Personal Information Protection Law of the People's Republic of China
(Adopted at the 30th Session of the Standing Committee of the 13th National People's Congress on August 20, 2021)
Table of Contents
Chapter I: General Provisions
Chapter II: Rules for Handling Personal Information
Section 1: Ordinary Provisions
Section 2: Rules for the Handling of Sensitive Personal Information
Section 3: Special Provisions on the Handling of Personal Information by State Organs
Chapter III: Rules for Cross-Border Provision of Personal Information
Chapter IV: Individuals' Rights in Personal Information Handling Activities
Chapter V: Obligations of Personal Information Handlers
Chapter VI: Departments performing personal information protection duties
Chapter VII: Legal Responsibility
Chapter VIII Supplementary Provisions
Chapter I: General Provisions
Article 1: This Law is drafted on the basis of the Constitution so as to protect rights and interests in personal information, regulate personal information handling activities, and promote the rational use of personal information.
Article 2: The personal information of natural persons is protected by law, and no organization or individual must infringe upon the rights and interests of natural persons' personal information.
Article 3: This Law applies to the handling of natural persons' personal information within the mainland territory of the People's Republic of China.
This Law also applies to the handling of natural persons' personal information within the territory of the People's Republic of China outside the territory of the People's Republic of China in any of the following circumstances:
(1) For the purpose of providing products or services to natural persons in China;
(2) Analyzing and assessing the conduct of natural persons within the territory;
(3) Other circumstances provided for by laws and administrative regulations.
Article 4: Personal information refers to all kinds of information related to identified or identifiable natural persons recorded electronically or by other means, excluding anonymized information.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.
Article 5: The handling of personal information shall follow the principles of legality, propriety, necessity, and good faith, and personal information must not be handled through methods such as misleading, fraud, or coercion.
Article 6: The handling of personal information shall have a clear and reasonable purpose, and shall be directly related to the purpose of the handling, employing methods that have the least impact on individual rights and interests.
The collection of personal information shall be limited to the minimum scope to achieve the purpose of processing, and personal information must not be excessively collected.
Article 7: The handling of personal information shall follow the principles of openness and transparency, disclosing rules for handling personal information, and clearly indicating the purpose, methods, and scope of handling.
Article 8: The handling of personal information shall ensure the quality of personal information, and avoid adverse impacts on individuals' rights and interests due to inaccurate or incomplete personal information.
Article 9: Personal information handlers shall be responsible for their personal information handling activities, and employ necessary measures to ensure the security of the personal information they handle.
Article 10: Organizations and individuals must not illegally collect, use, process, or transmit the personal information of others, must not illegally buy, sell, provide, or disclose the personal information of others, and must not engage in personal information handling activities that endanger national security or the public interest.
Article 11: The state is to establish and complete systems for the protection of personal information, to prevent and punish conduct that infringes on rights and interests in personal information, strengthen publicity and education on the protection of personal information, and promote the formation of a positive environment for governments, enterprises, relevant social organizations, and the public to jointly participate in the protection of personal information.
Article 12: The state actively participates in the drafting of international rules for the protection of personal information, promoting international exchanges and cooperation in the protection of personal information, and promoting mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Chapter II: Rules for Handling Personal Information
Section 1: Ordinary Provisions
Article 13: In any of the following circumstances, personal information handlers may handle personal information:
(1) Obtaining the individual's consent;
(2) Where it is necessary for the conclusion or performance of a contract to which an individual is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with law and the collective contract signed in accordance with law;
(3) Where it is necessary to perform legally-prescribed duties or obligations;
(4) Where it is necessary to respond to a public health emergency, or to protect the life, health, or property safety of natural persons in an emergency;
(5) Carrying out conduct such as news reporting and public opinion oversight in the public interest, and handling personal information within a reasonable scope;
(6) In accordance with the provisions of this Law, handle personal information that individuals have disclosed on their own or that has already been lawfully disclosed within a reasonable scope;
(7) Other circumstances provided for by laws and administrative regulations.
In accordance with other relevant provisions of this Law, the individual's consent shall be obtained for the handling of personal information, but where there are circumstances provided for in items (2) through (7) of the preceding paragraph, the individual's consent is not required.
Article 14: Where personal information is handled on the basis of an individual's consent, that consent shall be made voluntarily and explicitly by the individual on the premise of being fully informed. Where laws and administrative regulations provide that the handling of personal information shall obtain the individual's separate consent or written consent, follow those provisions.
