Tuesday, March 29, 2022

中华人民共和国个人信息保护法 (Personal Information Protection Law of the People’s Republic of China): Translation from DigiChina


Pix Credit HERE


I thought it useful to share the Chinese and English translation of the 中华人民共和国个人信息保护法  Personal Information Protection Law of the People’s Republic of China. Great tanks to the folks at DigiChina for making this translation available. The original may be accessed HERE; another HERE (which includes the original Chinese).

It follows below:

Credits: This translation was produced by Rogier Creemers and Graham Webster on the basis of DigiChina's earlier translation of the of the second review draft of the law, which in turn was based on our translation of the first draft, produced by Rogier Creemers, Mingli Shi, Lauren Dudley, and Graham Webster.  [Updated Aug. 22, 2021, with a number of minor edits. Substantive changes include a new rendering of the Article 73 definition of automated decision-making and correction of the word "retaliatory" to the more appropriate "reciprocal" in Article 43. Thanks to Jamie Horsley for valuable comments and corrections. | Updated Sept. 3, 2021, to add the omitted word "collective" in Article 13, Item 2; thanks to Danping Yang for the correction. | Updated Sept. 7, 2021, to add the omitted phrase "and handling methods" to Article 73, Item 1; thanks to Mingli Shi for the correction. –Ed.]



Personal Information Protection Law of the People’s Republic of China



(Passed at the 30th meeting of the Standing Committee of the 13th National People'sCongress on August 20, 2021)


目  录

Table of Contents


第一章 总  则

Chapter I: GeneralProvisions

第二章 个人信息处理规则

Chapter II: PersonalInformation Handling Rules


Section 1: Common Provisions


Section 2: Rules for Handling Sensitive Personal Information


Section 3: Special Provisions on the Handling of PersonalInformation by State Organs

第三章 个人信息跨境提供的规则

Chapter III: Rules on the Cross-Border Provision of PersonalInformation

第四章 个人在个人信息处理活动中的权利

Chapter IV: Individuals’ Rights in Personal Information HandlingActivities

第五章 个人信息处理者的义务

Chapter V: Personal Information Handlers’ Duties

第六章 履行个人信息保护职责的部门

Chapter VI:Departments Fulfilling Personal InformationProtection Duties and Responsibilities

第七章 法律责任

Chapter VII: Legal Liability

第八章 附  则

Chapter VIII: Supplemental Provisions



第一章 总  则

Chapter I: GeneralProvisions



Article 1: This Law is formulated, on the basis of theConstitution, in order to protect personal information rights and interests,standardize personal information handling activities, and promote the rationaluse of personal information.



Article 2: Thepersonal information of natural persons receives legal protection; noorganization or individual may infringe upon natural persons’ personalinformation rights and interests.







Article 3: This Law applies to the activitiesof handling the personal information of natural persons inside the territory ofthe People’s Republic of China.

Where one of the following circumstances is present inhandling activities outside the territory of the People’s Republic of China ofpersonal information of natural persons inside the territoryof the People’sRepublic of China, this Law applies as well:

  1. Where the purpose is to provide products or services     to natural persons inside the territory;

  2. Where analyzing or assessing activities of natural     persons inside the territory;

  3. Other circumstances     provided in laws or administrative regulations.


第四条 个人信息是以电子或者其他方式记录的与已识别或者可识别的自然人有关的各种信息,不包括匿名化处理后的信息。


Article 4: Personalinformation is all kinds of information, recorded by electronic or other means,related to identified or identifiable natural persons, not includinginformation after anonymization handling.

Personalinformation handling includes personal information collection, storage, use,processing, transmission, provision, publishing, deletion, etc.


第五条 处理个人信息应当遵循合法、正当、必要和诚信原则,不得通过误导、欺诈、胁迫等方式处理个人信息。

Article 5: Theprinciples of legality, propriety, necessity, and sincerity shall be observedfor personal information handling. It is prohibited to handle personalinformation in misleading, swindling, coercive, or other such ways.


第六条 处理个人信息应当具有明确、合理的目的,并应当与处理目的直接相关,采取对个人权益影响最小的方式。


Article 6: Personalinformation handling shall have a clear and reasonable purpose, and shall bedirectly related to the handling purpose, using a method with the smallestinfluence on individual rights and interests.

The collectionof personal information shall be limited to the smallest scope for realizingthe handling purpose, and excessive personal information collection isprohibited.


第七条 处理个人信息应当遵循公开、透明原则,公开个人信息处理规则,明示处理的目的、方式和范围。

Article 7: Theprinciples of openness and transparency shall be observed in the handling ofpersonal information, disclosing the rules for handling personal informationand clearly indicating the purpose, method, and scope of handling.


第八条 处理个人信息应当保证个人信息的质量,避免因个人信息不准确、不完整对个人权益造成不利影响。

Article 8: Thehandling of personal information shall ensure the quality of personalinformation, and avoid adverse effects on individual rights and interests frominaccurate or incomplete personal information.


第九条 个人信息处理者应当对其个人信息处理活动负责,并采取必要措施保障所处理的个人信息的安全。

Article 9: Personalinformation handlers shall bear responsibility for their personal informationhandling activities, and adopt the necessary measures to safeguard the securityof the personal information they handle.


第十条 任何组织、个人不得非法收集、使用、加工、传输他人个人信息,不得非法买卖、提供或者公开他人个人信息;不得从事危害国家安全、公共利益的个人信息处理活动。

Article 10: Noorganization or individual may illegally collect, use, process, or transmitother persons' personal information, or illegally sell, buy, provide, or discloseother persons' personal information, or engage in personal information handlingactivities harming national security or the public interest.


