Summary
Overview & Analysis
The Personal Information Protection Law of the People's Republic of China (PIPL) is a landmark piece of legislation aimed at safeguarding the personal information rights of individuals, regulating personal information processing activities, and promoting the reasonable use of personal information. The law establishes principles for the legality, fairness, and necessity of personal information processing and outlines the fundamental rights of individuals, including the rights to be informed, consent, access, and delete their personal information.
Personal information processors must ensure the security of the data they handle, preventing leakage, misuse, or unauthorized access. The law imposes strict compliance requirements for the processing of sensitive information and cross-border data transfers, requiring companies to define responsibilities and ensure compliance with national standards. Violations of the law are subject to severe penalties.
In the AI context, the PIPL is crucial for all AI applications that involve personal data. AI projects often rely on large volumes of personal data to train and optimize models, and especially in the context of cross-border data flows and the handling of sensitive data, AI companies and multinational corporations must strictly adhere to the law's provisions to ensure data legality and security.
Relevant AI Scenarios
The PIPL is particularly important in AI contexts, especially when handling personal data, sensitive data, and cross-border data flows. Any AI project involving the collection, storage, or use of personal information must comply with the law's provisions.
1. Collecting & Using Personal Data in AI Projects
If AI projects involve the collection, storage, or processing of personal data, especially sensitive data, companies must follow the law's principles of legality and transparency. Companies must obtain clear consent from individuals before data collection and inform them of the purposes, methods, and storage duration.
2. Cross-Border Data in AI Training
For AI projects involving cross-border data transfers, companies must ensure the legality and security of the data and comply with the law's requirements. If sensitive personal information is involved, security assessments must be conducted to ensure that the data transfer does not pose risks to personal privacy.
3. Automated Decision-Making in AI
When using AI for automated decision-making — such as in personalized recommendations or credit evaluations — companies need to ensure transparency and fairness. Automated decisions cannot solely drive significant decisions, and individuals have the right to request an explanation and to refuse decisions made solely through automated processes.
4. Cross-Border AI Collaborations & Data Sharing
For multinational companies or AI projects involving cross-border collaborations, personal data transfers must comply with the law's provisions. Companies must conduct security assessments and obtain individual consent to ensure that personal information is not misused or leaked during transfer.
5. Processing Personal Data of Minors in AI Applications
When handling personal data of minors (especially children under 14) in AI projects, companies must obtain consent from their parents or guardians, particularly in AI applications in education, entertainment, or other fields aimed at minors.
Practical Advice for Managers at Multinational Companies
The PIPL provides multinational companies in China with a clear framework for data protection, especially in scenarios involving personal data. To ensure compliance and reduce legal risks, managers should integrate data protection requirements into the design and implementation of AI projects.
01
Legality & Transparency of Data Collection
Ensure all personal information collected has a clear and lawful processing purpose. Follow the principle of minimizing data collection. Inform individuals of how their data will be used and obtain clear consent before the project initiation stage.
02
Cross-Border Data Flow Compliance
Ensure cross-border data transfers comply with legal requirements. Perform compliance assessments and implement standard contracts, data protection certifications, or security assessments for cross-border flows involving personal or sensitive data.
03
Compliance Review & Internal Monitoring
Establish internal monitoring and compliance review mechanisms to regularly check data protection measures in AI projects. Through continuous audits, identify potential compliance risks early and take corrective measures. Ensure all employees receive regular compliance training.
04
Transparency & User Control
Ensure data processing activities in AI projects are transparent to users and allow them to control their personal data. Provide clear privacy policies and convenient permission management systems so users can easily manage their personal information and withdraw consent.
05
Fairness of Automated Decision-Making
When using AI for automated decision-making, ensure transparency and fairness and avoid imposing unreasonable differential treatment on individuals. Ensure transparency in the decision-making process, allowing users to challenge decisions and adjust based on their needs.
Multinational companies building or adopting AI solutions in China must comply with the PIPL and ensure that all data processing activities meet legal requirements. Through early planning, strict data protection measures, and cross-border data compliance management, companies can ensure the smooth implementation of AI projects while building global compliance trust and promoting the healthy development of AI technology.
Full Text
Complete Legislative Text
Table of Contents
- Chapter I — General Provisions
- Chapter II — Rules for the Processing of Personal Information
- Chapter III — Rules for Cross-Border Provision
- Chapter IV — Rights of Individuals
- Chapter V — Obligations of Personal Information Processors
- Chapter VI — Departments Performing Protection Duties
- Chapter VII — Legal Liability
- Chapter VIII — Supplementary Provisions
Chapter I — General Provisions
Article 1
This Law is enacted, in accordance with the Constitution, in order to protect personal information rights and interests, regulate personal information processing activities, and promote the reasonable use of personal information.
Article 2
The personal information of natural persons is protected by law. No organization or individual may infringe upon the personal information rights and interests of natural persons.
Article 3
This Law applies to activities involving the processing of the personal information of natural persons within the territory of the People's Republic of China.
This Law also applies to activities outside the territory of the PRC involving the processing of the personal information of natural persons within the territory under any of the following circumstances:
(1) where the purpose is to provide products or services to natural persons within the territory;
(2) where the purpose is to analyze or assess the conduct of natural persons within the territory;
(3) other circumstances as provided by laws and administrative regulations.
This Law also applies to activities outside the territory of the PRC involving the processing of the personal information of natural persons within the territory under any of the following circumstances:
(1) where the purpose is to provide products or services to natural persons within the territory;
(2) where the purpose is to analyze or assess the conduct of natural persons within the territory;
(3) other circumstances as provided by laws and administrative regulations.
Article 4
Personal information refers to all kinds of information, recorded electronically or by other means, related to identified or identifiable natural persons, excluding information that has been anonymized.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information, among other activities.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information, among other activities.
Article 5
The processing of personal information shall follow the principles of legality, legitimacy, necessity, and good faith, and personal information may not be processed through misleading, fraud, coercion, or other such means.
Article 6
The processing of personal information shall have a clear and reasonable purpose, be directly related to the purpose of processing, and adopt methods having the least impact on individual rights and interests.
The collection of personal information shall be limited to the minimum scope necessary to achieve the purpose of processing, and personal information may not be collected excessively.
The collection of personal information shall be limited to the minimum scope necessary to achieve the purpose of processing, and personal information may not be collected excessively.
Article 7
The processing of personal information shall follow the principles of openness and transparency, disclose the rules for processing personal information, and expressly indicate the purpose, method, and scope of processing.
Article 8
The processing of personal information shall ensure the quality of personal information and avoid adverse impacts on individual rights and interests caused by inaccurate or incomplete personal information.
Article 9
Personal information processors shall be responsible for their personal information processing activities and shall adopt necessary measures to ensure the security of the personal information they process.
Article 10
No organization or individual may illegally collect, use, process, or transmit the personal information of others, or illegally trade, provide, or disclose the personal information of others; nor may they engage in personal information processing activities that endanger national security or the public interest.
Article 11
The State establishes and improves the personal information protection system, prevents and punishes acts infringing personal information rights and interests, strengthens publicity and education on personal information protection, and promotes the formation of a sound environment in which the government, enterprises, relevant social organizations, and the public jointly participate in personal information protection.
Article 12
The State actively participates in the formulation of international rules on personal information protection, promotes international exchange and cooperation in personal information protection, and advances the mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Chapter II — Rules for the Processing of Personal Information
Section 1 — General Provisions
Article 13
A personal information processor may process personal information only under any of the following circumstances:
(1) where the consent of the individual has been obtained;
(2) where it is necessary for the conclusion or performance of a contract to which the individual is a party, or where it is necessary for human resources management in accordance with lawfully formulated labor rules and regulations and lawfully concluded collective contracts;
(3) where it is necessary for the performance of statutory duties or statutory obligations;
(4) where it is necessary to respond to public health emergencies, or in emergency circumstances to protect the life, health, or property safety of natural persons;
(5) where personal information is processed within a reasonable scope for carrying out news reporting, public opinion supervision, or other such acts for the public interest;
(6) where personal information that has been disclosed by the individual or otherwise lawfully disclosed is processed within a reasonable scope in accordance with this Law;
(7) other circumstances as provided by laws and administrative regulations.
