Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Yes. Under the Cybersecurity Law (CSL), network operators may only collect, store, process, disclose and use personal information if individuals are notified of the purpose, manner and scope of such activities, and have consented to it. In particular, article 41 of the CSL states that network operators shall abide by the principles of ‘legality, rightfulness and necessity’ when collecting and using personal information, and that network operators shall not collect personal information that is irrelevant to the services provided by them. The Civil Code of the People’s Republic of China contains largely similar requirements regarding the collection and use of personal information.

Aside from the CSL, consent is required for the collection and use of an individual’s personal information under the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Yes. Under the non-binding Information Security Technology – Personal Information Security Specification 2020 (the 2020 PI Specification), ‘sensitive personal information’ refers to any personal information that if disclosed, illegally provided or misused could endanger an individual’s reputation, mental health and physical health, or lead to discriminatory treatment. The definition specifically includes:

  • identity card numbers;
  • biometric information;
  • bank account numbers;
  • communication records and content;
  • property information;
  • credit information;
  • location and tracking records;
  • accommodation information;
  • health and physiological data;
  • transaction data; and
  • any personal information of a minor under the age of 14.


Also, the 2020 PI Specification imposes additional requirements on ‘personal biometric information’, which includes personal genes, fingerprints, voiceprints, palm prints, auricles, irises and facial recognition data.

Under the Regulation on Cyber Protection of Children’s Personal Information, additional requirements are also imposed on network operators collecting, using or disclosing personal information of children under the age of 14.

In particular, network operators are required to provide a privacy policy and terms of use that are specifically tailored to, and appoint specific personnel to be in charge of, the protection of children’s personal information. Network operators must also comply with certain requirements when obtaining consent from a child’s guardian for the collection, use or disclosure of the child’s personal information. For example, network operators must notify the child’s guardian of the purposes for which the child’s personal information will be collected or used prominently and clearly before obtaining their consent. Fresh consent must also be obtained from the guardian where the use of the child’s personal information goes beyond the initially notified purposes. Additional security requirements will also apply concerning the handling of children’s personal information.

Data handling responsibilities of owners of PII


Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Yes. Article 41 of the Cybersecurity Law (CSL) and article 1035 of the Civil Code of the People’s Republic of China (the Civil Code) specifically requires that network operators may only collect, store, process, disclose and use personal information if individuals are notified of the purpose, manner and scope of such activities, and give their consent to such activities. Further, article 9 of the 2019 Draft Security Management Measures requires network operators to only collect personal information if the data subject is expressly aware of the network operator’s rules for collection and use and if the data subject has provided their explicit consent.

The non-binding Information Security Technology – Personal Information Security Specification 2020 (the 2020 PI Specification) provides that explicit consent (ie, positive action is required, such as electronically clicking an ‘accept’ button) is required for:

  • the collection, disclosure or transfer of sensitive personal information;
  • the collection of personal information concerning minors; and
  • the use of personal information for a new purpose or that goes beyond the original agreed purpose.


The 2020 PI Specification goes further and distinguishes between obtaining consent for ‘basic functions’ and ‘extended functions’. Data controllers may obtain a single consolidated express and informed consent from the data subject for all basic functions, but any amendments to the basic functions shall require further explicit consent.

Also, the 2020 PI Specification requires data controllers to obtain separate and explicit consent for the collection and use of an individual’s personal biometric information.

As a matter of caution, it is recommended that owners of PII always obtain explicit consent from data subjects when collecting any personal information.

Exemption from notification

When is notice not required?

Under the CSL and 2020 PI Specification, personal information can still be processed even if consent has not been obtained in the following circumstances:

  • where the personal information is anonymised and cannot be restored to its original state;
  • where the purpose is specified under certain laws and regulations, such as maintenance of public security;
  • where the purpose relates to academic research or social public interest; or
  • where the data processing relates to enforcement activities carried out by administrative authorities according to law or judicial authorities according to decisions and judgments.
Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Yes. Under article 8.4 of the non-binding 2020 PI Specification, owners of PII should provide individuals with methods to withdraw their consent to the collection and processing of their personal information, and owners of PII should discontinue the processing of such personal information. Any processing of personal information that takes place before the individual’s withdrawal of consent would not be impacted.

Under the Measures for the Administration of Internet Email Services, where an email recipient has clearly consented to receive emails containing commercial advertisements, but later withdraws this consent, the sender must stop sending such emails unless otherwise agreed by both parties. When sending emails containing commercial advertisements, the sender must provide its contact information, including its email address, and a guarantee that this contact information will remain valid for 30 days.

Under the Administrative Provisions on Short Message Services, short message providers and short message content providers must not send commercial messages to users without their consent or request, and must explain the type and frequency of the commercial messages that will be sent. A user’s failure to respond will be regarded as a refusal of consent.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Under article 43 of the CSL, article 1037 of the Civil Code, and articles 8.2 and 8.3 of the 2020 PI Specification, owners of PII are required to take measures to comply with requests by individuals to delete and correct their personal information, if the personal information was collected or used in violation of the law, or if there are any inaccuracies with the personal information.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Article 5.2 of the 2020 PI Specification sets out the data minimisation principle, which provides that owners of PII must only collect the minimum quantity of personal information necessary for carrying out the business functions of their products or services.

Article 6 of the 2020 PI Specification requires that owners of PII shall only retain the personal information for the shortest time necessary to achieve the stated purpose, after which deletion or data anonymisation should be carried out.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the CSL and its related regulations require that personal information must only be collected and used for the stated purpose. If the personal information will be used for any other purpose, express consent is required where the personal information will be used or transferred in a manner that is not covered by the original purpose and scope of the collection, unless one of the exemptions apply, under the non-binding 2020 PI Specification.

Under article 1036 of the Civil Code, a PII owner will not be in breach if it handles personal data within the scope of the consent given by the data subject. Accordingly, any acts carried out beyond such scope of consent will constitute a breach of the Civil Code.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

The 2020 PI Specification provides that explicit consent is required for the use of personal information for a new purpose or that goes beyond the original agreed purpose.

Law stated date

Correct on

Give the date on which the information above is accurate.

21 June 2021