第十一条 国家建立健全个人信息保护制度,预防和惩治侵害个人信息权益的行为,加强个人信息保护宣传教育,推动形成政府、企业、相关社会组织、公众共同参与个人信息保护的良好环境。

Article 11: The Stateestablishes a personal information protection structure, to prevent and punishacts harming personal information rights and interests, strengthen personalinformation protection propaganda and education, and promote the creation of agood environment for personal information protection, with jointparticipationfrom government, enterprise, relevant social organizations, andthe general public.


第十二条 国家积极参与个人信息保护国际规则的制定,促进个人信息保护方面的国际交流与合作,推动与其他国家、地区、国际组织之间的个人信息保护规则、标准等互认。

Article 12: The Statevigorously participates in the formulation of international rules for personalinformation protection, stimulates international exchange and cooperation inthe area of personal information protection, and promotes mutual recognition ofpersonal information protection rules, standards, etc., with other countries,regions, and international organizations.


第二章 个人信息处理规则

Chapter II: PersonalInformation Handling Rules



Section 1: CommonProvisions











Article 13: Personal information handlers mayonly handle personal information where they conform to one of the followingcircumstances:

  1. Obtaining individuals’ consent;

  2. Where necessary to conclude or fulfill a contract in     which the individual is an interested party, or where necessary to conduct     human resources management according to lawfully formulated labor rules     and regulations and lawfully concluded contracts;

  3. Where necessary to fulfill statutory duties and     responsibilities or statutory obligations;

  4. Where necessary to respond to sudden public health     incidents or protect natural persons’ lives and health, or the security of     their property, under emergency conditions;

  5. Handling personal information within a reasonable     scope to implement news reporting, public opinion supervision, and other     such activities for the public interest;

  6. When handling personal information already disclosed     by persons themselves or otherwise lawfully disclosed, within a reasonable     scope in accordance with the provisions of this Law;

  7. Other circumstances     provided in laws and administrative regulations.

In accordance with other relevant provisions of this Law,when handling personal information, individual consent shall be obtained.However, obtaining individual consent is not required under conditions in items2 through 7 above.


第十四条 基于个人同意处理个人信息的,该同意应当由个人在充分知情的前提下自愿、明确作出。法律、行政法规规定处理个人信息应当取得个人单独同意或者书面同意的,从其规定。


Article 14: Wherepersonal information is handled based on individual consent, said consent shallbe given by individuals under the precondition of full knowledge, and in avoluntary and explicit statement. Where laws or administrative regulationsprovide that separate consent or written consent shall be obtained to handle personalinformation,those provisions are to be followed.

Where a changeoccurs in the purpose of personal information handling, the handling method, orthe categories of handled personal information, the individual’s consent shallbe obtained again.


第十五条 基于个人同意处理个人信息的,个人有权撤回其同意。个人信息处理者应当提供便捷的撤回同意的方式。


Article 15: Wherepersonal information is handled based on individual consent, individuals havethe right to rescind their consent. Personal information handlers shall providea convenient way to withdraw consent.

If an individualrescinds consent, it does not affect the effectiveness of personal informationhandling activities undertaken on the basis of individual consent beforeconsent was rescinded.


第十六条 个人信息处理者不得以个人不同意处理其个人信息或者撤回同意为由,拒绝提供产品或者服务;处理个人信息属于提供产品或者服务所必需的除外。

Article 16: Personalinformation handlers may not refuse to provide products or services on thebasis that an individual does not consent to the handling of their personalinformation or rescinds their consent, except where handling personalinformation is necessary for the provision of products or services.


第十七条 个人信息处理者在处理个人信息前,应当以显著方式、清晰易懂的语言真实、准确、完整地向个人告知下列事项:







Article 17: Personal information handlersshall, before handling personal information, explicitly notify individualstruthfully, accurately, and fully of the following items using clear and easilyunderstood language:

  1. The name or personal name and contact method of the     personal information handler;

  2. The purpose of personal information handling and the     handling methods, the categories of handled personal information, and the     retention period;

  3. Methods and procedures for individuals to exercise     the rights provided in this Law;

  4. Other items that laws or     administrative regulations provide shall be notified. 

Where a change occurs in the matters provided in theprevious paragraph, individuals shall be notified about the change. 

Where personal information handlers notify the matters asprovided in Paragraph 1 through the method of formulating personal informationhandling rules, the handling rules shall be public and convenient to read andstore.


第十八条 个人信息处理者处理个人信息,有法律、行政法规规定应当保密或者不需要告知的情形的,可以不向个人告知前条第一款规定的事项。


Article 18: Personalinformation handlers handling personal information are permitted not to notifyindividuals about the items provided in Paragraph 1 of the previous Articleunder circumstances where laws or administrative regulations provide thatsecrecy shall be preserved or notification is not necessary. 

Under emergencycircumstances, where it is impossible to notify individuals in a timely mannerin order to protect natural persons’ lives, health, and the security of theirproperty, personal information handlers shall notify them after the conclusionof the emergency circumstances.


第十九条 除法律、行政法规另有规定外,个人信息的保存期限应当为实现处理目的所必要的最短时间。

Article 19: Exceptwhere laws or administrative regulations provide otherwise, personalinformation retention periods shall be the shortest period necessary to realizethe purpose of the personal information handling. 


