Personal Information Protection Law of the People's Republic of China
Document Number:Order No. 91 of the President of the People's Republic of China
Area of Law: Personal Rights Crimes of Infringing upon Rights of the Person and the Democratic Rights of Citizens
Level of Authority: Laws
Issuing Authority: Standing Committee of the National People's Congress
Date Issued:08-20-2021
Effective Date:11-01-2021
Status: Effective
Topic: Artificial Intelligence
中华人民共和国主席令
Order of the President of the People's Republic of China
(第九十一号)
(No. 91)
《中华人民共和国个人信息保护法》已由中华人民共和国第十三届全国人民代表大会常务委员会第三十次会议于2021年8月20日通过,现予公布,自2021年11月1日起施行。
The Personal Information Protection Law of the People's Republic of China, as adopted at the 30th session of the Standing Committee of the Thirteenth National People's Congress of the People's Republic of China on August 20, 2021, is hereby issued, and shall come into force on November 1, 2021.
中华人民共和国主席 习近平
Xi Jinping, President of the People's Republic of China
2021年8月20日
August 20, 2021
中华人民共和国个人信息保护法
Personal Information Protection Law of the People's Republic of China
(2021年8月20日第十三届全国人民代表大会常务委员会第三十次会议通过)
(Adopted at the 30th session of the Standing Committee of the Thirteenth National People's Congress on August 20, 2021)
目 录
Contents
第一章 总 则
Chapter I General Provisions
第二章 个人信息处理规则
Chapter II Personal Information Processing Rules
第一节 一般规定
Section 1 General Rules
第二节 敏感个人信息的处理规则
Section 2 Rules of Processing of Sensitive Personal Information
第三节 国家机关处理个人信息的特别规定
Section 3 Specific Provisions on the Processing of Personal Information by State Organs
第三章 个人信息跨境提供的规则
Chapter III Rules of Cross-Border Provision of Personal Information
第四章 个人在个人信息处理活动中的权利
Chapter IV Individuals' Rights in Personal Information Processing Activities
第五章 个人信息处理者的义务
Chapter V Obligations of Personal Information Processors
第六章 履行个人信息保护职责的部门
Chapter VI Authorities Performing Personal Information Protection Functions
第七章 法律责任
Chapter VII Legal Liability
第八章 附 则
Chapter VIII Supplemental Provisions
第一条 为了保护个人信息权益,规范个人信息处理活动,促进个人信息合理利用,根据宪法,制定本法。
Article 1 This Law is enacted in accordance with the Constitution for the purposes of protecting rights and interests relating to personal information, regulating personal information processing activities, and promoting the reasonable use of personal information.
第二条 自然人的个人信息受法律保护,任何组织、个人不得侵害自然人的个人信息权益。
Article 2 The personal information of natural persons shall be protected by law. No organization or individual may infringe upon natural persons' rights and interests relating to personal information.
第三条 在中华人民共和国境内处理自然人个人信息的活动,适用本法。
Article 3 This Law shall apply to the processing within the territory of the People's Republic of China of the personal information of natural persons.
在中华人民共和国境外处理中华人民共和国境内自然人个人信息的活动,有下列情形之一的,也适用本法:
(1) for the purpose of providing products or services to natural persons located within China;
(2) to analyze or assess the conduct of natural persons located within China; or
(3) under any other circumstance as provided by any law or administrative regulation.
第四条 个人信息是以电子或者其他方式记录的与已识别或者可识别的自然人有关的各种信息,不包括匿名化处理后的信息。
Article 4 “Personal information” means all kinds of information related to identified or identifiable natural persons that are electronically or otherwise recorded, excluding information that has been anonymized.
个人信息的处理包括个人信息的收集、存储、使用、加工、传输、提供、公开、删除等。
第五条 处理个人信息应当遵循合法、正当、必要和诚信原则,不得通过误导、欺诈、胁迫等方式处理个人信息。
Article 5 Personal information shall be processed under the principles of lawfulness, legitimacy, necessity and good faith, and shall not be processed in a way that is misleading, fraudulent or coercive.
