- Chapter 1: General Provisions
- Chapter 2: Personal Information Processing Rules
- Chapter 3: Rules for Cross-Border Provision of Personal Information
- Chapter 4: Rights of Individuals in Personal Information Processing Activities
- Chapter 5: Obligations of Personal Information Processors
- Chapter 6: Departments that perform personal information protection duties
- Chapter 7: Legal Liability
- Chapter 8: Supplementary Provisions
- Closing
TLDR; Below is the English-translated version of the China PIPL (Personal Information Protection Law) in China, and it’s effective since November 1, 2021.
Chapter 1: General Provisions
Article 1 In order to protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information, this Law is formulated in accordance with the Constitution.
Article 2 The personal information of natural persons is protected by law, and no organization or individual may infringe upon the personal information rights and interests of natural persons.
Article 3 This Law shall apply to the processing of personal information of natural persons within the territory of the People’s Republic of China.
This Law is also applicable to any of the following circumstances in the processing of personal information of natural persons within the territory of the People’s Republic of China outside the People’s Republic of China:
(1) For the purpose of providing products or services to domestic natural persons;
(2) Analyzing and evaluating the behavior of domestic natural persons;
(3) Other circumstances prescribed by laws and administrative regulations.
Article 4 Personal information refers to all kinds of information related to identified or identifiable natural persons recorded electronically or in other ways, excluding anonymized information.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
Article 5 The processing of personal information shall follow the principles of legality, legitimacy, necessity and good faith, and personal information shall not be processed through misleading, fraudulent, coercive and other means.
Article 6 The processing of personal information shall have a clear and reasonable purpose, and shall be directly related to the purpose of processing, and adopt a method that has the least impact on personal rights and interests.
The collection of personal information shall be limited to the minimum scope to achieve the purpose of processing, and excessive collection of personal information shall not be allowed.
Article 7 Personal information processing shall follow the principles of openness and transparency, disclose personal information processing rules, and express the purpose, method and scope of processing.
Article 8 When handling personal information, the quality of personal information shall be guaranteed, and the adverse impact on personal rights and interests due to inaccuracy and incompleteness of personal information shall be avoided.
Article 9 Personal information processors shall be responsible for their personal information processing activities, and take necessary measures to ensure the security of the personal information they process.
Article 10: No organization or individual may illegally collect, use, process, or transmit other people’s personal information, nor illegally buy, sell, provide, or disclose other people’s personal information; and may not engage in personal information processing activities that endanger national security or public interests.
Article 11: The state establishes and improves personal information protection systems, prevents and punishes acts infringing on personal information rights and interests, strengthens publicity and education on personal information protection, and promotes the formation of a favorable environment for the government, enterprises, relevant social organizations, and the public to jointly participate in personal information protection.
Article 12: The state actively participates in the formulation of international personal information protection rules, promotes international exchanges and cooperation in personal information protection, and promotes mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Chapter 2: Personal Information Processing Rules
Section 1 General Provisions
Article 13 Personal information processors may only process personal information under one of the following circumstances:
(1) Obtain the consent of the individual;
(2) Necessary for the conclusion and performance of a contract to which an individual is a party, or necessary for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and collective contracts signed in accordance with the law;
(3) It is necessary to perform legal duties or legal obligations;
(4) Necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in emergencies;
(5) Conduct news reports, public opinion supervision and other acts for the public interest, and process personal information within a reasonable scope;
(6) In accordance with the provisions of this Law, within a reasonable scope, handle personal information that has been disclosed by individuals themselves or that has been legally disclosed;
(7) Other circumstances stipulated by laws and administrative regulations.
In accordance with other relevant provisions of this Law, personal consent shall be obtained for the processing of personal information, but under the circumstances specified in Items 2 to 7 of the preceding paragraph, individual consent is not required.
Article 14 Where the processing of personal information is based on an individual’s consent, the consent shall be voluntarily and explicitly given by the individual under the premise of full knowledge. Where laws and administrative regulations stipulate that individual consent or written consent shall be obtained for the processing of personal information, such provisions shall prevail.
If the purpose of processing personal information, the method of processing and the type of personal information processed are changed, the individual’s consent shall be obtained again.
Article 15 Where the processing of personal information is based on the individual’s consent, the individual has the right to withdraw his consent. Personal information processors should provide convenient ways to withdraw consent.
