China’s Personal Information Protection Law: A Comparison of the First Draft, the Second Draft, and the Final Document

Written by China Briefing Team

The long-awaited Personal Information Protection Law of the People’s Republic of China (Chairman’s Order No. 91) (the PIPL) was finally passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress of the People’s Republic of China on August 20, 2021. It will come into force on November 1, 2021.

As a fundamental law equivalent to the General Data Protection Regulation (GDPR) of the European Union, the PIPL legislation has drawn much attention, with the release of the First Draft for comment in October 2020 and the Second Draft for comment in April 2021.

In addition to the Full English Translation, the China Briefing team has prepared the table below comparing the differences between the three documents. We will also produce a series of expert commentary and analytical articles on the law in the coming weeks.

The PDF version of the comparison can be found here.

Note: The differences are highlighted in bold text. In the Second Draft, we bold and underline the differences from both the First Draft and the Final Version of the law.

[First Draft] Comments Sought on the Personal Information Protection Law (Draft)
[Second Draft] Comments Sought on the Personal Information Protection Law (Second Draft)
[Final] The Personal Information Protection Law (Final)

Chapter I General Provisions
[First Draft] Article 1 This Law is enacted in order to protect personal information rights and interests, regulate the processing of personal information, ensure the orderly and free flow of personal information in accordance with the law and promote the reasonable use of personal information.
[Second Draft] Article 1 This Law is enacted in order to protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information.
[Final] Article 1 This Law is enacted in accordance with the Constitution to protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information.
[First Draft] Article 2 The personal information of any natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of any natural person.
[Second Draft] Article 2 The personal information of any natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of any natural person.
[Final] Article 2 The personal information of any natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of any natural person.
[First Draft] Article 3 This Law shall apply to the activities carried out by organizations and individuals in processing the personal information of natural persons within the territory of the People’s Republic of China.
This Law shall also apply to the activities carried out outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:
(I) where the purpose is to provide products or services to domestic natural persons;
(II) where the purpose is to analyze and evaluate the activities of domestic natural persons; and
(III) other circumstances provided by laws and administrative regulations.
[Second Draft] Article 3 This Law shall apply to the activities carried out by organizations and individuals in processing the personal information of natural persons within the territory of the People’s Republic of China.
This Law shall also apply to the activities carried out outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:
(I) where the purpose is to provide products or services to domestic natural persons;
(II) where the purpose is to analyze and evaluate the activities of domestic natural persons; and
(III) other circumstances provided by laws and administrative regulations.
[Final] Article 3 This Law shall apply to the processing of the personal information of natural persons within the territory of the People’s Republic of China.
This Law shall also apply to the activities carried out outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:
(I) where the purpose is to provide products or services to domestic natural persons;
(II) where the purpose is to analyze and evaluate the activities of domestic natural persons; and
(III) other circumstances provided by laws and administrative regulations.
[First Draft] Article 4 Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.
Processing of personal information includes the collection, storage, use, processing, transmission, provision and publication of personal information.
[Second Draft] Article 4 Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.
Processing of personal information includes the collection, storage, use, processing, transmission, provision and publication of personal information.
[Final] Article 4 Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.
Processing of personal information includes the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.
[First Draft] Article 5 Personal information shall be processed in a lawful and proper manner and in accordance with the principle of good faith. Personal information shall not be processed by fraud, misleading or other means.
[Second Draft] Article 5 Personal information shall be processed in a lawful and proper manner and in accordance with the principle of good faith. Personal information shall not be processed by fraud, misleading, coercion, or other means.
[Final] Article 5 Personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed by misleading, fraud, coercion, or other means.
[First Draft] Article 6 Processing of personal information shall be for a definite and reasonable purpose and limited to the minimum scope for achieving the purpose of processing. Personal information shall not be processed for any purpose irrelevant to the purpose of processing.
[Second Draft] Article 6 Processing of personal information shall be for a definite and reasonable purpose, limited to the minimum scope for achieving the purpose of processing, and in a way that has the least impact on individual rights and interests. Personal information shall not be processed for any purpose irrelevant to the purpose of processing.
[Final] Article 6 Processing of personal information shall be for a definite and reasonable purpose, shall be directly related to the purpose of processing, and shall be processed in a manner that has the least impact on individual rights and interests.
Collection of personal information shall be limited to the minimum scope for the purpose of processing and shall not be excessively collected.
[First Draft] Article 7 Processing of personal information shall follow the principles of openness and transparency and expressly indicate the rules for processing personal information.
[Second Draft] Article 7 Processing of personal information shall follow the principles of openness and transparency, disclose the rules for processing personal information, and expressly indicate the purpose, manner, and scope of processing.
[Final] Article 7 Processing of personal information shall follow the principles of openness and transparency, disclose the rules for processing personal information, and expressly indicate the purpose, manner, and scope of processing.
[First Draft] Article 8 To achieve the purpose of processing, the personal information processed shall be accurate and updated in a timely manner.
[Second Draft] Article 8 When processing personal information, the quality of personal information shall be ensured to avoid adverse effects on personal rights and interests caused by inaccurate and incomplete personal information.
[Final] Article 8 When processing personal information, the quality of personal information shall be ensured to avoid adverse effects on personal rights and interests caused by inaccurate and incomplete personal information.
[First Draft] Article 9 Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information processed.
[Second Draft] Article 9 Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information processed.
[Final] Article 9 Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information processed.
[First Draft] Article 10 No organization or individual may process personal information in violation of laws and administrative regulations or engage in the processing of personal information that endangers national security or public interests.
[Second Draft] Article 10 No organization or individual may process personal information in violation of laws and administrative regulations or engage in the processing of personal information that endangers national security or public interests.
[Final] Article 10 No organization or individual may illegally collect, use, process, or transmit other people’s personal information, or illegally trade, provide, or disclose other people’s personal information, or engage in the processing of personal information that endangers the national security or public interests.
[First Draft] Article 11 The State establishes a sound personal information protection system, prevents and punishes the infringement of personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment for the government, enterprises, relevant industrial organizations and the public to jointly participate in personal information protection.
[Second Draft] Article 11 The State establishes a sound personal information protection system, prevents and punishes the infringement of personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment for the government, enterprises, relevant industrial organizations and the public to jointly participate in personal information protection.
[Final] Article 11 The State establishes a sound personal information protection system, prevents and punishes the infringement of personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment for the government, enterprises, relevant social organizations and the public to jointly participate in personal information protection.