第六条 处理个人信息应当具有明确、合理的目的,并应当与处理目的直接相关,采取对个人权益影响最小的方式。
Article 6 Personal information processing shall be for a clear and reasonable purpose, directly related to the processing purpose and in a manner that has the minimum impact on the rights and interests of individuals.
收集个人信息,应当限于实现处理目的的最小范围,不得过度收集个人信息。
第七条 处理个人信息应当遵循公开、透明原则,公开个人信息处理规则,明示处理的目的、方式和范围。
Article 7 Personal information shall be processed under the principles of openness and transparency, with the rules of processing of personal information disclosed, and the purposes, methods, and scope of processing expressly stated.
第八条 处理个人信息应当保证个人信息的质量,避免因个人信息不准确、不完整对个人权益造成不利影响。
Article 8 The quality of personal information shall be guaranteed in the processing of personal information to avoid adverse impacts on the rights and interests of individuals due to inaccuracy or incompleteness of the personal information.
第九条 个人信息处理者应当对其个人信息处理活动负责,并采取必要措施保障所处理的个人信息的安全。
Article 9 Personal information processors shall be responsible for their personal information processing activities, and take necessary measures to guarantee the security of the personal information they process.
第十条 任何组织、个人不得非法收集、使用、加工、传输他人个人信息,不得非法买卖、提供或者公开他人个人信息;不得从事危害国家安全、公共利益的个人信息处理活动。
Article 10 No organization or individual may illegally collect, use, process, or transmit the personal information of another person or illegally buy or sell, provide, or disclose the personal information of another person; or engage in personal information processing activities compromising national security or public interests.
第十一条 国家建立健全个人信息保护制度,预防和惩治侵害个人信息权益的行为,加强个人信息保护宣传教育,推动形成政府、企业、相关社会组织、公众共同参与个人信息保护的良好环境。
Article 11 The state shall establish and improve the personal information protection system to prevent and punish infringements of rights and interests relating to personal information, strengthen publicity and education on personal information protection, and promote the creation of a favorable environment for the government, enterprises, relevant social organizations, and the public to jointly participate in personal information protection.
第十二条 国家积极参与个人信息保护国际规则的制定,促进个人信息保护方面的国际交流与合作,推动与其他国家、地区、国际组织之间的个人信息保护规则、标准等互认。
Article 12 The state shall vigorously participate in the development of international rules of personal information protection, boost international exchange and cooperation in terms of personal information protection, and promote the mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Chapter II Personal Information Processing Rules
第十三条 符合下列情形之一的,个人信息处理者方可处理个人信息:
Article 13 A personal information processor may not process personal information unless:
(1) the individual's consent has been obtained;
(二)为订立、履行个人作为一方当事人的合同所必需,或者按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理所必需;
(3) the processing is necessary to fulfill statutory functions or statutory obligations;
(四)为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康和财产安全所必需;
(五)为公共利益实施新闻报道、舆论监督等行为,在合理的范围内处理个人信息;
(六)依照本法规定在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;
(7) under any other circumstance as provided by any law or administrative regulation.
依照本法其他有关规定,处理个人信息应当取得个人同意,但是有前款第二项至第七项规定情形的,不需取得个人同意。
第十四条 基于个人同意处理个人信息的,该同意应当由个人在充分知情的前提下自愿、明确作出。法律、行政法规规定处理个人信息应当取得个人单独同意或者书面同意的,从其规定。
Article 14 Where personal information is processed based on an individual's consent, such consent shall be voluntarily and explicitly given by the individual on a fully informed basis. Where any law or administrative regulation provides that the individual's separate consent or written consent shall be obtained for processing personal information, such provision shall prevail.
