【弼兴法谈】中英对照 |《个人信息保护法》的域外适用及合规建议
2021-11-16 10:10:37
2021年8月20日,经第十三届全国人大常委会第三十次会议审议,《中华人民共和国个人信息保护法》(以下简称“《个人信息保护法》”)获得通过并公布,并将于2021年11月1日起生效实施。《个人信息保护法》的实施将对我国公民的个人信息权益及各组织的数据合规带来深远的影响,其作为我国第一部关于个人信息保护的专门立法,不仅引起了国内学术界和实务届的广泛讨论,在国际上也备受关注。本文拟针对个人信息保护法的域外适用提供相应的关注要点和合规建议。
Personal Information Protection Law of the People's Republic of China ("China’s Personal Information Protection Law" or “the Law”) was passed and promulgated through deliberation during the 30th meeting of The Standing Committee of the 13th National People's Congress on August 20, 2021, and will come into effect on November 1, 2021. The implementation of China’s Personal Information Protection Law will have a profound impact on the personal information rights of citizens and data compliance of organizations in China. As the first special legislation on personal information protection in China, the Law not only aroused extensive discussions in domestic academic and practical circles, but also attracted much attention in the international arena. In this paper, we would like to provide relative key points and suggestions on law compliance aiming at the extraterritorial application of China’s Personal Information Protection Law.
一、个人信息保护法在国际背景下的意义
I. The significance of China’s Personal Information Protection Law in aninternational context
一、个人信息保护法在国际背景下的意义
I. The significance of China’s Personal Information Protection Law in aninternational context
我国《个人信息保护法》采用了综合性立法模式,对所有的个人信息处理者都发生效力,适用于各行各业。在内容上,《个人信息保护法》确立的个人信息处理基本原则、数据处理合法性基础、个人信息的分类、数据处理者的义务等基本与国际立法相互兼容,但仍有不同之处,中国的《个人信息保护法》在同意机制、数据处理合法性基础、跨境提供等方面提出了比一般国际立法更高的要求。[1]为加强数据的国际流动,在保护我国个人信息合法权益的基础上顺应国际数据流动需求,本次《个人信息保护法》还引入了个人信息跨境提供、国际制裁措施[2]等规定。
China's Personal Information Protection Law adopts a comprehensive legislative model, which takes effect for all processors of personal information and applies to all industries. In terms of content, the basic principles of processing personal information, the basis of legality of data processing, the classification of personal information, and the obligations of data processors established by the Law are basically compatible with international legislation, but there are still differences, e.g., China's Personal Information Protection Law sets higher requirements than general international legislation in terms of provisions of mechanisms for consent obtaining, the basis of determining legality of data processing, and cross-border transmission, and so on.[1] In order to enhance the international flow of data and to respond to the needs of international data flow on the basis of protecting the legitimate rights and interests of personal information in China, China’s Personal Information Protection Law also introduces provisions such as cross-border provision of personal information and international sanctions[2].
由此可知,我国《个人信息保护法》虽顺应了国际立法趋势,在框架和理念上整体与国际接轨,但在具体机制上仍有差异。涉及个人信息跨境业务的国际企业和平台就中国《个人信息保护法》的具体规定仍需作出必要研究,在此基础上探讨自身的合规机制并采取操作规程,以减少个人信息处理对企业管理和运营的风险。
Although China's Personal Information Protection Law follows the international legislative trend and is generally in line with international standards in terms of framework and concept, there are still differences in the specific mechanisms. International enterprises and platforms involved in cross-border business of personal information still need to make necessary studies on the specific provisions of China's Personal Information Protection Law, and on this basis, explore their own compliance mechanisms and take measures to reduce the risks of personal information handling on enterprise management and operation.
