catalog
general provisions
Chapter II Personal Information Processing Rules
Section 1 General Provisions
Section II Processing Rules of Sensitive Personal Information
Section 3 Special Provisions on the Handling of Personal Information by State Organs
Chapter III Rules for Cross border Provision of Personal Information
Chapter IV Individual Rights in Personal Information Processing Activities
Chapter V Obligations of Personal Information Processor
Chapter VI Departments Performing Personal Information Protection Responsibilities
Chapter VII Legal Liability
Chapter VIII Supplementary Provisions
general provisions
Article 1 This Law is formulated in accordance with the Constitution in order to protect the rights and interests of personal information, regulate the processing of personal information, and promote the rational use of personal information.
Article 2 The personal information of a natural person is protected by law, and no organization or individual may infringe upon the personal information rights and interests of a natural person.
Article 3 This Law shall apply to the processing of personal information of natural persons within the territory of the People's Republic of China.
This Law is also applicable to activities outside the People's Republic of China dealing with personal information of natural persons within the territory of the People's Republic of China under any of the following circumstances:
(1) For the purpose of providing products or services to domestic natural persons;
(2) Analyze and evaluate the behavior of domestic natural persons;
(3) Other circumstances stipulated by laws and administrative regulations.
Article 4 Personal information refers to all kinds of information related to identified or identifiable natural persons recorded electronically or in other ways, excluding information after anonymization.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.
Article 5 Personal information shall be processed in accordance with the principles of legality, legitimacy, necessity and good faith, and shall not be processed through misleading, fraud, coercion or other means.
Article 6 The processing of personal information shall have a clear and reasonable purpose, be directly related to the processing purpose, and adopt the method that has the least impact on personal rights and interests.
The collection of personal information shall be limited to the minimum scope for the purpose of processing, and shall not be excessive.
Article 7 The processing of personal information shall follow the principles of openness and transparency, disclose the rules of personal information processing, and clearly indicate the purpose, method and scope of processing.
Article 8 The processing of personal information shall ensure the quality of personal information and avoid adverse effects on personal rights and interests due to inaccurate and incomplete personal information.
Article 9 A personal information processor shall be responsible for its personal information processing activities and take necessary measures to ensure the security of the personal information it processes.
Article 10 No organization or individual may illegally collect, use, process or transmit the personal information of others, or illegally trade, provide or disclose the personal information of others; They shall not engage in personal information processing activities that endanger national security and public interests.
Article 11 The State shall establish and improve the personal information protection system, prevent and punish acts that infringe upon the rights and interests of personal information, strengthen the publicity and education of personal information protection, and promote the formation of a good environment for the government, enterprises, relevant social organizations and the public to participate in the protection of personal information.
Article 12 The State shall actively participate in the formulation of international rules for the protection of personal information, promote international exchanges and cooperation in the protection of personal information, and promote mutual recognition of personal information protection rules, standards, etc. with other countries, regions, and international organizations.
Chapter II Personal Information Processing Rules
Section 1 General Provisions
Article 13 A personal information processor may only process personal information if one of the following circumstances is met:
(1) Obtain individual consent;
(2) It is necessary for the conclusion and performance of a contract to which an individual is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated according to law and the collective contract signed according to law;
(3) Necessary for performing legal duties or obligations;
(4) It is necessary to respond to public health emergencies or protect the life, health and property safety of natural persons in emergencies;
(5) Implement news reporting, public opinion supervision and other behaviors for the public interest, and process personal information within a reasonable range;
(6) Dispose of personal information disclosed by individuals or other legally disclosed personal information within a reasonable range in accordance with the provisions of this Law;
(7) Other circumstances stipulated by laws and administrative regulations.
In accordance with other relevant provisions of this Law, personal consent shall be obtained for the processing of personal information, but it is not necessary to obtain personal consent in the case of the circumstances specified in Items 2 to 7 of the preceding paragraph.
Article 14 Where personal information is processed based on personal consent, the consent shall be made voluntarily and explicitly by the individual on the premise of full knowledge. Where laws and administrative regulations provide that individual consent or written consent shall be obtained for the processing of personal information, such provisions shall prevail.
If the purpose, method and type of personal information to be processed are changed, the individual consent shall be obtained again.
Article 15 Where personal information is processed based on personal consent, the individual has the right to withdraw his consent. The personal information processor shall provide a convenient way to withdraw consent.
The withdrawal of an individual's consent shall not affect the effectiveness of the personal information processing activities that have been carried out based on the individual's consent before the withdrawal.
Article 16 A personal information processor shall not refuse to provide products or services on the ground that an individual does not agree to handle his personal information or withdraws his consent; The processing of personal information is not necessary for the provision of products or services.
Article 17 Before processing personal information, a personal information processor shall truthfully, accurately and completely inform individuals of the following matters in a conspicuous manner and in clear and understandable language:
(1) The name and contact information of the personal information processor;
(2) The purpose and method of personal information processing, the type and storage period of personal information processed;
(3) The ways and procedures for individuals to exercise their rights under this Law;
(4) Other matters that shall be notified according to laws and administrative regulations.
If the items specified in the preceding paragraph are changed, the individual shall be informed of the changed part.
If the personal information processor informs the matters specified in the first paragraph by formulating personal information processing rules, the processing rules shall be made public and easy to consult and save.
Article 18 When processing personal information, a personal information processor may not inform individuals of the matters specified in the first paragraph of the preceding article if there are circumstances that should be kept confidential or need not be disclosed according to laws and administrative regulations.
If it is impossible to inform individuals in time to protect the life, health and property safety of natural persons in an emergency, the personal information processor shall inform them in time after the emergency is eliminated.
Article 19 Unless otherwise provided by laws and administrative regulations, the storage period of personal information shall be the shortest time necessary for the purpose of processing.
Article 20 Where two or more personal information processors jointly decide on the purpose and method of personal information processing, they shall agree on their respective rights and obligations. However, this agreement does not affect the right of individuals to request any one of the personal information processors to exercise the rights specified in this Law.
Personal information processors who jointly process personal information and cause damage to personal information rights and interests shall bear joint liability according to law.
Article 21 Where a personal information processor entrusts the processing of personal information, it shall agree with the trustee on the purpose, time limit, processing method, type of personal information, protection measures, rights and obligations of both parties, and supervise the trustee's personal information processing activities.
The trustee shall process personal information in accordance with the agreement, and shall not process personal information beyond the agreed processing purpose, processing method, etc; If the entrustment contract is invalid, invalid, revoked or terminated, the trustee shall return the personal information to the personal information processor or delete it, and shall not retain it.
Without the consent of the personal information processor, the trustee shall not entrust others to process personal information.
Article 22 Where a personal information processor needs to transfer personal information due to merger, division, dissolution, bankruptcy or other reasons, it shall inform the individual of the recipient's name and contact information. The receiving party shall continue to perform the obligations of the personal information processor. If the receiving party changes the original purpose and method of handling, it shall obtain individual consent again in accordance with the provisions of this Law.
Article 23 Where a personal information processor provides personal information processed by it to other personal information processors, it shall inform the individual of the recipient's name, contact information, processing purpose, processing method and type of personal information, and obtain the individual's separate consent. The receiving party shall process personal information within the scope of the above processing purposes, processing methods and types of personal information. If the receiving party changes the original purpose and method of handling, it shall obtain individual consent again in accordance with the provisions of this Law.
Article 24 When personal information processors use personal information to make automated decisions, they shall ensure the transparency of the decisions and the fairness and impartiality of the results, and shall not apply unreasonable differential treatment to individuals on transaction terms such as transaction prices.
Information push and commercial marketing to individuals through automated decision-making should also provide options that are not specific to their personal characteristics, or provide convenient means of rejection to individuals.
When making decisions that have a significant impact on personal rights and interests through automated decision-making, individuals have the right to ask personal information processors to explain, and have the right to refuse personal information processors to make decisions only through automated decision-making.
Article 25 A personal information processor shall not disclose the personal information it processes, except with the individual's separate consent.
Article 26 The installation of image acquisition and personal identification equipment in public places shall be necessary for maintaining public security, comply with the relevant provisions of the State, and set up prominent prompt signs. The collected personal images and identification information can only be used for the purpose of maintaining public security, and cannot be used for other purposes; Except with individual consent.
Article 27 A personal information processor may, within a reasonable range, process personal information that is disclosed by itself or that has been legally disclosed; Except those specifically rejected by individuals. A personal information processor shall obtain personal consent in accordance with the provisions of this Law if his handling of publicly disclosed personal information has a significant impact on personal rights and interests.
