(2021年8月20日第十三届全国人民代表大会常务委员会第三十次会议通过)
目 录
第一章 总 则
第二章 个人信息处理规则
第一节 一般规定
第二节 敏感个人信息的处理规则
第三节 国家机关处理个人信息的特别规定
第三章 个人信息跨境提供的规则
第四章 个人在个人信息处理活动中的权利
第五章 个人信息处理者的义务
第六章 履行个人信息保护职责的部门
第七章 法律责任
第八章 附 则
第一章 总 则
第一条 为了保护个人信息权益,规范个人信息处理活动,促进个人信息合理利用,根据宪法,制定本法。
第二条 自然人的个人信息受法律保护,任何组织、个人不得侵害自然人的个人信息权益。
第三条 在中华人民共和国境内处理自然人个人信息的活动,适用本法。
This Law shall also apply to activities outside the People's Republic of China that process the personal information of natural persons within the People's Republic of China under any of the following circumstances:
(一)以向境内自然人提供产品或者服务为目的;
(二)分析、评估境内自然人的行为;
(三)法律、行政法规规定的其他情形。
Article 4 Personal information is all kinds of information about identified or identifiable natural persons recorded electronically or by other means, excluding information that has been anonymized。
个人信息的处理包括个人信息的收集、存储、使用、加工、传输、提供、公开、删除等。
Article 5 Personal information shall be processed in accordance with the principles of legality, legitimacy, necessity and good faith, and shall not be processed by means of misleading, fraud, coercion, etc。
Article 6 The processing of personal information shall have a clear and reasonable purpose, and shall be directly related to the purpose of processing, and shall be adopted in a manner that has the least impact on the rights and interests of individuals。
收集个人信息,应当限于实现处理目的的最小范围,不得过度收集个人信息。
第七条 处理个人信息应当遵循公开、透明原则,公开个人信息处理规则,明示处理的目的、方式和范围。
第八条 处理个人信息应当保证个人信息的质量,避免因个人信息不准确、不完整对个人权益造成不利影响。
第九条 个人信息处理者应当对其个人信息处理活动负责,并采取必要措施保障所处理的个人信息的安全。
Article 10 No organization or individual may illegally collect, use, process or transmit others' personal information, or illegally trade, provide or disclose others' personal information;They shall not engage in personal information processing activities that endanger national security and public interests。
Article 11 The State establishes a sound system for the protection of personal information, prevents and punishes acts infringing upon the rights and interests of personal information, strengthens publicity and education on the protection of personal information, and promotes the formation of a good environment for the government, enterprises, relevant social organizations and the public to participate in the protection of personal information。
Article 12 The State actively participates in the formulation of international rules for the protection of personal information, promotes international exchanges and cooperation in the protection of personal information, and promotes the mutual recognition of rules and standards for the protection of personal information with other countries, regions and international organizations。
第二章 个人信息处理规则
第一节 一般规定
第十三条 符合下列情形之一的,个人信息处理者方可处理个人信息:
(一)取得个人的同意;
(2) necessary for the conclusion and performance of contracts to which the individual is a party, or necessary for the implementation of human resources management in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law;
(三)为履行法定职责或者法定义务所必需;
(四)为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康和财产安全所必需;
(五)为公共利益实施新闻报道、舆论监督等行为,在合理的范围内处理个人信息;
(六)依照本法规定在合理的范围内处理个人自行公开或者其他已经合法公开的个人信息;
(七)法律、行政法规规定的其他情形。
In accordance with other relevant provisions of this Law, the processing of personal information shall obtain the consent of the individual, but in the case of items 2 to 7 of the preceding paragraph, it is not necessary to obtain the consent of the individual。
第十四条 基于个人同意处理个人信息的,该同意应当由个人在充分知情的前提下自愿、明确作出。法律、行政法规规定处理个人信息应当取得个人单独同意或者书面同意的,从其规定。
个人信息的处理目的、处理方式和处理的个人信息种类发生变更的,应当重新取得个人同意。
第十五条 基于个人同意处理个人信息的,个人有权撤回其同意。个人信息处理者应当提供便捷的撤回同意的方式。
个人撤回同意,不影响撤回前基于个人同意已进行的个人信息处理活动的效力。
Article 16 A personal data processor shall not refuse to provide a product or service on the grounds that an individual does not consent to the processing of his or her personal information or withdraweth his or her consent;Except where the processing of personal information is necessary for the provision of products or services。
Article 17 Before processing personal information, a personal data processor shall truthfully, accurately and completely inform an individual of the following matters in a conspicuous manner and in clear and understandable language:
