
80 Rules to follow for Self-Inspection to Comply with the new Personal Data Protection Law

2021.08.28 YANG, Jinwen; GAO, Jian; LI, Yuanyuan

The Personal Information Protection Law (hereinafter, the “PIPL”) was adopted after deliberation at the third session of the Standing Committee of the National People’s Congress on 20 August 2021, and will be implemented on 1 November 2021. China will then use the PIPL as the basic law for personal information protection.


The PIPL has eight chapters and 74 provisions (the main provisions and chapters are set out below). It bans “big data swindling” (“大数据杀熟”) in automated decision-making, imposes heavy obligations on large internet platforms and tightens the requirements for cross-border data transfers. Beyond the processing rules, processing procedures and cybersecurity protection obligations of personal data processors already provided in the Civil Code, the Consumer Rights Protection Law and the Cyber Security Law, enterprises such as personal data processors should attach high importance to the various new regulatory requirements.



Main Provisions | Chapters

Application Scope and Basic Principles for Personal Information Processing | Chapter One: General Provisions

Personal Information Processing Rules and Cross-Border Transfer Rules | Chapter Two: Personal Information Processing Rules; Chapter Three: Personal Information Cross-Border Transfer Rules

Rights and Obligations of Individuals, Enterprises, Regulatory Authorities and Other Participants | Chapter Four: Data Subjects’ Rights in Personal Data Processing Activities; Chapter Five: Data Subjects’ Rights in Personal Data Processing Activities of Personal Data Processors; Chapter Six: Authorities Performing Personal Information Protection Duties

Legal Liabilities and Supplementary Provisions | Chapter Seven: Legal Liability; Chapter Eight: Supplementary Provisions


In particular, the penalties imposed by the PIPL for illegal acts involving personal information are unprecedented: Apps that illegally process personal information will be ordered to suspend or terminate the provision of their services, and for serious illegal acts regarding personal data the legislator sets the highest fine at 5% of the previous year’s revenue (or no more than RMB 50 million), mirroring the level provided in the Anti-Monopoly Law.


Following the centralized action of four departments (the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation) in July 2021, a well-known travel App was removed from distribution for rectification and has since faced a cybersecurity review after secretly photographing users’ faces. The official implementation of the PIPL is expected to usher in a new phase of comprehensive supervision of personal data. Enterprises should make full use of the two-month window before the PIPL comes into force on 1 November 2021 to carry out self-inspection and rectify the personal data collection and processing rules in their existing Apps, webpages and offline business. We have prepared the following self-inspection checklist to assist in complying with the new personal information protection law; enterprises may use it as a reference during their self-inspection and rectification.


I. Corporate Rules and Regulations

1. Has the company established internal personal information protection systems and operational procedures?

□ Yes

□ No

2. Is there a privacy protection policy formulated and published on the company’s website?

□ Yes

□ No

3. Has the company formulated, and organized the implementation of, an emergency response system for personal data security incidents or breaches?

□ Yes

□ No

4. Has the company formulated an emergency response plan for personal data security incidents or breaches, and does it test the plan on a regular basis?

□ Yes

□ No

5. Has the company defined the operational permissions for processing personal information and conducted security education and training for employees on a regular basis?

□ Yes

□ No

6. Does the company regularly audit its compliance with the laws and administrative regulations on the processing of personal information?

□ Yes

□ No

II. Personal Data Processing: Full-Process Management

General Rules for Each Processing (and Collection) Activity

7. Have you obtained the individual’s consent before processing their personal data?

□ Yes

□ No

8. In collecting and processing employee information, have you exceeded the scope necessary for performing labor contracts and implementing human resource management?

□ Yes

□ No

9. Where the consent of an individual has not been obtained, does one of the following conditions apply:

  • where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party;

  • where it is necessary to implement human resources management in accordance with labor rules and regulations formulated according to the law and collective contracts concluded according to the law;

  • where personal information disclosed by the individuals themselves, or other personal information that has been legally disclosed, is processed within a reasonable scope in accordance with the provisions of the PIPL; and

  • other circumstances.

□ Yes

□ No

10. Prior to processing their personal information, have you truthfully, accurately and completely informed the individual of the following matters in a conspicuous manner and in clear and understandable language?

  • the name and contact information of the personal information processor;

  • the purpose and method of processing the personal information, and the type and retention period of the personal information processed;

  • the method and procedure for the individual to exercise the rights provided in the PIPL.

□ Yes

□ No

11. Is there any circumstance in which products or services are refused on the grounds that individuals do not agree to the processing of their personal information or withdraw their consent?

□ Yes

□ No

12. Is there any circumstance in which individual consent is obtained by misleading conduct, fraud or coercion?

□ Yes

□ No

Use of Personal Information

13. Is the individual’s consent obtained again when the purpose or method of processing, or the type of personal information processed, changes?

