(Adopted at the 30th meeting of the Standing Committee of the Thirteenth National People’s Congress on August 20, 2021)
Source: National People’s Congress Website Browse Font Size: Large, Medium, and Small
Table of contents
Chapter 1 General Provisions
Chapter II Personal Information Processing Rules
Section 1 General Provisions
Section 2 Processing Rules for Sensitive Personal Information
Section 3 Special Provisions on the Handling of Personal Information by State Organs
Chapter 3 Rules for Cross-Border Provision of Personal Information
Chapter 4 Rights of Individuals in Personal Information Processing Activities
Chapter 5 Obligations of Personal Information Processors
Chapter VI Departments Fulfilling Personal Information Protection Responsibilities
Chapter VII Legal Responsibilities
Chapter VIII Supplementary Provisions
Chapter 1 General Provisions
Article 1 In order to protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information, this Law is enacted in accordance with the Constitution.
Article 2 The personal information of natural persons is protected by law, and no organization or individual may infringe upon the personal information rights of natural persons.
Article 3 This Law shall apply to the activities of processing personal information of natural persons within the territory of the People’s Republic of China.
This law is also applicable to the activities of processing personal information of natural persons within the territory of the People’s Republic of China outside the territory of the People’s Republic of China, under any of the following circumstances:
(1) For the purpose of providing products or services to domestic natural persons;
(2) Analyzing and evaluating the behavior of domestic natural persons;
(3) Other circumstances stipulated by laws and administrative regulations.
Article 4 Personal information refers to various information related to identified or identifiable natural persons recorded electronically or in other ways, excluding anonymized information.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
Article 5 Handling of personal information shall follow the principles of legality, justification, necessity, and good faith, and shall not handle personal information by misleading, fraudulent, or coercive methods.
Article 6 The processing of personal information shall have a clear and reasonable purpose, and shall be directly related to the purpose of processing, and shall be carried out in a manner that has the least impact on the rights and interests of individuals.
The collection of personal information shall be limited to the minimum scope for achieving the purpose of processing, and excessive collection of personal information shall not be allowed.
Article 7 The handling of personal information shall follow the principles of openness and transparency, disclose the rules for handling personal information, and expressly state the purpose, method and scope of processing.
Article 8: When handling personal information, the quality of personal information shall be guaranteed to avoid adverse effects on personal rights and interests caused by inaccurate and incomplete personal information.
Article 9 Personal information processors shall be responsible for their personal information processing activities and take necessary measures to ensure the security of the personal information they process.
Article 10: Any organization or individual shall not illegally collect, use, process, or transmit personal information of others, shall not illegally buy, sell, provide, or disclose personal information of others; shall not engage in personal information processing activities that endanger national security or public interest.
Article 11: The state establishes and improves the personal information protection system, prevents and punishes acts that infringe on the rights and interests of personal information, strengthens publicity and education on personal information protection, and promotes the formation of a good environment for the government, enterprises, relevant social organizations, and the public to jointly participate in the protection of personal information.
Article 12: The state actively participates in the formulation of international rules for personal information protection, promotes international exchanges and cooperation in personal information protection, and promotes mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Chapter II Personal Information Processing Rules
Section 1 General Provisions
Article 13 Personal information processors may only process personal information if one of the following circumstances is met:
(1) obtain the consent of the individual;
(2) It is necessary for the conclusion and performance of a contract with an individual as one of the parties, or it is necessary for the implementation of human resource management in accordance with the labor rules and regulations formulated according to law and the collective contract signed according to law;
(3) Necessary for the performance of statutory duties or obligations;
(4) It is necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in emergency situations;
(5) Conduct news reporting, public opinion supervision and other acts for the public interest, and process personal information within a reasonable range;
(6) Process personal information that is disclosed by individuals or has been legally disclosed in accordance with the provisions of this law within a reasonable scope;
(7) Other circumstances stipulated by laws and administrative regulations.
In accordance with other relevant provisions of this law, the processing of personal information shall obtain the individual’s consent, but in the circumstances specified in items 2 to 7 of the preceding paragraph, the individual’s consent is not required.
Article 14 Where the processing of personal information is based on the consent of the individual, the consent shall be made voluntarily and explicitly by the individual on the premise of being fully informed. Where laws and administrative regulations stipulate that individual consent or written consent shall be obtained for the processing of personal information, such provisions shall prevail.