第二十条 两个以上的个人信息处理者共同决定个人信息的处理目的和处理方式的,应当约定各自的权利和义务。但是,该约定不影响个人向其中任何一个个人信息处理者要求行使本法规定的权利。


Article 20: Where twoor more personal information handlers jointly decide on a personal informationhandling purpose and handling method, they shall agree on the rights andobligations of each. However, said agreement does not influence an individual’srights to demand any one personal information handler perform under this Law’sprovisions. 

Where personalinformation handlers jointly handling personal information harm personalinformation rights and interests, resulting in damages, they bear jointliability according to the law.


第二十一条 个人信息处理者委托处理个人信息的,应当与受托人约定委托处理的目的、期限、处理方式、个人信息的种类、保护措施以及双方的权利和义务等,并对受托人的个人信息处理活动进行监督。



Article 21: Wherepersonal information handlers entrust the handling of personal information,they shall conclude an agreement with the entrusted person on the purpose forentrusted handling, the time limit, the handling method, categories of personalinformation, protection measures, as well as the rights and duties of bothsides, etc., and conduct supervision of the personal information handlingactivities of the entrusted person.

Entrustedpersons shall handle personal information according to the agreement; they maynot handle personal information for handling purposes or in handling methods,etc., in excess of the agreement. If the entrusting contract does not takeeffect, is void, has been cancelled, or has been terminated, the entrustedperson shall return the personal information to the personal informationhandler or delete it, and may not retain it.

Without theconsent of the personal information handler, an entrusted person may notfurther entrust personal information handling to other persons.


第二十二条 个人信息处理者因合并、分立、解散、被宣告破产等原因需要转移个人信息的,应当向个人告知接收方的名称或者姓名和联系方式。接收方应当继续履行个人信息处理者的义务。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。

Article22: Personal information handlers shall, where it isnecessary to transfer personal information due to mergers, separations,dissolution, declaration of bankruptcy, and other such reasons, notifyindividuals about the receiving party’s name or personal name and contactmethod. The receiving party shall continue to fulfill the personal informationhandler’s duties. Where the receiving party changes the original handlingpurpose or handling method, they shall notify the individual again as providedin this Law.


第二十三条 个人信息处理者向其他个人信息处理者提供其处理的个人信息的,应当向个人告知接收方的名称或者姓名、联系方式、处理目的、处理方式和个人信息的种类,并取得个人的单独同意。接收方应当在上述处理目的、处理方式和个人信息的种类等范围内处理个人信息。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。

Article 23: Wherepersonal information handlers provide other personal information handlers withthe personal information they handle, they shall notify individuals about thename or personal name of the receiving party, their contact method, thehandling purpose, handling method, and personal information categories, andobtain separate consent from the individual. Receiving parties shall handlepersonal information within the above mentioned scope of handling purposes,handling methods, personal information categories, etc. Where receiving partieschange the original handling purpose or handling methods, they shall againobtain the individual’s consent.


第二十四条 个人信息处理者利用个人信息进行自动化决策,应当保证决策的透明度和结果公平、公正,不得对个人在交易价格等交易条件上实行不合理的差别待遇。



Article 24: Whenpersonal information handlers use personal information to conduct automateddecision-making, the transparency of the decision-making and the fairness andjustice of the handling result shall be guaranteed, and they may not engage inunreasonable differential treatment of individuals in trading conditions suchas trade price, etc. 

Those conductinginformation push delivery or commercial sales to individuals through automateddecision-making methods shall simultaneously provide the option to not targetan individual’s characteristics, or provide the individual with a convenientmethod to refuse. 

When the use ofautomated decision-making produces decisions with a major influence on therights and interests of the individual, they have the right to require personalinformation handlers to explain the matter, and they have the right to refusethat personal information handlers make decisions solely through automateddecision-making methods.


第二十五条 个人信息处理者不得公开其处理的个人信息,取得个人单独同意的除外。

Article 25: Personalinformation handlers may not disclose the personal information they handle;except where they obtain separate consent.


第二十六条 在公共场所安装图像采集、个人身份识别设备,应当为维护公共安全所必需,遵守国家有关规定,并设置显著的提示标识。所收集的个人图像、身份识别信息只能用于维护公共安全的目的,不得用于其他目的;取得个人单独同意的除外。

Article 26: The installationof image collection or personal identity recognition equipment in public venuesshall occur as required to safeguard public security and observe relevant Stateregulations, and clear indicating signs shall be installed. Collected personalimages and personal distinguishing identity characteristic information can onlybe used for the purpose of safeguarding public security; it may not be used forother purposes, ; except where individuals’ separate consent is obtained.


第二十七条 个人信息处理者可以在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;个人明确拒绝的除外。个人信息处理者处理已公开的个人信息,对个人权益有重大影响的,应当依照本法规定取得个人同意。

Article 27: Personalinformation handlers may, within a reasonable scope, handle personalinformation that has already been disclosed by the person themselves orotherwise lawfully disclosed, except where the person clearly refuses. Personalinformation handlers handling already disclosed personal information, wherethere is a major influence on individual rights and interests, shall obtainpersonal consent in accordance with the provisions of this Law.


第二节  敏感个人信息的处理规则

Section 2: Rules for Handling Sensitive PersonalInformation


第二十八条 敏感个人信息是一旦泄露或者非法使用,容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的个人信息,包括生物识别、宗教信仰、特定身份、医疗健康、金融账户、行踪轨迹等信息,以及不满十四周岁未成年人的个人信息。


Article 28: Sensitivepersonal information means personal information that, once leaked or illegallyused, may easily cause harm to the dignity of natural persons or grave harm topersonal or property security, including information on biometriccharacteristics, religious beliefs, specially-designated status, medicalhealth, financial accounts, individual location tracking, etc., as well as thepersonal information of minors under the age of 14.

