

PIPL Compliance of Multinational Company (I)

Following the promulgation of the Personal Information Protection Law of the People's Republic of China (hereinafter the “PIPL”) in November 2021, the legal systems regarding personal information protection in China have been improving gradually. It has become an urgent task for multinational companies to review the compliance of their cross-border activities under China's personal information protection regime. We have provided PIPL compliance advice to numerous multinational companies on cross-border data processing, which enables us to understand and interpret the practical requirements of the PIPL. Based on our experience, we will publish 3 articles analyzing, from a practical perspective, how multinational companies balance the costs and risks of compliance under the PIPL.

This is the first article. We discuss how multinational companies can improve their compliance system under the PIPL from the following perspectives:

  • Foreign websites face a lower risk of being subject to the extraterritorial jurisdiction of the PIPL, but the risk is higher for establishing Chinese websites and for internal cross-border data flows within an international group;

  • In addition to the individual's consent, necessity for human resource management and for the performance of contractual obligations can also serve as the legal basis for collecting and processing personal information;

  • Evaluating and improving companies' privacy policy and cookie policy;

  • Performing the duty of notification when processing the data of employees;

  • Anonymizing personal information to avoid constituting transmission of personal information.

1. Where overseas collection and processing of personal information is subject to the extraterritorial jurisdiction of the PIPL

Multinational companies usually have multiple subsidiaries or branches worldwide. If their overseas headquarters/subsidiaries/branches process the personal information of natural persons in China’s territory (including not only PRC nationals, but also foreign nationals in China’s territory), and this satisfies the conditions in Clause 2 of Article 3 of the PIPL, the PIPL has extraterritorial jurisdiction over such overseas entities. The PIPL applies to overseas companies under the following circumstances: (1) processing with the purpose of providing products or services to PRC natural persons; (2) analyzing and evaluating the activities of PRC natural persons; and (3) other circumstances stipulated by laws and administrative regulations.

We once offered advice on data compliance under the PIPL for an overseas bank in North America which provided online account opening services to PRC residents. In this matter, it is relatively unlikely that the overseas bank's collection of Chinese clients' information through its website will be determined as "analyzing and evaluating the activities of PRC natural persons", but it is highly likely that it will be determined as "with the purpose to provide products or services to PRC natural persons". Because the collection of Chinese clients' information is to facilitate more banking services to PRC residents, it should be subject to the extraterritorial jurisdiction of the PIPL.

In practice, the risk of being subject to the extraterritorial jurisdiction of the PIPL varies with the circumstances. From the regulator's perspective, we understand there is relatively little possibility and risk of triggering the extraterritorial supervision of the PIPL when the collection and processing of data happens as individuals in China access foreign websites. However, the following circumstances may pose higher risks:

a) Setting up websites in Simplified Chinese, targeting individuals in China, and promoting the company’s products and services

Under such circumstances, the multinational company is highly likely to be determined to be an overseas personal information processor according to Section 2 of Article 3 of the PIPL, because its purpose of providing products or services to PRC natural persons is highly obvious.

b) Cross-border Internal Data Flows of Multinational Companies

We once advised a European bank on information sharing between its China branch and its headquarters in Europe. In practice, there are mainly two ways for a domestic company of a multinational group to transfer personal information overseas: (1) to transfer personal information collected by it through an outsourcing agreement to an overseas server and to deliver the same to the owner of the server (which is not a member of the multinational group) for processing; or (2) to transfer personal information collected in China to a central server held by its overseas headquarters, or to use the computer system within the multinational group to transfer the data to an overseas member of the group. We understand that the second way is the information sharing method adopted by this bank between its PRC branch and its overseas headquarters. It is highly possible that the data flow within the bank will be determined to be a kind of cross-border data transfer and that the PRC branch may be required to undertake the obligations of cross-border transfer of personal information. Such actions will be subject to supervision under the PIPL. We will elaborate in our next article on what should be taken care of in the cross-border transfer of personal information.

c) Large Amount of Personal Information Processed by Overseas Companies

PRC laws and regulations do not expressly define the term "large amount". By reference to Section 1, Article 9 of the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft), if the data to be transmitted abroad contains, or contains in aggregate, the personal information of more than 500,000 users, the network operators should report to the competent authority or supervisory department to organize a security assessment. Therefore, if the volume of PRC personal information processed by an overseas company is huge (for example, over 500,000 individuals), the company may be at high risk of being subject to extraterritorial supervision under the PIPL.

2. Fully Establishing the Legal Basis for the Collection and Processing of Personal Information

When collecting or processing personal information of PRC natural persons, multinational companies should fully establish and evaluate the legal basis for such activities. Article 13 of the PIPL establishes an "inform-consent" principle for personal information processing, and provides six exemptions from individual consent. We suggest that multinational companies pay special attention to the following:

a) Method of Obtaining Individual Consent

An audit trail shall be available for obtaining individual consent. According to Article 69 of the PIPL, the principle of liability fixation for personal information processors is "the principle of presumption of fault", that is to say, personal information processors who want to be exempted from liability shall bear the burden of proof that they are not at fault. This places a higher requirement for evidence preservation on personal information processors. Therefore, in order to avoid evidentiary difficulties in disputes, multinational companies, as personal information processors, are advised to make proper records and archive the procedures of obtaining individual consent, compliance audit and impact assessment on personal information protection, and to be cautious in applying any other legal basis in addition to individual consent, so as to better protect their rights and interests in disputes.