个人信息的处理目的、处理方式和处理的个人信息种类发生变更的,应当重新取得个人同意。
第十五条 基于个人同意处理个人信息的,个人有权撤回其同意。个人信息处理者应当提供便捷的撤回同意的方式。
Article 15 Where personal information is processed based on an individual's consent, the individual shall have the right to withdraw his or her consent. The personal information processor shall provide a convenient way to withdraw the consent.
个人撤回同意,不影响撤回前基于个人同意已进行的个人信息处理活动的效力。
第十六条 个人信息处理者不得以个人不同意处理其个人信息或者撤回同意为由,拒绝提供产品或者服务;处理个人信息属于提供产品或者服务所必需的除外。
Article 16 A personal information processor shall not refuse to provide products or services on the ground that the relevant individual does not consent to the processing of his or her personal information or withdraws consent, except that the processing of personal information is necessary for the provision of products or services.
第十七条 个人信息处理者在处理个人信息前,应当以显著方式、清晰易懂的语言真实、准确、完整地向个人告知下列事项:
Article 17 A personal information processor shall, before processing personal information, truthfully, accurately and completely notify individuals of the following matters in a conspicuous way and in clear and easily understood language:
(1) The name and contact information of the personal information processor.
(二)个人信息的处理目的、处理方式,处理的个人信息种类、保存期限;
(3) Methods and procedures for individuals to exercise the rights provided in this Law.
(4) Other matters that should be notified as provided by laws and administrative regulations.
个人信息处理者通过制定个人信息处理规则的方式告知第一款规定事项的,处理规则应当公开,并且便于查阅和保存。
第十八条 个人信息处理者处理个人信息,有法律、行政法规规定应当保密或者不需要告知的情形的,可以不向个人告知前条第一款规定的事项。
Article 18 Personal information processors processing personal information are not required to notify individuals of the matters as set forth in paragraph 1 of the preceding article if there are circumstances in which laws or administrative regulations provide that such processing shall be kept confidential or notification is not necessary.
紧急情况下为保护自然人的生命健康和财产安全无法及时向个人告知的,个人信息处理者应当在紧急情况消除后及时告知。
第十九条 除法律、行政法规另有规定外,个人信息的保存期限应当为实现处理目的所必要的最短时间。
Article 19 A retention period of personal information shall be the shortest time necessary to achieve the processing purpose, except as otherwise provided by any law or administrative regulation.
第二十条 两个以上的个人信息处理者共同决定个人信息的处理目的和处理方式的,应当约定各自的权利和义务。但是,该约定不影响个人向其中任何一个个人信息处理者要求行使本法规定的权利。
Article 20 Where two or more personal information processors jointly decide on the purposes and methods of processing of personal information, they shall agree on their respective rights and obligations. However, such agreement does not affect an individual's request to any of the said personal information processors for exercising his or her rights as provided in this Law.
个人信息处理者共同处理个人信息,侵害个人信息权益造成损害的,应当依法承担连带责任。
第二十一条 个人信息处理者委托处理个人信息的,应当与受托人约定委托处理的目的、期限、处理方式、个人信息的种类、保护措施以及双方的权利和义务等,并对受托人的个人信息处理活动进行监督。
Article 21 A personal information processor commissioning the processing of personal information shall agree with the commissioned party on the purposes and period of the commissioned processing, processing methods, categories of personal information, protection measures, as well as the rights and obligations of both parties, among others, and oversee the personal information processing activities of the commissioned party.
受托人应当按照约定处理个人信息,不得超出约定的处理目的、处理方式等处理个人信息;委托合同不生效、无效、被撤销或者终止的,受托人应当将个人信息返还个人信息处理者或者予以删除,不得保留。
第二十二条 个人信息处理者因合并、分立、解散、被宣告破产等原因需要转移个人信息的,应当向个人告知接收方的名称或者姓名和联系方式。接收方应当继续履行个人信息处理者的义务。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。
Article 22 Where a personal information processor needs to transfer personal information due to combination, division, dissolution or declaration of bankruptcy, among others, it or he shall notify individuals of the name and contact information of the recipient. The recipient shall continue to perform the obligations of the personal information processor. If the recipient changes the original purposes or methods of processing, it or he shall obtain the individuals' consent anew in accordance with this Law.
