Comparison of Ten Compliance Points of Data Protection Laws in Ten Countries/Regions | #2 Personal Information Processing Rules and Special Precautions

Part II: Personal Information Processing Rules and Special Precautions

The principles of personal information processing and the specific processing rules are the most critical and core content of every national data protection act. By clarifying in the act the legal basis for processing personal information and the corresponding specific rules, the law helps enterprises and individuals define the boundaries of their rights and obligations when processing personal information. Enterprises and organizations should pay particular attention to these specific rules and requirements in their processing activities.

(1) Interpretation of China’s Personal Information Protection Law (the “Personal Protection Law”):

After the third review, China’s Personal Protection Law has been further refined and improved in terms of the principles and processing rules for personal information, drawing a clearer red line for enterprises and organizations that process personal information.

01 Principles of Personal Information Protection

Articles 5 to 11 of China’s Personal Protection Law establish the principles to be followed in the processing of personal information. Processing should follow the principles of legality, legitimacy, necessity and good faith; it should have a clear and reasonable purpose and be directly related to that purpose; it should adopt the method with the least impact on personal rights and interests and be limited to the smallest scope needed to achieve the purpose; and the processor should disclose its processing rules, ensure the quality of the information, and take security protection measures.

In summary, seven main principles can be identified:

1. Principles of legality, legitimacy, necessity and good faith

This means that the processing of personal information should, on the one hand, have a legal basis (analyzed below), have justified reasons, and meet the requirement of necessity (processing should be limited to what is necessary to achieve the purpose of processing). On the other hand, the principle of good faith must be observed: personal information must not be processed by means of misleading, fraud, coercion or similar methods.

2. Clear and reasonable purpose

Compared with the “Second Review Draft”, the Personal Protection Law adds “adopting the method that has the least impact on personal rights and interests”; that is, the degree of impact on personal rights and interests becomes a criterion for judging whether the purpose is clear and reasonable. Processing should be directly related to the purpose and limited to the smallest scope needed to achieve it (the principle of minimum necessity: no excessive collection of personal information).

3. The principle of openness and transparency

This means that enterprises and organizations processing personal information should disclose how they handle users’ personal information, including the purpose, method and scope of processing.

4. Quality principle

Compared with the “Second Review Draft”, the Personal Protection Law adds the requirement of “guaranteeing the quality of personal information”. In concrete terms, to achieve the purpose of processing, enterprises and organizations should ensure that personal information is accurate and is updated in a timely manner when it changes.

5. Principle of security protection

Without guaranteed data security there can be no strong protection of data; security is the key prerequisite for protection. Enterprises and organizations are responsible for their personal information processing activities and should take the necessary measures to ensure the security of the personal information they process.

6. Principle of Prohibition of Unlawful Processing

The Personal Protection Law clearly lists eight “prohibited acts” and draws a clear red line for enterprises and individuals: no organization or individual may illegally collect, use, process or transmit other people’s personal information; may not illegally buy, sell, provide or disclose other people’s personal information; and may not engage in personal information processing activities that endanger national security or the public interest.

7. Principles of Common Governance

Personal information protection requires the cooperation and participation of individuals, enterprises, industry organizations and regulatory authorities. It is also necessary to strengthen publicity and education on personal information protection, so as to foster an environment in which the government, enterprises, relevant industry organizations and the public all participate in protecting personal information.

02 “Inform-Consent” is the core rule

China’s Personal Protection Law clarifies that “inform-consent” is the core rule (the core legal basis) of personal information protection in China. Where personal information is processed with “consent” as the legal basis, users must be given the right to withdraw that consent. This is very similar to the rules set by the GDPR.

Regarding how to inform, the Personal Protection Law clarifies that enterprises must not only truthfully, accurately and completely inform individuals of the matters related to the handling of their personal information (including the identity and contact information of the processor, the purpose and method of processing, the types of information, the retention period, and the ways and procedures for individuals to exercise their rights), but must also do so in a conspicuous, clear and understandable way. When important matters change, the individual’s consent must be obtained again; notification is not a “one-time” affair.

As for how to obtain consent, individuals must give voluntary and explicit consent on the premise of being “fully informed”; consent must not be forced, unequal, vague or unclear.

It is worth mentioning that this Personal Protection Law adds “necessary for human resources management” as one of the lawful bases for processing personal information. When relying on this basis, note that it is conditional: it applies only where “labor rules and regulations formulated in accordance with law” and “collective contracts concluded in accordance with law” are in place. What counts as “formulated in accordance with law” and “concluded in accordance with law” leaves employers practical and compliance space worth studying when handling employees’ personal information, and also raises further compliance requirements for such handling.

03 “Separate consent” is a special rule

At the same time, China’s Personal Protection Law also sets up special separate-consent rules for “special circumstances specified by laws, administrative regulations, etc.”.

Handling of sensitive personal information:

For example, when an enterprise handles sensitive personal information, in addition to informing users in the privacy policy of the specific types of sensitive personal information, the necessity of processing and the impact on individuals, and taking strict protection measures, it must also, when the specific scenario is triggered, inform the individual through means such as a separate pop-up window or a separate page, and obtain the individual’s separate and expressly valid consent. This cannot be “general consent” or “package consent/bundled authorization”, let alone “consent by default”.

Processing of children’s personal information:

For example, where an enterprise collects the personal information of minors under the age of 14, it must also obtain the consent of the minor’s parents or other guardians.

