Xinhua News Agency, Beijing, August 20th, by wire
Personal Information Protection Law of the People’s Republic of China
(Adopted at the 30th meeting of the Standing Committee of the 13th National People’s Congress on August 20, 2021)
content
Chapter One General Provisions
Chapter II Personal Information Processing Rules
Section 1 General Provisions
Section 2 Processing Rules for Sensitive Personal Information
Section 3 Special Provisions on the Handling of Personal Information by State Organs
Chapter III Rules for Cross-border Provision of Personal Information
Chapter IV Rights of Individuals in Personal Information Processing Activities
Chapter V Obligations of Personal Information Processors
Chapter VI Departments Performing Personal Information Protection Duties
Chapter VII Legal Liability
Chapter 8 Supplementary Provisions
Chapter One General Provisions
Article 1 In order to protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information, this law is formulated in accordance with the Constitution.
Article 2 The personal information of natural persons is protected by law, and no organization or individual may infringe upon the personal information rights of natural persons.
Article 3 This law applies to the processing of personal information of natural persons within the territory of the People’s Republic of China.
This law also applies to the processing of personal information of natural persons within the territory of the People’s Republic of China outside the People’s Republic of China under any of the following circumstances:
(1) For the purpose of providing products or services to domestic natural persons;
(2) Analyze and evaluate the behavior of natural persons in the territory;
(3) Other circumstances stipulated by laws and administrative regulations.
Article 4 Personal information refers to various information related to identified or identifiable natural persons recorded electronically or by other means, excluding anonymized information.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
Article 5 The handling of personal information shall follow the principles of lawfulness, fairness, necessity and good faith, and shall not process personal information through misleading, fraudulent, coercive and other methods.
Article 6 The processing of personal information should have a clear and reasonable purpose, and should be directly related to the purpose of processing, and adopt a method that has the least impact on personal rights and interests.
The collection of personal information shall be limited to the minimum scope for the purpose of processing, and personal information shall not be collected excessively.
Article 7 The processing of personal information shall follow the principles of openness and transparency, disclose personal information processing rules, and clearly indicate the purpose, method, and scope of processing.
Article 8: When handling personal information, the quality of personal information shall be guaranteed, and the inaccuracy and incompleteness of personal information shall not adversely affect personal rights and interests.
Article 9: Personal information processors shall be responsible for their personal information processing activities and take necessary measures to ensure the safety of the personal information processed.
Article 10 No organization or individual may illegally collect, use, process, or transmit the personal information of others, or illegally buy or sell, provide, or disclose the personal information of others; and must not engage in personal information processing activities that endanger national security or public interest.
Article 11: The state establishes a sound personal information protection system, prevents and punishes acts that infringe on personal information rights and interests, strengthens personal information protection publicity and education, and promotes the formation of a good environment for the government, enterprises, relevant social organizations, and the public to participate in personal information protection.
Article 12 The state actively participates in the formulation of international rules for personal information protection, promotes international exchanges and cooperation in personal information protection, and promotes mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Chapter II Personal Information Processing Rules
Section 1 General Provisions
Article 13 The personal information processor may process personal information only if one of the following circumstances is met:
(1) Obtain personal consent;
(2) It is necessary for the conclusion and performance of a contract in which the individual is a party, or necessary for the implementation of human resource management in accordance with the labor rules and regulations established in accordance with the law and the collective contract signed in accordance with the law;
(3) It is necessary to perform statutory duties or statutory obligations;
(4) It is necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in an emergency;
(5) Carry out news reports, public opinion supervision and other acts for the public interest, and handle personal information within a reasonable scope;
(6) Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope in accordance with the provisions of this law;
(7) Other circumstances stipulated by laws and administrative regulations.
In accordance with other relevant provisions of this law, personal consent shall be obtained for the processing of personal information, but under the circumstances specified in items 2 to 7 of the preceding paragraph, no personal consent is required.
Article 14 Where the processing of personal information is based on the individual’s consent, the consent shall be made voluntarily and clearly by the individual with full knowledge. Where laws and administrative regulations stipulate that the individual consent or written consent of the individual should be obtained for the processing of personal information, those provisions shall be followed.
If the processing purpose, processing method, and type of personal information processed change, the individual’s consent shall be re-obtained.
