Personal Information Protection Law of the People's Republic of China
中華人民共和國個人信息保護法
(Adopted at the 30th Meeting of the Standing Committee of the Thirteenth National People's Congress on August 20, 2021)
(2021年8月20日第十三屆全國人民代表大會常務委員會第三十次會議通過)
Chapter I
第一章 總 則
Article 1?This Law is enacted in accordance with the Constitution?for the purposes of protecting the rights and interests on?personal information, regulating personal information processing activities, and promoting reasonable use of personal information.
第一條 為了保護個人信息權益,規范個人信息處理活動,促進個人信息合理利用,根據憲法,制定本法。
Article 2?The personal information of natural persons shall be protected by law. No organization or individual may infringe upon natural persons' rights and interests on their personal information.
第二條 自然人的個人信息受法律保護,任何組織、個人不得侵害自然人的個人信息權益。
Article 3?This Law shall apply to the processing of personal information of natural persons within the territory of the People's Republic of China.
第三條 在中華人民共和國境內處理自然人個人信息的活動,適用本法。
This Law shall also apply to the processing outside the territory of the People's Republic of China of the personal information of natural persons within the territory of the People's Republic of China, under any of the following circumstances:
在中華人民共和國境外處理中華人民共和國境內自然人個人信息的活動,有下列情形之一的,也適用本法:
(1) for the purpose of providing products or services for?natural persons inside the People's Republic of China;
(一)以向境內自然人提供產品或者服務為目的;
(2) analyzing or evaluating the behaviors?of natural persons within the territory of the People's Republic of China; and
(二)分析、評估境內自然人的行為;
(3) any other circumstance as provided by any law or administrative regulation.
(三)法律、行政法規規定的其他情形。
Article 4?"Personal information" refers to various information related to an identified or identifiable natural person recorded electronically or by other means, but?does not include anonymized information.
第四條 個人信息是以電子或者其他方式記錄的與已識別或者可識別的自然人有關的各種信息,不包括匿名化處理后的信息。
Personal information processing includes personal information collection, storage, use, processing, transmission, provision, disclosure and deletion, among others.
個人信息的處理包括個人信息的收集、存儲、使用、加工、傳輸、提供、公開、刪除等。
Article 5?Personal information shall be processed?according to law?when it is necessary, with justified reason, and in good faith, and the processing may not involve?misguidance, fraud, coercion, and the like.
第五條 處理個人信息應當遵循合法、正當、必要和誠信原則,不得通過誤導、欺詐、脅迫等方式處理個人信息。
Article 6?Personal information processing shall be?based on?explicit and reasonable purposes?and directly related to those purposes, and shall exert?the minimum impacts on the rights and interests of?individuals.
第六條 處理個人信息應當具有明確、合理的目的,并應當與處理目的直接相關,采取對個人權益影響最小的方式。
The collection of personal information shall be limited to the minimum scope required by the purpose of processing, and personal information may not be collected excessively.
收集個人信息,應當限于實現處理目的的最小范圍,不得過度收集個人信息。
Article 7?The principles of openness and transparency shall be observed in the processing of personal information, the rules for processing personal information shall be disclosed, and the purposes, means, and scope of processing shall be explicitly indicated.
第七條 處理個人信息應當遵循公開、透明原則,公開個人信息處理規則,明示處理的目的、方式和范圍。
Article 8?The quality of personal information shall be guaranteed in?personal information processing, to avoid adverse impacts on the rights and interests of?individuals caused by inaccurate and incomplete personal information.
第八條 處理個人信息應當保證個人信息的質量,避免因個人信息不準確、不完整對個人權益造成不利影響。
Article 9?Personal information processors shall be responsible for their personal information processing activities and take necessary measures to ensure the security of the personal information they process.
第九條 個人信息處理者應當對其個人信息處理活動負責,并采取必要措施保障所處理的個人信息的安全。
Article 10?No organization or individual shall illegally collect, use, process, or transmit the personal information of other persons, or?illegally trade, provide or disclose the personal information of other persons, or?engage in personal information processing activities that endanger national security or harm public interests.
第十條 任何組織、個人不得非法收集、使用、加工、傳輸他人個人信息,不得非法買賣、提供或者公開他人個人信息;不得從事危害國家安全、公共利益的個人信息處理活動。
Article 11?The state shall establish and improve the personal information protection system to prevent and punish infringements upon the rights and interests on?personal information, strengthen publicity and education on personal information protection, and promote?a favorable environment for?the government, enterprises, relevant industry organizations, and the public?to?jointly?participate?in personal information protection.
第十一條 國家建立健全個人信息保護制度,預防和懲治侵害個人信息權益的行為,加強個人信息保護宣傳教育,推動形成政府、企業、相關社會組織、公眾共同參與個人信息保護的良好環境。
Article 12?The state will actively engage in the development of international rules on personal information protection, promote the international exchanges and cooperation in personal information protection, and encourage the mutual recognition of personal information protection rules and standards, among others, with other countries, regions, and international organizations.
第十二條 國家積極參與個人信息保護國際規則的制定,促進個人信息保護方面的國際交流與合作,推動與其他國家、地區、國際組織之間的個人信息保護規則、標準等互認。
Chapter II Personal Information Processing Rules
第二章 個人信息處理規則
Section 1? General Rules
第一節 一般規定
Article 13?A?personal information processor can process personal information?of an individual?only if one of the following circumstances exists:
第十三條 符合下列情形之一的,個人信息處理者方可處理個人信息:
(1) the individual's consent has been obtained;
(一)取得個人的同意;
(2)?the processing is necessary for the conclusion or performance of a contract in which the individual is a party, or necessary for human resources management in accordance with the labor rules and regulations established in accordance with the law and the collective contracts?signed in accordance with the law;
(二)為訂立、履行個人作為一方當事人的合同所必需,或者按照依法制定的勞動規章制度和依法簽訂的集體合同實施人力資源管理所必需;
(3)?the processing is necessary for the performance of statutory duties or obligations;
(三)為履行法定職責或者法定義務所必需;
(4)?the?processing is necessary for the response to public health emergencies, or for the protection of life, health,?and property safety of natural persons in emergencies;
(四)為應對突發公共衛生事件,或者緊急情況下為保護自然人的生命健康和財產安全所必需;
(5) the personal information is reasonably?processed for?news reporting, media supervision,?and other activities conducted in the public interest;
(五)為公共利益實施新聞報道、輿論監督等行為,在合理的范圍內處理個人信息;
(6) the personal information disclosed by the individual?himself?or other legally disclosed personal information?of the individual?is reasonably processed in accordance with this Law;?and
(六)依照本法規定在合理的范圍內處理個人自行公開或者其他已經合法公開的個人信息;
(7) other circumstances as provided by laws or administrative regulations.