二、域外适用个人信息保护法的关注要点
II. Key points of the extraterritorial application of China’s Personal Information Protection Law
根据《个人信息保护法》第三条,组织、个人在中华人民共和国境内处理自然人个人信息的活动适用中国《个人信息保护法》,即信息处理活动发生地在中国境内,此情况下的个人信息不限于中国境内自然人的个人信息。此外,在中国境外处理中华人民共和国境内自然人个人信息,且有以下情形之一的,也适用中国《个人信息保护法》:①以向境内自然人提供产品或服务为目的;②分析、评估境内自然人的行为;③法律、行政法规规定的其他情形。
根据《个人信息保护法》第三十八条、第三十九条、第五十五条及第五十六条的规定,对于一般的个人信息处理者(非关键信息基础设施的运营者及处理个人信息未达到国家网信部门规定数量的个人信息处理者),数据出境的具体要求包括:
取得个人的同意为处理个人信息的合法性基础之一。除《个人信息保护法》第十三条[6]列明的其他合法性基础,大多数情况下信息处理者在取得个人的同意后方可处理个人信息。
《个人信息保护法》针对违法处理个人信息的行为规定了全面且严苛的责任追究制度,涵盖了民事、行政和刑事层面。
1.《个人信息保护法》的域外适用范围
1. The Scope of extraterritorial application of China’s Personal Information Protection Law
根据《个人信息保护法》第三条,组织、个人在中华人民共和国境内处理自然人个人信息的活动适用中国《个人信息保护法》,即信息处理活动发生地在中国境内,此情况下的个人信息不限于中国境内自然人的个人信息。此外,在中国境外处理中华人民共和国境内自然人个人信息,且有以下情形之一的,也适用中国《个人信息保护法》:①以向境内自然人提供产品或服务为目的;②分析、评估境内自然人的行为;③法律、行政法规规定的其他情形。
According to Aticle 3 of the Law, the Law applies when organizations and individuals process personal information of natural persons within the territory of the People's Republic of China, i.e., the place where the information processing activities take place is within the territory of the People's Republic of China, and the personal information in this case is not limited to the personal information of domestic natural persons within the territory of the People's Republic of China. In addition, the Law also applies to the processing of personal information of domestic natural persons of the People's Republic of China outside the territory of the People's Republic of China under any of the following circumstances: (I) where the purpose is to provide domestic natural persons with products or services; (II) where the activities of domestic natural persons are analyzed and evaluated; and (III) where otherwise prescribed by laws and administrative regulations.
对于上述中国境外的个人信息处理者,根据第五十三条规定,应当在中国境内设立专门机构或者指定代表,负责处理个人信息保护相关事务,并将有关机构的名称或者代表的姓名、联系方式等报送履行个人信息保护职责的部门。
For the above mentioned processors of personal information outside China, according to Aticle 53, they shall establish a special agency or designate a representative within the territory of the People's Republic of China to be responsible for handling matters relating to personal information protection, and they shall submit the name and contact information of the relevant agency or the representative to the authorities performing duties of personal information protection.
2.个人信息的跨境转移
2. Cross-border provision of personal information
根据《个人信息保护法》第三十八条、第三十九条、第五十五条及第五十六条的规定,对于一般的个人信息处理者(非关键信息基础设施的运营者及处理个人信息未达到国家网信部门规定数量的个人信息处理者),数据出境的具体要求包括:
According to Aticles 38, 39, 55 and 56, for general personal information processors (non-critical information infrastructure operators and personal information processors whose quantity of processing of personal information does not reach that as prescribed by the Cyberspace Administration of China ("CAC")), specific requirements for cross-border data transmission include:
1)依本法要求,采取以下方式之一[3]:①通过国家网信部门的安全评估;②个人信息保护经专业机构认证;③与境外接收方订立标准合同,约定双方的权利和义务等;
2)保障接收方处理个人信息的活动达到本法规定的个人信息保护标准;
3)告知个人关于个人信息跨境传输的相关情况(包括接收方的名称或姓名、联系方式、处理目的、处理方式、个人信息的种类以及个人向境外接收方行使本法规定权利的方式和程序等事项)并取得个人的单独同意;
4)事先进行个人信息保护影响评估(是否满足个人信息处理基本原则、对个人权益的影响及安全风险以及安全保护措施有效性等进行评估),并对处理情况进行记录。个人信息保护影响评估报告和处理情况记录应当至少保存三年。
1) Passing the security assessment organized by the competent authorities, or being certified by specialized agencies, or signing standard contracts, and etc. in accordance with the Law.[3]
2) Ensuring that the activities of processing of personal information by the foreign recipient meet the protection standards under the Law.
3) Informing the individual about the cross-border transmission of personal information (including the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and the method and procedure for the individual to exercise the rights) and obtaining the individual's separate consent.