Article 15 Where the processing of personal information is based on an individual’s consent, the individual has the right to withdraw his consent. The personal information processor shall provide a convenient way to withdraw consent.
The withdrawal of an individual’s consent does not affect the effectiveness of the personal information processing activities that have been carried out based on the individual’s consent before the withdrawal.
Article 16 Personal information processors shall not refuse to provide products or services on the grounds that individuals do not agree to the processing of their personal information or withdraw their consent; unless the processing of personal information is necessary for the provision of products or services.
Article 17 Before processing personal information, personal information processors shall truthfully, accurately and completely inform individuals of the following matters in a conspicuous manner and in clear and easy-to-understand language:
(1) The name or name and contact information of the personal information processor;
(2) Purpose of processing personal information, processing method, type of personal information processed, and retention period;
(3) Methods and procedures for individuals to exercise their rights under this law;
(4) Other matters that should be notified by laws and administrative regulations.
If there is a change in the matters specified in the preceding paragraph, the individual shall be notified of the changed part.
Where a personal information processor informs the matters specified in the first paragraph by formulating personal information processing rules, the processing rules shall be made public, and it shall be convenient for inspection and storage.
Article 18: Personal information processors may not inform individuals of the matters specified in the first paragraph of the preceding article if there are circumstances in which laws and administrative regulations require that personal information should be kept confidential or do not need to be notified when handling personal information.
In an emergency, if it is not possible to notify individuals in time to protect the life, health and property safety of natural persons, the personal information processor shall promptly notify the individual after the emergency is eliminated.
Article 19 Except as otherwise provided by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the processing purpose.
Article 20: Where two or more personal information processors jointly determine the purpose and method of processing personal information, they shall agree on their respective rights and obligations. However, this agreement does not affect the individual’s request to any one of the personal information processors to exercise the rights stipulated in this law.
Where personal information processors jointly process personal information and infringe upon the rights and interests of personal information and cause damage, they shall bear joint and several liability in accordance with the law.
Article 21: When a personal information processor entrusts the processing of personal information, it shall agree with the trustee the purpose, time limit, processing method, types of personal information, protection measures, and the rights and obligations of both parties, etc., and the trustee’s Supervise personal information processing activities.
The trustee shall process personal information in accordance with the agreement, and shall not process personal information beyond the agreed processing purpose, processing method, etc.; if the entrustment contract is not effective, invalid, revoked or terminated, the trustee shall return the personal information to the personal information processor or delete it , Shall not be retained.
Without the consent of the personal information processor, the trustee shall not delegate the processing of personal information to others.
Article 22: Where a personal information processor needs to transfer personal information due to merger, division, dissolution, or bankruptcy, etc., it shall inform the individual of the name or name and contact information of the recipient. The recipient shall continue to perform the obligations of the personal information processor. If the receiving party changes the original processing purpose or processing method, it shall obtain personal consent again in accordance with the provisions of this law.
Article 23: When a personal information processor provides personal information processed by other personal information processors, it shall inform the individual of the recipient’s name or name, contact information, processing purpose, processing method, and type of personal information, and obtain Individual consent. The recipient shall process personal information within the scope of the above-mentioned processing purpose, processing method, and types of personal information. If the receiving party changes the original processing purpose or processing method, it shall obtain personal consent again in accordance with the provisions of this law.
Article 24: Personal information processors who use personal information to make automated decision-making shall ensure the transparency of decision-making and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions.
Information push and commercial marketing to individuals through automated decision-making methods should also provide options that are not specific to their personal characteristics, or provide individuals with convenient ways to refuse.
To make decisions that have a significant impact on personal rights and interests through automated decision-making methods, individuals have the right to request personal information processors to explain, and have the right to refuse personal information processors to make decisions only through automated decision-making methods.
Article 25: Personal information processors shall not disclose the personal information they process, unless they have obtained individual individual consent.
Article 26 The installation of image collection and personal identification equipment in public places shall be necessary to maintain public safety, comply with relevant state regulations, and set up prominent reminders. The collected personal images and identification information can only be used for the purpose of maintaining public safety and shall not be used for other purposes; except for those with individual consent.