[First Draft] Article 12 The State actively participates in the formulation of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and drives the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.
[Second Draft] Article 12 The State actively participates in the formulation of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and drives the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.
[Final] Article 12 The State actively participates in the formulation of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and drives the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.

Chapter II Rules for Processing Personal Information
Section 1 General Provisions
[First Draft] Article 13 Only under any of the following circumstances may a personal information processor process personal information:
(I) where the consent of the individual concerned is obtained;
(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party;
(III) where it is necessary for the performance of statutory duties or statutory obligations;
(IV) where it is necessary for coping with public health emergencies or for the protection of the life, health and property safety of a natural person;
(V) where processing personal information within a reasonable scope is to carry out such activities as news reporting and supervision by public opinions for the public interest; and
(VI) other circumstances provided by laws and administrative regulations.
[Second Draft] Article 13 Only under any of the following circumstances may a personal information processor process personal information:
(I) where the consent of the individual concerned is obtained;
(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party;
(III) where it is necessary for the performance of statutory duties or statutory obligations;
(IV) where it is necessary for coping with public health emergencies or for the protection of the life, health and property safety of a natural person;
(V) where the personal information has been made public and is processed within a reasonable range in accordance with the provisions of this Law;
(VI) where processing personal information within a reasonable scope is to carry out such activities as news reporting and supervision by public opinions for the public interest; and
(VII) other circumstances provided by laws and administrative regulations.
Individual consent shall be obtained for the processing of personal information stipulated in the other clauses of this Law, but in the circumstances specified in the preceding paragraph from (II) to (VII), the individual’s consent is not required.
[Final] Article 13 Only under any of the following circumstances may a personal information processor process personal information:
(I) where the consent of the individual concerned is obtained;
(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law;
(III) where it is necessary for the performance of statutory duties or statutory obligations;
(IV) where it is necessary for coping with public health emergencies or for the protection of the life, health and property safety of a natural person;
(V) where processing personal information within a reasonable scope is to carry out such activities as news reporting and supervision by public opinions for the public interest;
(VI) where the personal information disclosed by individuals themselves or other legally disclosed personal information is processed within a reasonable range in accordance with the provisions of this Law; and
(VII) other circumstances provided by laws and administrative regulations.
Individual consent shall be obtained for the processing of personal information stipulated in the other clauses of this Law, but in the circumstances specified in the preceding paragraph from (II) to (VII), the individual’s consent is not required.
[First Draft] Article 14 The consent to process personal information of an individual shall be a clear and voluntary declaration of intent under the premise of full knowledge of the individual. If laws and administrative regulations provide that the processing of personal information shall be subject to the individual’s separate consent or written consent, such provisions shall prevail.
If the purpose or method of processing personal information or the type of personal information to be processed changes, the individual’s consent shall be obtained again.
[Second Draft] Article 14 The consent to process personal information of an individual shall be under the premise of full knowledge of the individual. If laws and administrative regulations provide that the processing of personal information shall be subject to the individual’s separate consent or written consent, such provisions shall prevail.
If the purpose or method of processing personal information or the type of personal information to be processed changes, the individual’s consent shall be obtained again.
[Final] Article 14 Where the processing of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. If laws and administrative regulations provide that the processing of personal information shall be subject to the individual’s separate consent or written consent, such provisions shall prevail.
If the purpose or method of processing personal information or the type of personal information to be processed changes, the individual’s consent shall be obtained again.
[First Draft] Article 15 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s guardian.
[Second Draft] Article 15 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.
[Final] Article 31 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.
Personal information processors shall formulate special personal information processing rules for processing the personal information of minors under the age of 14.
[First Draft] Article 16 An individual has the right to withdraw his/her consent to the processing of personal information based on his/her consent.
[Second Draft] Article 16 Where the personal information processing activity is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent.
The personal information processor shall provide convenient means to withdraw consent.
The individual’s withdrawal of consent does not affect the validity of the personal information processing activities conducted prior to the withdrawal based on the individual’s consent.
[Final] Article 15 Where the processing of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information processor shall provide convenient means to withdraw consent.
The individual’s withdrawal of consent does not affect the validity of the personal information processing activities conducted prior to the withdrawal based on the individual’s consent.
[First Draft] Article 17 A personal information processor shall not refuse to provide products or services on the grounds that the individual does not agree to process his/her personal information or withdraws his/her consent to process personal information, unless the processing of personal information is necessary for providing products or services.
[Second Draft] Article 17 A personal information processor shall not refuse to provide products or services on the grounds that the individual does not agree to process his/her personal information or withdraws his/her consent to process personal information, unless the processing of personal information is necessary for providing products or services.
[Final] Article 16 A personal information processor shall not refuse to provide products or services on the grounds that the individual does not agree to process his/her personal information or withdraws his/her consent, unless the processing of personal information is necessary for providing products or services.
[First Draft] Article 18 Prior to processing personal information, a personal information processor shall inform the individual of the following matters in an eye-catching manner and with clear and understandable language:
(I) the identity and contact information of the personal information processor;
(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;
(III) the method and procedure for the individual to exercise the rights provided herein; and
(IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.
If any of the matters provided in the preceding paragraph is changed, the individual shall be notified of such change.
If a personal information processor notifies the matters provided in Paragraph 1 by formulating rules for processing personal information, such rules shall be open to the public for easy access and storage.
[Second Draft] Article 18 Prior to processing personal information, a personal information processor shall inform the individual of the following matters in an eye-catching manner and with clear and understandable language:
(I) the identity and contact information of the personal information processor;
(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;
(III) the method and procedure for the individual to exercise the rights provided herein; and
(IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.
If any of the matters provided in the preceding paragraph is changed, the individual shall be notified of such change.
If a personal information processor notifies the matters provided in Paragraph 1 by formulating rules for processing personal information, such rules shall be open to the public for easy access and storage.
[Final] Article 17 Prior to processing personal information, a personal information processor shall truthfully, accurately, and completely inform the individual of the following matters in an eye-catching manner and with clear and understandable language:
(I) the name and contact information of the personal information processor;
(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;
(III) the method and procedure for the individual to exercise the rights provided herein; and
(IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.
If any of the matters provided in the preceding paragraph is changed, the individual shall be notified of such change.
[First Draft] Article 19 When processing personal information, a personal information processor is permitted not to notify the individual of the matters provided for in the preceding Article where laws and administrative regulations provide that confidentiality shall be kept or that notification is not necessary.
