Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal information can be collected only for a lawful purpose that directly relates to a function or activity of the data user. The personal information collected must be no more than is necessary for that purpose (or a directly related purpose) – that is, it must not be excessive.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Data users should not retain personal information for longer than is necessary to fulfil the original purpose (or a directly related purpose) of collection, unless deletion of the personal information is prohibited by law.

No specific retention period is specified under Chinese law. To determine the appropriate maximum retention period, a data controller will need to assess each type of personal information that it collects and the purposes of the collection on a case-by-case basis. However, personal information must be deleted upon the expiry of the retention period of which the data subjects were notified when their personal information was collected.

Do individuals have a right to access personal information about them that is held by an organisation?

Telecommunications business operators and internet service providers must provide ways for users to inquire about or correct their personal information. Individuals have the right to request access to personal information held by an organisation, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.

Do individuals have a right to request deletion of their data?

Not under the existing legislation, although the Provisions on Protecting the Personal Information of Telecommunications and Internet Users do require that telecommunications operators and internet service providers stop the collection and use of users’ personal information. However, individuals have the right to request deletion of their personal information pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems and the draft Cybersecurity Law.

Consent obligations
Is consent required before processing personal data?

Consent is required for the collection and use of an individual’s personal information pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users. However, there are no detailed requirements under current law on the specific form or content of the consent (ie, whether it can be implied or inferred).

Prior express consent is required if the personal information will be used or transferred for direct marketing purposes pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Measures for the Administration of Online Transactions.

If the personal information will be used for any other purpose, express consent is also required where the personal information will be used or transferred in a manner that is not covered by the original purpose and scope of collection, unless one of the exemptions applies, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.

If consent is not provided, are there other circumstances in which data processing is permitted?

Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, even if consent is not provided, personal data can still be processed and used for:

  • purposes specified under certain laws and regulations, such as maintenance of public security;
  • the purposes of academic research or social public interest;
  • the enforcement of administrative authorities according to law; and
  • the enforcement of judicial authorities according to decisions and judgments.

What information must be provided to individuals when personal data is collected?

Under the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, telecommunications operators and internet service providers must provide the following information when they collect personal information:

  • the purpose, method and scope of the information to be collected or used;
  • the ways in which users can inquire about and correct information; and
  • the consequences of failure to provide the information.

Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, a data subject must be explicitly informed, prior to the collection of his or her personal information, of:

  • the purposes for which the personal information is being collected, used and processed;
  • the method and the scope of collection, use and processing;
  • the period for which the personal information will be retained;
  • the personal information protection measures in place;
  • relevant information regarding the data controller, such as its name, address and contact information;
  • any risks relating to the disclosure of personal information;
  • the consequences of failure to provide personal information;
  • the channels for checking and correcting personal information and filing a complaint; and
  • information relating to the transfer of personal information (eg, purpose, method and scope of transfer, the scope of use by data recipients, contact information of data recipients).

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

No overarching regulation governs cross-border transfers of personal information, except in specific sectors such as finance, healthcare and telecommunications.

Article 35 of the second draft Cybersecurity Law provides that “operators of critical information infrastructure must store personal information and important transaction data collected and generated exclusively within the territory of mainland China. If, for legitimate business reasons, the data must be provided to a foreign organization or person outside China, the entity must complete a security evaluation jointly formulated by the National Cyberspace Administration and State Council”. ‘Critical information infrastructure’ includes public communications, broadcasting and television transmission services, energy, transportation, water conservancy, finance, electricity, water and gas supply, medical treatment and healthcare, social security, and computer networks and systems with a large number of users. The details of the security evaluation are not specified.

The non-binding Provisions on Protecting the Personal Information of Telecommunications and Internet Users allow for the cross-border transfer of personal information if the data subjects have expressly consented or if the transfer has been approved by the administration authorities or by national laws and regulations.

Are there restrictions on the geographic transfer of data?

No, other than in the cross-border context.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Consent must be obtained from the data subjects where their personal information will be processed by a third party.

The non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems set out the following requirements where personal information will be transferred to a third party:

  • The personal data must be transferred for and to the extent of the purposes notified to the data subjects when their personal information was collected.
  • Before personal information is transferred to third parties, the data controller must evaluate whether such third parties are capable of processing the information in accordance with the guidelines, and the liability of such third parties in relation to the protection of the personal information must be determined and specified by contract.
  • The data controller must ensure that the personal information will not be accessed by any entity other than the recipient in the course of the transfer.
  • The data controller must ensure that the personal information remains complete, available and up to date in the course of transfer.

Personal information may not be transferred to overseas recipients, including any individual overseas or any organisation or institution registered overseas, unless the data subject has expressly consented, the transfer is explicitly required by law or the competent department has issued its approval.