Chinese Privacy Law English Text





..., li 22.08.2021

http://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm

 

 

The Law of the People's Republic of China on the Protection of Personal Information

(adopted at the 30th meeting of the Standing Committee of the 13th National People's Congress on August 20, 2021)

 

Listings

 

Chapter 1 General

Chapter II Rules for the Processing of Personal Information

Section I General Provisions

Section II Rules for the Processing of Sensitive Personal Information

Section III Special provisions for the processing of personal information by state organs

Chapter III Rules for the Cross-Border Provision of Personal Information

Chapter 4 The rights of individuals in the processing of personal information

Chapter V The obligations of the person handling the personal information

Chapter 6 Departments that perform the duties of protecting personal information

Chapter 7 Legal Responsibility

Chapter 8 By-laws





Chapter 1 General

Article 1 This Law is enacted in accordance with the Constitution in order to protect the rights and interests of personal information, regulate the processing of personal information and promote the rational use of personal information.

Article 2 The personal information of natural persons shall be protected by law, and no organization or individual may infringe upon the rights and interests of natural persons.

Article 3 This Law shall apply to the processing of personal information of natural persons within the territory of the People's Republic of China.

This Law shall also apply to the processing of personal information of natural persons outside the People's Republic of China in one of the following circumstances:

(1) for the purpose of providing products or services to natural persons in China;

(2) Analyzing and evaluating the conduct of natural persons in the territory;

(3) Other circumstances as prescribed by laws and administrative regulations.

 

Article 4 Personal information is information recorded electronically or otherwise in relation to identified or identifiable natural persons, excluding information after anonymization.

The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion of personal information, etc.

 

Article 5 Personal information shall be handled in accordance with the principles of legality, legitimacy, necessity and good faith, and personal information shall not be processed through misleading, fraudulent or coercive means.

Article 6 The processing of personal information shall have a clear and reasonable purpose and shall be directly related to the purpose of processing, in a manner that has minimal impact on the rights and interests of individuals.

The collection of personal information shall be limited to the minimum extent for which it is processed and no excessive collection of personal information shall be permitted.

Article 7 The handling of personal information shall follow the principle of openness and transparency, disclose the rules for the processing of personal information, and express the purpose, manner and scope of processing.

Article 8 The handling of personal information shall ensure the quality of personal information and avoid adverse effects on the rights and interests of individuals due to inaccurate and incomplete personal information.

Article 9 The person handling personal information shall be responsible for the processing activities of his personal information and take necessary measures to ensure the security of the personal information processed.

Article 10 No organization or individual may illegally collect, use, process or transmit personal information of others, illegally trade in, provide or disclose personal information of others, or engage in the processing of personal information that endangers national security or the public interest.

Article 11 The State shall establish and improve the system for the protection of personal information, prevent and punish acts that infringe upon the rights and interests of personal information, strengthen publicity and education on the protection of personal information, and promote the formation of a favorable environment for governments, enterprises, relevant social organizations and the public to participate in the protection of personal information.

Article 12 The State shall actively participate in the formulation of international rules for the protection of personal information, promote international exchanges and cooperation in the protection of personal information, and promote mutual recognition of rules and standards for the protection of personal information with other countries, regions and international organizations.

Chapter II Rules for the Processing of Personal Information

Section I General Provisions

Article 13 The person handling the personal information may only process the personal information if one of the following circumstances is met:

(1) obtaining the consent of the individual;

(2) necessary for the conclusion and performance of an individual's contract as a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law;

(3) necessary to perform statutory duties or obligations;

(4) Necessary to respond to a public health emergency or, in an emergency, to protect the health of natural life and property;

(5) to carry out acts such as news reporting and supervision of public opinion for the public interest and to process personal information within a reasonable range;

(6) Handling personal information disclosed by individuals themselves or otherwise legally disclosed within reasonable limits in accordance with the provisions of this Law;

(7) Other circumstances as prescribed by laws and administrative regulations.

In accordance with other relevant provisions of this Law, the processing of personal information shall be subject to personal consent, but in case of the circumstances stipulated in the second to seventh paragraphs of the preceding paragraph, no personal consent shall be required.

Article 14 Where an individual consents to the processing of personal information, the consent shall be made voluntarily and explicitly by the individual with full knowledge. Where laws and administrative regulations stipulate that the processing of personal information should be handled with the individual's individual consent or written consent, the provisions shall be made.

