What China’s PIPL (Personal Information Protection Law) Means for HR teams? – An HR PIPL Compliance Checklist

China’s ‘Equivalent’ to Europe’s GDPR – the Personal Information Protection Law (PIPL) – Came into Effect on 1 November 2021. The Standard Contract as a Measure for Cross-Border Information Transfer Came into Operation on 1 June 2023, with a Grace Period for Compliance Ending 30 November 2023.

On 20 August 2021, China passed the Personal Information Protection Law (PIPL), which came into effect on 1 November 2021 and has a significant impact on most HR teams and their businesses. It is the first law in China that specifically focuses on the protection of personal information.

In addition, the Measures on the Standard Contract for Cross-border Transfers of Personal Information, announced by the Cyberspace Administration of China, took effect on 1 June 2023. These Measures are intended to provide stronger safeguards for personal information that is transferred out of China. Affected companies are expected to use the template set out in the Measures when drafting contracts with the data recipient. Companies are given a 6-month grace period – up to 30 November 2023 – to rectify non-compliant cross-border personal information transfers carried out before the Measures came into effect. According to the Measures, the signed standard contract and the personal information protection impact assessment report must be filed with the provincial-level cyberspace administration authority within 10 working days of the effective date of the contract.

The key issues covered by the PIPL include:

  • Informing and obtaining consent for processing personal information
  • Organisational governance and assurance
  • Local storage and cross-border transfer of data
  • Rights of the data subject
  • Obligations of personal information processor

At a high level, the PIPL is often described as China’s equivalent to the EU’s General Data Protection Regulation (GDPR), as it shares many similarities in concepts and structure. The Personal Information Protection Law will have a significant impact on how HR teams and organisations handle personal information, and you should ensure your business is compliant with this new piece of legislation.

Failure to comply with the requirements of the PIPL may result in authorities issuing an order for rectification, warnings, confiscating any unlawful income, and imposing fines up to RMB 50,000,000.


Ensure You Are Compliant with Our PIPL Checklist

While Article 13 provides an exemption for processing carried out for HR management under an employment policy, government guidance on the scope of this exemption has yet to be released. As such, legal and compliance advisors recommend that HR teams comply with the PIPL in case they do not qualify for the Article 13 exemption or the personal information is also protected under other legislation (e.g., the Civil Code). Accordingly, Links has created a standard checklist covering the main steps your business needs to take to be compliant with the PIPL:

1. Review the personal information your business collects and check whether each item is necessary for the delivery of your services

2. Identify any sensitive personal information collected

Sensitive personal information refers to information that can easily harm the dignity of natural persons or cause serious damage to the safety of persons or property. This includes but is not limited to:

  • Biometric Identification
  • Healthcare
  • Financial Account
  • Specific Identities
  • Religious Beliefs
  • Whereabouts Tracking (location data)
  • Personal Information of Minors Under 14 Years of Age

3. Check whether your organisation is required to pass a safety evaluation carried out by the Cyberspace Administration of China (CAC) before transferring any personal information across borders. This applies if your organisation is:

  • i. A Critical Information Infrastructure Operator (CIIO)
  • ii. Personal information processors whose personal information processing reaches the amount prescribed by the State Department of Cyberspace

4. Inform data subjects (e.g., employees) about how their personal information is processed

4.1. The individual should be informed of:

  • i. Name and contact details of the personal information processor
  • ii. The purpose and method of personal information processing
  • iii. Scope of personal information being collected and processed, and length of storage
  • iv. Procedures for exercising the individual’s rights in respect of personal information processing

    • Whether your business will further provide the personal information to any other data processor, i.e., subcontractors. The subcontractor must also provide the information in points i., ii., iii., and iv.
    • Where sensitive personal information will be processed, the individual must be informed of the necessity of the processing and its impact on the individual’s interests.
    • Any overseas recipient of personal information will also need to provide the information in points i., ii., iii., and iv.

5. Obtain consent from the data subject for the processing of their personal information

This includes:

  • Collection
  • Storage
  • Usage
  • Processing
  • Transmission
  • Provision
  • Publication
  • Deletion

5.1. A separate consent will be required if:

  • Personal information is provided to a subcontractor
  • Sensitive personal information is processed
  • Personal information is provided to an overseas recipient
  • The personal information processor discloses the personal information it processes

5.2. If there are changes to the personal information processing, i.e., changes to its purpose, method, or scope, your business must inform the data subject and obtain a new consent

6. Impact evaluation for personal information protection

In the following scenarios:

  • Personal information is provided to a subcontractor
  • Sensitive personal information is processed
  • Personal information is provided to an overseas recipient
  • Automated decision-making uses personal information

an impact evaluation regarding personal information protection must be conducted and the process documented. (The evaluation report and processing records shall be kept for at least 3 years.)

7. A written agreement of statutory terms between your business and any subcontractors

8. Take measures to ensure your business and any overseas recipients of personal information meet the standards of protection under the PIPL

One of the following conditions must be met:

  • Pass a safety evaluation carried out by the CAC
  • Obtain certification of personal information protection from a professional agency, according to the rules and regulations set by the CAC
  • Enter into a contract with the overseas recipient in substantially the same form as the standard contract formulated by the CAC

9. Use the standard contract to provide personal information to overseas recipients

The standard contract can be used in the following circumstances:

  • Where the personal information processor is not an operator of critical information infrastructure;
  • Where the personal information processor which transfers personal information out of the Mainland processes personal information of not more than one million persons (in aggregate);
  • Where the personal information processor which transfers out personal information has cumulatively made outbound transfers of personal information of not more than 100,000 persons (in aggregate) since 1 January of the preceding year; and
  • Where the personal information processor which transfers out personal information has cumulatively made outbound transfers of sensitive personal information of not more than 10,000 persons since 1 January of the preceding year.

10. Implement a mechanism that allows the data subject to:

  • Revoke their consent
  • Amend or delete their personal information

*Note: Your business must also take the initiative to delete personal information if any of the following circumstances arise:

  • The purpose of processing the personal information has been achieved, cannot be achieved, or the information is no longer required
  • The personal information processor ceases to provide the relevant products or services
  • The storage period has expired
  • Consent for the personal information processing has been revoked
  • The personal information is processed in violation of the processing agreement


*Please note that this is intended as a general guide. For more details, please visit the Government website or contact our team now!

Struggling to Keep Up with the Changes in China?

The Personal Information Protection Law, together with the Cybersecurity Law and the Data Security Law, makes up the framework of cybersecurity and data privacy regulation in China.

To understand how the Personal Information Protection Law may impact your business, or to stay updated on developments, contact us now for more information. Don’t forget to subscribe to our blog and read our Onboard publication to keep up with the latest developments in Asia. If you are looking for a hassle-free solution for staying compliant with new legislation, see why smart businesses choose to outsource their payroll. Links offers payroll outsourcing in 19 locations across Asia Pacific, including China; contact us now to learn how we can assist your business.


Links International is an industry leader in innovative HR outsourcing with services such as payroll outsourcing, visa application, PEO/EOR, secondment, outplacement, recruitment and more! Contact us for more information on how we can help leverage your HR function.