第二十三条 个人信息处理者向其他个人信息处理者提供其处理的个人信息的,应当向个人告知接收方的名称或者姓名、联系方式、处理目的、处理方式和个人信息的种类,并取得个人的单独同意。接收方应当在上述处理目的、处理方式和个人信息的种类等范围内处理个人信息。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。
Article 23 A personal information processor that provides any other personal information processor with the personal information it or he processes shall notify individuals of the recipient's name, contact information, purposes and methods of processing, and categories of personal information, and obtain the individuals' separate consent. The recipient shall process personal information within the scope of the aforementioned purposes and methods of processing, and categories of personal information, among others. Where the recipient changes the original purposes or methods of processing, it or he shall obtain individuals' consent anew in accordance with this Law.
第二十四条 个人信息处理者利用个人信息进行自动化决策,应当保证决策的透明度和结果公平、公正,不得对个人在交易价格等交易条件上实行不合理的差别待遇。
Article 24 Where a personal information processor conducts automated decision-making by using personal information, it or he shall ensure the transparency of the decision-making and the fairness and impartiality of the result, and shall not give unreasonable differential treatment to individuals in terms of trading price or other trading conditions.
通过自动化决策方式向个人进行信息推送、商业营销,应当同时提供不针对其个人特征的选项,或者向个人提供便捷的拒绝方式。
通过自动化决策方式作出对个人权益有重大影响的决定,个人有权要求个人信息处理者予以说明,并有权拒绝个人信息处理者仅通过自动化决策的方式作出决定。
第二十五条 个人信息处理者不得公开其处理的个人信息,取得个人单独同意的除外。
Article 25 Personal information processors shall not disclose the personal information processed, except with the separate consent of the individuals.
第二十六条 在公共场所安装图像采集、个人身份识别设备,应当为维护公共安全所必需,遵守国家有关规定,并设置显著的提示标识。所收集的个人图像、身份识别信息只能用于维护公共安全的目的,不得用于其他目的;取得个人单独同意的除外。
Article 26 The installation of image collection or personal identification equipment in public places shall be necessary for maintaining public security and comply with relevant provisions issued by the state, and conspicuous signs shall be erected. The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals.
第二十七条 个人信息处理者可以在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;个人明确拒绝的除外。个人信息处理者处理已公开的个人信息,对个人权益有重大影响的,应当依照本法规定取得个人同意。
Article 27 A personal information processor may process within a reasonable scope the personal information that has been disclosed by an individual himself or herself or other personal information that has been legally disclosed, except that the individual has expressly refused. A personal information processor shall obtain consent from an individual in accordance with the provisions of this Law if the processing of the disclosed personal information of the individual has a major impact on the individual's rights and interests.
Section 2 Rules of Processing of Sensitive Personal Information
第二十八条 敏感个人信息是一旦泄露或者非法使用,容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的个人信息,包括生物识别、宗教信仰、特定身份、医疗健康、金融账户、行踪轨迹等信息,以及不满十四周岁未成年人的个人信息。
Article 28 “Sensitive personal information” means the personal information of which the leakage or illegal use could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.
只有在具有特定的目的和充分的必要性,并采取严格保护措施的情形下,个人信息处理者方可处理敏感个人信息。
第二十九条 处理敏感个人信息应当取得个人的单独同意;法律、行政法规规定处理敏感个人信息应当取得书面同意的,从其规定。
Article 29 An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail.
第三十条 个人信息处理者处理敏感个人信息的,除本法第十七条第一款规定的事项外,还应当向个人告知处理敏感个人信息的必要性以及对个人权益的影响;依照本法规定可以不向个人告知的除外。
Article 30 To process sensitive personal information, personal information processors shall, in addition to the matters specified in paragraph 1 of Article 17 of this Law, notify individuals of the necessity of the processing of sensitive personal information and the impacts on individuals' rights and interests, except that it is not required by this Law to so notify.