Where, in an emergency, it is not possible to inform the individual in a timely manner in order to protect the life, health and property safety of natural persons, the personal information processor shall inform the individual in time after the emergency has been eliminated.
[Second Draft] Article 19 When processing personal information, a personal information processor is permitted not to notify the individual of the matters provided for in the preceding Article where laws and administrative regulations provide that confidentiality shall be kept or that notification is not necessary.
Where, in an emergency, it is not possible to inform the individual in a timely manner in order to protect the life, health and property safety of natural persons, the personal information processor shall inform the individual in time after the emergency has been eliminated.
[Final] Article 18 When processing personal information, a personal information processor is permitted not to notify the individual of the matters provided for in Paragraph 1 of the preceding Article where laws and administrative regulations provide that confidentiality shall be kept or that notification is not necessary.
Where, in an emergency, it is not possible to inform the individual in a timely manner in order to protect the life, health and property safety of natural persons, the personal information processor shall inform the individual in time after the emergency has been eliminated.
[First Draft] Article 20 The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing. Where the retention period of personal information is otherwise provided for in laws and administrative regulations, such provisions shall prevail.
[Second Draft] Article 20 The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing. Where the retention period of personal information is otherwise provided for in laws and administrative regulations, such provisions shall prevail.
[Final] Article 19 The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing, except for where the retention period of personal information is otherwise provided for in laws and administrative regulations.
[First Draft] Article 21 Where two or more personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s right to exercise the rights provided for in this Law against any of the personal information processors.
Where personal information processors jointly processing personal information infringe upon personal information rights and interests, they shall bear joint and several liabilities in accordance with the law.
[Second Draft] Article 21 Where more than two personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s right to exercise the rights provided for in this Law against any of the personal information processors.
Where personal information processors jointly processing personal information infringe upon personal information rights and interests, they shall bear joint and several liabilities.
[Final] Article 20 Where more than two personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s right to exercise the rights provided for in this Law against any of the personal information processors.
Where personal information processors jointly processing personal information infringe upon personal information rights and interests and cause damages, they shall bear joint and several liabilities in accordance with the law.
[First Draft] Article 22 Where a personal information processor entrusts others to process personal information, it shall agree with the entrusted party on the purpose and method of entrusted processing, type and protection measures of personal information as well as the rights and obligations of both parties, and supervise the personal information processing activities of the entrusted party.
The entrusted party shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing and shall return personal information to the processor or delete personal information after the contract is performed or the entrustment relationship is rescinded.
Without the consent of the personal information processor, the entrusted party shall not re-entrust others to process personal information.
[Second Draft] Article 22 Where a personal information processor entrusts others to process personal information, it shall agree with the entrusted party on the purpose, duration, and method of entrusted processing, type and protection measures of personal information as well as the rights and obligations of both parties, and supervise the personal information processing activities of the entrusted party.
The entrusted party shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing. If the contract is invalidated, invalid, revoked or terminated, the entrusted party shall return the personal information to the personal information processor or delete the personal information, and shall not retain the personal information.
Without the consent of the personal information processor, the entrusted party shall not re-entrust others to process personal information.
[Final] Article 21 Where a personal information processor entrusts others to process personal information, it shall agree with the entrusted party on the purpose, duration, and method of entrusted processing, type and protection measures of personal information as well as the rights and obligations of both parties, and supervise the personal information processing activities of the entrusted party.
The entrusted party shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing. If the contract is invalidated, invalid, revoked or terminated, the entrusted party shall return the personal information to the personal information processor or delete the personal information, and shall not retain the personal information.
Without the consent of the personal information processor, the entrusted party shall not re-entrust others to process personal information.
[First Draft] Article 23 Where a personal information processor needs to transfer personal information due to merger, division or other reasons, it shall inform the individual of the identity and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall inform the individual and obtain the individual’s consent anew in accordance with this Law.
[Second Draft] Article 23 Where a personal information processor needs to transfer personal information due to merger, division or other reasons, it shall inform the individual of the identity and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall obtain the individual’s consent anew in accordance with this Law.
[Final] Article 22 Where a personal information processor needs to transfer personal information due to reasons such as merger, division, dissolution, or being declared bankrupt, it shall inform the individual of the name and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall obtain the individual’s consent anew in accordance with this Law.
Article 24 Where a personal information processor provides a third party with the personal information it processes, it shall inform the individual of the identity and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The third party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the third party changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law.
Where a personal information processor provides anonymous information to a third party, the third party shall not re-identify the individual by such means as technology.
Article 24 Where a personal information processor provides others with the personal information it processes, it shall inform the individual of the identity and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the party receiving personal information changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law. Article 23 Where a personal information processor provides other personal information processors with the personal information it processes, it shall inform the individual of the name and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the party receiving personal information changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law.
Article 25 Where personal information is used to make automatic decisions, the transparency of decision-making and the fairness and reasonableness of processing results shall be ensured. Where an individual believes that automatic decision-making has a significant impact on his/her rights and interests, he/she has the right to require the personal information processor to give an explanation, and to reject the decision made by the personal information processor only through automatic decision-making.
Where business marketing and information push are carried out through automatic decision-making, options not based on his/her personal characteristics shall be provided at the same time.
Article 25 Where personal information is used to make automatic decisions, the transparency of decision-making and the fairness and reasonableness of processing results shall be ensured.
Where business marketing and information push are carried out through automatic decision-making, options not based on his/her personal characteristics shall be provided at the same time, or a way for individuals to reject shall be provided.
Where automatic decision-making has a significant impact on individual’s rights and interests, he/she has the right to require the personal information processor to give an explanation, and to reject the decision made by the personal information processor only through automatic decision-making.
Article 24 Where personal information processors use personal information to make automatic decisions, the transparency of decision-making and the fairness and justice of the results shall be ensured, and shall not impose unreasonable differential treatment on individuals in terms of transaction price and other transaction conditions.
Where business marketing and information push are carried out through automatic decision-making, options not based on his/her personal characteristics shall be provided at the same time, or a convenient way for individuals to reject shall be provided.
Where automatic decision-making has a significant impact on individual’s rights and interests, he/she has the right to require the personal information processor to give an explanation, and to reject the decision made by the personal information processor only through automatic decision-making.
Article 26 A personal information processor shall not disclose the personal information it processes, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations. Article 26 A personal information processor shall not disclose the personal information it processes, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations. Article 25 A personal information processor shall not disclose the personal information it processes, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations.
