China’s ‘Equivalent’ to Europe’s GDPR – Personal Information Protection Law (PIPL) Comes into Effect 1 November
On 20 August 2021, China passed the Personal Information Protection Law (PIPL), which will come into effect on 1 November 2021 and has a significant impact on most HR teams and their businesses. It is the first law that specifically focuses on the protection of personal information in China. The key issues covered by the PIPL include:
- Informing and obtaining consent for processing personal information
- Organisational governance and assurance
- Local storage and cross-border transfer of data
- Rights of the data subject
- Obligations of the personal information processor
At a high level, the PIPL is often regarded as China’s equivalent to the EU’s General Data Protection Regulation (GDPR), as it shares many similarities in terms of concepts and structure. The Personal Information Protection Law will have a significant impact on how HR and organisations handle personal information, and you should ensure your business is compliant with this new piece of legislation.
Failure to comply with the requirements of the PIPL may result in authorities issuing an order for rectification, warnings, confiscating any unlawful income, and imposing fines up to RMB 50,000,000.
Ensure You Are Compliant with Our PIPL Checklist
While there is an exemption under Article 13 for carrying out HR management under an employment policy, guidance from the Government in respect of this exemption is still to be released. As such, legal and compliance advisors are recommending that HR teams comply with the PIPL in case they do not qualify for the exemption under Article 13 or the personal information is protected under other legislation (e.g., Civil Code Law). Accordingly, Links has created a standard checklist to cover all the main steps your business needs to take to be compliant with the PIPL:
1. Review the personal information your business collects and check whether the information is a requisite for the delivery of your services
Completed ☐
2. Identify any sensitive personal information collected
Sensitive personal information refers to information that can easily harm the dignity of natural persons or seriously damage the safety of individuals and property. This includes but is not limited to:
- Biometric Identification
- Healthcare
- Financial Account
- Specific Identities
- Religious Beliefs
Completed ☐
3. Check if your organisation is a Critical Information Infrastructure Operator (CIIO)
Any cross-border transfer of personal information collected and generated during the process of operation in China by a CIIO must go through a safety evaluation carried out by the Cyberspace Administration of China (CAC). (Companies listed as CIIOs will be notified by the relevant authorities.)
Completed ☐
4. Inform data subjects (e.g., employees) about the processing of their personal information
4.1. The individual should be informed of:
i. Name and contact details of the personal information user
ii. The purpose and method of personal information processing
iii. Scope of personal information being collected and processed, and length of storage
iv. Procedures for exercising the rights of the individual in respect of personal information processing
- Whether your business will further provide the personal information to any other data processor i.e., subcontractors. The subcontractor must also provide the information in points i., ii., iii., and iv.
- Where sensitive personal information will be processed, the individual must be informed of the necessity of the processing and the impact on the individual’s interests
- Any overseas personal information recipient will need to provide the information in points i., ii., iii., and iv.
Completed ☐
5. Obtain consent from the data subject for the processing of their personal information
This includes:
- Collection
- Storage
- Usage
- Processing
- Transmission
- Provision
- Publication
- Deletion
5.1. A separate consent will be required if:
- Personal information is provided to a subcontractor
- Processing sensitive personal information
- Personal information is provided to an overseas recipient
5.2. If there are changes to personal information processing, your business must inform the data subject and obtain a new consent
Completed ☐
6. Impact evaluation for personal information protection
Under these scenarios:
- Personal information is provided to a subcontractor
- Processing sensitive personal information
- Personal information is provided to an overseas recipient
An impact evaluation regarding personal information protection will need to be conducted and the process documented. (The evaluation and its steps shall be kept for at least 3 years.)
Completed ☐
7. A written agreement of statutory terms between your business and any subcontractors
Completed ☐
8. Take measures to ensure your business and overseas recipients of personal information meet the standards of protection under the PIPL
One of the following conditions must be met:
- Pass a safety evaluation carried out by the CAC
- Obtain certification of personal information protection from a professional agency according to the rules and regulations set by the CAC
- Enter into a contract with the overseas recipient in substantially the same form as the standard contract formulated by the CAC
Completed ☐
9. Implement a mechanism that allows the data subject to:
- Revoke their consent
- Amend or delete their personal information
Completed ☐
*Note: It is also important for your business to take the initiative to delete personal information if any of the following circumstances arise:
- The purpose of processing the personal information has been achieved and the information is no longer required
- The period of storage has expired
- Consent for personal information processing has been revoked
- The agreement on personal information processing has been violated
*Please note that this is intended as a general guide. For more details, please visit the Government website or contact our team now!
Struggling to Keep Up with the Changes in China?
The Personal Information Protection Law, along with the Cybersecurity Law and Data Security Law, will make up the framework of cybersecurity and data privacy regulations in China. With the PIPL coming into effect on 1 November 2021, there are still areas yet to be clarified and potential for further updates.
