Global Data and Cyber Handbook

China

Select a Topic
Start Comparison
Information Requirements, Data Subject Rights, Accountability and Governance
Jump to
Information Requirements, Data Subject Rights, Accountability and Governance Start Comparison
What information needs to be included in a privacy notice to data subjects?

Last review date: 13 January 2025

  • the identity and the contact details of the controller and, where applicable, of the controller's representative
  • the contact details of the data protection officer, where applicable
  • the purposes of the processing for which the personal data is intended
  • the legal basis for the processing
  • the categories of personal data concerned
  • the recipients or categories of recipients of the personal data, if any
  • information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards and the means by which by to obtain a copy of them or where they have been made available
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.
  • the existence of the right to withdraw consent if processing is based on consent
  • how the data is held
  • the right to lodge a complaint with a supervisory authority
  • if applicable, information regarding automated decision making, including profiling

In addition to the items listed above, the regulators are empowered to request other information to be included in privacy notices.

Further, additional information is required if the personal information processor is to process sensitive personal information, provide personal information to another personal information processor, or transfer personal information overseas.

In the Network Data Security Regulations, it is stipulated that when informing individuals of the collection and provision of personal data and sharing such data with other network data processors, a network data processor shall specify the purpose, method, and type regarding the processing of relevant personal information, as well as the information on the data recipient, in the form of a list. A literal reading of this provision means that a personal information processor in China needs to include two lists in its privacy statement/notice/policy: one that lists the types of personal information that it collects and processes, and another that lists the third parties with whom the relevant personal information will be shared. This is often referred to as the "dual list" requirement, which stemmed from the requirement stipulated by MIIT, for companies operating public-facing mobile apps in China. It remains to be seen as to whether CAC will enforce this cumbersome requirement on a sweeping manner as the Network Data Security Regulations just became effective very recently.

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 13 January 2025

Yes

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

  • right to access the data subject's own personal data
  • right to rectify/correct the data subject's own personal data where inaccurate or incomplete
  • right to erasure of personal data
  • right to restrict data processing
  • right to data portability
  • right to object to the processing of personal data
  • right to withdraw consent
  • other (including the right to lodge a complaint)
Are there accountability and governance requirements?

Last review date: 13 January 2025

Yes

There are accountability and governance requirements to:

  • take privacy by default and design measures for all processing of personal data
  • perform and document data protection impact assessments (DPIAs) for high-risk processing:
  • maintain a record of processing activities (according to the PIPL, both the record of the personal information protection impact assessments and the processing activities shall be maintained for at least three years)
  • implement appropriate measures to comply with data privacy and security
  • demonstrate compliance with data privacy and security
  • provide training to employees
  • audit or supervise data processors
  • appoint a local representative in the jurisdiction (if the controller or processor is not located in the jurisdiction)
  • other

According to the Network Data Security Regulations, a large-scale network platform service provider (i.e., a network platform with more than 50 million registered users or more than 10 million monthly active users, having complex types of businesses, and conducting network data processing activities that have an important impact on national security, economic operation, and national economy and people's livelihood) shall issue a social responsibility report on personal information protection every year. The contents of the report should cover personal information protection measures and effectiveness, acceptance of applications for the exercise of rights by individuals, and fulfillment of the duties of the personal information protection supervisory body, which will be mainly composed of external members.

{{ $store.state.loadingScreen.message }} ...