The individual’s withdrawal of consent does not affect the validity of the personal information processing activities that have been carried out based on the individual’s consent prior to the withdrawal.
Article 16: Personal information processors shall not refuse to provide products or services on the grounds that individuals do not consent to the processing of their personal information or withdraw their consent; unless processing personal information is necessary for the provision of products or services.
Article 17 Before processing personal information, personal information processors shall truthfully, accurately and completely inform individuals of the following matters in a conspicuous manner and in clear and understandable language:
(1) The name or name and contact information of the personal information processor;
(2) The purpose and method of processing personal information, the type of personal information processed, and the storage period;
(3) the ways and procedures for individuals to exercise their rights under this Law;
(4) Other matters that shall be notified as required by laws and administrative regulations.
If the items specified in the preceding paragraph are changed, the individual shall be notified of the changed part.
If a personal information processor informs the matters specified in paragraph 1 by formulating personal information processing rules, the processing rules shall be made public and be easy to consult and save.
Article 18: When personal information processors handle personal information, and there are circumstances in which laws and administrative regulations stipulate that they should be kept confidential or do not need to be notified, they may not notify individuals of the matters specified in the first paragraph of the preceding article.
If it is impossible to notify individuals in an emergency in order to protect the life, health and property safety of natural persons, the personal information processor shall notify in a timely manner after the emergency is eliminated.
Article 19 Unless otherwise stipulated by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the purpose of processing.
Article 20: Where two or more personal information processors jointly decide on the purpose and method of processing personal information, they shall agree on their respective rights and obligations. However, this agreement does not affect the individual’s request to any one of the personal information processors to exercise the rights stipulated in this law.
Where personal information processors jointly handle personal information and infringe upon the rights and interests of personal information and cause damage, they shall bear joint and several liability in accordance with the law.
Article 21 If a personal information processor entrusts the processing of personal information, it shall agree with the trustee on the purpose, time limit, processing method, type of personal information, protection measures, and the rights and obligations of both parties, etc. Supervision of personal information processing activities.
The trustee shall process personal information in accordance with the agreement, and shall not process personal information beyond the agreed processing purpose and method; if the entrustment contract is ineffective, invalid, revoked or terminated, the trustee shall return the personal information to the personal information processor or delete it , shall not be retained.
Without the consent of the personal information processor, the trustee shall not entrust others to process personal information.
Article 22 Where a personal information processor needs to transfer personal information due to merger, division, dissolution, declaration of bankruptcy, or other reasons, it shall inform the individual of the recipient’s name or name and contact information. The recipient shall continue to perform its obligations as a personal information processor. If the receiving party changes the original processing purpose and processing method, it shall obtain the personal consent again in accordance with the provisions of this Law.
Article 23 Where a personal information processor provides the personal information it handles to other personal information processors, it shall inform the individual of the recipient’s name or name, contact information, processing purpose, processing method and type of personal information, and obtain individual consent. The recipient shall process personal information within the scope of the above-mentioned processing purposes, processing methods and types of personal information. If the receiving party changes the original processing purpose and processing method, it shall obtain the personal consent again in accordance with the provisions of this Law.
Article 24 Personal information processors using personal information to make automated decision-making shall ensure the transparency of decision-making and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions.
Pushing information and commercial marketing to individuals through automated decision-making methods should also provide options that are not tailored to their personal characteristics, or provide individuals with a convenient way to refuse.
To make decisions that have a significant impact on personal rights and interests through automated decision-making, individuals have the right to require personal information processors to explain, and have the right to refuse personal information processors to make decisions only through automated decision-making.
Article 25: Personal information processors shall not disclose the personal information they process, unless they have obtained individual consent.
Article 26 The installation of image collection and personal identification equipment in public places shall be necessary to maintain public safety, comply with relevant state regulations, and set up prominent warning signs. The collected personal images and identification information can only be used for the purpose of maintaining public safety and shall not be used for other purposes; except for the individual consent.
Article 27: Personal information processors may, within a reasonable scope, process personal information that has been disclosed by individuals themselves or that have been legally disclosed; unless the individual explicitly refuses. Personal information handlers shall obtain personal consent in accordance with the provisions of this Law if the processing of personal information that has been disclosed has a significant impact on personal rights and interests.
