Compliance Guide on Personal Information Protection for SMEs

Written by James Gong, Legal Director, China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

The PRC Personal Information Protection Law (“PIPL”) came into effect on 1 November 2021. It is the first comprehensive, dedicated personal information protection law in China and represents a milestone in the development of China’s personal information protection regime. The law imposes high compliance requirements on processors of personal information in all aspects of their processing activities. It should be noted that the PIPL also sets heavy fines of up to RMB 50 million or 5% of the previous year's turnover for the illegal processing of personal information, which is the highest penalty so far. Small and medium enterprises (“SMEs”), when processing personal information of their employees, customers, suppliers, users and other individuals, should take PIPL compliance seriously. Therefore, we have prepared this Self-Checklist for Personal Information Protection Compliance (hereinafter referred to as the “Self-Checklist”), which is tailor-made for SMEs:

In the Self-Checklist, we use the two most common scenarios of personal information processing in the operation and management of SMEs, namely human resource management and interactions with customers or users, to demonstrate the various matters related to personal information processing. It may help SMEs to quickly understand and meet the compliance requirements of the PIPL in a cost-efficient way. We recommend the following steps for SMEs to follow in order to comply with personal information protection requirements.

Step 1: Fill in the Self-Checklist based on the actual practice of the company. Assess the company’s compliance status by completing the Self-Checklist and understand the basic compliance requirements of the PIPL.

Step 2: Carry out internal compliance review and revision of personal information protection related documents in accordance with the compliance requirements listed in the Self-Checklist. The relevant documents mainly include:

  • Rules and Policies: The company shall establish an internal management system for the protection of personal information, which may be established in addition to, or included as part of, the company’s existing internal management rules and policies (e.g. Employee Handbook). Such rules and policies shall include, at a minimum, rules and procedures for processing personal information, policies on personal information classification and management, rules regarding personal information processing authorisation and access control, and contingency plans for personal information security incidents. In addition, it is recommended that companies specify, as clearly as possible, in their rules and policies the circumstances in which personal information of employees shall be processed in daily operation (e.g. sick leave certificates to be collected for leave management, personal information to be collected for internal investigations on various matters, etc.), in order to ensure that companies have a solid basis supporting the processing of employees’ personal information on the ground of HR management necessity.
  • Employment contracts, privacy statements, notices on personal information processing, etc.: companies shall inform individuals truthfully and accurately, in a prominent manner and in clear and understandable language, in the text of employment contracts, privacy statements, notices on personal information processing, etc. of the purpose and method of processing personal information, the type of personal information to be processed, the retention period, the circumstances under which personal information may be shared with third parties, as well as the manner in which individuals may exercise their rights to be informed, to make decisions, to access, to copy, to correct inaccurate or supplement incomplete personal information, etc., as provided for by law.
  • Contracts with third parties: where a company cooperates with third parties such as customers or suppliers, and where the processing of personal information of its own or the third parties’ employees or users is involved, it shall, depending on the specific relationship with the third parties (e.g. joint processing, entrusted processing or processing separately, etc.), clearly agree with such third parties on their respective duties and obligations in relation to the protection of personal information, and make clear arrangements for the allocation of liability.

Step 3: Develop a personal information protection impact assessment template. Where a prior assessment is legally required, optimise the content of the template based on the personal information processing activities involved, comprehensively assess the potential impact of the processing activities on the rights and interests of individuals and the security risks they may entail, and produce a personal information protection impact assessment report. Risk assessment reports and records of processing activities shall be retained for at least three years:

  • An assessment should address at least the following issues: whether the purpose and method of processing personal information are legitimate, appropriate and necessary; the impact on individuals and the degree of security risks; and whether the safety and protection measures taken are legitimate, effective and proportionate to the degree of risks.
  • Common circumstances where a prior personal information protection impact assessment is required for SMEs include: processing sensitive personal information (e.g. processing sick leave certificates submitted by employees), entrusting the processing of personal information to entrusted processors (e.g. engaging HR service providers to provide payroll and social security payment services), providing personal information to third party personal information processors (e.g. providing insurance companies with employees’ personal information for the purpose of purchasing commercial insurances), disclosing personal information to the public (e.g. disclosing employees’ private mobile phone numbers on the company’s website), and transferring personal information outside of mainland China (e.g. sharing employees’ CVs with foreign affiliates).