If the purpose of processing personal information, the method of processing, and the type of personal information to be processed change, the individual’s consent should be obtained again.
Article 15 Where personal information is processed based on the individual’s consent, the individual has the right to withdraw his or her consent. Personal information processors should provide a convenient way to withdraw consent.
The individual’s withdrawal of consent does not affect the effectiveness of the personal information processing activities based on the individual’s consent before the withdrawal.
Article 16 Personal information processors shall not refuse to provide products or services on the grounds that individuals do not agree to process their personal information or withdraw their consent; except where the processing of personal information is necessary for the provision of products or services.
Article 17 Before processing personal information, personal information processors shall truthfully, accurately and completely inform individuals of the following matters in a conspicuous manner and in clear and understandable language:
(1) The name or name and contact information of the personal information processor;
(2) The purpose and method of processing personal information, the types of personal information processed, and the retention period;
(3) Ways and procedures for individuals to exercise their rights under this Law;
(4) Other matters that should be notified as stipulated by laws and administrative regulations.
If the items specified in the preceding paragraph are changed, the individual shall be notified of the changed part.
Where personal information processors notify the matters specified in the first paragraph by formulating personal information processing rules, the processing rules shall be made public and easy to consult and save.
Article 18: Where personal information processors process personal information, and there are circumstances in which laws and administrative regulations stipulate that it should be kept confidential or that notification is not required, they may not notify the individual of the matters specified in paragraph 1 of the preceding article.
If in an emergency it is impossible to notify the individual in a timely manner to protect the life, health and property safety of a natural person, the personal information processor shall notify the individual in a timely manner after the emergency is resolved.
Article 19 Unless otherwise provided by laws and administrative regulations, the storage period of personal information shall be the shortest time necessary to achieve the purpose of processing.
Article 20: Where two or more personal information processors jointly decide on the purpose and method of processing personal information, they shall agree on their respective rights and obligations. However, this agreement does not affect the individual’s request to any one of the personal information processors to exercise the rights stipulated in this law.
Where personal information processors jointly process personal information and infringe on the rights and interests of personal information and cause damage, they shall bear joint and several liabilities in accordance with the law.
Article 21 Where a personal information processor entrusts the processing of personal information, it shall agree with the entrustee on the purpose, time limit, processing method, type of personal information, protection measures, and the rights and obligations of both parties, etc. Personal information processing activities are supervised.
The trustee shall process personal information in accordance with the agreement, and shall not process personal information beyond the agreed processing purpose and processing method; if the entrustment contract is not effective, invalid, revoked or terminated, the trustee shall return the personal information to the personal information processor or delete it , must not be retained.
Without the consent of the personal information processor, the trustee shall not entrust others to process personal information.
Article 22: Where personal information processors need to transfer personal information due to mergers, divisions, dissolutions, bankruptcy declarations, and other reasons, they shall inform individuals of the receiver’s name or name and contact information. The receiving party shall continue to perform the obligations of the personal information processor. If the receiving party changes the original processing purpose and processing method, it shall obtain the individual’s consent again in accordance with the provisions of this Law.
Article 23 Where a personal information processor provides other personal information processors with the personal information it processes, it shall inform the individual of the recipient’s name or name, contact information, processing purpose, processing method, and type of personal information, and obtain individual consent. The receiving party shall process personal information within the scope of the above-mentioned processing purposes, processing methods, and types of personal information. If the receiving party changes the original processing purpose and processing method, it shall obtain the individual’s consent again in accordance with the provisions of this law.
Article 24: Personal information processors who use personal information for automated decision-making shall ensure the transparency of the decision-making and the fairness and justice of the results, and shall not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions.
Information push and commercial marketing to individuals through automated decision-making methods should also provide options that do not target their personal characteristics, or provide individuals with a convenient way to refuse.
To make decisions that have a significant impact on individual rights and interests through automated decision-making, individuals have the right to request an explanation from the personal information processor, and have the right to refuse the personal information processor to make a decision only through automated decision-making.
Article 25: Personal information processors must not disclose the personal information they process, unless they have obtained individual consent.
Article 26: The installation of image collection and personal identification equipment in public places shall be necessary to maintain public safety, comply with relevant national regulations, and set up prominent reminder signs. The collected personal images and identification information can only be used for the purpose of maintaining public safety, and shall not be used for other purposes; unless the individual consent is obtained.