(一)个人信息处理者的名称或者姓名和欧洲杯投注赔率;
(二)个人信息的处理目的、处理方式,处理的个人信息种类、保存期限;
(三)个人行使本法规定权利的方式和程序;
(四)法律、行政法规规定应当告知的其他事项。
前款规定事项发生变更的,应当将变更部分告知个人。
Where a processor of personal information notifies the matters referred to in paragraph 1 by formulating rules on the processing of personal information, the rules of processing shall be made public and readily accessible and stored。
Article 18 A processor of personal information may not inform an individual of the matters provided for in paragraph 1 of the preceding article if there are circumstances in which the processing of personal information should be kept confidential or does not require notification according to laws or administrative regulations。
Where it is impossible to inform an individual in a timely manner in order to protect the life, health and property safety of a natural person in an emergency, the personal information processor shall notify the individual in a timely manner after the emergency has been eliminated。
第十九条 除法律、行政法规另有规定外,个人信息的保存期限应当为实现处理目的所必要的最短时间。
Article 20 Where two or more processors of personal information jointly decide on the purpose and method of processing of personal information, they shall agree on their respective rights and obligations。但是,该约定不影响个人向其中任何一个个人信息处理者要求行使本法规定的权利。
个人信息处理者共同处理个人信息,侵害个人信息权益造成损害的,应当依法承担连带责任。
Article 21 Where a personal information processor entrusts the processing of personal information, it shall agree with the trustee on the purpose, time limit, method of processing, types of personal information, protection measures and rights and obligations of both parties, and supervise the personal information processing activities of the trustee。
The agent shall process personal information in accordance with the agreement and shall not process personal information beyond the agreed purpose and method of processing;If the entrustment contract is not effective, invalid, revoked or terminated, the agent shall return the personal information to the personal information processor or delete it and shall not retain it。
未经个人信息处理者同意,受托人不得转委托他人处理个人信息。
Article 22 Where a personal information processor needs to transfer personal information due to merger, division, dissolution, declaration of bankruptcy, etc., it shall inform the individual of the recipient's name or name and contact information。接收方应当继续履行个人信息处理者的义务。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。
Article 23 Where a personal information processor provides the personal information it processes to other personal information processors, it shall inform the individual of the recipient's name, contact information, processing purpose, processing method and type of personal information, and obtain the individual's separate consent。接收方应当在上述处理目的、处理方式和个人信息的种类等范围内处理个人信息。接收方变更原先的处理目的、处理方式的,应当依照本法规定重新取得个人同意。
Article 24 Where personal information processors use personal information to make automated decisions, they shall ensure the transparency of the decisions and the fairness and justice of the results, and shall not apply unreasonable differential treatment to individuals in terms of transaction prices and other trading conditions。
Information push and commercial marketing to individuals through automated decision-making should be accompanied by options that are not specific to their personal characteristics, or provide individuals with convenient means of rejection。
When a decision is made by means of automated decision-making that has a significant impact on the rights and interests of the individual, the individual has the right to ask the processor of the personal information to explain it, and the right to refuse the processor of the personal information to make a decision only by means of automated decision-making。
第二十五条 个人信息处理者不得公开其处理的个人信息,取得个人单独同意的除外。
Article 26 The installation of image acquisition and personal identification equipment in public places shall be necessary to maintain public security, comply with the relevant provisions of the State, and set up prominent prompt signs。The personal images and identification information collected can only be used for the purpose of maintaining public security and shall not be used for other purposes;Except where individual consent is obtained。
Article 27 A processor of personal information may, within a reasonable range, process personal information disclosed by an individual or that has been lawfully disclosed;Except those expressly refused by the individual。个人信息处理者处理已公开的个人信息,对个人权益有重大影响的,应当依照本法规定取得个人同意。
第二节 敏感个人信息的处理规则
第二十八条 敏感个人信息是一旦泄露或者非法使用,容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的个人信息,包括生物识别、宗教信仰、特定身份、医疗健康、金融账户、行踪轨迹等信息,以及不满十四周岁未成年人的个人信息。
The processing of sensitive personal information by the personal data processor is only possible if there is a specific purpose and sufficient necessity and strict protection measures are taken。
Article 29 Individual consent shall be obtained for the processing of sensitive personal information;Where laws or administrative regulations require written consent for the processing of sensitive personal information, such provisions shall prevail。
Article 30 Where a processor of personal information processes sensitive personal information, in addition to the matters provided for in paragraph 1 of Article 17 of this Law, it shall inform the individual of the necessity of processing sensitive personal information and the impact on the rights and interests of the individual;Except those that may not be informed to individuals in accordance with the provisions of this Law。
Article 31 Where a personal data processor processes the personal information of a minor under the age of 14, it shall obtain the consent of the minor's parents or other guardians。
个人信息处理者处理不满十四周岁未成年人个人信息的,应当制定专门的个人信息处理规则。
Article 32 Where laws and administrative regulations require relevant administrative licenses or other restrictions on the processing of sensitive personal information, such provisions shall prevail。
第三节 国家机关处理个人信息的特别规定
第三十三条 国家机关处理个人信息的活动,适用本法;本节有特别规定的,适用本节规定。
Article 34 State organs shall, in order to perform their statutory duties, process personal information in accordance with the authority and procedures prescribed by laws and administrative regulations, and shall not exceed the scope and limit necessary for the performance of their statutory duties。
Article 35 State organs, in order to perform their statutory duties in handling personal information, shall fulfill the obligation of notification in accordance with the provisions of this Law;Except in the circumstances provided for in paragraph 1 of Article 18 of this Law, or where the notification would impede the performance of statutory duties by state organs。
Article 36 Personal information processed by state organs shall be stored within the territory of the People's Republic of China.If it really needs to be provided overseas, security assessment shall be carried out。安全评估可以要求有关部门提供支持与协助。
Article 37 The provisions of this Law on the handling of personal information by state organs shall apply to organizations authorized by laws and regulations to handle personal information in order to perform their statutory duties。
第三章 个人信息跨境提供的规则
Article 38 Where a personal information processor really needs to provide personal information outside the People's Republic of China due to business or other needs, it shall meet one of the following conditions:
(一)依照本法第四十条的规定通过国家网信部门组织的安全评估;
(二)按照国家网信部门的规定经专业机构进行个人信息保护认证;
(三)按照国家网信部门制定的标准合同与境外接收方订立合同,约定双方的权利和义务;
(四)法律、行政法规或者国家网信部门规定的其他条件。
Where there are provisions in international treaties or agreements concluded or acceded to by the People's Republic of China on the conditions for providing personal information outside the territory of the People's Republic of China, such provisions may be followed。
Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this Law。
第三十九条 个人信息处理者向中华人民共和国境外提供个人信息的,The individual shall be informed of such matters as the name or name of the overseas recipient, the contact information, the purpose and method of processing, the type of personal information, and the way and procedure for the individual to exercise the rights provided for in this Law to the overseas recipient,并取得个人的单独同意。
