China’s Personal Data Protection Law (PDPL)

The first draft of the PDPL was unveiled in October 2020. Modelled on the GDPR, it built on China’s CyberSecurity Law with a focus on offshore data privacy and protection rules and regulations. The draft sets out a number of data protection principles, stressing transparency, fairness, purpose limitation, data minimization, limited retention, data accuracy, and accountability.

Personal Information Protection Law (PIPL)

Although China already had two laws in place with regard to data protection, the CyberSecurity Law and the Data Protection Law, in November 2021 the country passed the Personal Information Protection Law (PIPL), designed to regulate online data and protect personal information. PIPL draws inspiration from the European Union’s General Data Protection Regulation (GDPR) and is enforced and administered by the Cyberspace Administration of China together with the relevant state and local government departments. The framework consists of 8 chapters and more than 70 articles. It levies heavy penalties of either $7.7 million or 5% of the previous year’s global profit. The legislation applies to all types of business activities relating to data, from collection, storage, management and usage to provision, transmission, disclosure, and deletion. All organizations outside the country that provide services and products in China, and organizations and individuals that analyze consumer behavior in the country, must abide by PIPL.

Key Definitions

Personal Information

Broadly defined to include “any information (such as video, voice, or image data) relating to any identified or identifiable natural person, notwithstanding whether it is in an electronic form or any other form, exclusive of any anonymized information.”

Sensitive Personal Information

Includes “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14.”

6 Data Protection Principles of PIPL

Collection Purpose and Means

Personal data must be collected by lawful and fair means. Data subjects must be notified about the purpose of data collection and the classes of persons to whom the data will be transferred. Also, only necessary data must be collected.

Accuracy and Retention

Steps should be taken to ensure the personal data is accurate and isn’t stored for longer than necessary.

Use

The data must only be used for the purpose it is collected unless explicit and voluntary consent is given by data subjects.

Security

Data users must take steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.

Openness

Data users must make their personal data policies and practices publicly known, including what data they hold and how they intend to use it, and must adhere to those policies.

Data Access and Correction

Data subjects must be given access to their personal data and must be allowed to make corrections whenever they think that data is inaccurate.

Regarding Consent

An individual’s consent to process their personal information is required when:

  • Sensitive personal information is processed
  • The personal information is provided by the processor to another processor
  • Personal information is transferred outside of China

Article 13 of PIPL provides the following exceptions, under which personal information may be processed without the individual’s consent when processing is:

  • Necessary to enter into or perform a contract to which the individual is a party, or necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts.
  • Necessary to perform legal responsibilities or obligations.
  • Necessary to respond to a public health emergency, or in an emergency to protect the safety of individuals’ health and property.
  • Necessary to a reasonable extent for purposes of carrying out news reporting and media monitoring in the public interest.
  • Of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope in accordance with PIPL.
  • Necessary in other circumstances as required by law.

Key Principles of PIPL

  • Unlike GDPR, China’s PIPL focuses more on personal data processing activities.
  • PIPL doesn’t allow the collection and handling of sensitive personal information unless the intended purpose is specified. Only where there is a specific purpose may personal data handlers handle sensitive data, and then only under strict protection measures. (“Handling” under PIPL refers to collecting, using, sharing, storing, transmitting, or transferring.)
  • Data handlers need to clearly and specifically disclose why they need the data and how they intend to use it.
  • Under PIPL, individuals have the right to withdraw their consent to share their personal information at any time. Organizations cannot discriminate against individuals for exercising their right to withdraw consent.
  • Individuals have the right to be informed about why their data is being collected and for how long it will be stored. Individuals also have the right to know that they can exercise their rights whenever they want, along with the contact details of the organization that is collecting their data.
  • Individuals can also request their personal data from an organization via email, PDF, or any other feasible means.
  • Individuals must have control over their data, and PIPL gives them the right to decide who has access to it.
  • Individuals also have the right to opt out and not share their personal information.
  • Under PIPL, individuals have the right to request data deletion as well as to correct and modify their data.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

©2021 All Rights Reserved. AnnexCloud