(1) where the consent of the individual has been obtained;
(2) where it is necessary for the conclusion or performance of a contract to which the individual is a party, or where it is necessary for human resources management in accordance with lawfully formulated labor rules and regulations and lawfully concluded collective contracts;
(3) where it is necessary for the performance of statutory duties or statutory obligations;
(4) where it is necessary to respond to public health emergencies, or in emergency circumstances to protect the life, health, or property safety of natural persons;
(5) where personal information is processed within a reasonable scope for carrying out news reporting, public opinion supervision, or other such acts for the public interest;
(6) where personal information that has been disclosed by the individual or otherwise lawfully disclosed is processed within a reasonable scope in accordance with this Law;
(7) other circumstances as provided by laws and administrative regulations.
Article 14
Where personal information is processed based on individual consent, such consent shall be voluntarily and explicitly given by the individual on the basis of full knowledge. Where laws or administrative regulations provide that separate consent or written consent shall be obtained for processing personal information, such provisions shall prevail.
Where the purpose of processing, the method of processing, or the category of personal information to be processed changes, the individual's consent shall be obtained again.
Where the purpose of processing, the method of processing, or the category of personal information to be processed changes, the individual's consent shall be obtained again.
Article 15
Where personal information is processed based on individual consent, the individual has the right to withdraw consent. Personal information processors shall provide convenient means for individuals to withdraw consent.
The withdrawal of consent by an individual does not affect the validity of personal information processing activities already carried out on the basis of the individual's consent before the withdrawal.
The withdrawal of consent by an individual does not affect the validity of personal information processing activities already carried out on the basis of the individual's consent before the withdrawal.
Article 16
A personal information processor may not refuse to provide products or services on the ground that an individual does not consent to the processing of their personal information or withdraws consent, except where the processing of personal information is necessary for the provision of the products or services.
Article 17
Before processing personal information, a personal information processor shall truthfully, accurately, and completely inform the individual, in a conspicuous manner and in clear and easy-to-understand language, of the following matters:
(1) the name or personal name and contact information of the personal information processor;
(2) the purpose and method of processing personal information, the category of personal information to be processed, and the retention period;
(3) the methods and procedures by which the individual may exercise the rights provided in this Law;
(4) other matters that laws and administrative regulations require to be informed.
(1) the name or personal name and contact information of the personal information processor;
(2) the purpose and method of processing personal information, the category of personal information to be processed, and the retention period;
(3) the methods and procedures by which the individual may exercise the rights provided in this Law;
(4) other matters that laws and administrative regulations require to be informed.
Article 18
Where there are circumstances under which laws or administrative regulations provide that confidentiality shall be maintained or notification is not required, a personal information processor may refrain from informing the individual of the matters prescribed in Paragraph 1 of the preceding article.
Where, in emergency circumstances, it is impossible to promptly inform the individual in order to protect the life, health, or property safety of natural persons, the personal information processor shall inform the individual promptly after the emergency is eliminated.
Where, in emergency circumstances, it is impossible to promptly inform the individual in order to protect the life, health, or property safety of natural persons, the personal information processor shall inform the individual promptly after the emergency is eliminated.
Article 19
Unless otherwise provided by laws or administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the purpose of processing.
Article 20
Where two or more personal information processors jointly determine the purpose and method of processing personal information, they shall agree on their respective rights and obligations. However, such agreement does not affect an individual's right to request any one of those personal information processors to exercise the rights provided in this Law.
Where personal information is jointly processed by personal information processors and damage is caused by infringement of personal information rights and interests, they shall bear joint and several liability in accordance with law.
Where personal information is jointly processed by personal information processors and damage is caused by infringement of personal information rights and interests, they shall bear joint and several liability in accordance with law.
Article 21
Where a personal information processor entrusts another party to process personal information, it shall agree with the entrusted party on matters such as the purpose, period, method of entrusted processing, the categories of personal information, protection measures, and the rights and obligations of both parties, and shall supervise the personal information processing activities of the entrusted party.
The entrusted party shall process personal information in accordance with the agreement and may not process personal information beyond the agreed purpose or method of processing; where the entrustment contract does not take effect, is invalid, is revoked, or is terminated, the entrusted party shall return the personal information to the personal information processor or delete it, and may not retain it.
Without the consent of the personal information processor, the entrusted party may not re-entrust another party to process personal information.
The entrusted party shall process personal information in accordance with the agreement and may not process personal information beyond the agreed purpose or method of processing; where the entrustment contract does not take effect, is invalid, is revoked, or is terminated, the entrusted party shall return the personal information to the personal information processor or delete it, and may not retain it.
Without the consent of the personal information processor, the entrusted party may not re-entrust another party to process personal information.
Article 22
Where it is necessary to transfer personal information due to reasons such as merger, division, dissolution, or declaration of bankruptcy of a personal information processor, the individual shall be informed of the name or personal name and contact information of the recipient. The recipient shall continue to perform the obligations of the personal information processor. Where the recipient changes the original purpose or method of processing, the recipient shall obtain the individual's consent again in accordance with this Law.
Article 23
Where a personal information processor provides the personal information it processes to another personal information processor, it shall inform the individual of the name or personal name and contact information of the recipient, the purpose and method of processing, and the categories of personal information, and obtain the individual's separate consent. The recipient shall process personal information within the scope of the above-mentioned purpose, method, and categories of personal information. Where the recipient changes the original purpose or method of processing, it shall obtain the individual's consent again in accordance with this Law.
Article 24
Where a personal information processor uses personal information for automated decision-making, it shall ensure the transparency of decision-making and the fairness and impartiality of the results, and may not impose unreasonable differential treatment on individuals in transaction prices or other transaction conditions.
Where information is pushed to individuals or commercial marketing is conducted through automated decision-making, options not directed at their personal characteristics shall be provided at the same time, or convenient means for individuals to refuse shall be provided.
Where decisions that have a significant impact on individual rights and interests are made through automated decision-making, individuals have the right to require the personal information processor to explain the decision, and have the right to refuse decisions made solely through automated decision-making by the personal information processor.
Where information is pushed to individuals or commercial marketing is conducted through automated decision-making, options not directed at their personal characteristics shall be provided at the same time, or convenient means for individuals to refuse shall be provided.
Where decisions that have a significant impact on individual rights and interests are made through automated decision-making, individuals have the right to require the personal information processor to explain the decision, and have the right to refuse decisions made solely through automated decision-making by the personal information processor.
Article 25
A personal information processor may not disclose the personal information it processes, except where the individual's separate consent has been obtained.
Article 26
The installation of image collection and personal identity recognition equipment in public places shall be necessary for the maintenance of public security, comply with relevant State provisions, and prominent warning signs shall be installed. Collected personal images and identity recognition information may only be used for the purpose of maintaining public security and may not be used for other purposes, except where the individual's separate consent has been obtained.
Article 27
A personal information processor may process personal information that has been disclosed by the individual or otherwise lawfully disclosed within a reasonable scope, except where the individual expressly refuses. Where the processing of disclosed personal information has a significant impact on individual rights and interests, the personal information processor shall obtain the individual's consent in accordance with this Law.
Section 2 — Rules for the Processing of Sensitive Personal Information
Article 28
Sensitive personal information refers to personal information that, once leaked or illegally used, is likely to cause harm to the personal dignity of natural persons or endanger personal or property safety, including biometrics, religious beliefs, specific identity, medical health, financial accounts, whereabouts and tracks, and the personal information of minors under the age of fourteen.
A personal information processor may process sensitive personal information only where there is a specific purpose and sufficient necessity, and strict protective measures are taken.
A personal information processor may process sensitive personal information only where there is a specific purpose and sufficient necessity, and strict protective measures are taken.
Article 29
Separate consent of the individual shall be obtained for processing sensitive personal information; where laws and administrative regulations provide that written consent shall be obtained for processing sensitive personal information, such provisions shall prevail.
Article 30
Where a personal information processor processes sensitive personal information, in addition to the matters prescribed in Paragraph 1 of Article 17 of this Law, it shall also inform the individual of the necessity for processing sensitive personal information and the impact on individual rights and interests, except where this Law provides that notification need not be given to the individual.
Article 31
Where a personal information processor processes the personal information of minors under the age of fourteen, it shall obtain the consent of the minor's parents or other guardians.
Where a personal information processor processes the personal information of minors under the age of fourteen, it shall formulate special rules for the processing of personal information.
