Article-by-article interpretation of the "Personal Information Protection Act" (Personal Information Processing Rules·General Provisions)

Chapter 2 Personal Information Processing Rules

Section 1 General Provisions

Article 13 Personal information processors may process personal information only if one of the following circumstances is met:

(1) Obtain the consent of the individual;

(2) Necessary for the conclusion and performance of a contract to which the individual is a party, or necessary for the implementation of human resources management in accordance with labor regulations formulated in accordance with the law and collective contracts signed in accordance with the law;

(3) Necessary to perform legal duties or legal obligations;

(4) Necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in emergency situations;

(5) Processing of personal information within a reasonable scope in order to conduct news reporting, public opinion supervision and other acts for the benefit of the public;

(6) Processing of personal information disclosed by individuals themselves or otherwise legally disclosed within a reasonable scope in accordance with the provisions of this Law;

(7) Other circumstances specified by laws and administrative regulations.

In accordance with other relevant provisions of this Law, individual consent must be obtained for processing personal information. However, individual consent is not required under the circumstances specified in items 2 to 7 of the preceding paragraph.

According to Article 5 of the "Personal Information Protection Law", "personal information should be processed in compliance with the principles of legality, legitimacy, necessity and good faith." So what is "legality and legitimacy"? This article addresses that question.

Obtaining individual consent is the rule that applies in most cases, where there is no special relationship and no special circumstances. For example, whatever information on our mobile phone a mobile APP wants to collect, it requires our consent. In addition to "obtaining personal consent", in some special relationships or specific scenarios, for the normal operation of society and taking into account people's usual behaviors and habits, personal information can be processed without individual consent. These situations are:

1. The need to enter into and perform a contract. When signing a contract, we need to clearly indicate who the parties are. In order to specify a party, some information about that party needs to be written down, such as ID card information. After the contract is signed, performing it requires that the parties know some information about each other, such as the name, phone number, email, address, etc. of the contact person. Without this personal information, the contract may not be performed.

2. In labor relations, due to legal provisions and the requirements for paying social security and provident funds, the employer often needs to know a lot of personal information about employees. This information is more extensive and more detailed than what is needed to sign and perform a contract. If employees refuse to provide personal information, the unit will be unable to perform its duties in accordance with the law and unable to manage effectively.

3. "Necessary to perform statutory duties or legal obligations" refers to the situation where the relevant state agencies, judicial agencies and public institutions need to obtain personal information in order to perform their duties and obligations, because the law clearly stipulates those duties and obligations. For example, the household registration department of the public security organ needs to collect and organize citizens' household registration information.

4. It is necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in emergencies. This situation is particularly obvious during the epidemic. Legally, people's right to life and health is a higher-level right. In order to protect people's rights to life and health, personal consent is not required when processing personal information. However, there is also a question of degree: "It should be limited to the minimum scope to achieve the purpose of processing, and personal information must not be excessively collected", and the collected personal information must not be abused, illegally transferred, or traded.

5. The use of personal information in news reports generally falls within the scope of fair use. Article 999 of the previous Civil Code also stipulates: When carrying out news reporting, public opinion supervision and other activities for the benefit of the public, the name, title, portrait, personal information, etc. of civil subjects may be reasonably used; anyone who unreasonably infringes upon the personality rights of a civil subject shall bear civil liability in accordance with the law.

6. In the Civil Code, personal information protection and privacy protection are stipulated together, because the disclosure of personal information may violate the individual's privacy rights. However, there is no privacy issue for personal information disclosed by oneself or in accordance with the law, and it can be used as long as it does not infringe on other legitimate rights and interests.

Among them, personal information that has been legally disclosed is often disclosed due to legal requirements and has other social values. For example, industrial and commercial registration information, judgments, information on persons subject to execution and information on high consumption restrictions, etc. Some APPs collect already disclosed personal or corporate information and further classify it to create new value for this information. Finally, a safety clause is stipulated to leave room for adapting to social and legal developments and changes, namely "other situations stipulated in laws and administrative regulations."

Article 14 Where personal information is processed based on individual consent, such consent shall be made voluntarily and clearly by the individual with full knowledge. If laws and administrative regulations stipulate that the processing of personal information requires individual consent or written consent, such provisions shall prevail.

If the purpose of processing personal information, the method of processing, and the types of personal information processed change, the individual's consent must be obtained again.

Article 15: Where personal information is processed based on individual consent, the individual has the right to withdraw his or her consent. Personal information processors should provide convenient ways to withdraw consent.

An individual's withdrawal of consent will not affect the effectiveness of personal information processing activities that have been carried out based on the individual's consent before the withdrawal.