If there is a change in the purpose, manner and type of personal information processed for personal information, the consent of the individual shall be re-obtained.

Article 15 If an individual consents to the processing of personal information, the individual shall have the right to withdraw his or her consent. The person handling the personal information should provide a convenient way to withdraw consent.

The withdrawal of an individual's consent does not affect the effectiveness of the personal information processing activities that were conducted prior to the withdrawal based on the individual's consent.

Article 16 A person handling personal information may not refuse to provide products or services on the ground that he or she does not consent to the processing of his personal information or withdraws his or her consent;

Article 17 Before processing personal information, a person handling personal information shall inform the individual of the following in a clear and understandable manner, in a true, accurate and complete manner:

(1) the name or name and contact details of the person handling the personal information;

(2) the purpose and mode of processing of personal information, the type of personal information processed and the duration of storage;

(3) The manner and procedure by which individuals exercise their rights under this Law;

(4) Other matters that shall be communicated as stipulated in laws and administrative regulations.

If there is a change in the matters stipulated in the preceding paragraph, the individual shall be informed of the change.

Where a person dealing with personal information informs the first paragraph of the matters stipulated in paragraph 1 by formulating rules for the processing of personal information, the processing rules shall be made public and shall be easy to consult and preserve.

Article 18 If a person handling personal information handles personal information in a situation where laws and administrative regulations stipulate that it should be kept confidential or need not be informed, he may not inform the individual of the matters stipulated in the first paragraph of the preceding article.

If it is not possible to inform individuals in time in an emergency to protect the health of natural life and property, the person handling personal information shall inform them in a timely manner after the emergency has been eliminated.

Article 19 Unless otherwise provided by laws and administrative regulations, the period of preservation of personal information shall be the minimum necessary for the purpose of processing.

Article 20 Where more than two or more persons dealing with personal information jointly decide on the purpose and mode of processing of personal information, they shall agree on their respective rights and obligations. However, this agreement does not affect the right of an individual to request the exercise of the rights provided for in this Law from any of these personal information processors.

If a person who handles personal information jointly and causes damage to the rights and interests of personal information, he shall bear joint and several liabilities in accordance with the law.

Article 21 Where a person who is entrusted with the processing of personal information, he shall agree with the trustee on the purpose, duration, mode of processing, type of personal information, protective measures and the rights and obligations of both parties, and supervise the processing activities of the personal information of the trustee.

The trustee shall handle personal information in accordance with the agreement, and shall not process personal information beyond the agreed purpose or method of processing, etc.; if the entrustment contract is not effective, invalid, revoked or terminated, the trustee shall return the personal information to the person handling the personal information or delete it, and shall not retain it.

The trustee may not entrust personal information to another person without the consent of the person handling the personal information.

Article 22 If a person handling personal information needs to transfer personal information for reasons such as merger, separation, dissolution or declaration of bankruptcy, he shall inform the individual of the name or name and contact details of the recipient. The recipient shall continue to fulfill its obligations to the person handling the personal information. If the recipient changes the original purpose and manner of processing, it shall obtain the consent of the individual again in accordance with the provisions of this Law.

Article 23 Where a person who processes personal information provides personal information to other personal information processors, he shall inform the individual of the name or name of the recipient, the contact information, the purpose of processing, the mode of processing and the type of personal information, and obtain the individual's individual consent. The recipient shall process personal information within the above-mentioned purposes, methods of processing and types of personal information. If the recipient changes the original purpose and manner of processing, it shall obtain the consent of the individual again in accordance with the provisions of this Law.

Article 24 When using personal information for automated decision-making, personal information processors shall ensure that the transparency and results of decision-making are fair and just, and shall not treat individuals unreasonably differently in trading conditions such as transaction prices.

Pushing and marketing information to individuals through automated decision-making should also provide options that are not tailored to their personal characteristics, or provide individuals with convenient ways to reject them.

By making decisions that have a significant impact on the interests of individuals through automated decision-making, individuals have the right to request clarification from the person handling the personal information and the right to refuse the decision of the person handling the personal information only through automated decision-making.

Article 25 A person handling personal information may not disclose the personal information he or she processes, except with the individual's individual consent.

Article 26 The installation of image acquisition and personal identification equipment in public places shall be necessary to maintain public safety, abide by the relevant provisions of the State, and set up a prominent prompt identification. The personal images and identification information collected may only be used for the purpose of maintaining public safety and may not be used for other purposes, except with the individual's individual consent.

