not refuse or obstruct.
Article 64: If the departments responsible for personal information protection find significant risks in personal information processing activities or personal information security incidents while performing their duties, they may interview the legal representative or main responsible person of the personal information processor or require the personal information processor to entrust a professional institution to conduct a compliance audit of their personal information processing activities in accordance with stipulated authority and procedures. Personal information processors shall take measures as required, make rectifications, and eliminate hidden dangers.
If the departments responsible for personal information protection find that illegal personal information processing is suspected of a crime while performing their duties, they shall promptly transfer the case to public security organs for legal handling.
Article 65: Any organization or individual has the right to complain or report illegal personal information processing activities to the departments responsible for personal information protection. Departments receiving complaints or reports shall promptly handle them in accordance with the law and inform the complainant or reporter of the handling results.
The departments responsible for personal information protection shall publish contact information for receiving complaints and reports.
Chapter VII: Legal Liability
Article 66: If personal information is processed in violation of the provisions of this Law, or if personal information processors fail to fulfill the personal information protection obligations stipulated by this Law, the departments responsible for personal information protection shall order corrections, issue warnings, confiscate illegal gains, and order the suspension or termination of services for applications that illegally process personal information; if corrections are refused, a fine of up to 1 million yuan may be imposed; the directly responsible person in charge and other directly responsible personnel may be fined between 10,000 and 100,000 yuan.
If the illegal behavior specified in the preceding paragraph is serious, the departments responsible for personal information protection at or above the provincial level shall order corrections, confiscate illegal gains, and impose a fine of up to 50 million yuan or 5% of the previous year's business revenue; they may order the suspension of relevant business or rectification, and notify relevant competent authorities to revoke relevant business permits or business licenses; the directly responsible person in charge and other directly responsible personnel may be fined between 100,000 and 1 million yuan and may be prohibited from serving as directors, supervisors, senior management personnel, or personal information protection officers of relevant enterprises for a certain period.
Article 67: Illegal behavior specified in this Law shall be recorded in the credit file and publicly disclosed in accordance with relevant laws and administrative regulations.
Article 68: If state organs fail to fulfill the personal information protection obligations stipulated by this Law, their superior organs or the departments responsible for personal information protection shall order corrections; the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the law.
If staff of the departments responsible for personal information protection neglect their duties, abuse their power, or engage in malpractice for personal gain, and do not constitute a crime, they shall be punished in accordance with the law.
Article 69: If personal information processing infringes upon personal information rights and interests causing damage, and the personal information processor cannot prove that they were not at fault, they shall bear liability for damages and other tort liabilities.
The liability for damages specified in the preceding paragraph shall be determined based on the individual's losses or the benefits obtained by the personal information processor; if the individual's losses and the benefits obtained by the personal information processor are difficult to determine, the amount of compensation shall be determined based on actual circumstances.
Article 70: If personal information processors violate the provisions of this Law and infringe upon the rights of numerous individuals, the people's procuratorates, consumer organizations stipulated by law, and organizations designated by the national cyberspace administration may file lawsuits with the people's court in accordance with the law.
Article 71: If violations of the provisions of this Law constitute violations of public security management, public security management penalties shall be imposed in accordance with the law; if they constitute a crime, criminal responsibility shall be pursued in accordance with the law.
Chapter VIII: Supplementary Provisions
Article 72: This Law does not apply to natural persons processing personal information for personal or family affairs.
Where laws contain provisions on the processing of personal information in statistical and archive management activities organized by people's governments at various levels and their relevant departments, those provisions shall apply.
Article 73: The meanings of the following terms in this Law:
(a) Personal information processor refers to organizations or individuals that independently decide the purpose and method of processing personal information in personal information processing activities.
(b) Automated decision-making refers to activities that automatically analyze and evaluate individuals' behavior habits, interests, or economic, health, and credit status through computer programs and make decisions.
(c) De-identification refers to the process by which personal information is processed so that it cannot identify specific natural persons without the aid of additional information.
(d) Anonymization refers to the process by which personal information is processed so that it cannot identify specific natural persons and cannot be restored.
Article 74: This Law shall come into effect on November 1, 2021.