Where there is a change in the purpose and method of handling personal information, or the type of personal information to be handled, the individual's consent shall be obtained anew.
Article 15: Where personal information is handled on the basis of an individual's consent, the individual has the right to withdraw his or her consent. Personal information handlers shall provide convenient ways to withdraw consent.
The withdrawal of consent by an individual shall not affect the validity of the personal information processing activities that have been carried out based on the individual's consent before the withdrawal.
Article 16: Personal information handlers must not refuse to provide products or services on the grounds that individuals do not consent to the handling of their personal information or withdraw their consent, except where the handling of personal information is necessary for the provision of products or services.
Article 17: Before handling personal information, personal information handlers shall truthfully, accurately, and completely inform individuals of the following matters in a conspicuous manner and in clear and understandable language:
(1) The name or contact information of the personal information handlers;
(2) The purpose and methods of handling personal information, the types of personal information handled, and the period for storing it;
(3) The methods and procedures for individuals to exercise the rights provided for in this Law;
(4) Other matters that laws and administrative regulations provide shall be notified.
Where there is a change in the matters provided for in the preceding paragraph, the individual shall be informed of the change.
Where personal information handlers inform the matters provided for in the first paragraph by formulating personal information handling rules, the handling rules shall be made public, and shall be convenient for access and preservation.
Article 18: Where personal information handlers handle personal information in circumstances where laws or administrative regulations provide that confidentiality shall be kept confidential or that they do not need to be notified, they may not notify individuals of the matters provided for in the first paragraph of the preceding article.
Where it is not possible to promptly inform individuals in an emergency situation in order to protect the safety of natural persons' lives, health, and property, the personal information handlers shall promptly notify them after the emergency is eliminated.
Article 19: Except as otherwise provided by laws and administrative regulations, the period for storing personal information shall be the shortest time necessary to achieve the purpose of handling.
Article 20: Where two or more personal information handlers jointly decide on the purposes and methods of handling personal information, they shall agree on their respective rights and obligations. However, this agreement does not affect the individual's request to any of the personal information processors to exercise the rights provided for in this Law.
Where personal information handlers jointly handle personal information and infringe on rights and interests in personal information and cause harm, they shall bear joint and several liability in accordance with law.
Article 21: Where personal information handlers entrust the handling of personal information, they shall agree with the entrusted person on the purpose, time period, methods of handling, types of personal information, protective measures, and the rights and obligations of both parties, and conduct oversight of the entrusted person's personal information handling activities.
Where the entrustment contract is not effective, invalid, revoked, or terminated, the entrusted person shall return the personal information to the personal information handler or delete it, and must not retain it.
Without the consent of the personal information processor, the entrusted person must not entrust others to handle personal information.
Article 22: Where personal information handlers need to transfer personal information due to merger, division, dissolution, declaration of bankruptcy, or other such reasons, they shall inform the individual of the name or contact information of the receiving party. The receiving party shall continue to perform the obligations of the personal information processor. Where the receiving party changes the original purpose or method of handling, it shall obtain the individual's consent anew in accordance with the provisions of this Law.
Article 23: Where personal information handlers provide personal information to other personal information handlers that they handle, they shall inform the individual of the recipient's name or contact information, the purpose of handling, the method of handling, and the type of personal information, and obtain the individual's separate consent. The recipient shall process personal information within the scope of the above-mentioned processing purposes, processing methods, and types of personal information. Where the receiving party changes the original purpose or method of handling, it shall obtain the individual's consent anew in accordance with the provisions of this Law.
Article 24: Personal information handlers using personal information to conduct automated decision-making shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and must not carry out unreasonable differential treatment of individuals in terms of transaction prices and other transaction conditions.
Where information is pushed or commercially marketed to individuals through automated decision-making, options that are not targeted at their personal characteristics shall be provided at the same time, or individuals shall be provided with convenient methods to refuse.
Where decisions that have a significant impact on an individual's rights and interests are made through automated decision-making, individuals have the right to request explanations from the personal information processor, and have the right to refuse the personal information processors to make decisions solely through automated decision-making.
Article 25: Personal information handlers must not disclose the personal information they handle, except where separate consent has been obtained.
Article 26: The installation of image collection and personal identification equipment in public places shall be necessary to preserve public safety, comply with relevant state provisions, and set up conspicuous reminder signs. The personal images and identification information collected may only be used for the purpose of maintaining public safety, and must not be used for other purposes, except where the individual's separate consent has been obtained.