Article 27 Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the State, and conspicuous prompting signs shall be installed. Personal images and personal identity feature information collected may only be used for the purpose of maintaining public security, and may not be disclosed or provided to others, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations. Article 27 Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the State, and conspicuous prompting signs shall be installed. Personal images and personal identity feature information collected may only be used for the purpose of maintaining public security, and may not be disclosed or provided to others, unless the individual’s consent is obtained. Article 26 Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the State, and conspicuous prompting signs shall be installed. Personal images and personal identifiable information collected may only be used for the purpose of maintaining public security and shall not be used for other purposes, unless the individual’s consent is obtained.
Article 28 The processing of any disclosed personal information by a personal information processor shall conform to the purposes for which such personal information is disclosed; where such processing is beyond the reasonable scope relating to the purposes, the personal information processor shall inform the individual concerned and obtain his/her consent in accordance with this Law.
Where the purposes for which personal information is disclosed are not clear, the personal information processor shall process the disclosed personal information in a reasonable and prudent manner; where such personal information is used to engage in the activities that have great impact on the individual concerned, the personal information processor shall inform the individual and obtain his/her consent in accordance with this Law.
Article 28 The processing of any disclosed personal information by a personal information processor shall conform to the purposes for which such personal information is disclosed; where such processing is beyond the reasonable scope relating to the purposes, the personal information processor shall inform the individual concerned and obtain his/her consent in accordance with this Law.
Where the purposes for which personal information is disclosed are not clear, the personal information processor shall process the disclosed personal information in a reasonable and prudent manner; where such personal information is used to engage in the activities that have great impact on the individual concerned, the personal information processor shall inform the individual and obtain his/her consent in accordance with this Law.
Article 27 Personal information processors may, within a reasonable range, process personal information that has been disclosed by individuals themselves or other lawfully disclosed personal information, except where the individual explicitly refuses. Personal information processors shall obtain the consent of individuals in accordance with the provisions of this Law if the processing of disclosed personal information has a major impact on the rights and interests of individuals.
Section 2 Rules for Processing Sensitive Personal Information Section 2 Rules for Processing Sensitive Personal Information Section 2 Rules for Processing Sensitive Personal Information
Article 29 A personal information processor may not process sensitive personal information unless it has a specific purpose and sufficient necessity.
Sensitive personal information refers to the personal information that may lead to discrimination or serious harm to personal or property safety once leaked or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts and personal whereabouts.
Article 29 A personal information processor may not process sensitive personal information unless it has a specific purpose and sufficient necessity.
Sensitive personal information refers to the personal information that may lead to discrimination or serious harm to personal or property safety once leaked or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts and personal whereabouts.
Article 28 Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.
Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.
Article 30 Where the processing of sensitive personal information of an individual is subject to the individual’s consent, the personal information processor shall obtain the individual’s consent. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail. Article 30 Where the processing of sensitive personal information of an individual is subject to the individual’s consent, the personal information processor shall obtain the individual’s consent. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail. Article 29 Individual consent should be obtained for processing sensitive personal information. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.
Article 31 For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual, in addition to the matters prescribed in Article 18 hereof. Article 31 For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual, in addition to the matters prescribed in Paragraph 1 of Article 18 hereof. Article 30 For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual’s right and interest, in addition to the matters prescribed in Paragraph 1 of Article 17 thereof, except those that may not be notified to individuals in accordance with the provisions of this Law.
See Article 15 See Article 15 Article 31 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.
Personal information processors shall formulate special personal information processing rules for processing the personal information of minors under the age of 14.
Article 32 Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or stricter restriction, such provisions shall prevail. Article 32 Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or other restriction, such provisions shall prevail. Article 32 Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or other restriction, such provisions shall prevail.
Section 3 Special Provisions on Processing Personal Information by State Organs Section 3 Special Provisions on Processing Personal Information by State Organs Section 3 Special Provisions on Processing Personal Information by State Organs
Article 33 This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, the provisions of this Section shall apply. Article 33 This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, the provisions of this Section shall apply. Article 33 This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, the provisions of this Section shall apply.
Article 34 The processing of personal information by a State organ for the purpose of performing its statutory duties shall be under the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for performing its statutory duties. Article 34 The processing of personal information by a State organ for the purpose of performing its statutory duties shall be under the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for performing its statutory duties. Article 34 The processing of personal information by a State organ for the purpose of performing its statutory duties shall be under the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for performing its statutory duties.
Article 35 A State organ processing personal information for the purpose of performing its statutory duties shall inform the individual concerned and obtain his/her consent in accordance with this Law, unless laws and administrative regulations provide that confidentiality shall be maintained, or the notification and obtaining of consent will hinder the State organ from performing its statutory duties. Article 35 A State organ processing personal information for the purpose of performing its statutory duties shall inform the individual concerned and obtain his/her consent in accordance with this Law, unless laws and administrative regulations provide that confidentiality shall be maintained, or the notification and obtaining of consent will hinder the State organ from performing its statutory duties. Article 35 A State organ processing personal information for the purpose of performing its statutory duties shall perform the obligation of notification in accordance with this Law, except for circumstances prescribed in Paragraph 1 of Article 18, or the notification will hinder the State organ from performing its statutory duties.
Article 36 No State organ may disclose or provide others with the personal information it processes, unless laws and administrative regulations otherwise provide, or the consent of the individual is obtained. Article 36 The personal information processed by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a risk assessment shall be conducted. Relevant departments may be required to provide support and assistance for risk assessment. Article 36 The personal information processed by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a security assessment shall be conducted. Relevant departments may be required to provide support and assistance for security assessment.
Article 37 The personal information processed by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a risk assessment shall be conducted. Relevant departments may be required to provide support and assistance for risk assessment. Article 37 The provisions of this law on personal information processed by State organs shall apply for personal information processing by organizations authorized by laws and regulations with the function of managing public affairs to perform statutory duties. Article 37 The provisions of this law on personal information processed by State organs shall apply for personal information processing by organizations authorized by laws and regulations with the function of managing public affairs to perform statutory duties.
Chapter III Rules for Cross-border Provision of Personal Information Chapter III Rules for Cross-border Provision of Personal Information Chapter III Rules for Cross-border Provision of Personal Information
Article 38 Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall at least meet any of the following conditions:
(I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;
(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;
(III) where it has concluded a contract with an overseas recipient specifying the rights and obligations of both parties and has supervised the recipient’s processing of personal information to ensure that the recipient’s processing meets the standards for the protection of personal information as prescribed herein; or
(IV) where it has satisfied other conditions prescribed by laws, administrative regulations or the State cyberspace administration.
