The Personal Information Protection Law of the People’s Republic of China (“PIPL”) as promulgated contains new requirements for an enterprise’s processing the personal information of the employees in the course of employment, and enterprises will also be confronted with compliance risks associated with personal information protection. This article seeks to sort out the portions of laws and regulations related to the Labor Law and of the PIPL that pertain to the personal information of enterprise employees to remind the enterprise of its responsibility for protecting the personal information of its employees.
I. Legal basis for an enterprise’s processing of employee personal information
Article 13, Paragraph 1, Subparagraph (2) of the PIPL specifically provides that the processor of personal information may process personal information when necessary for the conclusion or performance of a contract to which the individual is a party or for the implementation of human resources management in accordance with lawfully formulated labor regulations and lawfully concluded collective contracts.
Under Article 8 of the Labor Contract Law of the People’s Republic of China (“Labor Contract Law”), “when an [employer] recruits a worker, it shall truthfully inform him of the job description… The [employer] has the right to acquire the basic information of the worker which is directly related to the labor contract, and the worker shall truthfully provide the same.” Under Article 8 of the Regulations on the Implementation of the Labor Contract Law of the People’s Republic of China, the employee roster stipulated in Article 7[2] of the Labor Contract Law shall include the name, gender, citizen identification number, permanent address and current address, contact information, form of employment, starting time of employment, term of the labor contract, etc., of the workers. Therefore, there is a clear legal basis for enterprises to collect personal information directly related to the employment contract, and employees may not refuse to provide such information without valid reasons. However, it should be noted that the scope of personal information to be provided by the employees is limited to the basic information directly related to the employment contract, usually name, gender, ID number, address, contact information, etc. It is relatively more difficult to process the rest of an employee’s personal information by relying on Article 13, Paragraph 1, Subparagraph (2) of the PIPL as the legal basis.
II. Circumstances where an enterprise is still required to obtain the individual consent of an individual employee
In addition to the information mentioned above, if an enterprise needs to process other information about an employee, it should, in principle, obtain the consent of the individual employee. In particular, the PIPL stipulates the following five circumstances in which the individual consent of the individuals (including the employees) is required.
Formal Legal Requirements | Legal Provisions |
Individual consent | Provision of personal information so processed to a third party (Article 23) |
Public disclosure of the personal information so processed (Article 25) | |
Personal images and identifying information to be captured or collected by image collecting and identifying equipment and used for purposes other than the maintenance of public safety (Article 26) | |
Processing of sensitive personal information (Article 29) | |
Provision of personal information to overseas parties[3] (Article 39) |
III. Rules that should be followed by an enterprise for processing the personal information of the employees
Article 3 of the PIPL provides that activities involving the processing of personal information of natural persons within the territories of the People’s Republic of China shall be governed by the PIPL. Therefore, when processing employees’ personal information, an enterprise shall also follow the relevant provisions of the PIPL. Articles 5 through 9 of the PIPL also contain specific provisions on the processing of personal information, and an enterprise should properly process employees’ personal information in compliance with the principles summarized below.
Article 5: Personal information shall be processed in compliance with the principles of legality, legitimacy, necessity, and good faith, and personal information shall not be processed by misleading, fraudulent, coercive, and other similar means. | Principle of good faith |
Article 6: The processing of personal information shall be conducted for a clear and reasonable purpose and shall be directly related to the purpose of processing with the least impact on the rights and interests of individuals. | Principle of clear, reasonable purposes and minimum necessity |
Article 7: Processing of personal information shall follow the principles of openness and transparency, make public the rules for the processing of personal information, and disclose the purposes, manners, and scope of processing. | Principle of openness and transparency |
Article 8: When personal information is processed, the quality of personal information shall be ensured to avoid adverse effect of inaccurate and incomplete personal information on the rights and interests of individuals. | Principle of information accuracy |
Article 9: A personal information processor shall be responsible for its personal information processing activities and take necessary measures to protect the security of the personal information so processed. | Principle of accountability for information processing |
IV. Coping approaches that should be adopted by enterprises
Since enterprises violating the relevant provisions of the PIPL will be subject to corresponding administrative, civil and criminal liability, it is recommended that enterprises control the processing of employee personal information in the following aspects.
1. Establish internal management systems and operating procedures. The Agreement on the Use of Employee Personal Information, the Employment Contract, the Employee Handbook, and other agreements related to personal information may be revised according to the actual situation.
2. Manage employee personal information by category, particularly with a focus on the processing of sensitive information.
3. Adopt corresponding security technologies and measures such as encryption and de-identification to enhance the security protection of employee personal information to the extent they are practicably operable.
4. Clarify the operating authority for processing personal information and held regular security education and training for practitioners.
5. Formulate and implement a contingency plan for personal information security incidents.
6. Pay attention to preserving evidence related to the obligation performed by an enterprise internally to protect employee personal information.[4]
For further information, please contact:
Joyce Wen, Lee Tsai & Partners
lawtec@leetsai.com
[1] The authors are lawyer and of-counsel at Shanghai Lee, Tsai & Partners. However, the contents of this article are personal opinions and do not represent the position of the law firm.
[2] Article 7 of the Labor Contract Law provides that an employer establishes an employment relationship with an employee from the date when the employer puts the employee to work. The employer shall prepare a roster of employees for inspection.
[3] For issues concerning cross-border distribution of information involved in an enterprise’s provision of personal information to overseas parties, please refer to the feature article of Shanghai Lee, Tsai & Partners on the special requirements for cross-border transmission of information under the Personal Information Protection Law.. https://www.leetsai.com/%e7%89%b9%e8%bc%af/feature-articles-on-chinas-personal-information-protection-law-3-special-regulations-and-requirements-on-cross-border-data-transmission-mainland-china?lang=zh-hant)
[4] Article 69 of the PIPL: If the processing of personal information infringes on the information rights and interests of individuals and causes damage and the processor of the personal information cannot prove that it is not at fault, it shall bear tort liability such as damages.