Since the Personal Information Protection Law (PIPL) came into effect last year, foreign companies operating in China have had to adapt to stricter compliance standards when processing employee’s information. Chinese authorities have been actively investigating suspected violations and issuing fines.

The rules set forth by the PIPL apply to any organization that processes the personal information of Chinese citizens for the purpose of providing them with products or services, analyzing or assessing their behavior, or for “other purposes to be specified by laws and regulations.”

The law applies not only to local companies but to foreign firms processing such data, even if the processing occurs outside of China. In order to process the data of Chinese citizens, foreign “personal information processing entities” must follow certain guidelines and requirements.

The PIPL, which came into effect on November 1, 2021, is similar in size and scope to the EU’s General Data Protection Regulation (GDPR).

Along with China’s Data Security Law, the PIPL creates a framework that gives China’s government broad enforcement capabilities and creates a strict compliance environment for the nation’s big tech companies and international businesses operating in China.

The goals of the PIPL are to “protect the rights and interests of individuals” and facilitate the “reasonable use” of personal information through the regulation of personal information processing activities.

Companies are prohibited from sharing employee’s personal information with third parties without their consent. If a firm uses a third party in the recruitment process or to conduct a background check, the enterprise must obtain the written authorization of the employee, otherwise, it may infringe on the individual’s rights.

When hiring a person, a company may only collect “basic information directly related to the labor contract”, such as name, gender, nationality, identity certificate number, address, personal email, health status, education and degree, work experience, and emergency contact, among other.

The scope and content of information should be determined by the employer, and its content should be reasonable and minimal. For any sensitive information that is necessary to be collected, the explicit consent of employees must be obtained.

It is imperative that companies protect any collected personal information in both hard or soft copies such as employees’ certificates, files, and documents with personal information, fingerprints, and face recognition information (if any). Any storage equipment, transmission equipment, and used equipment shall be encrypted for security measures.

Employees’ personal information can be stored on equipment provided by the company, including mobile phones, computers, and other devices. To reduce legal risks, employees shall be informed in writing before the company provides equipment that it shall not be used for personal affairs, and the employer reserves the right to inspect and monitor information on such equipment.

Employees should be reminded to delete personal information before equipment is repaired, inspected, or recycled. Any employee’s personal information found shall be kept confidential.

Multinational companies need employees’ written authorization and consent before transmitting any personal information abroad. Relevant requirements such as network security agency services, firewalls, and other means to ensure the security of information shall be implemented.

There are significant restrictions within the PIPL regarding data that crosses borders. For example, organizations that are designated as Critical Information Infrastructure (CII) operators must submit to a mandatory security assessment conducted by the Cyberspace Administration of China (CAC).

For companies that are not designated as part of the CII, data transfers beyond Chinese borders require organizations to submit to a voluntary security assessment, be certified by agencies appointed by the CAC, or enter into an agreement with the CAC.

Once data leaves Chinese borders, the same protections will continue to apply, including data used by third-party processors.

In case of labor termination, companies should only archive necessary information and delete the sensitive personal information and other data that is no longer required. If the new employer requests a background check, the employee must provide prior written consent for the employer to disclose his/her information to other companies, otherwise, it is likely to infringe on the employee’s rights and interests.

One of the challenges with PIPL compliance is the lack of specificity in much of the law, along with its rapid implementation. While the GDPR gave organizations two years to prepare for implementation, PIPL went into effect less than three months after being passed into law.

However, any organization collecting or processing personal information from individuals in China, must comply.

One of the first things organizations need to do to ensure that they comply with PIPL is review their data processing standards. Under the PIPL, businesses must have a lawful basis for any data that is collected, stored, or processed related to a Chinese citizen.

The PIPL requires personal information to be limited to the smallest scope to fulfill that purpose.

A company must have a clear and reasonable purpose for data collection or use, such as to enter or perform a contract, conduct human resources/personnel management practices per labor policies, comply with legal duties, and to respond to public health incidents or protect the rights and interests of Chinese citizens.

Businesses using data for purposes outside those listed here need to take a careful look at their data processing policies with their legal counsel.

In most cases, the PIPL requires that organizations obtain consent for data collection and processing. Companies should review their collection and use policies to make sure consent is collected where required.

Woodburn Accountants & Advisors is one of China’s most trusted business setup advisory firms.

Woodburn Accountants & Advisors is specialized in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to the full outsourcing solution for accounting, tax, and human resource services. Our advisory services can be tailor-made based on the companies’ objectives, goals and needs which vary depending on the stage they are at on their journey.

Talk to an expert

Schedule a 30-mins complimentary, no-obligation call to see how Woodburn can help you. Book a call with our Head of Business Advisory - Kristina Koehler-Coluccia.

​

Topics we can advise on include:

​

• Company Registration

• Cloud Accounting & Financial Reporting

• Cloud Payroll Services

• Tax & Audit Services

• Recruitment

• Employer-of-Record

• Visa Application

• Trademark Registration

• Switch to Woodburn

• Partner with Woodburn (cross referral) 
  

Our calls are automatically scheduled via Zoom - or via Teams, WeChat or WhatsApp upon direct request. 

​

Our advisory calls are available from Monday-Friday from 8am to 5pm CEST and Wednesday until 9pm CEST.