Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Under the Cybersecurity Law, network operators may only collect, store, process, disclose and use personal information if individuals are notified of the purpose, manner and scope of such activities, and have consented to it. 

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

No specific retention period is specified under Chinese law. To determine the appropriate maximum retention period, a data controller will need to assess each type of personal information that it collects and the purposes of the collection on a case-by-case basis. However, personal information must be deleted upon the expiry of the retention period of which the data subjects were notified when their personal information was collected.

Do individuals have a right to access personal information about them that is held by an organisation?

Telecommunications business operators and internet service providers must provide ways for users to inquire about or correct their personal information. Individuals have the right to request access to personal information held by an organisation, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.

Do individuals have a right to request deletion of their data?

Yes. Under the Cybersecurity Law, if an individual discovers that a network operator collects and uses his or her personal information in a manner that violates laws or administrative regulations or the agreement between the parties, he or she has the right to demand that the network operator delete his or her personal information. Additionally, if he or she discovers errors in the personal information collected and stored by the network operator, he or she has the right to demand that the network operator correct the information. The network operator is required to take measures to delete or correct the information accordingly. Individuals also have the right to request deletion of their personal information pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems. 

Consent obligations

Is consent required before processing personal data?

Yes. Under the Cybersecurity Law, a network operator must obtain the consent of an individual for the collection and use of their personal information. 

Consent is required for the collection and use of an individual’s personal information pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users. However, there are no detailed requirements under current law on the specific form or content of the consent (ie, whether it can be implied or inferred).

Prior express consent is required if the personal information will be used or transferred for direct marketing purposes pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Measures for the Administration of Online Transactions.

For any other purpose, express consent is also required where the personal information will be used or transferred in a manner not covered by the original purpose and scope of collection, unless one of the exemptions applies, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes. Under the Cybersecurity Law, data processing is permissible if the personal information is anonymised and cannot be restored to its original state.

Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, even if consent is not provided, personal data can still be processed and used for:

  • purposes specified under certain laws and regulations, such as maintenance of public security;
  • the purposes of academic research or social public interest;
  • the enforcement of administrative authorities according to law; and
  • the enforcement of judicial authorities according to decisions and judgments.

What information must be provided to individuals when personal data is collected?

Under the Cybersecurity Law, network operators collecting and using individuals' personal information must inform them of the purpose, manner and scope for the collection and use, and obtain consent for such collection and use. Network operators must also make their policies on the collection and use of personal information publicly accessible.

Under the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, telecommunications operators and internet service providers must provide the following information when they collect personal information:

  • the purpose, method and scope of the information to be collected or used;
  • the ways in which users can inquire about and correct information; and
  • the consequences of failure to provide the information.

Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, a data subject must be explicitly informed, prior to the collection of his or her personal information, of:

  • the purposes for which the personal information is being collected, used and processed;
  • the method and the scope of collection, use and processing;
  • the period for which the personal information will be retained;
  • the personal information protection measures in place;
  • relevant information regarding the data controller, such as its name, address and contact information;
  • any risks relating to the disclosure of personal information;
  • the consequences of failure to provide personal information;
  • the channels for checking and correcting personal information and filing a complaint; and
  • information relating to the transfer of personal information (eg, purpose, method and scope of transfer, the scope of use by data recipients, contact information of data recipients).