Only where thereis a specific purpose and sufficient necessity, and under circumstances wherestrict protection measures are taken, may personal information handlers handlesensitive personal information.


第二十九条 处理敏感个人信息应当取得个人的单独同意;法律、行政法规规定处理敏感个人信息应当取得书面同意的,从其规定。

Article 29: To handlesensitive personal information, the individual's separate consent shall beobtained. Where laws or administrative regulations provide that written consentshall be obtained for handling sensitive personal information, those provisionsare to be followed.


第三十条 个人信息处理者处理敏感个人信息的,除本法第十七条第一款规定的事项外,还应当向个人告知处理敏感个人信息的必要性以及对个人权益的影响;依照本法规定可以不向个人告知的除外。

Article 30: Personalinformation handlers handling sensitive personal information, in addition tothe items set out in Paragraph 1 ofArticle 17 of this Law, shall also notifyindividuals of the necessity and effects on the individual's rights andinterests of handling the sensitive personal information, except where this Lawprovides that it is permitted not to notify the individual.


第三十一条 个人信息处理者处理不满十四周岁未成年人个人信息的,应当取得未成年人的父母或者其他监护人的同意。


Article31: Where personal information handlers handle the personalinformation of minors under the age of 14, they shall obtain the consent of theparent or other guardian of the minor.

Where personalinformation handlers handle the personal information of minors under the age of14, they shall establish specialized personal information handling rules.


第三十二条 法律、行政法规对处理敏感个人信息规定应当取得相关行政许可或者作出其他限制的,从其规定。

Article 32: Where lawsor administrative regulations provide that relevant administrative licensesshall be obtained or other restrictions apply to the handling of sensitivepersonal information, those provisions are to be followed.




Section 3: Specific Provisionson the Handling of Personal


第三十三条 国家机关处理个人信息的活动,适用本法;本节有特别规定的,适用本节规定。

Article 33: This Lawapplies to State organs’ activities of handling personal information; wherethis Section contains specific provisions, the provisions of this Section apply.


第三十四条 国家机关为履行法定职责处理个人信息,应当依照法律、行政法规规定的权限、程序进行,不得超出履行法定职责所必需的范围和限度。

Article 34: Stateorgans handling personal information to fulfill their statutory duties andresponsibilities shall conduct them according to the powers and proceduresprovided in laws or administrative regulations; they may not exceed the scopeor extent necessary to fulfill their statutory duties and responsibilities.


第三十五条 国家机关为履行法定职责处理个人信息,应当依照本法规定履行告知义务;有本法第十八条第一款规定的情形,或者告知将妨碍国家机关履行法定职责的除外。

Article 35: Stateorgans handling personal information for the purpose of fulfilling statutoryduties and responsibilities shall fulfill notification duties, except wherecircumstances as provided in Paragraph 1 of Article 18 of this Law exist, orwhere notification will impede State organs’ fulfillment of their statutoryduties and responsibilities.


第三十六条 国家机关处理的个人信息应当在中华人民共和国境内存储;确需向境外提供的,应当进行安全评估。安全评估可以要求有关部门提供支持与协助。

Article 36: Personalinformation handled by State organs shall be stored inside the territory of thePeople’s Republic of China. If it is necessary to provide it abroad, a securityassessment shall be undertaken. Relevant authorities may be requested tosupport and assist with security assessment.


第三十七条 法律、法规授权的具有管理公共事务职能的组织为履行法定职责处理个人信息,适用本法关于国家机关处理个人信息的规定。

Article 37: Theprovisions of this Law regarding personal information handling by State organsapply to organizations handling personal information in order to fulfill theirduties while performing functions related to managing public affairs asauthorized by laws and administrative regulations.



Chapter III: Rules on the Cross-Border Provision of Personal Information


第三十八条 个人信息处理者因业务等需要,确需向中华人民共和国境外提供个人信息的,应当具备下列条件之一:







Article 38: Where personal informationhandlers need to provide personal information outside the territory of thePeople’s Republic of China for business or other such requirements, they shallmeet one of the following conditions:

  1. Passing a security assessment organized by the national     cyberspace authority according to Article 40 of this Law;

  2. Undergoing personal information protection     certification conducted by a specialized body according to provisions by     the national cyberspace authority;

  3. Concluding a contract with the overseasreceiving party     in accordance with a standard contract formulated by the national     cyberspace authority, agreeing upon the rights and responsibilities of     both sides;

  4. Other conditions provided     in laws or administrative regulations or by the national cyberspace     authority.

Where treaties or international agreements that thePeople's Republic of China has concluded or acceded to contain provisions suchas conditions on providing personal data outside the territory of the People'sRepublic of China, it is permitted to act according to those provisions.

Personal information handlers shall adopt necessarymeasures to ensure that the personal information handling activities of overseasreceivingparties reach the standard of personal information protection provided in thisLaw.


第三十九条 个人信息处理者向中华人民共和国境外提供个人信息的,应当向个人告知境外接收方的名称或者姓名、联系方式、处理目的、处理方式、个人信息的种类以及个人向境外接收方行使本法规定权利的方式和程序等事项,并取得个人的单独同意。

Article 39: Wherepersonal information handlers provide personal information outside of theterritory of the People’s Republic of China, they shall notify the individualabout the overseas receiving party’s name or personal name, contact method,handling purpose, handling methods, and personal information categories, aswell as ways or procedures for individuals to exercise the rights provided inthis Law with the overseasreceiving party, and other such matters, and obtainindividuals’ separate consent.