Where a personal information processor processes the personal information of minors under the age of fourteen, it shall formulate special rules for the processing of personal information.
Article 32
Where laws and administrative regulations provide that relevant administrative permission shall be obtained or other restrictions shall apply to the processing of sensitive personal information, such provisions shall prevail.
Section 3 — Special Provisions on the Processing of Personal Information by State Organs
Article 33
The activities of State organs in processing personal information are subject to this Law; where this Section contains special provisions, those provisions shall apply.
Article 34
Where State organs process personal information for the performance of statutory duties, they shall do so in accordance with the authority and procedures prescribed by laws and administrative regulations, and may not exceed the scope and limits necessary for the performance of statutory duties.
Article 35
Where State organs process personal information for the performance of statutory duties, they shall fulfill the obligation of notification in accordance with this Law, except under the circumstances prescribed in Paragraph 1 of Article 18 of this Law, or where notification would impede the performance by State organs of their statutory duties.
Article 36
Personal information processed by State organs shall be stored within the territory of the People's Republic of China; where it is truly necessary to provide it abroad, a security assessment shall be conducted. Relevant departments may be required to provide support and assistance in the security assessment.
Article 37
Where organizations authorized by laws or regulations with the function of administering public affairs process personal information for the performance of statutory duties, the provisions of this Law regarding the processing of personal information by State organs shall apply.
Chapter III — Rules for the Cross-Border Provision of Personal Information
Article 38
Where a personal information processor truly needs to provide personal information outside the territory of the People's Republic of China due to business or other needs, it shall satisfy one of the following conditions:
(1) passing the security assessment organized by the national cyberspace administration department in accordance with Article 40 of this Law;
(2) obtaining personal information protection certification from a professional institution in accordance with the provisions of the national cyberspace administration department;
(3) entering into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration department, stipulating the rights and obligations of both parties;
(4) other conditions provided by laws, administrative regulations, or the national cyberspace administration department.
Where international treaties or agreements concluded or acceded to by the People's Republic of China contain provisions on the conditions for providing personal information outside the territory, such provisions may be applied.
Personal information processors shall adopt necessary measures to ensure that the personal information processing activities of overseas recipients reach the personal information protection standards prescribed by this Law.
(1) passing the security assessment organized by the national cyberspace administration department in accordance with Article 40 of this Law;
(2) obtaining personal information protection certification from a professional institution in accordance with the provisions of the national cyberspace administration department;
(3) entering into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration department, stipulating the rights and obligations of both parties;
(4) other conditions provided by laws, administrative regulations, or the national cyberspace administration department.
Where international treaties or agreements concluded or acceded to by the People's Republic of China contain provisions on the conditions for providing personal information outside the territory, such provisions may be applied.
Personal information processors shall adopt necessary measures to ensure that the personal information processing activities of overseas recipients reach the personal information protection standards prescribed by this Law.
Article 39
Where a personal information processor provides personal information outside the territory of the People's Republic of China, it shall inform the individual of matters such as the name or personal name and contact information of the overseas recipient, the purpose and method of processing, the categories of personal information, and the methods and procedures for the individual to exercise the rights prescribed by this Law against the overseas recipient, and shall obtain the individual's separate consent.
Article 40
Operators of critical information infrastructure and personal information processors processing personal information reaching the quantity threshold prescribed by the national cyberspace administration department shall store within the territory of the People's Republic of China the personal information collected and generated within the territory. Where it is truly necessary to provide such information abroad, they shall pass the security assessment organized by the national cyberspace administration department.
Article 41
The competent authorities of the People's Republic of China shall handle requests from foreign judicial or law enforcement authorities for the provision of personal information stored within the territory in accordance with relevant laws and international treaties or agreements, or under the principle of equality and reciprocity. Without the approval of the competent authorities of the People's Republic of China, personal information processors may not provide personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities.
Article 42
Where overseas organizations or individuals engage in personal information processing activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China, or endanger the national security or public interest of the People's Republic of China, the national cyberspace administration department may place them on a list restricting or prohibiting the provision of personal information, announce such list, and adopt measures such as restricting or prohibiting the provision of personal information to them.
Article 43
Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in the area of personal information protection, the People's Republic of China may take reciprocal measures against that country or region based on actual circumstances.
Chapter IV — Rights of Individuals in Personal Information Processing Activities
Article 44
Individuals have the right to know and the right to decide regarding the processing of their personal information, and have the right to restrict or refuse the processing of their personal information by others, except as otherwise provided by laws and administrative regulations.
Article 45
Individuals have the right to consult and copy their personal information from personal information processors, except under the circumstances prescribed in Paragraph 1 of Article 18 and Article 35 of this Law.
Where an individual requests to consult or copy their personal information, the personal information processor shall provide it in a timely manner.
Where an individual requests the transfer of personal information to a personal information processor designated by the individual, and the conditions prescribed by the national cyberspace administration department are met, the personal information processor shall provide a means for the transfer.
Where an individual requests to consult or copy their personal information, the personal information processor shall provide it in a timely manner.
Where an individual requests the transfer of personal information to a personal information processor designated by the individual, and the conditions prescribed by the national cyberspace administration department are met, the personal information processor shall provide a means for the transfer.
Article 46
Where an individual discovers that their personal information is inaccurate or incomplete, they have the right to request the personal information processor to correct or supplement it.
Where an individual requests correction or supplementation of their personal information, the personal information processor shall verify the personal information and correct or supplement it in a timely manner.
Where an individual requests correction or supplementation of their personal information, the personal information processor shall verify the personal information and correct or supplement it in a timely manner.
Article 47
Under any of the following circumstances, a personal information processor shall take the initiative to delete personal information; where the personal information processor has not deleted it, the individual has the right to request deletion:
(1) where the purpose of processing has been achieved, cannot be achieved, or the personal information is no longer necessary to achieve the purpose of processing;
(2) where the personal information processor ceases to provide products or services, or the retention period has expired;
(3) where the individual withdraws consent;
(4) where the personal information processor processes personal information in violation of laws, administrative regulations, or agreements;
(5) other circumstances provided by laws and administrative regulations.
(1) where the purpose of processing has been achieved, cannot be achieved, or the personal information is no longer necessary to achieve the purpose of processing;
(2) where the personal information processor ceases to provide products or services, or the retention period has expired;
(3) where the individual withdraws consent;
(4) where the personal information processor processes personal information in violation of laws, administrative regulations, or agreements;
(5) other circumstances provided by laws and administrative regulations.
Article 48
Individuals have the right to request personal information processors to explain the rules for processing their personal information.
Article 49
Where a natural person dies, their close relatives may, for their own lawful and legitimate interests, exercise the rights prescribed in this Chapter to consult, copy, correct, and delete the relevant personal information of the deceased, except where the deceased made other arrangements before death.
Article 50
Personal information processors shall establish convenient mechanisms for receiving and handling applications by individuals to exercise their rights. Where a request by an individual to exercise rights is refused, reasons shall be explained.
Where a personal information processor refuses an individual's request to exercise rights, the individual may bring a lawsuit before a people's court in accordance with law.
Where a personal information processor refuses an individual's request to exercise rights, the individual may bring a lawsuit before a people's court in accordance with law.
Chapter V — Obligations of Personal Information Processors
Article 51
Personal information processors shall, based on factors such as the purpose and method of processing personal information, the categories of personal information, the impact on individual rights and interests, and possible security risks, adopt the following measures to ensure that personal information processing activities comply with laws and administrative regulations and to prevent unauthorized access and personal information leakage, tampering, or loss:
(1) formulating internal management systems and operating procedures;
(2) implementing classified management of personal information;
(3) adopting corresponding security technical measures such as encryption and de-identification;
(4) reasonably determining operation permissions for personal information processing and regularly conducting security education and training for employees;
(5) formulating and organizing the implementation of emergency plans for personal information security incidents;
(6) other measures prescribed by laws and administrative regulations.
(1) formulating internal management systems and operating procedures;
(2) implementing classified management of personal information;
(3) adopting corresponding security technical measures such as encryption and de-identification;
(4) reasonably determining operation permissions for personal information processing and regularly conducting security education and training for employees;
(5) formulating and organizing the implementation of emergency plans for personal information security incidents;
(6) other measures prescribed by laws and administrative regulations.
