Data Collection and Processing in China: Personal Financial Information (Part 3)

Written By

james gong Module
James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

ying zhong Module
Ying Zhong

Associate
China

I am a technology, media, telecoms and privacy associate based in Beijing.

* This article is reproduced from Practical Law with the permission of the publishers.

China's financial sector is undergoing a digital transformation and financial institutions are processing large amounts of personal financial information (PFI) in their daily operations. The PFI processing should comply with the following three levels of rules and national standards:

General rules on data protection, including:

General rules on financial data protection. For example:

Special requirements for specific financial institutions. For example:

In order to provide an overview of the regulatory framework governing PFI processing activities in China, we prepared this three-part article covering the following topics:

  • Basic Introduction of PFI: PFI and SPI, PFI Collection and Processing, Legal Basis for Processing
  • PFI Processing Activities: PFI Storage, Third Party Processing, PFI Cross-Border Transfer
  • Data Security Management: Rights of Individuals, Accountability, Legal Enforcement

Below is the third part of the series. Read the first part in this series here and the second part here.

Rights of Individuals

Right to Be Informed

Individuals have the right to be informed of the processing of their PI (Article 44, 2021 PIPL).

Specific to the financial sectors:

Right to Restrict and Reject

Individuals have the right to restrict and reject the processing of their PI (Article 44, 2021 PIPL).

Banks and payment institutions that send financial marketing information to financial consumers should provide them with a way to refuse to continue receiving financial marketing information (2020 Financial Consumers Protection Measures).

Right to Access and Copy

Individuals have the right to inspect and copy their PI from the controller. The controller should respond in a timely manner to the corresponding request, unless there are laws and administrative regulations that stipulate that confidentiality should be preserved, or the request impedes the fulfilment of the legal duties of state organs. (Article 45, 2021 PIPL.)

In practice, the right for individuals to have access and copy information is important in the case of disputes with financial institutions or third parties. In the case of a dispute, a financial institution cannot unlawfully conceal information or refuse to provide relevant information.

Right to Rectify and Supplement

If individuals find that their PI is inaccurate or incomplete, they have the right to request the controller to correct or supplement it (Article 46, 2021 PIPL).

Specific to the business of credit bureaus, individuals may request corrections from credit bureaus or information providers, who should mark the relevant information and respond in writing within 20 days (Procedures for Handling Objections to the Basic Database of Personal Credit Information 2005).

Right to Erase and Delete

In any of the following circumstances, a data controller should voluntarily delete the PI (failing which, the individual has the right to request the deletion):

  • The purpose of processing has been achieved, cannot be achieved, or no longer needs to be achieved.
  • The data controller stops providing products or services or the retention period expires.
  • The individual withdraws consent.
  • The data controller violates laws or administrative regulations or breaches an agreement to process the PI.
  • Other situations stipulated by laws and administrative regulations.

Where the retention period prescribed by laws or administrative regulations has not expired, or where deletion of PI is technically difficult to achieve, the data controller should cease processing other than storing PI and taking necessary security measures (Article 47, 2021 PIPL).

Specific to the business of credit institutions, credit bureaus should delete the corresponding bad records five years after the termination of the individual's bad information (Article 16, 2013 Credit Collection Regulations).

Right to Portability

If an individual requests that PI be transferred to a data controller designated by them, the data controller should provide the means for the transfer (Article 45, 2021 PIPL).

Right to Complain

Any organisation or individual has the right to lodge a complaint or report on unlawful PI processing activities with the department responsible for the protection of PI. The department receiving the complaint or report should handle it promptly in accordance with the law and inform the complainant or reporter of the results of the handling. (Article 65, 2021 PIPL.)

Specific to the business of credit institutions, if a data subject believes that a credit institution or an information provider or information user has infringed on their lawful rights and interests, the data subject may file a complaint with an agency dispatched by the State Council's supervisory and regulatory authority. The agency that receives the complaint should carry out timely verification and processing and reply to the complainant in writing within 30 days from the date of acceptance. (Article 26, 2013 Credit Collection Regulations.

Accountability

DPO

General requirements on the role of a data protection officer (DPO) include:

  • Article 21 of the 2016 CSL, which states that network security operators must identify the person in charge of network security and implement the responsibility for network security protection.
  • Article 27 of the 2021 DSL, which states that processors of important data must identify the person in charge of data security and the management organisation, and implement the responsibility for data security protection.
  • Article 52 of the 2021 PIPL, which states that a data controller that handles PI up to a specified quantity must designate a person in charge of PI protection. That person is responsible for supervising the activities of PI processing, the protection measures taken, and so on.

Specific to the financial sectors:

  • Commercial banks. Banking financial institutions should set up full-time positions in the data governance focal point management department to meet their work needs, and set up full-time or part-time positions in other relevant business departments (Article 14, 2018 Banking Finance Data Governance Guidelines). Commercial banks should establish an organisational structure for emergency responses to operational disruptions, including an emergency decision-making layer, an emergency command layer, an emergency execution layer and an emergency protection layer (Guidelines on Business Continuity Supervision for Commercial Banks 2011).
  • Credit agencies. Individual credit collection agencies and corporate credit collection agencies handling corporate information of more than one million households should have company executives serving as the person in charge of information security and the person in charge of PI protection, and should set up a full-time department (Article 34, 2021 Credit Collection Measures).