Article 40 Key information infrastructure operators and personal information processors that process personal information in quantities specified by the national network information department shall store the personal information collected and generated within the territory of the People's Republic of China。If it really needs to be provided overseas, it shall pass the security assessment organized by the national network information department;Where laws, administrative regulations and the national network information department stipulate that security assessment may not be carried out, such provisions shall prevail。
Article 41 The competent authorities of the People's Republic of China shall, in accordance with relevant laws, international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China。Without the approval of the competent authorities of the People's Republic of China, the personal information processor shall not provide the personal information stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies。
第四十二条 境外的组织、个人从事侵害中华人民共和国公民的个人信息权益,或者危害中华人民共和国国家安全、公共利益的个人信息处理活动的,国家网信部门可以将其列入限制或者禁止个人信息提供清单,Make public,并采取限制或者禁止向其提供个人信息等措施。
Article 43 Where any country or region takes discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in respect of the protection of personal information, the People's Republic of China may, in light of the actual situation, take reciprocal measures against that country or region。
第四章 个人在个人信息处理活动中的权利
Article 44 Individuals shall have the right to know and decide on the processing of their personal information, and shall have the right to restrict or refuse the processing of their personal information by others;Except as otherwise provided by laws and administrative regulations。
Article 45 An individual has the right to consult and copy his or her personal information to a personal data processor;Except in the circumstances provided for in Article 18, paragraph 1, and Article 35 of this Law。
个人请求查阅、复制其个人信息的,个人信息处理者应当及时提供。
If an individual requests the transfer of personal information to his or her designated personal information processor, and meets the conditions stipulated by the national network information Department, the personal information processor shall provide the means of transfer。
第四十六条 个人发现其个人信息不准确或者不完整的,有权请求个人信息处理者更正、补充。
个人请求更正、补充其个人信息的,个人信息处理者应当对其个人信息予以核实,并及时更正、补充。
Article 47 In any of the following circumstances, the personal information processor shall take the initiative to delete the personal information;If the personal information processor does not delete it, the individual has the right to request deletion:
(一)处理目的已实现、无法实现或者为实现处理目的不再必要;
(二)个人信息处理者停止提供产品或者服务,或者保存期限已届满;
(三)个人撤回同意;
(四)个人信息处理者违反法律、行政法规或者违反约定处理个人信息;
(五)法律、行政法规规定的其他情形。
If the storage period prescribed by laws and administrative regulations has not expired, or it is technically difficult to delete personal information, the personal information processor shall stop processing it except for storage and taking necessary security protection measures。
第四十八条 个人有权要求个人信息处理者对其个人信息处理规则进行解释说明。
Article 49 In the event of the death of a natural person, his close relatives may, for their own lawful and legitimate interests, exercise the rights of viewing, copying, correcting and deleting the relevant personal information of the deceased as provided for in this Chapter;Unless otherwise arranged before the death of the deceased。
第五十条 个人信息处理者应当建立便捷的个人行使权利的申请受理和处理机制。拒绝个人行使权利的请求的,应当说明理由。
个人信息处理者拒绝个人行使权利的请求的,个人可以依法向人民法院提起诉讼。
第五章 个人信息处理者的义务
Article 51 Personal information processors should be based on the purpose of personal information processing, processing methods, types of personal information and the impact on personal rights and interests, possible security risks,采取下列措施确保个人信息处理活动符合法律、行政法规的规定,并防止未经授权的访问以及个人信息泄露、篡改、丢失:
(一)制定内部管理制度和操作规程;
(二)对个人信息实行分类管理;
(三)采取相应的加密、去标识化等安全技术措施;
(四)合理确定个人信息处理的操作权限,并定期对从业人员进行安全教育和培训;
(五)制定并组织实施个人信息安全事件应急预案;
(六)法律、行政法规规定的其他措施。
