PIPL (English)

Personal Information Protection Law (English translation) 

个人信息保护法

Chapter 1 General Provisions

Article 1

This Law is enacted in accordance with the Constitution to protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information.

Article 2  

The personal information of natural persons is protected by law, and no organization or individual may infringe upon the personal information rights of any natural person.

Article 3 

This Law shall apply to the processing of the personal information of natural persons within the territory of the People’s Republic of China.

This Law shall also apply to the activities carried out outside the territory of the People’s Republic of China to process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:

1. When the purpose is to provide products or services to domestic natural persons;

2. When the purpose is to analyze and evaluate the activities of domestic natural persons; and

3. Any other circumstances provided by laws and administrative regulations.

Article 4  

Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.

Processing of personal information includes the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.

Article 5

Personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed by misleading, fraud, coercion, or other means.

Article 6

Processing of personal information shall be for a definite and reasonable purpose, shall be directly related to the purpose of processing, and shall be processed in a manner that has the least impact on individual rights and interests.

Collection of personal information shall be limited to the minimum scope for the purpose of processing and shall not be excessively collected.

Article 7 

Processing of personal information shall follow the principles of openness and transparency, disclose the rules for processing personal information, and expressly indicate the purpose, manner, and scope of processing.

Article 8 

When processing personal information, the quality of personal information shall be ensured to avoid adverse effects on personal rights and interests caused by inaccurate and incomplete personal information.

Article 9  

Personal information processors shall be responsible for their processing of personal information and take necessary measures to ensure the security of the personal information processed.

Article 10

No organization or individual may illegally collect, use, process, or transmit other people’s personal information, or illegally trade, provide, or disclose other people’s personal information, or engage in the processing of personal information that endangers the national security or public interests.

Article 11 

The State establishes a sound personal information protection system, prevent and punish the infringement of personal information rights and interests, strengthen the publicity and education on personal information protection, and promote the formation of a good environment for the government, enterprises, relevant social organizations and the public to jointly participate in personal information protection.

Article 12 

The State actively participates in the formulation of international rules for personal information protection, promotes the international exchange and cooperation in personal information protection, and drives the mutual recognition of the rules and standards for personal information protection with other countries, regions, and international organizations.

Chapter 2: Rules for Processing Personal Information

Section 1 General Provisions

Article 13

Personal information processors may process personal information only if one of the following circumstances is met:

(1) Personal consent is obtained;
(2) It is necessary for the conclusion and performance of a contract in which the individual is a party, or to implement human resource management in accordance with labor rules and regulations established in accordance with the law and the collective contract signed in accordance with the law;
(3) It is necessary to perform statutory duties or statutory obligations;
(4) It is necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in an emergency;
(5) It is necessary to carry out news reports, public opinion supervision and other acts for the public interest, and handle personal information within a reasonable scope;
(6) The personal information is disclosed by individuals or other legally disclosed personal information is processed within a reasonable scope in accordance with the provisions of this Law; and
(7) other circumstances stipulated by laws and administrative regulations.

Individual consent shall be obtained for the processing of personal information stipulated in the other clauses of this Law, but in the circumstances specified in the preceding paragraph from 2 to 7, the individual’s consent is not required.

Article 14

Where the processing of personal information is based on the consent of the individual concerned, such consent shall be given by the individual concerned in a voluntary and explicit manner in the condition of full knowledge. If laws and administrative regulations provide that the processing of personal information shall be subject to the individual’s separate consent or written consent, such provisions shall prevail.

If the purpose or method of processing personal information or the type of personal information to be processed changes, the individual’s consent shall be obtained again.

Article 15

Where the processing of personal information is based on the individual's consent, the individual has the right to withdraw consent. The personal information processor shall provide convenient means to withdraw consent.
The withdrawal of an individual's consent will not affect the validity of personal information processing activities that have been carried out based on the individual's prior consent before withdrawal.

