China
(3)National Standards Non-mandatory national standards and guidelines also contribute as valuable references for personal data protection practices, such as the national standard Information security technology—Personal information security specification (GB/T 35273-2020). Scope of Application 3.1. Legislative Scope 3.1.1. Definition of personal data According to Article 4 of the PIPL, personal data/data refers to information related to identified or identifiable natural persons recorded by electronic or other means, excluding information that has been anonymized. 3.1.2. Definition of different categories of personal data Under the PIPL, sensitive personal data is a special category of personal data that requires a higher level of protection. Sensitive personal data is defined as personal information/data that is likely to result in damage to the personal dignity of any natural person or damage to his/her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts, as well as the personal data of minors under the age of 14.
Certain national standards provide specific examples of sensitive personal data, such as location information and criminal records. However, these examples are only for reference. To identify whether certain information will be considered as sensitive personal data, one shall always focus on the processing context, the impact on personal data subjects, and conduct a case-by- case analysis. 3.1.3. Treatment of data and its different categories (1) Regulation of personal and non- personal data Among the Three Fundamental Laws, the PIPL specifically regulates personal data, setting forth principles and requirements that apply to the processing (collection, storage, use, processing, transmission, provision, disclosure, and deletion) of personal data. For example, under the PIPL, informed consent is the primary basis for processing personal data. Before processing an individual’s personal data, the Personal Data Processor shall ensure that the individual clearly agrees to the processing after having been fully informed. Separate consent is required in certain situations, which means a consent must be given explicitly for a specific activity (e.g., processing sensitive personal data, collecting data from minors under 14) rather than being part of a general consent. Besides, the PIPL does allow for some other legal basis to process personal data without consent.
www.llinkslaw.com
Made with FlippingBook - PDF hosting