□ Yes

□ No

14. Joint processing: Where you and other personal information processors jointly determine the purpose and method of processing personal information, have you explicitly stipulated your respective rights and obligations by agreement?

□ Yes

□ No

15. Entrusted processing (1): When entrusting another party to process personal information, have you agreed with the entrusted party in writing on the purpose, duration and method of processing, the type of personal information, the protection measures, and the rights and obligations of both parties?

□ Yes

□ No

16. Entrusted processing (2): During the performance of the entrustment contract, have you supervised the personal information processing activities of the entrusted party so that it does not process personal information beyond the agreed purpose and method of processing?

□ Yes

□ No

17. Has a personal information protection impact assessment been conducted, and a record of the processing kept, before entrusting others to process personal information?

□ Yes

□ No

18. Have you prepared the personal information protection impact assessment reports and processing records and kept them for at least three years?

□ Yes

□ No

Preservation and Disclosure of Personal Information

19. Does the retention period of personal information exceed the minimum period necessary to achieve the purpose of processing?

□ Yes

□ No

20. Is the individual’s separate consent obtained when personal information is disclosed publicly?

□ Yes

□ No

21. Is a personal information protection impact assessment conducted, and a record of the processing kept, before disclosing personal information?

□ Yes

□ No

22. Have you prepared the personal information protection impact assessment reports and processing records and kept them for at least three years?

□ Yes

□ No

Provision of Personal Information

23. Where the enterprise is the provider: has it informed the individual of the name and contact information of the receiving party, the purpose and method of processing, and the type of personal information, and obtained their separate consent?

□ Yes

□ No

24. Where the enterprise is the receiving party (1): when it receives personal information processed by another personal information processor, is there an agreement on the purpose and method of processing and the type of personal information?

□ Yes

□ No

25. Where the enterprise is the receiving party (2): is the personal information processed within the agreed purpose and method of processing and the agreed type of personal information?

□ Yes

□ No

26. When changing the original purpose or method of processing, have you obtained the individual’s consent again in accordance with the PIPL (that is, informed the individual again of the name and contact information of the receiving party, the purpose and method of processing and the type of personal information, and obtained their separate consent again)?

□ Yes

□ No

27. Is a personal information protection impact assessment conducted, and a record of the processing kept, before providing personal information to other personal information processors?

□ Yes

□ No

28. Have you prepared the personal information protection impact assessment reports and processing records and kept them for at least three years?

□ Yes

□ No

Automated Decision-making

29. Is a personal information protection impact assessment conducted, and a record of the processing kept, before using personal information for automated decision-making?

□ Yes

□ No

30. Have you prepared the personal information protection impact assessment reports and processing records and kept them for at least three years?

□ Yes

□ No

31. When using personal information for automated decision-making, is any unreasonable differential treatment imposed on individuals in terms of transaction price or other transaction conditions?

□ Yes

□ No

32. When business marketing or information push is carried out through automated decision-making, do you provide options that are not targeted at personal characteristics, or a convenient way for individuals to refuse?

□ Yes

□ No

33. Where automated decision-making has a significant impact on an individual’s rights and interests, is an explanation given at the individual’s request?

□ Yes

□ No

Data Subject’s Rights

34. Where processing is based on the individual’s consent, does the personal information processor provide a convenient means to withdraw that consent?

□ Yes

□ No

35. Has the enterprise established a mechanism for receiving and handling individuals’ requests to exercise their rights, so that requests to consult, copy, correct and delete personal information are responded to in a timely manner?

□ Yes

□ No

36. Where an individual requests that their personal information be transferred to a personal information processor designated by them, are the conditions prescribed by the State cyberspace administration met?

□ Yes

□ No

37. If the preceding condition is met, is the individual provided with a means of transfer?

□ Yes

□ No

38. Does the personal information processor delete personal information on its own initiative in any of the following circumstances?

  • where the purpose of processing has been achieved, cannot be achieved, or is no longer necessary;

  • where the personal information processor stops providing products or services, or the agreed storage period has expired; or

  • where the individual withdraws their consent.

□ Yes

□ No

III. Special Circumstances

Cross-Border Transfer of Personal Information

39. Is the overseas recipient included on the list, published by the State cyberspace administration, of parties to whom the provision of personal information is restricted or prohibited?

□ Yes

□ No

40. Is a personal information protection impact assessment conducted, and a record of the processing kept, before providing personal information to overseas parties?

□ Yes

□ No

41. Have you prepared the personal information protection impact assessment reports and processing records and kept them for at least three years?

□ Yes

□ No

42. Are you a critical information infrastructure operator, or a personal information processor whose processing of personal information reaches the amount prescribed by the State cyberspace administration?

□ Yes

□ No

43. If yes, have you passed the security assessment organized by the State cyberspace administration for your provision of personal information to overseas parties?