Article 52
Personal information processors processing personal information reaching the quantity threshold prescribed by the national cyberspace administration department shall designate a person in charge of personal information protection, who shall be responsible for supervising personal information processing activities and the protective measures adopted.
Personal information processors shall disclose the contact information of the person in charge of personal information protection, and report the name and contact information of that person to the department performing personal information protection duties.
Personal information processors shall disclose the contact information of the person in charge of personal information protection, and report the name and contact information of that person to the department performing personal information protection duties.
Article 53
Personal information processors outside the territory of the People's Republic of China as provided in Paragraph 2 of Article 3 of this Law shall establish a dedicated institution or designate a representative within the territory of the People's Republic of China to be responsible for matters related to personal information protection, and shall report the name of the institution or the name and contact information of the representative to the department performing personal information protection duties.
Article 54
Personal information processors shall periodically conduct compliance audits of their processing of personal information for compliance with laws and administrative regulations.
Article 55
Under any of the following circumstances, a personal information processor shall conduct a personal information protection impact assessment in advance and keep records of the processing:
(1) processing sensitive personal information;
(2) using personal information for automated decision-making;
(3) entrusting the processing of personal information, providing personal information to other personal information processors, or disclosing personal information;
(4) providing personal information abroad;
(5) other personal information processing activities having a significant impact on individual rights and interests.
(1) processing sensitive personal information;
(2) using personal information for automated decision-making;
(3) entrusting the processing of personal information, providing personal information to other personal information processors, or disclosing personal information;
(4) providing personal information abroad;
(5) other personal information processing activities having a significant impact on individual rights and interests.
Article 56
A personal information protection impact assessment shall include the following:
(1) whether the purpose and method of processing personal information are lawful, legitimate, and necessary;
(2) the impact on individual rights and interests and the security risks;
(3) whether the protective measures adopted are lawful, effective, and appropriate to the degree of risk.
Personal information protection impact assessment reports and records of processing shall be retained for at least three years.
(1) whether the purpose and method of processing personal information are lawful, legitimate, and necessary;
(2) the impact on individual rights and interests and the security risks;
(3) whether the protective measures adopted are lawful, effective, and appropriate to the degree of risk.
Personal information protection impact assessment reports and records of processing shall be retained for at least three years.
Article 57
Where personal information leakage, tampering, or loss occurs or may occur, the personal information processor shall immediately take remedial measures and notify the department performing personal information protection duties and the individuals concerned. The notification shall include the following:
(1) the categories of personal information leaked, tampered with, or lost, or that may be leaked, tampered with, or lost, the cause thereof, and the possible harm that may be caused;
(2) the remedial measures taken by the personal information processor and measures that individuals may take to mitigate harm;
(3) the contact information of the personal information processor.
(1) the categories of personal information leaked, tampered with, or lost, or that may be leaked, tampered with, or lost, the cause thereof, and the possible harm that may be caused;
(2) the remedial measures taken by the personal information processor and measures that individuals may take to mitigate harm;
(3) the contact information of the personal information processor.
Article 58
Personal information processors that provide important internet platform services, have a huge number of users, and have complex business types shall perform the following obligations:
(1) establishing and improving, in accordance with State provisions, a compliance system for personal information protection, and establishing an independent body composed mainly of external members to supervise the protection of personal information;
(2) following the principles of openness, fairness, and impartiality, formulating platform rules, and clarifying the norms and obligations for providers of products or services within the platform to process personal information and protect personal information;
(3) ceasing to provide services to providers of products or services within the platform that seriously violate laws or administrative regulations in processing personal information;
(4) regularly publishing social responsibility reports on personal information protection and accepting public supervision.
(1) establishing and improving, in accordance with State provisions, a compliance system for personal information protection, and establishing an independent body composed mainly of external members to supervise the protection of personal information;
(2) following the principles of openness, fairness, and impartiality, formulating platform rules, and clarifying the norms and obligations for providers of products or services within the platform to process personal information and protect personal information;
(3) ceasing to provide services to providers of products or services within the platform that seriously violate laws or administrative regulations in processing personal information;
(4) regularly publishing social responsibility reports on personal information protection and accepting public supervision.
Article 59
An entrusted party that processes personal information upon entrustment shall, in accordance with this Law and the provisions of relevant laws and administrative regulations, adopt necessary measures to ensure the security of the personal information it processes and assist the personal information processor in performing the obligations prescribed by this Law.
Chapter VI — Departments Performing Personal Information Protection Duties
Article 60
The national cyberspace administration department is responsible for the overall planning and coordination of personal information protection work and related supervision and administration. Relevant departments of the State Council shall, in accordance with this Law and relevant laws and administrative regulations, be responsible for personal information protection and supervision and administration within the scope of their respective duties.
Article 61
The departments performing personal information protection duties shall perform the following duties in respect of personal information protection:
(1) conducting publicity and education on personal information protection, and guiding and supervising personal information processors in carrying out personal information protection work;
(2) accepting and handling complaints and reports related to personal information protection;
(3) organizing evaluations of personal information protection in applications and the like, and publishing the evaluation results;
(4) investigating and handling illegal personal information processing activities;
(5) other duties prescribed by laws and administrative regulations.
(1) conducting publicity and education on personal information protection, and guiding and supervising personal information processors in carrying out personal information protection work;
(2) accepting and handling complaints and reports related to personal information protection;
(3) organizing evaluations of personal information protection in applications and the like, and publishing the evaluation results;
(4) investigating and handling illegal personal information processing activities;
(5) other duties prescribed by laws and administrative regulations.
Article 62
The national cyberspace administration department shall coordinate relevant departments in promoting the following personal information protection work in accordance with this Law:
(1) formulating specific rules and standards for personal information protection;
(2) formulating special personal information protection rules and standards for small personal information processors, the processing of sensitive personal information, and new technologies and applications such as facial recognition and artificial intelligence;
(3) supporting the research, development, and promotion of secure and convenient electronic identity authentication technologies, and advancing the construction of public services for online identity authentication;
(4) advancing the construction of a socialized service system for personal information protection and supporting relevant institutions in carrying out personal information protection assessment and certification services;
(5) improving the complaint and reporting mechanisms for personal information protection.
(1) formulating specific rules and standards for personal information protection;
(2) formulating special personal information protection rules and standards for small personal information processors, the processing of sensitive personal information, and new technologies and applications such as facial recognition and artificial intelligence;
(3) supporting the research, development, and promotion of secure and convenient electronic identity authentication technologies, and advancing the construction of public services for online identity authentication;
(4) advancing the construction of a socialized service system for personal information protection and supporting relevant institutions in carrying out personal information protection assessment and certification services;
(5) improving the complaint and reporting mechanisms for personal information protection.
Article 63
The departments performing personal information protection duties may take the following measures in performing their personal information protection duties:
(1) interviewing relevant parties and investigating circumstances related to personal information processing activities;
(2) consulting and copying contracts, records, account books, and other relevant materials of the parties related to personal information processing activities;
(3) carrying out on-site inspections and investigating suspected illegal personal information processing activities;
(4) inspecting equipment and items related to personal information processing activities.
(1) interviewing relevant parties and investigating circumstances related to personal information processing activities;
(2) consulting and copying contracts, records, account books, and other relevant materials of the parties related to personal information processing activities;
(3) carrying out on-site inspections and investigating suspected illegal personal information processing activities;
(4) inspecting equipment and items related to personal information processing activities.
Article 64
Where, in the course of performing their duties, departments performing personal information protection duties discover relatively large risks in personal information processing activities or the occurrence of personal information security incidents, they may, in accordance with prescribed authority and procedures, conduct supervisory interviews with the legal representative or principal person in charge of the personal information processor, or require the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities.
Article 65
Any organization or individual has the right to complain or report illegal personal information processing activities to the departments performing personal information protection duties. The department receiving the complaint or report shall handle it promptly in accordance with law and notify the complainant or informant of the handling result.
Departments performing personal information protection duties shall publish the means for receiving complaints and reports.
Departments performing personal information protection duties shall publish the means for receiving complaints and reports.