Step 4: Regularly train HR and personnel playing a role in personal information processing or management on personal information protection related matters.

On the one hand, this ensures that the people concerned are clear about the requirements of the PIPL and reduces the risk of processing personal information in breach of the law; on the other hand, it fulfils the statutory obligation to provide training and demonstrates the company’s efforts to take the necessary organisational measures to prevent data breaches.

Step 5: (For cross-border transfer of personal information) individuals shall be fully informed and their separate consent shall be obtained if their personal information will be transferred outside of mainland China. Meanwhile, self-security assessments shall be performed in due course in accordance with the standards set by the Cyberspace Administration of China (“CAC”), and the appropriate route of transferring personal information outside of mainland China shall be selected based on the scale and quantity of the personal information involved. For most SMEs, the most common practice would likely be entering into standard contractual clauses formulated by the CAC with the overseas personal information recipients.

The above are the basic steps we recommend for SMEs to take towards PIPL compliance. Among these steps, the completion of this Self-Checklist should be a good start. Please note that this Self-Checklist is for information purposes only and shall not be treated as legal or professional advice. The completion of this Self-Checklist does not represent a confirmation or endorsement of Bird & Bird on the compliance status of a company’s personal information protection practice.

It is also important to note that the completion of the above steps does not mean that the company’s personal information protection is fully compliant. Compliance should be reflected not only in a company’s systems or documents, but also in the practical process of personal information processing.

Self-Checklist for Personal Information Protection Compliance

Self-Checklist for HR Management

Tasks of HR management and the corresponding questions:

 Recruitment
  • Does the company avoid collecting personal information not relevant to the conclusion of the employment contract from candidates during the recruitment, such as marital/maternity status, family members, religion, sexual orientation, involvement in lawsuits, etc., other than the CV submitted voluntarily by the candidate?
  • Does the company adequately inform* candidates of its privacy policy regarding the processing of candidates’ personal information on the job posting page?
  • Is the detailed processing scope and method clearly communicated to the candidate and the candidate’s authorisation obtained if the company decides to conduct a background check on a candidate?
  • If a candidate does not join the company eventually, does the company strictly follow the purpose and method informed to the candidates to process their personal information?
 Onboarding
  • If the company asks employees to fill in personal information registration forms or otherwise collects personal information from them, does the company avoid collecting information on marital/maternity status, family members, religion, sexual orientation, involvement in lawsuits, criminal records, etc.?
  • Are employees fully informed when they are required to provide personal information at the time of onboarding? Are the relevant records well kept?
  • Are there clauses on the protection of personal information in the employment contract or any other documents addressing the protection of personal information matters (such as a privacy policy) that require employees’ signing?
 Day-to-day Management
  • If the company adopts attendance methods such as fingerprint punching, face recognition or movement tracking, does the company fully inform employees and obtain separate consent from them before such attendance methods are implemented?
  • If surveillance equipment is installed in the workplace for purposes other than public safety, does the company fully inform employees and obtain separate consent from them?
  • If the company monitors office facilities and accounts such as employees' work computers, work mobile phones and email addresses, internal communication tools, etc., does the company fully inform employees and obtain consent from them?
  • When an employee applies for sick leave, does the company only require the employee to submit a sick leave certificate (doctor’s note) issued by the hospital as proof?
  • Are interviews with employees audio- or video-recorded during disciplinary investigations? If so, does the company fully inform employees and obtain consent from them before recording?
  • Does the company fully inform employees and obtain consent from them for the public disclosure of disciplinary, performance and termination information, or for the disclosure of personal information about employees in advertising campaigns?
  • For the aforementioned public announcement, is the scope of disclosure limited?
  • Does the company have any internal management system and operating procedures regarding personal information?
  • Does the company have contingency plans for personal information security incidents in place?
  • Does the company classify personal information of employees for management?
  • Does the company provide regular training to personnel involved in the processing of employees’ personal information?
  • Does the company set penalties for illegal processing of personal information?
  • Does the company assess the approach, necessity, legality, and ability of third parties engaged (such as suppliers and clients) to process personal information?
  • Are there any clauses on the protection of personal information in the company’s cooperation agreements with third parties?
  • Does the company provide access for employees to review, copy, correct, supplement, transfer and delete personal information?
 Termination
  • Does the company delete the personal information of employees whose employment contracts are terminated, or as soon as the purpose of the processing has been achieved or cannot be achieved, or the information is no longer necessary to achieve that purpose?
  • Does the company destroy or take other technical measures on employees’ personal information that has exceeded the retention period?
  • When the new employer of a former employee conducts a background check with the company, does the company fully inform the employee and obtain his/her authorization to provide the new employer with his/her personal information?
  • When the new employer of a former employee conducts a background check, will the company verify that it has the employee’s authority to do so?
  • Does the company conduct investigations into the compliance of former employees with their non-compete obligations through non-public means (e.g., tracking, recording)?
 Cross border transfer (if applicable)
  • Does the company conduct any self-security assessment before transferring personal information outside of mainland China? Does the company understand whether and when it will need to pass the security assessment organized by the CAC, obtain a personal information protection certificate issued by a professional agency appointed by the CAC, or enter into standard contractual clauses formulated by the CAC with the overseas data recipients?
  • Does the company inform employees of the name of each overseas data recipient, its contact details, the purpose and manner of processing, etc. and obtain their separate consent?

