The Personal Information Protection Law (the “PIPL”) is China’s primary data protection law and is widely regarded as comparable to regulations such as the CCPA and the GDPR. The law is designed to protect the personal information rights of natural persons within China. The PIPL came into effect on November 1, 2021. It prescribes obligations for personal information handlers and entrusted processors, restrictions on cross-border transfers, lawful bases for processing, and hefty fines. These requirements have a significant effect on processing in the employment context, including multinational companies’ HR activities such as recruitment, performance monitoring and cross-border transfers. The PIPL also applies extraterritorially: if an offshore employer processes the personal information of individuals in China (for example, employees) for the purpose of analyzing or assessing their behavior, or in other circumstances specified under Chinese laws and regulations, the employer is required to fulfill the PIPL obligations.
This article provides a guide for the Human Resource Management Team (HRM Team) of an organization aiming to comply with the PIPL. Following are the key obligations under the PIPL that an HRM Team must consider while handling personal data of job applicants and current and former employees.
Employer’s Obligations Under the PIPL:
1. Lawful basis of processing:
Article 13 of the PIPL provides that employers may not process the personal information of job applicants, current employees or former employees without a lawful basis. The following are the bases that an employer can rely on to process the data of prospective, current and former employees:
- Processing is necessary to conclude or perform a contract to which the employee is a party, or is necessary for human resources management carried out under lawfully adopted labor rules and collective contracts; or
- Fulfilling statutory obligations; or
- Responding to a public health emergency, or protecting the life, health or property of a natural person in an emergency; or
- News reporting or public-opinion supervision carried out in the public interest, within a reasonable scope; or
- Processing, within a reasonable scope, personal information that the employee has disclosed themselves or that has otherwise been lawfully disclosed; or
- The employee has given consent to data processing.
Securiti’s Data Mapping Solution enables organizations to conduct effective and automated data mapping that can help organizations identify the correct legal basis and ensure lawful data processing.
Consent requirements in the employment context:
Beyond the general lawful bases, the PIPL requires an employee’s “separate consent” (a specific, stand-alone consent rather than blanket acceptance of a privacy policy) in certain circumstances. These circumstances are:
- Under Article 23 of the PIPL, employers are required to obtain separate consent from an employee before providing their personal information to another personal information handler (a third party).
- As per Article 25 of the PIPL, separate consent of an employee needs to be obtained before publicly disclosing an employee’s personal information.
- Under Article 26, separate consent is needed to use an employee’s personal image or identifying information collected by image-capture or personal-identification equipment for any purpose other than maintaining public security.
- Under Articles 28 and 29 of the PIPL, biometric data, health data and location tracking data are sensitive personal information, and separate consent must be obtained before processing them. Sensitive personal information may only be processed where there is a specific purpose and sufficient necessity, and strict protective measures must be in place.
- Under Article 39, separate consent needs to be obtained before an employee’s personal information is transferred to overseas recipients.
Please note that consent must be voluntary, explicit and fully informed (Article 14). If there are material changes to the purpose or manner of processing or to the categories of personal information processed, the employer must obtain the employee’s consent again. Furthermore, employers should ensure that they process the personal information of employees for a clear and reasonable purpose and in a manner that is the least intrusive and limited to the minimum scope necessary. The employer must ensure complete compliance with all of the personal information processing principles when handling employees’ personal information.
Securiti offers a consent management solution to simplify compliance. This solution will let organizations obtain and keep track of the consent while maintaining comprehensive reports.
2. Providing privacy notices to employees:
The PIPL (Article 17) requires employers to give employees a privacy notice before any personal information is “handled”. The notice must state the identity and contact details of the employer, the purposes and methods of handling, the categories of personal information handled, the retention period, and the procedures for exercising rights under the PIPL. It should also disclose the existence of any monitoring or surveillance activity in the workplace, the purposes for which that data is processed, and any other information necessary to guarantee fair processing. These privacy notices should be provided in a clear, truthful and easily understood manner.
Securiti helps revamp your privacy notice and simplify the creation process. This module can help you manage your privacy notices and keep them in line with the requirements set by privacy regulations.
3. Data retention:
The PIPL does not state exactly how long an employer may retain an employee’s personal information after the employee has left the organization; Article 19 only requires that the retention period be the shortest time necessary to achieve the purpose of processing, unless another law or regulation sets a period. In practice it is often advised that a former employee’s personal information be erased 3 years after their employment has been terminated, subject to any statutory record-keeping obligations.
4. Transfers of employee data:
1. Overseas transfers
Articles 38, 39 and 40 of the PIPL govern cross-border transfers. Under Article 39, an employer must obtain the employee’s separate consent before transferring their personal information outside China, and must first provide a notice explaining the details of the transfer. The notice should include the following:
- Foreign recipient name or personal name;
- Contact method,
- Purpose of processing and processing methods; and
- Personal information categories, as well as ways for employees to exercise their rights under the PIPL with the foreign recipient, or other matters related to transfer.
Failure to do so is a breach of this provision and may result in fines and penalties.
Consent alone is not sufficient. After consent is obtained, the organization must also satisfy one of the transfer mechanisms in Article 38 (a security assessment organized by the Cyberspace Administration of China, a personal information protection certification, or a standard contract with the overseas recipient), conduct a personal information protection impact assessment before the transfer (Article 55), and take the necessary measures to ensure that the overseas recipient’s processing meets the standard of protection required by the PIPL. Employers should therefore assess the legal environment of the destination country and the safeguards offered by the recipient.
Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers from the EU and remediate discovered vendor risks.
2. Third-party transfers
For transfers to a third party within China, the employer must obtain the employee’s separate consent before providing their personal information to another handler (Article 23), and must inform the employee of the recipient’s identity, contact details, purposes and methods of processing, and the categories of information involved. Separate consent is not the only obligation. If an employer engages a third party (e.g., a human resources service provider or payroll processor) to process employees’ personal information on its behalf, the employer must carry out a personal information protection impact assessment in advance (Article 55), conclude an agreement with the processor specifying the purpose, duration, method, categories of data and security measures (Article 21), and supervise the third party’s processing of that information.
For example, if an employer outsources payroll services, it should obtain separate consent from its employees for the transfer of their personal information to the payroll provider, document the provider’s obligations in a written agreement, and periodically verify that the provider handles the data only as instructed.
Securiti’s Vendor Management Solution allows organizations to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with the PIPL.
5. Data Breach Management
In the event of a data breach (a leak, tampering or loss of personal information, or the risk of one), Article 57 of the PIPL requires employers to take “immediate” remedial measures and to notify the relevant authorities and the affected employees. The notification should describe the categories of information involved, the causes and possible harm, the remedial measures taken, the steps employees can take to mitigate harm, and the employer’s contact details. Notification of individuals may be omitted only where the remedial measures can effectively avoid harm, unless the authorities require it.
Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notifications within hours of a security incident.
6. Security Requirements
Under the PIPL, there are certain security requirements that employers must abide by in order to stay compliant. These requirements are as follows:
- Implement classified management system of data.
- Formulate internal management structures and rules.
- Regular compliance audits.
- Adoption of corresponding technical security measures.
- Employee Awareness & Training.
- Individual rights request mechanism.
Employees Rights:
Under the PIPL, employees are given the following rights:
- Employees have the right to know about the processing of their personal information. For example, if surveillance cameras are installed at the workplace, the employees should be informed.
- Employees have the right to access their personal information in a timely manner. For example, an employee can ask for his/her leave record.
- Employees have the right to correction of their incomplete or inaccurate personal information. Where employees request to correct or complete their personal information, employers are required to verify the personal information and correct or complete it in a timely manner.
- Employees can have their stored personal information deleted. Under Article 47, the employer must delete it on its own initiative, or at the employee’s request, in the following circumstances:
- The purpose of processing has been achieved or the information is no longer necessary for that purpose.
- The agreed retention period has expired.
- The employer ceases the provision of its products or services.
- The employee rescinds his/her consent.
- The employer is processing the information in violation of laws, regulations or agreements.
- Employees have the right to request employers explain their processing rules.
- Employees can request an employer to transfer their personal information to another employer. Specific conditions for porting data will be determined by state cybersecurity and information departments.
Employers are required to fulfill the DSR requests of their employees in a timely manner.
Securiti offers the DSR Automation Solution to help organizations honor all rights and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.
Consequence of non-compliance:
Non-compliance with the law can result in various fines and penalties. Under Article 66, the departments fulfilling personal information protection duties may order the organization to correct the violation, issue a warning, confiscate unlawful income, or order the suspension of the processing activity or of the business. The PIPL prescribes the following penalties for violations and non-compliance:
- An organization that refuses to correct a violation may be fined up to RMB 1 million, and the personnel directly responsible may be fined between RMB 10,000 and RMB 100,000.
- If the violation is considered serious, the fine may be increased to up to RMB 50 million or 5% of the organization’s turnover in the previous year, and the authorities may also order suspension of business or revocation of licenses.
- In serious cases, the personnel directly responsible may be fined between RMB 100,000 and RMB 1 million and may be prohibited from serving as a director, supervisor, senior manager or personal information protection officer for a period of time.
- The PIPL also provides a private right of action to individuals.
Operationalizing the PIPL
In order to achieve compliance, HR management needs to honor the aforementioned obligations. This can be done in the following ways:
- Disclose how employees’ data is being processed through transparent formal policies.
- Develop formal policies and procedures for data collection and handling.
- Update privacy policies as needed.
- Ensure privacy policies and notices are easily accessible.
- Review and update processes.
- Maintain proper documentation.
Manual methods come with a flurry of obstacles such as high costs and the risk of human error. In this day and age, organizations need to incorporate the help of automation to ensure compliance with privacy regulations such as China’s PIPL.
Securiti’s Sensitive Data Intelligence Solution enables organizations to discover, analyze, and protect large datasets. It offers organizations a 360-degree solution to all their compliance needs. Watch a demo of Securiti’s Sensitive Data Intelligence solution and start your journey to PIPL compliance.
Conclusion
With data growing rapidly and employee obligations getting more strict, organizations need to start optimizing their data and consent management systems. The most important obligation under China's PIPL is the need to obtain freely given consent and with data being collected at such large volumes, it becomes virtually impossible for this to be done through manual methods. Organizations need to start considering the adoption of automated processes to keep them compliant with China’s PIPL as well as privacy regulations around the world.
See how Securiti can help you get automated. Request a demo today.