(七)法律、行政法規規定的其他情形。
Individual consent shall be obtained for processing personal information?if any other relevant provisions of this Law?so provide, except under the circumstances specified in Subparagraphs (2) to (7) of the preceding paragraph.
依照本法其他有關規定,處理個人信息應當取得個人同意,但是有前款第二項至第七項規定情形的,不需取得個人同意。
Article 14?Where personal information processing is based on individual consent, the individual consent shall be voluntary,?explicit, and fully informed. Where any other law or administrative regulation provides that an?individual's separate consent or written consent must be obtained for processing personal information, such provisions?shall apply.
第十四條 基于個人同意處理個人信息的,該同意應當由個人在充分知情的前提下自愿、明確作出。法律、行政法規規定處理個人信息應當取得個人單獨同意或者書面同意的,從其規定。
In the case of any change of the purposes?or means of personal information processing, or the category of processed personal information,?a new consent shall be obtained from?the individual.
個人信息的處理目的、處理方式和處理的個人信息種類發生變更的,應當重新取得個人同意。
Article 15?Where personal information processing is based on individual consent, an individual shall have the right?to withdraw his consent. Personal information processors?shall provide convenient ways for individuals to withdraw their?consents.
第十五條 基于個人同意處理個人信息的,個人有權撤回其同意。個人信息處理者應當提供便捷的撤回同意的方式。
The withdrawal of consent shall not affect the validity of the processing activities conducted based on consent before it is withdrawn.
個人撤回同意,不影響撤回前基于個人同意已進行的個人信息處理活動的效力。
Article 16?A personal information processor shall not refuse to provide products or services for an individual on the grounds that the individual?withholds his consent for?the processing of his personal information or has withdrawn?his consent for?the processing of personal information, except where the processing of personal information is necessary for the provision of products or services.
第十六條 個人信息處理者不得以個人不同意處理其個人信息或者撤回同意為由,拒絕提供產品或者服務;處理個人信息屬于提供產品或者服務所必需的除外。
Article 17?A personal information processor shall, before processing personal information, truthfully, accurately and fully inform an individual of the following matters in a easy-to-notice manner and in clear and easy-to-understand language:
第十七條 個人信息處理者在處理個人信息前,應當以顯著方式、清晰易懂的語言真實、準確、完整地向個人告知下列事項:
(1) the name and contact information of the personal information processor;
(一)個人信息處理者的名稱或者姓名和聯系方式;
(2) the purposes and means of personal information?processing, and the categories and storage periods of the personal information to be processed;
(二)個人信息的處理目的、處理方式,處理的個人信息種類、保存期限;
(3) the methods and procedures for the individual to exercise his rights as provided in this Law; and
(三)個人行使本法規定權利的方式和程序;
(4) other matters that the individual should be notified of as provided by laws and administrative regulations.
(四)法律、行政法規規定應當告知的其他事項。
Where any matter as set forth in the preceding paragraph changes, the individual shall be informed of the change.
前款規定事項發生變更的,應當將變更部分告知個人。
Where the personal information processor informs an individual of the matters specified in the first?paragraph by formulating personal information processing rules, the processing rules shall be made public and be easy to consult and save.
個人信息處理者通過制定個人信息處理規則的方式告知第一款規定事項的,處理規則應當公開,并且便于查閱和保存。
Article 18?When?processing personal information,?personal information processors are permitted not to inform individuals of the matters specified in the first paragraph?of the preceding article where?laws or administrative regulations require confidentiality or?provide no requirement for?such notification.
第十八條 個人信息處理者處理個人信息,有法律、行政法規規定應當保密或者不需要告知的情形的,可以不向個人告知前條第一款規定的事項。
Where it is impossible to notify individuals in a timely manner?in a bid to protect?natural persons' life, health and property safety?in case of emergency, the personal information processors shall notify them without delay after the emergency is removed.
緊急情況下為保護自然人的生命健康和財產安全無法及時向個人告知的,個人信息處理者應當在緊急情況消除后及時告知。
Article 19?Except as otherwise provided by laws and administrative regulations, the storage period of personal information shall be the minimum time necessary to achieve the purpose of processing.
第十九條 除法律、行政法規另有規定外,個人信息的保存期限應當為實現處理目的所必要的最短時間。
Article 20?Where two or more personal information?processors jointly determine the purposes?and means of processing certain personal information, they shall reach an agreement on?their respective rights and obligations?in processing?the personal information. However, this agreement shall not affect an individual's request to any one of them to exercise his rights as provided in this Law.
第二十條 兩個以上的個人信息處理者共同決定個人信息的處理目的和處理方式的,應當約定各自的權利和義務。但是,該約定不影響個人向其中任何一個個人信息處理者要求行使本法規定的權利。
Where,?in?jointly processing certain personal information, a?processor infringes?the rights and interests on personal information and causes?damages, other personal information?processors shall bear?joint and several liability?in accordance with law.
個人信息處理者共同處理個人信息,侵害個人信息權益造成損害的,應當依法承擔連帶責任。
Article 21?A personal information processor entrusting the processing of certain personal information to a party shall reach an agreement with the entrusted party on the purposes, period?and?means?of processing, the categories of personal information to be processed and the protection measures, as well as the rights and obligations of both parties, among others, and?shall?supervise the personal information processing activities of the entrusted party.
第二十一條 個人信息處理者委托處理個人信息的,應當與受托人約定委托處理的目的、期限、處理方式、個人信息的種類、保護措施以及雙方的權利和義務等,并對受托人的個人信息處理活動進行監督。
The entrusted party shall process personal information in accordance with the agreement and may not process personal information beyond the purposes,?means?and other conditions as agreed upon. Where the entrustment contract has not taken effect, or is?invalid, or is revoked or terminated, the entrusted party shall return the personal information in question to the personal information processor or delete it and shall not retain the personal?information.
受托人應當按照約定處理個人信息,不得超出約定的處理目的、處理方式等處理個人信息;委托合同不生效、無效、被撤銷或者終止的,受托人應當將個人信息返還個人信息處理者或者予以刪除,不得保留。
Without the consent of the personal information processor, the entrusted party may not sub-contract the processing of personal information to any other party.
未經個人信息處理者同意,受托人不得轉委托他人處理個人信息。
Article 22?Where a personal information processor needs?to transfer personal information due to a merger, division, dissolution, or bankruptcy?or for other reasons, the processor?shall inform the individuals of the name and contact information of the recipient?of the transferred personal information. The recipient shall continue to perform the obligations of the said personal information processor.?Any change?of the original purposes or means of processing?by the recipient?shall be subject to?individual consent in accordance with this Law.
第二十二條 個人信息處理者因合并、分立、解散、被宣告破產等原因需要轉移個人信息的,應當向個人告知接收方的名稱或者姓名和聯系方式。接收方應當繼續履行個人信息處理者的義務。接收方變更原先的處理目的、處理方式的,應當依照本法規定重新取得個人同意。
Article 23?To provide personal information for any other processor, a?personal information processor shall inform the individuals of the recipient's name and contact information, the purposes?and?means of processing and the categories of personal information?to be processed, and shall obtain the individuals' separate consent. The recipient shall process personal information within the scope of the purposes, means,?and?categories of personal information?mentioned above. Any change?of the purposes or means of processing?by the recipient?shall be subject to?individual consent in accordance with this Law.
第二十三條 個人信息處理者向其他個人信息處理者提供其處理的個人信息的,應當向個人告知接收方的名稱或者姓名、聯系方式、處理目的、處理方式和個人信息的種類,并取得個人的單獨同意。接收方應當在上述處理目的、處理方式和個人信息的種類等范圍內處理個人信息。接收方變更原先的處理目的、處理方式的,應當依照本法規定重新取得個人同意。
Article 24?Personal information processors using personal information for automated decision making shall ensure the transparency of the decision making and the fairness and impartiality of the results, and may not apply unreasonable differential treatment to individuals in terms of transaction prices and other transaction conditions.
第二十四條 個人信息處理者利用個人信息進行自動化決策,應當保證決策的透明度和結果公平、公正,不得對個人在交易價格等交易條件上實行不合理的差別待遇。
Information push and commercial marketing to individuals based on?automated decision making shall be?simultaneously accompanied by options not specific to their personal characteristics?or with convenient means?for individuals?to refuse.
通過自動化決策方式向個人進行信息推送、商業營銷,應當同時提供不針對其個人特征的選項,或者向個人提供便捷的拒絕方式。
Where a decision that may have a significant impact on an individual's rights and interests is made through automated decision making, the individual shall have the right to request clarification from the personal information processor and the right to refuse the processor for making?the decision only through automated decision making.
通過自動化決策方式作出對個人權益有重大影響的決定,個人有權要求個人信息處理者予以說明,并有權拒絕個人信息處理者僅通過自動化決策的方式作出決定。
Article 25?Personal information processors shall not disclose the personal information they process, except where separate consents?has been obtained from the individuals.
第二十五條 個人信息處理者不得公開其處理的個人信息,取得個人單獨同意的除外。
Article 26?Image collection and personal identification equipment in public places shall be installed only when it is necessary for the purpose of maintaining?public security, and shall be installed in compliance?with the relevant provisions of?the state and with?prominent reminders. The personal images and identification information collected can only be used for the purpose of maintaining public security and,?unless the individuals'?separate consents are obtained, shall not be used for any other purpose.
第二十六條 在公共場所安裝圖像采集、個人身份識別設備,應當為維護公共安全所必需,遵守國家有關規定,并設置顯著的提示標識。所收集的個人圖像、身份識別信息只能用于維護公共安全的目的,不得用于其他目的;取得個人單獨同意的除外。
Article 27?A personal information processor may?reasonably process the personal information disclosed by an individual?himself?or other legally disclosed personal information,?except where the individual expressly refuses. Where the processing?of disclosed personal information may have a significant?impact on an individual's?rights and interests, the?personal information?processors?shall?first?obtain the individual's consent in accordance with the provisions of this Law.
第二十七條 個人信息處理者可以在合理的范圍內處理個人自行公開或者其他已經合法公開的個人信息;個人明確拒絕的除外。個人信息處理者處理已公開的個人信息,對個人權益有重大影響的,應當依照本法規定取得個人同意。
Section 2? Rules on Processing Sensitive Personal Information
第二節 敏感個人信息的處理規則
Article 28?"Sensitive personal information" is personal information that once leaked or illegally used, may easily lead to the infringement of the personal dignity of a natural person or may endanger?his personal safety?or property, including?information such as?biometrics, religious belief, specific identity, medical health?status, financial accounts, and the person's whereabouts,?as well as?the?personal information of a minor under?the age of?14 years.
第二十八條 敏感個人信息是一旦泄露或者非法使用,容易導致自然人的人格尊嚴受到侵害或者人身、財產安全受到危害的個人信息,包括生物識別、宗教信仰、特定身份、醫療健康、金融賬戶、行蹤軌跡等信息,以及不滿十四周歲未成年人的個人信息。
Personal information processors can?process sensitive personal information only when there?is a specific purpose and when it is of necessity, under the circumstance where strict protective measures?are taken.
只有在具有特定的目的和充分的必要性,并采取嚴格保護措施的情形下,個人信息處理者方可處理敏感個人信息。
Article 29?For the processing of sensitive personal information,?individual's separate consent shall?be?obtained. Where other laws or administrative regulations provide that written consent?shall be obtained for the processing of sensitive personal information, such?provisions shall prevail.
第二十九條 處理敏感個人信息應當取得個人的單獨同意;法律、行政法規規定處理敏感個人信息應當取得書面同意的,從其規定。
Article 30?In addition to the matters specified in?the first paragraph of Article 17 of this Law, a?processor processing sensitive personal information?shall notify an?individual of the necessity of processing his sensitive personal information and the impact it has on his?rights and interests,?except where such notification is not required in accordance with the provisions of this Law.
第三十條 個人信息處理者處理敏感個人信息的,除本法第十七條第一款規定的事項外,還應當向個人告知處理敏感個人信息的必要性以及對個人權益的影響;依照本法規定可以不向個人告知的除外。
Article 31?To process the personal information of minors under the age of 14, personal information processors shall obtain the consent of the parents or other guardians of the minors.
第三十一條 個人信息處理者處理不滿十四周歲未成年人個人信息的,應當取得未成年人的父母或者其他監護人的同意。
Personal information processors?processing the personal information of minors under the age of 14?shall develop special rules for processing such personal information.
個人信息處理者處理不滿十四周歲未成年人個人信息的,應當制定專門的個人信息處理規則。
Article 32?Where other laws or administrative regulations provide that relevant administrative permit shall be obtained for the processing of?sensitive personal information or impose other restrictions, such provisions shall prevail.
第三十二條 法律、行政法規對處理敏感個人信息規定應當取得相關行政許可或者作出其他限制的,從其規定。
Section 3?Special?Provisions on the Processing of Personal Information by State Organs
第三節 國家機關處理個人信息的特別規定
Article 33?This Law shall apply to the processing of personal information by state organs; where there are special provisions in this Section, the provisions of this Section shall prevail.
第三十三條 國家機關處理個人信息的活動,適用本法;本節有特別規定的,適用本節規定。
Article 34?When state organs process personal information in order to?perform their statutory duties, they shall act?in accordance with the authority?and?procedures prescribed by laws and administrative regulations, and shall not exceed the scope and limits necessary to perform their statutory duties.
第三十四條 國家機關為履行法定職責處理個人信息,應當依照法律、行政法規規定的權限、程序進行,不得超出履行法定職責所必需的范圍和限度。
Article 35?When state organs process personal information in order to perform their statutory duties, they shall?fulfill the obligation?of notification?in accordance with the provisions of this Law,?except under?the circumstances specified in the first paragraph of Article 18 of this Law or?where?notification will hinder the state organs from performing their statutory duties.
第三十五條 國家機關為履行法定職責處理個人信息,應當依照本法規定履行告知義務;有本法第十八條第一款規定的情形,或者告知將妨礙國家機關履行法定職責的除外。
Article 36?Personal information processed by state organs shall be stored within the territory of the People's Republic of China.?A?security assessment shall be conducted where it is truly necessary to provide such information for any party outside of the territory?of the People's Republic of China. In the security assessment the relevant departments?shall provide support and assistance?if so requested.
第三十六條 國家機關處理的個人信息應當在中華人民共和國境內存儲;確需向境外提供的,應當進行安全評估。安全評估可以要求有關部門提供支持與協助。
Article 37?Where organizations authorized by laws or regulations with the function of administering public affairs process personal information?in order?to fulfill their statutory duties, the provisions herein?on the processing of personal information by state organs shall apply.
第三十七條 法律、法規授權的具有管理公共事務職能的組織為履行法定職責處理個人信息,適用本法關于國家機關處理個人信息的規定。
Chapter III Rules on?Provision of Personal Information?Across?Border
第三章 個人信息跨境提供的規則
Article 38?A?personal information processor?that truly needs?to provide personal information for?a party outside the territory of the People's Republic of China for business sake or other reasons,?shall meet one of the following requirements:
第三十八條 個人信息處理者因業務等需要,確需向中華人民共和國境外提供個人信息的,應當具備下列條件之一:
(1) passing the security assessment organized by the national cyberspace department?in accordance with Article 40 of this Law;
(一)依照本法第四十條的規定通過國家網信部門組織的安全評估;
(2) obtaining personal information protection certification?from the relevant specialized institution according to the provisions issued by the national cyberspace department;
(二)按照國家網信部門的規定經專業機構進行個人信息保護認證;
(3) concluding a contract stipulating both parties' rights and obligations?with the overseas recipient in accordance with the standard contract formulated by the national cyberspace department; and
(三)按照國家網信部門制定的標準合同與境外接收方訂立合同,約定雙方的權利和義務;
(4) meeting other conditions set forth by laws and administrative regulations and by the national cyberspace department.
(四)法律、行政法規或者國家網信部門規定的其他條件。
Where an international treaty?or?agreement that the People's Republic of China has concluded or acceded to stipulates conditions for providing personal information for a party outside the territory of the People's Republic of China, such stipulations may be followed.
中華人民共和國締結或者參加的國際條約、協定對向中華人民共和國境外提供個人信息的條件等有規定的,可以按照其規定執行。
The personal information processor shall take necessary measures to ensure that the?personal information processing activities of the overseas recipient meet the personal information protection standards set forth in this Law.
個人信息處理者應當采取必要措施,保障境外接收方處理個人信息的活動達到本法規定的個人信息保護標準。
Article 39?Where a personal information processor provides?personal information for?any party outside the territory of the People's Republic of China, the processor?shall inform the individuals of the overseas recipient's name and contact information, the purposes and?means of processing, the categories of personal information?to be processed, as well as the methods and procedures for the?individuals to exercise their?rights as provided in this Law over the overseas recipient, etc., and shall obtain individual's separate consent.
第三十九條 個人信息處理者向中華人民共和國境外提供個人信息的,應當向個人告知境外接收方的名稱或者姓名、聯系方式、處理目的、處理方式、個人信息的種類以及個人向境外接收方行使本法規定權利的方式和程序等事項,并取得個人的單獨同意。
Article 40?Critical information infrastructure operators and the personal information processors that process personal information up to the amount?prescribed by the national cyberspace department?shall store domestically the personal information collected and generated within the territory of the People's Republic of China. Where it is truly necessary to provide the information for a party outside the territory of the People's Republic of China, the matter shall be subjected to security assessment organized by the national cyberspace department. Where laws, administrative regulations, or the provisions issued by the national cyberspace department?provide that security assessment is not necessary, such provisions shall prevail.
第四十條 關鍵信息基礎設施運營者和處理個人信息達到國家網信部門規定數量的個人信息處理者,應當將在中華人民共和國境內收集和產生的個人信息存儲在境內。確需向境外提供的,應當通過國家網信部門組織的安全評估;法律、行政法規和國家網信部門規定可以不進行安全評估的,從其規定。
Article 41?The competent authorities?of the People's Republic of China shall handle?foreign judicial or law enforcement authorities' requests?for personal information stored within China?in accordance with relevant laws and the international treaties and agreements concluded or acceded to by the People's Republic of China, or under the principle of equality and reciprocity. Without the approval of the competent authorities?of the People's Republic of China, no organization or individual shall provide data stored in the territory of the People's Republic of China for?any foreign judicial or law enforcement authority.
第四十一條 中華人民共和國主管機關根據有關法律和中華人民共和國締結或者參加的國際條約、協定,或者按照平等互惠原則,處理外國司法或者執法機構關于提供存儲于境內個人信息的請求。非經中華人民共和國主管機關批準,個人信息處理者不得向外國司法或者執法機構提供存儲于中華人民共和國境內的個人信息。
Article 42?Where overseas organizations or individuals engage in personal information processing activities,?which infringe upon the rights and interests of?citizens of the People's Republic of China on personal information or endanger the national security or public interests of the People's Republic of China, the national cyberspace department?may include them in a list of restricted?or prohibited?recipients of personal information, publicize the list, and take measures such as restricting or prohibiting the provision of personal information for such organizations and individuals.
第四十二條 境外的組織、個人從事侵害中華人民共和國公民的個人信息權益,或者危害中華人民共和國國家安全、公共利益的個人信息處理活動的,國家網信部門可以將其列入限制或者禁止個人信息提供清單,予以公告,并采取限制或者禁止向其提供個人信息等措施。
Article 43?Where any country or region adopts any prohibitive, restrictive or other similar discriminatory measures against the People's Republic of China in terms of personal information protection, the People's Republic of China may take countermeasures?against the aforesaid country or region based on actual situations.
第四十三條 任何國家或者地區在個人信息保護方面對中華人民共和國采取歧視性的禁止、限制或者其他類似措施的,中華人民共和國可以根據實際情況對該國家或者地區對等采取措施。
Chapter IV Individuals' Rights in Personal Information Processing Activities
第四章 個人在個人信息處理活動中的權利
Article 44?Individuals shall have the right to be informed,?the right to make decisions on the processing of their personal information, and the right to restrict or refuse the processing of their personal information by others, except as otherwise provided by laws?or administrative regulations.
第四十四條 個人對其個人信息的處理享有知情權、決定權,有權限制或者拒絕他人對其個人信息進行處理;法律、行政法規另有規定的除外。
Article 45?Individuals shall have the right to consult and duplicate their personal information from personal information processors, except under circumstances as set out in the first paragraph of Article 18 and Article 35 of this Law.
第四十五條 個人有權向個人信息處理者查閱、復制其個人信息;有本法第十八條第一款、第三十五條規定情形的除外。
Where an individual requests?the consultation or duplication of his personal information, the requested personal information processor shall provide such information in a timely manner.
個人請求查閱、復制其個人信息的,個人信息處理者應當及時提供。
Where an individual requests?the transfer of his personal information to a?designated personal information processor, which meets the?requirements?of national cyberspace department?for transferring personal information , the requested personal information processor shall provide means for the transfer.
個人請求將個人信息轉移至其指定的個人信息處理者,符合國家網信部門規定條件的,個人信息處理者應當提供轉移的途徑。
Article 46?Where an individual discovers?that his personal information is incorrect or incomplete, he shall have the right to request?the?personal information processors to rectify or supplement relevant information.
第四十六條 個人發現其個人信息不準確或者不完整的,有權請求個人信息處理者更正、補充。
Where an individual requests?the rectification or supplementation of his personal information, the personal information processors shall verify the information?in question, and make rectification?or supplementation?in a timely manner.
個人請求更正、補充其個人信息的,個人信息處理者應當對其個人信息予以核實,并及時更正、補充。
Article 47?In any of the following circumstances, a personal information processor shall take the initiative to erase personal information,?and an?individual has the right to request the deletion?of his personal information?if the personal information processor fails to erase the information:
第四十七條 有下列情形之一的,個人信息處理者應當主動刪除個人信息;個人信息處理者未刪除的,個人有權請求刪除:
(1) the purposes of processing have been achieved or cannot be achieved, or?such information?is no longer necessary?for achieving the purposes?of processing;
(一)處理目的已實現、無法實現或者為實現處理目的不再必要;
(2)?the personal information processor ceases?to provide products or services, or the storage period has expired;
(二)個人信息處理者停止提供產品或者服務,或者保存期限已屆滿;
(3) the individual withdraws his?consent;
(三)個人撤回同意;
(4) the personal information processor?processes?personal information in violation of laws, administrative regulations, or agreements; or
(四)個人信息處理者違反法律、行政法規或者違反約定處理個人信息;
(5)?other circumstances as provided by laws and administrative regulations.
(五)法律、行政法規規定的其他情形。
Where the storage period provided by any law or administrative regulation has not expired, or it is difficult to erase?personal information technically, the personal information processor shall cease the processing of personal information other than storing and taking necessary security protection measures for such information.
法律、行政法規規定的保存期限未屆滿,或者刪除個人信息從技術上難以實現的,個人信息處理者應當停止除存儲和采取必要的安全保護措施之外的處理。
Article 48?An individuals has?the right to request?a?personal information processor to interpret the personal information processing rules?developed by the latter.
第四十八條 個人有權要求個人信息處理者對其個人信息處理規則進行解釋說明。
Article 49?The?close relatives?of?a deceased natural person may, for their own legal and legitimate interests, exercise the rights?to handle?the personal information of the deceased, such as consultation, duplication, rectification, and?deletion,?as provided in this Chapter,?except as otherwise arranged by the deceased before death.
第四十九條 自然人死亡的,其近親屬為了自身的合法、正當利益,可以對死者的相關個人信息行使本章規定的查閱、復制、更正、刪除等權利;死者生前另有安排的除外。
Article 50?A personal information processor shall establish the mechanism for receiving and handling?individuals' requests for exercising their rights. Where?an individual's request is rejected, the reasons therefor shall be given.
第五十條 個人信息處理者應當建立便捷的個人行使權利的申請受理和處理機制。拒絕個人行使權利的請求的,應當說明理由。
Where an individual's request to exercise his rights?is rejected by a personal information processor, the individual may file a lawsuit with?the people's court in accordance with the law.
個人信息處理者拒絕個人行使權利的請求的,個人可以依法向人民法院提起訴訟。
Chapter V Obligations of Personal Information Processors
第五章 個人信息處理者的義務
Article 51?Personal information processors shall take the following measures to ensure that their personal information processing activities are in compliance?with laws and administrative regulations based on the purpose and?means of processing, the categories of personal information?to be processed, the impact on personal rights and interests, and the potential security risks, among others, and shall prevent unauthorized access to, as well as?breach, tampering or loss of any personal information:
第五十一條 個人信息處理者應當根據個人信息的處理目的、處理方式、個人信息的種類以及對個人權益的影響、可能存在的安全風險等,采取下列措施確保個人信息處理活動符合法律、行政法規的規定,并防止未經授權的訪問以及個人信息泄露、篡改、丟失:
(1) formulating?internal management system and operational?procedures;
(一)制定內部管理制度和操作規程;
(2) implementing classified management of personal information;
(二)對個人信息實行分類管理;
(3) adopting?corresponding security technical measures such as encryption and de-identification;
(三)采取相應的加密、去標識化等安全技術措施;
(4) reasonably determining the operational?authority?of personal information processing, and regularly conducting safety education and training for practitioners;
(四)合理確定個人信息處理的操作權限,并定期對從業人員進行安全教育和培訓;
(5) formulating?contingent plans for personal information security emergencies?and organizing the implementation of such plans; and
(五)制定并組織實施個人信息安全事件應急預案;
(6) other measures as provided by laws and administrative regulations.