第四十条 关键信息基础设施运营者和处理个人信息达到国家网信部门规定数量的个人信息处理者,应当将在中华人民共和国境内收集和产生的个人信息存储在境内。确需向境外提供的,应当通过国家网信部门组织的安全评估;法律、行政法规和国家网信部门规定可以不进行安全评估的,从其规定。

Article 40: Criticalinformation infrastructure operators and personal information handlers whohandle personal information up to the amount provided by thenational cyberspaceauthority shall store personal information collected and produced inside theterritory of the People’s Republic of China domestically. Where it istrulynecessary to provide it abroad, they shall pass a security assessment organizedby the national cyberspace authority; where laws or administrative regulationsandprovisions of thenational cyberspace authority provide that securityassessment is acceptable to not be conducted, those provisions are to befollowed.


第四十一条 中华人民共和国主管机关根据有关法律和中华人民共和国缔结或者参加的国际条约、协定,或者按照平等互惠原则,处理外国司法或者执法机构关于提供存储于境内个人信息的请求。非经中华人民共和国主管机关批准,个人信息处理者不得向外国司法或者执法机构提供存储于中华人民共和国境内的个人信息。

Article 41: Competentauthorities of the People's Republic of China, according to relevant laws andtreaties or international agreements that the People's Republic of China hasconcluded or acceded to, or according to the principle of equality and mutualbenefit, are to handle foreign judicial or law enforcement authorities'requests regarding the provision of personal information stored domestically.Without the approval of the competent authorities of the People's Republic ofChina, personal information handlers may not provide personal informationstored inside the territory of the People's Republic of China to foreignjudicial or law enforcement agencies.


第四十二条 境外的组织、个人从事侵害中华人民共和国公民的个人信息权益,或者危害中华人民共和国国家安全、公共利益的个人信息处理活动的,国家网信部门可以将其列入限制或者禁止个人信息提供清单,予以公告,并采取限制或者禁止向其提供个人信息等措施。

Article 42: Where overseasorganizations or individuals engage in personal information handling actsviolating personal information rights and interests of citizens of the People’sRepublic of China, or harming the national security or public interest of thePeople’s Republic of China, the national cyberspace authoritymay put them on alist limiting or prohibiting personal information provision, issue a warning,and adopt measures such as limiting or prohibiting the provision of personalinformation to them, etc.


第四十三条 任何国家或者地区在个人信息保护方面对中华人民共和国采取歧视性的禁止、限制或者其他类似措施的,中华人民共和国可以根据实际情况对该国家或者地区对等采取措施。

Article 43: Where anycountry or region adopts discriminatory prohibitions, limitations or othersimilar measures against the People’s Republic of China in the area of personalinformation protection, the People’s Republic of China may adopt retaliatorymeasures against said country or region on the basis of actual circumstances.


第四章 个人在个人信息处理活动中的权利

Chapter IV: Individuals’Rights in Personal Information Handling Activities


第四十四条 个人对其个人信息的处理享有知情权、决定权,有权限制或者拒绝他人对其个人信息进行处理;法律、行政法规另有规定的除外。

Article 44: Individualshave the right to know and the right to decide relating to their personalinformation, and have the right to limit or refuse the handling of theirpersonal information by others, unless laws or administrative regulationsstipulate otherwise.


第四十五条 个人有权向个人信息处理者查阅、复制其个人信息;有本法第十八条第一款、第三十五条规定情形的除外。



Article 45: Individualshave the right to access and copy their personal information from personalinformation handlers, except in circumstances provided in Article 18, Paragraph1, or Article 35 of this Law.

Whereindividuals request to access or copy their personal information, personalinformation handlers shall provide it in a timely manner.

Whereindividuals request that their personal information be transferred to apersonal information handler they designate, meeting conditions of the nationalcyberspace authority, personal information handlers shall provide a channel totransfer it.


第四十六条 个人发现其个人信息不准确或者不完整的,有权请求个人信息处理者更正、补充。


Article 46: Whereindividuals discover their personal information is incorrect or incomplete,they have the right to request personal information handlers correct orcomplete their personal information.

Whereindividuals request to correct or complete their personal information, personalinformation handlers shall verify the personal information and correct orcomplete it in a timely manner.


第四十七条 有下列情形之一的,个人信息处理者应当主动删除个人信息;个人信息处理者未删除的,个人有权请求删除:







Article 47: Personalinformation handlers shall actively delete personal information where one ofthe following circumstances occurs; if the personal information handler has notdeleted, individuals have the right to request deletion:

  1. The handling purpose has been achieved, is     impossible to achieve, or [the personal information] is no longer     necessary to achieve the handling purpose;

  2. Personal information handlers cease the provision of     products or services, or the retention period has expired;

  3. The individual rescinds consent;

  4. Personal information handlers handled personal     information in violation of laws, administrative regulations, or     agreements;

  5. Other circumstances     provided by laws or administrative regulations.

Where theretention period provided by laws or administrative regulations has notexpired, or personal information deletion is technically hard to realize,personal information handlers shall cease personal information handling exceptfor storage and taking necessary security protective measures.


第四十八条 个人有权要求个人信息处理者对其个人信息处理规则进行解释说明。

Article 48: Individualshave the right to request personal information handlers explain personalinformation handling rules.


第四十九条 自然人死亡的,其近亲属为了自身的合法、正当利益,可以对死者的相关个人信息行使本章规定的查阅、复制、更正、删除等权利;死者生前另有安排的除外。

Article 49: When anatural person is deceased, their next of kin may, for the sake of their ownlawful, legitimate interests, exercise the rights provided in this Chapter toaccess, copy, correct, delete, etc., the personal information of the deceased,except where the deceased has arranged otherwise before their death.


