* This article is reproduced from Practical Law with the permission of the publishers.
China's financial sector is undergoing a digital transformation and financial institutions are processing large amounts of personal financial information (PFI) in their daily operations. The PFI processing should comply with the following three levels of rules and national standards:
General rules on data protection, including:
General rules on financial data protection. For example:
Special requirements for specific financial institutions. For example:
In order to provide an overview of the regulatory framework governing PFI processing activities in China, we prepared this three-part article covering the following topics:
Below is the third part of the series. Read the first part in this series here and the second part here.
Individuals have the right to be informed of the processing of their PI (Article 44, 2021 PIPL).
Specific to the financial sectors:
Individuals have the right to restrict and reject the processing of their PI (Article 44, 2021 PIPL).
Banks and payment institutions that send financial marketing information to financial consumers should provide them with a way to refuse to continue receiving financial marketing information (2020 Financial Consumers Protection Measures).
Individuals have the right to inspect and copy their PI from the controller. The controller should respond in a timely manner to the corresponding request, unless there are laws and administrative regulations that stipulate that confidentiality should be preserved, or the request impedes the fulfilment of the legal duties of state organs. (Article 45, 2021 PIPL.)
In practice, the right of individuals to access and copy their information is important in the case of disputes with financial institutions or third parties. In the case of a dispute, a financial institution cannot unlawfully conceal information or refuse to provide relevant information.
If individuals find that their PI is inaccurate or incomplete, they have the right to request the controller to correct or supplement it (Article 46, 2021 PIPL).
Specific to the business of credit bureaus, individuals may request corrections from credit bureaus or information providers, who should mark the relevant information and respond in writing within 20 days (Procedures for Handling Objections to the Basic Database of Personal Credit Information 2005).
In any of the following circumstances, a data controller should voluntarily delete the PI (failing which, the individual has the right to request the deletion):
Where the retention period prescribed by laws or administrative regulations has not expired, or where deletion of PI is technically difficult to achieve, the data controller should cease processing other than storing PI and taking necessary security measures (Article 47, 2021 PIPL).
Specific to the business of credit institutions, credit bureaus should delete the corresponding bad records five years after the termination of the individual's bad information (Article 16, 2013 Credit Collection Regulations).
If an individual requests that PI be transferred to a data controller designated by them, the data controller should provide the means for the transfer (Article 45, 2021 PIPL).
Any organisation or individual has the right to lodge a complaint or report on unlawful PI processing activities with the department responsible for the protection of PI. The department receiving the complaint or report should handle it promptly in accordance with the law and inform the complainant or reporter of the results of the handling. (Article 65, 2021 PIPL.)
Specific to the business of credit institutions, if a data subject believes that a credit institution or an information provider or information user has infringed on their lawful rights and interests, the data subject may file a complaint with an agency dispatched by the State Council's supervisory and regulatory authority. The agency that receives the complaint should carry out timely verification and processing and reply to the complainant in writing within 30 days from the date of acceptance. (Article 26, 2013 Credit Collection Regulations.)
General requirements on the role of a data protection officer (DPO) include:
Specific to the financial sectors:
A data controller should conduct regular compliance audits of their handling of PI in compliance with laws and administrative regulations (Article 54, 2021 PIPL).
Specific to the financial sectors:
A data controller must conduct a prior impact assessment of PI protection and record the processing in any of the following circumstances:
(Article 55, 2021 PIPL.)
Specific to the financial sectors:
(Article 8.3, 2021 Network Payment Data Security Draft Guidelines.)
(Article 16, 2009 IT Risk Management Guidelines.)
PI must be kept for the shortest period of time necessary to fulfil the purposes for which it was processed (Article 19, 2021 PIPL).
Specific to the financial sectors:
In the event of disputes such as consumer complaints or legal proceedings, audio-visual data should also be preserved for at least two years after the end of the dispute. (Articles 2, 8, and 13, 2017 Insurance Sales Traceability Interim Measures.)
In the event of any breach of the 2021 PIPL, a data processor may be held responsible for administrative and civil liability.
If the severity of the violation is average, the CAC may:
In serious cases, the fines can be increased to up to RMB50 million or 5% of last year's turnover for the processor and up to RMB1 million for the persons responsible. The authorities may even order the data processor to suspend the relevant business or cease operation for rectification, have the relevant business permit revoked, or have its business licence revoked.
If banking financial institutions refuse or obstruct off-site supervision or on-site inspection, provide false statements, reports, and other documents and information, conceal important facts, or fail to disclose information in accordance with the regulations, they should be ordered to make corrections and be subject to a fine of not less than RMB200,000 and up to RMB500,000 (Banking Supervision and Administration Law 2006, with effect 1 January 2007).
If the accidental access causes damage to the rights and interests of data subjects and the data processor cannot prove that it was not at fault, the processor should be liable for damages and other tort liability.
The processor's breaches of the 2021 PIPL may be recorded in its credit file and made public.
PFI processing | Common breach activities
PFI collection and processing |
PFI storage |
PFI sharing |
Third party processing |