Release Date: 2021-08-20
Effective Date: 2021-11-01
Source: http://www.npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml
Original Title: 中华人民共和国个人信息保护法
Presidential Decree No. 91
The Personal Information Protection Law of the People’s Republic of China, adopted at the 30th Session of the Standing Committee of the 13th National People’s Congress of the People’s Republic of China on August 20, 2021, is hereby promulgated, effective November 1, 2021.
Xi Jinping
President of the People’s Republic of China
August 20, 2021
(Adopted at the 30th Session of the Standing Committee of the 13th National People’s Congress on August 20, 2021)
Chapter 1 General Provisions
Article 1 This Law is enacted in accordance with the Constitution to protect the rights and interests of personal information, regulate the processing of personal information and promote the reasonable use of personal information.
Article 2 The personal information of a natural person shall be protected by law, and no organization or individual may infringe upon the personal information rights and interests of natural persons.
Article 3 This Law shall apply to the processing of the personal information of natural persons within the territory of the People’s Republic of China.
This Law shall also apply to the processing, outside the territory of the People’s Republic of China, of the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:
(I) where the purpose is to provide domestic natural persons with products or services;
(II) where the activities of domestic natural persons are analyzed and evaluated; and
(III) other circumstances as prescribed by laws and administrative regulations.
Article 4 Personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion, etc. of personal information.
Article 5 The processing of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and it is not allowed to process personal information by misleading, fraud, coercion or otherwise.
Article 6 The processing of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of processing and shall be conducted in a way that minimizes the impact on personal rights and interests.
The collection of personal information shall be limited to the minimum scope for achieving the purpose of processing and it is not allowed to excessively collect personal information.
Article 7 The processing of personal information shall follow the principles of openness and transparency, make public the rules for processing personal information and expressly indicate the purpose, method and scope of such processing.
Article 8 The quality of personal information shall be ensured in the processing of personal information to avoid the adverse impact on personal rights and interests caused by inaccurate or incomplete personal information.
Article 9 A personal information processor shall be responsible for its processing of personal information and take necessary measures to ensure the security of the personal information processed.
Article 10 No organization or individual may illegally collect, use, process or transmit the personal information of others, illegally buy or sell, provide or make public the personal information of others, or engage in the processing of personal information that endangers the national security or public interests.
Article 11 The State establishes a sound personal information protection system, prevents and punishes the infringement upon personal information rights and interests, strengthens the publicity and education on personal information protection, and promotes the formation of a good environment in which the government, enterprises, relevant social organizations and the public jointly participate in personal information protection.
Article 12 The State actively participates in the development of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and promotes the mutual recognition of the rules and standards for personal information protection with other countries, regions and international organizations.
Chapter 2 Rules for Processing Personal Information
Section 1 General Provisions
Article 13 Only under any of the following circumstances may a personal information processor process personal information:
(I) where the consent of the individual concerned is obtained;
(II) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law;
(III) where it is necessary for the performance of statutory duties or statutory obligations;
(IV) where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person;
(V) where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope;
(VI) where it is necessary to process the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law; and
(VII) other circumstances prescribed by laws and administrative regulations.
The processing of personal information shall be subject to the consent of the individual concerned in accordance with other relevant provisions of this Law, however, the consent of the individual concerned is not required under the circumstances set forth in Items (II) to (VII) of the preceding paragraph.
Article 14 Where the processing of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. Where laws and administrative regulations provide that the processing of personal information shall be subject to the separate consent or written consent of the individual concerned, such provisions shall prevail.
Where the purpose or method of processing personal information or the type of personal information to be processed changes, the consent of the individual concerned shall be obtained again.
Article 15 Where the processing of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information processor shall provide a convenient method for the individual to withdraw his/her consent.
Withdrawal of consent by the individual concerned does not affect the validity of any personal information processing activity conducted based on the consent of the individual before such withdrawal.
Article 16 A personal information processor shall not refuse to provide products or services for an individual on the grounds that the individual does not agree to process his/her personal information or withdraws his/her consent, unless the processing of personal information is necessary for providing products or services.