Section 2 Rules for the Processing of Sensitive Personal Information
Article 28 Sensitive personal information is personal information that, once leaked or used illegally, is likely to cause damage to the personal dignity of natural persons or endanger personal and property safety, including biometric identification, religious beliefs, specific identities, medical care, financial accounts, Whereabouts and other information, as well as personal information of minors under the age of fourteen.
Personal information processors can only process sensitive personal information if they have a specific purpose and sufficient necessity and take strict protective measures.
Article 29: Individual consent shall be obtained for the processing of sensitive personal information; where laws and administrative regulations stipulate that the processing of sensitive personal information shall require written consent, such provisions shall prevail.
Article 30 When a personal information processor handles sensitive personal information, in addition to the matters stipulated in the first paragraph of Article 17 of this Law, it shall also inform individuals of the necessity of processing sensitive personal information and the impact on personal rights and interests; Except as provided by law that it is not necessary to notify individuals.
Article 31: Personal information processors processing the personal information of minors under the age of fourteen shall obtain the consent of the minors’ parents or other guardians.
When personal information processors handle the personal information of minors under the age of fourteen, they shall formulate special personal information processing rules.
Article 32: Where laws and administrative regulations stipulate that relevant administrative licenses should be obtained or other restrictions are imposed on the processing of sensitive personal information, such provisions shall prevail.
Section 3 Special Provisions on the Handling of Personal Information by State Organs
Article 33: The activities of state organs in handling personal information shall be governed by this Law; where there are special provisions in this section, the provisions in this section shall apply.
Article 34: State organs handle personal information in order to perform their statutory duties, and shall do so in accordance with the powers and procedures prescribed by laws and administrative regulations, and shall not exceed the scope and limits necessary to perform their statutory duties.
Article 35: State organs handle personal information in order to perform their statutory duties, and shall perform the obligation of notification in accordance with the provisions of this Law; except for the circumstances specified in Paragraph 1 of Article 18 of this Law, or where notification will hinder the state organs from performing their statutory duties.
Article 36: Personal information processed by state organs shall be stored within the territory of the People’s Republic of China; if it is really necessary to provide it overseas, a security assessment shall be conducted. Security assessments may require support and assistance from relevant departments.
Article 37: Organizations authorized by laws and regulations with functions to manage public affairs handle personal information in order to perform their statutory duties, and the provisions of this Law on the handling of personal information by state organs shall apply.
Chapter 3: Rules for Cross-Border Provision of Personal Information
Article 38 Where personal information processors really need to provide personal information outside the People’s Republic of China due to business needs, they shall meet one of the following conditions:
(1) Passing the security assessment organized by the national network information department in accordance with the provisions of Article 40 of this Law;
(2) Personal information protection certification conducted by a professional institution in accordance with the provisions of the national cybersecurity and informatization department;
(3) Entering into a contract with the overseas recipient in accordance with the standard contract formulated by the national cybersecurity and informatization department, stipulating the rights and obligations of both parties;
(4) Other conditions stipulated by laws, administrative regulations or the national network information department.
International treaties and agreements concluded or acceded to by the People’s Republic of China that stipulate the conditions for providing personal information outside the People’s Republic of China may be implemented in accordance with those regulations.
Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this Law.
Article 39 Where a personal information processor provides personal information outside the People’s Republic of China, it shall inform the individual of the overseas recipient’s name or name, contact information, processing purpose, processing method, type of personal information, and the individual’s information to the overseas recipient. matters such as the manner and procedure for exercising the rights provided for in this law, and obtain the individual consent of the individual.
Article 40: Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number specified by the national cybersecurity and informatization department shall store personal information collected and generated within the territory of the People’s Republic of China within the territory. If it is really necessary to provide it overseas, it shall pass the security assessment organized by the national cybersecurity and informatization department; where laws, administrative regulations, and the national cybersecurity and informatization department stipulate that security assessment may not be required, the provisions shall be followed.
Article 41: The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China. Without the approval of the competent authorities of the People’s Republic of China, personal information processors shall not provide personal information stored in the People’s Republic of China to foreign judicial or law enforcement agencies.
Article 42 If an overseas organization or individual engages in personal information processing activities that infringe upon the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security and public interests of the People’s Republic of China, the national cybersecurity and informatization department may list them as restricted or prohibited. Provide a list of personal information, announce it, and take measures such as restricting or prohibiting the provision of personal information to them.
