Audit model: Compliance Checklist for China’s Personal Information Protection Law (PIPL)
The long-awaited and closely watched Personal Information Protection Law of China (the “PIPL”) was adopted on 20 August 2021 by the Standing Committee of the National People’s Congress. This landmark data protection regulation came into effect on 1 November 2021. As the basic law for personal information protection in China, the PIPL clarifies the rules for processing personal information, the obligations of personal information handlers, and the rights of personal information subjects. Notably, the PIPL provides serious penalties for violations, including a fine of up to CNY 50 million (approx. USD 7.7 million) or 5% of the previous year’s annual turnover. The following PIPL Checklist is intended to help companies grasp the key points and understand what they should do next to adapt to these rules more smoothly.

1. Application Scope and Extraterritorial Reach

1.1. Assess whether your organization is processing any personal information in mainland China.

Note: “personal information” under the PIPL refers to any kind of information related to an identified or identifiable natural person, recorded electronically or otherwise, excluding information that has been anonymized.

Note: “processing” includes activities such as the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.

1.2. Assess whether your organization is conducting any of the activities below outside the territory of China while processing personal information of individuals located within China:

1. where the purpose of the activity is to provide a product or service to individuals within China; or

2. where the purpose of the activity is to analyze or assess the behavior of individuals within China.

2. General Rules for Processing Personal Information

2.1. LAWFUL BASIS - Any processing of personal information must rest on a lawful basis, for example:

1. having obtained the consent from the individual;

2. it is necessary for the conclusion or performance of a contract to which the individual is a contracting party, or it is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;

3. it is necessary for performing a statutory responsibility or statutory obligation;

4. it is necessary for responding to a public health emergency, or for protecting the life, health or property safety of a natural person in the case of an emergency;

5. the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions or any other activity for public interest purposes;

6. the personal information has already been disclosed by the individual or otherwise legally disclosed, and is processed within a reasonable scope.

2.2. CONSENT - Consent must be given voluntarily and explicitly by the individual, on the basis of full information about the processing.
2.3. CONSENT - In the event of any change to the purpose or method of processing, or to the type of personal information processed, consent shall be obtained again.
2.4. CONSENT - Provide a convenient method to withdraw consent.
2.5. CONSENT - Do not refuse to provide a product or service to individuals on the grounds that they do not consent to the processing of their personal information or that they withdraw their consent, unless the processing is necessary for providing the product or service.
2.6. PRIVACY NOTICE - Use clear and easily understood language.
2.7. PRIVACY NOTICE - Include the name or personal name and contact method of the personal information handler;
2.8. PRIVACY NOTICE - Introduce the purpose of personal information processing and the processing methods, the categories of handled personal information, and the retention period;
2.9. PRIVACY NOTICE - Provide information on the method and procedure for individuals to make rights requests;
2.10. PRIVACY NOTICE - Notify Individuals about any changes of the notice.
2.11. PROVISION TO THIRD PARTY (DATA SHARING) - Notify individuals about the name or personal name of the data recipient, its contact information, the processing purpose and method, and personal information categories.
2.12. PROVISION TO THIRD PARTY (DATA SHARING) - Separate consent from the individual shall be obtained.
2.13. PROVISION TO THIRD PARTY (DATA SHARING) - If your organization needs to transfer personal information of any individual due to a merger, division, dissolution or declared bankruptcy, the individual shall be informed of the organizational or personal name and contact information of the receiving party.
2.14. AUTOMATED DECISION-MAKING - Guarantee the transparency of the decision-making and the fairness and justice of the processing result.

Note: “Automated decision-making” refers to the use of computer programs to automatically analyze or assess individual behaviors and habits, interests and hobbies, or situations relating to finance, health, or credit status, etc., and engage in decision-making activities.

2.15. AUTOMATED DECISION-MAKING - Do not engage in unreasonable differential treatment of individuals in trading conditions such as trade price, etc.
2.16. AUTOMATED DECISION-MAKING - When using automated decision-making for notifications or commercial marketing, provide an option not to target the individual’s characteristics, or provide the individual with a convenient method to opt out.
2.17. AUTOMATED DECISION-MAKING - When automated decision-making produces decisions with a material influence on the rights and interests of the individual, provide a channel for the individual to refuse decisions made solely through automated processing.
2.18. CCTV AND FACIAL RECOGNITION TECHNOLOGY - Ensure that image collection or personal identity recognition equipment (e.g. CCTV) is installed in public venues only as required to safeguard public security and in observance of relevant laws.
2.19. CCTV AND FACIAL RECOGNITION TECHNOLOGY - Set up clear signs indicating such equipment.
2.20. CCTV AND FACIAL RECOGNITION TECHNOLOGY - Use the collected personal images and identity recognition data only for the purpose of safeguarding public security, and for no other purpose except on the basis of the individual’s separate consent.

3. Processing Sensitive Personal Information

3.1. Scope of Sensitive Personal Information - Assess whether your organization is processing any sensitive personal information in China.

Note: “sensitive personal information” means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.

3.2. Processing requirements - Have a specific purpose and sufficient necessity for processing sensitive personal information and take strict protection measures.
3.3. Processing requirements - Obtain the individual’s SEPARATE CONSENT if no other lawful basis can be relied on.
3.4. Processing requirements - Conduct a personal information protection impact assessment (“PIPIA”) in advance and make records.
3.5. Children’s Data - Assess whether any personal information of minors under the age of 14 is processed.
3.6. Children’s Data - Obtain the consent of the parent or other guardian of the minor.
3.7. Children’s Data - Establish specialized personal information processing rules (e.g., a Privacy Notice for Minors).

4. Data Governance: Personnel

4.1. Appointment of “Data Protection Officer” (DPO) - Appoint a personal information protection officer (required once the volume of personal information processed reaches the threshold set by the national cyberspace administration), who is responsible for supervising personal information processing activities and protection measures, etc.
4.2. Appointment of “Data Protection Officer” (DPO) - Disclose the contact of the personal information protection officer (e.g., in the Privacy Notice)
4.3. Appointment of “Data Protection Officer” (DPO) - Report the name and contact of the officer to the authority.
4.4. Appointment of Representative - Personal information handlers subject to the extraterritorial reach of the PIPL shall establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they process.

Note: “Personal information handler” refers to organizations and individuals that, in personal information processing activities, autonomously determine processing purposes.

4.5. Appointment of Representative - Report the name of the relevant entity or the name and contact of the representative to the authority.
5. Operation Security

5.1. Technical Measures - Adopt technical measures to ensure the security of personal information processing such as encryption and de-identification.
5.2. Technical Measures -Prevent unauthorized access as well as data breach, distortion, or loss.
5.3. Data retention - Retain personal information for the shortest period necessary to realize the purpose of the processing.
5.4. Education and Training - Conduct education and training on personal information security for employees on a regular basis (e.g., through an online training portal).
5.5. PIPIA - Conduct a personal information protection impact assessment (“PIPIA”) in advance and make records of data processing under the following circumstances:

1. processing sensitive personal information;

2. using personal information for automated decision-making;

3. entrusting others to process personal information, providing personal information to other handlers, or publicly disclosing personal information;

4. transferring personal information overseas; and

5. conducting other personal information processing activities that have a significant impact on individuals’ rights.

5.6. PIPIA - The PIPIA shall cover three main aspects:

1. whether the purpose, manner and other aspects of processing personal information are legitimate, proper and necessary;

2. the impact on individuals’ rights and interests, and the level of risk; and

3. whether the security measures adopted are legitimate, effective and appropriate to the risk level.

5.7. PIPIA - The PIPIA reports and processing records shall be retained for at least 3 years.
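Items 5.1 and 5.3 above name encryption and de-identification as technical measures and require the shortest necessary retention period. As an added example that is not part of the original checklist and is not Dastra’s code, the Python below shows one way to implement both: keyed pseudonymization of direct identifiers with HMAC-SHA256 (a separate key per processing purpose, held outside the dataset), and a scheduled purge driven by a retention deadline stored on each record. The key handling, the record layout, the purpose labels and the retention periods are assumptions chosen for illustration.

```python
"""Keyed pseudonymization plus retention-based deletion.

Added example (not Dastra's or the PIPL text's own code). The key, the
record layout, the purpose labels and the retention periods are assumed
for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    A plain hash of an email address or phone number is reversible by
    guessing, because the input space is small enough to enumerate.
    Keying the hash means an attacker who obtains only the dataset cannot
    confirm guesses, and using a different key per processing purpose
    stops two datasets from being linked through a shared token. The key
    is what makes this de-identification rather than a thin disguise, so
    it belongs in a key management service, not beside the data.
    """
    canonical = identifier.strip().lower()  # same person -> same token
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class Record:
    subject: str            # pseudonym, never the raw identifier
    purpose: str            # assumed purpose label, e.g. "order-fulfilment"
    collected_at: datetime
    retention: timedelta    # shortest period needed for this purpose

    def expires_at(self) -> datetime:
        return self.collected_at + self.retention


def ingest(raw_identifier: str, purpose: str, collected_at: datetime,
           retention: timedelta, key: bytes) -> Record:
    """Store only the pseudonym; the raw identifier never reaches the record."""
    return Record(pseudonymize(raw_identifier, key), purpose, collected_at, retention)


def purge_expired(records, now: datetime):
    """Split records into (kept, purged) by their retention deadline.

    Run this on a schedule. Deletion is driven by the deadline fixed at
    ingest, so the retention rule is enforced per record rather than by a
    one-off clean-up that depends on someone remembering to run it.
    """
    kept, purged = [], []
    for record in records:
        (purged if record.expires_at() <= now else kept).append(record)
    return kept, purged


def demo():
    """Deterministic walk-through over constructed sample records."""
    key = b"\x00" * 32  # fixed demo key; a real key is random and managed
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    records = [
        ingest("Alice@Example.com", "marketing", t0, timedelta(days=30), key),
        ingest("bob@example.com", "order-fulfilment", t0, timedelta(days=365), key),
    ]
    kept, purged = purge_expired(records, t0 + timedelta(days=60))
    return [r.purpose for r in kept], [r.purpose for r in purged]


if __name__ == "__main__":
    kept, purged = demo()
    print(f"kept: {kept}, purged: {purged}")
```

Two points worth noting when adapting this: canonicalization before hashing (trim, lower-case) decides whether two spellings of one identifier collide or not, so it must match the rule used at collection time; and the purge returns the purged records so the caller can also delete them from backups and downstream copies, which is where retention limits are most often missed.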

6. Cross-border Transfer

6.1. General Requirements (Notice, Consent and PIPIA) - Notify the individual about the data importer’s name, contact method, processing purpose, processing methods, and personal information categories, as well as ways or procedures for individuals to exercise the rights.
6.2. General Requirements (Notice, Consent and PIPIA) - Obtain the individual’s SEPARATE CONSENT if no other lawful basis can be relied on.
6.3. General Requirements (Notice, Consent and PIPIA) - Conduct a PIPIA in advance and record the processing situation.
6.4. Additional Requirements - In addition to the above general requirements, at least one of the following conditions shall also be met:

1. passing a security assessment organized by the national cyberspace administration (mandatory for critical information infrastructure operators (CIIOs) and for handlers whose processing volume reaches the threshold set by that administration);

2. undergoing personal information protection certification; or

3. concluding a contract with the data importer in accordance with a standard contract formulated by the state cyberspace administration.

6.5. Additional Requirements - Adopt necessary measures to ensure that the data importer’s processing activities meet the standard of personal information protection provided in the PIPL.
6.6. Restrictions on Data Transfer to Foreign Authorities - Do not provide personal information stored within China to foreign judicial or law enforcement agencies without the approval of the competent Chinese authorities.

7. Data Subject Rights and Procedures

7.1. Rights - Ensure individuals have the following rights:

1. the right to be informed;

2. the right to make decisions about the processing;

3. the right to restriction and objection;

4. the right to access and copy;

5. the right to rectification;

6. the right to deletion;

7. the right to data portability;

8. the right to refuse automated decision-making.

7.2. Response Procedures - Establish convenient mechanisms to deal with requests from individuals to exercise their rights.
7.3. Response Procedures - Provide an explanation if an individual’s rights request has to be rejected.

8. Compliant Contracting and Procurement

8.1. Engaging a Vendor

Sign a data processing agreement or contractual terms with the entrusted processor covering the purpose, period, and method of the entrusted processing, the type of personal information to be processed, the protection measures to be taken, and the rights and obligations of both parties, etc.;

Supervise the personal information processing activities carried out by the entrusted processor (e.g., through a data compliance audit); and

Conduct a PIPIA in advance and record the processing situation.

8.2. Obligations of vendors

Vendors accepting entrusted processing of personal information shall, in accordance with the PIPL and relevant laws and administrative regulations, take the necessary measures to safeguard the security of the personal information they process, and assist personal information handlers in fulfilling their obligations under the PIPL.

9. Data Breach and Incident Response

9.1. Response plan

Formulate security incident response plans for personal information and organize their implementation.

Prevent unauthorized access as well as personal information leaks, distortion, or loss.

9.2. Notification to individuals and authority - When a personal information breach, distortion, or loss occurs or might have occurred, the handler shall immediately take remedial measures and notify the competent authorities and the individuals concerned. The notification must include:

1. the categories of personal information that have been or may have been leaked, tampered with or lost, the reasons, and the harm that may be caused;

2. the remedial measures taken by the personal information handler and the measures individuals can take to mitigate the harm; and

3. the contact information of the handler.

9.3. Notification to individuals and authority - If the measures adopted can effectively avoid the harm caused by the breach, distortion, or loss, individuals need not be notified; however, if the authority considers that harm may have been caused, it may still require notification to individuals.
Created at:2023-03-29T10:09:34.3143217

Updated on :2023-03-29T10:14:39.2235758

License: © Creative Commons: Attribution / Non-commercial use (CC-BY-NC)

Author: Jérôme de Mercey

