Chapter 1 General
Chapter II Rules for the Processing of Personal Information
Section I General Provisions
Section II Rules for the Processing of Sensitive Personal Information
Section III Special provisions for the processing of personal information by state organs
Chapter III Rules for the Cross-Border Provision of Personal Information
Chapter 4 The rights of individuals in the processing of personal information
Chapter V The obligations of the person handling the personal information
Chapter 6 Departments that perform the duties of protecting personal information
Chapter 7 Legal Responsibility
Chapter 8 By-laws
This Law is enacted in accordance with the Constitution in order to protect the rights and interests of personal information, regulate the processing of personal information and promote the rational use of personal information.
The personal information of natural persons shall be protected by law, and no organization or individual may infringe upon the rights and interests of natural persons.
This Law shall apply to the processing of personal information of natural persons within the territory of the People's Republic of China.
This Law shall also apply to the processing of personal information of natural persons outside the People's Republic of China in one of the following circumstances:
(1) for the purpose of providing products or services to natural persons in China;
(2) Analyzing and evaluating the conduct of natural persons in the territory;
(3) Other circumstances as prescribed by laws and administrative regulations.
Personal information is information recorded electronically or otherwise in relation to identified or identifiable natural persons, excluding information after anonymization.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion of personal information, etc.
Personal information shall be handled in accordance with the principles of legality, legitimacy, necessity and good faith, and personal information shall not be processed through misleading, fraudulent or coercive means.
The processing of personal information shall have a clear and reasonable purpose and shall be directly related to the purpose of processing, in a manner that has minimal impact on the rights and interests of individuals.
The collection of personal information shall be limited to the minimum extent for which it is processed and no excessive collection of personal information shall be permitted.
The handling of personal information shall follow the principle of openness and transparency, disclose the rules for the processing of personal information, and express the purpose, manner and scope of processing.
The handling of personal information shall ensure the quality of personal information and avoid adverse effects on the rights and interests of individuals due to inaccurate and incomplete personal information.
The person handling personal information shall be responsible for the processing activities of his personal information and take necessary measures to ensure the security of the personal information processed.
No organization or individual may illegally collect, use, process or transmit personal information of others, illegally trade in, provide or disclose personal information of others, or engage in the processing of personal information that endangers national security or the public interest.
The State shall establish and improve the system for the protection of personal information, prevent and punish acts that infringe upon the rights and interests of personal information, strengthen publicity and education on the protection of personal information, and promote the formation of a favorable environment for governments, enterprises, relevant social organizations and the public to participate in the protection of personal information.
The State shall actively participate in the formulation of international rules for the protection of personal information, promote international exchanges and cooperation in the protection of personal information, and promote mutual recognition of rules and standards for the protection of personal information with other countries, regions and international organizations.
The person handling the personal information may only process the personal information if one of the following circumstances is met:
(1) obtaining the consent of the individual;
(2) necessary for the conclusion and performance of an individual's contract as a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law;
(3) necessary to perform statutory duties or obligations;
(4) Necessary to respond to a public health emergency or, in an emergency, to protect the health of natural life and property;
(5) to carry out acts such as news reporting and supervision of public opinion for the public interest and to process personal information within a reasonable range;
(6) Handling personal information disclosed by individuals themselves or otherwise legally disclosed within reasonable limits in accordance with the provisions of this Law;
(7) Other circumstances as prescribed by laws and administrative regulations.
In accordance with other relevant provisions of this Law, the processing of personal information shall be subject to personal consent, but in case of the circumstances stipulated in the second to seventh paragraphs of the preceding paragraph, no personal consent shall be required.
Where an individual consents to the processing of personal information, the consent shall be made voluntarily and explicitly by the individual with full knowledge. Where laws and administrative regulations stipulate that the processing of personal information should be handled with the individual's individual consent or written consent, the provisions shall be made.
If there is a change in the purpose, manner and type of personal information processed for personal information, the consent of the individual shall be re-obtained.
If an individual consents to the processing of personal information, the individual shall have the right to withdraw his or her consent. The person handling the personal information should provide a convenient way to withdraw consent.
The withdrawal of an individual's consent does not affect the effectiveness of the personal information processing activities that were conducted prior to the withdrawal based on the individual's consent.
A person handling personal information may not refuse to provide products or services on the ground that he or she does not consent to the processing of his personal information or withdraws his or her consent;
Before processing personal information, a person handling personal information shall inform the individual of the following in a clear and understandable manner, in a true, accurate and complete manner:
(1) the name or name and contact details of the person handling the personal information;
(2) the purpose and mode of processing of personal information, the type of personal information processed and the duration of storage;
(3) The manner and procedure by which individuals exercise their rights under this Law;
(4) Other matters that shall be communicated as stipulated in laws and administrative regulations.
If there is a change in the matters stipulated in the preceding paragraph, the individual shall be informed of the change.
Where a person dealing with personal information informs the first paragraph of the matters stipulated in paragraph 1 by formulating rules for the processing of personal information, the processing rules shall be made public and shall be easy to consult and preserve.