Chapter VII — Legal Liability
Article 66
Where personal information is processed in violation of this Law, or where the obligations for personal information protection prescribed by this Law are not fulfilled in processing personal information, the department performing personal information protection duties shall order correction, give a warning, confiscate illegal gains, and order applications illegally processing personal information to suspend or terminate the provision of services; where correction is refused, a fine of not more than RMB 1 million shall be imposed, and the directly responsible person in charge and other directly liable persons shall be fined not less than RMB 10,000 but not more than RMB 100,000.
Where the illegal acts prescribed in the preceding paragraph are serious, the department performing personal information protection duties at or above the provincial level shall order correction, confiscate illegal gains, and impose a fine of not more than RMB 50 million or not more than 5 percent of the turnover of the preceding year, and may also order suspension of relevant business or suspension of business for rectification, and notify relevant competent departments to revoke relevant business permits or revoke the business license; the directly responsible person in charge and other directly liable persons shall be fined not less than RMB 100,000 but not more than RMB 1 million.
Where the illegal acts prescribed in the preceding paragraph are serious, the department performing personal information protection duties at or above the provincial level shall order correction, confiscate illegal gains, and impose a fine of not more than RMB 50 million or not more than 5 percent of the turnover of the preceding year, and may also order suspension of relevant business or suspension of business for rectification, and notify relevant competent departments to revoke relevant business permits or revoke the business license; the directly responsible person in charge and other directly liable persons shall be fined not less than RMB 100,000 but not more than RMB 1 million.
Article 67
Where there is an illegal act prescribed by this Law, it shall be entered into the credit archives in accordance with the provisions of relevant laws and administrative regulations and shall be publicly disclosed.
Article 68
Where a State organ fails to fulfill the obligations for personal information protection prescribed by this Law, its superior organ or the department performing personal information protection duties shall order correction; the directly responsible person in charge and other directly liable persons shall be given sanctions in accordance with law.
Article 69
Where the processing of personal information infringes upon personal information rights and interests and causes damage, and the personal information processor cannot prove that it was not at fault, it shall bear tort liability such as compensation for damages.
The liability for damages prescribed in the preceding paragraph shall be determined according to the loss suffered by the individual as a result thereof or the benefits obtained by the personal information processor therefrom; where the loss suffered by the individual and the benefits obtained by the personal information processor are difficult to determine, the amount of compensation shall be determined according to the actual circumstances.
The liability for damages prescribed in the preceding paragraph shall be determined according to the loss suffered by the individual as a result thereof or the benefits obtained by the personal information processor therefrom; where the loss suffered by the individual and the benefits obtained by the personal information processor are difficult to determine, the amount of compensation shall be determined according to the actual circumstances.
Article 70
Where a personal information processor processes personal information in violation of this Law, infringing the rights and interests of numerous individuals, the People's Procuratorate, consumer organizations prescribed by law, and organizations designated by the national cyberspace administration department may bring a lawsuit before a people's court in accordance with law.
Article 71
Where a violation of this Law constitutes a violation of public security administration, a public security administrative penalty shall be imposed in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law.
Chapter VIII — Supplementary Provisions
Article 72
This Law does not apply where a natural person processes personal information for personal or family affairs.
