By: 上海君倫律師事務所
At the end of last year, the draft Personal Information Protection Law (the "Draft") was released for public comment. As a fundamental law, the Personal Information Protection Law (the "Law") is likely to be enacted this year. Which kinds of enterprises will the Law affect? Who needs to pay attention to the legality of personal information processing? How must personal information be handled to stay within the law? This guide addresses these questions.
Q1. Which enterprises should pay attention to the legal supervision of personal information processing?
A1. A common misconception is that only internet companies need to pay attention to the legal supervision of personal information processing. In fact, whether in traditional industries or in emerging business models, almost every enterprise processes personal information in the course of its operations.
For example: facial recognition or fingerprint access control and attendance systems, collection of employees' personal information at the recruitment and hiring stage, user information forms filled in on a customer's first visit to a store, and participant information collected through H5 event registration links. As a result, most enterprises fall within the scope of the Law.
Q2. Which "personal information processing" activities are subject to supervision?
A2. To answer which personal information processing activities face legal supervision, one must first be clear about what personal information is and what processing of personal information means.
Q2.1. What is personal information?
A2.1. The Draft broadly defines personal information as "all kinds of information relating to an identified or identifiable natural person". As technology advances, personal information is no longer limited to familiar items such as name, ID number and telephone number; data that can identify an individual, such as consumption records, search records and IP addresses, may also fall within the scope of legal protection.
Q2.2. What counts as a personal information processing activity?
A2.2. Within the scope of legal protection, the "processing" of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information, among other activities. In other words, every activity across the entire life cycle of an individual's information is regulated by the law.
Q3. How must personal information be handled to be lawful?
A3. The Draft requires that personal information be processed in a lawful and legitimate manner, for a clear purpose and within the minimum necessary scope, under open and transparent processing rules, with the information kept accurate and up to date, with its security protected, and with accountable controls. In principle, an enterprise must implement "notice + consent" at every stage: collection, use, processing, provision and disclosure. That means notifying the subject of the processing rules and obtaining the subject's voluntary and explicit consent, given on a fully informed basis.
Q3.1. How should personal information be collected?
A3.1. In principle, personal information is collected on the basis of "notice + consent", and a channel for withdrawing authorization must be provided at the same time. The scope of collection is determined by the purpose of collection, and the information processing rules must be publicly disclosed and easy for the subject to consult and retain.
Q3.1.1. What should be done in an online environment?
A3.1.1. The "privacy policy" that users are asked to agree to and confirm on an online platform is the usual form of authorization for collecting personal information, but privacy policies often cannot be downloaded or copied. To meet the requirement that the rules be "easy to consult and retain", enterprises should consider adding a way to save the privacy policy, for example by making it downloadable as a PDF or providing a shareable link.
In addition, given the requirement of a clear purpose and minimum scope, when an app requests permissions on the user's device such as contacts, location, camera or microphone, it should request only those related to the service it provides and state the purpose of each request. Unless a permission is necessary to provide the service, the user may refuse it and continue to use the app as normal.
For example: for an app that provides financial lending services, the user's contact list is generally not information necessary for providing the lending service. If the user refuses to provide contact list information, the financial institution may not refuse to provide the lending service on that ground.
Q3.1.2. What should be done in offline business?
A3.1.2. Internally, every enterprise collects personal information when recruiting and hiring. Externally, providing services or selling products to individual customers may also involve collecting personal information.
For example:
First-time customers filling in an information form at a store
Job application forms and onboarding registration information
Collecting fingerprints or facial data of hired employees for attendance tracking
Publicly disclosing processing rules is less common in offline collection scenarios, but it is just as important. Enterprises are advised to classify their collection activities by the purpose of collection and to establish a separate mechanism for disclosing the processing rules for each, for example by printing the personal information processing rules on the back of the personal information registration form, or by issuing a separate personal information processing notice.
Q3.2. How should personal information be used?
A3.2. In principle, an enterprise must use personal information only in the manner and within the scope consented to by the information subject. Online and offline businesses use personal information in quite different ways, and the points requiring attention differ accordingly.
Q3.2.1. What should be done in an online environment?
A3.2.1. Online, personal information is commonly used through "automated decision-making". Most enterprises in the information age should focus on the transparency of automated decisions and the fairness and reasonableness of their outcomes, and should provide users with a means of remedy where a decision has a major impact on their rights and interests.
For example: where a personal loan limit is set by automated decision-making, the enterprise should inform users through its privacy policy of the existence of the automated decision-making, its basic operating logic and its impact on the individual, and should offer an option to turn automated decision-making off. Where an individual refuses to accept a limit determined solely by automated decision-making, the loan limit should be reviewed manually.
Q3.2.2. What should be done in offline business?
A3.2.2. In offline operations, providing personal information to third parties is more common, and also more easily overlooked.
For example:
Entrusting non-core matters such as background checks on incoming candidates and employees' social insurance contributions to a third party
Providing individual customer, supplier or employee information to group companies
If, in the course of using it, an enterprise provides collected personal information to a third party, it must obtain the information subject's separate consent for that provision. At the same time, the entrustment contract should precisely allocate the two parties' rights, obligations and responsibilities for protecting the personal information.
Q3.3. How should personal information be stored?
A3.3. Online or offline, an enterprise that has collected personal information is obliged to safeguard it properly. It should apply measures such as encryption and de-identification to the storage media, define the operating permissions of the relevant roles, and strengthen training for information management roles; it should retain the information only for the shortest period necessary to achieve the processing purpose, while complying with statutory retention periods. Enterprises are therefore advised to classify personal information by retention period and to delete expired information promptly in accordance with law.
For example:
Financial institutions must retain customer service information for at least five years under the Anti-Money Laundering Law;
Under the Labor Contract Law, enterprises must keep the text of labor contracts that have been rescinded or terminated for at least two years for reference.
Personal information processing is everywhere, and the law's requirements for it cover every aspect; habitual practices may carry hidden legal consequences. Enterprises, as information processors, should build risk awareness as early as possible, review each link in their operations and management against their business model, and establish personal information processing rules for each type of processing, so as not to be caught unprepared once the Personal Information Protection Law takes effect.