《中华人民共和国个人信息保护法》对人力资源管理的挑战

As the very first comprehensive and specialized legislation regarding personal information protection in China, the PRC Personal Information Protection Law (“PIPL”) was promulgated on 20 August 2021 and has become effective on 1 November 2021. For the overall brief of the PIPL, please refer to the CMS newsletter: PRC Promulgated Personal Information Protection Law.

Compared with the PRC Cyber Security Law and the PRC Civil Code which also provide legislation on personal information protection, the new PIPL refines the rules on processing of personal information and cross-border provision of personal information, rights of individuals in processing activities and obligations of personal information processors, etc., and provides more details. The new law imposes considerable challenges on companies in processing personal information in their daily operation. Below we discuss about the challenges to HR management when processing employees’ personal information:

1. The employer must notify the employees of processing the employees’ personal information and obtain their consents.

Under the new PIPL, as a basic principle, Notification + Consent is the basic requirement on the employer to process the employee’s personal information. I.e. when the employer collects, keeps, uses, processes, or transmit the employee’s personal information, the employer must notify the employee about the name and contact information of the processor, processing purpose and method, types of personal information involved and retention period as well as the ways and procedures of exercising legal rights in the processing of personal information, and the employer must obtain the consent of the employee.

In particular, if the employer processes the following specific personal information of an employee or processes the employee’s personal information in the following ways, the employer must fulfill the following specific statutory requirements:

(1) Processing the employee’s sensitive personal information

Under the new law, the personal information which, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric identification, religious belief, specific identity, medical and health information, financial accounts, personal whereabouts, etc. as well as any personal information of a minor under the age of 14 are defined as sensitive personal information.

The sensitive personal information of employees shall be processed by the employer in accordance with the following rules:

• Sensitive personal information can only be processed for specific purposes, with sufficient necessity and under strict protection.
• In addition to general information on the processing of personal information, the employee shall also be notified about the necessity of processing the sensitive personal information and impacts on personal interests.
• The employer must obtain specific consent from the employee.

(2) Providing the employee’s personal information to a third party

If the employer provides the employee’s personal information to a third party, the employer must notify the employee about the name of the information recipient and contact information, purpose and method of processing information, and types of information involved, and the employer must obtain specific consent from the employee. 

(3) Disclosing the employee’s personal information to the public

If the employer discloses the employee’s personal information to the public, it must obtain specific consent from the employee.

(4) Collecting personal image or personal identification information with image capturing or personal identification equipment installed in a public place for purposes other than maintaining public security

If the employer installs any image capturing or personal identification equipment in a public place, it shall comply with relevant regulations of the State, and indicate the equipment with a prominent sign. Except for the purpose of maintaining public security, the employer shall not process any personal image or personal identification information of an employee without specific consent of the employee.

2. Consent of employee can be exempted, if the employee’s personal information is necessary to be processed for HR management purposes.

According to the new law, as an exception, the employer is not obliged to obtain the consent of the employee on processing the employee’s personal information if such information is necessary for conclusion or performance of employment contract or for carrying out HR management according to its employment policies or collective contracts which have been established or concluded according to law.

Based on the above, the employer may, without obtaining the consent of the employee, process the employee’s personal information for the purpose of conclusion and performance of employment contract, such as the name, gender, ID number, residence address, email address, education and career background of the employee, etc. Further, for the purpose of HR management, the employer may establish its own employment rules and regulations by following up statutory procedures or conclude collective contracts with the employees covering the processing of specific personal information of employees. In such case the consent of the employee on processing such personal information is not necessary.

In addition to the above, the employer also does not need to obtain the consent of the employee on processing the personal information in the following circumstances:

(1) Where it is necessary for performing a statutory responsibility or statutory obligation;

(2) Where it is necessary for responding to a public health emergency, or for protecting the life, health or property safety of the employee in the case of an emergency;

(3) Where the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions or any other activity for public interest purposes;

(4) Where the personal information, which has already been disclosed by the employee or otherwise legally disclosed, is processed within a reasonable scope and in accordance with the law; or

(5) Any other circumstance as provided by law or administrative regulations.

However, even if the consent of the employee is not required, notification to the employee about processing such personal information shall still be made. Further, in processing the personal information, the employer should comply with the basic principles such as the following:

(1) The personal information shall be processed in accordance with the principles of lawfulness, legitimacy, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive.

(2) Processing of personal information shall be for a specified and reasonable purpose and be conducted for a purpose directly relevant to the purpose of processing and in a way that has the least impact on personal rights and interests. Collection of personal information shall be limited to the minimum scope necessary for achieving the purpose of processing and shall not be excessive.

(3) Personal information shall be processed in accordance with the principles of openness and transparency, with the rules of processing of personal information disclosed, and the purpose, method and scope of processing expressly stated.

3. For cross-border provision of personal information, the employer must not only fulfill statutory requirements, but also notify the employees and obtain their specific consents.

According to the new law, if the employer wants to provide the employee’s personal information abroad, it shall first fulfill the statutory requirements such as accepting security assessment as organized by the national cyberspace authority, getting personal information protection certification as issued by a qualified professional institution, or signing standard contract with overseas recipient as formulated by the national cyberspace authority, etc.

In addition, the employer must notify the employee of the name and contact information of the overseas recipient, processing purpose and method, type of personal information involved as well as the way and procedure for the employee to exercise their legal rights against the overseas recipient, and the employer must obtain specific consent from the employee.

4. The employer must comply with the statutory requirements on retention and deletion of the employee’s personal information.

According to the new law, the retention period of the personal information shall be the minimum period for realizing the purpose of processing such personal information. The employer shall proactively delete the employee’s personal information where the purpose is realized or is impossible to be realized, or the personal information is no longer necessary for the processing purpose, or the employee withdraws his/her consent if such consent is necessary for personal information processing. If the employer fails to do so, the employee is entitled to request the employer to delete the personal information. However, if the retention period provided by statutory law has not expired or it is technically difficult to delete the personal information, the employer can keep such personal information for storage and take necessary measures for security protection, but shall cease processing the personal information.

5. Improper processing of employees’ personal information may cause legal liabilities to the employer.

According to the new law, if the employer fails to process the personal information according to law, it may be ordered to make rectification or be subject to warning, or the illegal income, if any, may be confiscated. Failure of making rectification may lead to penalties on the employer and its staff directly in charge or responsible. If the employer causes any damages to the employee in processing the personal information, the employer shall be liable for such damages except if the employer proves that it does not have faults or gross negligence.   

Actions to be taken

The PIPL is of huge influence on HR management. A company, in addition to taking general measures on properly processing the personal information according to the laws and regulations, such as setting up an internal management system and operating procedures, managing personal information based on classification, taking appropriate technical security measures such as encryption and de-identification, etc., for processing of the employee’s personal information for HR management purpose, may wish to specifically take the following actions:

(1) To sort out the employees’ personal information which is currently processed by the company and to evaluate whether it is necessary to process such personal information for the purpose of HR management;

(2) To do an internal audit to check whether the processing of each personal information necessary for HR management in all related processes of HR management comply with the requirements of the PIPL;

(3) To update the employment rules and regulations or sign collective contracts with the employees to ensure that the personal information of employees necessary for HR management have been covered by the company’s policies or collective contracts, or to obtain the consent of the employees necessary for the processing of relevant personal information; and

(4) To update the rules on HR management procedures in the processing of employees’ personal information according to the PIPL and ensure the implementation of such procedures in daily work.