4) Conducting an impact assessment on personal information protection beforehand and keep a record of the handling. The impact assessment shall include: ① whether the basic principles of personal information processing are met, ② the impact on personal rights and interests and security risks, ③ whether the protection measures taken are lawful, effective and commensurate with the degree of risks. The report on personal information protection impact assessment and records of handling shall be kept for at least three years.
同时根据《个人信息保护法》第四十条,关键信息基础设施的运营者和处理个人信息达到国家网信部门规定数量的个人信息处理者,原则上应当将在中华人民共和国境内收集和产生的个人信息存储在境内,确需向境外提供的,应当通过国家网信部门组织的安全评估[4]。
In addition, according to Aticle 40, Critical information infrastructure operators and personal information processors whose quantity of processing of personal information reaches that as prescribed by CAC shall store personal information collected and generated within the territory of the People's Republic of China within the territory of the People's Republic of China. Where it is necessary to provide such information and data to an overseas party, such provision shall pass the security evaluation organized by the CAC.[4]
3.处理个人信息的必要性原则
3. The principle of necessity for processing personal information
处理个人信息应当遵循合法、正当原则,具有明确、合理的目的,确保处理信息的过程公开、透明、准确。同时,根据《个人信息保护法》第六条、第十九条及其他相关规范[5],处理个人信息还应遵循必要性原则,具体体现如下:
It requires that the processing of personal information shall abide by the principles of legality, fairness, having a clear and reasonable purpose, ensuring openness, transparency and accuracy of information processing process. Meanwhile, according to Articles 6 and 19 of China’s Personal Protection Law and other relevant specifications[5], the processing of personal information shall also follow the principle of necessity, which is reflected as follows:
1)直接关联:收集的个人信息的应与提供产品或服务直接相联,即没有该信息时,无法实现产品或服务的功能。
2)最低频率:收集个人信息的频率应是实现产品或服务的业务功能所必需的最低频率。
3)最少数量:获取个人信息的数量应是实现产品或服务的业务功能所必需的最少数量。
4)最短时间:个人信息的保存期限应当为实现处理目的所必要的最短时间。
1) Direct association: The personal information collected should be directly associated to the products or services provided, namely, without such information, the functions of the products or services cannot be realized.
2) Minimum Frequency: The frequency of collecting personal information should be the minimum frequency necessary to realize the business functions of the products or services.
3) Minimum Amount: The amount of personal information obtained shall be the minimum amount necessary to realize the business functions of the products or services.
4) Minimum Period: The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing.
4.取得单独同意的情形
4. Circumstances for obtaining separate consent
取得个人的同意为处理个人信息的合法性基础之一。除《个人信息保护法》第十三条[6]列明的其他合法性基础,大多数情况下信息处理者在取得个人的同意后方可处理个人信息。
Obtaining individuals’ consent is one of the legal basis for processing personal information. In addition to other legal basis listed in China’s Personal Information Protection Law in article 13[6], in most cases, the processor of personal information may process personal information only after obtaining the consent of individuals.
对于跨境提供个人信息的,根据《个人信息保护法》第三十九条应当取得个人信息主体的单独同意,具体方式为:采用个人信息主体不可绕过的方式(如弹窗等)单独地向个人信息主体告知个人信息处理者的主体信息、个人信息的处理目的、方式和范围、存储时间、安全措施等规则,并由个人信息主体对其单独进行明示同意(而非默示或者不作为)。
For cross-border provision of personal information, the separate consent of the individual concerned shall be obtained according to Article 39, for instance, to separately inform the individual of the information about the personal information processor, the purpose, the method and the scope of the processing of personal information, the storage time, the security measures and other rules by the way of individual cannot bypass (such as pop-up windows, etc.), and the individual shall give an express consent (not an implied consent or an inaction) in the condition of full knowledge of preceding matters.
另外,根据《个人信息保护法》第二十三条、第二十五条、第二十六条、第二十九条,在以下情形也需获得上述单独同意:1)向第三人提供其处理的个人信息;2)公开其处理的个人信息;3)为维护公共安全以外的目的收集个人图像、身份识别信息;4)处理敏感个人信息等。
In addition, according to Articles 23, 25, 26 and 29, separate consent is also required in the following circumstances: 1) To provide the personal information it processes to third party; 2) To disclose the personal information it processes; 3) To collect personal images and identifying information for purposes other than maintaining public security; 4) To process sensitive information.