Article 27: Personal information processors may process personal information disclosed by individuals themselves or other personal information that has been legally disclosed within a reasonable scope, unless the individual expressly refuses. Where personal information processors process disclosed personal information that has a significant impact on personal rights and interests, they shall obtain personal consent in accordance with the provisions of this law.
Section 2 Processing Rules for Sensitive Personal Information
Article 28. Sensitive personal information is personal information that, once leaked or used illegally, can easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, Information such as whereabouts, as well as personal information of minors under the age of fourteen.
Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity, and take strict protective measures.
Article 29 The processing of sensitive personal information shall obtain individual consent; where laws and administrative regulations stipulate that the processing of sensitive personal information shall obtain written consent, the provisions shall be followed.
Article 30: When processing sensitive personal information, a personal information processor shall, in addition to the matters specified in the first paragraph of Article 17 of this Law, also inform individuals of the necessity of processing sensitive personal information and the impact on personal rights and interests; in accordance with this law The law stipulates that the individual may not be notified except.
Article 31: Personal information processors that process the personal information of minors under the age of fourteen shall obtain the consent of the minor’s parents or other guardians.
Personal information processors who process the personal information of minors under the age of fourteen shall formulate special personal information processing rules.
Article 32: Where laws and administrative regulations stipulate that the processing of sensitive personal information should obtain relevant administrative licenses or impose other restrictions, those provisions shall be followed.
Section 3 Special Provisions on the Handling of Personal Information by State Organs
Article 33: This law applies to the activities of state organs handling personal information; where there are special provisions in this section, the provisions of this section apply.
Article 34 In order to perform statutory duties, state agencies shall process personal information in accordance with the powers and procedures prescribed by laws and administrative regulations, and shall not exceed the scope and limits necessary for performing statutory duties.
Article 35 In order to perform statutory duties and handle personal information, state agencies shall perform the obligation of notification in accordance with the provisions of this law; except in the circumstances specified in the first paragraph of Article 18 of this law, or notifications that would hinder the performance of statutory duties by state agencies.
Article 36: Personal information processed by state agencies shall be stored within the territory of the People’s Republic of China; if it is really necessary to provide it overseas, a security assessment shall be conducted. The security assessment may require support and assistance from relevant departments.
Article 37: Organizations authorized by laws and regulations with the function of managing public affairs to perform statutory duties to process personal information shall apply the provisions of this law on the handling of personal information by state agencies.
Chapter III Rules for Cross-border Provision of Personal Information
Article 38 If a personal information processor really needs to provide personal information outside the People’s Republic of China due to business needs, it shall meet one of the following conditions:
(1) Pass the security assessment organized by the State Cyberspace Administration in accordance with the provisions of Article 40 of this Law;
(2) Conduct personal information protection certification by professional institutions in accordance with the regulations of the national cyberspace administration;
(3) Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration department, stipulating the rights and obligations of both parties;
(4) Other conditions stipulated by laws, administrative regulations or the national cyberspace administration department.
Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside of the People’s Republic of China, they may be implemented in accordance with those provisions.
Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.
Article 39: When a personal information processor provides personal information outside the People’s Republic of China, it shall inform the individual of the name or name of the overseas recipient, contact information, processing purpose, processing method, types of personal information, and personal information to the overseas recipient. The methods and procedures for exercising the rights stipulated in this law, and obtaining the individual’s individual consent.
Article 40: Critical information infrastructure operators and personal information processors that process personal information up to the number prescribed by the national cyberspace administration shall store personal information collected and generated within the territory of the People’s Republic of China. If it is really necessary to provide it overseas, it shall pass the security assessment organized by the national cybersecurity and informatization department; where laws, administrative regulations, and the national cybersecurity and informatization department stipulate that the security assessment may not be performed, follow their provisions.
Article 41 The competent authority of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests by foreign judicial or law enforcement agencies for the provision of personal information stored in the country. Without the approval of the competent authority of the People’s Republic of China, personal information processors shall not provide personal information stored in the territory of the People’s Republic of China to foreign judicial or law enforcement agencies.
Article 42: Where foreign organizations or individuals engage in personal information processing activities that infringe upon the personal information rights of citizens of the People’s Republic of China, or endanger the national security or public interests of the People’s Republic of China, the national cyberspace administration may restrict or prohibit them The list of personal information provided shall be announced, and measures such as restricting or prohibiting the provision of personal information shall be taken.