Article 17 Prior to the processing of an individual’s personal information, the personal information processor shall truthfully, accurately and completely inform the individual of the following matters in a conspicuous manner and in clear and understandable language:
(I) the title or name and contact information of the personal information processor;
(II) the purpose and method of processing personal information, and the type and retention period of the processed personal information;
(III) the method and procedure for the individual to exercise the rights provided for in this Law; and
(IV) other matters that shall be informed in accordance with the provisions of laws and administrative regulations.
Where any of the matters specified in the preceding paragraph is changed, the individual shall be notified of such change.
Where a personal information processor informs individuals of the matters specified in the first Paragraph by formulating rules on processing personal information, such rules shall be open to the public for easy access and storage.
Article 18 A personal information processor is allowed not to inform the individual concerned of the matters prescribed in Paragraph 1 of the preceding article if there are circumstances in which the personal information should be kept confidential as required by laws or administrative regulations or does not need to be informed.
Where it is unable to timely inform the individual concerned in an emergency for the purpose of protecting the life, health and property safety of natural persons, the personal information processor shall timely inform the individual after the elimination of the emergency.
Article 19 Unless otherwise stipulated by laws and administrative regulations, the retention period of personal information shall be the minimum period necessary for achieving the purpose of processing.
Article 20 Where two or more personal information processors jointly determine the purpose and method of processing personal information, their respective rights and obligations shall be agreed upon. However, such agreement shall not affect an individual’s request to any of the personal information processors to exercise the rights stipulated in this Law.
Personal information processors who jointly process personal information and thereby infringe upon personal information rights and interests and cause damage shall bear joint and several liability in accordance with the law.
Article 21 Where a personal information processor entrusts others with the processing of personal information, it shall agree with the agent on the purpose, time limit and method of entrusted processing, type of personal information and protection measures, as well as the rights and obligations of both parties, and supervise the personal information processing activities of the agent.
The agent shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing; where the entrustment contract is not effective, invalid, revoked or terminated, the agent shall return personal information to the personal information processor or delete it, and shall not retain it.
Without the consent of the personal information processor, the agent shall not re-entrust others with the processing of personal information.
Article 22 Where a personal information processor needs to transfer personal information due to merger, division, dissolution or declaration of bankruptcy, etc., it shall inform the individual concerned of the name and contact information of the recipient. The recipient shall continue to fulfill its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall obtain the consent of the individual concerned anew in accordance with this Law.
Article 23 Where a personal information processor provides other personal information processors with the personal information of an individual it processes, it shall inform the individual of the name and contact information of the recipient, purpose and method of processing and type of personal information, and shall obtain the individual’s separate consent. The recipient shall process personal information within the scope of the above purpose and method of processing and type of personal information. It shall obtain the consent of the individual anew in accordance with this Law in case of changes in the original purpose and method of processing.
Article 24 Where a personal information processor makes use of personal information for automated decision-making, it shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable discriminatory treatment on individuals in respect of the transaction price and transaction conditions.
Information pushing and commercial marketing to an individual through automated decision-making shall be accompanied by options that do not target the individual’s personal characteristics, or convenient rejection ways shall be provided to the individual.
Where a decision is made through automatic decision-making that has a significant impact on an individual’s rights and interests, the individual shall have the right to require the personal information processor to make an explanation and reject the decision made by the personal information processor only through automatic decision-making.
Article 25 A personal information processor shall not make public the personal information of an individual it processes, except with the individual’s separate consent.
Article 26 Image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security and comply with the relevant provisions of the State, and conspicuous prompting signs shall be set up. An individual’s personal image and personal identification information collected may only be used for the purpose of maintaining public security and shall not be used for any other purpose, except with the individual’s separate consent.
Article 27 A personal information processor may, within a reasonable scope, process the personal information that is disclosed by the individual concerned himself/herself or other personal information that has been legally publicized, unless the individual expressly refuses such processing. A personal information processor shall obtain the consent of an individual in accordance with the provisions of this Law if the processing of the individual’s disclosed personal information has a major impact on the rights and interests of the individual.
