China's Personal Information Protection Law (PIPL)

About China Privacy Law (PIPL) For Data & Information

The top legislative body in the People’s Republic of China passed the Personal Information Protection Law on August 20, 2021. It is China’s first comprehensive law in the personal information protection domain and is based on China’s Constitution. It took effect on November 1, 2021.

Who must comply with China's Personal Information Protection Law?

This law applies to the processing of personal information of natural persons within the territory of the People’s Republic of China.

This law also applies to the processing of personal information of natural persons outside the People’s Republic of China under any of the following circumstances:

  • For the purpose of providing products or services to natural persons within the territory.
  • To analyze and evaluate the behavior of natural persons within the territory.
  • Other circumstances stipulated by laws and administrative regulations.

Who Enforces China's Personal Information Protection Law (PIPL)?

If a processing entity violates the requirements under the PIPL, regulators may order it to take corrective actions, issue warnings, confiscate illegal income, suspend services or issue a fine. The fine can be up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year (Article 66).

Key highlights of China's PIPL:

  • Personal Information: Personal information is any kind of information related to an identified or identifiable natural person, recorded electronically or by other means, excluding anonymized information. (Article 4)
  • Data Subject Rights: The PIPL provides data subject rights which largely mirror those provided by the GDPR.
  • Privacy Assessment: Article 55 of the China PIPL requires a personal information protection impact assessment (the PIPL equivalent of a DPIA) to be conducted when personal information processing activities have a significant impact on personal rights and interests.
  • Consent: Consent under the PIPL shall be given voluntarily and explicitly by the individual, with full knowledge of the processing.

China’s PIPL Data Subject Rights: (Articles 44-50)

Under PIPL, individuals have the following rights:

  1. Right to know: Individuals have the right to know about and make decisions on the processing of their personal information. (Article 44)
  2. Right to restrict or refuse processing: Individuals have the right to restrict or refuse the processing of their personal information by others. (Article 44)
  3. Right to data portability: Individuals have the right to consult and copy their personal information held by the personal information processor. (Article 45)
  4. Right to rectify: If an individual discovers that his or her personal information is inaccurate or incomplete, he or she has the right to request the personal information processor to correct or supplement it. (Article 46)
  5. Right to deletion: Individuals have the right to request deletion of their personal information. (Article 47)
  6. Right to understand the processor’s processing rules: Individuals have the right to request that personal information processors explain their personal information processing rules. (Article 48)

Legal basis: (Article 13)

Processing of personal information is lawful only if one of the following circumstances is met:

  1. Personal consent: The individual’s consent has been obtained.
  2. Performance of a contract: Necessary for the conclusion and performance of a contract to which the individual is a party, or necessary for the implementation of human resource management.
  3. Statutory duties or statutory obligations: Necessary to perform statutory duties or statutory obligations.
  4. Vital interest: Necessary to respond to public health emergencies, or to protect life.
  5. Public interest: Carrying out news reporting, public opinion supervision and other acts in the public interest.
  6. Self-disclosed or legally disclosed personal information: Processing personal information disclosed by the individuals themselves or otherwise legally disclosed.
  7. Other circumstances stipulated by laws and administrative regulations.

Cross-border transfer of personal information: (Articles 38-43)

If a processor needs to provide personal information outside the People’s Republic of China for business reasons, it shall meet one of the following conditions:

  1. Provide individuals with specific information about the transfer and obtain their separate consent.
  2. Adopt the necessary measures to ensure that the overseas recipient provides the same level of protection as required under the PIPL.
  3. Carry out a personal information protection impact assessment.
  4. Other conditions stipulated by laws, administrative regulations, or the national cyberspace administration department.

Data Protection Impact Assessment: (Article 55)

In the following situations, a personal information protection impact assessment must be conducted in advance and the processing situation recorded:

  1. Processing sensitive personal information.
  2. Using personal information for automated decision-making.
  3. Entrusting the processing of personal information to another party, providing personal information to other personal information processors, or disclosing personal information.
  4. Providing personal information abroad.
  5. Other personal information processing activities that have a significant impact on personal rights and interests.

How Mandatly helps you achieve China's PIPL compliance

Mandatly’s PIPL compliance solution goes beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and reduce privacy risks.

  • Consumer Rights: End-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill consumer requests timely, securely, and efficiently.
  • Data Inventory and Mapping: Maintain your data sources and map data flows to meet the PIPL 'Lookback' requirements.
  • Privacy Assessments: Bundled with intelligence to uncover and assess the privacy risks your business can be exposed to.
  • Privacy Notices: Generate privacy notices for your website or applications to keep your customers informed about how their personal information is collected, processed, and shared.
  • Do Not Sell My Information: Enables customers to opt out of the cookie-based and non-cookie-based sale of personal information.
  • Analytics: Reporting features are built into the system to give different stakeholders a holistic view of the compliance program.