Article 16  

Personal information processors may not refuse to provide products or services on the grounds that individuals do not agree to the processing of their personal information or withdraw their consent; unless processing personal information is necessary for the provision of products or services.

Article 17

Before processing personal information, personal information processors shall truthfully, accurately, and completely inform individuals of the following matters in a conspicuous manner and in clear and easy-to-understand language:

(1) The name or name and contact information of the personal information processor;
(2) Purpose of processing personal information, processing method, type of personal information processed, and retention period;
(3) Methods and procedures for individuals to exercise their rights under this law;
(4) Other matters that should be notified by laws and administrative regulations.
If there is a change in the matters specified in the preceding paragraph, the individual shall be notified of the change.

Article 18

When processing personal information in circumstances where laws and administrative regulations require confidentiality, processors may not notify individuals of the matters specified in the first paragraph of the preceding article.

In an emergency, if it is impossible to notify individuals in a timely manner to protect the life, health and property safety of natural persons, the personal information processor shall promptly notify the individual after the emergency is eliminated.

Article 19 

Unless otherwise provided by laws and administrative regulations, the retention period of personal information shall be the minimum necessary to achieve the processing purpose, except for where the retention period of personal information is otherwise provided for in laws and administrative regulations.

Article 20

Where two or more personal information processors jointly determine the purpose and method of processing personal information, they shall agree on their respective rights and obligations. However, this agreement does not affect the individual's request to any one of the personal information processors to exercise the rights stipulated in this law.
Where personal information processors jointly process personal information and infringe upon the rights and interests of personal information and cause damages, they shall bear joint and several liability in accordance with the law.

Article 21

If a personal information processor entrusts the processing of personal information to others, it shall agree with the entrusted party on the purpose, time limit, processing method, types of personal information, protection measures, and the rights and obligations of both parties, etc., and supervise the personal information processing activities of the entrusted party.

The entrusted party shall process personal information as agreed and shall not process personal information beyond the agreed purpose and method of processing. If the contract is invalidated, invalid, revoked or terminated, the entrusted party shall return the personal information to the personal information processor or delete the personal information, and shall not retain the personal information.

Without the consent of the personal information processor, the entrusted party shall not further delegate the processing of personal information to others.

Article 22

If a personal information processor needs to transfer personal information due to reasons such as merger, division, dissolution, or being declared bankrupt, it shall inform the individual of the name and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. Where the recipient changes the original purpose and method of processing, it shall obtain the individual’s consent anew in accordance with this Law.

Article 23

If a personal information processor provides other personal information processors with the personal information it processes, it shall inform the individual of the name and contact information of the third party, purpose and method of processing and type of personal information, and shall obtain his/her separate consent. The party receiving personal information shall process personal information within the scope of the above purpose and method of processing and type of personal information. Where the party receiving personal information changes the original purpose and method of processing, it shall inform the individual and obtain his/her consent again in accordance with this Law.

Article 24

Personal information processors who use personal information to make automated decision-making shall ensure the transparency of decision-making and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions.

Where business marketing and information push are carried out through automatic decision-making, options not based on his/her personal characteristics shall be provided at the same time, or a convenient way for individuals to reject shall be provided.

If automated decision-making methods are used to make decisions that have a major impact on personal rights and interests, individuals have the right to request personal information processors explain, and the right to refuse personal information processors making decisions only through automated decision-making methods.

Article 25  

A personal information processor shall not disclose the personal information it processes, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations.

Article 26

Image capturing and personal identification equipment installed in public places for maintaining public security, shall comply with relevant provisions of the State, and prominent signs shall be installed. Personal images and personal identifiable information collected may only be used for the purpose of maintaining public security and shall not be used for other purposes, unless the individual’s consent is obtained.

Article 27  

Personal information processors may, within a reasonable range, process personal information that has been disclosed by individuals themselves or other lawfully disclosed personal information, except where the individual explicitly refuses. Personal information processors shall obtain the consent of individuals in accordance with the provisions of this Law if the processing of disclosed personal information has a major impact on the rights and interests of individuals.