Article 16 Personal information processors shall not refuse to provide products or services on the grounds that individuals do not agree to the processing of their personal information or withdraw their consent, unless the processing of personal information is necessary to provide products or services.

Articles 14 to 16 provide more specific provisions on "individual consent". What is "personal consent"? It seems to be a simple question, but in practice there are many problems. For example, does ticking an electronic agreement or one of the various forms of "notification" on a web page or APP count as "personal consent"? Many websites and APPs have done this for a long time. However, how many people have seriously read the electronic agreement or notice? Recipients of services or products click "Agree" because they cannot use the products or services without clicking Agree. The electronic agreement or notice is getting longer and longer, but no one reads it. In this case, it seems that the individual agrees to the processing of personal information, but this consent is "pseudo-consent", a false consent. In addition, if you "agree" by mistake or regret your "agree", can you withdraw it? In the past, the products or services we used rarely had a function that allowed us to withdraw our consent. Consent that cannot be withdrawn is actually false "consent".

Article 14 mainly stipulates that the prerequisite for consent is "full knowledge". China's Consumer Rights Protection Law stipulates that consumers have the right to know. There is no real "consent" without "full knowledge". Regarding how to notify, Article 17 below has clear provisions.

Article 15 mainly stipulates that individuals have the right to withdraw their consent and requires that "personal information processors should provide convenient ways to withdraw consent." At present, many products or services do not comply with the provisions of this article. After the "Personal Information Law" takes effect, if the products or services provided handle personal information, their functions need to be improved and a method of "withdrawing consent" needs to be added.

Article 16 mainly stipulates whether those who do not agree to the processing of their personal information or withdraw their consent can continue to use products or services. As mentioned before, the reason why consumers agree to the processing of their personal information is that if they do not agree, they cannot use the products or services and have no choice. The "traditional" approach actually violates the consumer's (or user's) right of choice. According to this provision, if a product or service involving the processing of personal information refuses to provide the product or service on the grounds that the individual does not consent to the processing of his or her personal information or withdraws consent, the reasons need to be explained, that is, it needs to be stated that the specific consent is necessary to provide the product or service. If it is not necessary, the refusal violates the law. According to this provision, some products or services on the market need to be modified. In the user consent section, it is necessary to distinguish which items are necessary to provide the products or services and which are not. Where an item is not necessary, users should be given the choice. Regarding what kind of information is necessary, application services can refer to the "Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications".

Article 17 Before processing personal information, personal information processors shall truly, accurately and completely inform individuals of the following matters in a conspicuous manner and in clear and understandable language:

(1) The name (of the organization or individual) and contact information of the personal information processor;

(2) The purpose and method of processing personal information, the type of personal information processed, and the retention period;

(3) The methods and procedures for individuals to exercise their rights stipulated in this law;

(4) Other matters that should be notified according to laws and administrative regulations.

If any of the matters specified in the preceding paragraph are changed, the individual shall be informed of the changes.

If the personal information processor notifies the matters specified in paragraph 1 by formulating personal information processing rules, the processing rules should be made public and easy to review and save.

Article 18 If a personal information processor handles personal information and there are circumstances in which laws or administrative regulations require confidentiality or do not require notification, the personal information processor may not inform individuals of the matters specified in paragraph 1 of the preceding article.

If it is impossible to notify the individual in a timely manner in order to protect the life, health and property safety of natural persons in an emergency, the personal information processor shall notify the individual in a timely manner after the emergency situation is eliminated.

According to Article 14, "Where personal information is processed based on individual consent, such consent shall be made voluntarily and clearly by the individual with full knowledge." This places an obligation on personal information processors to inform before processing personal information. The level of notification should reach the point where the individual is "fully informed".

Article 17 sets out matters that need to be communicated to individuals. Among these matters, the name and contact information are a general notification. The purpose and method of processing personal information may become a key consideration for some companies, and may also be matters that are prone to change. Many companies have the idea of processing personal information to the maximum extent, but clear processing purposes and processing methods are now required, which will undoubtedly limit the scope of personal information processing in the future. In addition, the development of business models and the development of enterprises and technologies will produce new purposes and methods of processing personal information. When there are changes to matters that have been notified, individuals need to be notified of the changes again. At the same time, under the provisions of Article 14, the individual's consent is required again. This puts forward new requirements for some product or service providers.

Article 18 stipulates exceptions for notification to individuals. There are two main exceptions: 1. Laws and administrative regulations (excluding departmental regulations, local regulations and other legal documents) provide that the matter should be kept confidential or does not need to be notified; 2. In emergencies, if it is impossible to notify in time for the sake of higher legal values (life, health, property safety), notification can be made after the emergency is eliminated. In this case, it is not a failure to inform, but the obligation to inform can be suspended.