Article 27 A person handling personal information may, within reasonable limits, handle personal information that has been disclosed by an individual on his own or otherwise legally disclosed; If the handling of personal information that has been disclosed by the person handling the personal information that has a significant impact on the rights and interests of the individual, the person shall obtain the consent of the individual in accordance with the provisions of this Law.

Section II Rules for the Processing of Sensitive Personal Information

Article 28 Sensitive personal information is personal information, including information on biometrics, religious beliefs, specific identities, medical health, financial accounts, tracks of travel, etc., and personal information of minors under the age of 14 who, once disclosed or illegally used, is likely to lead to infringement of the personal dignity of natural persons or endangering the safety of persons and property.

Personal information processors may only process sensitive personal information if it has a specific purpose and sufficient need and strict protective measures are in place.

Article 29 The processing of sensitive personal information shall be subject to the individual's individual consent; if laws and administrative regulations stipulate that the processing of sensitive personal information should be handled with written consent, the provisions there shall be no such article.

Article 30 Where a person handling personal information handles sensitive personal information, he shall, in addition to the matters stipulated in Article 17 (1) of this Law, inform the individual of the necessity of handling sensitive personal information and the impact on his or her rights and interests;

Article 31 Where a person handling personal information is dealing with a minor under the age of 14, he shall obtain the consent of the parents or other guardians of the minor.

Where a person handling personal information is a minor under the age of 14, he shall formulate special rules for the processing of personal information.

Article 32 Where laws or administrative regulations require relevant administrative permission or other restrictions on the handling of sensitive personal information, the provisions there shall be no provisions.

Section III Special provisions for the processing of personal information by state organs

Article 33 This Law shall apply to the activities of state organs in the processing of personal information; if there are special provisions in this section, the provisions of this section shall apply.

Article 34 In order to perform its statutory duties, state organs shall handle personal information in accordance with the powers and procedures prescribed by laws and administrative regulations, and shall not exceed the necessary scope and limits for the performance of their statutory duties.

Article 35 In order to perform its statutory duties, state organs shall perform their duty of notification in accordance with the provisions of this Law, except in cases provided for in Article 18 (1) of this Law, or where notification will prevent state organs from performing their statutory duties.

Article 36 Personal information processed by state organs shall be stored within the territory of the People's Republic of China; if it is necessary to be provided abroad, a security assessment shall be carried out. The safety assessment may require the support and assistance of the relevant authorities.

Article 37 Organizations with the function of managing public affairs authorized by laws and regulations shall apply the provisions of this Law on the processing of personal information by state organs in order to perform their statutory duties.

Chapter III Rules for the Cross-Border Provision of Personal Information

Article 38 If a person handling personal information is required to provide personal information outside the People's Republic of China due to business needs, he shall have one of the following conditions:

(1) To pass the safety assessment organized by the State Internet and Information Department in accordance with the provisions of Article 40 of this Law;

(2) In accordance with the provisions of the State Internet and Communications Department, by professional institutions for personal information protection certification;

(3) To conclude a contract with an overseas receiver in accordance with the standard contract formulated by the State Internet and Communications Department and to agree on the rights and obligations of both parties;

(4) Laws, administrative regulations or other conditions prescribed by the State Internet and Communications Department.

International treaties and agreements concluded or acceded to by the People's Republic of China that provide for the provision of personal information outside the People's Republic of China may be implemented in accordance with their provisions.

The processor of personal information shall take the necessary measures to ensure that the activities of overseas recipients in processing personal information meet the standards for the protection of personal information stipulated in this Law.

Article 39 Where a person who provides personal information outside the People's Republic of China to a person, he shall inform the individual of the name or name, contact details, purpose of processing, processing methods, types of personal information and the manner and procedures by which the person exercises his rights under this Law to the overseas receiver, and obtain the individual's individual consent.

Article 40 Operators of critical information infrastructure and processors of personal information that have reached the required amount of personal information stipulated by the State Internet and Communications Department shall store the personal information collected and generated within the territory of the People's Republic of China. If it is necessary to provide it to abroad, it shall pass the security assessment organized by the state online credit department, and if the law, administrative regulations and the state internet credit department stipulate that the security assessment may not be carried out, the provisions shall be taken from it.

Article 41 The competent authorities of the People's Republic of China shall, in accordance with the relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in the territory. Without the approval of the competent authorities of the People's Republic of China, the processor of personal information may not provide personal information stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies.