Article 43: Where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People’s Republic of China in terms of personal information protection, the People’s Republic of China may take corresponding measures against the country or region based on actual conditions.
Chapter IV Rights of Individuals in Personal Information Processing Activities
Article 44: Individuals have the right to know and make decisions about the processing of their personal information, and the right to restrict or refuse the processing of their personal information by others; unless otherwise provided by laws and administrative regulations.
Article 45: Individuals have the right to consult and copy their personal information to personal information processors, except under the circumstances specified in Article 18, paragraph 1, and Article 35 of this law.
Where an individual requests to view or copy his or her personal information, the personal information processor shall provide it in a timely manner.
Individuals requesting the transfer of personal information to their designated personal information processor, and the personal information processor shall provide the means for the transfer if the conditions specified by the national cyberspace administration department are met.
Article 46: If an individual discovers that his personal information is inaccurate or incomplete, he has the right to request the personal information processor to correct or supplement it.
Where an individual requests correction or supplement of his personal information, the personal information processor shall verify his personal information and make corrections and supplements in a timely manner.
Article 47: In any of the following circumstances, the personal information processor shall take the initiative to delete personal information; if the personal information processor has not deleted, the individual has the right to request deletion:
(1) The processing purpose has been achieved, cannot be achieved, or is no longer necessary to achieve the processing purpose;
(2) The personal information processor ceases to provide products or services, or the retention period has expired;
(3) Individuals withdraw their consent;
(4) The personal information processor violates laws, administrative regulations or violates the agreement to handle personal information;
(5) Other circumstances stipulated by laws and administrative regulations.
If the retention period stipulated by laws and administrative regulations has not expired, or the deletion of personal information is technically difficult to achieve, the personal information processor shall stop processing other than storing and taking necessary security protection measures.
Article 48: Individuals have the right to request personal information processors to explain their personal information processing rules.
Article 49: In the event of a natural person’s death, his close relatives may exercise the rights of access, copy, correction, deletion, etc., to the relevant personal information of the deceased for their own legal and legitimate interests, unless otherwise arranged by the deceased.
Article 50: Personal information processors shall establish a convenient and convenient mechanism for the acceptance and processing of applications for individuals to exercise their rights. If an individual’s request to exercise his rights is rejected, the reasons shall be explained.
Where a personal information processor refuses an individual’s request to exercise his rights, the individual may file a lawsuit in a people’s court in accordance with the law.
Chapter V Obligations of Personal Information Processors
Article 51: Personal information processors shall take the following measures to ensure that personal information processing activities comply with laws and administrations in accordance with the processing purpose, processing methods, types of personal information, impact on personal rights and interests, possible security risks, etc. Regulations, and prevent unauthorized access and personal information leakage, tampering, and loss:
(1) Formulate internal management systems and operating procedures;
(2) Implement classified management of personal information;
(3) Adopt corresponding security technical measures such as encryption and de-identification;
(4) Reasonably determine the operating authority of personal information processing, and regularly conduct safety education and training for employees;
(5) Formulate and organize the implementation of emergency plans for personal information security incidents;
(6) Other measures stipulated by laws and administrative regulations.
Article 52: Personal information processors who process personal information up to the number prescribed by the national cybersecurity and informatization department shall appoint a person in charge of personal information protection who is responsible for supervising personal information processing activities and protective measures taken.
The personal information processor shall disclose the contact information of the person in charge of personal information protection, and submit the name and contact information of the person in charge of personal information protection to the department performing personal information protection duties.
Article 53: Personal information processors outside of the People’s Republic of China as specified in the second paragraph of Article 3 of this Law shall establish specialized agencies or designated representatives within the territory of the People’s Republic of The name or representative’s name, contact information, etc. shall be submitted to the department performing personal information protection duties.
Article 54: Personal information processors shall regularly conduct compliance audits of their handling of personal information in compliance with laws and administrative regulations.
Article 55: In any of the following circumstances, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing situation:
(1) Processing sensitive personal information;
(2) Using personal information to make automated decision-making;
(3) Entrust the processing of personal information, provide personal information to other personal information processors, and disclose personal information;
(4) Providing personal information abroad;
(5) Other personal information processing activities that have a significant impact on personal rights and interests.
