Personal Information Protection Law of the People’s Republic of China

(Adopted at the 30th meeting of the Standing Committee of the 13th National People’s Congress on August 20, 2021)

 

 

Chapter I General Provisions

 

Article 1 This Law is enacted in accordance with the Constitution to protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information.

 

Article 2 The personal information of any natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of any natural person.

 

Article 3 This Law shall apply to the processing of the personal information of natural persons within the territory of the People’s Republic of China.

 

This Law shall also apply to the activities carried out outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China outside the territory of the People’s Republic of China under any of the following circumstances:

 

(I) where the purpose is to provide products or services to domestic natural persons;

 

(II) where the purpose is to analyze and evaluate the activities of domestic natural persons; and

 

(III) other circumstances provided by laws and administrative regulations.

 

Article 4 Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.

 

Processing of personal information includes the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.

 

Article 5 Personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed by misleading, fraud, coercion, or other means.

 

Article 6 Processing of personal information shall be for a definite and reasonable purpose, shall be directly related to the purpose of processing, and shall be processed in a manner that has the least impact on individual rights and interests.

 

Collection of personal information shall be limited to the minimum scope for the purpose of processing and shall not be excessively collected.

 

Article 7 Processing of personal information shall follow the principles of openness and transparency, disclose the rules for processing personal information, and expressly indicate the purpose, manner, and scope of processing.

 

Article 8 When processing personal information, the quality of personal information shall be ensured to avoid adverse effects on personal rights and interests caused by inaccurate and incomplete personal information.

 

Article 9 Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information processed.

 

Article 10 No organization or individual may illegally collect, use, process, or transmit other people’s personal information, or illegally trade, provide, or disclose other people’s personal information, or engage in the processing of personal information that endangers the national security or public interests.

 

Article 11 The State establishes a sound personal information protection system, prevent and punish the infringement of personal information rights and interests, strengthen the publicity and education on personal information protection, and promote the formation of a good environment for the government, enterprises, relevant social organizations and the public to jointly participate in personal information protection.

 

Article 12 The State actively participates in the formulation of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and drives the mutual recognition of the rules and standards for personal information protection with other countries, regions, and international organizations.

 

Chapter II Rules for Processing Personal Information

 

Section 1 General Provisions

 

Article 13 Only under any of the following circumstances may a personal information processor process personal information:

 

(I) where the consent of the individual concerned is obtained;

 

(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law;

 

(III) where it is necessary for the performance of statutory duties or statutory obligations;

 

(IV) where it is necessary for coping with public health emergencies or for the protection of the life, health, and property safety of a natural person;

 

(V) where processing personal information within a reasonable scope is to carry out such activities as news reporting and supervision by public opinions for the public interest;

 

(VI)where the personal information disclosed by individuals themselves or other legally disclosed personal information is processed within a reasonable range in accordance with the provisions of this Law; and

 

(VII)other circumstances provided by laws and administrative regulations.

 

Individual consent shall be obtained for the processing of personal information stipulated in the other clauses of this Law, but in the circumstances specified in the preceding paragraph from (II) to (VII), the individual’s consent is not required.

 

Article 14 Where the processing of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. If laws and administrative regulations provide that the processing of personal information shall be subject to the individual’s separate consent or written consent, such provisions shall prevail.

 

If the purpose or method of processing personal information or the type of personal information to be processed changes, the individual’s consent shall be obtained again.

 

Article 31 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.

 

Personal information processors shall formulate special personal information processing rules for handling the personal information of minors under the age of 14.

 

Article 15 Where the processing of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information processor shall provide convenient means to withdraw consent.

 

The individual’s withdrawal of consent does not affect the validity of the personal information processing activities conducted prior to the withdrawal based on the individual’s consent.

 

Article 16 A personal information processor shall not refuse to provide products or services on the grounds that the individual does not agree to process his/her personal information or withdraws his/her consent, unless the processing of personal information is necessary for providing products or services.

