The Personal Information Protection Law (PIPL), designed to protect the privacy rights of individuals living in China, will have a significant impact on employment context processing, and multinational companies’ HR activities, including recruitment, performance monitoring, and cross-border transfers, among others.
In effect since November 1, 2021, the PIPL prescribes various obligations for data controllers and data processors, restrictions on cross-border transfer, lawful basis of processing and hefty fines for violations.
The Human Resource Management Team of an organization will have the responsibility to comply with the PIPL. There are a few key obligations under the PIPL that an HR team must consider while handling personal information of job applicants, and current and former employees.
According to the PIPL, employers are “personal information processors”, because they “independently decide the purpose and method of processing and other personal information processing matters” of the employees’ personal data.
Personal information is the data used to identify a person, such as full name, date of birth, gender, address, resume, fingerprint, ID number, etc. Information processed anonymously will not count as personal information.
Under Chinese law, the processing of personal information refers to types of behaviors in relation to personal information, including the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.
When a company requests an employee to fill in a form with name, phone number, contact address, etc., it is “collecting” personal information. When the employer inputs the employee’s information onto the HR systems, it is “storing” personal information. When the employer provides the employee’s information to an insurance company to purchase group insurance, it is “using” and “transmitting” personal information.
All these steps are collectively called “processing” of personal information.
If the employer is registered outside of China, the company may still be subject to the PIPL in two cases: where the company provides products or services to individuals inside China, and where the company analyzes and evaluates the activities of individuals inside China.
There are three basic principles an employer must follow when processing employees’ personal information: lawfulness, reasonable purpose and transparency.
Article 13 of the PIPL states that employers should not process the personal data of job applicants, current employees or former employees without having a lawful basis, legitimacy, necessity, and good faith.
The processing of personal information shall be for a definite and reasonable purpose, be directly related to the purpose of processing, and shall be conducted in a way that minimizes the impact on personal rights and interests.
The processing shall follow the principles of openness and transparency, expressly indicating the purpose, method, and scope of such processing.
Among all the directives, the ‘principle of necessity’ and the ‘principle of minimum’ may be the two most difficult for HR to manage. An example could be sick leave, where an employer requests medical records, treatment details and a sick leave recommendation signed by a doctor.
This could seem an excessive collection of information and violate the minimum principle, thus opening the discussion to different interpretations. Employers should be careful and try to reduce their exposure to PIPL compliance risks.
When processing employees’ personal information, the employee’s consent must be obtained, and it should be given in a voluntary and explicit manner on the basis of full knowledge. The employer must notify the employee about the purpose, processing method, type, and retention period of the personal information.
If a company decides to outsource their HR management to a third party, the employer shall agree with the HR agent on the purpose, time limit, and method of entrusted processing, type of personal information and protection measures, as well as the rights and obligations of both parties, and supervise the personal information processing activities of the HR agent.
According to the PIPL, when the entrustment contract is no longer effective, invalid, revoked, or terminated, the HR agent shall return the personal information to the employer or delete it, and shall not retain it.
When the cooperation of the employer with the third-party firm involves personal information processing, the employer should comply with its notification obligation and obtain separate consent from the employee.
Sensitive personal information is “the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14,” states the PIPL.
An employer can process its employees’ sensitive personal information for a specific purpose and sufficient necessity, only if strict protection measures have been taken and a separate consent has been given.
The employer must notify employees about necessary information such as the purpose, processing method, type, and retention period of the personal information to be collected, and must also inform employees of the necessity of processing their sensitive personal information.
Many companies transmit their employees’ personal information to their overseas headquarters (HQ) or allow the HQ access to their database. Such transmission or access is defined as “cross-border provision of personal information”.
To provide the employees’ personal information to an overseas HQ outside of China, the employer should obtain a separate consent and inform the employee of the name of the overseas HQ, its contact information, the purpose and method of processing, and the type of personal information involved.
After the consent is obtained, the organization is required to fulfill the other cross-border data transfer requirements. Employers should also conduct an assessment of the destination country to ensure that proper legislation is in place to protect an individual's data.
In the event of a data breach, the PIPL requires employers to take “immediate” remediation actions and notify the relevant agency and affected employees.
It is important that employers review their employment policies and identify any possible legal risks in order to implement solutions and the correct strategies in compliance with the PIPL.
With data growing rapidly and privacy regulations getting stricter, organizations should optimize their data and consent management systems.
The most important obligation under the PIPL is the need to obtain freely given consent, and with data being collected at such large volumes, it becomes extremely difficult to do this manually. Automated systems can facilitate the process and keep employment management compliant with the law.
To learn more about our services in China, contact our Head of Business Advisory - Ms. Kristina Koehler-Coluccia at firstname.lastname@example.org.
DISCLAIMER: All information in this article is verified to the best of our ability and is assumed to be correct at time of release; however, Woodburn Accountants & Advisors does not accept responsibility for any losses arising from reliance on the information provided within. The information provided is for general guidance and does not replace specialized advice.