Article 38 Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall at least meet any of the following conditions: (I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;
(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;
(III) where it has concluded a contract with an overseas recipient according to the standard contract formulated by the state cyberspace administration, specifying the rights and obligations of both parties, and has supervised the recipient’s processing of personal information to ensure that the recipient’s processing meets the standards for the protection of personal information as prescribed herein; or
(IV) where it has satisfied other conditions prescribed by laws, administrative regulations or the State cyberspace administration.
Article 38 Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions: (I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;
(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;
(III) where it has concluded a contract with an overseas recipient according to the standard contract formulated by the state cyberspace administration, specifying the rights and obligations of both parties; or
(IV) where it has satisfied other conditions prescribed by laws, administrative regulations or the State cyberspace administration.
Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside the territory of the People’s Republic of China, such provisions may be complied with.
Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.
Article 39 Where a personal information processor provides personal information of an individual to a party outside the territory of the People’s Republic of China, it shall inform the individual of such matters as the identity of the overseas recipient, contact information, purpose and method of processing, type of personal information and the way for the individual to exercise the rights prescribed herein against the overseas recipient, and shall obtain the individual’s separate consent. Article 39 Where a personal information processor provides personal information of an individual to a party outside the territory of the People’s Republic of China, it shall inform the individual of such matters as the identity of the overseas recipient, contact information, purpose and method of processing, type of personal information and the way for the individual to exercise the rights prescribed herein against the overseas recipient, and shall obtain the individual’s separate consent. Article 39 Where a personal information processor provides personal information of an individual to a party outside the territory of the People’s Republic of China, it shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and the way and procedure for the individual to exercise the rights prescribed herein against the overseas recipient, and shall obtain the individual’s separate consent.
Article 40 Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail. Article 40 Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail. Article 40 Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. 
If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.
Article 41 Where it is necessary to provide personal information outside the territory of the People’s Republic of China due to international judicial assistance or administrative enforcement assistance, an application shall be filed with the competent authority for approval in accordance with the law. Where the international treaties or agreements concluded or acceded to by the People’s Republic of China contain provisions on the provision of personal information outside the territory of the People’s Republic of China, such provisions shall prevail. Article 41 Personal information stored within the territory of the People’s Republic of China as required by judicial or law enforcement agencies outside of the territory of the People’s Republic of China shall not be provided without the approval of the competent authority of the People’s Republic of China; if there are provisions in international treaties or agreements concluded or acceded to by the People’s Republic of China, such provisions shall prevail. Article 41 The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or participated in by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China. Without the approval of the competent authority of the People’s Republic of China, personal information processor shall not provide the personal information stored within the territory of the People’s Republic of China to judicial or law enforcement agencies outside of the territory of the People’s Republic of China.
Article 42 For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting the provision of personal information to such overseas organization or individual. Article 42 For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting the provision of personal information to such overseas organization or individual. Article 42 For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting the provision of personal information to such overseas organization or individual.
Article 43 Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in respect of the protection of personal information, the People’s Republic of China may, as the case may be, take corresponding measures against such country or region. Article 43 Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in respect of the protection of personal information, the People’s Republic of China may, as the case may be, take reciprocal measures against such country or region. Article 43 Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in respect of the protection of personal information, the People’s Republic of China may, as the case may be, take reciprocal measures against such country or region.
Chapter IV Rights of Individuals in Activities of Processing Personal Information Chapter IV Rights of Individuals in Activities of Processing Personal Information Chapter IV Rights of Individuals in Activities of Processing Personal Information
Article 44 An individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations. Article 44 An individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations. Article 44 An individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations.
Article 45 An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 19 herein.
Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.
Article 45 An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 19 herein.
Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.
Article 45 An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 18 and Article 35 herein.
Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.
Where an individual requests to transfer his/her personal information to a personal information processor designated by him/her, the personal information processor shall provide the means for such transfer if the conditions prescribed by the State cyberspace administration are met.
Article 46 Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.
Where an individual requests for corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.
Article 46 Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.
Where an individual requests for corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.
Article 46 Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.
Where an individual requests for corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.
Article 47 Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative or at the request of the individual concerned:
(I) where the agreed storage period has expired or the purpose of processing the personal information has been achieved;
(II) where the personal information processor stops providing products or services;
(III) where the individual withdraws his/her consent;
(IV) where the personal information processor processes personal information in violation of laws, administrative regulations or the agreement; or
(V) any other circumstance as prescribed by laws and administrative regulations.
Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop processing personal information.
Article 47 Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative; if the personal information processor has not deleted it, the individual concerned shall have the right to request deletion: 
(I) where the purpose of processing has been achieved or is no longer necessary to achieve;
(II) where the personal information processor stops providing products or services, or the agreed storage period has expired;
(III) where the individual withdraws his/her consent;
(IV) where the personal information processor processes personal information in violation of laws, administrative regulations or the agreement; or
(V) any other circumstance as prescribed by laws and administrative regulations.
Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop processing personal information other than storage and taking necessary security measures.
Article 47 Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative; if the personal information processor has not deleted it, the individual concerned shall have the right to request deletion:
(I) where the purpose of processing has been achieved, unable to achieve, or is no longer necessary to achieve;
(II) where the personal information processor stops providing products or services, or the agreed storage period has expired;
(III) where the individual withdraws his/her consent;
(IV) where the personal information processor processes personal information in violation of laws, administrative regulations or the agreement; or
(V) any other circumstance as prescribed by laws and administrative regulations.
Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop processing personal information other than storage and taking necessary security measures.
Article 48 An individual is entitled to request the personal information processor to explain the rules on the processing of personal information. Article 48 An individual is entitled to request the personal information processor to explain the rules on the processing of personal information. Article 48 An individual is entitled to request the personal information processor to explain the rules on the processing of personal information.
Article 49 In the event of the death of a natural person, the rights of the individual in the personal information processing activities prescribed in this Chapter shall be exercised by his near relatives. Article 49 In the event of the death of a natural person, his/her near relatives may, for their own lawful and legitimate interests, exercise the rights of consulting, copying, correcting, and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless the deceased had otherwise arranged before his/her death.
Article 49 A personal information processor shall establish a mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated. Article 50 A personal information processor shall establish a mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated. Article 50 A personal information processor shall establish a convenient mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated.
Where the personal information processor refuses an individual’s request to exercise his rights, the individual may bring a lawsuit in a people’s court according to law.