Where laws contain provisions on the processing of personal information in statistical and archives administration activities organized and implemented by people's governments at all levels and relevant departments thereof, such provisions shall apply.
Where laws contain provisions on the processing of personal information in statistical and archives administration activities organized and implemented by people's governments at all levels and relevant departments thereof, such provisions shall apply.
Article 73
The meanings of the following terms in this Law are:
(1) "personal information processor" refers to an organization or individual that independently determines the purpose and method of processing in personal information processing activities.
(2) "automated decision-making" refers to activities of automatically analyzing and assessing an individual's behavioral habits, interests and preferences, or economic, health, and credit status, and making decisions through computer programs.
(3) "de-identification" refers to the process by which personal information is processed so that it cannot identify a specific natural person without the aid of additional information.
(4) "anonymization" refers to the process by which personal information is processed so that it cannot identify a specific natural person and cannot be restored.
(1) "personal information processor" refers to an organization or individual that independently determines the purpose and method of processing in personal information processing activities.
(2) "automated decision-making" refers to activities of automatically analyzing and assessing an individual's behavioral habits, interests and preferences, or economic, health, and credit status, and making decisions through computer programs.
(3) "de-identification" refers to the process by which personal information is processed so that it cannot identify a specific natural person without the aid of additional information.
(4) "anonymization" refers to the process by which personal information is processed so that it cannot identify a specific natural person and cannot be restored.
Article 74
This Law shall come into force on November 1, 2021.
目 录
中华人民共和国个人信息保护法
(2021年8月20日第十三届全国人民代表大会常务委员会第三十次会议通过)
来源:中国人大网
第一章 总则
第一条
为了保护个人信息权益,规范个人信息处理活动,促进个人信息合理利用,根据宪法,制定本法。
第二条
自然人的个人信息受法律保护,任何组织、个人不得侵害自然人的个人信息权益。
第三条
在中华人民共和国境内处理自然人个人信息的活动,适用本法。
在中华人民共和国境外处理中华人民共和国境内自然人个人信息的活动,有下列情形之一的,也适用本法:
(一)以向境内自然人提供产品或者服务为目的;
(二)分析、评估境内自然人的行为;
(三)法律、行政法规规定的其他情形。
在中华人民共和国境外处理中华人民共和国境内自然人个人信息的活动,有下列情形之一的,也适用本法:
(一)以向境内自然人提供产品或者服务为目的;
(二)分析、评估境内自然人的行为;
(三)法律、行政法规规定的其他情形。
第四条
个人信息是以电子或者其他方式记录的与已识别或者可识别的自然人有关的各种信息,不包括匿名化处理后的信息。
个人信息的处理包括个人信息的收集、存储、使用、加工、传输、提供、公开、删除等。
个人信息的处理包括个人信息的收集、存储、使用、加工、传输、提供、公开、删除等。
第五条
处理个人信息应当遵循合法、正当、必要和诚信原则,不得通过误导、欺诈、胁迫等方式处理个人信息。
第六条
处理个人信息应当具有明确、合理的目的,并应当与处理目的直接相关,采取对个人权益影响最小的方式。
收集个人信息,应当限于实现处理目的的最小范围,不得过度收集个人信息。
收集个人信息,应当限于实现处理目的的最小范围,不得过度收集个人信息。
第七条
处理个人信息应当遵循公开、透明原则,公开个人信息处理规则,明示处理的目的、方式和范围。
第八条
处理个人信息应当保证个人信息的质量,避免因个人信息不准确、不完整对个人权益造成不利影响。
第九条
个人信息处理者应当对其个人信息处理活动负责,并采取必要措施保障所处理的个人信息的安全。
第十条
任何组织、个人不得非法收集、使用、加工、传输他人个人信息,不得非法买卖、提供或者公开他人个人信息;不得从事危害国家安全、公共利益的个人信息处理活动。
第十一条
国家建立健全个人信息保护制度,预防和惩治侵害个人信息权益的行为,加强个人信息保护宣传教育,推动形成政府、企业、相关社会组织、公众共同参与个人信息保护的良好环境。
第十二条
国家积极参与个人信息保护国际规则的制定,促进个人信息保护方面的国际交流与合作,推动与其他国家、地区、国际组织之间的个人信息保护规则、标准等互认。
第二章 个人信息处理规则
第一节 一般规定
第十三条
符合下列情形之一的,个人信息处理者方可处理个人信息:
(一)取得个人的同意;
(二)为订立、履行个人作为一方当事人的合同所必需,或者按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理所必需;
(三)为履行法定职责或者法定义务所必需;
(四)为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康和财产安全所必需;
(五)为公共利益实施新闻报道、舆论监督等行为,在合理的范围内处理个人信息;
(六)依照本法规定在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;
(七)法律、行政法规规定的其他情形。
(一)取得个人的同意;
(二)为订立、履行个人作为一方当事人的合同所必需,或者按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理所必需;
(三)为履行法定职责或者法定义务所必需;
(四)为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康和财产安全所必需;
(五)为公共利益实施新闻报道、舆论监督等行为,在合理的范围内处理个人信息;
(六)依照本法规定在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;
(七)法律、行政法规规定的其他情形。
第十四条
基于个人同意处理个人信息的,该同意应当由个人在充分知情的前提下自愿、明确作出。法律、行政法规规定处理个人信息应当取得个人单独同意或者书面同意的,从其规定。
个人信息的处理目的、处理方式和处理的个人信息种类发生变更的,应当重新取得个人同意。
个人信息的处理目的、处理方式和处理的个人信息种类发生变更的,应当重新取得个人同意。
第十五条
基于个人同意处理个人信息的,个人有权撤回其同意。个人信息处理者应当提供便捷的撤回同意的方式。
个人撤回同意,不影响撤回前基于个人同意已进行的个人信息处理活动的效力。
个人撤回同意,不影响撤回前基于个人同意已进行的个人信息处理活动的效力。
第十六条
个人信息处理者不得以个人不同意处理其个人信息或者撤回同意为由,拒绝提供产品或者服务;处理个人信息属于提供产品或者服务所必需的除外。
第十七条
个人信息处理者在处理个人信息前,应当以显著方式、清晰易懂的语言真实、准确、完整地向个人告知下列事项:
(一)个人信息处理者的名称或者姓名和联系方式;
(二)个人信息的处理目的、处理方式,处理的个人信息种类、保存期限;
(三)个人行使本法规定权利的方式和程序;
(四)法律、行政法规规定应当告知的其他事项。
(一)个人信息处理者的名称或者姓名和联系方式;
(二)个人信息的处理目的、处理方式,处理的个人信息种类、保存期限;
(三)个人行使本法规定权利的方式和程序;
(四)法律、行政法规规定应当告知的其他事项。
第十八条
个人信息处理者处理个人信息,有法律、行政法规规定应当保密或者不需要告知的情形的,可以不向个人告知前条第一款规定的事项。
紧急情况下为保护自然人的生命健康和财产安全无法及时向个人告知的,个人信息处理者应当在紧急情况消除后及时告知。