Section 2 Rules for Processing Sensitive Personal Information
Article 28 Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14.
Only where there is a specific purpose and sufficient necessity, and strict protection measures have been taken, may a personal information processor process sensitive personal information.
Article 29 The processing of sensitive personal information of an individual shall be subject to the individual’s separate consent; where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to the written consent, such provisions shall prevail.
Article 30 For the sensitive personal information of an individual, the personal information processor shall, in addition to the matters specified in Paragraph 1 of Article 17 hereof, inform the individual of the necessity of processing his/her sensitive personal information and the impact on his/her personal rights and interests, except for the circumstances that may be exempted from informing the individual of such information in accordance with this Law.
Article 31 To process the personal information of a minor under the age of 14, a personal information processor shall obtain the consent of the minor’s parents or other guardians.
To process the personal information of minors under the age of 14, a personal information processor shall formulate specialized rules for processing personal information.
Article 32 Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to the relevant administrative license or other restrictions, such provisions shall prevail.
Section 3 Special Provisions on Processing Personal Information by State Organs
Article 33 This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, such provisions shall apply.
Article 34 A State organ shall process personal information for the purpose of performing its statutory duties in accordance with the authority and procedures prescribed by laws and administrative regulations and shall not exceed the scope and limit necessary for the performance of its statutory duties.
Article 35 A State organ processing personal information for the purpose of performing its statutory duties shall perform its obligation of informing in accordance with this Law, except for the circumstances stipulated in Paragraph 1 of Article 18 hereof, or the informing will hinder the State organ from performing its statutory duties.
Article 36 The personal information processed by a State organ shall be stored within the territory of the People’s Republic of China; where it is necessary to provide such information to an overseas party, a security evaluation shall be conducted. Relevant authorities may be required to provide support and assistance for the security evaluation.
Article 37 Where organizations with functions of administering public affairs as authorized by laws and regulations process personal information for the purpose of performing their statutory duties, the provisions of this Law on processing personal information by State organs shall apply.
Chapter 3 Rules for Cross-border Provision of Personal Information
Article 38 Where a personal information processor really needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions:
(I) it shall pass the security evaluation organized by the Cyberspace Administration of China in accordance with the provisions of Article 40 hereof;
(II) it shall have been certified by a specialized agency for protection of personal information in accordance with the provisions of the Cyberspace Administration of China;
(III) it shall enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; and
(IV) it shall meet other conditions prescribed by laws, administrative regulations or the Cyberspace Administration of China.
Where the international treaties or agreements concluded or acceded to by the People’s Republic of China contain provisions on the conditions for provision of personal information outside the territory of the People’s Republic of China, such provisions may prevail.
The personal information processor shall take necessary measures to ensure that the activities of processing personal information by the overseas recipient meet the standards for protection of personal information as prescribed herein.
Article 39 To provide the personal information of an individual to an overseas recipient outside the territory of the People’s Republic of China, the personal information processor shall inform the individual of such matters as the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and the method and procedure for the individual to exercise the rights stipulated herein against the overseas recipient, and shall obtain the individual’s separate consent.
Article 40 Critical information infrastructure operators and personal information processors whose quantity of processing of personal information reaches that as prescribed by the Cyberspace Administration of China (“CAC”) shall store personal information collected and generated within the territory of the People’s Republic of China within the territory of the People’s Republic of China. Where it is necessary to provide such information and data to an overseas party, such provision shall pass the security evaluation organized by the CAC; where the laws, administrative regulations and the provisions of the CAC stipulate that security evaluation is not required, such stipulation shall prevail.
Article 41 The competent authorities of the People’s Republic of China shall, in accordance with the relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China or under the principles of equality and mutual benefit, handle the requests made by foreign judicial or law enforcement authorities for providing the personal information stored within the territory of China. Without the approval of the competent authorities of the People’s Republic of China, no personal information processor may provide the personal information stored within the territory of the People’s Republic of China to foreign judicial or law enforcement authorities.
