Yes.
According to the Guidelines for the Information Technology Risk Management of Commercial Banks (Yin Jian Fa [2009] No. 19), when a bank's IT outsourcing involves its customers' materials, the bank must notify the relevant customers (whether institutional or individual customers). For institutional customers, whether the customers' authorization or consent is required depends on the bank's relevant policies and on confidentiality or other agreements with the clients.
From a general personal information protection law perspective, the PRC Personal Information Protection Law ("PIPL") does not require a personal information processor ("PIP", akin to a controller in EU terminology) (e.g., a financial institution) in China to obtain standalone consent from relevant individuals if the PIP merely entrusts a person (e.g., a cloud service provider) with processing relevant personal information pursuant to the agreed processing purpose, duration, method and other terms, provided that the entrusted processing falls within the scope of the original consent that the PIP obtained from relevant individuals. Moreover, the PIP will remain responsible for the processing activities. Use of cloud services may involve such entrusted processing of personal information because cloud service providers generally do not have discretion to decide the processing purposes and methods for personal information stored on their servers.
However, in relation to cross-border/outbound provision or transfer of personal information to an overseas recipient (whether it is a PIP or an entrusted processor), the PIPL requires the PIP in China to obtain the relevant data subjects' separate and informed consent. The data subjects must be informed of the overseas recipient's name, contact details, personal information processing purposes and methods, categories of personal information provided abroad, and the methods and procedures for the data subjects to exercise their rights under the PIPL, etc.
The consent should be revocable. After a data subject revokes consent, the financial institution would have to cease processing the data subject's personal information, unless such processing is based on a stipulated legal ground other than the data subject's consent, such as where it is necessary to conclude or perform a contract to which the individual is a party.