第五十条 个人信息处理者应当建立便捷的个人行使权利的申请受理和处理机制。拒绝个人行使权利的请求的,应当说明理由。


Article 50: Personalinformation handlers shall establish convenient mechanisms to accept and handleapplications from individuals to exercise their rights. Where they rejectindividuals’ requests to exercise their rights, they shall explain the reason.

Where personalinformation handlers reject individuals' requests to exercise their rights,individuals may file a lawsuit with a People's Court according to the law.


第五章 个人信息处理者的义务

Chapter V: PersonalInformation Handlers’ Duties


第五十一条 个人信息处理者应当根据个人信息的处理目的、处理方式、个人信息的种类以及对个人权益的影响、可能存在的安全风险等,采取下列措施确保个人信息处理活动符合法律、行政法规的规定,并防止未经授权的访问以及个人信息泄露、篡改、丢失:







Article 51: Personalinformation handlers shall, on the basis of the personal information handlingpurpose, handling methods, personal information categories, as well as the influenceon individuals' rights and interests, possibly existing security risks, etc.,adopt the following measures to ensure personal information handling conformsto the provisions of laws and administrative regulations, and preventunauthorized access as well as personal information leaks, distortion, or loss:

  1. Formulating internal management structures and     operating rules;

  2. Implementing categorized management of personal     information;

  3. Adopting corresponding technical security measures     such as encryption, de-identification, etc.;

  4. Reasonably determining operational limits for     personal information handling, and regularly conducting security education     and training for employees;

  5. Formulating and organizing the implementation of     personal information security incident response plans;

  6. Other measures provided     in laws or administrative regulations.


第五十二条 处理个人信息达到国家网信部门规定数量的个人信息处理者应当指定个人信息保护负责人,负责对个人信息处理活动以及采取的保护措施等进行监督。


Article 52: Personalinformation handlers who handle personal information reaching quantitiesprovided by the national cyberspace authority shall appoint personalinformation protection officers, responsible for conducting supervision ofpersonal information handling activities as well as adopted protectionmeasures, etc. 

Personalinformation handlers shall disclose the methods of contacting personalinformation protection officers, and report the names of the officers andcontact methods to the departments fulfilling personal information protectionduties and responsibilities.


第五十三条 本法第三条第二款规定的中华人民共和国境外的个人信息处理者,应当在中华人民共和国境内设立专门机构或者指定代表,负责处理个人信息保护相关事务,并将有关机构的名称或者代表的姓名、联系方式等报送履行个人信息保护职责的部门。

Article 53: Personalinformation handlers outside the territory of the People’s Republic of China,as provided in Article 3, Paragraph II, of this Law, shall establish adedicated entity or appoint a representative inside the territory of thePeople’s Republic of China to be responsible for matters related to thepersonal information they handle, and are to report the name of the relevantentity or the name and contact method, etc., of the representative to thedepartments fulfilling personal information protection duties and responsibilities.


第五十四条 个人信息处理者应当定期对其处理个人信息遵守法律、行政法规的情况进行合规审计。

Article 54: Personalinformation handlers shall regularly engage in audits of their personalinformation handling and compliance with laws and administrative regulations.


第五十五条 有下列情形之一的,个人信息处理者应当事前进行个人信息保护影响评估,并对处理情况进行记录:






Article 55: When oneof the following circumstances is present, personal information handlers shall conducta personal information protection impact assessment in advance, and record thehandling situation:

  1. Handling sensitive personal information;

  2. Using personal information to conduct automated     decision-making;

  3. Entrusting personal information handling, providing     personal information to other personal information handlers, or disclosing     personal information;

  4. Providing personal information abroad;

  5. Other personal     information handling activities with a major influence on individuals.


第五十六条 个人信息保护影响评估应当包括下列内容:





Article56: The content of the personal information protection impactassessment shall include:

  1. Whether or not the personal information handling     purpose, handling method, etc., are lawful, legitimate, and necessary;

  2. The influence on individuals' rights and interests,     and the security risks;

  3. Whether protective     measures undertaken are legal, effective, and suitable to the degree of     risk. 

Personalinformation protection impact assessment reports and handling status recordsshall be preserved for at least three years.


第五十七条 发生或者可能发生个人信息泄露、篡改、丢失的,个人信息处理者应当立即采取补救措施,并通知履行个人信息保护职责的部门和个人。通知应当包括下列事项:





Article 57: Where apersonal information leak, distortion, or loss occurs or might have occurred,personal information handlers shall immediately adopt remedial measures, andnotify the departments fulfilling personal information protection duties andresponsibilities and the individuals. The notification shall include thefollowing items:

  1. The information categories, causes, and possible     harm caused by the leak, distortion, or loss that occurred or might have     occurred;

  2. The remedial measures taken by the personal     information handler and measures individuals can adopt to mitigate harm;

  3. Contact method of the     personal information handler.

Where personalinformation handlers adopt measures that are able to effectively avoid harmcreated by information leaks, distortion, or loss, personal informationhandlers are permitted to not notify individuals; however, where departmentsfulfilling personal information protection protection duties andresponsibilities believe harm may have been created, they may require personalinformation handlers to notify individuals.