Article 27: Personal information handlers may handle personal information that individuals have disclosed on their own or that have already been lawfully disclosed within a reasonable scope, except where individuals explicitly refuse. Where personal information handlers' handling of personal information that has already been disclosed has a major impact on individuals' rights and interests, they shall obtain the individual's consent in accordance with the provisions of this Law.
Section 2: Rules for the Handling of Sensitive Personal Information
Article 28: Sensitive personal information is personal information that, once leaked or illegally used, could easily lead to violations of a natural person's personal dignity or endangerment of their personal or property safety, including information such as biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and tracks, as well as the personal information of minors under the age of 14.
Personal information processors may only process sensitive personal information when there is a specific purpose and sufficient necessity, and strict protection measures are taken.
Article 29: The handling of sensitive personal information shall be subject to the individual's separate consent;
Article 30: Where personal information handlers handle sensitive personal information, in addition to the matters provided for in the first paragraph of article 17 of this Law, they shall also inform individuals of the necessity of handling sensitive personal information and the impact on individuals' rights and interests;
Article 31: Where personal information handlers handle the personal information of minors under the age of 14, they shall obtain the consent of the minors' parents or other guardians.
Where personal information handlers handle the personal information of minors under the age of 14, they shall draft special rules for handling personal information.
Article 32: Where laws or administrative regulations provide that relevant administrative permits or other restrictions shall be obtained on the handling of sensitive personal information, follow those provisions.
Section 3: Special Provisions on the Handling of Personal Information by State Organs
Article 33: This Law applies to the activities of state organs handling personal information, and where there are special provisions in this section, apply the provisions of this section.
Article 34: The handling of personal information by state organs for the performance of legally-prescribed duties shall be carried out in accordance with the scope of authority and procedures provided for by laws and administrative regulations, and must not exceed the scope and limits necessary for the performance of legally-prescribed duties.
Article 35: State organs handling personal information in order to perform legally-prescribed duties shall perform the obligation to inform in accordance with the provisions of this Law, except where there are circumstances provided for in the first paragraph of article 18 of this Law, or where notification would obstruct the state organs' performance of legally-prescribed duties.
Article 36: Personal information handled by state organs shall be stored within the mainland territory of the People's Republic of China; The security assessment may require the support and assistance of the relevant authorities.
Article 37: The provisions of this Law on the handling of personal information by state organs apply to the handling of personal information by organizations authorized by laws or regulations to have public affairs management functions to perform their legally-prescribed duties.
Chapter III: Rules for Cross-Border Provision of Personal Information
Article 38: Where personal information handlers truly need to provide personal information outside the territory of the People's Republic of China due to business and other needs, they shall meet any of the following requirements:
(1) Pass a security assessment organized by the state internet information department in accordance with article 40 of this Law;
(2) In accordance with the provisions of the State Internet Information Department, personal information protection certification is carried out by a professional body;
(3) Conclude a contract with the overseas recipient in accordance with the standard contract formulated by the State Internet Information Department, stipulating the rights and obligations of both parties;
(4) Other requirements provided for by laws, administrative regulations, or the state internet information department.
Where international treaties and agreements concluded or participated in by the People's Republic of China have provisions on the requirements for providing personal information outside the territory of the People's Republic of China, they may be implemented in accordance with those provisions.
Personal information handlers shall employ necessary measures to ensure that the overseas recipient's handling of personal information meets the personal information protection standards provided for in this Law.
Article 39: Where personal information handlers provide personal information outside the territory of the People's Republic of China, they shall inform the individual of matters such as the name or contact information, the purpose and method of handling, the type of personal information, and the methods and procedures for individuals to exercise the rights provided for in this Law to the overseas recipient, and obtain the individual's separate consent.
Article 40: Critical information infrastructure operators and personal information handlers that handle personal information up to the amount provided for by the State Internet Information Department shall store personal information collected and produced within the territory of the People's Republic of China. Where it is truly necessary to provide it overseas, it shall pass a security assessment organized by the state internet information department, and where laws, administrative regulations, or the state internet information department provide that a security assessment may not be conducted, follow those provisions.
Article 41: The competent organs of the People's Republic of China are to handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored within the territory of China on the basis of relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent authorities of the People's Republic of China, personal information handlers must not provide personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement agencies.