□ Yes

□ No

44. Does the personal information fall within the circumstance in which it may be transferred to overseas parties after personal information protection certification in accordance with the provisions of the State cyberspace administration?

□ Yes

□ No

45. If yes, has the certification been obtained from a specialized agency in accordance with the provisions of the State cyberspace administration on personal information protection?

□ Yes

□ No

46. Does the personal information fall within the circumstance in which it may be transferred to overseas parties under a contract concluded with the overseas recipient according to the standard contract formulated by the State cyberspace administration?

□ Yes

□ No

47. If yes, have you entered into a contract with the overseas recipient according to the standard contract formulated by the State cyberspace administration, stipulating the rights and obligations of the parties?

□ Yes

□ No

48. Has the individual concerned been informed of the name and contact information of the overseas recipient, the purpose and method of processing, the type of personal information, and the way and procedure for exercising the rights prescribed in the PIPL against the overseas recipient?

□ Yes

□ No

49. Has the individual’s separate consent been obtained?

□ Yes

□ No

50. Have you taken the necessary measures to ensure that the overseas recipient’s processing of personal information meets the personal information protection standards stipulated in the PIPL?

□ Yes

□ No

51. Have you been required by any foreign judicial or law enforcement agency to provide personal information stored in China?

□ Yes

□ No

52. If so, has approval from the competent authority been obtained?

□ Yes

□ No

Special Protection of Sensitive Personal Information

53. Is there any circumstance in which sensitive personal information is processed (such as biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts, and the personal information of minors under the age of 14)?

□ Yes

□ No

54. Is there a specific purpose or necessity for processing sensitive personal information?

□ Yes

□ No

55. Are strict protective measures taken when processing sensitive personal information?

□ Yes

□ No

56. Has individual consent been obtained for processing sensitive personal information?

□ Yes

□ No

57. Where written consent is required by law for processing sensitive personal information, has such written consent been obtained?

□ Yes

□ No

58. Has a personal information protection impact assessment been conducted, and a record of the processing kept, before processing sensitive personal information?

□ Yes

□ No

59. Have you prepared the personal information protection impact assessment reports and processing records and kept them for at least three years?

□ Yes

□ No

60. Has the individual concerned been informed of the name and contact information of the personal information processor, the necessity of processing the sensitive personal information, and the impact on their personal rights and interests?

□ Yes

□ No

61. Have you processed any personal information of minors under the age of 14?

□ Yes

□ No

62. When processing the personal information of minors under the age of 14, has the consent of their parents or guardians been obtained?

□ Yes

□ No

63. Have special personal information processing rules been formulated for handling the personal information of minors under the age of 14?

□ Yes

□ No

Large Personal Information Processors

64. Are you a personal information processor whose processing of personal information reaches the amount prescribed by the State cyberspace administration?

□ Yes

□ No

65. If so, have you appointed a person in charge of personal information protection?

□ Yes

□ No

66. Have you made public the contact information of the person in charge of personal information protection?

□ Yes

□ No

67. Have you submitted the name and contact information of the person in charge of personal information protection to the department performing personal information protection duties?

□ Yes

□ No

Important Internet Platforms

68. Have you established and improved a personal information protection compliance system in accordance with state regulations?

□ Yes

□ No

69. Has an independent body composed mainly of external members been established to supervise personal information protection?

□ Yes

□ No

70. Have platform rules been formulated, following the principles of openness, fairness and justice, that clarify the norms for processing personal information and the personal information protection obligations of the product or service providers on the platform?

□ Yes

□ No

71. Have you stopped providing services to product or service providers on the platform that have seriously violated laws and administrative regulations in processing personal information?

□ Yes

□ No

72. Do you regularly publish social responsibility reports on personal information protection?

□ Yes

□ No

Personal Information Processors in China

73. Do you, from outside the territory of the PRC, process the personal information of natural persons residing within the PRC for the purpose of providing products or services to them?

□ Yes

□ No

74. Do you, from outside the territory of the PRC, process the personal information of natural persons within the PRC for the purpose of analyzing and evaluating their activities?

□ Yes

□ No

75. Has a personal information processor outside the territory of the PRC that satisfies either of the circumstances in rules 73 and 74 established a special agency or designated a representative within the PRC to be responsible for personal information protection matters?

□ Yes

□ No

76. Has that personal information processor submitted the name and contact information of the agency or representative to the department performing personal information protection duties?

□ Yes

□ No

App Compliance Management (Key Point)

77. Has the existing privacy protection policy been amended in accordance with the PIPL?

□ Yes

□ No

78. Has the existing User Agreement been amended in accordance with the PIPL?

□ Yes

□ No

79. Have the personal information processing rules been adjusted in accordance with the PIPL?

□ Yes

□ No

80. Are the personal data subject’s rights protected as required under the PIPL?

□ Yes

□ No

