CHINA Law and Practice Contributed by: Yang Cheng, Songshan Liu, Yan Yu and Weina Wang, Lantai Law Firm
• strengthened reporting mechanisms. Although PRC law does not mandate such follow-up measures in every case, they are closely linked to the employer’s general duty of prudent management and risk prevention. Failure to adopt reasonable organisa - tional responses may weaken the employer’s position if similar issues recur. Accordingly, HR internal investigations rarely end with a purely binary outcome, but are commonly followed by proportionate organisational or cultural measures aimed at preventing recurrence and reinforcing gov - ernance.
Investigations must comply with basic safeguards, including lawful internal rules, data security and respect for employees’ data subject rights, and may not involve excessive monitoring or covert access. Unlawfully obtained data may be excluded in labour disputes. Where data is handled by external advis - ers or transferred overseas, entrusted processing and cross-border transfer rules apply. In short, personal data processing is permitted for HR investigations, but only within a narrow, tightly regu - lated and proportionate scope. 7.2 Specific Rules When collecting and processing personal data for HR internal investigations, employers must comply with the following: • Personal Information Protection Law; • Labor Contract Law; • Civil Code; and • Cybersecurity Law. An internal investigation does not create any com - pliance exemption. Data processing must be lawful, necessary and proportionate, and unlawful processing may lead to regulatory liability, evidentiary exclusion and invalidation of disciplinary action. Employers may process personal data where neces - sary for human resources management or performance of the employment contract, such as investigating attendance, misconduct, compliance with internal rules or workplace safety. Separate consent is not always required where processing is directly connect - ed to employment management and based on lawfully adopted and disclosed rules. This justification does not extend to exploratory or unrelated data collection. Sensitive personal information, including health data, biometric data or information relating to suspected criminal conduct, may be processed only where strictly necessary and, in principle, with separate and explicit consent. Access to data on personal devic - es, private accounts or unrelated communications is highly restricted and generally unlawful without volun - tary, informed consent.
7. Data Protection 7.1 Collecting Personal Data
Employers may collect and process personal data for HR internal investigations, but such processing is
strictly regulated under the following: • Personal Information Protection Law; • Labor Contract Law; and • Civil Code.
An internal investigation does not create any exemp - tion from data protection requirements. Processing must be lawful, necessary, purpose-limited and pro - portionate, and over-collection may lead to adminis - trative, civil or evidentiary consequences. Personal data may be processed where necessary for human resources management or performance of the employment contract, such as investigating attend - ance, misconduct, compliance with internal rules or workplace safety, and separate consent is not always required. This basis does not justify exploratory or unrelated data collection. Employers may generally review work-related data within company systems if relevant to the investiga - tion. By contrast, sensitive personal information, data on personal devices or private accounts, or informa - tion unrelated to employment performance may be processed only where strictly necessary and, in prin - ciple, with explicit consent.
116 CHAMBERS.COM
Powered by FlippingBook