Audits

A data controller should conduct regular compliance audits of their handling of PI in compliance with laws and administrative regulations (Article 54, 2021 PIPL).

Specific to the financial sectors:

  • Commercial banks. Non-bank payment institutions and bank card clearing organisations engaged in bank card acquiring business and network payment business should internally audit the security of payment-sensitive information at least twice each year, and file a report for reference (Article 1, Notice of the PBOC on Further Strengthening the Risk Management of Bank Cards 2016).
  • Credit agencies. Credit collection agencies should conduct compliance audits of their own personal credit collection business every year and report them to the People's Bank of China (PBOC) in a timely manner (Article 43, 2021 Credit Collection Measures).

Assessment

A data controller must conduct a prior impact assessment of PI protection and record the processing in any of the following circumstances:

  • Processing SPI.
  • Using PI for automated decision-making.
  • Entrusting the processing of PI, providing PI to other controllers, and disclosing PI.
  • Providing PI outside the country.
  • Other PI processing activities that have a significant impact on the rights and interests of individuals.

    (Article 55, 2021 PIPL.)

Specific to the financial sectors:

  • Network payment service operators. Network payment service operators with automated decision-making mechanisms that can significantly affect the rights and interests of PI subjects should assess the impact on the security of PI at:
    • the stage of planning and design of automated decision-making or before the first use; and
    • regular intervals (at least once a year) while using automated decision-making.

    (Article 8.3, 2021 Network Payment Data Security Draft Guidelines.)

  • Commercial banks. Commercial banks should develop an ongoing risk identification and assessment process to:
    • identify areas of potential risk in IT;
    • evaluate the potential impact of risks on their business;
    • rank the risks; and
    • prioritise risk prevention measures and resources required (including outsourcing vendors, product providers, and service providers).

    (Article 16, 2009 IT Risk Management Guidelines.)

Retention of Processing Records

PI must be kept for the shortest period of time necessary to fulfil the purposes for which it was processed (Article 19, 2021 PIPL).

Specific to the financial sectors:

  • Banking financial institutions and non-bank payment institutions. They should keep their PI processing records for at least three years (Article 44, 2020 Financial Consumers Protection Measures).
  • Securities companies. The core information system for client information should record operations such as adding, deleting, and modifying electronic client information, and set up an operation log to record the personnel, time, and content of the operations carried out. The records should be kept for not less than one year. (Article 7, 2014 Securities Firms Information Code 2014.)
  • Insurance companies and insurance intermediaries. They should collect audio-visual information and electronic data through audio-visual recording and other technical means while selling commercial insurance products whose policyholders are natural persons. The retention period of audio-visual data must be calculated from the date of termination of the insurance contract. It should not be less than:
    • five years if the insurance period is less than one year; and
    • ten years if the insurance period is more than one year.

    In the event of disputes such as consumer complaints or legal proceedings, audio-visual data should also be preserved for at least two years after the end of the dispute. (Articles 2, 8, and 13, 2017 Insurance Sales Traceability Interim Measures.)

    Legal Enforcement

    In the event of any breach of the 2021 PIPL, a data processor may be held responsible for administrative and civil liability.

    Administrative Liability

    If the severity of the violation is average, the CAC may:

  • Order rectification or forfeiture of illegal income.
  • Issue warnings.
  • Impose a fine of up to RMB1 million on the processor and up to RMB100,000 on the persons responsible.
  • In serious cases, the fines can be increased to up to RMB50 million or 5% of last year's turnover for the processor and up to RMB1 million for the persons responsible. The authorities may even order the data processor to suspend the relevant business or cease operation for rectification, have the relevant business permit revoked, or have its business licence revoked.

    If banking financial institutions refuse or obstruct off-site supervision or on-site inspection, provide false statements, reports, and other documents and information, conceal important facts, or fail to disclose information in accordance with the regulations, they should be ordered to make corrections and be subject to a fine of not less than RMB200,000 and up to RMB500,000 (Banking Supervision and Administration Law 2006, with effect 1 January 2007).

    Civil Liability

    If the accidental access causes damage to the rights and interests of data subjects and the data processor cannot prove that it was not at fault, the processor should be liable for damages and other tort liability.

    The processor's breaches of the 2021 PIPL may be recorded in its credit file and made public.

    PFI Processing Enforcement Focus

    PFI processing

    Common breach activities

    PFI collection and processing

    • In connection with applications: non-compliant privacy policies, permissions violations, and obtaining individual consent.
    • Financial institution employees overstep their authority to query PFI.

    PFI storage

    • PFI is not stored using encryption and other technical means.
    • Financial institution employees exceed their rights to download PFI.
    • PFI is not deleted on schedule.

    PFI sharing

    • Selling PFI.
    • Providing PFI without consent.

    Third party processing

    • Providing PFI to third party organisations beyond the scope of co-operation.
    • Failure to use effective encryption for transmission to third parties.

     

    Latest insights

    More Insights
    Curiosity line green background

    A Deep Dive into China’s Network ID Proposal

    Nov 06 2024

    Read More
    mountain scape

    European Union Artificial Intelligence Act Guide

    Nov 06 2024

    Read More
    Curiosity line blue background

    Transforming A Brand into A Global Business – what to consider from a legal perspective

    Nov 05 2024

    Read More