第五十八条 提供重要互联网平台服务、用户数量巨大、业务类型复杂的个人信息处理者,应当履行下列义务:





第五十九条 接受委托处理个人信息的受托人,应当依照本法和有关法律、行政法规的规定,采取必要措施保障所处理的个人信息的安全,并协助个人信息处理者履行本法规定的义务。

Article 58: Personalinformation handlers providing important Internet platform services, who have alarge number of users, and whose business models are complex shall fulfill thefollowing obligations:

  1. Establish and complete personal information     protection compliance structures and systems according to State     regulations, and establish an independent body composed mainly of outside     members to supervise personal information protection circumstances;

  2. Abide by the principles of openness, fairness, and     justice; formulate platform rules; and clarify the standards for     intra-platform product or service providers' handling of personal     information and their personal information protection duties;

  3. Stop providing services to product or service     providers on the platform that seriously violate laws or administrative     regulations in handling personal information;

  4. Regularly release     personal information protection social responsibility reports, and accept     society’s supervision.


第六章 履行个人信息保护职责的部门

Chapter VI: DepartmentsFulfilling Personal Information Protection Duties and Responsibilities.


第六十条 国家网信部门负责统筹协调个人信息保护工作和相关监督管理工作。国务院有关部门依照本法和有关法律、行政法规的规定,在各自职责范围内负责个人信息保护和监督管理工作。



Article 60: The nationalcyberspace authority is responsible for comprehensive planning and coordinationof personal information protection work and related supervision and managementwork. Relevant State Council departments are responsible for personalinformation protection, supervision, and management work within theirrespective scope of duties and responsibilities, according to the provisions ofthis Law and relevant laws and administrative regulations.

County-level andhigher People’s Governments’ relevant departments’ personal informationprotection, supervision, and management duties and responsibilities aredetermined according to relevant State regulations.

Departmentsprovided in the previous two Paragraphs are jointly named departmentsfulfilling personal information protection duties and responsibilities.


第六十一条 履行个人信息保护职责的部门履行下列个人信息保护职责:






Article 61: Departmentsfulfilling personal information protection duties and responsibilities fulfillthe following personal information protection duties and responsibilities:

  1. Conducting personal information protection     propaganda and education, and guiding and supervising personal information     handlers’ conduct of personal information protection work;

  2. Accepting and handling personal information     protection-related complaints and reports;

  3. Organizing monitoring of the personal information     protection situation within their application programs, etc., and     publishing the monitoring results;

  4. Investigating and handling unlawful personal     information handling activities;

  5. Other duties and responsibilities     provided in laws or administrative regulations.


第六十二条 国家网信部门统筹协调有关部门依据本法推进下列个人信息保护工作:






Article 62: The nationalcyberspace authority coordinates overall the following personal informationprotection work by the relevant departments:

  1. Formulate concrete personal information protection     rules and standards;

  2. Formulate specialized personal information     protection rules and standards for small-scale personal information     handlers, new technologies and new applications regarding sensitive     personal information, facial recognition, artificial intelligence, etc.;

  3. Support the research, development, and broad     adoption of secure and convenient electronic identity authentication     technology, and promote the construction of public online identity     authentication services;

  4. Advance the construction of service systems to socialize     personal information protection, and support relevant organizations to     launch personal information protection evaluation and certification     services;

  5. Perfect personal     information protection complaint and reporting work mechanisms.


第六十三条 履行个人信息保护职责的部门履行个人信息保护职责,可以采取下列措施:






Article 63: When departmentsfulfilling personal information protection duties and responsibilities fulfillpersonal information protection duties and responsibilities, they may adopt thefollowing measures:

  1. Interviewing relevant concerned parties, and     investigating circumstances related to personal information handling     activities;

  2. Consulting and reproducing a concerned party’s     contracts, records, receipts as well as other relevant material related to     personal information handling activities;

  3. Conducting on-site inspections, and conducting     investigations of suspected unlawful personal information handling     activities;

  4. Inspecting equipment and     articles relevant to personal information handling activities; and when     there is evidence the equipment or articles are used to engage in illegal     personal information handling activities, after reporting to their     department’s main person responsible in writing and receiving approval,     they may seal or confiscate it.

Wheredepartments fulfilling personal information protection duties and responsibilitiesfulfill their duties and responsibilities according to the law, concernedparties shall provide assistance and cooperation, and they may not obstruct orimpede them.


第六十四条 履行个人信息保护职责的部门在履行职责中,发现个人信息处理活动存在较大风险或者发生个人信息安全事件的,可以按照规定的权限和程序对该个人信息处理者的法定代表人或者主要负责人进行约谈,或者要求个人信息处理者委托专业机构对其个人信息处理活动进行合规审计。个人信息处理者应当按照要求采取措施,进行整改,消除隐患。


Article 64: Wheredepartments fulfilling personal information protection duties andresponsibilities discover relatively large risks exist in personal informationhandling activities or personal information security incidents occur, they mayconduct a talk with the personal information handler’s legal representative ormain person responsible according to regulatory powers and procedures, orrequire personal information handlers to entrust specialized institutions toconduct compliance audits of their personal information handling activities.Personal information handlers shall adopt measures according to requirements tocorrect the matter and eliminate the vulnerability.

Wheredepartments fulfilling personal information protection duties andresponsibilities discover in the course of their duties discover unlawfulhandling of personal information that is suspected of being involved in acrime, they shall promptly transfer the matter to public security authoritiesfor handling according to the law.


第六十五条 任何组织、个人有权对违法个人信息处理活动向履行个人信息保护职责的部门进行投诉、举报。收到投诉、举报的部门应当依法及时处理,并将处理结果告知投诉、举报人。


Article 65: Anyorganization or individual has the right to file a complaint or report aboutunlawful personal information handling activities with departments fulfillingpersonal information protection duties and responsibilities. Departmentsreceiving complaints or reports shall handle them promptly according to thelaw, and notify the complaining or reporting person of the handling outcome.