 

Article 17 Prior to processing personal information, a personal information processor shall truthfully, accurately, and completely inform the individual of the following matters in an eye-catching manner and with clear and understandable language:

 

(I) the name and contact information of the personal information processor;

 

(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;

 

(III) the method and procedure for the individual to exercise the rights provided herein; and

 

(IV) other matters to be notified in accordance with the provisions of laws and administrative regulations.

 

If any of the matters provided in the preceding paragraph is changed, the individual shall be notified of such change.

 

Article 18 When processing personal information, a personal information processor may not notify the individual of the matters provided for in laws and administrative regulations where confidentiality shall be kept, or it is not necessary to notify the individual of the matters provided for in Paragraph 1 of the preceding Article.

 

In case of emergency, it is unable to timely inform the individual to protect the life, health and property safety of natural persons, the personal information processor shall inform the individual in time after elimination of emergency.

 

Article 19 The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing, except for where the retention period of personal information is otherwise provided for in laws and administrative regulations.

 

Article 20 Where more than two personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s right to exercise the rights provided for in this Law against any of the personal information processors.

 

Where personal information processors jointly processing personal information infringes upon personal information rights and interests and cause damages, they shall bear joint and several liabilities in accordance with the law.

 

Article 21 Where a personal information processor entrusts others to process personal information, it shall agree with the entrusted party on the purpose, duration, and method of entrusted processing, type and protection measures of personal information as well as the rights and obligations of both parties, and supervise the personal information processing activities of the entrusted party.

 

The entrusted party shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing. If the contract is invalidated, invalid, revoked or terminated, the entrusted party shall return the personal information to the personal information processor or delete the personal information, and shall not retain the personal information.

 

Without the consent of the personal information processor, the entrusted party shall not re-entrust others to process personal information.

 

Article 22 Where a personal information processor needs to transfer personal information due to reasons such as merger, division, dissolution, or being declared bankrupt, it shall inform the individual of the name and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall obtain the individual’s consent anew in accordance with this Law.

 

Article 23 Where a personal information processor provides other personal information processors with the personal information it processes, it shall inform the individual of the name and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the party receiving personal information changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law.

 

Article 24 Where personal information processors use personal information to make automatic decision, the transparency of decision-making and the fairness and justice of the results shall be ensured, and shall not impose unreasonable differential treatment on individuals in terms of transaction price and other transaction conditions.

 

Where business marketing and information push are carried out through automatic decision-making, options not based on his/her personal characteristics shall be provided at the same time, or a convenient way for individuals to reject shall be provided.

 

Where automatic decision-making has a significant impact on individual’s rights and interests, he/she has the right to require the personal information processor to give an explanation, and to reject the decision made by the personal information processor only through automatic decision-making.

 

Article 25 A personal information processor shall not disclose the personal information it processes, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations.

 

Article 26 Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the State, and conspicuous prompting signs shall be installed. Personal images and personal identifiable information collected may only be used for the purpose of maintaining public security and shall not be used for other purposes, unless the individual’s consent is obtained.

 

Article 27 Personal information processors may, within a reasonable range, process personal information that has been disclosed by individuals themselves or other lawfully disclosed personal information, except where the individual explicitly refuses. Personal information processors shall obtain the consent of individuals in accordance with the provisions of this Law if the processing of disclosed personal information has a major impact on the rights and interests of individuals.

 

Section 2 Rules for Processing Sensitive Personal Information

 

Article 28 Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity or natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.

 

Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.

 

Article 29 Individual consent should be obtained for processing sensitive personal information. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.

 

Article 30 For the processing of sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual’s right and interest, in addition to the matters prescribed in Paragraph 1 of Article 17 thereof, except those that may not be notified to individuals in accordance with the provisions of this Law.

 

Article 31 If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians.

 

Personal information processors shall formulate special personal information processing rules for handling the personal information of minors under the age of 14.

 

Article 32 Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to relevant administrative permission or other restriction, such provisions shall prevail.

 

Section 3 Special Provisions on Processing Personal Information by State Organs

 

Article 33 This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, the provisions of this Section shall apply.

 

Article 34 The processing of personal information by a State organ for the purpose of performing its statutory duties shall be under the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for performing its statutory duties.

 

Article 35 A State organ processing personal information for the purpose of performing its statutory duties shall perform the obligation of notification in accordance with this Law, except for circumstances prescribed in Paragraph 1 of Article 18, or the notification will hinder the State organ from performing its statutory duties.

 

Article 36 The personal information processed by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a security assessment shall be conducted. Relevant departments may be required to provide support and assistance for security assessment.

 

Article 37 The provisions of this law on personal information processed by State organs shall apply for personal information processing by organizations authorized by laws and regulations with the function of managing public affairs to perform statutory duties.

 

Chapter III Rules for Cross-border Provision of Personal Information

 

Article 38 Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions: (I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;

 

(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;

 

(III) where it has concluded a contract with an overseas recipient according to the standard contract formulated by the state cyberspace administration, specifying the rights and obligations of both parties; or

 

(IV) where it has satisfied other conditions prescribed by laws, administrative regulations, or the State cyberspace administration.

 

Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside the territory of the People’s Republic of China, such provisions may be complied with.

 

Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.

 

Article 39 Where a personal information processor provides personal information of an individual to a party outside the territory of the People’s Republic of China, it shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose, and method of processing, type of personal information and the way and procedure for the individual to exercise the rights prescribed herein against the overseas recipient, and shall obtain the individual’s separate consent.

 

Article 40 Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations, or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.

 

Article 41 The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or participated in by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China. Without the approval of the competent authority of the People’s Republic of China, personal information processor shall not provide the personal information stored within the territory of the People’s Republic of China to judicial or law enforcement agencies outside of the territory of the People’s Republic of China.

 

Article 42 For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting the provision of personal information to such overseas organization or individual.

 

Article 43 Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in respect of the protection of personal information, the People’s Republic of China may, as the case may be, take reciprocal measures against such country or region.

 

Chapter IV Rights of Individuals in Activities of Processing Personal Information

 

Article 44 An individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations.

 

Article 45 An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances as prescribed in Paragraph 1 of Article 18 and Article 35 herein.

 

Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.

 

Where an individual requests to transfer his/her personal information to a personal information processor designated by him/her, the personal information processor shall provide the means for such transfer if the conditions prescribed by the State cyberspace administration are met.

 

Article 46 Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.

 

Where an individual requests for corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.

 

Article 47 Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative; if the personal information processor has not deleted it, the individual concerned shall have the right to request deletion:

 

(I) where the purpose of processing has been achieved, unable to achieve, or is no longer necessary to achieve;

 

(II) where the personal information processor stops providing products or services, or the agreed storage period has expired;

 

(III) where the individual withdraws his/her consent;

 

(IV) where the personal information processor processes personal information in violation of laws, administrative regulations, or the agreement; or

 

(V) any other circumstance as prescribed by laws and administrative regulations.

 

Where the storage period as prescribed by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop processing personal information other than storage and taking necessary security measures.

 

Article 48 An individual is entitled to request the personal information processor to explain the rules on the processing of personal information.

 

Article 49 In the event of the death of a natural person, his/her near relatives may, for their own lawful and legitimate interests, exercise the rights of consulting, copying, correcting, and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless the deceased had otherwise arranged before his/her death.

 

Article 50 A personal information processor shall establish a convenient mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated.

 

Where the personal information processor refuses an individual’s request to exercise his rights, the individual may bring a lawsuit in a people’s court according to law.

 

Chapter V Obligations of Personal Information Processors

 

Article 51 A personal information processor shall, according to the purpose and method of processing personal information, type of personal information, impact on individual’s right and interest, and possible security risk, etc., take the following measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations, and prevent unauthorized visit, or leakage, falsification, and loss of personal information:

 

(I) formulating internal management system and operational procedures;

 

(II) managing personal information by classification;

 

(III) taking corresponding technical security measures such as encryption and de-identification;

 

(IV) reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;

 

(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and

 

(VI) other measures as prescribed by laws and administrative regulations.

 

Article 52 Where the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures.

 

A personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department performing duties of personal information protection.

 

Article 53 Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2, Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for relevant matters of personal information protection, and submit the name and contact information of relevant agency or the representative to the department performing duties of personal information protection.

 

Article 54 A personal information processor shall regularly audit whether its processing of personal information is in compliance with provisions of laws and administrative regulations.

 

Article 55 A personal information processor shall conduct personal information protection impact assessment of the following circumstances in advance and keep a record of the processing:

 

(I) processing sensitive personal information;

 

(II) making use of personal information to make automatic decisions;

 

(III) entrusting others to process personal information, providing other personal information processors with personal information, and disclosing personal information;

 

(IV) providing personal information to overseas parties; and

 

(V) other personal information processing activities that have a significant impact on individuals’ rights and interests.

 

Article 56 The personal information protection impact assessment shall include the following:

 

(I) whether the purpose and method of processing personal information are legitimate, justifiable, and necessary;

 

(II) impact on individuals’ rights and interests and the security risks; and

 

(III) whether the security protection measures taken are legitimate, effective, and appropriate to the degree of risks.

 

The personal information protection assessment report and processing record shall be kept for at least three years.

 

Article 57 Where personal information has been or may be leaked, falsified, or lost, the personal information processor shall immediately take remedial measures and inform the department performing duties of personal information protection and the individuals concerned. The notice shall include the following particulars:

 

(I) types and causes of personal information leakage, falsification, and loss that have occurred or may occur and the possible harm caused;

 

(II) remedial measures taken by personal information processors and measures taken by individuals to mitigate harm;

 

(III) contact information of the personal information processor.

 

If the personal information processor has taken measures to effectively avoid harm caused by information leakage, falsification, or loss, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes harm shall be caused, it may require the personal information processor to notify the individuals thereof.

 

Article 58 Personal information processors that provide important Internet platform services with a large number of users and complex business types shall perform the following obligations:

 

(I) Establish and improve the compliance system for personal information protection in accordance with state regulations, and establish an independent organization composed mainly of external members to protect personal information;

 

(II) Formulate the rules of the platform in accordance with the principles of openness, fairness, and justice, to clarify the norms for the processing of personal information and the obligations of the product or service providers within the platform to protect personal information;

 

(III)Stop providing services to the product or service providers on the platform that seriously violate laws and administrative regulations in processing personal information;

 

(IV) Regular release of social responsibility report regarding personal information protection and subject to public supervision.

 

Article 59 The party entrusted to process personal information shall fulfill the relevant obligations prescribed by this Law and other relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist personal information processors to fulfill their obligations under this Law.

 

Chapter VI Departments Performing Duties of personal information protection

Article 60 The state cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising, and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

 

The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising, and administering personal information shall be determined in accordance with relevant provisions of the State.

 

The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.

 

Article 61 Departments performing duties of personal information protection shall perform the following duties of personal information protection:

 

(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;

 

(II) accepting and processing complaints and reports relating to personal information protection;

 

(III) organizing the evaluation of the protection of personal information such as applications and publish the evaluation results;

 

(IV) investigating and processing illegal personal information processing activities; and

 

(V) other duties stipulated by laws and administrative regulations.

 

Article 62 The state cyberspace administration shall coordinate with the relevant departments in promoting the protection of personal information in accordance with this Law as follows:

 

(I) formulate specific rules and standards for the protection of personal information;

 

(II) formulate special personal information protection rules and standards for small personal information processors, sensitive personal information processing, and new technologies and applications such as face recognition and artificial intelligence;

 

(III) support research, development, and promotion of secure and convenient electronic identity authentication technology, and promote the construction of public services for online identity authentication;

 

(IV) promote the development of a socialized service system for protecting personal information and support relevant organizations in carrying out assessment and certification services in respect of personal information protection.

