The purpose and necessity of legislation for personal information protection is simple and straightforward: it is our right as individuals to have our personal information and privacy protected, especially given the rapidly developing electronic world with its widely used networks. Yet the laws protecting personal information are not simple for us to digest; you will appreciate the complexity if you have reviewed or studied, for example, the General Data Protection Regulation (“GDPR”) of the European Union.
Further complicating matters is the fact that personal information protection requires, first, legislation by the government, followed by a set of regulatory mechanisms and the establishment and adoption of practical and useful technical measures by personal information processors. Moreover, these mechanisms and technical measures cannot be “one-off” actions; instead, they need to be maintained and managed continuously over the long run so as to observe the law’s requirements: for example, a prompt reaction to any request from individuals to review, rectify, or delete their personal data; timely action when the storage term expires; etc.
The draft of the PRC Personal Information Protection Law was released on October 21, 2020 (“PIPL Draft”) to seek comments from the public. Though the PIPL Draft is much shorter than the GDPR (the English version of the PIPL Draft takes around 11 pages, whereas the GDPR takes 88 pages), the articles of the PIPL Draft cover most of the core content found in the GDPR.
To simplify matters, this article aims to help you understand the core requirements under the PIPL Draft from the perspective of an employer, in the form of a Q&A (assuming that “we” are a corporate employer managing employees).
A: We process our employees’ personal information. Personal information (“PI”), referred to as “personally identifiable information” (PII) in the U.S. or “personal data” in the EU, means various kinds of information, recorded by electronic or other means, relating to any identified or identifiable natural person: for example, an employee’s full name, date of birth, gender, address, resume, fingerprint, ID number, etc. As an exception, information that has been anonymized does not count as PI.
A: Processing consists of the types of behavior in relation to PI, including the collection, storage, use, modification, transmission, provision, publication, etc. of PI.
For example, when we ask our newly onboarded employees to fill in the onboarding form with their name, phone number, contact address, emergency contact person, etc., we are “collecting” their PI. When we input the employees’ information into our HR systems for efficient administration, we are “storing” their PI. When we provide their information to an insurance company in order to purchase group insurance for our employees, we are “using” and “transmitting” their PI. From collection to deletion, this can be viewed as the “life cycle” of the PI. All the steps in this life cycle are collectively called “processing” of PI.
A: It depends on whether we process the PI of individuals who are in the territory of China, and for what purpose.
If we process the PI of individuals who are in the territory of China for either of the following purposes, the PIPL shall apply to us even if we are registered and physically located outside China: i) to provide products or services to individuals inside China; or ii) to analyze and evaluate the activities of individuals inside China. This stipulation is similar to the “long-arm jurisdiction” under the GDPR.
Imagine we are a company registered in Singapore with only a representative office in China; we hire Chinese employees in China indirectly via a dispatch agency, and we use fingerprint punch clocks to supervise the employees’ attendance – such activities literally match the description “analyze and evaluate the activities of individuals inside China” in the PIPL Draft. In such a case, we (the Singapore company) will be governed by the PIPL, unless a further interpretation of the provision indicates otherwise.
A: Under the PIPL Draft, we are the “processor”, because we, as the employer, independently determine the purpose, method, and other matters of the processing of our employees’ PI.
According to the PIPL Draft, a PI processor is any organization or individual that independently determines the purpose and method of processing and other PI processing matters. This concept is similar to the “data controller” under the GDPR.
A: In our role as PI processor, we are responsible for our handling of PI. Therefore, we must take the necessary measures to ensure the security of PI throughout its “life cycle” in order to minimize our risk.
To be specific, our main obligations may be roughly divided into two aspects, the organizational aspect and the technical aspect; some obligations require both organizational and technical support simultaneously (as illustrated below):
A: We briefly explain the respective grounds for collecting and using employees’ personal information.
Prior to collection or any other step of processing, we must have a legal ground to do so. A legal ground mainly refers to any of the following:
(For example, the employee agrees to provide us with his hometown address even though it is not his current usual address.)
(For example, for the performance of the labor contract between the employee and us, they must provide their bank account number so that we can pay their salary.)
(For example, our employees must provide us with their ID numbers, as we have the statutory duty to withhold and pay individual income tax on their behalf as required by the tax bureau.)
(For example, if an employee is injured and faints, when we send them to the hospital we must provide their PI to the hospital without their consent.)
(For example, our employee in charge of marketing gave a presentation at a public event; we later publish this news, with their picture at the event, on our website.)
When collecting PI, we shall make sure that the PI we collect is limited to the minimum scope needed to achieve the purpose under the applicable legal ground. We are not supposed to collect PI that is unnecessary or beyond the purpose. For example, when an employee is onboarded, their full name, ID number, contact details, bank account number, emergency contact person, and basic physical examination report could be sufficient for the purpose of concluding and performing the labor contract; it is unnecessary to collect irrelevant information, such as family members’ names, unless we have an additional purpose and legal ground to collect that PI.
In addition to having a legal ground, we shall also clearly inform our employees of the purpose, the type of PI to be processed, the processing manner, the storage term, and other aspects of the processing of their PI. Such informing before processing is a must, with the exception of cases where there is a confidentiality obligation or emergency circumstances. To comply with this stipulation, we may want to include these details in the labor contract from an overall perspective, to avoid having to inform employees again from time to time (unless specific informing is mandatorily required by law).
A: Keep in mind the following considerations:
The storage term of the PI must be the minimum necessary for achieving the purpose.
The PIPL Draft grants individuals rights with respect to their PI, that is: the right to know about the processing; the right to consent to or reject the processing; the rights to review and copy their PI; the right to require rectification or supplementation of their inaccurate PI; the right to require deletion of their PI; the right to request an explanation of the processing rules; etc. As the PI processor, we should establish and maintain a mechanism for accepting our employees’ requests and respond to those requests promptly.
A: It should at least meet any of the following conditions:
In addition, we shall inform the employee whose PI is being provided overseas of the identity and contact details of the overseas recipient, the purpose and method of processing, the type of PI, and the way for the individual to exercise his rights, and shall obtain his specific consent.
A: In theory, when the agreed storage period has expired or the purpose of processing the PI has been achieved, we shall proactively delete the PI. However, as we can foresee and based on experience, we may have to retain some of our employees’ PI for some time even after their labor relationship with us has ended, for multiple reasons: for example, to issue or re-issue a separation certificate for the former employee, to respond to a background check requested by the former employee’s new employer, to prepare for a potential labor dispute, etc. For all such possible post-termination storage of PI, we may want to specify these cases as exceptions in the relevant PI documents, for example in the notice in which we inform our employees at the very beginning about our processing of their PI, ideally with their consent.
It may be easier for us to understand the law from the perspective of an employer, as most companies need to manage staff before managing relationships and transactions with customers and/or suppliers. Once we have understood the legal requirements for employers, we can readily apply the same understanding and rationale when dealing with the personal information of our customers, suppliers, and other cooperative partners.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong.