Employees’ Personal Information Management under PRC Personal Information Protection Law

A. Introduction

With the rapid development of technology and the digital economy, data protection has been attached with more and more importance and we have seen a number of legislative developments in this space in China in recent years. As the first law targeted at regulating the area of personal information protection in the People’s Republic of China (“PRC”), the PRC Personal Protection Law (“PIPL”) was passed by the Standing Committee of the PRC People’s Congress in August 2020 and came into effect on 1 November 2021. PIPL, together with the PRC Cyber Security Law (effective on 1 June 2017), and the PRC Data Security Law (effective on 1 September 2021), collectively constitute the three fundamental and framework laws regulating cybersecurity and data security protection in PRC.

PIPL does not only apply to PI processing activities within PRC, but also overseas PI processing activities if it is for the purpose of providing products or services to natural persons in PRC, or analyzing and assessing the behaviors of natural persons in PRC. With the PIPL coming into force, it comes into play in employment-related scenarios where employers deal with personal information of employees in the entire lifecycle of employee management. It is also anticipated that employees will have growing awareness of protecting their personal information rights. Therefore, the employers may need to upgrade relevant HR operations as necessary to comply with the requirements set out by the PIPL.

In this article, we will introduce the main contents of PIPL and its key implications to the area of employment, together with suggestions for employers in processing employees’ personal information.

B. Main contents of the PIPL

The newly enacted PIPL sets up comprehensive and systematic rules on the processing and protection of personal information. Below please find a summary of the main contents.

1. What is Personal Information

According to the PIPL, “Personal information” (“PI”) refers to all kinds of information related to identified or identifiable natural persons that are electronically or otherwise recorded, excluding information that has been anonymized. In the employment-related scenarios, employee’s PI includes but is not limited to his or her names, date of birth, identification number, residential addresses, phone numbers, email addresses, etc.

The PIPL also defines certain personal information as “sensitive personal information” (“Sensitive PI”), of which processing is subject to stricter regulations. Sensitive PI refers to the personal information, if being leaked or used illegally, may easily cause harm to the dignity of natural persons, or serious damage to the safety of individuals and properties, including information relating to biometric identification, religious beliefs, specific identities, healthcare, financial account, individual location tracking, etc., and personal information of minors under the age of 14.

2. What is Processing and what are the principles of PI processing

The processing of PI includes but is not limited to collection, storage, use, handling, transmission, provision, disclosure, and deletion of PI. The key principles set by the PIPL of processing PI are as follows:-

Lawful, Transparent, Accurate, and Secured: PI shall be processed in accordance with the principles of legality, legitimacy, necessity, good faith, openness, and transparency. In addition, the quality and security of PI shall be guaranteed in the processing of PI;
With Specified Purpose: PI shall be processed for a specified and reasonable purpose. The processing shall be directly relevant to the processing purpose and in a manner that has the minimum impact on personal rights and interests;
Minimized Collection: The collection of Personal Data shall be limited to the minimum scope necessary for achieving the processing purpose and shall not be excessive;
With Limited Retention Period: The retention period of personal information shall be the shortest time necessary for achieving the processing purpose, except as otherwise provided by any law or administrative regulation.

3. Rules of PI processing

The PIPL sets out specific requirements in terms of legal grounds for PI processing (individuals’ consents as the principal legal ground), rules for processing Sensitive PI, consent requirements, sharing PI with third parties, PI cross-border transfer, PI retention, etc. We will explore the specific requirements and implications in the employment-related scenarios in the section of Management and Protection of Employees’ PI.

4. Legal Liabilities

PI processors who violate the PIPL regarding their PI processing will be subject to the following legal liabilities:-

Civil liabilities: Presumption of Fault & Public Interest Lawsuit

Individuals can file lawsuits against PI processors according to the PRC Civil Code claiming infringement on PI. As provided by the PIPL, the burden of proof for such cases is on the PI processor to prove that it is not at fault. Otherwise, the PI processor shall be liable for damages and other civil liabilities.

In addition to civil lawsuits filed by individuals, where PI processors violate the requirements under the PIPL during PI processing and infringe the rights and interests of multiple individuals, the People’s Procuratorate, consumer organizations prescribed by the laws and organizations determined by the state cyberspace authorities may file lawsuits.

Administrative Liabilities: Huge amount of fines for violations & liabilities for responsible person

Competent PI protection authorities can also issue orders for rectification, warnings, and confiscate unlawful income against PI processors for violations of PIPL. In the case of failure to rectification, fines can be imposed on PI processors (up to RMB 1,000,000) and the person in charge who is directly responsible and other personnel who bear direct responsibility (from RMB 10,000 to RMB 100,000).

For serious violations, in addition to rectification and confiscation of unlawful income, a fine of up to RMB 50,000,000 or 5% of the turnover for the previous year can be imposed. In addition, the person in charge who is directly responsible and other personnel who bear direct responsibility shall be liable to a fine between RMB 10,000 and RMB 100,000.

Criminal Liabilities: the PIPL refers to PRC Criminal Law for relevant behaviors constituting crimes. According to PRC Criminal Law, fines and/or up to 7 years of imprisonment can be imposed for illegally acquiring, selling or providing PI to third parties.

5. Rights of PI Subjects

The PIPL provides PI subjects with a number of rights, including the right to access and copy their PI; rectify their PI; have their PI erased; withdraw their consent to PI processing; restrict the processing of their PI; object to the processing of their PI; and object to the use of automated individual decision-making.

6. Others

The PIPL also provides the following aspects of regulations: 1) specific requirements for state organs and critical information infrastructure operators processing PI, and PI processors that process PI beyond a specific amount threshold (yet to be determined); 2) obligations of PI processors to establish a comprehensive PI protection mechanism including but not limited to formulating internal management policies and operation process, classifying PI, adopting security technical measures, etc.; 3) requirements for local storage and establishing special institutions or designating representatives within PRC under certain circumstances, etc.

C. Management and Protection of Employees’ PI

1. Legal Grounds for Processing Employees’ PI

1) Legal grounds for processing PI

According to the PIPL, PI can only be processed based on one of the following seven lawful grounds:

The individual’s consent has been obtained;
The processing is necessary for the conclusion or performance of a contract to which the individual is a contracting party or for conducting human resource management under the employment rules and regulations legally established and collective contracts legally concluded;
The processing is necessary to fulfil statutory functions or statutory obligations;
The processing is necessary to respond to public health emergencies or protect the life, health or property safety of natural persons under emergency circumstances;
PI is processed within a reasonable scope to conduct news reporting, public opinion-based supervision, or other activities in the public interest;
The PI that has been disclosed by the individuals themselves or other PI that has been legally disclosed and is processed within a reasonable scope in accordance with the PIPL; or
Under any other circumstance as provided by any law or administrative regulations.

2) Is employees’ consents a “must” for processing their PI?

Among the above grounds for lawful processing PI, the grounds most related to employment are the first two grounds: “consent” and “necessary for conducting human resource management”. As “necessary for conducting human resource management” alone is a legal ground for processing PI, if the PI is necessary for conducting human resource management, such PI can be processed without the employees’ consent.

However, the PIPL does not stipulate specific standard for determining what constitutes “necessary for conducting human resource management”. To date, it also a lacks clear standard for reference in practice. For example, some employers may understand that employees’ fingerprints are necessary for daily check-in for the purpose of attendance management and thus are “necessary for conducting human resource management”. By contrast, others may argue that there are other alternative ways for achieving this purpose, and therefore it is not “necessary”.

Considering that there are uncertainties in determining whether it is “necessary for conducting human resource management”, at the current stage, it is suggested that it is better for the employers to try to obtain consents from the employees for PI needed in the first place. It is expected that detailed rules and/or standards in practice will come out in the future and employers can adjust the scope of PI necessary to obtain consents from the employees accordingly.

3) What is a sufficient “consent”

In order to meet the standards of “consent” as required by the PIPL, the consent shall be voluntarily and explicitly given by the individual on a fully informed basis. The PI processor shall truthfully, accurately and completely inform individuals of the following matters (“Items to Inform”) in a conspicuous way and in clear and easily understood languages:

The name and contact information of the PI processor；
Purposes and methods of processing the PI, categories of PI to be processed, and the retention periods；
Methods and procedures for individuals to exercise the rights provided by PIPL; and
Other matters that should be notified as provided by laws and administrative regulations.

The PIPL also requires “separate consent”, which is a form of consent with higher requirements, under the following circumstances:

Providing PI to third parties;
Disclosing PI to the public;
Processing Sensitive PI;
Installing personal images and identification information collecting devices in public places for purposes other than public security; and
Cross-border transferring PI.

The specific requirement and form of Separate Consent is not specified by the PIPL. Based on the current understanding and practice, in order to constitute a Separate Consent, the specific item involving PI processing should be listed as a separate item requesting the individual’s specific consent explicitly to this item, instead of being hidden in a package of items pending for obtaining individual’s consent altogether.

In light of the above, it is suggested that a consent letter be signed by the employee, specifying the contents listed above as required by the PIPL to obtain employees’ consents, including separately listed the items requiring separate consent.

For example, if the employer needs to process employees’ Sensitive PI, it is suggested to be explicitly listed in the consent letter that “the employee agrees that his/her Sensitive PI (a definition or list can be included) will be collected and processed by the employer for specific purposes (to be specified)”.

2. Processing Employees’ Sensitive PI

Employers may process abovementioned Sensitive PI of employees during the employment process, such as when employers use fingerprints or face identity information for daily check-in, collecting employers’ health-related information for insurance purposes, etc.