 

(V) improve the mechanism for complaints and whistleblowing reports on personal information protection.

 

Article 63 Departments performing duties of personal information protection may take the following measures when performing the duties of personal information protection:

 

(I) inquiry of the parties concerned, and investigation of the circumstances relating to personal information processing activities;

 

(II) consulting and copying contracts, records, account books, and other relevant materials relating to personal information processing activities of the parties concerned;

 

(III) carrying out on-site inspection and investigation activities relating to processing personal information suspected of violating laws; and

 

(IV) checking the equipment and Articles relating to personal information processing activities and may sealing up or seizing the equipment and Articles that are proved to be illegal personal information processing activities upon reporting in writing to the principal of the department and getting approval.

 

When departments performing duties of personal information protection perform duties in accordance with the law, the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct such performance.

 

Article 64 Where departments performing duties of personal information protection find in performing their duties of personal information protection that there are relatively high risks in personal information processing activities or personal information security incidents have occurred, they may interview the legal representative or person chiefly in charge of the personal information processor according to prescribed authority and procedures, or require the personal information processor to entrust professional institutions to conduct compliance audits of their personal information processing activities. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required.

 

The department that performs the duty of personal information protection and discovers that the illegal processing of personal information is suspected of a crime in the course of performing its duty, shall promptly transfer the case to the public security organ for handling according to law.

 

Article 65 Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing duties of personal information protection. The departments receiving such complaints or reports shall promptly process them according to the law and notify the complainants or reporters of the results. The departments performing duties of personal information protection shall make public the contact information for accepting complaints or reports.

 

Chapter VII Legal Liability

 

Article 66 Where personal information is processed in violation of the provisions hereof, or personal information is processed without fulfilling the personal information protection obligations stipulated in this Law, the departments performing duties of personal information protection shall order the processor to make rectification, give a warning and confiscate its illegal gains, or order the application that illegally processing personal information to suspend or terminate the provision of services; if rectification is refused, a fine of not more than RMB 1 million shall be imposed concurrently on the processor; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge of the processor and other directly liable persons. Where an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection at or above the provincial level shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons, and such persons may also be prohibited from serving as directors, supervisors, senior managers, and persons in charge of personal information protection of relevant enterprises for a certain period of time.

 

Article 67 Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public.

 

Article 68 Where a state organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law.

 

Where the staff of departments responsible for personal information protection guilty of dereliction of duties, abusing official powers, or malpractice for personal gain but yet to constitute a crime, they shall be punished pursuant to the law.

 

Article 69 Where the right and interests of personal information are infringed upon due to personal information processing and cause damages, and the personal information processor cannot prove that it is not at fault, it shall bear the tort liability for damages.

 

Liability for damages prescribed in the preceding paragraph shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances.

 

Article 70 Where a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the consumer organizations specified by law and the organization determined by the state cyberspace administration may file a lawsuit with the people’s court in accordance with the law.

 

Article 71 Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

 

Chapter VIII Supplementary Provisions

 

Article 72 This Law shall not be applicable to the processing of personal information by a natural person by virtue of his/her personal or family affairs. Where there are legal provisions on the processing of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply.

 

Article 73 For the purposes of this Law, the following terms are defined as follows:

 

(I) A personal information processor refers to any organization or individual that independently determines the purpose and method of processing in personal information processing activities.

 

(II) An automatic decision-making refers to an activity to automatically analyze and evaluate a person’s behavior habits, hobbies or economic, health or credit status through computer programs and make decisions.

 

(III) De-identification refers to the process in which personal information is processed so that it is impossible to identify certain natural persons without the use of additional information.

 

(IV) Anonymization refers to the process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be recovered.

 

Article 74 This Law shall come into force as of November 1, 2021.