National Standard China Data Protection Law
What is the China National Standard Privacy Law?
China’s national standard Information Security Technology – Personal Information Security Specification (GB/T 35273-2017) took effect on 1 May 2018. It is a recommended standard that elaborates the personal information provisions of the Cybersecurity Law (CSL), and it changed the way many businesses collect, manage, and store personal data.
What is the definition of Personal Information?
Information, recorded electronically or otherwise, that can be used separately or in combination with other information to identify a particular natural person or to reflect that person’s activities.
Personal Information includes a person’s name, date of birth, ID number, personal biometric information, address, contact means, content of communication, account number and password, property information, credit information, whereabouts, residence, health and transaction information.
The Specification also recognizes the category of “personal sensitive information”: PI that, once leaked, illegally provided, or abused, can threaten personal or property security, or can easily cause reputational damage, physical or mental health damage, or discrimination. This category is subject to tighter restrictions on collection and processing, including explicit consent from the PI subject.
Personal sensitive information includes identity card numbers, biometric information, bank account numbers, communication records and contents, property information, credit information, location data, accommodation information, health and physiological information, transaction data, and the PI of children aged 14 or under.
Data Subject Rights
The Specification further clarifies the rights of personal information subjects, including the following:
Right to access
Personal information subjects have the right to access their personal information held by a personal information controller and to obtain confirmation from the controller of where and for what purpose it is being processed.
Right to rectification
When personal information subjects find that personal information held by a controller is incorrect or incomplete, they may request that the controller either rectify it or provide the means for the subject to rectify it themselves.
Right to erasure (also known as the “right to be forgotten”)
Personal information subjects have the right to request that the controller erase their personal information, cease further dissemination of it, and have third parties halt processing of it. This right applies if the controller terminates its products or services, or if the controller’s processing violates applicable laws and administrative regulations or exceeds the scope agreed with the subject.
Right to data portability
Upon the request of a personal information subject, the controller is required to provide the subject with a copy of the following personal information or, at the subject’s request and where technically feasible, transmit that copy to a third party:
Personal basic information and personal identity information
Personal health and physiological information and personal education information.
Personal information controllers should have internal policies in place to handle requests made by personal information subjects exercising these rights.
Requirements for PI controllers include:
a) PI controllers should establish privacy policies with contents including but not limited to:
- the basic information of the PI controller, including the registered name and address, the usual place of business, the contact details of a person in charge, etc.;
- the purposes of the collection and use of PI, and the business functions covered by each purpose, for example using PI to deliver commercial advertisements or to build user profiles;
- the PI collected respectively by each business function, the processing rules such as the manner and frequency of the PI collection, the storage location and the storage time limit, and the actual scope of the collection of PI;
- the purposes of sharing, transfer, and public disclosure of the PI, the types of the involved PI, the type of the third-party recipient, and the corresponding legal responsibilities;
- the basic principles followed for PI security, the data security capabilities, and the PI security measures taken;
- PI subjects’ rights and mechanisms to use them, such as the methods to access, correct, or delete data; to deactivate the account, to withdraw consent; to obtain a copy of the data; to restrain automated decision-making by the information system; etc.;
- the potential security risks of providing the PI, and the potential impact of not providing it;
- the channels and mechanism to handle requests and complaints by PI subjects, and the external organizations and contact details for dispute resolution.
What are the lawful bases for data processing?
7. Use of Personal Information
7.1 Personal Information Access Control Measures
Requirements for PI controllers include:
a) Internal data operations personnel authorized to access PI should, under the principle of minimum authorization, be able to access only the minimum amount of PI and hold only the minimum data operation privileges necessary to carry out their duties.
b) Set up internal approval processes for important PI operations such as batch modification, copying, and download.
c) Security managers, data operators, and auditors should be separate personnel roles.
d) If work requirements make it truly necessary to authorize specific personnel to process PI beyond their normal privileges, the person responsible for PI protection or the PI protection work organization should assess and approve the request and keep a record of it.
e) For access to, modification of, or other actions on personal sensitive information, operational authorization should be triggered by business process requirements on top of role-based privilege control. For example, personnel handling user complaints should be able to access a given customer’s information only while processing that customer’s complaint.
What are the penalties?
The Specification itself is a recommended national standard and carries no penalties of its own; enforcement comes under the Cybersecurity Law (CSL), whose personal information provisions the Specification elaborates. Companies that violate the CSL can face fines of between 50,000 and 500,000 RMB (roughly 7,500 to 75,000 USD), suspension of their website, and revocation of business licenses or permits. Personnel directly in charge can receive individual fines of between 10,000 and 100,000 RMB (roughly 1,500 to 15,000 USD), and for certain provisions directly responsible personnel are subject to administrative detention of 5 to 15 days. These monetary fines are significantly smaller than those of the GDPR, though the GDPR provides for neither detention nor fines aimed at individual managers.
Relentless: Your China National Standard Partner
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor-made approach, we work with our clients to execute each project to their specific needs and help maximize the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.
Relentless China National Standards Service What's Included?
Our China National Standard Service Includes the Following
- National Standard Data Assessment
- Dedicated DPO
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Risk Assessments
- Data Breach Support
The GDPR also introduced new accountability and transparency requirements, meaning that controllers must be able to show that they have a lawful basis for each processing operation, and must inform individuals which lawful basis is being relied upon. Furthermore, under the GDPR the interpretation of legitimate interests is broader, encompassing the interests of any third party, including wider societal benefits.