CHINA Law and Practice Contributed by: Linda Liang, Piao Liu, Chutian Wang and Xiangbo Lv, King & Wood Mallesons
• Minimised collection: the collection of PI shall be limited to the minimum scope necessary for achieving the processing purpose, and shall not be excessive. • Limited retention period: the retention period of PI shall be the shortest time necessary for achieving the processing purpose, except as otherwise pro - vided by any law or administrative regulation. Legal Grounds for Processing Employees’ PI According to the PIPL, PI can only be processed based on statutory grounds, with the two grounds most related to the employment sphere being that: • the individual’s consent has been obtained; and • the processing is necessary for the conclusion or performance of a contract to which the individual is a contracting party, or for conducting human resource management under the employment rules and regulations legally established and collective contracts legally concluded. However, the PIPL does not stipulate specific stand - ards for determining what constitutes “necessary for conducting human resource management”, and thus it is suggested that the employers try to obtain consent from the employees for PI needed in the first place. Consent and Separate Consent As the key legal ground for processing PI, the PIPL sets out requirements on obtaining “consent”. The consent shall be voluntarily and explicitly given by the individual on a fully informed basis. The PI proces - sor shall truthfully, accurately and completely inform individuals of the following required matters (“Items to Inform”): • the name and contact information of the PI proces - sor; • the purposes and methods of processing the PI, the categories of PI to be processed, and the retention periods; • the methods and procedures for individuals to exercise the rights provided by the PIPL; and • other matters that should be notified as provided by laws and administrative regulations.
The PIPL also requires “separate consent” for certain circumstances (eg, sharing PI with third parties, pro - cessing sensitive PI, outbound transferring PI), which is a form of consent with higher requirements. The specific requirements and form of separate consent are not specified by the PIPL. Based on the current understanding and practice, to constitute a separate consent, the specific item involving PI processing should be listed as a separate item requesting the individual’s specific consent explicitly for this item, instead of being hidden in a package of items pend - ing the individual’s joint consent. Sharing Employees’ PI With Third Parties The most relevant employment-related scenarios include engaging third parties in background checks, recruitment, payroll services and labour dispatch, etc. When sharing employees’ PI with third-party proces - sors, apart from the Items to Inform, the employer shall also inform the employees of the recipient’s name and contact information, the purposes and methods of processing, and the categories of PI, and obtain the employee’s separate consent. Outbound Transfer of Employees’ PI and Standard Contract The outbound transfer of employees’ PI is not unu - sual, especially for multinational employers sharing employees’ PI within a global management system. Given the special nature of outbound transfer, the PIPL sets out detailed requirements in this regard. Apart from informing employees of the Items to Inform and additional items, and obtaining separate consent, the PI processor also needs to conduct a PI protec - tion impact assessment and adopt one of the three following legal mechanisms: • a security assessment organised by the National Cyberspace Department; • a certification by a specialised agency for protec - tion of personal information in accordance with the provisions of the National Cyberspace Department; or • a standard contract (SCC) formulated by the National Cyberspace Department with the over - seas recipient (the “SCC Approach”).
132 CHAMBERS.COM
Powered by FlippingBook