Article 56: Personal information protection impact assessment shall include the following contents:
(1) Whether the processing purpose and processing method of personal information are legal, proper and necessary;
(2) Impact on personal rights and security risks;
(3) Whether the protective measures adopted are legal, effective and compatible with the degree of risk.
The personal information protection impact assessment report and processing record shall be kept for at least three years.
Article 57 Where personal information leakage, tampering, or loss occurs or may occur, the personal information processor shall immediately take remedial measures and notify the departments and individuals that perform personal information protection duties. The notice should include the following items:
(1) The types, reasons, and possible harms of personal information leakage, tampering, and loss occurred or may occur;
(2) Remedial measures taken by personal information processors and measures that individuals can take to reduce harm;
(3) Contact information of the personal information processor.
Where the personal information processor takes measures to effectively avoid the harm caused by information leakage, tampering, or loss, the personal information processor may not notify the individual; the department performing personal information protection duties believes that it may cause harm, it has the right to request the personal information processor to notify the individual .
Article 58: Personal information processors that provide important Internet platform services, a large number of users, and complex business types shall perform the following obligations:
(1) Establish and improve the personal information protection compliance system in accordance with national regulations, and establish an independent organization mainly composed of external members to supervise the protection of personal information;
(2) Follow the principles of openness, fairness, and justice, formulate platform rules, and clarify the standards for handling personal information by product or service providers on the platform and their obligations to protect personal information;
(3) Stop providing services to product or service providers in platforms that deal with personal information in serious violation of laws and administrative regulations;
(4) Regularly publish reports on social responsibility for personal information protection and accept social supervision.
Article 59 A trustee who accepts an entrustment to process personal information shall, in accordance with the provisions of this law and relevant laws and administrative regulations, take necessary measures to ensure the safety of the personal information processed, and assist the personal information processor in fulfilling the provisions of this law obligation.
Chapter VI Departments Performing Personal Information Protection Duties
Article 60: The national cybersecurity and informatization department is responsible for overall planning and coordination of personal information protection work and related supervision and management work. The relevant departments of the State Council shall be responsible for personal information protection and supervision and management within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The personal information protection and supervision and management responsibilities of the relevant departments of the local people’s government at or above the county level shall be determined in accordance with relevant national regulations.
The departments specified in the preceding two paragraphs are collectively referred to as the departments performing personal information protection duties.
Article 61 Departments that perform personal information protection duties perform the following personal information protection duties:
(1) Carry out personal information protection publicity and education, and guide and supervise personal information processors to carry out personal information protection work;
(2) Accept and handle complaints and reports related to the protection of personal information;
(3) Organizing the evaluation of the protection of personal information such as applications, and publishing the evaluation results;
(4) Investigating and handling illegal personal information processing activities;
(5) Other duties stipulated by laws and administrative regulations.
Article 62: The State Cyberspace Administration shall coordinate relevant departments to promote the following personal information protection work in accordance with this Law:
(1) Formulate specific rules and standards for personal information protection;
(2) Formulating special personal information protection rules and standards for small personal information processors, processing sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;
(3) Support the research, development and promotion of safe and convenient electronic identity authentication technology, and promote the construction of public service for network identity authentication;
(4) Promote the construction of a social service system for personal information protection, and support relevant agencies to carry out personal information protection evaluation and certification services;
(5) Improve the working mechanism for personal information protection complaints and reports.
Article 63: Departments that perform personal information protection duties may take the following measures when performing personal information protection duties:
(1) Inquiring about relevant parties and investigating situations related to personal information processing activities;
(2) Consult and copy the parties’ contracts, records, account books and other relevant materials related to personal information processing activities;
(3) Conduct on-site inspections and investigate suspected illegal personal information processing activities;
(4) Inspect equipment and articles related to personal information processing activities; if there is evidence to prove that they are used in illegal personal information processing activities, report to the main person in charge of the department in writing and with approval, they may be sealed up or seized.
Departments that perform personal information protection duties perform their duties in accordance with the law, and the parties concerned shall provide assistance and cooperation, and shall not refuse or obstruct.