Article 42: Where foreign organizations or individuals engage in personal information handling activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China, or endanger the national security or public interest of the People's Republic of China, the state internet information departments may enter them into the list of restrictions or prohibitions on the provision of personal information, make a public announcement, and employ measures such as restricting or prohibiting the provision of personal information to them.
Article 43: Where any country or region employs discriminatory prohibitions, restrictions, or other similar measures against the People's Republic of China in the protection of personal information, the People's Republic of China may employ reciprocal measures against that country or region on the basis of actual circumstances.
Chapter IV: Individuals' Rights in Personal Information Handling Activities
Article 44: Individuals enjoy the right to know and make decisions on the handling of their personal information, and have the right to restrict or refuse others to handle their personal information, except as otherwise provided by laws and administrative regulations.
Article 45: Individuals have the right to access and copy their personal information from personal information handlers, except in the circumstances provided for in the first paragraph of article 18 and article 35 of this Law.
Where individuals request access to or reproduction of their personal information, the personal information handlers shall promptly provide it.
Where individuals request to transfer personal information to their designated personal information handlers, and the requirements provided by the State Internet Information Department are met, the personal information handlers shall provide channels for the transfer.
Article 46: Where individuals discover that their personal information is inaccurate or incomplete, they have the right to request that personal information handlers make corrections or supplements.
Where individuals request corrections or supplements of their personal information, personal information handlers shall verify their personal information and promptly correct or supplement it.
Article 47: In any of the following circumstances, personal information handlers shall proactively delete personal information, and where personal information handlers have not deleted it, individuals have the right to request deletion:
(1) The purpose of the handling has already been achieved, cannot be achieved, or is no longer necessary to achieve the purpose of the handling;
(2) Personal information handlers have stopped providing products or services, or the retention period has expired;
(3) the individual withdraws consent;
(4) Personal information handlers handle personal information in violation of laws, administrative regulations, or agreements;
(5) Other circumstances provided for by laws and administrative regulations.
Where the retention period provided for by laws or administrative regulations has not been completed, or where it is technically difficult to delete personal information, personal information handlers shall stop handling it other than storing it and employing necessary security protection measures.
Article 48: Individuals have the right to request that personal information handlers explain their personal information handling rules.
Article 49: Where a natural person is deceased, their close relatives may, for their own lawful and legitimate interests, exercise rights such as those provided for in this chapter to access, reproduce, correct, or delete the deceased's personal information;
Article 50: Personal information handlers shall establish convenient mechanisms for accepting and handling applications for individuals exercising their rights. Where an individual's request to exercise their rights is refused, the reasons shall be explained.
Where personal information handlers refuse an individual's request to exercise their rights, the individual may file a lawsuit in the people's court in accordance with law.
Chapter V: Obligations of Personal Information Handlers
Article 51: Based on the purpose and method of handling personal information, the type of personal information, the impact on individuals' rights and interests, and possible security risks, personal information handlers shall employ the following measures to ensure that personal information handling activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access, leakage, alteration, or loss of personal information:
(1) Formulate internal management systems and operating procedures;
(2) Carry out categorical management of personal information;
(3) Employ corresponding technical security measures such as encryption and de-identification;
(4) Reasonably determine the scope of operational authority for the handling of personal information, and periodically conduct security education and training for employees;
(5) Draft and organize the implementation of emergency response plans for personal information security incidents;
(6) Other measures provided for by laws and administrative regulations.
Article 52: Where the handling of personal information reaches the amount provided for by the State Internet Information Department, personal information handlers shall designate a person responsible for personal information protection, responsible for oversight of personal information handling activities and protective measures employed.
Personal information handlers shall disclose the contact information of the person responsible for personal information protection, and report the name and contact information of the person responsible for personal information protection to the department performing personal information protection duties.
Article 53: Personal information handlers outside the territory of the People's Republic of China as provided for in paragraph 2 of article 3 of this Law shall establish a specialized body or designate a representative within the mainland territory of the People's Republic of China to be responsible for handling matters related to the protection of personal information, and report the name of the relevant body or the name and contact information of the representative to the department performing personal information protection duties.
Article 54: Personal information handlers shall periodically conduct compliance audits of their handling of personal information in compliance with laws and administrative regulations.
Article 55: In any of the following circumstances, personal information handlers shall conduct a personal information protection impact assessment in advance, and make a record of the disposition:
(1) Handling sensitive personal information;
(2) Using personal information to conduct automated decision-making;
(3) Entrusting the handling of personal information, providing personal information to other personal information handlers, or disclosing personal information;
(4) Providing personal information overseas;
(5) Other personal information handling activities that have a major impact on individuals' rights and interests.