第三十一条 个人信息处理者处理不满十四周岁未成年人个人信息的,应当取得未成年人的父母或者其他监护人的同意。
Article 31 Where a personal information processor processes the personal information of a minor under the age of fourteen, it or he shall obtain the consent of the minor's parents or other guardians.
个人信息处理者处理不满十四周岁未成年人个人信息的,应当制定专门的个人信息处理规则。
第三十二条 法律、行政法规对处理敏感个人信息规定应当取得相关行政许可或者作出其他限制的,从其规定。
Article 32 Where any law or administrative regulation provides that the processing of sensitive person information shall be subject to relevant administrative licensing or other restrictions, such provision shall prevail.
Section 3 Specific Provisions on the Processing of Personal Information by State Organs
第三十三条 国家机关处理个人信息的活动,适用本法;本节有特别规定的,适用本节规定。
Article 33 This Law shall apply to the processing of personal information by state organs. Where there are any special provisions in this Section, such provisions shall prevail.
第三十四条 国家机关为履行法定职责处理个人信息,应当依照法律、行政法规规定的权限、程序进行,不得超出履行法定职责所必需的范围和限度。
Article 34 The processing of personal information by state organs to fulfill their statutory functions shall be carried out in accordance with the authority and procedures provided in laws and administrative regulations, and shall not exceed the scope and limits necessary for the fulfillment of their statutory functions.
第三十五条 国家机关为履行法定职责处理个人信息,应当依照本法规定履行告知义务;有本法第十八条第一款规定的情形,或者告知将妨碍国家机关履行法定职责的除外。
Article 35 State organs processing personal information to fulfill their statutory functions shall fulfill the obligation of notification in accordance with the provisions of this Law, except that there is any circumstance as prescribed in paragraph 1 of Article 18 of this Law or notification will hinder state organs' fulfillment of their statutory functions.
第三十六条 国家机关处理的个人信息应当在中华人民共和国境内存储;确需向境外提供的,应当进行安全评估。安全评估可以要求有关部门提供支持与协助。
Article 36 Personal information processed by state organs shall be stored within the territory of the People's Republic of China; and where it is necessary to provide such information to an overseas recipient, security assessment shall be conducted. Relevant departments may be required to provide support and assistance for security assessment.
第三十七条 法律、法规授权的具有管理公共事务职能的组织为履行法定职责处理个人信息,适用本法关于国家机关处理个人信息的规定。
Article 37 Where organizations that are authorized by laws and regulations to exercise the power of administering public affairs process personal information to fulfill their statutory functions, the provisions of this Law on the processing of personal information by state organs shall apply.
Chapter III Rules of Cross-Border Provision of Personal Information
第三十八条 个人信息处理者因业务等需要,确需向中华人民共和国境外提供个人信息的,应当具备下列条件之一:
Article 38 Where a personal information processor truly needs to provide personal information to any party outside the territory of the People's Republic of China for business or other needs, it or he shall meet any of the following conditions:
(一)依照本法第四十条的规定通过国家网信部门组织的安全评估;
(二)按照国家网信部门的规定经专业机构进行个人信息保护认证;
(三)按照国家网信部门制定的标准合同与境外接收方订立合同,约定双方的权利和义务;
中华人民共和国缔结或者参加的国际条约、协定对向中华人民共和国境外提供个人信息的条件等有规定的,可以按照其规定执行。
个人信息处理者应当采取必要措施,保障境外接收方处理个人信息的活动达到本法规定的个人信息保护标准。
第三十九条 个人信息处理者向中华人民共和国境外提供个人信息的,应当向个人告知境外接收方的名称或者姓名、联系方式、处理目的、处理方式、个人信息的种类以及个人向境外接收方行使本法规定权利的方式和程序等事项,并取得个人的单独同意。
Article 39 Where a personal information processor provides personal information to any party outside the territory of the People's Republic of China, it or he shall notify individuals of the overseas recipient's name and contact information, purposes and methods of processing, categories of personal information, the methods and procedures for individuals' exercise of the rights provided in this Law over the overseas recipient, and other matters, and obtain individuals' separate consent.