Section II Processing Rules of Sensitive Personal Information
Article 28 Sensitive personal information refers to personal information that, once disclosed or illegally used, is likely to cause the human dignity of a natural person to be infringed or the safety of person and property to be jeopardized, including biometrics, religious beliefs, specific identities, medical and health care, financial accounts, whereabouts and other information, as well as personal information of minors under the age of 14.
The personal information processor can only process sensitive personal information if it has a specific purpose and sufficient necessity and takes strict protection measures.
Article 29 The processing of sensitive personal information shall be subject to the individual's separate consent; Where laws and administrative regulations stipulate that the handling of sensitive personal information requires written consent, such provisions shall prevail.
Article 30 Where a personal information processor processes sensitive personal information, in addition to the matters specified in the first paragraph of Article 17 of this Law, it shall also inform the individual of the necessity of processing sensitive personal information and the impact on the individual's rights and interests; Except those that may not be notified to individuals in accordance with the provisions of this Law.
Article 31 Where a personal information processor processes the personal information of a minor under the age of 14, it shall obtain the consent of the minor's parents or other guardians.
Where a personal information processor processes personal information of minors under 14 years of age, it shall formulate special rules for personal information processing.
Article 32 Where laws and administrative regulations stipulate that the handling of sensitive personal information shall be subject to relevant administrative licensing or other restrictions, such provisions shall prevail.
Section 3 Special Provisions on Handling Personal Information by State Organs
Article 33 This Law shall apply to the activities of state organs in handling personal information; If there are special provisions in this section, the provisions in this section shall apply.
Article 34 In order to perform its statutory duties, state organs shall process personal information in accordance with the limits of authority and procedures prescribed by laws and administrative regulations, and shall not exceed the scope and limits necessary for the performance of statutory duties.
Article 35 In order to process personal information for the purpose of performing its statutory duties, a state organ shall perform its obligation of disclosure in accordance with the provisions of this Law; Except for the circumstances specified in the first paragraph of Article 18 of this Law, or the notification will hinder the state organs from performing their statutory duties.
Article 36 Personal information processed by state organs shall be stored within the territory of the People's Republic of China; If it is really necessary to provide it overseas, safety assessment shall be carried out. The safety assessment can require relevant departments to provide support and assistance.
Article 37 The provisions of this Law on the processing of personal information by state organs shall apply to the processing of personal information by organizations authorized by laws and regulations to manage public affairs in order to perform their statutory duties.
Chapter III Rules for Cross border Provision of Personal Information
Article 38 Where a personal information processor really needs to provide personal information outside the People's Republic of China due to business needs, it shall meet one of the following conditions:
(1) To pass the security assessment organized by the national network information department in accordance with the provisions of Article 40 of this Law;
(2) Personal information protection certification by professional institutions in accordance with the provisions of the national network information department;
(3) Conclude a contract with the overseas recipient according to the standard contract formulated by the national network information department, and agree the rights and obligations of both parties;
(4) Other conditions stipulated by laws, administrative regulations or the national network information department.
If the international treaties and agreements concluded or acceded to by the People's Republic of China have provisions on the conditions for providing personal information outside the People's Republic of China, such provisions may be followed.
The personal information processor shall take necessary measures to ensure that the activities of the overseas recipient in processing personal information meet the personal information protection standards specified in this Law.
Article 39 Where a personal information processor provides personal information outside the People's Republic of China, it shall inform the individual of the name or name of the overseas recipient, contact information, processing purpose, processing method, type of personal information, as well as the way and procedure for the individual to exercise the rights specified in this Law to the overseas recipient, and obtain the individual's separate consent.
Article 40 The operator of key information infrastructure and the personal information processor who processes personal information up to the amount specified by the national network information department shall store the personal information collected and generated within the territory of the People's Republic of China. If it is really necessary to provide it overseas, it shall pass the security assessment organized by the national network information department; If laws, administrative regulations and the national network information department stipulate that security assessment may not be carried out, their provisions shall prevail.
Article 41 The competent authorities of the People's Republic of China shall, in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China. Without the approval of the competent authorities of the People's Republic of China, personal information processors shall not provide personal information stored in the People's Republic of China to foreign judicial or law enforcement agencies.