Article 56: Personal information protection impact assessments shall include the following content:
(1) Whether the purposes and methods of handling personal information are lawful, just, or necessary;
(2) The impact on personal rights and interests and security risks;
(3) Whether the protective measures adopted are lawful, effective, and commensurate with the degree of risk.
Personal information protection impact assessment reports and records of disposition shall be stored for at least three years.
Article 57: Where leaks, alterations, or losses of personal information occur or might occur, personal information handlers shall immediately employ remedial measures and notify the departments and individuals performing personal information protection duties. The notice shall include the following matters:
(1) The types of information that has occurred or might occur in the leakage, alteration, or loss of personal information, the causes, and the harm that might be caused;
(2) The remedial measures employed by the personal information handlers and the measures that individuals may employ to mitigate harm;
(3) Contact information for personal information handlers.
Where personal information handlers can effectively avoid harm caused by information leakage, alteration, or loss, personal information handlers may not notify individuals, and where departments performing personal information protection duties find that harm might be caused, they have the right to request that personal information handlers notify individuals.
Article 58: Personal information handlers providing important internet platform services, with a huge number of users, or complex business types, shall perform the following obligations:
(1) Establish and complete personal information protection compliance systems in accordance with state provisions, and establish an independent body composed primarily of external members to conduct oversight of the protection of personal information;
(2) Follow the principles of openness, fairness, and impartiality, draft platform rules, and clarify the norms for the handling of personal information by product or service providers on the platform and their obligations to protect personal information;
(3) Stop providing services to product or service providers on the platform that handle personal information in serious violation of laws or administrative regulations;
(4) Periodically publish reports on social responsibility for the protection of personal information, and accept social oversight.
Article 59: Entrusted persons entrusted with the handling of personal information shall employ necessary measures to ensure the security of the personal information they handle in accordance with the provisions of this Law and relevant laws and administrative regulations, and assist personal information handlers in performing the obligations provided for in this Law.
Chapter VI: Departments performing personal information protection duties
Article 60: The State Internet Information Department is responsible for the overall planning and coordination of personal information protection efforts and related oversight and management efforts. In accordance with the provisions of this Law and relevant laws and administrative regulations, the relevant departments of the State Council are responsible for personal information protection and oversight and management efforts within the scope of their respective duties.
The personal information protection and oversight and management duties of the relevant departments of local people's governments at the county level or above are to be determined in accordance with relevant state provisions.
The departments provided for in the preceding two paragraphs are collectively referred to as the departments performing personal information protection duties.
Article 61: Departments performing personal information protection duties are to perform the following personal information protection duties:
(1) Carry out publicity and education on the protection of personal information, guiding and supervising personal information handlers in carrying out efforts on the protection of personal information;
(2) Accepting and handling complaints and reports related to the protection of personal information;
(3) Organize assessments of the protection of personal information such as for applications, and publish the results of the assessments;
(4) Investigating and handling illegal personal information handling activities;
(5) Other duties provided for by laws and administrative regulations.
Article 62: The State Internet Information Department is to coordinate the following personal information protection efforts on the basis of this Law:
(1) Formulate specific rules and standards for the protection of personal information;
(2) Draft special rules and standards for the protection of personal information for small personal information processors, the handling of sensitive personal information, and new technologies and applications such as facial recognition and artificial intelligence;
(3) Support the research, development, and popularization of the application of secure and convenient electronic identity authentication technologies, and advance the establishment of online identity authentication public services;
(4) Advance the establishment of a socialized service system for the protection of personal information, and support relevant institutions in carrying out personal information protection assessment and certification services;
(5) Improve working mechanisms for complaints and reports on the protection of personal information.
Article 63: Departments performing personal information protection duties may employ the following measures in the performance of personal information protection duties:
(1) Questioning relevant parties and investigating circumstances related to personal information handling activities;
(2) Consult and copy parties' contracts, records, account books, and other relevant materials related to personal information handling activities;
(3) Carry out on-site inspections and conduct investigations into suspected illegal personal information handling activities;
(4) Inspect equipment and items related to personal information handling activities; Equipment or items that have evidence showing that they were used in illegal personal information handling activities may be sealed or seized upon written reporting to the principal responsible person for that department, and upon approval.
