Global Data and Cyber Handbook

China

Select a Topic
Start Comparison
Key Definitions
Jump to
Key Definitions Start Comparison
Personal data

Last review date: 1 January 2024

Under the PIPL, "personal information" is expressly defined to include all kinds of information, recorded electronically or in other forms, that relate to identified or identifiable natural persons. Anonymized information is excluded from the definition.

Sensitive/special personal data (including personal data subject to additional protections/ restrictions/breach notification obligations)

Last review date: 13 January 2025

Sensitive data includes:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical belief
  • personal data revealing trade / professional union or association membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person or biometric templates
  • data concerning health/medical information
  • data concerning a natural person's sex life or sexual orientation
  • financial information
  • government identity card or number information
  • passwords
  • personal data regarding an individual's criminal convictions or record
  • other

    Certain personal information is considered "sensitive" under the PIPL and other Chinese laws and regulations.

    According to the PIPL, "sensitive personal information" refers to personal information that, if leaked or used illegally, may easily cause harm to the dignity of natural persons or cause serious damage to the safety of individuals and their properties. A non-exhaustive list of examples of "sensitive personal information" (such as biometric data) is provided in the legislation.

    Other examples of sensitive personal information include:
    • Information about a person's specific identity
    • Information about an individual's location tracking
    • Personal information of minors under the age of 14
Controller vs Processor

Last review date: 13 January 2025

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • the controller/agent is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • the processor/agent is natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Yes

According to the PIPL, "personal information processor" is expressly defined to refer to any organization or individual that is able to make its own decision on the purpose, the means of processing and other matters relating to the processing of personal information, and this is akin to the concept of "controller."

"Entrusted processing party" refers to an individual or an organization being engaged or entrusted by other(s) to process personal information in accordance with its instructions and is akin to the concept of "processor."

The terms "controller" and "processor" used herein are for illustration purposes only.

{{ $store.state.loadingScreen.message }} ...