Circumstances of providing personal information to other personal information processors:

For example, where an enterprise provides or transfers personal information to third-party partners (other personal information processors), in addition to fulfilling its notification obligation to individuals (the Personal Protection Law sets statutory requirements for the content of the notification) and conducting a prior risk assessment, it must also obtain the individual’s separate consent.

The third-party partners who are the data recipients in the above cases must, in addition to processing the personal information within the scope notified to the individual by the transferring party, obtain the individual’s consent again if they change the original purpose or method of processing.

Installation of image capture and personal identification equipment in public places:

This is a new addition to the Personal Protection Law. It responds to the current situation in which many companies abuse cameras to collect personal information, especially facial recognition information, and it echoes the “Provisions on Several Issues Concerning the Application of Law in Civil Cases Related to the Processing of Personal Information by Facial Recognition Technology”.

Enterprises concerned should pay particular attention. When installing image capture and personal identification equipment, they should:

01

install it only where necessary to maintain public safety – restricted collection purpose;

02

comply with the relevant state regulations and also set up prominent prompt signs – clear notification method;

03

use the collected personal images and identification information only for the purpose of maintaining public safety and for no other purpose, unless the individual’s separate consent is obtained – restricted processing purpose. This point deserves particular attention.

Circumstances in which personal information is disclosed:

The Personal Protection Law clearly stipulates that, in principle, personal information shall not be disclosed, except with the individual’s separate consent.

It is worth noting that, for the use of publicly available personal information, China’s Personal Protection Law draws on overseas data protection regulations and also provides “opt-out” provisions:

01

for personal information that has been disclosed by the individuals themselves or that has otherwise been lawfully disclosed, the personal information processor may process it within a reasonable scope unless the individual expressly refuses;

02

for the processing of disclosed personal information that has a significant impact on personal rights and interests, the personal information processor must obtain the individual’s consent.

04 Notification exemptions as exceptions to the rule

This Personal Protection Law not only sets further detailed requirements on the content and form of notification, but also establishes two situations in which personal information processors are exempted from notification:

1. Exemption based on confidentiality obligations:

Where laws or administrative regulations require confidentiality or do not require notification, the personal information processor’s name (or personal name) and contact information need not be notified to individuals.

2. Exemption based on emergency situations:

Where, in an emergency, it is impossible to notify individuals in time in order to protect the life, health and property safety of natural persons, notification may be omitted, but individuals should be notified promptly once the emergency has been resolved.

05 Joint handling and joint liability rules

This Personal Protection Law formally defines the concept of joint processors (parties who jointly decide the purpose and method of processing personal information), which is also one of the new additions.

Unlike the EU GDPR and the previous personal information regulations, the Personal Protection Law does not conceptually distinguish between personal information controllers and processors. Instead, it clearly stipulates that where personal information is jointly processed and infringement of personal information rights and interests causes damage to individual data subjects, the joint processors shall bear joint and several liability in accordance with the law. This establishes that joint processors are jointly and severally liable to the personal data subject.

Enterprises should note that, in the case of joint processing, they should clearly agree with the third party on the rights and obligations of both parties through a contract, clarify their respective responsibilities, and require the third party to jointly meet the requirements of personal information security. Effective notification of personal data subjects is also required.

06 Automated decision-making should ensure transparency and fairness

Fairness and the empowered right to refuse

This may be the highlight of this Personal Protection Law that has received the most attention and the most heated discussion. It clarifies the regulation of automated decision-making that most users are concerned about: processors should “ensure the transparency of decision-making and the fairness and impartiality of results” and “should not apply unreasonable differential treatment to individuals in terms of transaction price and other transaction conditions”.

In the most common application scenarios for automated decision-making, namely “information push and commercial marketing”, enterprises are required to provide individuals with “options that are not tailored to their personal characteristics” or “a convenient way to refuse”.

In particular, for decisions that have a significant impact on users’ personal rights and interests, the law clearly grants the individual the right to request an explanation and the right to expressly refuse.

In practice, this article has attracted the attention of many companies involved in personalized recommendation, especially those in the precision advertising industry. I believe that further practical problems will arise in its application. From the most basic compliance perspective, however, companies can focus on the following basic compliance logic:

01

fully, comprehensively and clearly inform the user and obtain the user’s personal consent as the legal basis, ensuring that the consent is voluntary and clear;

02

when automated decision-making is used for information push or commercial advertising, provide users with a way to opt out and with an option not tailored to their personal characteristics;

03

where a decision with a significant impact on personal rights and interests is made solely through automated decision-making, guarantee the mechanism for realizing the user’s rights when the user requests an explanation or expressly refuses, and consider adding manual decision-making.

(2) Comparison of major overseas personal information protection laws:

The rules of personal information processing are a relatively complex matter for analysis. On the one hand, the data protection laws of different countries differ in their regulations: they not only define and classify special types of personal information differently, but also set different rules for them. On the other hand, in practical operation it is necessary to comprehensively consider specific business scenarios, preconditions and various other dimensions. Owing to limited space, the following table only briefly compares the definition and processing requirements of sensitive personal information and some special points. If there are any imperfections, please correct me.

In general

The specific rules for the processing of personal information deserve close attention in the data protection laws of each country. Most countries’ data protection laws and regulations set special processing rules for special types of data (for example, general personal information, sensitive personal information, health information and biometric information are classified separately, with different processing rules for each) in order to better protect the rights and interests of personal data subjects. These rules also serve as a compass and basis of judgment for enterprises, organizations and individuals in distinguishing compliance red lines when processing personal information.