Article 27: Personal information processors may, within a reasonable scope, process personal information that is disclosed by the individual or has been legally disclosed; unless the individual expressly refuses. Where personal information processors process disclosed personal information and have a significant impact on individual rights and interests, they shall obtain the individual’s consent in accordance with the provisions of this law.
Section 2 Processing Rules for Sensitive Personal Information
Article 28 Sensitive personal information refers to personal information that, once leaked or illegally used, may easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical care, financial accounts, Whereabouts and other information, as well as personal information of minors under the age of fourteen.
Personal information processors may process sensitive personal information only when there is a specific purpose and sufficient necessity, and strict protection measures are taken.
Article 29: Individual consent shall be obtained for handling sensitive personal information; where laws and administrative regulations stipulate that written consent shall be obtained for handling sensitive personal information, such provisions shall prevail.
Article 30 Where personal information processors process sensitive personal information, in addition to the matters specified in the first paragraph of Article 17 of this law, they shall also inform individuals of the necessity of processing sensitive personal information and the impact on the rights and interests of individuals; Except for those that may not be notified to individuals as stipulated by law.
Article 31: Where personal information processors process personal information of minors under the age of fourteen, they shall obtain the consent of the minor’s parents or other guardians.
Where personal information processors process personal information of minors under the age of 14, they shall formulate special rules for handling personal information.
Article 32: Where laws and administrative regulations require that relevant administrative licenses be obtained or other restrictions be imposed on the handling of sensitive personal information, those provisions shall prevail.
Section 3 Special Provisions on the Handling of Personal Information by State Organs
Article 33: This law shall apply to the activities of state organs handling personal information; where there are special provisions in this section, the provisions of this section shall apply.
Article 34: In order to perform statutory duties, state organs shall process personal information in accordance with the authority and procedures stipulated by laws and administrative regulations, and shall not exceed the scope and limits necessary to perform statutory duties.
Article 35: State organs handling personal information in order to perform statutory duties shall fulfill the duty of notification in accordance with the provisions of this Law; except in the circumstances specified in Article 18, Paragraph 1 of this Law, or where the notification will prevent state organs from performing their statutory duties.
Article 36: Personal information processed by state organs shall be stored within the territory of the People’s Republic of China; if it is really necessary to provide it overseas, a security assessment shall be conducted. The safety assessment may require support and assistance from relevant departments.
Article 37: Organizations authorized by laws and regulations with the function of managing public affairs to process personal information in order to perform their statutory duties shall be governed by the provisions of this law on the handling of personal information by state organs.
Chapter 3 Rules for Cross-Border Provision of Personal Information
Article 38: Where personal information processors really need to provide personal information outside the People’s Republic of China due to business needs, they shall meet one of the following conditions:
(1) Pass the security assessment organized by the national network information department in accordance with the provisions of Article 40 of this Law;
(2) According to the regulations of the national network information department, conduct personal information protection certification through professional institutions;
(3) Concluding a contract with an overseas recipient in accordance with the standard contract formulated by the national network information department, stipulating the rights and obligations of both parties;
(4) Other conditions stipulated by laws, administrative regulations, or the national network information department.
If the international treaties and agreements concluded or acceded to by the People’s Republic of China have provisions on the conditions for the provision of personal information outside the People’s Republic of China, such provisions may be followed.
Personal information processors shall take necessary measures to ensure that the activities of overseas recipients to process personal information meet the personal information protection standards stipulated in this Law.
Article 39 Where a personal information processor provides personal information outside the territory of the People’s Republic of China, it shall inform the individual of the overseas recipient’s name or name, contact information, processing purpose, processing method, type of personal information, and the personal information to the overseas recipient. Matters such as the manner and procedure for exercising the rights stipulated in this Act, and obtain the individual’s individual consent.
Article 40: Key information infrastructure operators and personal information processors who process personal information reaching the amount specified by the national network information department shall store personal information collected and generated within the territory of the People’s Republic of China within the territory. If it is really necessary to provide it overseas, it shall pass a security assessment organized by the national cyberspace administration; where laws, administrative regulations, and national cyberspace affairs regulations do not require a security assessment, the provisions shall follow.