Note:
* “Fully inform” means that the company shall inform individuals truthfully and accurately, in a prominent manner and in clear and understandable language, of the name and contact details of personal information processor, the purpose and method of processing personal information, the type of personal information to be processed, the retention period, and the manner in which individuals exercise their rights, as provided for by law.

Self-Checklist for Interactions With Customers or Users

 Initial Stage Communication
  • Is the company clearly aware of the possibility of collecting and processing a range of customer personal information (e.g. contact person names, contact details, addresses, enquiry records, etc.) each time it approaches a potential customer?
  • At the initial stage, does the company discuss and clarify the specific purpose* for the collection or processing of customer personal information?
  • Does the company understand how to maintain the minimum necessary scope for collecting personal information from an individual (e.g. contact person of a customer)?
  • Is the company aware of the circumstances under which the consent of an individual must be obtained before collecting personal information and the requirements for a valid consent?
 Engagement
  • Does the company understand the circumstances under which customer personal information can be collected without the consent of the relevant individuals?
  • Are the relevant individuals aware that the company will collect and process their personal information while doing business with them, and are they aware of how the company will use their personal information?
  • Are there any templates in place to inform individuals about how the company will process and use their personal information according to different business scenarios (e.g. privacy policy template)?
  • Is the company aware of the information that must be communicated to individuals before collecting their personal information? Please try to list 5 categories of information that must be communicated.
 Doing Business
  • Does the company carry out any assessments or organise special discussions and trainings on the protection of customer personal information in daily operations?
  • Has the company ever shared customer personal information with other companies (e.g. subcontractors, advertisers, IT service providers, etc.)? If yes, has a specific contract been signed for the information sharing?
  • Please list 5 technical or management measures taken within the company to protect customer personal information.
  • Is the company aware of the circumstances under which it can send commercial marketing advertising emails to customer contacts?
  • Does the company use mobile apps, applets, social media, public websites, etc. to engage in business or marketing? If yes, is the company aware of the relevant personal information protection requirements?
  • Assuming the company receives an email from a customer contact person asking the company to explain to her what personal information has been collected or processed about her in the last three years and requesting a copy of the information, does the company know how to respond?
 Information Management
  • Is the company aware of how long it can keep customer personal information?
  • If the company’s IT department discovers that systems have been hacked, resulting in the loss of some customer personal information, does the company know what to do about it? For example, which authorities should be notified and whether affected individuals should be notified?
  • Has the company ever considered deleting historical customer personal information stored in the system since it was founded?
 Cross border transfer (if applicable)
  • Has the company transferred any customer personal information to any foreign companies or individuals?
  • Are there any of the company’s marketing and sales systems, client management systems, financial systems, human resource management systems, etc. being deployed abroad?
  • Does the company know how to transfer customer personal information outside of mainland China in a compliant manner? For example, what are the permitted routes via which personal information may be exported, and under what circumstances must personal information be stored locally in mainland China?

Note:

* Specific purposes should not be described in general terms or in an ambiguous way (e.g. “to enhance the customer experience”, etc.).