Article 42 If an organization or individual from abroad engages in the processing of personal information that infringes upon the rights and interests of citizens of the People's Republic of China, or endangers the national security or public interests of the People's Republic of China, the State Internet and Communications Department may include it in the list of restrictions or prohibitions on the provision of personal information, make public announcements, and take measures such as restricting or prohibiting the provision of personal information to them.

Article 43 If any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in respect of the protection of personal information, the People's Republic of China may, in accordance with the actual situation, take re-equivalent measures against that country or region.

Chapter 4 The rights of individuals in the processing of personal information

Article 44 Individuals shall have the right to know and decide on the processing of their personal information, and shall have the right to restrict or refuse the processing of their personal information by others, unless otherwise provided by laws and administrative regulations.

Article 45 Individuals shall have the right to consult and copy their personal information to the processor of personal information, except in the case of the provisions of Article 18 (1) and Article 35 of this Law.

Where an individual requests to consult or copy his personal information, the person handling the personal information shall provide it in a timely manner.

If an individual requests the transfer of personal information to a person designated by him or her, who meets the conditions stipulated by the State Internet and Communications Department, the personal information processor shall provide a means of transfer.

Article 46 If an individual discovers that his personal information is inaccurate or incomplete, he or she shall have the right to request correction or supplement from the person handling the personal information.

If an individual requests to correct or supplement his personal information, the person handling the personal information shall verify his personal information and promptly correct or supplement it.

Article 47 If one of the following circumstances is the case, the person handling the personal information shall voluntarily delete the personal information; if the person handling the personal information is not deleted, the individual shall have the right to request the deletion:

(1) The processing purpose has been achieved, cannot be achieved or is no longer necessary to achieve the processing purpose;

(2) The person handling the personal information ceases to provide products or services, or the shelf life has expired;

(3) The individual withdraws his or her consent;

(4) The person handling personal information in violation of laws, administrative regulations or the agreement to process personal information;

(5) Other circumstances as prescribed by laws and administrative regulations.

If the period of preservation prescribed by laws and administrative regulations has not expired, or if the deletion of personal information is technically difficult to achieve, the person handling the personal information shall stop processing except for the storage and necessary security measures.

Article 48 Individuals shall have the right to request the processor of personal information to explain the rules governing the processing of personal information.

Article 49 If a natural person dies, his next of kin may, in the interest of his own lawful and legitimate interests, exercise the right to consult, copy, correct or delete the relevant personal information of the deceased as stipulated in this chapter;

Article 50 A person handling personal information shall establish a convenient mechanism for accepting and processing applications for the exercise of his or her rights. If an individual's request to exercise his or her rights is refused, the reasons shall be given.

If a person who refuses a request by an individual to exercise his rights, the individual may bring a suit in a people's court in accordance with the law.

Chapter V The obligations of the person handling the personal information

Article 51 A person handling personal information shall, in accordance with the purpose of processing personal information, the manner in which it is handled, the type of personal information and its impact on the rights and interests of individuals, and the possible security risks, take the following measures to ensure that the processing activities of personal information comply with the provisions of laws and administrative regulations, and to prevent unauthorized access and the disclosure, alteration or loss of personal information:

(1) to formulate internal management systems and operating procedures;

(2) to carry out the classification management of personal information;

(3) take corresponding security technical measures such as encryption and deconstrification;

(4) reasonably determine the operational authority for the processing of personal information, and conduct regular safety education and training for practitioners;

(5) To formulate and organize the implementation of emergency plans for personal information security incidents;

(6) Other measures prescribed by laws and administrative regulations.

Article 52 The person handling personal information that has reached the prescribed quantity by the State Internet and Communications Department shall designate the person in charge of the protection of personal information and shall be responsible for supervising the processing activities of personal information and the protective measures taken.

The person handling personal information shall disclose the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the department that performs the duty of personal information protection.

Article 53 A person handling personal information outside the People's Republic of China as stipulated in Article 3, paragraph 2, of this Law shall set up a specialized agency or designated representative within the territory of the People's Republic of China to handle matters related to the protection of personal information and submit the name of the relevant institution or the name or contact information of the representative to the department performing the duty of protecting personal information.

Article 54 A person handling personal information shall conduct a regular compliance audit of his or her handling of personal information in compliance with laws and administrative regulations.