(六)法律、行政法規規定的其他措施。
Article 52?A personal information processor that processes?personal information up to the amount?prescribed by the national cyberspace department?shall designate a person in charge of personal information protection, who shall supervise?the personal information processing activities of the processor as well as?the?protective measures taken?thereby, among others.
第五十二條 處理個人信息達到國家網信部門規定數量的個人信息處理者應當指定個人信息保護負責人,負責對個人信息處理活動以及采取的保護措施等進行監督。
The?personal information processor shall disclose the contact information of the person in charge of personal information protection, and submit the said person's name, contact information, and other information?to the departments?with personal information protection duties.
個人信息處理者應當公開個人信息保護負責人的聯系方式,并將個人信息保護負責人的姓名、聯系方式等報送履行個人信息保護職責的部門。
Article 53?Personal information processors outside the territory of the People's Republic of China as specified in the second paragraph of Article 3 of this Law shall set up specialized agencies or designate representatives within the territory of the People's Republic of China to be responsible for handling personal information protection related matters, and shall submit the names, contact information, and other information?of the agencies and representatives to the departments?with personal information protection duties.
第五十三條 本法第三條第二款規定的中華人民共和國境外的個人信息處理者,應當在中華人民共和國境內設立專門機構或者指定代表,負責處理個人信息保護相關事務,并將有關機構的名稱或者代表的姓名、聯系方式等報送履行個人信息保護職責的部門。
Article 54?Personal information processors shall regularly conduct compliance audits of their personal information processing activities with laws and administrative regulations.
第五十四條 個人信息處理者應當定期對其處理個人信息遵守法律、行政法規的情況進行合規審計。
Article 55?In any of the following circumstances, a personal information processor shall assess?in advance the impact on personal information protection?and?keep a record of the?course of the processing:
第五十五條 有下列情形之一的,個人信息處理者應當事前進行個人信息保護影響評估,并對處理情況進行記錄:
(1) processing sensitive personal information;
(一)處理敏感個人信息;
(2) using personal information to conduct automated decision making;
(二)利用個人信息進行自動化決策;
(3) entrusting personal information processing?to another?party, providing personal information for?another?party, or publicizing?personal information;
(三)委托處理個人信息、向其他個人信息處理者提供個人信息、公開個人信息;
(4) providing personal information for any party outside the territory of the People's Republic of China; or
(四)向境外提供個人信息;
(5)?conducting other personal information processing activities which may have?significant impacts on individuals.
(五)其他對個人權益有重大影響的個人信息處理活動。
Article 56?The assessment of impact on personal information protection shall include the following contents:
第五十六條 個人信息保護影響評估應當包括下列內容:
(1) whether the purposes and means of personal information?processing,?are legitimate, justified and necessary;
(一)個人信息的處理目的、處理方式等是否合法、正當、必要;
(2) the?impact on individuals'?rights and interests, and security risks; and
(二)對個人權益的影響及安全風險;
(3) whether the protection measures taken are legitimate, effective, and compatible with the degree of risks.
(三)所采取的保護措施是否合法、有效并與風險程度相適應。
The report of the impact assessment on personal information protection and the processing record shall be retained for at least three years.
個人信息保護影響評估報告和處理情況記錄應當至少保存三年。
Article 57?Where the breach, tampering, or loss of personal information occurs?or may occur, a?personal information processor shall immediately take remedial measures and notify the departments with?personal information protection duties and the relevant individuals. The notice shall?include the following items:
第五十七條 發生或者可能發生個人信息泄露、篡改、丟失的,個人信息處理者應當立即采取補救措施,并通知履行個人信息保護職責的部門和個人。通知應當包括下列事項:
(1) the categories of personal information that has been or may be breached, tampered with?or lost, and the reasons and possible harm of the breach, tampering and loss;
(一)發生或者可能發生個人信息泄露、篡改、丟失的信息種類、原因和可能造成的危害;
(2) the remedial measures adopted by the personal information processor and the measures the individuals may take to mitigate the harm; and
(二)個人信息處理者采取的補救措施和個人可以采取的減輕危害的措施;
(3) the contact information of the personal information processor.
(三)個人信息處理者的聯系方式。
Where the measures taken by the personal information processor can effectively avoid the harm caused?by breach, tampering, or loss of personal information, the personal information processor is not required to notify individuals; where the departments?with personal information protection duties consider that harm may be caused, they?have the authority to request the personal information processor to notify individuals.
個人信息處理者采取措施能夠有效避免信息泄露、篡改、丟失造成危害的,個人信息處理者可以不通知個人;履行個人信息保護職責的部門認為可能造成危害的,有權要求個人信息處理者通知個人。
Article 58?A personal information processor that provides?important internet platform services involving a huge number of users and complicated business types shall perform the following obligations:
第五十八條 提供重要互聯網平臺服務、用戶數量巨大、業務類型復雜的個人信息處理者,應當履行下列義務:
(1) establishing and improving the personal information protection compliance system in accordance with the provisions of the state and establishing an independent organization mainly composed of external members to supervise the protection of personal information;
(一)按照國家規定建立健全個人信息保護合規制度體系,成立主要由外部成員組成的獨立機構對個人信息保護情況進行監督;
(2) following the principles of openness, fairness, and justice, formulating platform rules, and clarifying the norms and obligations that product or service providers within the platform?should meet when?processing personal information;
(二)遵循公開、公平、公正的原則,制定平臺規則,明確平臺內產品或者服務提供者處理個人信息的規范和保護個人信息的義務;
(3) stopping providing services for product or service providers within the platforms?that process personal information in serious violation of laws and administrative regulations;?and
(三)對嚴重違反法律、行政法規處理個人信息的平臺內的產品或者服務提供者,停止提供服務;
(4) regularly publishing social responsibility reports on personal information protection for public supervision.
(四)定期發布個人信息保護社會責任報告,接受社會監督。
Article 59?The party entrusted with the processing of personal information shall, in accordance with this Law and relevant laws and administrative regulations, take the necessary measures to ensure the security of the personal information entrusted for processing, and assist the entrusting personal information processor in fulfilling?the?obligations provided by this Law.
第五十九條 接受委托處理個人信息的受托人,應當依照本法和有關法律、行政法規的規定,采取必要措施保障所處理的個人信息的安全,并協助個人信息處理者履行本法規定的義務。
Chapter VI Departments with Personal Information Protection Duties
第六章 履行個人信息保護職責的部門
Article 60?The national cyberspace department?shall be responsible for the overall planning and coordination of personal information protection and related supervision and administration. The relevant departments of the State Council shall, in accordance with this Law and?other?relevant laws and administrative regulations, be responsible for personal information protection and related supervision and administration within the scope of their respective duties.
第六十條 國家網信部門負責統籌協調個人信息保護工作和相關監督管理工作。國務院有關部門依照本法和有關法律、行政法規的規定,在各自職責范圍內負責個人信息保護和監督管理工作。
The?duties of personal information protection?and related supervision and administration of the relevant departments of the local people's governments at or above the county level shall be determined in accordance with the relevant provisions of the state.
縣級以上地方人民政府有關部門的個人信息保護和監督管理職責,按照國家有關規定確定。
The departments provided in the preceding two paragraphs are?collectively referred to as the departments with personal information protection duties.
前兩款規定的部門統稱為履行個人信息保護職責的部門。
Article 61?Departments with personal information protection duties shall perform the following personal information protection duties:
第六十一條 履行個人信息保護職責的部門履行下列個人信息保護職責:
(1) conducting publicity and education on personal information protection, and guiding and supervising personal information processors?in their protection of personal information;
(一)開展個人信息保護宣傳教育,指導、監督個人信息處理者開展個人信息保護工作;
(2) receiving and handling?complaints and reports related?to personal information protection;
(二)接受、處理與個人信息保護有關的投訴、舉報;
(3) organizing evaluations?on applications, etc. in terms of personal information protection and publish the results of such evaluations;
(三)組織對應用程序等個人信息保護情況進行測評,并公布測評結果;
(4)?investigating and handling?illegal personal information processing activities; and
(四)調查、處理違法個人信息處理活動;
(5) other duties as provided by laws and administrative regulations.
(五)法律、行政法規規定的其他職責。
Article 62?The national cyberspace department?shall coordinate relevant departments to promote personal information protection through the following?efforts in accordance with this Law:
第六十二條 國家網信部門統籌協調有關部門依據本法推進下列個人信息保護工作:
(1) formulating specific rules and standards for personal information protection;
(一)制定個人信息保護具體規則、標準;
(2)?developing special personal information protection rules and standards for small personal information processors, the processing of sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;
(二)針對小型個人信息處理者、處理敏感個人信息以及人臉識別、人工智能等新技術、新應用,制定專門的個人信息保護規則、標準;
(3)?supporting the research?and development,?and promoting the?application of secure and convenient electronic identity authentication technology, and advancing the?public services for network identity authentication;
(三)支持研究開發和推廣應用安全、方便的電子身份認證技術,推進網絡身份認證公共服務建設;
(4) promoting the development of a personal information protection service system?with the participation of various social sectors, and supporting relevant institutions in providing personal information protection assessment and certification services; and
(四)推進個人信息保護社會化服務體系建設,支持有關機構開展個人信息保護評估、認證服務;
(5) improving the complaint and reporting mechanism?related to personal information protection .
(五)完善個人信息保護投訴、舉報工作機制。
Article 63?A department with personal information protection duties when fulfilling related duties may take the following measures:
第六十三條 履行個人信息保護職責的部門履行個人信息保護職責,可以采取下列措施:
(1) questioning relevant parties, and investigating circumstances related?to personal information processing activities;
(一)詢問有關當事人,調查與個人信息處理活動有關的情況;
(2) consulting and duplicating the parties' contracts, records, account books and other relevant materials related?to personal information processing activities;
(二)查閱、復制當事人與個人信息處理活動有關的合同、記錄、賬簿以及其他有關資料;
(3) conducting on-site inspections, and?investigating?suspected illegal personal information processing activities; and
(三)實施現場檢查,對涉嫌違法的個人信息處理活動進行調查;
(4) inspecting equipment and articles related?to personal information processing activities; and sealing up or seizing equipment and articles related to illegal personal information processing activities as proved by evidence after submitting written reports to and obtaining approval from the principal person?in?charge of the departments with personal information protection duties.
(四)檢查與個人信息處理活動有關的設備、物品;對有證據證明是用于違法個人信息處理活動的設備、物品,向本部門主要負責人書面報告并經批準,可以查封或者扣押。
When departments with personal information protection duties carry out?their duties in accordance with the law, the parties concerned shall?cooperate and?provide assistance, and shall not reject or obstruct them.
履行個人信息保護職責的部門依法履行職責,當事人應當予以協助、配合,不得拒絕、阻撓。
Article 64?Where a department with personal information protection duties finds, when?performing?its duties,?relatively high risks in personal information processing activities or the occurrence of personal information security incidents, the department may hold an interview with the legal representative or the principal person in charge of the personal information processor according to the provided authority and procedures, or request the processor to entrust a professional institution to conduct compliance audits of the?personal information processing activities. The personal information processor shall adopt measures?to?make rectification and eliminate potential risks as required.
第六十四條 履行個人信息保護職責的部門在履行職責中,發現個人信息處理活動存在較大風險或者發生個人信息安全事件的,可以按照規定的權限和程序對該個人信息處理者的法定代表人或者主要負責人進行約談,或者要求個人信息處理者委托專業機構對其個人信息處理活動進行合規審計。個人信息處理者應當按照要求采取措施,進行整改,消除隱患。
Where a department with personal information protection duties, in performing its duties, finds?an illegal personal information?processing?activity that may involve a crime, the department shall transfer the case?to the public security organ in a timely manner in accordance with the law.
履行個人信息保護職責的部門在履行職責中,發現違法處理個人信息涉嫌犯罪的,應當及時移送公安機關依法處理。
Article 65?Any organization or individual has the right to complain and report to a?department with personal information protection duties about illegal personal information processing. The department that receives such a complaint or report shall handle it in a timely manner in accordance with the law, and notify the complainant or informant of the results.
第六十五條 任何組織、個人有權對違法個人信息處理活動向履行個人信息保護職責的部門進行投訴、舉報。收到投訴、舉報的部門應當依法及時處理,并將處理結果告知投訴、舉報人。
Departments with personal information protection duties shall publish their contact information for receiving complaints and reports.