Article 19 Unless otherwise provided by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the purpose of processing.

This article is about the retention period of personal information. Regarding this issue, the "Personal Information Protection Law" does not make unified provisions, but stipulates a rule for determining the time, that is: the minimum time necessary to achieve the purpose of processing. In a legal dispute, this rule actually imposes a burden of proof on the information processor: to explain or prove why certain information needs to be kept for one month or two months, and what the necessity is. If the information processor cannot explain or prove the "minimum necessary time", it should bear the corresponding legal responsibility.

Article 20 If two or more personal information processors jointly decide on the purpose and method of processing personal information, they shall agree on their respective rights and obligations. However, this agreement does not affect an individual's right to request any of the personal information processors to exercise their rights under this law.

If personal information processors jointly process personal information and infringe upon personal information rights and interests and cause damage, they shall bear joint and several liability in accordance with the law.

There are many cases where two or more personal information processors handle personal information at the same time. Some are two or more operators operating the same product or service, some are one or more operators operating on a platform provided by another operator, and some are two or more operators reaching an agreement to process personal information together. No matter what the situation, if they jointly decide the purpose and method of processing personal information, they should agree on their respective rights and obligations in accordance with the provisions of this article.

If the parties infringe personal rights by processing personal information, it is an infringement by the parties and they should bear joint and several liability.

Article 21 If a personal information processor entrusts the processing of personal information, it shall agree with the trustee on the purpose, period, processing methods, types of personal information, protective measures, and the rights and obligations of both parties, etc., and supervise the trustee’s personal information processing activities.

The trustee shall process personal information in accordance with the agreement and shall not process personal information beyond the agreed processing purposes and processing methods; if the entrustment contract is not effective, invalid, revoked or terminated, the trustee shall return the personal information to the personal information processor or delete it, and shall not retain it.

The trustee shall not entrust others to process personal information without the consent of the personal information processor.

This article stipulates the obligations of those entrusted with the processing of personal information. Compared with the obligations of the personal information processor, the obligations of the person entrusted with the processing of personal information are much smaller: 1. Requirements regarding the content of the contract, that is, the purpose, period, processing method, type of personal information, protective measures, and both parties' agreement on the rights and obligations of the entrusted processing, etc.; 2. Accept supervision of its personal information processing activities; 3. Process personal information in accordance with the agreement; 4. If the contract is invalid or terminated, the personal information will be returned or deleted; 5. No subcontracting is allowed.

Because the obligations of persons entrusted to process information are much smaller than those of personal information processors, some companies may define themselves as persons entrusted to process information to avoid legal obligations. At this time, we need to determine whether the company is a personal information processor or a person entrusted to process information based on the actual situation. If a company has dual identities as both a processor of personal information and a person who collects and processes personal information, it needs to specifically determine what legal obligations it assumes based on its specific business activities.

Article 22 If a personal information processor needs to transfer personal information due to merger, division, dissolution, declaration of bankruptcy, etc., it shall inform the individual of the name (of the organization or individual) and contact information of the recipient. The recipient shall continue to perform its obligations as a personal information processor. If the receiving party changes the original purpose or method of processing, it shall obtain the individual's consent again in accordance with the provisions of this Law.

This article sets out the rules on what to do if personal information processors need to transfer personal information due to mergers, divisions, dissolutions, declarations of bankruptcy, etc. It should be pointed out that personal information may not necessarily be transferred when personal information processors merge or separate. When disbanding or being declared bankrupt, personal information must be transferred.

Article 23 If a personal information processor provides personal information processed by it to other personal information processors, it shall inform the individual of the recipient’s name, contact information, purpose of processing, method of processing and categories of personal information and obtain the individual’s separate consent. The receiving party shall process personal information within the scope of the above-mentioned processing purposes, processing methods and types of personal information. If the receiving party changes the original processing purpose or processing method, it shall obtain the individual's consent again in accordance with the provisions of this law.

This article is the second provision under the law that requires individual consent. In practice, after collecting personal information, personal information processors often provide it to other personal information processors again, but basically without informing the individual or obtaining the individual's consent. At most, relevant provisions are reserved in the user agreement. After the implementation of the "Personal Information Protection Law", the cost of providing personal information to other personal information providers will increase. Individuals need to be notified of relevant information and their separate consent must be obtained. The practice of reserving relevant provisions will not meet the requirements of the law.

When understanding this article, it must be distinguished from Article 21. Article 21 talks about the scenario of entrusted processing of personal information. For example, after a personal information processor collects personal information, it hands it to its supplier and requires the supplier to perform certain analysis and processing according to its requirements. This article talks about handing over data to another personal information processor. For example, after collecting personal information, it is provided to another operator for the design and operation of its products or services.