Departments performing personal information protection duties are to perform their duties in accordance with law, and the parties shall assist and cooperate, and must not refuse or obstruct them.
Article 64: Where, in the course of performing their duties, departments performing personal information protection duties discover that there are relatively large risks in personal information handling activities or that personal information security incidents have occurred, they may follow the scope of authority and procedures provided to give the personal information handlers' legally-designated representative or principle responsible person a talk, or request that the personal information handlers retain a professional body to conduct compliance audits of their personal information handling activities. Personal information handlers shall employ measures as required to carry out corrections and eliminate potential risks.
Where, in the course of performing their duties, departments performing personal information protection duties discover that the illegal handling of personal information is suspected of a crime, they shall promptly transfer it to the public security organs for handling in accordance with law.
Article 65: All organizations and individuals have the right to make complaints or reports about illegal personal information handling activities to the departments performing personal information protection duties. Departments receiving complaints or reports shall promptly handle them in accordance with law, and inform the complainant or informant of the outcome.
Departments performing personal information protection duties shall publish contact information for receiving complaints and reports.
Chapter VII: Legal Responsibility
Article 66: Where the provisions of this Law are violated in the handling of personal information, or where the handling of personal information fails to perform the personal information protection obligations provided for in this Law, the department performing personal information protection duties is to order corrections, give warnings, confiscate unlawful gains, and order the suspension or termination of the provision of services for applications that illegally handle personal information;
Where there is illegal conduct provided for in the preceding paragraph, and the circumstances are serious, the department performing personal information protection duties at the provincial level or above is to order corrections, confiscate unlawful gains, and give a concurrent fine of up to 50 million RMB or up to 5% of the previous year's turnover, and may also order a suspension of relevant operations or suspension of operations for rectification. Notify the relevant competent departments to revoke relevant business permits or revoke business licenses, and give directly responsible managers and other directly responsible personnel a fine of between 100,000 and 1,000,000 RMB, and may decide to prohibit them from serving as directors, supervisors, senior managers, or persons in charge of personal information protection of relevant enterprises for a set period of time.
Article 67: Where there is illegal conduct provided for in this Law, it is to be recorded in the credit archives in accordance with the provisions of relevant laws and administrative regulations, and it is to be announced.
Article 68: Where state organs do not perform their obligations to protect personal information as provided for in this Law, the organ at the level above or the department performing personal information protection duties is to order corrections, and the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.
Where the staff of departments performing personal information protection duties neglect their duties, abuse their authority, or twist the law for personal gain, and it does not constitute a crime, sanctions are to be given in accordance with law.
Article 69: Where the handling of personal information infringes upon rights and interests in personal information and causes harm, and personal information handlers cannot prove that they are not at fault, they shall bear tort liability such as compensation for damages.
Liability for damages provided for in the preceding paragraph is to be determined on the basis of the losses suffered by individuals or the benefits obtained by personal information handlers as a result; Where it is difficult to determine the losses suffered by individuals and the benefits received by personal information handlers as a result, the amount of compensation is to be determined on the basis of the actual circumstances.
Article 70: Where personal information handlers handle personal information in violation of the provisions of this Law, infringing on the rights and interests of a large number of individuals, the people's procuratorates, consumer organizations provided for by law, and organizations designated by the state internet information department may lawfully initiate litigation in the people's courts.
Article 71: Where a violation of the provisions of this Law constitutes a violation of the administration of public security, a public security administrative sanction shall be given in accordance with law;
Chapter VIII Supplementary Provisions
Article 72: This Law does not apply to natural persons' handling of personal information for personal or family matters.
Where the law has provisions on the handling of personal information in statistical and archives management activities organized and carried out by all levels of people's government and their relevant departments, apply those provisions.
Article 73: The meanings of the following terms in this Law:
(1) "Personal information handlers" refers to organizations and individuals that independently decide on the purposes and methods of handling personal information in personal information handling activities.
(2) "Automated decision-making" refers to activities that use computer programs to automatically analyze and assess an individual's behavioral habits, interests, hobbies, or economic, health, or credit status, and to make decisions.
(3) "De-identification" refers to the process by which personal information is processed so that it cannot be used to identify a specific natural person without the help of additional information.
(4) "Anonymization" refers to the process by which personal information cannot be identified as a specific natural person and cannot be restored after processing.
Article 74: This Law takes effect on November 1, 2021.
Source: Changjiang Cloud News
!["4.15" National Security Laws and Regulations Prize Answering Competition[fig]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)