Article 41: The competent authorities of the People’s Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People’s Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies to provide personal information stored within the territory. Without the approval of the competent authorities of the People’s Republic of China, personal information processors shall not provide foreign judicial or law enforcement agencies with personal information stored in the territory of the People’s Republic of China.
Article 42: Where overseas organizations and individuals engage in personal information processing activities that infringe on the rights and interests of citizens of the People’s Republic of China, or endanger the national security and public interests of the People’s Republic of China, the national network information department may list them as restricted or prohibited Provide a list of personal information, make an announcement, and take measures such as restricting or prohibiting the provision of personal information to them.
Article 43: Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People’s Republic of China in terms of personal information protection, the People’s Republic of China may take reciprocal measures against the country or region based on actual conditions.
Chapter 4 Rights of Individuals in Personal Information Processing Activities
Article 44: Individuals have the right to know and the right to make decisions about the handling of their personal information, and have the right to restrict or refuse other people’s handling of their personal information, unless otherwise stipulated by laws and administrative regulations.
Article 45: Individuals have the right to consult and copy their personal information from personal information processors; except for the circumstances specified in paragraph 1 of Article 18 and Article 35 of this law.
Where an individual requests to review or copy their personal information, the personal information processor shall provide it in a timely manner.
Where individuals request the transfer of personal information to their designated personal information processors, and the conditions specified by the national cyberspace administration are met, the personal information processors shall provide a means of transfer.
Article 46: Individuals who discover that their personal information is inaccurate or incomplete have the right to request corrections and supplements from personal information processors.
Where individuals request correction or supplementation of their personal information, personal information processors shall verify their personal information and make corrections and supplements in a timely manner.
Article 47: Under any of the following circumstances, the personal information processor shall voluntarily delete the personal information; if the personal information processor does not delete it, the individual has the right to request deletion:
(1) The purpose of processing has been achieved, cannot be achieved, or is no longer necessary to achieve the purpose of processing;
(2) The personal information processor stops providing products or services, or the storage period has expired;
(3) individual withdrawal of consent;
(4) Personal information processors process personal information in violation of laws, administrative regulations, or agreements;
(5) Other circumstances stipulated by laws and administrative regulations.
If the storage period stipulated by laws and administrative regulations has not expired, or if it is technically difficult to delete personal information, personal information processors should stop processing other than storage and take necessary security protection measures.
Article 48: Individuals have the right to request personal information processors to explain their personal information processing rules.
Article 49 Where a natural person dies, his close relatives may, for their own legitimate and legitimate interests, exercise the rights of consulting, copying, correcting, and deleting the relevant personal information of the deceased as stipulated in this chapter, unless otherwise arranged by the deceased.
Article 50: Personal information processors shall establish a convenient mechanism for accepting and processing applications for individuals to exercise their rights. Where an individual’s request to exercise a right is rejected, the reasons shall be explained.
If the personal information processor refuses the individual’s request to exercise the rights, the individual may bring a lawsuit to the people’s court according to law.
Chapter 5 Obligations of Personal Information Processors
Article 51 Personal information processors shall take the following measures to ensure that personal information processing activities comply with laws, administrative regulations, etc. Regulations, and to prevent unauthorized access and personal information disclosure, tampering, loss:
(1) Formulating internal management systems and operating procedures;
(2) Implement classified management of personal information;
(3) Adopt corresponding security technical measures such as encryption and de-identification;
(4) Reasonably determine the operational authority for personal information processing, and regularly conduct safety education and training for employees;
(5) Formulating and organizing the implementation of emergency plans for personal information security incidents;
(6) Other measures prescribed by laws and administrative regulations.
Article 52: Personal information processors whose personal information has reached the amount specified by the national cyberspace administration shall designate a person in charge of personal information protection to be responsible for supervising personal information processing activities and the protection measures adopted.
Personal information processors shall disclose the contact information of the person in charge of personal information protection, and submit the name and contact information of the person in charge of personal information protection to the department performing personal information protection duties.
Article 53: The processors of personal information outside the territory of the People’s Republic of China as specified in the second paragraph of Article 3 of this law shall establish special agencies or designate representatives within the territory of the People’s Republic of China to be responsible for handling matters related to the protection of personal information, and notify the relevant agencies The name or representative’s name, contact information, etc. shall be submitted to the department performing personal information protection duties.
Article 54: Personal information processors shall conduct compliance audits on a regular basis to comply with laws and administrative regulations in the processing of personal information.