According to the PIPL, the following requirements shall be met for processing Sensitive PI:

The process shall be with specific purposes and sufficient necessity and strict protection measures shall be taken;
Apart from the Items to Inform, Inform individuals of the necessity of the processing Sensitive PI and the impacts on individuals’ rights and interests;
Obtain separate consent; and
Conduct Personal Information Protection Impact Assessment (“PIPIA”).

3. Sharing Employees’ PI to Third Parties

The PIPL sets further requirements for sharing PI to third parties. The most relevant employment-related scenarios include engaging third parties in background checks, recruitment, payroll services, and labor dispatch, etc.

The PIPL differentiates third parties into “joint PI processor” and “entrusted PI processor” based on whether the third-party PI processor independently determine the processing purpose and processing method. For entrusted PI processor, it only processes the PI in accordance with the processing purpose and processing method determined by the entrusting PI processor.

When entrusting a third party to process PI on behalf of the employer, an agreement shall be entered into between the employer and the entrusted party to specify the purposes, duration and means of processing, categories of PI and protection measures, as well as rights and obligations of both parties, etc.

For sharing employees’ PI to third party processors, apart from the Items to Inform, the employer shall also inform the employees of the recipient’s name, contact information, purposes and methods of processing, categories of PI, and obtain the employee’s separate consent.

4. Cross-border Transferring Employees’ PI

Cross-border transfer of employees’ PI is not rare in practice, especially for multinational employers sharing employees’ PI within the global management system. Considering the special nature of cross-border transfer, the PIPL sets detailed requirements in this regard including:

Any one of the following three requirements shall be met: 1) security assessment organized by National Cyberspace Department; 2) certification by a specialized agency for protection of personal information in accordance with the provisions of the National Cyberspace Department; or 3) entering into the standard contract formulated by the National Cyberspace Department with the overseas recipient (yet to be published);
Apart from the Items to Inform, inform the employee the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and the method and procedure for the individual to exercise the rights stipulated in PIPL against the overseas recipient;
Obtain the data subject’s separate consent; and
Conduct PIPIA.

5. Retaining Employees’ PI

According to the PIPL, the retention period of PI shall be the shortest time necessary for achieving the processing purpose though the specific length of the retention period is not specified. It is suggested that employers decide the retention period according to the type of PI and the specific stage in the employment lifecycle.

Before Employment

For candidates during the recruitment process, considering that the purpose of collecting their PI shall be to assess their eligibility, only the PI related to such purpose shall be collected and such PI shall be deleted if the candidate is not selected. Some employers may retain relevant information of such candidates even if they are not selected, as standby for future recruitment. With the PIPL coming into force, it is suggested to obtain consents from the candidates. In addition, under such circumstances, it is suggested to cease any processing of personal information other than storing and taking necessary security protection measures for such information.

During Employment

For management purposes, PI of employees can be retained throughout the whole process of employment subject to other processing requirements as stipulated by the PIPL.

Termination

Under PRC employment laws, the employer shall preserve the employment contracts for not less than two years for reference purposes after termination of the employment relationship. The employer shall also preserve records relating to salary payment, including the payment amount, date, receiver’s name, and signature for not less than two years.

Other than the abovementioned PI, although main purposes of retaining the PI of employees have been achieved upon the termination of employment, there are certain scenarios where it may also be reasonable for the employers to retain some PI of the employees. For example, employers may need to retain relevant PI for purposes such as cooperating with prospective new employers of the ex-employees in conducting background checks, reviewing the employee’s rejoining, for possible labor disputes arises in the future, etc.

Considering that the PIPL sets stronger protection for sensitive PI, it is suggested that employers delete Sensitive PI of ex-employees such as fingerprints and face identity information (as check-in is no longer needed). For other PI of ex-employees, it is suggested that the employers only keep PI based on legal grounds (better to obtain consent from the employees), and set a reasonable period for such retention.

Conclusion

With the PIPL coming into force, employers are facing more requirements and challenges in processing employees’ PI and carrying out daily work. Employers are suggested to upgrade relevant HR operations and follow the best practices where possible to ensure its processing of employees’ PI is compliant with the PIPL.

It is also expected to see further detailed rules, interpretation and guidance from relavant authorities, as well as developed practice related to employees’ PI protection as time goes on, and employers shall be able to gradually find a better balance between the management of employees and the protection of employees’ PI.

Cookie	Duration	Description
__RequestVerificationToken	session	This cookie is set by web application built in ASP.NET MVC Technologies. This is an anti-forgery cookie used for preventing cross site request forgery attacks.
ep201	30 minutes	This cookie is set by Wufoo for load balancing, site traffic and preventing site abuse.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
uc_session	session	This cookie is set by Dropbox and is used for the 'save to Dropbox' functionality. This cookie stores user session IDs.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
hid	session	No description available.
tableau_locale	session	No description available.
tableau_public_negotiated_locale	session	No description available.

Cookie	Duration	Description
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	1 year 1 month 4 days	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.