Article 55 In any of the following cases, the person handling the personal information shall conduct an assessment of the impact of the protection of personal information in advance and record the processing situation:

(1) handling sensitive personal information;

(2) Using personal information for automated decision-making;

(3) entrusting the processing of personal information, providing personal information to other personal information processors, and disclosing personal information;

(4) providing personal information abroad;

(5) Other personal information processing activities that have a significant impact on the rights and interests of individuals.

Article 56 The impact assessment of the protection of personal information shall include the following:

(1) whether the purpose, manner, etc. of the processing of personal information is lawful, justified or necessary;

(2) The impact on the rights and interests of individuals and security risks;

(3) Whether the protective measures taken are lawful, effective and commensurate with the degree of risk.

Personal information protection impact assessment reports and records of processing should be kept for at least three years.

Article 57 If a personal information disclosure, alteration or loss of personal information occurs or may occur, the person handling the personal information shall immediately take remedial measures and notify the departments and individuals performing the duty of protecting personal information. The notification should include the following:

(1) the types, causes and possible harms of information that may occur or may occur as a result of the disclosure, alteration or loss of personal information;

(2) The remedial measures taken by the person handling the personal information and the measures that the individual may take to mitigate the harm;

(3) The contact information of the person handling the personal information.

If a person who takes measures to effectively avoid the disclosure, alteration or loss of information causing harm, the person handling personal information may not notify the individual; if the department performing the duty of personal information protection believes that it may cause harm, it shall have the right to require the person handling the personal information to notify the individual.

Article 58 Handlers of personal information that provide important Internet platform services, have a large number of users and have complex business types shall perform the following obligations:

(1) To establish and improve the system of personal information protection and compliance in accordance with the provisions of the State, and to set up an independent body composed mainly of external members to supervise the protection of personal information;

(2) To follow the principles of openness, fairness and impartiality, formulate rules for the platform, clarify the norms for the handling of personal information by products or service providers within the platform and the obligation to protect personal information;

(3) To stop providing services to products or service providers within the platforms that handle personal information in serious violation of laws and administrative regulations;

(4) Regularly issue reports on social responsibility for the protection of personal information and accept social supervision.

Article 59 Trustees who accept entrustments to process personal information shall, in accordance with this Law and the provisions of relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed and assist the processor of personal information in fulfilling their obligations under this Law.

Chapter 6 Departments that perform the duties of protecting personal information

Article 60 The State Internet and Communications Department shall be responsible for coordinating and coordinating the protection of personal information and related supervision and management. The relevant departments of the State Council shall be responsible for the protection and supervision and management of personal information within the scope of their respective duties in accordance with this Law and the relevant laws and administrative regulations.

The duties of personal information protection and supervision and management of the relevant departments of the local people's governments at or above the county level shall be determined in accordance with the relevant provisions of the State.

The departments specified in the preceding two paragraphs are collectively referred to as those that perform the duties of protecting personal information.

Article 61 The departments that perform the duties of protecting personal information perform the following duties of personal information protection:

(1) to carry out publicity and education on the protection of personal information, and to guide and supervise the processors of personal information to carry out the work of protecting personal information;

(2) Accepting and handling complaints and reports related to the protection of personal information;

(3) to organize an evaluation of the protection of personal information such as applications and publish the results of the evaluation;

(4) Investigating and handling illegal personal information processing activities;

(5) Other duties as prescribed by laws and administrative regulations.

Article 62 The State Internet and Communications Department shall coordinate the work of the relevant departments in promoting the protection of the following personal information in accordance with this Law:

(1) To formulate specific rules and standards for the protection of personal information;

(2) To formulate special rules and standards for the protection of personal information for small personal information processors, the handling of sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;

(iii) To support research and development and promote the application of secure and convenient electronic authentication technology, and to promote the construction of public services for network authentication;

(4) To promote the construction of a socialized service system for the protection of personal information, and to support relevant institutions in carrying out the assessment and certification services for the protection of personal information;

(5) Improve the mechanism for protecting complaints and reporting of personal information.

Article 63 Departments that perform the duty of protecting personal information may take the following measures to fulfill their duty of personal information protection:

(1) To inquire about the parties concerned and investigate the situation related to the processing of personal information;

(2) to consult and copy the contracts, records, books and other relevant information related to the processing activities of personal information of the parties;

(3) carrying out on-site inspections and investigating the handling of personal information suspected of being illegal;

(4) To inspect the equipment and articles related to the processing activities of personal information; to report in writing to the principal person in charge of the department and with approval, the equipment and articles that have evidence of being used in the processing activities of illegal personal information may be seized or seized.