5.自动化决策的限制
5. Limitations of automated decision making
个人信息处理者在处理个人信息时,不论出于何种目的,都不得滥用信息,应在必要的范围内收集信息,并满足本法规定的合法性要求。依照《个人信息保护法》第二十四条、第五十五条的规定,通过自动化决策方式向个人进行信息推送、商业营销的,需满足以下条件:
Personal information processors shall not abuse data processed for any purpose and shall collect information to the extent necessary and obtain the consent of the person whose data is being collected. According to articles 24 and 55, for information pushing and commercial marketing to individuals through automated decision-making, personal information processors shall:
1)不在交易价格等交易条件上设置不合理的差别待遇,保证自动化决策的透明度和结果的公平、公正;
2)提供便捷的拒绝方式,或提供不针对其个人特征的选项;
3)根据个人的要求,对自动化决策进行说明;
4)事前进行个人信息保护影响评估,并对处理情况进行记录。
1) Not impose unreasonable discriminatory treatment on individuals in respect of the transaction price and transaction conditions, and ensure the transparency of the decision-making and the fairness and impartiality of the results.
2) Provide a convenient way for individuals to withdraw the consent, or provide options that do not target the individual's personal characteristics.
3) Explain the automated decision-making to individuals upon their requirements.
4) Conduct an impact assessment on personal information protection beforehand and keep a record of the handling.
6.多层次追责制度
6. Multi-level accountability system
《个人信息保护法》针对违法处理个人信息的行为规定了全面且严苛的责任追究制度,涵盖了民事、行政和刑事层面。
China’s Personal Protection Law provides a comprehensive and stringent liability regime for the illegal processing of personal information, covering civil, administrative and criminal aspects.
在民事层面,《个人信息保护法》第六十九条确立了过错推定责任规则,当个人信息权益因个人信息处理活动受到侵害时,需由信息处理者证明其没有过错,此规定意在通过转移举证责任以更好的保护个人信息。
At the civil level, Article 69 of China’s Personal Information Protection Law establishes the rule of presumed fault, and when the rights and interests of personal information are infringed by personal information processing activities, the information processor shall bear liability for damages and other tort liabilities if it cannot prove that it is not at fault. This provision is intended to better protect personal information by shifting the burden of proof.
在行政和刑事层面,根据《个人信息保护法》第六十六条,对于“情节严重”的行为,违法处理者可能面临高额罚款(高达5000万元或上一年度营业额5%),暂停或者终止提供服务、吊销相关业务许可或者吊销营业执照的处罚,还可能追责到相关责任人(罚款或职业限制)。如涉嫌犯罪的,还可能受到刑事处罚。不过本法暂未对“情节严重”的范围未提出明确标准,留待执法部门出台更细致的裁量规则。
At the administrative and criminal level, according to Article 66, for any illegal act with “serious circumstances”, companies may face heavy fines (up to 50 million RMB or 5% of the company's previous year’s turnover), suspension or termination of relevant business for rectification, or revocation of the relevant business permit or business license, and the directly liable personnel may also be held accountable (fine or occupational restrictions). If suspected of committing a crime, they may also be subject to criminal penalties. However, the scope of "serious circumstances" is not yet clearly defined in the Law, leaving it to law enforcement authorities to issue more detailed discretionary rules.
三、我们的合规建议
III. Our General Advice for Data Compliance
新出台的《个人信息保护法》从监管层面对公司处理和保护个人信息提出了较高的合规要求。对需要处理中国境内自然人的个人信息的公司(包含境内及境外公司)以及包含有数据跨境业务的公司,我们建议主要考虑从以下方面搭建业务合规体系:
In general, the newly issued Personal Information Protection Law of China imposes higher compliance requirements on companies for processing and protecting personal information. For companies (both domestic and overseas companies) that need to process personal information of natural persons in the territory of the PRC and companies with data cross-border business, following aspects can be mainly considered when building business compliance systems:
1. 分类分级管理。对企业处理的个人信息进行全面排查梳理并进行分类、分级,对重要数据、敏感数据进行加密存储,保护数据安全。
1.Classified and graded management. Companies shall check and sort out, classify and grade the personal information comprehensively. Important and sensitive data should be stored in an encrypted manner to protect data security.
2. 脱敏流转。在个人信息的处理和流转过程,遵循最小使用原则,去标识,去隐私,降低流转过程的风险。
2.Data desensitization. Companies shall follow the principle of minimization, de-sensitization and de-identification (by taking corresponding technical security measures) to reduce possible risks of the processing and circulation of personal data.