Article 64: Departments that perform personal information protection duties, in performing their duties, find that personal information processing activities are at a greater risk or personal information security incidents occur, they may act as the legal representative of the personal information processor in accordance with the prescribed authority and procedures The person or the main person in charge conducts an interview, or requires the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities. Personal information processors shall take measures in accordance with the requirements to carry out rectifications and eliminate hidden dangers.
Departments that perform personal information protection duties, in performing their duties, find that the illegal handling of personal information is suspected of being a crime, it shall promptly transfer it to the public security organ for handling in accordance with the law.
Article 65: Any organization or individual has the right to complain or report to the department performing personal information protection duties regarding illegal personal information processing activities. The department that receives the complaint or report shall handle it in a timely manner in accordance with the law, and notify the complainant or reporter of the results of the handling.
Departments performing personal information protection duties shall publish the contact information for accepting complaints and reports.
Chapter VII Legal Liability
Article 66: Where personal information is processed in violation of the provisions of this law, or the processing of personal information fails to fulfill the personal information protection obligations under this law, the department performing personal information protection duties shall order corrections, give warnings, confiscate the illegal gains, and deal with the violations. The application of personal information shall be ordered to suspend or terminate the provision of services; if it refuses to make corrections, a fine of less than one million yuan shall be imposed; the directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.
If there is an illegal act as prescribed in the preceding paragraph and the circumstances are serious, the department performing personal information protection duties at or above the provincial level shall order it to make corrections, confiscate the illegal income, and impose a fine of less than 50 million yuan or less than 5% of the previous year’s turnover. It may also order the suspension of relevant business or suspend business for rectification, notify the relevant competent authority to revoke the relevant business permit or revoke the business license; impose a fine of 100,000 yuan up to 1 million yuan on the directly responsible person-in-charge and other directly responsible personnel, and may decide to prohibit He serves as a director, supervisor, senior manager and person in charge of personal information protection of related companies within a certain period of time.
Article 67 Where there is an illegal act as prescribed by this law, it shall be recorded in the credit file in accordance with the provisions of relevant laws and administrative regulations, and shall be publicized.
Article 68: If a state agency fails to perform its personal information protection obligations under this law, its superior agency or the department performing personal information protection duties shall order it to make corrections; the directly responsible persons in charge and other directly responsible persons shall be punished in accordance with the law.
If the staff of the department performing the personal information protection duties neglected their duties, abused their powers, practiced malpractices for personal gains, and did not constitute a crime, they shall be punished in accordance with the law.
Article 69: If the processing of personal information infringes upon the rights and interests of personal information and causes damages, and the personal information processor cannot prove that he is not at fault, he shall bear tort liability such as damages.
The liability for damages provided for in the preceding paragraph shall be determined in accordance with the loss suffered by the individual or the benefit obtained by the personal information processor; if it is difficult to determine the loss suffered by the individual and the benefit obtained by the personal information processor, the amount of compensation shall be determined according to the actual situation.
Article 70: Where personal information processors process personal information in violation of the provisions of this law and infringe on the rights and interests of many individuals, the people’s procuratorate, consumer organizations specified by the law, and organizations determined by the national cybersecurity and informatization department may file a lawsuit in the people’s court in accordance with the law.
Article 71 Anyone who violates the provisions of this law and constitutes a violation of public security management shall be given public security management penalties in accordance with law; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.
Chapter 8 Supplementary Provisions
Article 72: This law does not apply to natural persons handling personal information for personal or family affairs.
Where the law has provisions on the handling of personal information in statistics and archives management activities organized and implemented by the people’s governments at all levels and their relevant departments, those provisions shall apply.
Article 73 The meaning of the following terms in this law:
(1) Personal information processor refers to an organization or individual that autonomously determines the purpose and method of processing in personal information processing activities.
(2) Automated decision-making refers to the activities of automatically analyzing and evaluating personal behavior habits, hobbies, economic, health, and credit status through computer programs, and making decisions.
(3) De-identification refers to the process of processing personal information to make it impossible to identify a specific natural person without the help of additional information.
(4) Anonymization refers to the process in which personal information cannot be identified and cannot be restored after processing.
Article 74 This Law shall come into force on November 1, 2021.
.