Article 43 Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People’s Republic of China in the protection of personal information, the People’s Republic of China may take measures against that country or region according to the actual situation.
Chapter 4: Rights of Individuals in Personal Information Processing Activities
Article 44: Individuals have the right to know and make decisions about the processing of their personal information, and have the right to restrict or refuse the processing of their personal information by others, except as otherwise provided by laws and administrative regulations.
Article 45: Individuals have the right to consult and copy their personal information from personal information processors; except for the circumstances specified in the first paragraph of Article 18 and Article 35 of this Law.
Where an individual requests to view or copy his or her personal information, the personal information processor shall provide it in a timely manner.
Where an individual requests the transfer of personal information to the personal information processor designated by him and meets the conditions specified by the national cybersecurity and informatization department, the personal information processor shall provide a transfer channel.
Article 46: If an individual finds that his personal information is inaccurate or incomplete, he has the right to request the personal information processor to correct or supplement it.
Where an individual requests to correct or supplement his personal information, the personal information processor shall verify his personal information and correct or supplement it in a timely manner.
Article 47 Under any of the following circumstances, the personal information processor shall delete the personal information actively; if the personal information processor does not delete it, the individual has the right to request deletion:
(1) The purpose of processing has been achieved, cannot be achieved, or is no longer necessary to achieve the purpose of processing;
(2) The personal information processor stops providing products or services, or the storage period has expired;
(3) The individual withdraws his consent;
(4) Personal information processors handle personal information in violation of laws, administrative regulations or agreements;
(5) Other circumstances prescribed by laws and administrative regulations.
If the retention period stipulated by laws and administrative regulations has not expired, or it is technically difficult to delete personal information, the personal information processor shall stop processing other than storage and taking necessary security protection measures.
Article 48: Individuals have the right to require personal information processors to explain their personal information processing rules.
Article 49 When a natural person dies, their close relatives may exercise the rights to consult, copy, correct, delete, etc., as stipulated in this chapter, for the relevant personal information of the deceased for their own legitimate and legitimate interests, unless the deceased has made other arrangements before his death.
Article 50: Personal information processors shall establish a convenient application acceptance and processing mechanism for individuals to exercise their rights. If an individual’s request to exercise his rights is refused, the reasons shall be explained.
Where a personal information processor refuses an individual’s request to exercise their rights, the individual may file a lawsuit in a people’s court in accordance with the law.
Chapter 5: Obligations of Personal Information Processors
Article 51 Personal information processors shall take the following measures to ensure that personal information processing activities comply with laws and administrative regulations based on the purpose of processing personal information, processing methods, types of personal information, impact on personal rights, and possible security risks Regulations, and to prevent unauthorized access and disclosure, alteration, and loss of personal information:
(1) Formulating internal management systems and operating procedures;
(2) Implement classified management of personal information;
(3) Taking corresponding security technical measures such as encryption and de-identification;
(4) Reasonably determine the operational authority for personal information processing, and conduct security education and training for employees on a regular basis;
(5) Formulating and organizing the implementation of emergency plans for personal information security incidents;
(6) Other measures prescribed by laws and administrative regulations.
Article 52: Personal information processors whose processing of personal information reaches the number specified by the national cybersecurity and informatization department shall designate a person in charge of personal information protection, who is responsible for supervising personal information processing activities and the protection measures taken.
Personal information processors shall disclose the contact information of the person in charge of personal information protection, and submit the name and contact information of the person in charge of personal information protection to the department that performs personal information protection duties.
Article 53 Personal information processors outside of the People’s Republic of China as specified in the second paragraph of Article 3 of this Law shall establish specialized agencies or designated representatives within the territory of the People’s Republic of China to be responsible for handling matters related to personal information protection, and assign relevant agencies The name of the representative or the name and contact information of the representative should be submitted to the department performing the duties of personal information protection.
Article 54: Personal information processors shall regularly conduct compliance audits on their handling of personal information in compliance with laws and administrative regulations.
Article 55 Under any of the following circumstances, the personal information processor shall conduct a personal information protection impact assessment in advance, and record the processing situation:
(1) Handling sensitive personal information;
(2) Using personal information to make automated decision-making;
(3) Entrust the processing of personal information, provide personal information to other personal information processors, and disclose personal information;
(4) Provide personal information overseas;
(5) Other personal information processing activities that have a significant impact on personal rights and interests.