紧急情况下为保护自然人的生命健康和财产安全无法及时向个人告知的,个人信息处理者应当在紧急情况消除后及时告知。
第十九条
除法律、行政法规另有规定外,个人信息的保存期限应当为实现处理目的所必要的最短时间。
第二十条
两个以上的个人信息处理者共同决定个人信息的处理目的和处理方式的,应当约定各自的权利和义务。但是,该约定不影响个人向其中任何一个个人信息处理者要求行使本法规定的权利。
个人信息处理者共同处理个人信息,侵害个人信息权益造成损害的,应当依法承担连带责任。
个人信息处理者共同处理个人信息,侵害个人信息权益造成损害的,应当依法承担连带责任。
第二十一条
个人信息处理者委托处理个人信息的,应当与受托人约定委托处理的目的、期限、处理方式、个人信息的种类、保护措施以及双方的权利和义务等,并对受托人的个人信息处理活动进行监督。
受托人应当按照约定处理个人信息,不得超出约定的处理目的、处理方式等处理个人信息;委托合同不生效、无效、被撤销或者终止的,受托人应当将个人信息返还个人信息处理者或者予以删除,不得保留。
未经个人信息处理者同意,受托人不得转委托他人处理个人信息。
受托人应当按照约定处理个人信息,不得超出约定的处理目的、处理方式等处理个人信息;委托合同不生效、无效、被撤销或者终止的,受托人应当将个人信息返还个人信息处理者或者予以删除,不得保留。
未经个人信息处理者同意,受托人不得转委托他人处理个人信息。
第二十二条
个人信息处理者因合并、分立、解散、被宣告破产等原因需要转移个人信息的,应当向个人告知接收方的名称或者姓名和联系方式。接收方应当继续履行个人信息处理者的义务。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。
第二十三条
个人信息处理者向其他个人信息处理者提供其处理的个人信息的,应当向个人告知接收方的名称或者姓名、联系方式、处理目的、处理方式和个人信息的种类,并取得个人的单独同意。接收方应当在上述处理目的、处理方式和个人信息的种类等范围内处理个人信息。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。
第二十四条
个人信息处理者利用个人信息进行自动化决策,应当保证决策的透明度和结果公平、公正,不得对个人在交易价格等交易条件上实行不合理的差别待遇。
通过自动化决策方式向个人进行信息推送、商业营销,应当同时提供不针对其个人特征的选项,或者向个人提供便捷的拒绝方式。
通过自动化决策方式作出对个人权益有重大影响的决定,个人有权要求个人信息处理者予以说明,并有权拒绝个人信息处理者仅通过自动化决策的方式作出决定。
通过自动化决策方式向个人进行信息推送、商业营销,应当同时提供不针对其个人特征的选项,或者向个人提供便捷的拒绝方式。
通过自动化决策方式作出对个人权益有重大影响的决定,个人有权要求个人信息处理者予以说明,并有权拒绝个人信息处理者仅通过自动化决策的方式作出决定。
第二十五条
个人信息处理者不得公开其处理的个人信息,取得个人单独同意的除外。
第二十六条
在公共场所安装图像采集、个人身份识别设备,应当为维护公共安全所必需,遵守国家有关规定,并设置显著的提示标识。所收集的个人图像、身份识别信息只能用于维护公共安全的目的,不得用于其他目的;取得个人单独同意的除外。
第二十七条
个人信息处理者可以在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;个人明确拒绝的除外。个人信息处理者处理已公开的个人信息,对个人权益有重大影响的,应当依照本法规定取得个人同意。
第二节 敏感个人信息的处理规则
第二十八条
敏感个人信息是一旦泄露或者非法使用,容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的个人信息,包括生物识别、宗教信仰、特定身份、医疗健康、金融账户、行踪轨迹等信息,以及不满十四周岁未成年人的个人信息。
只有在具有特定的目的和充分的必要性,并采取严格保护措施的情形下,个人信息处理者方可处理敏感个人信息。
只有在具有特定的目的和充分的必要性,并采取严格保护措施的情形下,个人信息处理者方可处理敏感个人信息。
第二十九条
处理敏感个人信息应当取得个人的单独同意;法律、行政法规规定处理敏感个人信息应当取得书面同意的,从其规定。
第三十条
个人信息处理者处理敏感个人信息的,除本法第十七条第一款规定的事项外,还应当向个人告知处理敏感个人信息的必要性以及对个人权益的影响;依照本法规定可以不向个人告知的除外。
第三十一条
个人信息处理者处理不满十四周岁未成年人个人信息的,应当取得未成年人的父母或者其他监护人的同意。
个人信息处理者处理不满十四周岁未成年人个人信息的,应当制定专门的个人信息处理规则。
个人信息处理者处理不满十四周岁未成年人个人信息的,应当制定专门的个人信息处理规则。
第三十二条
法律、行政法规对处理敏感个人信息规定应当取得相关行政许可或者作出其他限制的,从其规定。
第三节 国家机关处理个人信息的特别规定
第三十三条
国家机关处理个人信息的活动,适用本法;本节有特别规定的,适用本节规定。
第三十四条
国家机关为履行法定职责处理个人信息,应当依照法律、行政法规规定的权限、程序进行,不得超出履行法定职责所必需的范围和限度。
第三十五条
国家机关为履行法定职责处理个人信息,应当依照本法规定履行告知义务;有本法第十八条第一款规定的情形,或者告知将妨碍国家机关履行法定职责的除外。
第三十六条
国家机关处理的个人信息应当在中华人民共和国境内存储;确需向境外提供的,应当进行安全评估。安全评估可以要求有关部门提供支持与协助。
第三十七条
法律、法规授权的具有管理公共事务职能的组织为履行法定职责处理个人信息,适用本法关于国家机关处理个人信息的规定。
第三章 个人信息跨境提供的规则
第三十八条
个人信息处理者因业务等需要,确需向中华人民共和国境外提供个人信息的,应当具备下列条件之一:
(一)依照本法第四十条的规定通过国家网信部门组织的安全评估;
(二)按照国家网信部门的规定经专业机构进行个人信息保护认证;
(三)按照国家网信部门制定的标准合同与境外接收方订立合同,约定双方的权利和义务;
(四)法律、行政法规或者国家网信部门规定的其他条件。
(一)依照本法第四十条的规定通过国家网信部门组织的安全评估;
(二)按照国家网信部门的规定经专业机构进行个人信息保护认证;
(三)按照国家网信部门制定的标准合同与境外接收方订立合同,约定双方的权利和义务;
(四)法律、行政法规或者国家网信部门规定的其他条件。
第三十九条
个人信息处理者向中华人民共和国境外提供个人信息的,应当向个人告知境外接收方的名称或者姓名、联系方式、处理目的、处理方式、个人信息的种类以及个人向境外接收方行使本法规定权利的方式和程序等事项,并取得个人的单独同意。
第四十条
关键信息基础设施运营者和处理个人信息达到国家网信部门规定数量的个人信息处理者,应当将在中华人民共和国境内收集和产生的个人信息存储在境内。确需向境外提供的,应当通过国家网信部门组织的安全评估。
第四十一条
中华人民共和国主管机关根据有关法律和中华人民共和国缔结或者参加的国际条约、协定,或者按照平等互惠原则,处理外国司法或者执法机构关于提供存储于境内个人信息的请求。非经中华人民共和国主管机关批准,个人信息处理者不得向外国司法或者执法机构提供存储于中华人民共和国境内的个人信息。
第四十二条
境外的组织、个人从事侵害中华人民共和国公民的个人信息权益,或者危害中华人民共和国国家安全、公共利益的个人信息处理活动的,国家网信部门可以将其列入限制或者禁止个人信息提供清单,予以公告,并采取限制或者禁止向其提供个人信息等措施。
第四十三条
任何国家或者地区在个人信息保护方面对中华人民共和国采取歧视性的禁止、限制或者其他类似措施的,中华人民共和国可以根据实际情况对该国家或者地区对等采取措施。
第四章 个人在个人信息处理活动中的权利
第四十四条
个人对其个人信息的处理享有知情权、决定权,有权限制或者拒绝他人对其个人信息进行处理;法律、行政法规另有规定的除外。
第四十五条
个人有权向个人信息处理者查阅、复制其个人信息;有本法第十八条第一款、第三十五条规定情形的除外。
个人请求查阅、复制其个人信息的,个人信息处理者应当及时提供。
个人请求将个人信息转移至其指定的个人信息处理者,符合国家网信部门规定条件的,个人信息处理者应当提供转移的途径。
个人请求查阅、复制其个人信息的,个人信息处理者应当及时提供。
个人请求将个人信息转移至其指定的个人信息处理者,符合国家网信部门规定条件的,个人信息处理者应当提供转移的途径。
第四十六条
个人发现其个人信息不准确或者不完整的,有权请求个人信息处理者更正、补充。
个人请求更正、补充其个人信息的,个人信息处理者应当对其个人信息予以核实,并及时更正、补充。
个人请求更正、补充其个人信息的,个人信息处理者应当对其个人信息予以核实,并及时更正、补充。
第四十七条
有下列情形之一的,个人信息处理者应当主动删除个人信息;个人信息处理者未删除的,个人有权请求删除:
(一)处理目的已实现、无法实现或者为实现处理目的不再必要;
(二)个人信息处理者停止提供产品或者服务,或者保存期限已届满;
(三)个人撤回同意;
(四)个人信息处理者违反法律、行政法规或者违反约定处理个人信息;
(五)法律、行政法规规定的其他情形。
(一)处理目的已实现、无法实现或者为实现处理目的不再必要;
(二)个人信息处理者停止提供产品或者服务,或者保存期限已届满;
(三)个人撤回同意;
(四)个人信息处理者违反法律、行政法规或者违反约定处理个人信息;
(五)法律、行政法规规定的其他情形。
第四十八条
个人有权要求个人信息处理者对其个人信息处理规则进行解释说明。
第四十九条
自然人死亡的,其近亲属为了自身的合法、正当利益,可以对死者的相关个人信息行使本章规定的查阅、复制、更正、删除等权利;死者生前另有安排的除外。
第五十条
个人信息处理者应当建立便捷的个人行使权利的申请受理和处理机制。拒绝个人行使权利的请求的,应当说明理由。
个人信息处理者拒绝个人行使权利的请求的,个人可以依法向人民法院提起诉讼。
个人信息处理者拒绝个人行使权利的请求的,个人可以依法向人民法院提起诉讼。
第五章 个人信息处理者的义务
第五十一条
个人信息处理者应当根据个人信息的处理目的、处理方式、个人信息的种类以及对个人权益的影响、可能存在的安全风险等,采取下列措施确保个人信息处理活动符合法律、行政法规的规定,并防止未经授权的访问以及个人信息泄露、篡改、丢失:
(一)制定内部管理制度和操作规程;
(二)对个人信息实行分类管理;
(三)采取相应的加密、去标识化等安全技术措施;
(四)合理确定个人信息处理的操作权限,并定期对从业人员进行安全教育和培训;
(五)制定并组织实施个人信息安全事件应急预案;
(六)法律、行政法规规定的其他措施。
(一)制定内部管理制度和操作规程;
(二)对个人信息实行分类管理;
(三)采取相应的加密、去标识化等安全技术措施;
(四)合理确定个人信息处理的操作权限,并定期对从业人员进行安全教育和培训;