Section 2: Rules for handling sensitive personal information

Article 28

Sensitive personal information is personal information that, once leaked or used illegally, can easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, Information such as whereabouts, as well as personal information of minors under the age of fourteen.
Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.

Article 29

Individual consent should be obtained for processing sensitive personal information. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to written consent, such provisions shall prevail.

Article 30

When processing sensitive personal information, personal information processors shall inform the individual of the necessity of processing sensitive personal information and the impacts on the individual’s right and interest, in addition to the matters prescribed in Paragraph 1 of Article 17 thereof, except those that may not be notified to individuals in accordance with the provisions of this Law.

Article 31

If a personal information processor knows or should know that the personal information it processes is the personal information of a minor below the age of 14, it shall obtain the consent of the minor’s parent or other guardians

Personal information processors who process the personal information of minors under the age of fourteen shall formulate special personal information processing rules.

Article 32

Where laws and administrative regulations stipulate that the processing of sensitive personal information should obtain relevant administrative licenses or impose other restrictions, those provisions shall be followed.

Section 3 Special Provisions on the Handling of Personal Information by State Organs

Article 33

This Law shall apply to the activities of a State organ to process personal information; where there are special provisions in this Section, the provisions of this Section shall apply.

Article 34

In order to perform statutory duties, state agencies shall process personal information in accordance with the powers and procedures prescribed by laws and administrative regulations, and shall not exceed the scope and limits necessary to perform statutory duties.

Article 35 

State agencies shall perform their notification obligations in accordance with the provisions of this Law when processing personal information in order to perform their statutory duties; except under the circumstances specified in the first paragraph of Article 18 of this Law, or if notification would prevent the state agencies from performing their statutory duties.

Article 36  

Personal information processed by state agencies shall be stored within the territory of the People's Republic of China; where it is necessary to provide such information to an overseas party, a security assessment shall be conducted. Relevant departments may be required to provide support and assistance for security assessment.

Article 37

The provisions of this law on personal information processed by State agencies shall apply for personal information processing by organizations authorized by laws and regulations with the function of managing public affairs to perform statutory duties.

Chapter 3: Rules for Cross-border Provision of Personal Information

Article 38 

If a personal information processor really needs to provide personal information outside the People’s Republic of China due to business needs, it shall meet one of the following conditions:
(1) Pass the security assessment organized by the State Cyberspace Administration in accordance with the provisions of Article 40 of this Law;
(2) Conduct personal information protection certification by a professional organization in accordance with the regulations of the national cyberspace administration;
(3) Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration department, stipulating the rights and obligations of both parties;
(4) Other conditions stipulated by laws, administrative regulations or the national cyberspace administration department.

Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside the territory of the People’s Republic of China, such provisions may be complied with.

Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.

Article 39

When a personal information processor provides personal information outside the territory of the People’s Republic of China, it shall inform the individual of such matters as the name or name of the overseas recipient, contact information, processing purpose, processing method, types of personal information, and the way and procedure for the individual to exercise the rights prescribed herein against the overseas recipient, and shall obtain the individual’s separate consent.

Article 40

Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations, or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.

Article 41

The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or participated in by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China. Without the approval of the competent authority of the People’s Republic of China, personal information processor shall not provide the personal information stored within the territory of the People’s Republic of China to judicial or law enforcement agencies outside of the territory of the People’s Republic of China.

Article 42

For any overseas organization or individual whose personal information processing activities damage the personal information rights and interests of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the State cyberspace administration may include such overseas organization or individual in the list of restricted or prohibited provision of personal information, announce the same, and take measures such as restricting or prohibiting the provision of personal information to such overseas organization or individual.

Article 43

Where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the People’s Republic of China in respect of the protection of personal information, the People’s Republic of China may, as the case may be, take reciprocal measures against such country or region.

Chapter 4: Individual's Rights in Personal Information Processing Activities

Article 44  

Individuals have the right to know and make decisions regarding the processing of their personal information, and the right to restrict or refuse the processing of their personal information by others; unless otherwise provided by laws and administrative regulations.

