On August 20, 2021, the Personal Information Protection Law (hereinafter referred to as PIPL) was officially promulgated and will come into force on November 1, 2021. As a special legislation in the personal information protection field, the PIPL puts forward more detailed obligations on employers – as personal information processors – by incorporating special chapters and clauses.
Given this, and based on our previous experience in the information protection compliance field, we would like to share some of our suggestions on employers’ responsibilities regarding the processing of employees’ personal information during the employment relationship.
Employer’s role under the PIPL
Under the PIPL, employers are “personal information processors”, because they “independently decide the purpose and method of processing and other personal information processing matters” of the employees’ personal information. This concept is similar to the “data controller” under the European Union’s General Data Protection Regulation (GDPR).
What is considered personal information in China?
Personal information, which is referred to as “personally identifiable information” in the US or “personal data” in the EU, pertains to various kinds of information related to any identified or identifiable natural person, as recorded by electronic or other means. Examples include the employee’s full name, date of birth, gender, address, resume, fingerprint, ID number, etc. The exception in this regard is that information processed anonymously does not count as personal information.
What is considered personal information processing under Chinese law?
The processing of personal information refers to types of behaviors in relation to personal information, including the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.
In employment scenarios, for example, when the employer asks newly onboarded employees to fill in an onboarding form with their names, phone number, contact address, emergency contact person, etc., it is “collecting” their personal information. When the employer inputs the employees’ information into its HR systems for efficient administration, it is “storing” their personal information. When the employer provides the employees’ information to an insurance company for the purpose of purchasing group insurance for its employees, it is “using” and “transmitting” their personal information. From collection to deletion, this can be viewed as the “life cycle” of the personal information. All the steps in this life cycle are collectively called the “processing” of personal information.
Are employers outside of China subject to PIPL compliance obligations?
Note that even if the employer is registered outside of China, the entity may still be subject to the PIPL in the following two circumstances:
- Where the company provides products or services to individuals inside China; and
- Where the company analyzes and evaluates the activities of individuals inside China.
This stipulation is similar to the “long-arm jurisdiction” under the EU’s GDPR.
Three basic principles in processing employees’ personal information
When processing employees’ personal information, employers must follow three basic principles:
- Processing of personal information shall follow the principles of lawfulness, legitimacy, necessity, and good faith.
- Processing of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of processing, and shall be conducted in a way that minimizes the impact on personal rights and interests; excessive or intrusive collection of personal information is not allowed.
- Processing of personal information shall follow the principles of openness and transparency, making public the rules for processing personal information, and expressly indicating the purpose, method, and scope of such processing.
Among all the principles, the “principle of necessity” and the “principle of minimum” might be the two that are most difficult to manage and where disputes are most likely to arise in human resources (HR) management.
For example, in sick leave management, it is not uncommon for employers to ask the employee to provide medical records in addition to the treatment registration slip and the sick leave recommendation note signed by the doctor. Does this constitute excessive collection and violate the minimum principle? As there are no precedents at the moment, judges may interpret the matter differently, leading to different judicial outcomes. Employers are advised to take a cautious approach, review their current policy, and manage the information collection to reduce exposure to PIPL compliance risks.
How to legitimately process employees’ personal information
When processing employees’ personal information, the following conditions must be duly fulfilled by employers:
- Employee’s consent must be obtained;
- Employee’s consent must be given voluntarily and explicitly, on the basis of full knowledge; and
- Employer must clearly notify the employee of the purpose, processing method, type, and retention period of the personal information to be collected.
In practice, to standardize the internal HR management process and control the human resources management cost, more employers are choosing to outsource their HR management issues to a third-party HR service agent. In doing so, the HR service agent will have access to employees’ personal information.
According to the relevant provisions of the PIPL, the employer shall agree with the HR agent on the purpose, time limit, and method of the entrusted processing, the type of personal information and protection measures, and the rights and obligations of both parties, and shall supervise the personal information processing activities of the HR agent. The agent shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing; where the entrustment contract is not effective, invalid, revoked, or terminated, the HR agent shall return the personal information to the employer or delete it, and shall not retain it. Without the consent of the employer, the HR agent shall not re-entrust others with the processing of personal information.
Accordingly, when the employer’s cooperation with a third-party firm involves personal information processing, the employer should comply with its notification obligation and obtain separate consent from the employee. Besides, the employer should conduct careful due diligence on the third party to confirm its security and compliance before cooperating with it. Moreover, the employer should make corresponding provisions in the commercial contract with the third party to clarify the matters related to personal information processing.
Processing of sensitive personal information
The PIPL defines the sensitive personal information as “the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14.”
PRC National Standard GB/T 35273-2020: Information Security Technology – Personal Information Security Specification, which was released on March 6, 2020 and came into force on October 1, 2020, provides more detailed standards for sensitive personal information:
According to the PIPL, an employer may process its employees’ sensitive personal information only for a specific purpose and where sufficiently necessary, and only if strict protection measures have been taken.
Furthermore, the processing of an employee’s sensitive personal information shall be subject to the employee’s separate consent; where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.
Moreover, the employer shall, in addition to clearly notifying employees about necessary information such as purpose, processing method, type, and the retention period of the personal information to be collected, also inform employees of the necessity of processing their sensitive personal information and the impact on their personal rights and interests.
Providing personal information to overseas stakeholders
In practice, for the purpose of HR management integration, many Chinese employers transmit their employees’ personal information to their overseas headquarters (HQ) or allow their overseas HQ to access their database to obtain employees’ personal information. Both such transmission and such database access are defined as “cross-border provision of personal information” by the PIPL. According to the PIPL, if a Chinese employer engages in cross-border provision of its employees’ personal information, any one of the following preconditions must be fulfilled:
- it shall have been certified by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China; or
- it shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties.
Where the international treaties or agreements concluded or acceded to by the People’s Republic of China contain provisions on the conditions for provision of personal information outside the territory of the People’s Republic of China, such provisions may prevail.
The Chinese employer shall take necessary measures to ensure that the personal information processing activities of its overseas HQ meet the standards for the protection of personal information prescribed by the PIPL.
In addition, to provide the employees’ personal information to an overseas HQ outside the territory of the People’s Republic of China, the Chinese employer shall inform the employee of such matters as the name of the overseas HQ, its contact information, the purpose and method of processing, the type of personal information, and the method and procedure for the employee to exercise the rights stipulated in the PIPL against the overseas HQ, and shall obtain the employee’s separate consent.
Practical tips on getting prepared for PIPL compliance
In view of the impact of the PIPL on employment management, employers should conduct a comprehensive review and evaluation of their employment management measures. This will enable employers to identify possible legal risks and the measures to manage them, and to formulate and adopt appropriate solutions and strategies within the organization, in keeping with the specific requirements of the PIPL.
Below we provide a checklist for employers to start with:
For more information on employers’ compliance requirements under the Personal Information Protection Law, please refer to Page 136-146 of our Human Resources and Payroll in China 2021-2022.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org.