Article 42 Where an overseas organization or individual engages in personal information processing activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China, or endanger the national security and public interests of the People's Republic of China, the national online information department may list them in the list of restrictions or prohibitions on the provision of personal information and make a public announcement, And take measures such as restricting or prohibiting the provision of personal information to them.
Article 43 Where any country or region takes discriminatory prohibition, restriction or other similar measures against the People's Republic of China in the protection of personal information, the People's Republic of China may take corresponding measures against that country or region according to the actual situation.
Chapter IV Individual Rights in Personal Information Processing Activities
Article 44 Individuals have the right to know and make decisions on the processing of their personal information, and have the right to restrict or refuse others to process their personal information; Unless otherwise provided by laws and administrative regulations.
Article 45 Individuals have the right to consult and copy their personal information from personal information processors; Except for the circumstances specified in Paragraph 1 of Article 18 and Article 35 of this Law.
Where an individual requests to consult or copy his/her personal information, the personal information processor shall provide it in a timely manner.
If an individual requests to transfer his/her personal information to the personal information processor designated by him/her and meets the conditions specified by the national network information department, the personal information processor shall provide the means of transfer.
Article 46 If an individual finds that his personal information is inaccurate or incomplete, he has the right to request the personal information processor to correct or supplement it.
If an individual requests to correct or supplement his/her personal information, the personal information processor shall verify his/her personal information and correct or supplement it in a timely manner.
Article 47 Under any of the following circumstances, the personal information processor shall actively delete personal information; If the personal information processor has not deleted, individuals have the right to request deletion:
(1) The processing purpose has been achieved, cannot be achieved or is no longer necessary to achieve the processing purpose;
(2) The personal information processor has stopped providing products or services, or the storage period has expired;
(3) Individual withdrawal of consent;
(4) The personal information processor processes personal information in violation of laws, administrative regulations or agreements;
(5) Other circumstances stipulated by laws and administrative regulations.
Where the storage period specified by laws and administrative regulations has not expired, or it is technically difficult to delete personal information, the personal information processor shall stop processing except for storing and taking necessary security protection measures.
Article 48 An individual has the right to ask the personal information processor to explain his personal information processing rules.
Article 49 If a natural person dies, his or her close relatives may, for their own legitimate and legitimate interests, exercise the right to consult, copy, correct or delete the relevant personal information of the deceased as prescribed in this Chapter; Unless otherwise arranged by the deceased.
Article 50 A personal information processor shall establish a convenient application acceptance and processing mechanism for individuals to exercise their rights. If an individual's request to exercise his rights is refused, the reasons shall be explained.
If a personal information processor refuses to request an individual to exercise his rights, the individual may bring a lawsuit to the people's court according to law.
Chapter V Obligations of Personal Information Processor
Article 51 A personal information processor shall take the following measures to ensure that personal information processing activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access, personal information disclosure, tampering lose:
(1) Develop internal management system and operating procedures;
(2) Classified management of personal information;
(3) Take corresponding security technical measures such as encryption and de identification;
(4) Reasonably determine the operation authority of personal information processing, and regularly conduct safety education and training for employees;
(5) Formulate and organize the implementation of emergency plans for personal information security incidents;
(6) Other measures stipulated by laws and administrative regulations.
Article 52 A personal information processor who processes personal information up to the amount specified by the national network information department shall appoint a person in charge of personal information protection to supervise the personal information processing activities and the protection measures taken.
The personal information processor shall disclose the contact information of the person in charge of personal information protection, and submit the name and contact information of the person in charge of personal information protection to the department performing the responsibility of personal information protection.
Article 53 A personal information processor outside the People's Republic of China as prescribed in the second paragraph of Article 3 of this Law shall establish a special agency or designate a representative within the territory of the People's Republic of China to handle matters related to the protection of personal information, and submit the name of the relevant agency or the name and contact information of the representative to the department performing the responsibility of personal information protection.
Article 54 A personal information processor shall regularly conduct compliance audits on its compliance with laws and administrative regulations in processing personal information.
Article 55 Under any of the following circumstances, the personal information processor shall evaluate the impact of personal information protection in advance and record the processing:
(1) Handling sensitive personal information;
(2) Use personal information for automated decision-making;
(3) Entrust the processing of personal information, provide personal information to other personal information processors, and disclose personal information;
(4) Providing personal information overseas;
(5) Other personal information processing activities that have a significant impact on individual rights and interests.