Article 45 

Individuals have the right to consult and copy their personal information from personal information processors; except in the circumstances specified in Article 18, paragraph 1, and Article 35 of this law.
When an individual requests to view or copy his personal information, the personal information processor shall provide it in a timely manner.
Individuals requesting the transfer of personal information to their designated personal information processor, and the personal information processor shall provide the means for the transfer if the conditions specified by State cyberspace administration are met.

Article 46 

If an individual discovers that his personal information is inaccurate or incomplete, he has the right to request the personal information processor to correct or supplement it.
Where an individual requests correction or supplement of his personal information, the personal information processor shall verify his personal information and make corrections and supplements in a timely manner.

Article 47

In any of the following circumstances, the personal information processor shall take the initiative to delete personal information; if the personal information processor has not deleted, the individual has the right to request deletion:
(1) The processing purpose has been achieved, cannot be achieved, or is no longer necessary to achieve the processing purpose;
(2) The personal information processor ceases to provide products or services, or the retention period has expired;
(3) An individual withdraws their consent;
(4) The personal information processor violates laws, administrative regulations, or violates the agreement to handle personal information;
(5) any other circumstance stipulated by laws and administrative regulations.
If the retention period stipulated by laws and administrative regulations has not expired, or the deletion of personal information is technically difficult to achieve, the personal information processor shall stop processing other than storing and adopting necessary security protection measures.

Article 48 

Individuals have the right to request personal information processors to explain their personal information processing rules.

Article 49 

In the event of a natural person's death, his close relatives may, for their own lawful and legitimate interests, exercise the rights of consulting, copying, correcting, and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless the deceased had otherwise arranged before his/her death.

Article 50  

Personal information processors shall establish a convenient and convenient mechanism for the acceptance and processing applications by individuals to exercise their rights. If an individual's request to exercise his rights is rejected, the reasons shall be explained.
Where a personal information processor refuses an individual’s request to exercise his rights, the individual may file a lawsuit in a people’s court in accordance with the law.

Chapter 5: Personal Information Processor’s Obligations

Article 51

A personal information processor shall take the following measures to ensure that personal information processing activities comply with laws and administrations in accordance with the processing purposes, processing methods, types of personal information, impact on personal rights and interests, and possible security risks, etc. Regulations, and prevent unauthorized access and personal information leakage, tampering, and loss:
(1) Formulate internal management systems and operating procedures;
(2) Implement classified management of personal information;
(3) Adopt corresponding security technical measures such as encryption and de-identification;
(4) Reasonably determine the operating authority for personal information processing, and regularly conduct safety education and training for practitioners;
(5) Formulate and organize the implementation of emergency plans for personal information security incidents;
(6) other measures stipulated by laws and administrative regulations.

Article 52

When the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor should designate a person in charge of personal information protection to be responsible for supervising personal information and the adopted protection measures.
The personal information processor shall disclose the contact information of the person in charge of personal information protection, and submit the name and contact information of the person in charge of personal information protection to the department performing personal information protection duties.

Article 53 

Personal information processors outside of the People’s Republic of China as specified in the second paragraph of Article 3 of this Law shall establish specialized agencies or designated representatives within the territory of the People’s Republic of China. The name or representative’s name, contact information, etc. shall be submitted to the department performing personal information protection duties.

Article 54  

Personal information processors shall regularly conduct compliance audits of their processing of personal information in compliance with laws and administrative regulations.

Article 55

In any of the following circumstances, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing situation:
(1) When processing sensitive personal information;
(2) When using personal information to make automated decision-making;
(3) When entrusting the processing of personal information, provide personal information to other personal information processors, and disclose personal information;
(4) When providing personal information abroad;
(5) When other personal information processing activities that have a significant impact on personal rights and interests.

