China Personal Information Protection Law | China PIPL
Data Protection Principles: The PIPL sets out seven principles for personal information processing:

Lawfulness: Personal information must be processed in accordance with the principles of legality, legitimacy, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive.

Purpose Specification: Processing must be conducted:

  • For a specified and reasonable purpose.
  • In a manner directly related to that purpose.
  • In the way that has the least impact on personal rights and interests.
Data Minimisation: The collection of personal information must be limited to the minimum scope necessary to achieve the purpose of processing and must not be excessive.

Storage Limitation: Personal information must be stored for no longer than the minimum period necessary to achieve the processing purpose, unless a law or administrative regulation stipulates otherwise.

Transparency: Processing must be conducted in accordance with the principles of openness and transparency, which in practice means giving individuals notice of the processing rules before their personal information is processed.

Accuracy: Personal information handlers must ensure the quality of the personal information they process, so that inaccurate or incomplete personal information does not adversely affect personal rights and interests.

Data Security: Personal information handlers must take the measures necessary to ensure the security of the personal information they process.

The Trust Challenge

Key Obligations & Consequences

Applicability

The PIPL applies to the processing, by private and public organizations within China, of the personal information of identifiable natural persons. In addition, the PIPL applies to processing activities outside China that relate to the personal information of individuals in China if the purpose of the processing is to:

  • Offer goods or services to individuals in China.
  • Monitor and evaluate the activities of individuals in China.
Data Protection Impact Assessment

Under Article 55 of the PIPL, a personal information handler must conduct a personal information protection impact assessment (PIA) before:

  • Processing sensitive personal information.
  • Using personal information in automated decision-making.
  • Engaging an entrusted party to process personal information on the personal information handler's behalf.
  • Providing personal information to another personal information handler.
  • Disclosing personal information to the public.
  • Transferring personal information outside of China.
  • Any processing activity that will have a material impact on the personal rights and interests of an individual.
Consent Requirement

Article 13 of the PIPL provides the following exceptions under which personal information may be processed without the individual's consent, namely where the processing is:

  • Necessary to enter into or perform a contract to which the individual is a party, or necessary for human resources management conducted under lawfully formulated internal labor policies and lawfully concluded collective labor contracts.
  • Necessary to perform statutory duties or obligations.
  • Necessary to respond to a public health emergency, or to protect the life, health or property of individuals in an emergency.
  • Carried out, to a reasonable extent, for news reporting or media monitoring in the public interest.
  • Of personal information that the individual has already disclosed or that has otherwise been lawfully disclosed, within a reasonable scope and in accordance with the PIPL.
  • Required in other circumstances provided for by law.

Key Challenges in brief:

Data Processing Records

The PIPL does not impose a general obligation on personal information handlers to keep records of processing. However, where a handler is required to conduct a personal information protection impact assessment (PIA) for a processing activity, it must retain the PIA report and the related processing records for at least three years. In addition, under Article 69 of the PIPL a handler that cannot prove it was not at fault in processing personal information is liable for the damage that processing causes. Handlers are therefore advised to keep processing records as a matter of good practice and as evidence to defend against third-party claims.

Data Breach Notification

Under the PIPL, where a leak, tampering or loss of personal information has occurred or may occur, a personal information handler must immediately take remedial measures and notify the relevant regulators and the affected individuals. The PIPL requires the notification to include, among other things:

  • The type(s) of personal information affected.
  • Any remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm.
  • The contact information of the personal information handler.

The PIPL does, however, provide a risk-of-harm threshold for notifying affected individuals: if the measures taken by the handler can effectively prevent harm from the incident, the handler need not notify the individuals, unless a regulator determines that notification is required.

Data Retention

Personal information retention periods will be the shortest period necessary to realize the purpose of the personal information handling, except where laws or administrative regulations provide otherwise.

Cross-Border Transfer of Personal Information

In general, a personal information handler that intends to transfer personal information to recipients outside China must:

  • Provide individuals with specific information about the transfer (including the overseas recipient and the purpose and method of processing) and obtain their separate consent.
  • Carry out a personal information protection impact assessment.
  • Satisfy one of the transfer mechanisms provided by the PIPL: pass a security assessment organized by the Cyberspace Administration of China (CAC), obtain a personal information protection certification from a professional body recognized by the CAC, conclude a contract with the overseas recipient based on the standard contract issued by the CAC, or meet other conditions provided by laws and regulations.
Fulfillment of Data Subject Rights

Key rights of individuals under China's PIPL are as follows:

  • Right to Access: Individuals have the right to access and copy their personal information from personal information handlers.
  • Right to Correction: Where individuals discover their personal information is incorrect or incomplete, they have the right to request personal information handlers correct or complete their personal information.
  • Right to Information/limit/refuse: Individuals have the right to know and the right to decide relating to their personal information and have the right to limit or refuse the handling of their personal information by others.
  • Right to Deletion: Individuals have the right to request personal information handlers to delete their personal information if the agreed retention period has expired, or individuals rescind their consent, or personal information is being handled in violation of the law, or where the personal information handlers cease the provision of services or products.
  • Right to Portability: Individuals have the right to request that personal information handlers transfer their personal information to another handler they designate, subject to conditions to be set by the national cyberspace authority.
  • Right to Explanation: Individuals also have the right to request personal information handlers to explain personal information handling rules.
Win-Win Situation

Solutions

Privacy Process Automation: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks such as PIAs and DPIAs, which aim to improve privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. A privacy automation solution simplifies privacy management, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third-Party Privacy Intelligence (monitors third-party sharing): Silos between business and IT teams often make it hard to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors and business partners. TurtleShield PI (Privacy Intelligence) builds a data map of these data-sharing flows so that you can act on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses reduce excess data and adhere to the data minimization principle. It is a data hygiene control approached from a risk-reduction and compliance perspective: large data sets are scanned with machine learning to identify excess data, including personal data. Removing unwanted data reduces operational inefficiency, storage cost, and the legal cost and regulatory exposure of holding it.

Right to Erasure with Assured Deletion: TurtleShield RTBF (Right to Erasure with Assured Deletion) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Enable Data Subject Rights with cost savings and compliance in totality: Search across large data sets to fulfil data subject requests completely and at a rapid pace. The assumption that data exists only in databases is rarely true; customer data lives in many sources. Using machine learning and AI, we crawl across data sources and predict where PII may exist.

Consent Management: TurtleShield CM helps organizations achieve consent compliance by implementing the processes, technologies and policies needed to collect and manage user consent in line with applicable data protection regulations and industry best practices. It also supports consent management in 22 regional languages.