Article 56 The impact assessment of personal information protection shall include the following contents:
(1) Whether the purpose and method of processing personal information is legal, legitimate and necessary;
(2) Impact on personal rights and security risks;
(3) Whether the protective measures taken are legal, effective and commensurate with the degree of risk.
Personal information protection impact assessment reports and processing records shall be kept for at least three years.
Article 57 Where personal information leakage, tampering, or loss occurs or may occur, the personal information processor shall immediately take remedial measures and notify the departments and individuals performing personal information protection duties. The notice should include the following:
(1) The types of information that have occurred or may have been leaked, tampered with, or lost, and the causes and possible harms;
(2) Remedial measures taken by personal information processors and measures that individuals can take to mitigate harm;
(3) The contact information of the personal information processor.
If the personal information processor takes measures to effectively avoid the harm caused by information leakage, tampering, or loss, the personal information processor may not notify the individual; if the department performing personal information protection duties believes that harm may be caused, it has the right to require the personal information processor to notify the individual. .
Article 58 Personal information processors that provide important Internet platform services, have a huge number of users, and have complex business types shall perform the following obligations:
(1) Establish and improve the personal information protection compliance system in accordance with national regulations, and establish an independent organization mainly composed of external members to supervise the protection of personal information;
(2) Follow the principles of openness, fairness, and impartiality, formulate platform rules, and clarify the norms for the handling of personal information by product or service providers on the platform and the obligation to protect personal information;
(3) Stop providing services to product or service providers on the platform that seriously violate laws and administrative regulations to handle personal information;
(4) Regularly release personal information protection social responsibility reports and accept social supervision.
Article 59 The trustee who accepts the entrusted processing of personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist the personal information processor in fulfilling the provisions of this Law. obligation.
Chapter 6: Departments that perform personal information protection duties
Article 60: The national cybersecurity and informatization department is responsible for overall planning and coordination of personal information protection work and related supervision and management work. Relevant departments of the State Council shall be responsible for the protection, supervision and management of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The personal information protection, supervision and management responsibilities of the relevant departments of the local people’s government at or above the county level shall be determined in accordance with relevant state regulations.
The departments specified in the preceding two paragraphs are collectively referred to as departments performing personal information protection duties.
Article 61: Departments performing personal information protection duties perform the following personal information protection duties:
(1) Carry out publicity and education on personal information protection, and guide and supervise personal information processors to carry out personal information protection work;
(2) Accept and handle complaints and reports related to personal information protection;
(3) Organizing the evaluation of the protection of personal information such as applications, and publishing the evaluation results;
(4) Investigate and handle illegal personal information processing activities;
(5) Other duties prescribed by laws and administrative regulations.
Article 62: The national cybersecurity and informatization department shall coordinate and coordinate relevant departments to promote the following personal information protection work in accordance with this Law:
(1) Formulating specific rules and standards for personal information protection;
(2) Formulating special personal information protection rules and standards for small personal information processors, processing sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;
(3) Support the research, development and promotion of safe and convenient electronic identity authentication technology, and promote the construction of network identity authentication public services;
(4) Promote the construction of a socialized service system for personal information protection, and support relevant institutions to carry out personal information protection assessment and certification services;
(5) Improve the working mechanism for personal information protection complaints and reports.
Article 63: Departments performing personal information protection duties may take the following measures when performing personal information protection duties:
(1) Inquire about relevant parties and investigate the situation related to personal information processing activities;
(2) Accessing and copying the contracts, records, account books and other relevant materials of the parties concerned with personal information processing activities;
(3) Implement on-site inspections and investigate suspected illegal personal information processing activities;
(4) Inspect equipment and items related to personal information processing activities; for equipment and items that have been proved to be used for illegal personal information processing activities, report in writing to the person in charge of the department and with approval, seal up or detain them.
Departments that perform personal information protection duties perform their duties in accordance with the law, and the parties should assist and cooperate, and must not refuse or obstruct.
Article 64: In the performance of their duties, the department performing personal information protection duties finds that there is a greater risk in personal information processing activities or personal information security incidents, and may act as the legal representative of the personal information processor in accordance with the prescribed authority and procedures. The person or the main responsible person shall be interviewed, or the personal information processor shall be required to entrust a professional organization to conduct a compliance audit of its personal information processing activities. Personal information processors should take measures as required to make rectifications and eliminate hidden dangers.