Article 42 Where an overseas organization or individual engages in the personal information processing activities infringing upon the personal information rights and interests of citizens of the People’s Republic of China or endangering the national security and public interests of the People’s Republic of China, the CAC may include such organization or individual in the list of subjects to whom provision of personal information is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of personal information to such organization or individual.
Article 43 Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in terms of protection of personal information, the People’s Republic of China may take reciprocal measures against such country or region as the case may be.
Chapter 4 Rights of Individuals in Activities of Processing Personal Information
Article 44 An individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information, unless otherwise provided for by laws and administrative regulations.
Article 45 An individual is entitled to consult or copy his/her personal information from a personal information processor, except for the circumstances stipulated in Paragraph 1 of Article 18 and Article 35 hereof.
Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.
Where an individual requests to transfer his/her personal information to a personal information processor designated by him/her, which meets the conditions stipulated by the CAC, the personal information processor shall provide a way for the transfer.
Article 46 Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.
Where an individual requests corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.
Article 47 Under any of the following circumstances, a personal information processor shall take the initiative to delete personal information; if the personal information processor fails to delete such information, the individual concerned is entitled to request the deletion of such information:
(I) where the purpose of handling has been achieved, it is impossible to achieve such purpose, or it is no longer necessary to achieve such purpose;
(II) where the personal information processor ceases to provide products or services, or the storage period has expired;
(III) where the individual withdraws his/her consent;
(IV) where the personal information processor processes personal information in violation of laws, administrative regulations or the agreement; or
(V) other circumstances stipulated by laws and administrative regulations.
Where the storage period as stipulated by laws and administrative regulations does not expire, or the deletion of personal information is difficult to be realized technically, the personal information processor shall stop the processing other than storage and necessary security protection measures.
Article 48 Individuals are entitled to request a personal information processor to explain its processing rules for personal information.
Article 49 Where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless otherwise arranged by the deceased prior to his/her death.
Article 50 A personal information processor shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual’s request for exercising his/her rights is rejected, the reasons shall be stated.
Where the personal information processor refuses an individual’s request for exercising his/her rights, the individual may file a lawsuit with a people’s court in accordance with the law.
Chapter 5 Obligations of Personal Information Processors
Article 51 A personal information processor shall, according to the purpose and method of processing personal information, types of personal information, impacts on personal rights and interests and possible security risks, take the following measures to ensure the compliance of personal information processing activities with provisions of laws and administrative regulations and prevent unauthorized access and divulgence, falsification and loss of personal information:
(I) formulating internal management systems and operating procedures;
(II) implementing category-based management of personal information;
(III) taking corresponding technical security measures such as encryption and de-identification;
(IV) reasonably determining the authority to process personal information and conducting security education and training for relevant employees on a regular basis;
(V) formulating and organizing the implementation of emergency plans for personal information security incidents; and
(VI) other measures stipulated by laws and administrative regulations.
Article 52 Where the quantity of personal information processed reaches that specified by the CAC, the personal information processor shall designate a person in charge of personal information protection to be responsible for supervising the activities of processing of personal information and the adopted protection measures.
The personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the authorities performing duties of personal information protection.
Article 53 Any personal information processor outside the territory of the People’s Republic of China as prescribed in Paragraph 2 of Article 3 hereof shall establish a special agency or designate a representative within the territory of the People’s Republic of China to be responsible for handling matters relating to personal information protection, and submit the name and contact information of the relevant agency or the representative to the authorities performing duties of personal information protection.
Article 54 A personal information processor shall regularly conduct compliance audits on its processing of personal information in accordance with laws and administrative regulations.
Article 55 Under any of the following circumstances, a personal information processor shall conduct an impact assessment on personal information protection beforehand and keep a record of the handling:
(I) processing sensitive personal information;
(II) making use of personal information for automated decision-making;
(III) entrusting others to process personal information, providing other personal information processors with personal information and publicizing personal information;
(IV) providing personal information to overseas parties; or
(V) other personal information processing activities that have significant impact on personal rights and interests.