The department performing the duty of protecting personal information shall perform its duties in accordance with the law, and the parties concerned shall assist and cooperate, and shall not refuse or obstruct it.

Article 64 If a department performing the duty of protecting personal information discovers that there is a greater risk in the processing of personal information or that a personal information security incident has occurred, it may interview the legal representative or principal person in charge of the personal information processor in accordance with the prescribed authority and procedures, or request the personal information processor to entrust a professional institution to conduct a compliance audit of his personal information processing activities. The person handling personal information shall take measures in accordance with the requirements to carry out rectification and eliminate hidden dangers.

In carrying out the duties of personal information protection, the department that performs the duties of personal information shall promptly transfer to the public security organ for handling according to law if it discovers that the illegal handling of personal information is suspected of a crime.

Article 65 Any organization or individual shall have the right to lodge a complaint or report to the department performing the duty of protecting personal information in violation of the law. The department that receives the complaint or report shall deal with the complaint and report in a timely manner according to law, and inform the complaint and the whistleblower of the result of the handling.

The department that performs the duty of protecting personal information shall publish the contact information for receiving complaints and reporting.

Chapter 7 Legal Responsibility

Article 66 Anyone who, in violation of the provisions of this Law, handles personal information or fails to fulfill the obligation to protect personal information as stipulated in this Law shall be ordered to make corrections, give warnings, confiscate illegal income, and suspend or terminate the provision of services to applications that illegally process personal information;

If there is an illegal act as stipulated in the preceding paragraph, if the circumstances are serious, the department performing the duty of protecting personal information at or above the provincial level shall order it to correct it, confiscate the illegal income, and impose a fine of not more than 50 million yuan or less than 5 percent of the turnover of the previous year, and may order the suspension of the relevant business or the suspension of business for rectification, notify the relevant competent department to revoke the relevant business license or revoke the business license; It may also be decided to prohibit him from serving as a director, supervisor, senior manager and person in charge of the protection of personal information of the relevant enterprise within a certain period of time.

Article 67 Any illegal act prescribed in this Law shall be recorded in the credit file and made public in accordance with the provisions of the relevant laws and administrative regulations.

Article 68 If a state organ fails to fulfill its obligation to protect personal information as stipulated in this Law, its higher authorities or the departments that perform the duties of personal information protection shall order it to make corrections;

If the staff member of the department performing the duty of protecting personal information neglects his duties, abuses his power or engages in fraud for personal gain, which does not constitute a crime, he shall be punished according to law.

Article 69 If the handling of personal information causes damage to the rights and interests of personal information, and the person handling personal information fails to prove that he is not at fault, he shall bear tort liability such as damages.

The liability for damages stipulated in the preceding paragraph shall be determined on the basis of the loss suffered by the individual or the benefits thus obtained by the person handling the personal information, and if the loss suffered by the individual and the benefits thus obtained by the person handling the personal information are difficult to determine, the amount of compensation shall be determined according to the actual situation.

Article 70 If a person handling personal information, in violation of the provisions of this Law, handles personal information and infringes upon the rights and interests of many individuals, the People's Procuratorate, the consumer organizations prescribed by law and the organizations determined by the State Internet and Communications Department may bring a suit in a people's court in accordance with the law.

Article 71 If a violation of the provisions of this Law constitutes a violation of public security administration, the public security administration shall be punished according to law; if it constitutes a crime, criminal responsibility shall be investigated in accordance with the law.

Chapter 8 By-laws

Article 72 This Law shall not apply to the handling of personal information by natural persons as a result of personal or family affairs.

Where the law provides for the processing of personal information in statistical and archives management activities organized by the people's governments at all levels and their relevant departments, the provisions shall apply.

Article 73 The meaning of the following terms in this Law:

(1) The person handling personal information refers to the organization or individual who decides on his own purpose and mode of processing in the processing activities of personal information.

(2) Automated decision-making refers to the activities of automatically analyzing and evaluating an individual's behavior, hobbies or economic, health, credit status, etc. through computer programs, and making decisions.

(3) De-identification refers to the process by which personal information is processed so that it cannot identify a particular natural person without the help of additional information.

(4) Anonymization refers to the process by which personal information is processed to identify a particular natural person and cannot be recovered.

Article 74 This Law shall come into effect on November 1, 2021.

 

"La formazione del personale è la soluzione più economica per ottenere maggiore sicurezza informatica" - dott. V. Spataro