第四十条 关键信息基础设施运营者和处理个人信息达到国家网信部门规定数量的个人信息处理者,应当将在中华人民共和国境内收集和产生的个人信息存储在境内。确需向境外提供的,应当通过国家网信部门组织的安全评估;法律、行政法规和国家网信部门规定可以不进行安全评估的,从其规定。
Article 40 Critical information infrastructure operators and the personal information processors that process the personal information reaching the threshold specified by the national cyberspace administration in terms of quantity shall store domestically the personal information collected and generated within the territory of the People's Republic of China. Where it is truly necessary to provide the information to an overseas recipient, the security assessment organized by the national cyberspace administration shall be passed. Where laws, administrative regulations, or provisions issued by the national cyberspace administration provide that security assessment is not required, such provisions shall prevail.
第四十一条 中华人民共和国主管机关根据有关法律和中华人民共和国缔结或者参加的国际条约、协定,或者按照平等互惠原则,处理外国司法或者执法机构关于提供存储于境内个人信息的请求。非经中华人民共和国主管机关批准,个人信息处理者不得向外国司法或者执法机构提供存储于中华人民共和国境内的个人信息。
Article 41 The competent authority of the People's Republic of China shall process a request for personal information stored within the territory of the People's Republic of China from a foreign judicial or law enforcement authority in accordance with applicable laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or under the principle of equality and reciprocity. Without the approval of the competent authority of the People's Republic of China, a personal information processor shall not provide personal information stored within the territory of the People's Republic of China to any foreign judicial or law enforcement authority.
第四十二条 境外的组织、个人从事侵害中华人民共和国公民的个人信息权益,或者危害中华人民共和国国家安全、公共利益的个人信息处理活动的,国家网信部门可以将其列入限制或者禁止个人信息提供清单,予以公告,并采取限制或者禁止向其提供个人信息等措施。
Article 42 Where an overseas organization or individual engages in personal information processing activities that infringe upon the rights and interests relating to personal information of citizens of the People's Republic of China or compromise national security or public interests of the People's Republic of China, the national cyberspace administration may include it or him in a list of those the provision of personal information to whom is restricted or prohibited, make an announcement, and take measures such as restricting or prohibiting the provision of personal information to it or him.
第四十三条 任何国家或者地区在个人信息保护方面对中华人民共和国采取歧视性的禁止、限制或者其他类似措施的,中华人民共和国可以根据实际情况对该国家或者地区对等采取措施。
Article 43 Where any country or region adopts any prohibitive, restrictive or other similar discriminatory measures against the People's Republic of China in terms of personal information protection, the People's Republic of China may take reciprocal measures against the aforesaid country or region in accordance with the actual circumstances.
Chapter IV Individuals' Rights in Personal Information Processing Activities
第四十四条 个人对其个人信息的处理享有知情权、决定权,有权限制或者拒绝他人对其个人信息进行处理;法律、行政法规另有规定的除外。
Article 44 Individuals shall have the right to know and the right to decide on the processing of their personal information, and have the right to restrict or refuse the processing of their personal information by others, except as otherwise provided by any law or administrative regulation.
第四十五条 个人有权向个人信息处理者查阅、复制其个人信息;有本法第十八条第一款、第三十五条规定情形的除外。
Article 45 Individuals shall have the right to consult and duplicate their personal information from personal information processors, except under circumstances as set out in paragraph 1 of Article 18 or Article 35 of this Law.
个人请求查阅、复制其个人信息的,个人信息处理者应当及时提供。
个人请求将个人信息转移至其指定的个人信息处理者,符合国家网信部门规定条件的,个人信息处理者应当提供转移的途径。
第四十六条 个人发现其个人信息不准确或者不完整的,有权请求个人信息处理者更正、补充。
Article 46 Where individuals discover that their personal information is incorrect or incomplete, they shall have the right to request personal information processors to correct or supplement relevant information.