Article 56

The personal information protection impact assessment shall include the following:
(1) Whether the processing purpose and processing method of personal information are legal, proper and necessary;
(2) Impact on personal rights and security risks;
(3) Whether the protective measures adopted are legal, effective and compatible with the degree of risk.
The personal information protection impact assessment report and processing record shall be kept for at least three years.

Article 57

If personal information leakage, tampering, or loss occurs or may occur, the personal information processor shall immediately take remedial measures and notify the departments and individuals that perform personal information protection duties. The notice should include the following items:
(1) The types, reasons, and possible harms of personal information leakage, tampering, or loss occurred or may occur;
(2) Remedial measures taken by personal information processors and measures that individuals can take to mitigate harm;
(3) Contact information of the personal information processor.

If the personal information processor has taken measures to effectively avoid harm caused by information leakage, falsification, or loss, it may opt not to notify the individuals; however, if the department performing duties of personal information protection believes harm shall be caused, it may require the personal information processor to notify the individuals thereof.

Article 58

Personal information processors that provide large Internet platform services, have a large number of users, and a complex type of personal information shall perform the following obligations:
(1) Establish and improve the personal information protection compliance system in accordance with national regulations, and establish an independent organization mainly composed of external members to supervise the protection of personal information;
(2) Follow the principles of openness, fairness, and justice, formulate platform rules, and clarify the standards for the processing of personal information by product or service providers on the platform and their obligations to protect personal information;
(3) Stop providing services to product or service providers in platforms that deal with personal information in serious violation of laws and administrative regulations;
(4) Regularly publish social responsibility reports on personal information protection and accept social supervision.

Article 59

The party entrusted to process personal information shall fulfill the relevant obligations prescribed by this Law and other relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist personal information processors to fulfill their obligations under this Law.

Chapter 6: Departments Performing Personal Information Protection Duties

Article 60

The state cyberspace administration is responsible for coordinating the protection of personal information and relevant supervision and administration work; and relevant departments under the State Council are responsible for protecting, supervising, and administering personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

The duties of relevant departments of local people’s governments at or above the county level in protecting, supervising, and administering personal information shall be determined in accordance with relevant provisions of the State.

The departments mentioned in the preceding two paragraphs are collectively referred to as the departments performing duties of personal information protection.

Article 61

Departments that perform personal information protection duties shall perform the following:
(1) Carry out personal information protection publicity and education, guide and supervise personal information processors to carry out personal information protection work;
(2) Accept and process complaints and reports related to the protection of personal information;
(3) Organize the evaluation of the protection of personal information such as applications, and publishing the evaluation results;
(4) Investigate and handle illegal personal information processing activities;
(5) Other duties stipulated by laws and administrative regulations.

Article 62

The state cyberspace administration shall coordinate relevant departments to promote the following personal information protection work in accordance with this Law as follows:
(1) Formulate specific rules and standards for personal information protection;
(2) Formulate special personal information protection rules and standards for small personal information processors, processing sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;
(3) Support the research, development and promotion of safe and convenient electronic identity authentication technology, and promote the construction of public services for network identity authentication;
(4) Promote the construction of a social service system for personal information protection, and support relevant agencies to carry out personal information protection evaluation and certification services;
(5) Improve the working mechanism for personal information protection complaints and reports.

Article 63

Departments that perform personal information protection duties may take the following measures when performing these duties:
(1) Inquire about relevant parties and investigating situations related to personal information processing activities;
(2) Consult and copy the parties' contracts, records, account books and other relevant materials related to personal information processing activities;
(3) Conduct on-site inspections and investigate suspected illegal personal information processing activities;
(4) Inspect equipment and articles related to personal information processing activities; if there is evidence to prove that they are used for illegal personal information processing activities, a written report shall be submitted to the principal responsible person of the department and approved, and they may be sealed up or seized.
Departments performing personal information protection duties will perform their duties in accordance with the law, and the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct.