Article 52 A personal information processor that processes personal information in the amount prescribed by the national network information department shall designate a person in charge of personal information protection, who is responsible for the supervision of personal information processing activities and the protection measures taken。
The personal information processor shall disclose the contact information of the person in charge of personal information protection, and submit the name and contact information of the person in charge of personal information protection to the department that performs the duty of personal information protection。
第五十三条 本法第三条第二款规定的中华人民共和国境外的个人信息处理者,应当在中华人民共和国境内设立专门机构或者指定代表,负责处理个人信息保护相关事务,并将有关机构的名称或者代表的姓名、欧洲杯投注赔率等报送履行个人信息保护职责的部门。
第五十四条 个人信息处理者应当定期对其处理个人信息遵守法律、行政法规的情况进行合规审计。
Article 55 In any of the following circumstances, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing:
(一)处理敏感个人信息;
(二)利用个人信息进行自动化决策;
(三)委托处理个人信息、向其他个人信息处理者提供个人信息、公开个人信息;
(四)向境外提供个人信息;
(五)其他对个人权益有重大影响的个人信息处理活动。
第五十六条 个人信息保护影响评估应当包括下列内容:
(一)个人信息的处理目的、处理方式等是否合法、正当、必要;
(二)对个人权益的影响及安全风险;
(三)所采取的保护措施是否合法、有效并与风险程度相适应。
个人信息保护影响评估报告和处理情况记录应当至少保存三年。
Article 57 In the event of or the possibility of leakage, alteration or loss of personal information, the personal information processor shall immediately take remedial measures and notify the department or individual performing the duty of personal information protection。通知应当包括下列事项:
(一)发生或者可能发生个人信息泄露、篡改、丢失的信息种类、原因和可能造成的危害;
(二)个人信息处理者采取的补救措施和个人可以采取的减轻危害的措施;
(三)个人信息处理者的欧洲杯投注赔率。
If the personal information processor takes measures to effectively prevent the harm caused by information disclosure, tampering or loss, the personal information processor may not notify the individual;Where the department responsible for the protection of personal information considers that harm may be caused, it has the right to require the personal information processor to notify the individual。
Article 58 Personal information processors that provide important Internet platform services, have a large number of users, and have complex business types shall perform the following obligations:
(a) In accordance with the provisions of the State to establish a sound personal information protection compliance system system, the establishment of an independent body mainly composed of external members to supervise the protection of personal information;
(b) In accordance with the principles of openness, fairness and justice, formulate platform rules to clarify the standards for the handling of personal information by product or service providers within the platform and the obligations to protect personal information;
(三)对严重违反法律、行政法规处理个人信息的平台内的产品或者服务提供者,停止提供服务;
(四)定期发布个人信息保护社会责任报告,接受社会监督。
Article 59 A trustee entrusted with handling personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information handled and assist the personal information processor in fulfilling the obligations provided for in this Law。
第六章 履行个人信息保护职责的部门
第六十条 国家网信部门负责统筹协调个人信息保护工作和相关监督管理工作。The relevant departments under The State Council shall be responsible for the protection, supervision and administration of personal information within the scope of their respective functions and duties in accordance with the provisions of this Law, relevant laws and administrative regulations。
县级以上地方人民政府有关部门的个人信息保护和监督管理职责,按照国家有关规定确定。
前两款规定的部门统称为履行个人信息保护职责的部门。
第六十一条 履行个人信息保护职责的部门履行下列个人信息保护职责:
(一)开展个人信息保护宣传教育,指导、监督个人信息处理者开展个人信息保护工作;
(二)接受、处理与个人信息保护有关的投诉、举报;
(三)组织对应用程序等个人信息保护情况进行测评,并公布测评结果;
(四)调查、处理违法个人信息处理活动;
(五)法律、行政法规规定的其他职责。
第六十二条 国家网信部门统筹协调有关部门依据本法推进下列个人信息保护工作:
(一)制定个人信息保护具体规则、标准;
(2) Formulate special personal information protection rules and standards for small personal information processors, processing sensitive personal information, and new technologies and applications such as face recognition and artificial intelligence;
(三)支持研究开发和推广应用安全、方便的电子身份认证技术,推进网络身份认证公共服务建设;
(四)推进个人信息保护社会化服务体系建设,支持有关机构开展个人信息保护评估、认证服务;
(五)完善个人信息保护投诉、举报工作机制。
第六十三条 履行个人信息保护职责的部门履行个人信息保护职责,可以采取下列措施:
(一)询问有关当事人,调查与个人信息处理活动有关的情况;
(二)查阅、复制当事人与个人信息处理活动有关的合同、记录、账簿以及其他有关资料;
(三)实施现场检查,对涉嫌违法的个人信息处理活动进行调查;
(4) Inspect equipment and articles related to personal information processing activities;Equipment and articles proved to be used for illegal personal information processing activities may be sealed up or seized after a written report is submitted to the principal responsible person of the department and approval is obtained。
履行个人信息保护职责的部门依法履行职责,当事人应当予以协助、配合,不得拒绝、阻挠。
第六十四条 履行个人信息保护职责的部门在履行职责中,发现个人信息处理活动存在较大风险或者发生个人信息安全事件的,可以按照规定的权限和程序对该个人信息处理者的法定代表人或者主要负责人进行约谈,或者要求个人信息处理者委托专业机构对其个人信息处理活动进行合规审计。个人信息处理者应当按照要求采取措施,进行整改,消除隐患。
Departments performing the duty of personal information protection in the performance of their duties, found illegal handling of personal information suspected of crime, shall be transferred to the public security organs in a timely manner for handling according to law。
Article 65 Any organization or individual has the right to complain and report illegal personal information processing activities to the department that performs the duty of personal information protection。收到投诉、举报的部门应当依法及时处理,并将处理结果告知投诉、举报人。
履行个人信息保护职责的部门应当公布接受投诉、举报的欧洲杯投注赔率。
第七章 法律责任
第六十六条 违反本法规定处理个人信息,或者处理个人信息未履行本法规定的个人信息保护义务的,由履行个人信息保护职责的部门责令改正,Give a warning,没收违法所得,对违法处理个人信息的应用程序,责令暂停或者终止提供服务;拒不改正的,并处一百万元以下罚款;对直接负责的主管人员和其他直接责任人员处一万元以上十万元以下罚款。
有前款规定的违法行为,情节严重的,由省级以上履行个人信息保护职责的部门责令改正,没收违法所得,并处五千万元以下或者上一年度营业额百分之五以下罚款,And may order the suspension of the relevant business or business rectification, notify the relevant competent department to revoke the relevant business license or business license;The persons directly in charge and other persons directly responsible shall be imposed a fine of not less than 100,000 yuan but not more than one million yuan,并可以决定禁止其在一定期限内担任相关企业的董事、监事、高级管理人员和个人信息保护负责人。
第六十七条 有本法规定的违法行为的,依照有关法律、行政法规的规定记入信用档案,并予以公示。
Article 68 Where a state organ fails to perform its personal information protection obligations as provided for in this Law, it shall be ordered to make corrections by the organ at a higher level or by the department that performs the duties of personal information protection;The persons directly in charge and other persons directly responsible shall be given sanctions according to law。
履行个人信息保护职责的部门的工作人员玩忽职守、滥用职权、徇私舞弊,尚不构成犯罪的,依法给予处分。
Article 69 Where the processing of personal information infringes upon the rights and interests of personal information and causes damage, and the personal information processor cannot prove that he is not at fault, he shall bear tort liabilities such as compensation for damages。
The liability for damages provided for in the preceding paragraph shall be determined on the basis of the loss suffered by the individual or the benefits gained by the person processing the personal information.If it is difficult to determine the loss suffered by the individual and the benefits gained by the personal data processor, the amount of compensation shall be determined according to the actual situation。
Article 70 Where a personal information processor violates the provisions of this Law by processing personal information and infringes upon the rights and interests of a large number of individuals, the people's procuratorates, consumer organizations prescribed by law and organizations determined by the State cyberspace administration may bring a lawsuit in a people's court according to law。
Article 71 Whoever violates the provisions of this Law and constitutes an act violating the administration of public security shall be punished for the administration of public security according to law;If the case constitutes a crime, criminal responsibility shall be investigated according to law。
第八章 附 则
第七十二条 自然人因个人或者家庭事务处理个人信息的,不适用本法。
法律对各级人民政府及其有关部门组织实施的统计、档案管理活动中的个人信息处理有规定的,适用其规定。
第七十三条 本法下列用语的含义:
(一)个人信息处理者,是指在个人信息处理活动中自主决定处理目的、处理方式的组织、个人。
(2) Automated decision-making refers to the activity of automatically analyzing and evaluating an individual's behavior habits, interests, or economic, health, credit status through a computer program, and making decisions。
(三)去标识化,是指个人信息经过处理,使其在不借助额外信息的情况下无法识别特定自然人的过程。
(四)匿名化,是指个人信息经过处理无法识别特定自然人且不能复原的过程。
第七十四条 本法自2021年11月1日起施行。