Article 56 The impact assessment of personal information protection shall include the following contents:
(1) Whether the purpose and method of personal information processing are legal, legitimate and necessary;
(2) Impact on personal rights and security risks;
(3) Whether the protective measures taken are legal, effective and compatible with the degree of risk.
The personal information protection impact assessment report and processing record shall be kept for at least three years.
Article 57 Where personal information is leaked, tampered with or lost, the personal information processor shall immediately take remedial measures and notify the department and individual performing the responsibility of personal information protection. The notice shall include the following items:
(1) Types, causes and possible hazards of personal information leakage, tampering and loss that have occurred or may occur;
(2) Remedial measures taken by personal information processors and measures that individuals can take to mitigate hazards;
(3) Contact information of personal information processor.
If the personal information processor takes measures that can effectively avoid the harm caused by information disclosure, tampering and loss, the personal information processor may not notify the individual; The department performing the responsibility of personal information protection has the right to require the personal information processor to notify the individual if it believes that there may be harm.
Article 58 Personal information processors who provide important Internet platform services, have a large number of users and complex business types shall perform the following obligations:
(1) Establish and improve the personal information protection compliance system in accordance with national regulations, and establish an independent body mainly composed of external members to supervise the protection of personal information;
(2) Follow the principles of openness, fairness and impartiality, formulate platform rules, and clarify the norms for products or service providers on the platform to handle personal information and their obligations to protect personal information;
(3) Stop providing services to the products or service providers on the platform that deal with personal information in serious violation of laws and administrative regulations;
(4) Periodically publish the report on social responsibility for personal information protection and accept social supervision.
Article 59 A trustee entrusted to process personal information shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information it processes, and assist the personal information processor in fulfilling its obligations under this Law.
Chapter VI Departments Performing Personal Information Protection Responsibilities
Article 60 The national network information department is responsible for the overall coordination of personal information protection and related supervision and management. The relevant departments of the State Council shall be responsible for the protection, supervision and administration of personal information within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
The responsibilities of the relevant departments of the local people's governments at or above the county level for the protection, supervision and administration of personal information shall be determined in accordance with the relevant provisions of the State.
The departments specified in the preceding two paragraphs are collectively referred to as the departments performing the responsibility of personal information protection.
Article 61 The department performing the personal information protection duty shall perform the following personal information protection duties:
(1) Carry out publicity and education on personal information protection, guide and supervise personal information processors to carry out personal information protection work;
(2) Receive and handle complaints and reports related to personal information protection;
(3) Organize the evaluation of the protection of personal information such as applications, and publish the evaluation results;
(4) Investigate and handle illegal personal information processing activities;
(5) Other duties stipulated by laws and administrative regulations.
Article 62 The national network information department shall coordinate with relevant departments to promote the following personal information protection work in accordance with this Law:
(1) Formulate specific rules and standards for personal information protection;
(2) Formulate special personal information protection rules and standards for small personal information processors, sensitive personal information processing, face recognition, artificial intelligence and other new technologies and applications;
(3) Support the research, development and application of secure and convenient electronic identity authentication technology, and promote the construction of network identity authentication public services;
(4) Promote the construction of the socialized service system for personal information protection, and support relevant institutions to carry out personal information protection assessment and certification services;
(5) We will improve the mechanism for personal information protection complaints and reports.
Article 63 The department performing the responsibility of personal information protection may take the following measures to perform the responsibility of personal information protection:
(1) Inquire relevant parties and investigate the situation related to personal information processing activities;
(2) Look up and copy contracts, records, account books and other relevant materials related to personal information processing activities of the parties;
(3) Carry out on-site inspection and investigate the suspected illegal personal information processing activities;
(4) Check the equipment and articles related to personal information processing activities; The equipment and articles that have been proved to be used for illegal personal information processing activities can be sealed up or detained after being reported in writing to the main responsible person of the department and approved.
The department performing the responsibility of personal information protection shall perform its duties according to law, and the party concerned shall provide assistance and cooperation, and shall not refuse or obstruct.