Article 64

Departments that perform personal information protection duties, in performing their duties, find that personal information processing activities are at a high risk or if personal information security incidents occur, they may act as the legal representative of the personal information processor in accordance with the prescribed authority and procedures. The person or the main person in charge conducts an interview, or requires the personal information processor to entrust professional institutions to conduct a compliance audit of its personal information processing activities. Personal information processors shall take measures as required to carry out rectifications and eliminate hidden dangers.
Departments that perform personal information protection duties, in performing their duties, find that the illegal handling of personal information is suspected of committing a crime, it shall promptly transfer it to the public security agency for handling in accordance with the law.

Article 65

Any organization or individual has the right to lodge a complaint or report on illegal personal information processing activities to the department performing personal information protection duties. The department that receives the complaint or report shall handle it in a timely manner in accordance with the law, and notify the complaint or reporter of the results of the handling.
Departments performing personal information protection duties shall publish the contact information for accepting complaints and reports.

Chapter 7: Legal Liability

Article 66 

Where personal information is processed in violation of the provisions hereof, or personal information is processed without fulfilling the personal information protection obligations stipulated in this Law, the departments performing duties of personal information protection shall order the processor to make rectification, give a warning and confiscate its illegal gains, or order the application that illegally processing personal information to suspend or terminate the provision of services; if rectification is refused, a fine of not more than RMB 1 million shall be imposed concurrently on the processor; and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge of the processor and other directly liable persons.

If an illegal act specified in the preceding paragraph is committed and the circumstances are serious, the departments performing duties of personal information protection at or above the provincial level shall order the processor to make rectification, confiscate its illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license; and a fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons, and such persons may also be prohibited from serving as directors, supervisors, senior managers, and persons in charge of personal information protection of relevant enterprises for a certain period of time.

Article 67 

Any illegal act specified in this Law shall be recorded in the credit archives in accordance with the provisions of the relevant laws and administrative regulations and shall be disclosed to the public.

Article 68

Where a state organ fails to perform its obligations of protecting personal information as specified in this Law, its superior organ or the department performing the duties of personal information protection shall order it to make rectification, and impose sanctions on the person directly in charge and other directly liable persons according to law.

Where the staff of departments responsible for personal information protection guilty of dereliction of duties, abusing official powers, or malpractice for personal gain but yet to constitute a crime, they shall be punished pursuant to the law.

Article 69

If the right and interests of personal information are infringed upon due to personal information processing and cause damages, and the personal information processor cannot prove that it is not at fault, it shall bear the tort liability for damages.

Liability for damages prescribed in the preceding paragraph shall be borne in light of the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor; if the losses thus caused to the individuals concerned or the benefits thus obtained by the personal information processor are difficult to be determined, the people’s court shall determine the amount of compensation according to the actual circumstances.

Article 70

If a personal information processor processes personal information in violation of the provisions of this Law, which infringes upon the rights and interests of a large number of individuals, the people’s procuratorate, the consumer organizations specified by law and the organization determined by the state cyberspace administration may file a lawsuit with the people’s court in accordance with the law.

Article 71

Where a violation of the provisions of this Law constitutes a violation of public security administration, a public security administration punishment shall be imposed in accordance with the law; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Chapter 8 Supplementary Provisions

Article 72 

This law does not apply to natural persons handling personal information for personal or family affairs.
Where the law has provisions on the handling of personal information in statistics and archives management activities organized and implemented by the people's governments at all levels and their relevant departments, those provisions shall apply.

Article 73 

For the purposes of this Law, the following terms are defined as follows:

(1) A personal information processor is any organization or individual that independently determines the purpose and method of processing in personal information processing activities.
(2) Automated decision-making refers to the activities of automatically analyzing and evaluating personal behavior habits, hobbies, or economic, health, and credit status through computer programs, and making decisions.
(3) De-identification refers to the process of processing personal information in such a way as to make it impossible to identify a specific natural person without resorting to additional information.
(4) Anonymization refers to the process in which personal information is made impossible to identify with a natural person and cannot be restored.

Article 74

This law shall come into force as of November 1, 2021.

Still need help? Contact Us Contact Us