Chapter V Obligations of Personal Information Processors Chapter V Obligations of Personal Information Processors Chapter V Obligations of Personal Information Processors
Article 50 A personal information processor shall, according to the purpose and method of processing personal information, type of personal information, impact on individual, and possible security risk, etc., take necessary measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized visit, or leakage, theft, falsification and deletion of personal information:
(I) formulating internal management system and operational procedures;
(II) managing personal information by hierarchical classification;
(III) taking corresponding technical security measures such as encryption and de-identification;
(IV) reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;
(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and
(VI) other measures as prescribed by laws and administrative regulations.
Article 51 A personal information processor shall, according to the purpose and method of processing personal information, type of personal information, impact on individual, and possible security risk, etc., take necessary measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized visit, theft, falsification, and deletion of personal information:
(I) formulating internal management system and operational procedures;
(II) managing personal information by classification;
(III) taking corresponding technical security measures such as encryption and de-identification;
(IV) reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;
(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and
(VI) other measures as prescribed by laws and administrative regulations.
Article 51 A personal information processor shall, according to the purpose and method of processing personal information, type of personal information, impact on individual’s right and interest, and possible security risk, etc., take following measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized visit, or leakage, falsification, and loss of personal information:
(I) formulating internal management system and operational procedures;
(II) managing personal information by classification;
(III) taking corresponding technical security measures such as encryption and de-identification;
(IV) reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;
(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and
(VI) other measures as prescribed by laws and administrative regulations.
Article 51 Where the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.
A personal information processor shall make public the name and contact information of the person in charge of personal information protection and submit the same to the department performing duties of personal information protection.
Article 52 Where the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.
A personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department performing duties of personal information protection.
Article 52 Where the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.
A personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department performing duties of personal information protection.
Article 52 Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of relevant agency or the representative to the department performing duties of personal information protection. Article 53 Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of relevant agency or the representative to the department performing duties of personal information protection. Article 53 Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of relevant agency or the representative to the department performing duties of personal information protection.
Article 53 A personal information processor shall regularly audit whether its processing of personal information and the adopted protection measures are in compliance with provisions of laws and administrative regulations. The department performing duties of personal information protection is entitled to require any personal information processor to entrust a specialized agency to conduct audit. Article 54 A personal information processor shall regularly audit whether its personal information processing activity is in compliance with provisions of laws and administrative regulations. Article 54 A personal information processor shall regularly audit whether its processing of personal information is in compliance with provisions of laws and administrative regulations.
Article 54 A personal information processor shall assess the risks of the following personal information processing activities in advance and keep a record of the processing:
(I) processing sensitive personal information;
(II) making use of personal information to make automatic decisions;
(III) entrusting others to process personal information, providing third parties with personal information, and disclosing personal information;
(IV) providing personal information to overseas parties; and
(V) other personal information processing activities that have significant impact on individuals.
The risk assessment shall include:
(I) whether the purpose and method of processing personal information are legitimate, justifiable and necessary;
(II) impact on individuals and the degree of risks; and
(III) whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks.
The risk assessment report and processing record shall be kept for at least three years.
Article 55 A personal information processor shall assess the risks of the following personal information processing activities in advance and keep a record of the processing:
(I) processing sensitive personal information;
(II) making use of personal information to make automatic decisions;
(III) entrusting others to process personal information, providing others with personal information, and disclosing personal information;
(IV) providing personal information to overseas parties; and
(V) other personal information processing activities that have significant impact on individuals.
The risk assessment shall include:
(I) whether the purpose and method of processing personal information are legitimate, justifiable and necessary;
(II) impact on individuals and the degree of risks; and
(III) whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks.
The risk assessment report and processing record shall be kept for at least three years.
Article 55 A personal information processor shall conduct personal information protection impact assessment of the following circumstances in advance and keep a record of the processing:
(I) processing sensitive personal information;
(II) making use of personal information to make automatic decisions;
(III) entrusting others to process personal information, providing other personal information processors with personal information, and disclosing personal information;
(IV) providing personal information to overseas parties; and
(V) other personal information processing activities that have significant impact on individuals’ rights and interests.
Article 56 The personal information protection impact assessment shall include the following:
(I) whether the purpose and method of processing personal information are legitimate, justifiable and necessary;
(II) impact on individuals’ rights and interests and the security risks; and
(III) whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks.
The personal information protection assessment report and processing record shall be kept for at least three years.
Article 55 Any personal information processor finding that personal information is leaked shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:
(I) reasons for the leakage of personal information;
(II) types of personal information leaked and possible harm;
(III) remedial measures taken;
(IV) measures that can be taken by the individuals to mitigate harm; and
(V) contact information of the personal information processor.
If the personal information processor has taken measures to effectively avoid damage caused by information leakage, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes that the leakage of personal information may cause damage to the individuals, it may require the personal information processor to notify the individuals thereof.
Article 56 Any personal information processor finding that personal information is leaked shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:
(I) reasons for the leakage of personal information;
(II) types of personal information leaked and possible harm;
(III) remedial measures taken;
(IV) measures that can be taken by the individuals to mitigate harm; and
(V) contact information of the personal information processor.
If the personal information processor has taken measures to effectively avoid damage caused by information leakage, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes that the leakage of personal information may cause damage to the individuals, it may require the personal information processor to notify the individuals thereof.
Article 57 Where personal information has been or may be leaked, falsified, or lost, the personal information processor shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:
(I) types and causes of personal information leakage, falsification, and loss that have occurred or may occur and the possible harm caused;
(II) remedial measures taken by personal information processors and measures taken by individuals to mitigate harm;
(III) contact information of the personal information processor.
If the personal information processor has taken measures to effectively avoid harm caused by information leakage, falsification, or loss, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes harm shall be caused, it may require the personal information processor to notify the individuals thereof.
Article 57 Personal information processors that provide basic Internet platform services with a large number of users and complex business types shall perform the following obligations:
(I) Establish an independent organization composed mainly of external members to supervise personal information processing activities;
(II) Stop providing services to the product or service providers on the platform that seriously violate laws and administrative regulations in processing personal information;
(III) Regular release of social responsibility report regarding personal information protection and subject to public supervision.
Article 58 Personal information processors that provide important Internet platform services with a large number of users and complex business types shall perform the following obligations:
(I) Establish and improve the compliance system for personal information protection in accordance with state regulations, and establish an independent organization composed mainly of external members to protect personal information;
(II) Formulate the rules of the platform in accordance with the principles of openness, fairness, and justice, to clarify the norms for the processing of personal information and the obligations of the product or service providers within the platform to protect personal information;
(III) Stop providing services to the product or service providers on the platform that seriously violate laws and administrative regulations in processing personal information;
(IV) Regular release of social responsibility report regarding personal information protection and subject to public supervision.