3. 权限管控。针对不同访问需求,规范数据访问权限,并严格记录访问情况;根据业务处理需要对不同工作岗位接触、处理数据的权限进行限制,实现前台与后台的数据有效控制与监管。
3.Permissions control. Companies shall standardize data access rights based on different access requirements and strictly record the access situations. The permission to access and process data for different work positions should be controlled in a hierarchical manner according to business needs, to achieve effective control and supervision of data both front and back-end.
4. 监管稽核。建立有效的内部数据安全合规监管体系,从数据产生,到场景化使用,进行流向监控、精准分析,实现有效监管;对处理敏感个人信息、自动化决策、委托处理、跨境提供等对个人权益有重大影响的个人信息处理活动进行定期评估。
4.Supervision and assessment. Companies shall establish an effective internal data security compliance system, monitoring and analyzing the circulation of data covering the generation to scenario-based use. Companies shall also conduct regular assessments of personal information processing activities that have a significant impact on the rights and interests of individuals, such as sensitive personal information processing activities, automated decision-making and cross-border data provision.
5. 入侵防御。建立、检查数据库防火墙,以便对外部攻击进行有效防护,同时也对内部数据库漏洞进行有效防护,防止漏洞被违规利用。
5.Intrusion Prevention. Companies shall establish and examine the database firewall for effective protection against external attacks, and also for preventing illegal exploitation of databases due to internal database vulnerabilities.
6. 应急处置机制。一旦发生安全事件,确保企业有完善的应急预案和应对处理机制,防止事态进一步扩大。
6.Emergency disposal mechanism. Companies shall ensure that they have a comprehensive contingency plan and response mechanism in place to prevent further expansion in the event of a data security incident.
7. 权利主体响应机制。依法响应个人信息主体的撤回同意、查询、复制、转移、更正、删除、获得解释等权利请求;依法响应死者的近亲属为了自身的合法、正当利益,对死者的相关个人信息行使查阅、复制、更正、删除等权利请求。
7.Response mechanism to individual. Companies shall respond to individual’s requests for withdrawal of consent, inquires, copy, transmission, correction, deletion and obtaining explanation and other requests in accordance with the Law, also shall respond to the deceased’s close relatives’ requests for consulting, copy, correction and deletion the relevant personal information of the deceased and other rights for the purpose of their own lawful and legitimate interests.
四、结语
IV. Conclusion
《个人信息保护法》的实施,将深刻影响到掌握并处理个人信息的各个行业,尤其针对涉及个人信息跨境业务的境内外企业,其不仅要遵循一般的个人信息处理规则,还要遵循相应的跨境提供和境内外主体全面合规要求。企业应按照《个人信息保护法》及相关规定的要求,尽快完善、优化或建立自身的个人信息处理合规和保护安全体系,以降低个人信息处理所带来的法律风险。
The implementation of China’s Personal Information Protection Law will profoundly affect various industries that hold and process personal information, especially for domestic and foreign enterprises involved in cross-border business of personal information, which shall not only follow the general personal information processing rules, but also follow the corresponding cross-border provision and comprehensive compliance requirements for domestic and foreign subjects. Enterprises should improve, optimize or establish their own personal information processing compliance and protection security system as soon as possible in accordance with the requirements of China’s Personal Information Protection Law and related regulations in order to reduce legal risks in personal information processing.
[1] 例如,中国的《个人信息保护法》区分了同意、单独同意、书面同意的情形:在向他人提供个人信息,公开其所处理的个人信息,所收集的个人图像、身份识别信息用于维护公共安全以外的目的,处理敏感个人信息,向境外提供个人信息的都需要获得个人的单独同意;而法律、行政法规规定应当取得书面同意的情况下应当取得书面同意。而欧盟的《通用数据保护条例》(GDPR)和美国的《加州消费者隐私法案》(CCPA)等并未对同意类型作出如此细致的规定。
[1] For example, China's Personal Information Protection Law distinguishes between consent, separate consent, and written consent: separate consent is required when providing personal information to others, disclosing the personal information that one processes, using the collected personal images and identifying information for purposes other than maintaining public safety, processing sensitive personal information, and providing personal information to overseas parties; Where laws and administrative regulations provide that the processing of personal information shall be subject to the written consent, such provisions shall prevail. However, the GDPR and the U.S. California Consumer Privacy Act, for example, do not provide such detailed regulations on the type of consent.