In the performance of their duties, the departments performing personal information protection duties find that illegal handling of personal information is suspected of being a crime, and they shall promptly transfer them to the public security organs for handling in accordance with the law.
Article 65: Any organization or individual has the right to complain and report to the department performing personal information protection duties regarding illegal personal information processing activities. The department that receives the complaint or report shall deal with it in a timely manner in accordance with the law, and inform the complainant or informant of the handling result.
Departments performing personal information protection duties shall publish the contact information for receiving complaints and reports.
Chapter 7: Legal Liability
Article 66: Where personal information is handled in violation of the provisions of this Law, or the processing of personal information fails to fulfill the personal information protection obligations stipulated in this Law, the department performing personal information protection duties shall order corrections, give warnings, confiscate illegal gains, and deal with illegal processing. The application of personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of not more than 1 million yuan shall be imposed; the directly responsible person in charge and other directly responsible personnel shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan.
If there is an illegal act specified in the preceding paragraph, if the circumstances are serious, the department at or above the provincial level that performs personal information protection duties shall order it to make corrections, confiscate the illegal income, and impose a fine of not more than 50 million yuan or not more than 5% of the previous year’s turnover, It can also be ordered to suspend relevant business or suspend business for rectification, notify the relevant competent department to revoke the relevant business license or revoke the business license; the directly responsible person in charge and other directly responsible personnel shall be fined not less than 100,000 yuan but not more than 1,000,000 yuan, and may decide to prohibit They serve as directors, supervisors, senior managers and personal information protection officers of related companies for a certain period of time.
Article 67: Anyone who commits any illegal act stipulated in this law shall be recorded in the credit file in accordance with the provisions of relevant laws and administrative regulations, and shall be made public.
Article 68: Where state organs fail to perform their personal information protection obligations as stipulated in this Law, their higher-level organs or departments performing personal information protection duties shall order corrections; the directly responsible persons in charge and other directly responsible persons shall be punished according to law.
If the staff of the department performing the duties of personal information protection neglects their duties, abuses their powers, or engages in malpractices for personal gain, if it does not constitute a crime, they shall be punished in accordance with the law.
Article 69: Where the processing of personal information infringes upon the rights and interests of personal information and causes damage, and the personal information processor cannot prove that he is not at fault, he shall bear tort liability such as compensation for damages.
The liability for damages stipulated in the preceding paragraph shall be determined according to the losses suffered by the individual or the benefits obtained by the personal information processor; if it is difficult to determine the loss suffered by the individual and the benefits obtained by the personal information processor, the amount of compensation shall be determined according to the actual situation.
Article 70: Where personal information processors handle personal information in violation of the provisions of this Law and infringe upon the rights and interests of numerous individuals, the people’s procuratorate, consumer organizations specified by law, and organizations determined by the national cybersecurity and informatization department may file a lawsuit in a people’s court in accordance with the law.
Article 71 Violation of the provisions of this Law, which constitutes a violation of public security management, shall be punished by public security management according to law; if a crime is constituted, criminal responsibility shall be investigated according to law.
Chapter 8: Supplementary Provisions
Article 72 This Law does not apply to natural persons who handle personal information due to personal or family affairs.
Where the law has provisions on the processing of personal information in the statistics and archives management activities organized and implemented by the people’s governments at all levels and their relevant departments, those provisions shall apply.
Article 73 The meanings of the following terms in this Law:
(1) Personal information processor refers to an organization or individual who independently decides the purpose and method of processing in personal information processing activities.
(2) Automated decision-making refers to the activity of automatically analyzing and evaluating an individual’s behavioral habits, interests, or economic, health, and credit status through computer programs, and making decisions.
(3) De-identification refers to the process in which personal information is processed so that it cannot identify a specific natural person without the aid of additional information.
(4) Anonymization refers to the process in which personal information cannot identify a specific natural person and cannot be recovered after processing.
Article 74 This Law shall come into force on November 1, 2021.
Closing
The original PIPL is written in Chinese; we translated it into English, which is what you read above. This document only serves the purpose of a quick understanding of the Law; use it at your own risk..
If you need further help from our team, contact us today, and our experts will explain to you all the secrets of making your site live in China!