What China’s Personal Information Protection Law (PIPL) Means for HR Teams – An HR PIPL Compliance Checklist

China’s ‘Equivalent’ to Europe’s GDPR – Personal Information Protection Law (PIPL) Comes into Effect 1 November

On 20th August 2021, China passed the Personal Information Protection Law, which will come into effect on the 1st November 2021 and will have a significant impact on most HR teams and their businesses. It is the first law that specifically focuses on the protection of personal information in China. The key issues covered by the PIPL include:

  • Informing and obtaining consent for processing personal information
  • Organisational governance and assurance
  • Local storage and cross-border transfer of data
  • Rights of the data subject
  • Obligations of personal information processor

At a high level, the PIPL is often described as China’s equivalent of the EU’s General Data Protection Regulation (GDPR), as it shares many similarities in terms of concepts and structure. The Personal Information Protection Law will have a significant impact on how HR and organisations handle personal information, and you should ensure your business is compliant with this new piece of legislation.

Failure to comply with the requirements of the PIPL may result in authorities issuing an order for rectification, warnings, confiscating any unlawful income, and imposing fines up to RMB 50,000,000.

Ensure You Are Compliant with Our PIPL Checklist

While there is an exemption under Article 13 for carrying out HR management under an employment policy, guidance from the Government in respect of this exemption is still to be released. As such, legal and compliance advisors are recommending that HR teams comply with the PIPL in case they do not qualify for the exemption under Article 13 or the personal information is protected under other legislation (e.g., Civil Code Law). Accordingly, Links has created a standard checklist to cover all the main steps your business needs to take to be compliant with the PIPL:

1. Review the personal information your business collects and check whether the information is required for the delivery of your services


2. Identify any sensitive personal information collected

Sensitive personal information refers to information that can easily harm the dignity of natural persons or seriously damage the safety of individuals and property. This includes but is not limited to:

  • Biometric Identification
  • Healthcare
  • Financial Account
  • Specific Identities
  • Religious Beliefs


3. Check if your organisation is a Critical Information Infrastructure Operator (CIIO)

Any cross-border transfer of personal information collected and generated during the process of operation in China by a CIIO must go through a safety evaluation carried out by the Cyberspace Administration of China (CAC). (Companies listed as CIIOs will be notified by the relevant authorities.)


4. Inform data subjects (e.g., employees) about the processing of their personal information

4.1. The individual should be informed of:

i. Name and contact of personal information user
ii. The purpose and way of personal information processing
iii. Scope of personal information being collected and processed, and length of storage
iv. Procedures of exercising the rights of the individual in respect of personal information processing

  • Whether your business will further provide the personal information to any other data processor, i.e., subcontractors. The subcontractor must also provide the information in points i., ii., iii., and iv.
  • Where sensitive personal information will be processed, the individual must be informed of the necessity of the processing and its impact on the individual’s interests
  • Any overseas personal information recipient will need to provide the information in points i., ii., iii., and iv.


5. Obtain consent from data subjects for the processing of their personal information

This includes:

  • Collection
  • Storage
  • Usage
  • Processing
  • Transmission
  • Provision
  • Publication
  • Deletion

5.1. A separate consent will be required if:

  • Personal information is provided to a subcontractor
  • Sensitive personal information is processed
  • Personal information is provided to an overseas recipient

5.2. If there are changes to personal information processing, the data subject must be informed by your business and a new consent must be obtained


6. Impact evaluation for personal information protection

Under these scenarios:

  • Personal information is provided to a subcontractor
  • Sensitive personal information is processed
  • Personal information is provided to an overseas recipient

An impact evaluation regarding personal information protection will need to be conducted and the process documented. (The evaluation and its steps shall be kept for at least 3 years.)


7. A written agreement of statutory terms between your business and any subcontractors


8. Take measures to ensure your business and overseas recipients of personal information meet the standards of protection under the PIPL

One of the following conditions must be met:

  • Pass a safety evaluation carried out by the CAC
  • Obtain certification of personal information protection from a professional agency according to rules and regulations set by the CAC
  • Enter into a contract with the overseas recipient in substantially the same form as the standard contract formulated by the CAC


9. Implement a mechanism that allows the data subject to:

  • Revoke their consent
  • Amend or delete their personal information


*Note: It is also important for your business to take the initiative to delete personal information if any of the following circumstances arise:

  • Purpose of processing the personal information has been achieved and information is no longer required
  • The period of storage has expired
  • Consent for personal information processing has been revoked
  • The agreement on personal information processing has been violated

*Please note that this is intended as a general guide. For more details, please visit the Government website or contact our team now!

Struggling to Keep Up with the Changes in China?

The Personal Information Protection Law, along with the Cybersecurity Law and Data Security Law, will make up the framework of cybersecurity and data privacy regulations in China. With the PIPL coming into effect on 1 November 2021, there are still areas yet to be clarified and potential for further updates.

To understand how the Personal Information Protection Law may impact your business or to stay updated with the developments, contact us now for more information. Don’t forget to subscribe to our blog and read our Onboard publication to keep up with the latest developments in Asia. If you are looking for a hassle-free solution for staying compliant with new legislation, see why smart businesses choose to outsource their payroll. Links offers payroll outsourcing in 18 locations across Asia, including China; contact us now to learn how we can assist your business.