Article 24 When personal information processors use personal information to make automated decisions, they should ensure the transparency of the decision-making and the fairness and impartiality of the results, and should not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions.

When pushing information and commercial marketing to individuals through automated decision-making, they should also provide options that are not targeted at their personal characteristics, or provide individuals with a convenient way to refuse.

When decisions that have a significant impact on personal rights and interests are made through automated decision-making, individuals have the right to request an explanation from the personal information processor and the right to refuse the personal information processor to make decisions solely through automated decision-making.

This article addresses the issues of "user portraits" and "big data killing familiarity" (using big data to charge regular customers more). For a period of time, many consumers have reported that they were just wondering whether to buy a certain product, and suddenly received a push for this product; some consumers also reported that they encountered big data killing familiarity: for the same product or service, the prices for regular customers and strangers are different, and even different types of mobile phones and different genders have different prices. Many people suspect that this is the operator using big data to exploit regular customers, taking advantage of the insensitivity of some regular customers to prices to gain unreasonable profits.

This article does not stipulate that "user profiling" cannot be carried out; it only requires that unreasonable differential treatment in transaction prices and other trading conditions shall not be implemented. In addition, proactively pushed information should provide options that are not targeted at personal characteristics and provide a convenient way to refuse. This gives the initiative to individuals. Individuals have the right to refuse the push of information based on personal characteristics and the right to refuse the push of information.

Article 25 Personal information processors shall not disclose the personal information they process, except with the individual's separate consent.

This is again a clause about an individual's "individual consent". It should be pointed out that "individual consent" must be made expressly, and it cannot be inferred that "individual consent" is implied by a series of consenting actions by an individual. The so-called "publicity" means that the information is not controlled within a certain range and can be obtained by unspecified people. If the collected personal information is used for analysis and to provide reference for decision-making, it is not disclosed and does not require separate consent from the individual. However, if the collected personal information is processed and displayed to unspecified persons, separate consent from the individual is required. In addition, the personal information here refers to the personal information processed based on the consent of the individual as stipulated in Article 13. Other information that is not processed based on obtaining the individual's consent does not need to obtain the individual's separate consent again when it is disclosed.

Article 26 The installation of image collection and personal identification equipment in public places shall be necessary to maintain public safety, comply with relevant national regulations, and set up prominent reminder signs. The collected personal images and identification information can only be used for the purpose of maintaining public security and may not be used for other purposes, except with the individual's separate consent.

This is the third legal provision requiring individual consent. According to this regulation, equipment that collects and identifies personal information can be installed in public places only to maintain public security. It cannot be installed at will unless it is necessary to maintain public safety. For example, the operator of a bookstore cannot install filming equipment to photograph the public area outside the store. Secondly, prominent reminder signs should be set up. Those who fail to set up conspicuous reminder signs have failed to fulfill their legal obligations. Thirdly, the personal information collected can only be used for the purpose of maintaining public security and cannot be used for other purposes. Finally, if it is used for other purposes, individual consent must be obtained. It should be noted that if the personal information collected in some public places involves a large number of people, it is very difficult to obtain the individual consent of each individual. For example, personal information collected at airports and train stations.

Article 27 Personal information processors may process within a reasonable scope personal information that an individual discloses on his own initiative or that has been legally disclosed by others, unless the individual explicitly refuses. If a personal information processor handles disclosed personal information and has a significant impact on individual rights and interests, it must obtain the individual's consent in accordance with the provisions of this law.

According to the provisions of Article 13, personal information processors may process personal information disclosed by individuals themselves or otherwise legally disclosed within a reasonable scope in accordance with the provisions of this Law. So, what is the "reasonable scope"? This article gives the following rules: 1. If an individual explicitly refuses the processing of personal information, the personal information processor cannot process it; 2. If the processing of personal information that has been disclosed has a significant impact on the individual's rights and interests, the individual's consent should be obtained.

In the case of a moral rights dispute between Suzhou Berta Data Technology Co., Ltd. and Yi Mou, Berta Company posted Yi Mou's judgment on its website, and Yi Mou sued the company to the court.

The court pointed out: Berta Company failed to delete relevant judgment documents and announcement documents in a timely manner after receiving Yi's request, which was contrary to Yi's intention to control the dissemination of disclosed information and violated the principles of legality, legitimacy and necessity; it should be considered that it has a significant impact on Yi's interests and infringes on his personal information rights. After Yi contacted Berta Company to request the deletion of the documents, Berta Company still refused to delete the documents involved on the grounds that the dispute documents had been published on the China Judgment Documents Network, which constituted illegal public use of Yi Mou's personal information.