Article 58 The party entrusted to process personal information shall fulfill the relevant obligations prescribed in this Chapter and take necessary measures to ensure the security of the personal information processed. Article 59 The party entrusted to process personal information shall fulfill the relevant obligations prescribed by this Law and other relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist personal information processors to fulfill their obligations under this Law.
Chapter VI Departments Performing Duties of Personal Information Protection Chapter VI Departments Performing Duties of Personal Information Protection Chapter VI Departments Performing Duties of Personal Information Protection
Article 56 The state cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising and administering personal information shall be determined in accordance with relevant provisions of the State.
The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.
Article 59 The state cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising and administering personal information shall be determined in accordance with relevant provisions of the State.
The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.
Article 60 The state cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising and administering personal information shall be determined in accordance with relevant provisions of the State.
The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.
Article 57 Departments performing duties of personal information protection shall perform the following duties of personal information protection:
(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;
(II) accepting and processing complaints and reports relating to personal information protection;
(III) investigating and processing illegal personal information processing activities; and
(IV) other duties stipulated by laws and administrative regulations.
Article 60 Departments performing duties of personal information protection shall perform the following duties of personal information protection:
(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;
(II) accepting and processing complaints and reports relating to personal information protection;
(III) investigating and processing illegal personal information processing activities; and
(IV) other duties stipulated by laws and administrative regulations.
Article 61 Departments performing duties of personal information protection shall perform the following duties of personal information protection:
(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;
(II) accepting and processing complaints and reports relating to personal information protection;
(III) organizing the evaluation of the protection of personal information such as applications and publish the evaluation results;
(IV) investigating and processing illegal personal information processing activities; and
(V) other duties stipulated by laws and administrative regulations.
Article 58 The state cyberspace administration and relevant departments under the State Council shall, according to their duties and authorities, organize the formulation of relevant rules and standards for protecting personal information, promote the development of a socialized service system for protecting personal information, and support relevant organizations in carrying out assessment and certification services in respect of personal information protection. Article 61 The state cyberspace administration shall coordinate with the relevant departments in promoting the protection of personal information in accordance with this Law as follows:
(I) formulate specific rules and standards for the protection of personal information;
(II) formulate special personal information protection rules and standards for processing sensitive personal information and new technologies and applications such as face recognition and artificial intelligence;
(III) support research and development of secure and convenient electronic identity authentication technology;
(IV) promote the development of a socialized service system for protecting personal information and support relevant organizations in carrying out assessment and certification services in respect of personal information protection.
Article 62 The state cyberspace administration shall coordinate with the relevant departments in promoting the protection of personal information in accordance with this Law as follows:
(I) formulate specific rules and standards for the protection of personal information;
(II) formulate special personal information protection rules and standards for small personal information processors, sensitive personal information processing, and new technologies and applications such as face recognition and artificial intelligence;
(III) support research, development, and promotion of secure and convenient electronic identity authentication technology, and promote the construction of public services for online identity authentication;
(IV) promote the development of a socialized service system for protecting personal information and support relevant organizations in carrying out assessment and certification services in respect of personal information protection.
(V) improve the mechanism for complaints and whistleblowing reports on personal information protection.
Article 59 Departments performing duties of personal information protection may take the following measures when performing the duties of personal information protection:
(I) inquiry of the parties concerned, and investigation of the circumstances relating to personal information processing activities;
(II) consulting and copying contracts, records, account books and other relevant materials relating to personal information processing activities of the parties concerned;
(III) carrying out on-site inspection and investigation activities relating to processing personal information suspected of violating laws; and
(IV) checking the equipment and Articles relating to personal information processing activities and may sealing up or seizing the equipment and Articles that are proved to be illegal personal information processing activities.
When departments performing duties of personal information protection perform duties in accordance with the law, the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct such performance.
Article 62 Departments performing duties of personal information protection may take the following measures when performing the duties of personal information protection:
(I) inquiry of the parties concerned, and investigation of the circumstances relating to personal information processing activities;
(II) consulting and copying contracts, records, account books and other relevant materials relating to personal information processing activities of the parties concerned;
(III) carrying out on-site inspection and investigation activities relating to processing personal information suspected of violating laws; and
(IV) checking the equipment and Articles relating to personal information processing activities and may sealing up or seizing the equipment and Articles that are proved to be illegal personal information processing activities upon reporting in writing to the principal of the department and getting approval.
When departments performing duties of personal information protection perform duties in accordance with the law, the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct such performance.
Article 63 Departments performing duties of personal information protection may take the following measures when performing the duties of personal information protection:
(I) inquiry of the parties concerned, and investigation of the circumstances relating to personal information processing activities;
(II) consulting and copying contracts, records, account books and other relevant materials relating to personal information processing activities of the parties concerned;
(III) carrying out on-site inspection and investigation activities relating to processing personal information suspected of violating laws; and
(IV) checking the equipment and articles relating to personal information processing activities, and sealing up or seizing the equipment and articles that are proved to be used for illegal personal information processing activities, upon reporting in writing to the principal of the department and getting approval.
When departments performing duties of personal information protection perform duties in accordance with the law, the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct such performance.
Article 60 Where departments performing duties of personal information protection find in performing their duties of personal information protection that there are relatively high risks in personal information processing activities or personal information security incidents have occurred, they may interview the legal representative or person chiefly in charge of the personal information processor according to prescribed authority and procedures. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required. Article 63 Where departments performing duties of personal information protection find in performing their duties of personal information protection that there are relatively high risks in personal information processing activities or personal information security incidents have occurred, they may interview the legal representative or person chiefly in charge of the personal information processor according to prescribed authority and procedures, or require the personal information processor to entrust professional institutions to conduct compliance audits of their personal information processing activities. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required. Article 64 Where departments performing duties of personal information protection find in performing their duties of personal information protection that there are relatively high risks in personal information processing activities or personal information security incidents have occurred, they may interview the legal representative or person chiefly in charge of the personal information processor according to prescribed authority and procedures, or require the personal information processor to entrust professional institutions to conduct compliance audits of their personal information processing activities. 
The personal information processor shall take measures to make rectification and eliminate hidden dangers as required.
The department that performs the duty of personal information protection and discovers that the illegal processing of personal information is suspected of a crime in the course of performing its duty, shall promptly transfer the case to the public security organ for handling according to law.