Article 64 If the department performing the responsibility of protecting personal information finds that there is a greater risk in personal information processing activities or a personal information security incident occurs in the course of performing its duties, it may interview the legal representative or the main person in charge of the personal information processor according to the prescribed authority and procedures, Or require personal information processors to entrust professional institutions to conduct compliance audits of their personal information processing activities. The personal information processor shall take measures as required to rectify and eliminate hidden dangers.
If the department performing the responsibility of personal information protection finds that the illegal handling of personal information is suspected of committing a crime in the course of performing its duties, it shall promptly transfer it to the public security organ for handling according to law.
Article 65 Any organization or individual has the right to make complaints and reports on illegal personal information processing activities to the department performing the responsibility of personal information protection. The departments receiving complaints and reports shall deal with them in a timely manner according to law and inform the complainants and informants of the results of their handling.
The department performing the responsibility of personal information protection shall publish the contact information of receiving complaints and reports.
Chapter VII Legal Liability
Article 66 Where personal information is processed in violation of the provisions of this Law, or the processing of personal information fails to fulfill the obligations of personal information protection under this Law, the department performing the duties of personal information protection shall order it to make corrections, give a warning, confiscate its illegal income, and order the application program of illegal processing of personal information to suspend or terminate its provision of services; If it refuses to make corrections, it shall be fined not more than one million yuan; The directly responsible person in charge and other directly responsible persons shall be fined not less than 10000 yuan but not more than 100000 yuan.
In case of any serious violation of the provisions of the preceding paragraph, the department responsible for personal information protection at or above the provincial level shall order it to make corrections, confiscate its illegal income, impose a fine of less than 50 million yuan or less than 5% of the turnover of the previous year, and may order it to suspend its relevant business or suspend its business for rectification Inform the relevant competent department of the revocation of the relevant business license or the revocation of the business license; The directly responsible person in charge and other directly responsible persons shall be fined not less than 100000 yuan but not more than 1 million yuan, and may decide to prohibit them from serving as directors, supervisors, senior managers and persons in charge of personal information protection of relevant enterprises within a certain period of time.
Article 67 Anyone who commits an illegal act as prescribed by this Law shall be recorded in the credit file and publicized in accordance with the provisions of relevant laws and administrative regulations.
Article 68 Where a State organ fails to perform its obligations of personal information protection as prescribed in this Law, its superior organ or the department performing its duties of personal information protection shall order it to make corrections; The directly responsible person in charge and other directly responsible persons shall be given sanctions according to law.
If the staff of the department performing the responsibility of personal information protection neglects their duties, abuses their power, or engages in malpractices for personal gain, which does not constitute a crime, they shall be punished according to law.
Article 69 Where the processing of personal information infringes upon the rights and interests of personal information and causes damage, and the personal information processor cannot prove that he is not at fault, he shall bear tort liability such as damages.
The liability for damages specified in the preceding paragraph shall be determined according to the losses suffered by individuals or the benefits obtained by personal information processors as a result; If it is difficult to determine the losses suffered by individuals and the benefits obtained by personal information processors, the amount of compensation shall be determined according to the actual situation.
Article 70 Where a personal information processor, in violation of the provisions of this Law, processes personal information and infringes upon the rights and interests of many individuals, the People's Procuratorate, the consumer organizations prescribed by law and the organizations determined by the national online information department may bring a lawsuit to the People's Court according to law.
Article 71 If a violation of the provisions of this Law constitutes a violation of the administration of public security, administrative penalties for public security shall be imposed according to law; If a crime is constituted, criminal responsibility shall be investigated according to law.
Chapter VIII Supplementary Provisions
Article 72 This Law is not applicable to natural persons who handle personal information for personal or family affairs.
Where laws provide for the processing of personal information in statistical and archival management activities organized and implemented by people's governments at all levels and their relevant departments, such provisions shall apply.
Article 73 For the purpose of this Law, the meanings of the following terms are as follows:
(1) Personal information processors refer to organizations and individuals that independently decide the purpose and method of processing in personal information processing activities.
(2) Automated decision-making refers to the activity of automatically analyzing and evaluating individual behaviors, hobbies or economic, health, credit status, etc. through computer programs, and making decisions.
(3) De identification refers to the process that personal information is processed so that it cannot identify a specific natural person without the help of additional information.
(4) Anonymization refers to the process in which personal information cannot be identified and recovered after being processed.
Article 74 This Law shall come into force as of November 1, 2021.