Departmentsfulfilling personal information protection duties and responsibilities shallpublish contact methods to accept complaints and reports.




Chapter VII: Legal Liability


第六十六条 违反本法规定处理个人信息,或者处理个人信息未履行本法规定的个人信息保护义务的,由履行个人信息保护职责的部门责令改正,给予警告,没收违法所得,对违法处理个人信息的应用程序,责令暂停或者终止提供服务;拒不改正的,并处一百万元以下罚款;对直接负责的主管人员和其他直接责任人员处一万元以上十万元以下罚款。


Article 66: Wherepersonal information is handled in violation of this Law or personalinformation is handled without fulfilling personal information protectionduties in accordance with the provisions of this Law, the departmentsfulfilling personal information protection duties and responsibilities are toorder correction, issue a warning, confiscate unlawful income, and order thesuspension or termination of service provision of the application programsunlawfully handling personal information; where correction is refused, a fineof not more than 1 million Yuan is additionally imposed; the directlyresponsible person in charge and other directly responsible person are finedbetween 10,000 and 100,000 Yuan.

Where thecircumstances of the unlawful acts mentioned in the preceding Paragraph aregrave, the provincial- or higher-level departments fulfilling personalinformation protection duties and responsibilities order correction, confiscateunlawful income, and impose a fine of not more than 50 million Yuan, or 5% of annualrevenue. They may also order the suspension of related business activities orcessation of business for rectification, and report to the relevant competentdepartment for cancellation of corresponding professional licenses orcancellation of business permits. The directly responsible person in charge andother directly responsible person are fined between 100,000 and 1 million Yuan,and it may also be decided to prohibit them from holding positions of director,supervisor, high-level manager, or personal information protection officer fora certain period.


第六十七条 有本法规定的违法行为的,依照有关法律、行政法规的规定记入信用档案,并予以公示。

Article 67: Whereunlawful acts as mentioned in this law occur, they will be entered into creditfiles as provided by relevant laws and administrative regulations, and bepublished. 


第六十八条 国家机关不履行本法规定的个人信息保护义务的,由其上级机关或者履行个人信息保护职责的部门责令改正;对直接负责的主管人员和其他直接责任人员依法给予处分。


Article 68: WhereState organs fail to fulfill personal information protection duties as providedin this Law, their superior organs or the departments fulfilling personalinformation protection duties and responsibilities shall order correction; thedirectly responsible person in charge and other directly responsible personsare to be disciplined according to the law.

Where the personof departments fulfilling personal information protection duties commitdereliction of duties, abuse their power, or engage in favouritism, but not yetconstituting a crime, they shall be disciplined according to the law.


第六十九条 处理个人信息侵害个人信息权益造成损害,个人信息处理者不能证明自己没有过错的,应当承担损害赔偿等侵权责任。


Article 69: Where thehandling of personal information infringes upon personal information rights andinterests and results in harm, and personal information handlers cannot provethey are not at fault, they shall take responsibility for the infringementthrough compensation, etc. 

In the aboveclause, the responsibility to compensate for infringement shall be determinedaccording to the resulting loss to the individual orthe resulting gains of thepersonal information handler. Where the loss to the individual and the gains tothe personal information handle are difficult to determine, compensation shallbe determined according to practical conditions.


第七十条 个人信息处理者违反本法规定处理个人信息,侵害众多个人的权益的,人民检察院、法律规定的消费者组织和由国家网信部门确定的组织可以依法向人民法院提起诉讼。

Article 70: Wherepersonal information handlers handle personal information in violation of theprovisions of this Law, infringing on the rights and benefits of manyindividuals, the People’s Procuratorates, statutorily designated consumerorganizations, and organizations designated by the national cyberspaceauthority may file a lawsuit with a People’s Court according to the law.


第七十一条 违反本法规定,构成违反治安管理行为的,依法给予治安管理处罚;构成犯罪的,依法追究刑事责任。

Article 71: Where aviolation of the provisions of this Law constitutes a violation of publicsecurity management, public security management punishment shall be imposedaccording to the law; where it constitutes a crime, criminal liability is to beinvestigated according to the law.



第八章附  则

Chapter VIII: Supplemental Provisions


第七十二条 自然人因个人或者家庭事务处理个人信息的,不适用本法。


Article 72: This lawdoes not apply to natural persons handling personal information for personal orfamily affairs. 

Where lawcontains provisions on personal information handling by People’s Governments atall levels and relevant departments and organizations implementing statisticaland archival management activities, those provisions apply.


第七十三条 本法下列用语的含义:





Article 73: Thefollowing terms of this Law are defined as follows:

  1. “Personal information handler” refers to     organizations and individuals that, in personal information handling     activities, autonomously determine handling purposes and handling methods.

  2. “Automated decision-making” refers to the use of     computer programs to automatically analyze or assess individual behaviors     and habits, interests and hobbies, or situations relating to finance,     health, or credit status, etc., and engage in decision-making activities.

  3. “De-identification” refers to the process of     personal information undergoing handling to ensure it is impossible to identify     specific natural persons without the support of additional information.

  4. “Anonymization” refers to     the process of personal information undergoing handling to make it     impossible to identify specific natural persons and impossible to restore.


第七十四条 本法自2021111日起施行。

Article 74: This Law shall enter into force on November 1, 2021.

No comments: