Regardless of their size, companies will inevitably collect, store and process the personal information of their employees. Such a process falls within the scope of “processing of personal information” under the Personal Information Protection Law of the PRC (“PIPL”).
How should employees' personal information be handled in accordance with the PIPL?
Collection of personal information
When handling employees’ personal information, employers should be guided by three main principles, requiring the information to be handled:
- in accordance with the principles of legality, legitimacy, necessity and good faith, and not in a deceptive, fraudulent or coercive manner;
- for a specific and reasonable purpose, directly related to the purpose of the processing and in a way that has the least impact on personal rights and interests; in addition, the collection of personal information must be limited to the minimum extent necessary to achieve the purpose of the processing and must not be excessive;
- in accordance with the principles of openness and transparency, with the rules for the processing of personal information disclosed, and the purpose, method and scope of the processing expressly indicated.
In general, with regard to the processing of personal information, employees must be informed of the specific scope and purpose of the processing (and this purpose must be reasonable and the minimum necessary) and the collection and processing can only be initiated after obtaining the consent of the employee.
However, there are circumstances where consent is not required, namely:
- when this is necessary for the conclusion or performance of a contract to which the employee is a contracting party;
- when this is necessary for the performance of human resources management within the framework of a legally established employment policy or a legally concluded collective contract;
- where necessary to comply with a legal responsibility or legal obligation;
- when necessary to respond to a public health emergency or, in an emergency, to protect an individual's life, health or the safety of their property;
- where the personal information is processed within a reasonable framework to carry out news reporting, public opinion monitoring or any other activity for the purpose of public interest;
- when personal information, which has already been disclosed by the individual or otherwise lawfully disclosed, is processed within a reasonable framework and in accordance with the law.
The first two circumstances listed above are the ones most relevant to employees.
Transfer of personal information abroad
Personal information collected on the territory of China must, in principle, be stored in China. In practice, many foreign-invested enterprises normally transfer personal information of their employees to their overseas headquarters or give them or their foreign subsidiaries access to their employee database.
The law establishes clear rules for the cross-border transfer of personal information. The following requirements must be met:
- the transfer must be necessary;
- basic information about the foreign recipient must be provided and the consent to the cross-border transfer must be given separately and expressly by the employees before the transfer;
- the employer must adopt the security measures required by law;
- the country where the personal information is to be transferred must not be a foreign destination prohibited by China; and
- the foreign entity to which the personal information is to be provided cannot be a foreign judicial or law enforcement body.
In addition to legal requirements, the Cyberspace Administration of China (“CAC”) released Draft Measures for Cross-Border Data Transfer Security Assessment in October 2021.
Although these measures are not yet effective, it should be mentioned that in these measures, an application for a security assessment with CAC is required in any of the following circumstances:
- the data to be transferred abroad is personal information or important data collected and generated by a Critical Information Infrastructure operator;
- the data to be transferred abroad contains important data;
- the data processor transferring the personal information overseas has processed the personal information of one million or more individuals;
- the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals has been transferred overseas on a cumulative basis.
Given the potential impact of the provisions of the draft CAC measures, it will be interesting to see whether the provisions referred to above are adopted as they stand or subsequently modified, and to follow any future regulatory provisions promulgated by the CAC on the matter.
Sharing personal information
These days, many employers hire external professional consultants to help them with their day-to-day operations, including human resource management. How should employers handle such arrangements properly in the era of the PIPL?
In this respect, it is necessary to distinguish between entrusting processing to a contracted party and providing personal information to a third party.
Where an employer must provide personal information about its employees to a third party due to the outsourcing of certain management functions, such as mandating a headhunter to recruit staff or a bank to pay salaries on its behalf, the employer must comply with the following specific rules:
- comply with its obligation to inform;
- implement a privacy impact assessment; and
- enter into a contract with the contracting parties, agree on the purpose, duration and method of the processing, the type of personal data to be processed, any protective measures to be taken, as well as the rights and obligations of both parties, and implement monitoring of the processing activities of the contracted parties.
In other scenarios where personal information is provided to other third parties (e.g., sharing information with or transferring information to business partners), employers should not only follow the above steps, but also expressly inform employees of the recipient’s name, contact details, purpose of the processing, the method of processing and the type of personal information, and obtain the separate consent of the employees concerned.
In light of PIPL’s impacts on employee management, we recommend that employers conduct a full and comprehensive compliance assessment of their data to identify potential non-compliance issues, formulate appropriate solutions, and adopt measures to meet the requirements of the PIPL.
In particular, we recommend the following actions.
- Sort and classify employee personal information
Employers should conduct a comprehensive classification of their employees' personal information to verify what types of personal information are processed (distinguishing between personal information and sensitive personal information), identify information that should be deleted in a timely manner (because it was collected in excess of what was needed or is no longer necessary), ensure that data security measures are in place, and establish different levels of authorization within the company's internal management.
- Establish regulations on the protection of employee personal information
Employers should also add a specific section on the protection of employee privacy in their employee handbook or establish a separate policy for the protection of employee privacy.
With regard to the employees authorized to access the processed personal information, specific contractual provisions must be concluded with these employees, clarifying and regulating the scope of the authorization and the relevant responsibilities and obligations.
- Sign consent letters with employees and add a data chapter to the employment contract template
As mentioned above, regardless of the legal basis for processing employees' personal information, it is always recommended that employers inform employees of the purpose, manner and scope of the processing. In this regard, it is highly recommended to have employees sign consent letters regarding the processing of their personal information. In particular, if the processing of sensitive personal information is necessary, or if personal information is to be shared with third parties or transferred overseas, additional separate consent from the employees must be obtained.