个人请求更正、补充其个人信息的,个人信息处理者应当对其个人信息予以核实,并及时更正、补充。
第四十七条 有下列情形之一的,个人信息处理者应当主动删除个人信息;个人信息处理者未删除的,个人有权请求删除:
Article 47 Under any of the following circumstances, a personal information processor shall voluntarily delete an individual's personal information; and, if the personal information processor fails to delete such information, the individual shall have the right to request it or him to do so:
(二)个人信息处理者停止提供产品或者服务,或者保存期限已届满;
(3) The individual withdraws consent.
(四)个人信息处理者违反法律、行政法规或者违反约定处理个人信息;
(5) Other circumstances as provided by laws and administrative regulations.
法律、行政法规规定的保存期限未届满,或者删除个人信息从技术上难以实现的,个人信息处理者应当停止除存储和采取必要的安全保护措施之外的处理。
第四十八条 个人有权要求个人信息处理者对其个人信息处理规则进行解释说明。
Article 48 Individuals shall have the right to request personal information processors to explain their personal information processing rules.
第四十九条 自然人死亡的,其近亲属为了自身的合法、正当利益,可以对死者的相关个人信息行使本章规定的查阅、复制、更正、删除等权利;死者生前另有安排的除外。
Article 49 Where a natural person dies, his or her close relatives may, for their own lawful and legitimate rights and interests, exercise the rights to consult, duplicate, correct and delete the relevant personal information of the deceased, except as otherwise arranged by the deceased before his or her death.
第五十条 个人信息处理者应当建立便捷的个人行使权利的申请受理和处理机制。拒绝个人行使权利的请求的,应当说明理由。
Article 50 Personal information processors shall establish convenient mechanisms for accepting and handling individuals' applications for exercising their rights. If an individual's request for exercising his or her rights is rejected, the reasons therefor shall be given.
个人信息处理者拒绝个人行使权利的请求的,个人可以依法向人民法院提起诉讼。
Chapter V Obligations of Personal Information Processors
第五十一条 个人信息处理者应当根据个人信息的处理目的、处理方式、个人信息的种类以及对个人权益的影响、可能存在的安全风险等,采取下列措施确保个人信息处理活动符合法律、行政法规的规定,并防止未经授权的访问以及个人信息泄露、篡改、丢失:
Article 51 Personal information processors shall, on the basis of the purposes and methods of processing of personal information, categories of personal information, the impacts on individuals' rights and interests, and potential security risks, take the following measures to ensure that personal information processing activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access to as well as the leakage, tampering or loss of personal information:
(1) Developing internal management rules and operating procedures.
(2) Conducting classified management of personal information.
(3) Taking corresponding security technical measures such as encryption and de-identification.
(四)合理确定个人信息处理的操作权限,并定期对从业人员进行安全教育和培训;
(6) Other measures as provided by laws and administrative regulations.
第五十二条 处理个人信息达到国家网信部门规定数量的个人信息处理者应当指定个人信息保护负责人,负责对个人信息处理活动以及采取的保护措施等进行监督。
Article 52 A personal information processor that processes the personal information reaching the threshold specified by the national cyberspace administration in terms of quantity shall appoint a person in charge of personal information protection to be responsible for overseeing personal information processing activities as well as the protection measures taken, among others.
个人信息处理者应当公开个人信息保护负责人的联系方式,并将个人信息保护负责人的姓名、联系方式等报送履行个人信息保护职责的部门。
第五十三条 本法第三条第二款规定的中华人民共和国境外的个人信息处理者,应当在中华人民共和国境内设立专门机构或者指定代表,负责处理个人信息保护相关事务,并将有关机构的名称或者代表的姓名、联系方式等报送履行个人信息保护职责的部门。
Article 53 Personal information processors outside the territory of the People's Republic of China as provided in paragraph 2 of Article 3 of this Law shall establish special institutions or designate representatives within the territory of the People's Republic of China to handle affairs relating to personal information protection, and submit the names of relevant institutions or the names and contact information of representatives to the authorities performing personal information protection functions.
