Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 13 January 2025

Yes

The following are potential legal bases for processing personal data:

  • the data subject has provided consent to the processing for the identified purposes
  • the personal data is necessary to perform a contract with the data subject
  • the personal data is necessary to comply with a legal obligation
  • the personal data is necessary to protect the vital interests of a natural person
  • the personal data is necessary for a public interest
  • other

In addition to the potential legal bases stated above, processing of personal information is permitted when the personal information concerned has been disclosed publicly by the data subject himself/herself or otherwise legally disclosed, and the processing is within a reasonable scope.

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 13 January 2025

Yes

The following are potential legal bases for processing special categories of personal data:

  • the data subject has given consent to the processing, where consent is measured to a higher standard than for non-sensitive personal data (for example, additional requirement for consent to be "explicit")
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

Consent from the data subject or the parents/legal guardians (if the data subject is under the age of 14) is generally viewed as the default (if not the only) legal basis for the processing of sensitive personal data. Whether any of the non-consent legal bases can be used for processing sensitive personal data remains to be tested and clarified in practice.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 13 January 2025

Yes

A minor within the meaning of data privacy laws is a person below the age of 14.

Consent from the data subject or the parents/legal guardians (if the data subject is under the age of 14) is generally viewed as the default (if not the only) legal basis for the processing of sensitive personal data. Whether any of the non-consent legal bases can be used for processing sensitive personal data remains to be tested and clarified in practice. Online service providers that provide services to minors below the age of 18 must not compel minors or their guardians to consent to the processing of non-necessary personal information, and must not refuse basic functions and services to minors because they or their guardians refused to consent to the processing of non-necessary personal information or withdrew such consent.

In what circumstances do these special requirements apply?

Last review date: 13 January 2025

Generally

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 13 January 2025

  • consent must be given or authorized by the parent/guardian of the minor
  • additional data security requirements apply

    Under the PIPL, personal information of minors under the age of 14 is classified as "sensitive personal information." The following requirements therefore apply:

    Prior to processing sensitive personal information, personal information processors should carry out a personal information protection impact assessment. It is stipulated that the relevant records should be retained for at least three years. Personal information processors should only process sensitive personal information if there is a specific purpose and sufficient necessity and when stringent protective measures are implemented. Specific rules contained in privacy notices or policies concerning the processing of minors' personal information should be formulated and published. Further, separate consent should be obtained from the parents or legal guardians of minors.

    Online service providers that provide services to minors below the age of 18 must not refuse basic functions and services to minors because they or their guardians refused to consent to the processing of non-necessary personal information or withdrew such consent.
  • other

    As far as children's personal information is concerned, the privacy notice should also set forth the following matters:
    • The purpose, method and scope of the collection, storage, use, transfer or disclosure of personal information of children
    • The storage place and term of the information collected and the disposal method after the storage term expires
    • Measures for guaranteeing the security of personal information of children
    • The consequences of refusal
    • Channels and methods for lodging complaints and reports
    • Ways and means of correcting and deleting personal information of children
    • Other matters that shall be notified

    If there is any substantial change to the matters set out in the preceding paragraph, consent of the child's parents or legal guardians should be obtained again.

    If a network operator entrusts a third party with processing children's personal information, the network operator is additionally required to: (i) conduct a security assessment of the entrusted third party and the entrusted processing activity and (ii) enter into an entrustment agreement, which must set out the entrusted matter, term, and nature and purpose of entrusting. Further, sub-entrustment of the processing of children's personal information is strictly prohibited.

    The network operator should designate a person in charge of the protection of children's personal information.

    Online service providers that provide services to minors below the age of 18 shall apply the principle of least privilege to their staff, strictly setting information access permissions to control the scope of access to minors' personal information. Staff access to minors' personal information shall be subject to approval by the relevant person in charge or their authorized manager, the access process shall be recorded, and technical measures shall be employed to prevent unlawful processing of minors' personal information.

    Online service providers that provide services to minors who are below the age of 18 shall conduct annual compliance audits regarding their compliance with laws and administrative regulations in the processing of minors' personal information, either by themselves or by an appointed professional institution, and report the audit results to the cyberspace and other authorities in a timely manner.