Article 56 An impact assessment on personal information protection shall include the following contents:
(I) whether the purpose and method of processing personal information are lawful, legitimate, and necessary;
(II) impact on personal rights and interests and security risks; and
(III) whether the protection measures taken are lawful, effective and commensurate with the degree of risks.
The report on personal information protection impact assessment and records of handling shall be kept for at least three years.
Article 57 Where personal information has been or may be divulged, tampered with or lost, the personal information processor shall immediately take remedial measures and notify the authorities performing duties of personal information protection and the individuals concerned. The notice shall include the following matters:
(I) the types, reasons and possible harm of the information that has been involved or may be involved in the divulgence, tampering with or loss of personal information;
(II) the remedial measures taken by the personal information processor and the measures that can be taken by the individuals to mitigate harm; and
(III) the contact information of the personal information processor.
Where the personal information processor has taken measures to effectively avoid harm caused by divulgence, tampering with or loss of information, the personal information processor may opt not to notify the individuals concerned; if the authorities performing duties of personal information protection believe that harm may be caused, they may require the personal information processor to notify the individuals concerned.
Article 58 Any personal information processor that provides important Internet platform services with a large number of users and complicated business type shall perform the following obligations:
(I) establishing a sound compliance system for personal information protection in accordance with the provisions of the State and setting up an independent agency mainly composed of external members to supervise personal information protection;
(II) following the principles of openness, fairness and impartiality, formulating platform rules specifying the standards for the processing of personal information by product or service providers on the platform and their obligations to protect personal information;
(III) ceasing to provide services to product or service providers on the platform that process personal information in serious violation of laws and administrative regulations; and
(IV) regularly releasing social responsibility reports on personal information protection for social supervision.
Article 59 The agent that accepts the entrustment of a personal information processor to process personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed and assist the personal information processor to perform the obligations stipulated in this Law.
Chapter 6 Authorities Performing Duties of Personal Information Protection
Article 60 The CAC is responsible for coordinating the protection of personal information and relevant supervision and administration work. Relevant departments of the State Council are responsible for protecting, supervising and administering the protection of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising and administering the protection of personal information shall be determined in accordance with relevant provisions of the State.
The departments mentioned in the preceding two paragraphs are collectively referred to as the authorities performing duties of personal information protection.
Article 61 Authorities performing duties of personal information protection shall perform the following duties of personal information protection:
(I) carrying out publicity and education on personal information protection, and guiding and supervising personal information processors to protect personal information;
(II) accepting and handling complaints and reports related to personal information protection;
(III) organizing the evaluation of applications and other organizations on the protection of personal information, and disclosing the evaluation results;
(IV) investigating and handling illegal personal information processing activities; and
(V) other duties stipulated by laws and administrative regulations.
Article 62 The CAC shall make overall planning and coordinate relevant authorities to promote the following work of personal information protection in accordance with this Law:
(I) formulating specific rules and standards for personal information protection;
(II) formulating specialized rules and standards for personal information protection for small personal information processors, processing sensitive personal information and new technologies and applications such as face recognition and artificial intelligence;
(III) supporting the research, development and popularization of secure and convenient electronic identity authentication technologies, and promoting the development of public services for network identity authentication;
(IV) promoting the development of a socialized service system for personal information protection, and supporting relevant organizations in carrying out evaluation and authentication services on personal information protection; and
(V) improving the mechanism for complaints and whistleblowing reports on personal information protection.
Article 63 Authorities performing duties of personal information protection may take the following measures when performing such duties:
(I) inquiring the parties concerned and investigating the circumstances relating to personal information processing activities;
(II) consulting and copying contracts, records, account books and other relevant materials relating to personal information processing activities of the parties concerned;
(III) carrying out on-site inspection and investigation of personal information processing activities suspected of violating laws; and
(IV) checking the equipment and articles relating to personal information processing activities; and the equipment and articles that are proved to be used for illegal personal information processing activities may be seized or detained upon written reports to and approval by the person chiefly in charge of the authority concerned.
