China
transmission, provision, disclosure, and deletion, etc. For a detailed description, please refer to the following section, “6. Requirements for Data Processing”. (2) Individual: Under the PIPL, an individual is entitled to a series of personal data subject rights. For a detailed description, please refer to the following section “6. Rights and duties of data providers/principals”. (3) Personal information protection officer (PIPO): A PIPO shall be responsible for supervising personal data processing activities and the protective measures taken. Meanwhile, a Personal Data Processor shall disclose a PIPO’s contact information and report a PIPO’s name and contact details to the municipal-level CAC in the city where it is located. Requirements for Data Processing 5 .1. Grounds for collection and processing 5.1.1. Consent Generally, personal data may only be collected and processed with the data subject’s informed, freely given, and explicit consent. In certain circumstances, separate consent is required. For instance, when processing sensitive personal data, sharing personal data with third parties, or transferring personal data across borders. Unlike “general consent”, which covers multiple purposes with a single approval, separate consent requires clear and specific authorization for each
individual processing activity. Nevertheless, the PIPL allows for limited exceptions where personal data may be processed without consent, such as when processing is necessary for the performance of a contract to which the data subject is a party, or when it is carried out for lawful HR management. Despite these exceptions, consent remains the primary legal basis for the collection and processing of personal data under PIPL. 5.1.2. Consent notice In addition to obtaining consent, a Personal Data Processor must provide a clear, comprehensive, and accessible privacy notice or policy. This notice must clearly explain how personal data is collected, processed, shared, and stored, specifying the purposes, scope, methods, and retention periods of each processing activity. It must also outline the full range of data subject rights, along with the procedures and methods to exercise those rights in practice. To ensure clarity and accessibility, the privacy notice should be written in concise and unambiguous language that is easy to understand. It must be made available to the data subject at the time consent is collected and remain continuously accessible. Furthermore, the notice should be promptly updated to reflect any material changes to the Personal Data Processor’s data processing practices, and additional consent should be sought if such changes affect the original scope or purpose of processing.
www.llinkslaw.com
Made with FlippingBook - PDF hosting