Article 61 Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing duties of personal information protection. The departments receiving such complaints or reports shall promptly process them according to the law and notify the complainants or reporters of the results. The departments performing duties of personal information protection shall make public the contact information for accepting complaints or reports. Article 64 Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing duties of personal information protection. The departments receiving such complaints or reports shall promptly process them according to the law and notify the complainants or reporters of the results. The departments performing duties of personal information protection shall make public the contact information for accepting complaints or reports. Article 65 Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing duties of personal information protection. The departments receiving such complaints or reports shall promptly process them according to the law and notify the complainants or reporters of the results. The departments performing duties of personal information protection shall make public the contact information for accepting complaints or reports.
Chapter VII Legal Liability Chapter VII Legal Liability Chapter VII Legal Liability
Article 62 Where personal information is processed in violation of the provisions hereof, or necessary security protection measures are not taken in processing personal information, the departments performing duties of personal information protection shall order the processor to make rectification, confiscate its illegal gains and give a warning to the processor; if rectification is refused, a fine of not more than RMB 1 million shall be imposed concurrently on the processor; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge of the processor and other directly liable persons. Where an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons.
Article 65 Where personal information is processed in violation of the provisions hereof, or necessary security protection measures are not taken in processing personal information, the departments performing duties of personal information protection shall order the processor to make rectification, give a warning to the processor and confiscate its illegal gains; if rectification is refused, a fine of not more than RMB 1 million shall be imposed concurrently on the processor; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge of the processor and other directly liable persons. Where an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons.
Article 66 Where personal information is processed in violation of the provisions hereof, or personal information is processed without fulfilling the personal information protection obligations stipulated in this Law, the departments performing duties of personal information protection shall order the processor to make rectification, give a warning to the processor and confiscate its illegal gains, or order the applications that illegally process personal information to suspend or terminate the provision of services; if rectification is refused, a fine of not more than RMB 1 million shall be imposed concurrently on the processor; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge of the processor and other directly liable persons. Where an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection at or above the provincial level shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons, and such persons may also be prohibited from serving as directors, supervisors, senior managers, and persons in charge of personal information protection of relevant enterprises for a certain period of time.
Article 63 Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public. Article 66 Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public. Article 67 Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public.
Article 64 Where a state organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law. Article 67 Where a state organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law. Article 68 Where a state organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law.
Where the staff of departments responsible for personal information protection are guilty of dereliction of duties, abusing official powers, or malpractice for personal gain, but this has yet to constitute a crime, they shall be punished pursuant to the law.
Article 65 Where the rights and interests of personal information are infringed upon due to personal information processing, the compensation liability shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances. If the personal information processor can prove that it is not at fault, its liability may be mitigated or exempted. Article 68 Where the rights and interests of personal information are infringed upon due to personal information processing, and the personal information processor cannot prove that it is not at fault, it shall bear the tort liability for damages.
Liability for damages prescribed in the preceding paragraph shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances.
Article 69 Where the rights and interests of personal information are infringed upon due to personal information processing and cause damages, and the personal information processor cannot prove that it is not at fault, it shall bear the tort liability for damages.
Liability for damages prescribed in the preceding paragraph shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances.
Article 66 Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the department performing the duties of personal information protection and the organization determined by the state cyberspace administration may file a lawsuit with the people’s court in accordance with the law. Article 69 Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the department performing the duties of personal information protection and the organization determined by the state cyberspace administration may file a lawsuit with the people’s court in accordance with the law. Article 70 Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the consumer organizations specified by law and the organization determined by the state cyberspace administration may file a lawsuit with the people’s court in accordance with the law.
Article 67 Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. Article 70 Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law. Article 71 Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law.
Chapter VIII Supplementary Provisions Chapter VIII Supplementary Provisions Chapter VIII Supplementary Provisions
Article 68 This Law shall not be applicable to the processing of personal information by a natural person by virtue of his/her personal or family affairs. Where there are legal provisions on the processing of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply. Article 71 This Law shall not be applicable to the processing of personal information by a natural person by virtue of his/her personal or family affairs. Where there are legal provisions on the processing of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply. Article 72 This Law shall not be applicable to the processing of personal information by a natural person by virtue of his/her personal or family affairs. Where there are legal provisions on the processing of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply.
Article 69 For the purposes of this Law, the following terms are defined as follows:
(I) A personal information processor refers to any organization or individual that independently determines the purpose and method of processing and other personal information processing matters.
(II) Automatic decision-making refers to an activity in which personal information is used to automatically analyze and evaluate a person’s behavior habits, hobbies or economic, health or credit status through computer programs and make decisions.
(III) De-identification refers to the process in which personal information is processed so that it is impossible to identify certain natural persons without the use of additional information.
(IV) Anonymization refers to the process in which personal information is processed so that it is impossible to identify a certain natural person and the information cannot be recovered.
Article 72 For the purposes of this Law, the following terms are defined as follows:
(I) A personal information processor refers to any organization or individual that independently determines the purpose and method of processing and other personal information processing matters.
(II) Automatic decision-making refers to an activity in which personal information is used to automatically analyze and evaluate a person’s behavior habits, hobbies or economic, health or credit status through computer programs and make decisions.
(III) De-identification refers to the process in which personal information is processed so that it is impossible to identify certain natural persons without the use of additional information.
(IV) Anonymization refers to the process in which personal information is processed so that it is impossible to identify a certain natural person and the information cannot be recovered.
Article 73 For the purposes of this Law, the following terms are defined as follows:
(I) A personal information processor refers to any organization or individual that independently determines the purpose and method of processing in personal information processing activities.
(II) Automatic decision-making refers to an activity to automatically analyze and evaluate a person’s behavior habits, hobbies or economic, health or credit status through computer programs and make decisions.
(III) De-identification refers to the process in which personal information is processed so that it is impossible to identify certain natural persons without the use of additional information.
(IV) Anonymization refers to the process in which personal information is processed so that it is impossible to identify a certain natural person and the information cannot be recovered.
Article 70 This Law shall come into force as of MM/DD/YY. Article 73 This Law shall come into force as of MM/DD/YY. Article 74 This Law shall come into force as of November 1, 2021.

 

Disclaimer: The translation was produced by the China Briefing team for general information purposes only. No liability is assumed for the accuracy of the content. For advice on your specific business queries, please contact a qualified professional advisor. You are welcome to consult our experts at Dezan Shira & Associates by emailing us at China@dezshira.com.