The parties concerned shall provide assistance and cooperation in the performance of duties of personal information protection by the authorities concerned in accordance with the law and shall not refuse or obstruct such performance.
Article 64 Where authorities performing duties of personal information protection find in their performance of such duties that there are high risks in personal information processing activities or personal information security incidents have occurred, they may, according to prescribed authority and procedures, have an interview with the legal representative or person chiefly in charge of the personal information processor concerned, or require such processor to entrust a specialized agency to conduct a compliance audit on its personal information processing activities. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required.
Where authorities performing duties of personal information protection find in their performance of such duties that illegal processing of personal information is suspected of constituting crimes, they shall timely refer the case to the public security authorities for handling in accordance with the law.
Article 65 Any organization or individual shall have the right to complain or report illegal personal information processing activities to the authorities performing duties of personal information protection. The said authorities receiving such complaints or reports shall timely handle them in accordance with the law and notify the complainants or reporters of the handling results.
Authorities performing duties of personal information protection shall make public the contact information for accepting complaints or reports.
Chapter 7 Legal Liability
Article 66 In the event that personal information is processed in violation of the provisions of this Law, or that personal information is processed without performing the obligation of protecting personal information as stipulated in this Law, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give a warning to it and confiscate its illegal gains. Any application that illegally processes personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of not more than 1 million yuan shall be imposed on it concurrently; and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other directly liable persons.
For any illegal act specified in the preceding paragraph with serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than 50 million yuan or not more than 5% of its turnover of the previous year on it, and may also order it to suspend relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license; a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors, senior executives and persons-in-charge of personal information protection of relevant enterprises within a certain period of time.
Article 67 Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations and shall be disclosed to the public.
Article 68 Where a State organ fails to perform its obligation of protecting personal information as stipulated in this Law, its superior organ or the authorities performing duties of personal information protection shall order it to make corrections; and impose sanctions on the person directly in charge and other directly liable persons in accordance with the law.
Where any staff member of the authorities performing duties of personal information protection neglects his/her duty, abuses his/her power, plays favoritism and commits irregularities, which does not constitute a crime, sanctions shall be imposed on him/her in accordance with the law.
Article 69 Where the processing of personal information infringes upon personal information rights and interests and causes damage, the personal information processor concerned shall bear liability for damages and other tort liabilities if it cannot prove that it is not at fault.
The liability for damages specified in the preceding paragraph shall be determined based on the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information processor; if the losses thus suffered by the individual concerned or the benefits thus obtained by the personal information processor are difficult to determine, the amount of damages shall be determined in accordance with the actual circumstances.
Article 70 Where any personal information processor processes personal information in violation of this Law, which infringes upon the rights and interests of a large number of individuals, the People’s Procuratorate, the consumer organizations specified by law and the organizations determined by the CAC may bring a lawsuit to a people’s court in accordance with the law.
Article 71 Where any violation of the provisions hereof constitutes a violation of public security administration, a public security administrative punishment shall be imposed in accordance with the law; and if a crime is constituted, criminal liability shall be investigated in accordance with the law.
Chapter 8 Supplementary Provisions
Article 72 This Law shall not apply to the processing of personal information by a natural person for his or her personal or family affairs.
Where there are legal provisions on the processing of personal information in the statistical and archive administration organized and implemented by the people’s governments at all levels and the relevant departments thereof, such provisions shall apply.
Article 73 For the purposes of this Law, the following terms shall have the following meanings:
(I) “Personal information processor” refers to an organization or individual that independently determines the purpose and method of the processing in the processing of personal information.
(II) “Automatic decision-making” refers to the activities of automatically analyzing and evaluating an individual’s behavior habits, hobbies or economic, health or credit status through computer programs and making decisions.
(III) “De-identification” refers to the process in which personal information is processed so that it is impossible to identify certain natural persons without the aid of additional information.
(IV) “Anonymization” refers to the process in which personal information is processed so that it is impossible to identify certain natural persons and that it cannot be recovered.
Article 74 This Law shall come into force as of November 1, 2021.