第五十四条 个人信息处理者应当定期对其处理个人信息遵守法律、行政法规的情况进行合规审计。
Article 54 Personal information processors shall audit on a regular basis the compliance of their processing of personal information with laws and administrative regulations.
第五十五条 有下列情形之一的,个人信息处理者应当事前进行个人信息保护影响评估,并对处理情况进行记录:
Article 55 Under any of the following circumstances, personal information processors shall conduct personal information protection impact assessment in advance, and record the processing information:
(1) Processing sensitive personal information.
(2) Using personal information to conduct automated decision-making.
(三)委托处理个人信息、向其他个人信息处理者提供个人信息、公开个人信息;
(4) Providing personal information to an overseas recipient.
Article 56 The personal information protection impact assessment shall include the following:
(2) The impacts on individuals' rights and interests and security risks.
第五十七条 发生或者可能发生个人信息泄露、篡改、丢失的,个人信息处理者应当立即采取补救措施,并通知履行个人信息保护职责的部门和个人。通知应当包括下列事项:
Article 57 Where leakage, tampering or loss of personal information occurs or may occur, a personal information processor shall immediately take remedial measures, and notify the authority performing personal information protection functions and the relevant individuals. The notice shall include the following matters:
(一)发生或者可能发生个人信息泄露、篡改、丢失的信息种类、原因和可能造成的危害;
(二)个人信息处理者采取的补救措施和个人可以采取的减轻危害的措施;
(3) The contact information of the personal information processor.
个人信息处理者采取措施能够有效避免信息泄露、篡改、丢失造成危害的,个人信息处理者可以不通知个人;履行个人信息保护职责的部门认为可能造成危害的,有权要求个人信息处理者通知个人。
第五十八条 提供重要互联网平台服务、用户数量巨大、业务类型复杂的个人信息处理者,应当履行下列义务:
Article 58 Personal information processors that provide important Internet platform services involving a huge number of users and complicated business types shall perform the following obligations:
(一)按照国家规定建立健全个人信息保护合规制度体系,成立主要由外部成员组成的独立机构对个人信息保护情况进行监督;
(二)遵循公开、公平、公正的原则,制定平台规则,明确平台内产品或者服务提供者处理个人信息的规范和保护个人信息的义务;
(三)对严重违反法律、行政法规处理个人信息的平台内的产品或者服务提供者,停止提供服务;
第五十九条 接受委托处理个人信息的受托人,应当依照本法和有关法律、行政法规的规定,采取必要措施保障所处理的个人信息的安全,并协助个人信息处理者履行本法规定的义务。
Article 59 The parties that are commissioned to process personal information shall, in accordance with the provisions of this Law and applicable laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist personal information processors in fulfilling the obligations specified in this Law.
Chapter VI Authorities Performing Personal Information Protection Functions
第六十条 国家网信部门负责统筹协调个人信息保护工作和相关监督管理工作。国务院有关部门依照本法和有关法律、行政法规的规定,在各自职责范围内负责个人信息保护和监督管理工作。
Article 60 The national cyberspace administration shall be responsible for the overall planning and coordination of personal information protection work and related supervision and administration. Relevant departments of the State Council shall, in accordance with this Law and applicable laws and administrative regulations, be responsible for personal information protection and the supervision and administration thereof within the scope of their respective functions.
县级以上地方人民政府有关部门的个人信息保护和监督管理职责,按照国家有关规定确定。
第六十一条 履行个人信息保护职责的部门履行下列个人信息保护职责:
Article 61 Authorities performing personal information protection functions shall perform the following personal information protection functions:
(一)开展个人信息保护宣传教育,指导、监督个人信息处理者开展个人信息保护工作;
(2) Accepting and processing complaints and reports relating to personal information protection.
