China
5.1.3. Withdrawal of consent

Where the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw such consent at any time. The Personal Data Processor must provide a convenient and accessible method for the data subject to exercise this right. Upon withdrawal of consent, the Processor must delete the relevant personal data, either proactively or upon the data subject’s request.

5.2. Data storage and retention timelines

Unless otherwise required by applicable laws or administrative regulations, personal data should only be retained for the minimum period necessary to fulfill the purpose for which it was collected. Once that purpose has been achieved, or the agreed retention period has expired, the personal data must be deleted. Exceptions are where laws and regulations provide for a minimum retention period for certain types of personal data; such requirements shall be followed.

5.3. Data correction, completion, update, or erasure

Data subjects have the right to ensure their personal data is accurate, complete, and up-to-date. Personal Data Processors are legally required to address such requests promptly, reasonably, and effectively. For instance, upon receiving a valid request for data deletion, the Personal Data Processor must promptly erase the relevant personal data, unless retention is necessary to fulfill legal obligations. A detailed outline of the rights of data subjects is provided in section “6. Rights and Duties of Data Providers/Principals.”

5.4. Data protection and security practices and procedures

5.4.1. Organizational measures

(1) Internal management systems and operational procedures
Personal Data Processors must implement clear internal policies and procedures that outline processing workflows and authorization protocols. High-risk operations—including bulk data deletion, copying, or downloading—require formal approval. All unauthorized activities must be logged and reviewed.

(2) Data categorization and risk-based management
Personal data shall be classified based on sensitivity levels and potential impact severity, with differential safeguards implemented according to each classification tier.

(3) Personnel training
All staff with access to personal data must complete role-specific security training at least annually. The training program should cover both general data protection principles and job-specific responsibilities.
www.llinkslaw.com