履行個人信息保護職責的部門應當公布接受投訴、舉報的聯系方式。
Chapter VII Legal Liability
第七章 法律責任
Article 66?Where personal information is processed in violation of the provisions of this Law or without fulfilling?the personal information protection obligations provided in this Law, the departments with personal information protection duties shall order the violator to make corrections, give a warning, confiscate the?illegal gains,?and order the suspension or termination of provision of services by the applications that illegally process personal information; where the violator?refuses to make?corrections, a?fine?of?not more than RMB one million yuan?shall be imposed thereupon; and the directly liable persons in charge and other directly liable persons shall each be fined not less than RMB 10,000 yuan nor more than RMB 100,000 yuan.
第六十六條 違反本法規定處理個人信息,或者處理個人信息未履行本法規定的個人信息保護義務的,由履行個人信息保護職責的部門責令改正,給予警告,沒收違法所得,對違法處理個人信息的應用程序,責令暫停或者終止提供服務;拒不改正的,并處一百萬元以下罰款;對直接負責的主管人員和其他直接責任人員處一萬元以上十萬元以下罰款。
In case of an illegal act as prescribed in the preceding paragraph and the circumstances are serious, the departments with personal information protection duties?at or above the provincial level shall order the violator to make corrections, confiscate the illegal gains, impose a fine of?not more?than RMB 50 million yuan or not more than five percent?of the previous year's turnover;?may also order the suspension of relevant businesses,?or order the suspension of all the business operations for an overhaul, and notify the competent authorities?to revoke relevant business permits?or license; shall impose a fine?of not less than RMB 100,000 yuan but not?more than?RMB 1 million yuan?upon each of the directly liable persons in charge and other directly liable persons,?and may decide to prohibit?the abovementioned persons?from serving as directors, supervisors, senior managers,?or the persons?in charge of relevant?companies within a specific period of time.
有前款規定的違法行為,情節嚴重的,由省級以上履行個人信息保護職責的部門責令改正,沒收違法所得,并處五千萬元以下或者上一年度營業額百分之五以下罰款,并可以責令暫停相關業務或者停業整頓、通報有關主管部門吊銷相關業務許可或者吊銷營業執照;對直接負責的主管人員和其他直接責任人員處十萬元以上一百萬元以下罰款,并可以決定禁止其在一定期限內擔任相關企業的董事、監事、高級管理人員和個人信息保護負責人。
Article 67?Any violation of?the provisions of this Law?shall be entered?in?the relevant credit record and be published in accordance with the provisions of the relevant laws and administrative regulations.
第六十七條 有本法規定的違法行為的,依照有關法律、行政法規的規定記入信用檔案,并予以公示。
Article 68?Where any state organ fails to fulfill the personal information protection obligations as provided in this Law, the organ at the?higher level or the departments with personal information protection duties?shall order it to make corrections, and discipline?the directly liable person in charge and other directly liable persons in accordance with the law.
第六十八條 國家機關不履行本法規定的個人信息保護義務的,由其上級機關或者履行個人信息保護職責的部門責令改正;對直接負責的主管人員和其他直接責任人員依法給予處分。
Where a staff member of a department with personal information protection duties?neglects duties, abuses power,?or?practices favoritism, which does not constitute a crime, the staff member shall be subject to sanction in accordance with?the law.
履行個人信息保護職責的部門的工作人員玩忽職守、濫用職權、徇私舞弊,尚不構成犯罪的,依法給予處分。
Article 69?Where a personal information processor infringes the rights or interests on personal information due to any personal information processing activity and cannot prove that the processor is?not at fault, the?processor shall assume the liability for damages and other tort liability.
第六十九條 處理個人信息侵害個人信息權益造成損害,個人信息處理者不能證明自己沒有過錯的,應當承擔損害賠償等侵權責任。
The liability for damages prescribed in the preceding paragraph shall be determined based on the losses of individuals incurred thereby and the benefits acquired by the infringing personal information processor; and where it is difficult to determine the?aforementioned?losses or the benefits, the amount of damages shall be determined based on?the actual circumstances.
前款規定的損害賠償責任按照個人因此受到的損失或者個人信息處理者因此獲得的利益確定;個人因此受到的損失和個人信息處理者因此獲得的利益難以確定的,根據實際情況確定賠償數額。
Article 70?Where a personal information processor processes personal information in violation of the provisions of this Law?and?infringes?the rights and interests of?many individuals, the people's procuratorate, the consumer organizations?specified by law,?and the organization designated?by the national cyberspace department?may file a lawsuit with the people's court in accordance with the law.
第七十條 個人信息處理者違反本法規定處理個人信息,侵害眾多個人的權益的,人民檢察院、法律規定的消費者組織和由國家網信部門確定的組織可以依法向人民法院提起訴訟。
Article 71?Any violation of this Law which constitutes a violation of public security administration?shall be subject to public security administration penalty?in accordance with?the law.?If the violation constitutes a crime, the violator shall be held criminally liable in accordance with?the law.
第七十一條 違反本法規定,構成違反治安管理行為的,依法給予治安管理處罰;構成犯罪的,依法追究刑事責任。
Chapter VIII Supplementary?Provisions
第八章 附 則
Article 72?This Law is not applicable?where a natural person processes personal information for personal or household affairs.
第七十二條 自然人因個人或者家庭事務處理個人信息的,不適用本法。
Where other laws provide personal information processing in statistical or archives management?activities organized and conducted by the people's governments at all levels and their relevant departments,?the?provisions of such laws shall prevail.
法律對各級人民政府及其有關部門組織實施的統計、檔案管理活動中的個人信息處理有規定的,適用其規定。
Article 73?For purposes of this Law, the following terms shall have the following meanings:
第七十三條 本法下列用語的含義:
(1) "A personal information processor" refers to an organization or individual that autonomously determines the purposes?and means of personal information processing.
(一)個人信息處理者,是指在個人信息處理活動中自主決定處理目的、處理方式的組織、個人。
(2) "automated decision making" refers to the activities of automatically analyzing and evaluating personal behaviors, hobbies, or economic, health, and credit status, among others, through computer programs, and making decisions.
(二)自動化決策,是指通過計算機程序自動分析、評估個人的行為習慣、興趣愛好或者經濟、健康、信用狀況等,并進行決策的活動。
(3) "de-identification" refers to processing personal information to make it impossible to identify specific natural persons in the absence of the support of additional information.
(三)去標識化,是指個人信息經過處理,使其在不借助額外信息的情況下無法識別特定自然人的過程。
(4) "anonymization" refers to the process of processing personal information to make it impossible to identify specific natural persons and impossible to restore.
(四)匿名化,是指個人信息經過處理無法識別特定自然人且不能復原的過程。
Article 74?This Law shall come into force as of?November 1st?, 2021.
第七十四條 本法自2021年11月1日起施行。