(五)制定并组织实施个人信息安全事件应急预案;
(六)法律、行政法规规定的其他措施。
第五十二条
处理个人信息达到国家网信部门规定数量的个人信息处理者应当指定个人信息保护负责人,负责对个人信息处理活动以及采取的保护措施等进行监督。
个人信息处理者应当公开个人信息保护负责人的联系方式,并将个人信息保护负责人的姓名、联系方式等报送履行个人信息保护职责的部门。
个人信息处理者应当公开个人信息保护负责人的联系方式,并将个人信息保护负责人的姓名、联系方式等报送履行个人信息保护职责的部门。
第五十三条
本法第三条第二款规定的中华人民共和国境外的个人信息处理者,应当在中华人民共和国境内设立专门机构或者指定代表,负责处理个人信息保护相关事务,并将有关机构的名称或者代表的姓名、联系方式等报送履行个人信息保护职责的部门。
第五十四条
个人信息处理者应当定期对其处理个人信息遵守法律、行政法规的情况进行合规审计。
第五十五条
有下列情形之一的,个人信息处理者应当事前进行个人信息保护影响评估,并对处理情况进行记录:
(一)处理敏感个人信息;
(二)利用个人信息进行自动化决策;
(三)委托处理个人信息、向其他个人信息处理者提供个人信息、公开个人信息;
(四)向境外提供个人信息;
(五)其他对个人权益有重大影响的个人信息处理活动。
(一)处理敏感个人信息;
(二)利用个人信息进行自动化决策;
(三)委托处理个人信息、向其他个人信息处理者提供个人信息、公开个人信息;
(四)向境外提供个人信息;
(五)其他对个人权益有重大影响的个人信息处理活动。
第五十六条
个人信息保护影响评估应当包括下列内容:
(一)个人信息的处理目的、处理方式等是否合法、正当、必要;
(二)对个人权益的影响及安全风险;
(三)所采取的保护措施是否合法、有效并与风险程度相适应。
个人信息保护影响评估报告和处理情况记录应当至少保存三年。
(一)个人信息的处理目的、处理方式等是否合法、正当、必要;
(二)对个人权益的影响及安全风险;
(三)所采取的保护措施是否合法、有效并与风险程度相适应。
个人信息保护影响评估报告和处理情况记录应当至少保存三年。
第五十七条
发生或者可能发生个人信息泄露、篡改、丢失的,个人信息处理者应当立即采取补救措施,并通知履行个人信息保护职责的部门和个人。通知应当包括下列事项:
(一)发生或者可能发生个人信息泄露、篡改、丢失的信息种类、原因和可能造成的危害;
(二)个人信息处理者采取的补救措施和个人可以采取的减轻危害的措施;
(三)个人信息处理者的联系方式。
(一)发生或者可能发生个人信息泄露、篡改、丢失的信息种类、原因和可能造成的危害;
(二)个人信息处理者采取的补救措施和个人可以采取的减轻危害的措施;
(三)个人信息处理者的联系方式。
第五十八条
提供重要互联网平台服务、用户数量巨大、业务类型复杂的个人信息处理者,应当履行下列义务:
(一)按照国家规定建立健全个人信息保护合规制度体系,成立主要由外部成员组成的独立机构对个人信息保护情况进行监督;
(二)遵循公开、公平、公正的原则,制定平台规则,明确平台内产品或者服务提供者处理个人信息的规范和保护个人信息的义务;
(三)对严重违反法律、行政法规处理个人信息的平台内的产品或者服务提供者,停止提供服务;
(四)定期发布个人信息保护社会责任报告,接受社会监督。
(一)按照国家规定建立健全个人信息保护合规制度体系,成立主要由外部成员组成的独立机构对个人信息保护情况进行监督;
(二)遵循公开、公平、公正的原则,制定平台规则,明确平台内产品或者服务提供者处理个人信息的规范和保护个人信息的义务;
(三)对严重违反法律、行政法规处理个人信息的平台内的产品或者服务提供者,停止提供服务;
(四)定期发布个人信息保护社会责任报告,接受社会监督。
第五十九条
接受委托处理个人信息的受托人,应当依照本法和有关法律、行政法规的规定,采取必要措施保障所处理的个人信息的安全,并协助个人信息处理者履行本法规定的义务。
第六章 履行个人信息保护职责的部门
第六十条
国家网信部门负责统筹协调个人信息保护工作和相关监督管理工作。国务院有关部门依照本法和有关法律、行政法规的规定,在各自职责范围内负责个人信息保护和监督管理工作。
第六十一条
履行个人信息保护职责的部门履行下列个人信息保护职责:
(一)开展个人信息保护宣传教育,指导、监督个人信息处理者开展个人信息保护工作;
(二)接受、处理与个人信息保护有关的投诉、举报;
(三)组织对应用程序等个人信息保护情况进行测评,并公布测评结果;
(四)调查、处理违法个人信息处理活动;
(五)法律、行政法规规定的其他职责。
(一)开展个人信息保护宣传教育,指导、监督个人信息处理者开展个人信息保护工作;
(二)接受、处理与个人信息保护有关的投诉、举报;
(三)组织对应用程序等个人信息保护情况进行测评,并公布测评结果;
(四)调查、处理违法个人信息处理活动;
(五)法律、行政法规规定的其他职责。
第六十二条
国家网信部门统筹协调有关部门依据本法推进下列个人信息保护工作:
(一)制定个人信息保护具体规则、标准;
(二)针对小型个人信息处理者、处理敏感个人信息以及人脸识别、人工智能等新技术、新应用,制定专门的个人信息保护规则、标准;
(三)支持研究开发和推广应用安全、方便的电子身份认证技术,推进网络身份认证公共服务建设;
(四)推进个人信息保护社会化服务体系建设,支持有关机构开展个人信息保护评估、认证服务;
(五)完善个人信息保护投诉、举报工作机制。
(一)制定个人信息保护具体规则、标准;
(二)针对小型个人信息处理者、处理敏感个人信息以及人脸识别、人工智能等新技术、新应用,制定专门的个人信息保护规则、标准;
(三)支持研究开发和推广应用安全、方便的电子身份认证技术,推进网络身份认证公共服务建设;
(四)推进个人信息保护社会化服务体系建设,支持有关机构开展个人信息保护评估、认证服务;
(五)完善个人信息保护投诉、举报工作机制。
第六十三条
履行个人信息保护职责的部门履行个人信息保护职责,可以采取下列措施:
(一)询问有关当事人,调查与个人信息处理活动有关的情况;
(二)查阅、复制当事人与个人信息处理活动有关的合同、记录、账簿以及其他有关资料;
(三)实施现场检查,对涉嫌违法的个人信息处理活动进行调查;
(四)检查与个人信息处理活动有关的设备、物品。
(一)询问有关当事人,调查与个人信息处理活动有关的情况;
(二)查阅、复制当事人与个人信息处理活动有关的合同、记录、账簿以及其他有关资料;
(三)实施现场检查,对涉嫌违法的个人信息处理活动进行调查;
(四)检查与个人信息处理活动有关的设备、物品。
第六十四条
履行个人信息保护职责的部门在履行职责中,发现个人信息处理活动存在较大风险或者发生个人信息安全事件的,可以按照规定的权限和程序对该个人信息处理者的法定代表人或者主要负责人进行约谈,或者要求个人信息处理者委托专业机构对其个人信息处理活动进行合规审计。
第六十五条
任何组织、个人有权对违法个人信息处理活动向履行个人信息保护职责的部门进行投诉、举报。收到投诉、举报的部门应当依法及时处理,并将处理结果告知投诉、举报人。
履行个人信息保护职责的部门应当公布接受投诉、举报的联系方式。
履行个人信息保护职责的部门应当公布接受投诉、举报的联系方式。
第七章 法律责任
第六十六条
违反本法规定处理个人信息,或者处理个人信息未履行本法规定的个人信息保护义务的,由履行个人信息保护职责的部门责令改正,给予警告,没收违法所得,对违法处理个人信息的应用程序,责令暂停或者终止提供服务;拒不改正的,并处一百万元以下罚款;对直接负责的主管人员和其他直接责任人员处一万元以上十万元以下罚款。
有前款规定的违法行为,情节严重的,由省级以上履行个人信息保护职责的部门责令改正,没收违法所得,并处五千万元以下或者上一年度营业额百分之五以下罚款,并可以责令暂停相关业务或者停业整顿、通报有关主管部门吊销相关业务许可或者吊销营业执照;对直接负责的主管人员和其他直接责任人员处十万元以上一百万元以下罚款,并可以决定禁止其在一定期限内担任相关企业的董事、监事、高级管理人员和个人信息保护负责人。
有前款规定的违法行为,情节严重的,由省级以上履行个人信息保护职责的部门责令改正,没收违法所得,并处五千万元以下或者上一年度营业额百分之五以下罚款,并可以责令暂停相关业务或者停业整顿、通报有关主管部门吊销相关业务许可或者吊销营业执照;对直接负责的主管人员和其他直接责任人员处十万元以上一百万元以下罚款,并可以决定禁止其在一定期限内担任相关企业的董事、监事、高级管理人员和个人信息保护负责人。
第六十七条
有本法规定的违法行为的,依照有关法律、行政法规的规定记入信用档案,并予以公示。
第六十八条
国家机关不履行本法规定的个人信息保护义务的,由其上级机关或者履行个人信息保护职责的部门责令改正;对直接负责的主管人员和其他直接责任人员依法给予处分。
第六十九条
处理个人信息侵害个人信息权益造成损害,个人信息处理者不能证明自己没有过错的,应当承担损害赔偿等侵权责任。
前款规定的损害赔偿责任按照个人因此受到的损失或者个人信息处理者因此获得的利益确定;个人因此受到的损失和个人信息处理者因此获得的利益难以确定的,根据实际情况确定赔偿数额。
前款规定的损害赔偿责任按照个人因此受到的损失或者个人信息处理者因此获得的利益确定;个人因此受到的损失和个人信息处理者因此获得的利益难以确定的,根据实际情况确定赔偿数额。
第七十条
个人信息处理者违反本法规定处理个人信息,侵害众多个人的权益的,人民检察院、法律规定的消费者组织和由国家网信部门确定的组织可以依法向人民法院提起诉讼。
第七十一条
违反本法规定,构成违反治安管理行为的,依法给予治安管理处罚;构成犯罪的,依法追究刑事责任。
第八章 附则
第七十二条
自然人因个人或者家庭事务处理个人信息的,不适用本法。
法律对各级人民政府及其有关部门组织实施的统计、档案管理活动中的个人信息处理有规定的,适用其规定。
法律对各级人民政府及其有关部门组织实施的统计、档案管理活动中的个人信息处理有规定的,适用其规定。
第七十三条
本法下列用语的含义:
(一)个人信息处理者,是指在个人信息处理活动中自主决定处理目的、处理方式的组织、个人。
(二)自动化决策,是指通过计算机程序自动分析、评估个人的行为习惯、兴趣爱好或者经济、健康、信用状况等,并进行决策的活动。
(三)去标识化,是指个人信息经过处理,使其在不借助额外信息的情况下无法识别特定自然人的过程。
(四)匿名化,是指个人信息经过处理无法识别特定自然人且不能复原的过程。
(一)个人信息处理者,是指在个人信息处理活动中自主决定处理目的、处理方式的组织、个人。
(二)自动化决策,是指通过计算机程序自动分析、评估个人的行为习惯、兴趣爱好或者经济、健康、信用状况等,并进行决策的活动。
(三)去标识化,是指个人信息经过处理,使其在不借助额外信息的情况下无法识别特定自然人的过程。
(四)匿名化,是指个人信息经过处理无法识别特定自然人且不能复原的过程。
第七十四条
本法自2021年11月1日起施行。
