The Personal Information Protection Law of the People's Republic of China (PIPL) took effect on 1 November 2021. As mentioned in our last article here, in the employment context the PIPL imposes more stringent requirements for employers to process employees' personal information for purposes such as recruitment, management, internal investigation, disciplinary action, business cooperation, mergers and acquisitions, termination of employment and resignation.
Will a local subsidiary be deemed as personal information processor, joint personal information processor, or entrusted third party?
There are different scenarios that may apply. If the headquarters independently process information for the purpose of, for example, group diversity monitoring, then the headquarters will be deemed the personal information processor under the PIPL. If the local subsidiary and another affiliate jointly determine the purpose and method of processing, they will be deemed as joint personal information processors.
If the local subsidiary independently determines the purpose and method of processing and another affiliate only processes the personal information on behalf of the local subsidiary, e.g. processing for social insurance and housing fund contributions in the PRC, then the local subsidiary will be deemed as the personal information processor and the affiliate is an entrusted third party under PIPL.
If the headquarters or another affiliate is the personal information processor and collects and processes personal information of the local subsidiary's employees, then it is subject to the (extraterritorial) governance of the PIPL even if it is located outside the PRC. According to the PIPL, entities which are not located in the PRC are required to establish a special agency or appoint a representative, within the territory of the PRC to be responsible for personal information protectionrelated affairs, and submit the name of such agency or the name and contact information of the representative to the authorities performing personal information protection duties (the details and procedures are pending clarification).
If the local subsidiary and another affiliate are joint information processors, they must put in place an agreement setting out their respective rights and obligations in relation to the joint processing. Such agreement will not affect the rights of individuals under the PIPL against any of the joint personal information processors.
If the local subsidiary is the personal information processor and another affiliate is an entrusted third party, the local subsidiary must sign an agreement with the affiliate setting out the obligations of the affiliate while processing personal information, and supervise the affiliate's processing of the personal information. In addition, the local subsidiary must implement an internal personal information security impact assessment.
Practically, while the local subsidiary is part of the group and may follow the group's direction on certain issues, the local subsidiary (as an independent legal entity with its own governance structure) should make its own decisions in terms of how to process personal information in the PRC. In most cases the local subsidiary will be the personal information processer and the other affiliates will be entrusted parties under the definitions of PIPL.
What are the requirements for an employer to provide employees' personal data to a third party?
When providing third parties with employees' personal information (e.g. in the case of business outsourcing, managing social insurance and housing fund contributions, paying wages or recruitment), employers should ensure that the following requirements are complied with:
- employees should be informed of the purpose and the content of the employee information that needs to be provided;
- the employer should assess the supplier's personal information protection capabilities;
- employers and third parties should understand their respective rights and obligations;
- in addition to general terms, the contract with the third party should include the purpose, time limit, method, type of personal information and protection measures, for the employee's personal information;
- when handling sensitive personal information, the separate consent of individual employees should be obtained.
In other scenarios where personal information is provided externally (when sharing information with users or disclosing information to customers), employers must not only comply with the above requirements, but also provide additional notification to inform the recipient of the name, contact, and purpose of processing, processing methods and types of personal information, and obtain individual consent.
If the third parties are located outside the PRC the cross-border, transfer requirements must be met. Among others, employers must ensure one of the following safeguards is satisfied:
- the processor has passed a security assessment conducted by the Cyberspace Administration of China (CAC) (details yet to be formulated);
- the processor has obtained certification for personal information protection from an accredited institution (details yet to be determined);
- the processor has entered into a contract (in a model form to be prescribed by the authority) with the overseas personal information recipient to set out the rights and obligations of the parties; or
- any other safeguards specified under applicable laws or by the CAC.