Article 55: Under any of the following circumstances, personal information processors shall conduct an assessment of the impact of personal information protection in advance, and record the processing situation:
(1) Handling sensitive personal information;
(2) Using personal information for automated decision-making;
(3) entrusting the processing of personal information, providing personal information to other personal information processors, and disclosing personal information;
(4) Providing personal information overseas;
(5) Other personal information processing activities that have a significant impact on individual rights and interests.
Article 56: Personal information protection impact assessments shall include the following:
(1) Whether the purpose and method of processing personal information are legal, legitimate, and necessary;
(2) Impact on personal rights and security risks;
(3) Whether the protective measures taken are legal, effective and commensurate with the degree of risk.
Personal information protection impact assessment reports and processing records shall be kept for at least three years.
Article 57: Where personal information leakage, tampering, or loss occurs or may occur, personal information processors shall immediately take remedial measures and notify the departments and individuals performing personal information protection duties. The notification shall include the following items:
(1) The types, reasons and possible harm of personal information leakage, tampering, or loss that occurred or may occur;
(2) Remedial measures taken by personal information processors and harm mitigation measures that individuals can take;
(3) Contact information of the personal information processor.
If the measures taken by the personal information processor can effectively avoid the harm caused by information leakage, tampering, or loss, the personal information processor may not notify the individual; if the department performing personal information protection duties believes that harm may be caused, it has the right to require the personal information processor to notify the individual .
Article 58: Personal information processors that provide important Internet platform services, have a large number of users, and have complex types of business, shall perform the following obligations:
(1) Establish and improve the personal information protection compliance system in accordance with national regulations, and establish an independent organization mainly composed of external members to supervise the protection of personal information;
(2) Follow the principles of openness, fairness, and impartiality, formulate platform rules, and clarify the norms for processing personal information and the obligation to protect personal information of product or service providers on the platform;
(3) Stop providing services to product or service providers on the platform that seriously violate laws and administrative regulations in handling personal information;
(4) Regularly release social responsibility reports on personal information protection and accept social supervision.
Article 59: Trustees who accept entrustment to process personal information shall, in accordance with the provisions of this law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information they process, and assist personal information processors in performing the tasks stipulated in this law. obligation.
Chapter VI Departments Fulfilling Personal Information Protection Responsibilities
Article 60: The national cyberspace administration is responsible for overall planning and coordination of personal information protection work and related supervision and management work. The relevant departments of the State Council are responsible for the protection, supervision and management of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The personal information protection, supervision and management responsibilities of the relevant departments of the local people’s government at or above the county level shall be determined in accordance with the relevant state regulations.
The departments specified in the preceding two paragraphs are collectively referred to as the departments performing personal information protection duties.
Article 61: Departments performing personal information protection duties are to perform the following personal information protection duties:
(1) Carry out publicity and education on personal information protection, guide and supervise personal information processors to carry out personal information protection work;
(2) Accept and handle complaints and reports related to personal information protection;
(3) Organizing the evaluation of the protection of personal information such as applications, and announcing the results of the evaluation;
(4) Investigate and deal with illegal personal information processing activities;
(5) Other duties stipulated by laws and administrative regulations.
Article 62: The national network information department coordinates and coordinates relevant departments to promote the following personal information protection work in accordance with this law:
(1) Formulate specific rules and standards for personal information protection;
(2) Formulate special personal information protection rules and standards for small personal information processors, processing sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;
(3) Support research, development, promotion and application of safe and convenient electronic identity authentication technologies, and promote the construction of public services for network identity authentication;
(4) Promote the construction of a socialized service system for personal information protection, and support relevant institutions in carrying out personal information protection assessment and certification services;
(5) Improve the personal information protection complaint and reporting mechanism.
Article 63: Departments performing personal information protection duties may take the following measures to perform personal information protection duties:
(1) Inquiring about the relevant parties and investigating the situation related to personal information processing activities;
(2) Consult and copy the parties’ contracts, records, account books and other relevant materials related to personal information processing activities;
(3) Conducting on-site inspections to investigate suspected illegal personal information processing activities;
(4) Check equipment and items related to personal information processing activities; for equipment and items that have been proved to be used in illegal personal information processing activities, report in writing to the main person in charge of the department and obtain approval, and may seal up or seize them.