b) The Risk of Violating the PIPL Without Individual Consent is Low for the Following Legal Basis

If a multinational corporation (i) as one of the parties to a contract, collects and processes personal information to achieve the purposes of concluding and performing the contract, (ii) collects employees' personal information for the purpose of human resource management, or (iii) collects personal information for the performance of legal duties or obligations, the individual's consent can be exempted. Therefore, if a multinational company conducts any of the aforesaid activities, the risk of violating the PIPL is relatively low even if the individual's consent is not obtained. Nevertheless, we still recommend that our clients take legal advice from professionals before they adopt the above items as the legal basis.

3. Evaluating and Refining the Company’s Privacy Policy and Cookie Policy

a) Evaluating and Refining the Company’s Privacy Policy

Under PIPL, the principles of openness and transparency should be followed in processing personal information. Multinational companies are therefore advised to explicitly indicate a privacy notice/policy/statement on their websites or elsewhere where personal information of users may be involved, to alert users and obtain their consent. To be compliant under PIPL, the privacy policy shall mainly include the following contents: (i) the name and contact information of the processor, (ii) the purpose and method of processing, (iii) the types of information collected and processed and the storage period, and (iv) the way and procedure for the data subject to exercise their legal rights.

b) Evaluating and Refining Cookie Policy

Although the cookie policy is not an essential element of a website under PIPL, in our observation, most companies display their cookie policy on their websites in practice. In order to meet the compliance requirements of the PIPL and other relevant laws and regulations, the multinational company is advised to display its cookie policy and set up the Chinese version thereof. The cookie policy can be placed alongside the privacy statement, or presented separately for users to tick or choose. For example, in one of the matters we were engaged in, the client provided its cookie policy on its website with the options of deleting cookies, clearing cookies and blocking cookies for users to choose at their own discretion.

4. Reviewing the Compliance of Processing Employees’ Data

a) Reference Checks and Human Resource Management

According to Article 13.1.(2) of the PIPL, a company's collection or processing of an employee's personal information could be based on the following two approaches, which do not require the employee's consent:

(i) Reference checks: necessary for the conclusion and performance of a contract to which an individual is a party

According to Article 8 of the Labor Contract Law, an employer is entitled to know an employee's basic information in relation to the labor contract, and the employee shall truthfully provide relevant information. Therefore, if the purpose of the reference check is to collect and process an employee's basic information in relation to the labor contract for better performance of the labor contract, the employer may process the employee's personal information without the employee's consent.

(ii) Human resource management: with reference to internal labor rules and regulations legally formulated and collective contracts legally concluded

In addition to the employee’s basic information mentioned in the item (i), companies may also need to collect other personal information of employees to meet the needs of human resources management, such as salary information, sick leave information, attendance information, etc. Generally speaking, companies may stipulate and publicize the collection and processing of employees' personal information in the company's labor rules and regulations formulated in accordance with the laws, but the collection and processing of such information shall be limited to the range of "necessary for human resources management". Companies shall not arbitrarily collect and process employees' sensitive personal information such as religious belief and whereabouts and tracks merely for the purpose of human resources management.

b) Content and Manner of Notification by the Employer

Under the PIPL, as an employer, a company shall, when collecting and processing employees' personal information and performing its duty of notification to employees during induction, training and other human resources management activities, comply with the following requirements of PIPL in terms of contents and manners:

(i) Companies shall inform employees of the name and contact information of the personal information processor, purpose and method of processing, information types, storage period and location in a concise, transparent, easy-to-understand and obvious way.

(ii) Separate consents from the employees shall be obtained before processing employees’ sensitive personal information. Companies shall inform employees of the necessity and impact of such processing, conduct an impact assessment on personal information protection in advance and keep records of processing afterwards.

(iii) Companies shall inform employees of their legal rights and provide convenient and feasible channels for exercising such rights.

When entrusting a third party to collect or process employees' personal information, companies shall inform employees of the name and contact information of the third party and enter into an agreement with the third party on its rights and obligations such as the processing method, information types, purposes and period. Companies are also required to supervise the third party's processing of personal information under PIPL.

5. De-identification and Anonymization of Personal Information

The definition of personal information under the PIPL explicitly provides that the information of individuals before anonymization is personal information, which shall be protected by the PIPL. Article 51 of PIPL stipulates the obligations of the personal information processor to prevent divulgence, falsification and loss of personal information, including adopting corresponding technical security measures such as encryption and de-identification. Therefore, multinational companies are advised to adopt necessary technical measures regarding de-identification and anonymization of personal information if they store such information.

In a project that we participated in, a Hong Kong-based bank used an identity information comparison service to help PRC customers open bank accounts in Hong Kong. In this project, although the identity information comparison service provider encrypted the comparison result during cross-border data flow, the comparison result was finally decrypted before being presented to the HK bank. From our understanding, the clients' personal information was not successfully anonymized and cross-border flow of such personal information shall still be governed by the PIPL.

We will continue to share our understandings in the next two articles on how multinational companies balance risks and costs under the PIPL.