[2] 《个人信息保护法》第四十二条规定:境外的组织、个人从事侵害中华人民共和国公民的个人信息权益,或者危害中华人民共和国国家安全、公共利益的个人信息处理活动的,国家网信部门可以将其列入限制或者禁止个人信息提供清单,予以公告,并采取限制或者禁止向其提供个人信息等措施。
[2] Article 42 Where an overseas organization or individual engages in the personal information processing activities infringing upon the personal information rights and interests of citizens of the People's Republic of China or endangering the national security and public interests of the People's Republic of China, the Cyberspace Administration of China( “CAC”) may include such organization or individual in the list of subjects to whom provision of personal information is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of personal information to such organization or individual.
[3] 有关数据出境应采取的方式,其具体实施标准有待相关部门进一步细化,《个人信息保护法》第六十二条亦规定,应由国家网信部门协调相关部门制定个人信息保护具体规则、标准。
[3] The specific standards of imlpementation need further guidance from the relevant authorities. Article 62 also provides that the CAC shall coordinate relevant authorities to formulate specific rules and standards for personal information protection in accordance with the Law.
[4] 安全评估的内容和标准有待后续具体规则加以明确,但参照以往国家互联网信息办公室发布的《个人信息出境安全评估办法(征求意见稿)》,以及全国信息安全标准化技术委员会发布的《信息安全技术数据出境安全评估指南(草案)》等,个人信息出境安全评估的内容大致可包括个人信息的情况、个人信息出境的必要性、个人信息接收方的安全保护措施、个人信息接收方所在国或地区的网络安全环境、个人信息出境的风险等,且针对不同的个人信息出境主体(如,是否为关键信息基础设施的运营者、是否为处理个人信息达到国家网信部门规定数量的个人信息处理者),个人信息出境安全评估的具体要求也可能有所不同。
[4] The objects and standards of the security assessment need further guidance by subsequent specific rules. However, with reference to the "Measures for Personal Information Cross-Border Transfer Security Assessment(Draft for Public Comments)" issued by the National Internet Information Office, as well as the "Information Security Technology- Guidelines for Data Cross-Border Transfer Security Assessment (Draft)" issued by the National Information Security Standardization Technical Committee and other rules have been issued, the objects of the personal information cross-border transfer security assessment may generally include the character of personal information, the necessity of personal information cross-border transfer, the security measures taken by recipient of the personal information, the cyber security environment of the country or region where the recipient of the personal information is located, the risk of the personal information cross-border transfer, etc. Moreover, the criteria for assessing the security of the personal information cross-border transfer may differ for different personal information providers. For example, the sepecific requirements of the assessment may differ depending on whether the provider is a critical information infrastructure operator or whether the quantity of processing personal information of the provider reaches that as prescribed by CAC.
[5] 《信息安全技术 个人信息安全规范》第5.2条等规定
[5] Article 5.2 of Information Security Technology—Personal Information Security Specification and etc.
[6] 根据《个人信息保护法》第十三条,个人信息处理的合法性基础包括:
(一)取得个人的同意;
(二)为订立、履行个人作为一方当事人的合同所必需,或者按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理所必需;
(三)为履行法定职责或者法定义务所必需;
(四)为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康和财产安全所必需;
(五)为公共利益实施新闻报道、舆论监督等行为,在合理的范围内处理个人信息;
(六)依照本法规定在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;
(七)法律、行政法规规定的其他情形。
[6] According to Article 13 of the Law, the legal basis of personal information processing includes:
1) Obtaining the consent of the individual concerned;
2) Where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law;
3) Where it is necessary for the performance of statutory duties or statutory obligations;
4) Where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person;
5) Where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope;
6) Where it is necessary to process the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law; and
7) Other circumstances prescribed by laws and administrative regulations.
声明:文章仅代表作者观点,不视为弼兴律师事务所正式法律意见或建议。如需转载或引用请注明出处。如有任何问题,欢迎与本所联系。
Statement: This article represents the views of the authors and is not to be regarded as formal legal advice or suggestions by Beshining Law Firm. Please cite the source when reproducing or quoting. If you have any questions, please feel free to contact us.