Departments performing personal information protection duties shall perform their duties in accordance with the law, and the parties shall assist and cooperate with them, and shall not refuse or obstruct them.
Article 64: If the department performing personal information protection duties discovers that there are relatively large risks in personal information processing activities or personal information security incidents occur during the performance of its duties, it may follow the prescribed authority and procedures to legally represent the personal information processor. Interview with the person or the main person in charge, or require the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities. Personal information processors should take measures as required to make rectifications and eliminate hidden dangers.
Departments performing personal information protection duties shall, in the course of performing their duties, discover that illegal handling of personal information is suspected of committing a crime, and shall promptly transfer it to the public security organ for handling in accordance with the law.
Article 65: Any organization or individual has the right to complain and report to the department performing personal information protection duties regarding illegal personal information processing activities. Departments that receive complaints and reports shall deal with them in a timely manner according to law, and inform the complainants and whistleblowers of the results.
Departments performing personal information protection duties shall publish the contact information for receiving complaints and reports.
Chapter VII Legal Responsibilities
Article 66: Where personal information is processed in violation of the provisions of this Law, or where the personal information protection obligations stipulated in this Law have not been fulfilled, the departments performing personal information protection duties shall order corrections, give warnings, confiscate illegal gains, and punish violations. The application of personal information shall be ordered to suspend or terminate the provision of services; if corrections are refused, a fine of less than one million yuan shall be imposed; the directly responsible supervisor and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan.
Where there is an illegal act specified in the preceding paragraph, and the circumstances are serious, the departments above the provincial level performing personal information protection duties shall order corrections, confiscate illegal gains, and impose a fine of less than 50 million yuan or less than 5% of the previous year’s turnover, And may order to suspend relevant business or suspend business for rectification, notify the relevant competent department to revoke relevant business permit or revoke business license; impose a fine of not less than 100,000 yuan but not more than one million yuan on the directly responsible person in charge and other directly responsible personnel, and may decide to prohibit He serves as a director, supervisor, senior manager and person in charge of personal information protection of the relevant company within a certain period of time.
Article 67: Where there are violations of the provisions of this law, record them in the credit file in accordance with the provisions of relevant laws and administrative regulations, and make them public.
Article 68: Where state organs fail to perform their personal information protection obligations under this Law, their superior organs or departments performing personal information protection duties shall order corrections; the directly responsible managers and other directly responsible personnel shall be punished according to law.
Where staff members of departments performing personal information protection duties neglect their duties, abuse their powers, engage in favoritism, and engage in malpractice for personal gain, if they do not constitute a crime, they shall be punished according to law.
Article 69: Where the processing of personal information infringes on the rights and interests of personal information and causes damage, and the processor of personal information cannot prove that he is not at fault, he shall bear tort liability such as compensation for damages.
The liability for damages stipulated in the preceding paragraph is determined according to the losses suffered by the individual or the benefits obtained by the personal information processor; if it is difficult to determine the losses suffered by the individual and the benefits obtained by the processor of personal information, the amount of compensation shall be determined according to the actual situation.
Article 70: Where personal information processors process personal information in violation of the provisions of this law and infringe upon the rights and interests of numerous individuals, the people’s procuratorate, consumer organizations specified by law, and organizations determined by the national cyberspace administration may file lawsuits in people’s courts in accordance with the law.
Article 71 Anyone who violates the provisions of this law and constitutes a violation of public security management shall be given public security management penalties according to law; if a crime is constituted, criminal responsibility shall be investigated according to law.
Chapter VIII Supplementary Provisions
Article 72: This Law does not apply to natural persons handling personal information for personal or family affairs.
Where laws have provisions on the handling of personal information in statistics and archives management activities organized and implemented by people’s governments at all levels and their relevant departments, those provisions shall apply.
Article 73 The meanings of the following terms used in this law:
(1) Personal information processors refer to organizations and individuals that independently determine the purpose and method of processing in personal information processing activities.
(2) Automated decision-making refers to activities that automatically analyze and evaluate an individual’s behavior habits, hobbies, or economic, health, and credit status through computer programs, and make decisions.
(3) De-identification refers to the process in which personal information is processed so that a specific natural person cannot be identified without additional information.
(4) Anonymization refers to the process in which personal information cannot identify a specific natural person after processing and cannot be recovered.
Article 74 This Law shall come into force on November 1, 2021.
