The Personal Information Protection: Foreign Bank's Guidance


Recently, China promulgated the Personal Information Protection Law (“PIPL”), the first comprehensive personal data protection law in China. The PIPL came into effect on November 1, 2021. The principle of "extraterritorial jurisdiction" of the PIPL means that it will impact Chinese entities as well as overseas financial institutions with cross-border operations in China. This requires overseas and multinational financial institutions to review and update their existing compliance systems for protecting personal information according to the PIPL. Based upon our practical experience, this article highlights the requirements of the PIPL on the processing of personal information by overseas financial institutions and the cross-border transmission of personal information, so as to provide suggestions for overseas financial institutions in their cross-border financial businesses in China.
01 PIPL has extra-territorial effects
According to paragraph 2, Article 3 of the PIPL, under any of the following circumstances, PIPL shall apply to the activities of processing the personal information of natural persons in China by processors outside of the territory of the People's Republic of China (“PRC”): (1) the provision of products or services to natural persons in China; (2) the analysis or assessment of the behaviors of natural persons in China; and (3) other circumstances as provided by laws or administrative regulations.
In practice, large overseas financial institutions, especially financial institutions in Hong Kong, are frequently involved in providing products or services to individual clients in China or in analyzing and assessing the financial activities of individual clients in China. Under the extra-territorial effects of the PIPL, such overseas financial institutions and their activities relating to personal information of natural persons in the PRC shall be governed by the PIPL.
Read literally, paragraph 2, Article 3 of the PIPL subjects all organizations around the world with any business of "processing the personal information of natural persons in China" to the jurisdiction of the PIPL. As explained by the legislator, the extra-territorial scope of the PIPL is necessary. It aims to close the gap that leaves natural persons in China exposed when their personal information is illegally collected and processed by foreign data processors that evade supervision by the PRC government in order to reduce compliance costs. In this respect, the PIPL resembles various existing data protection regimes around the world such as the EU’s GDPR, which applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
02 Criteria of the PIPL on the Processing of Personal Information by Overseas Financial Institutions
(1) The PIPL requires overseas financial institutions that process the personal information of natural persons in China to appoint a data privacy organization or representative in China
According to Article 53 of the PIPL, once an overseas financial institution is determined to be a personal information processor as defined in the PIPL, it shall appoint a data privacy organization or representative within the PRC to deal with affairs relating to personal information protection. Such overseas financial institutions are further required to report the contact information of the data privacy organization or representative to the authorities in charge of personal information protection, a requirement that needs to be further specified by the implementing rules and other regulations of the PIPL.
(2) PIPL Sets Up Different Requirements for Processing Different Degrees of Personal Information
Firstly, overseas financial institutions shall obtain consent from clients before collecting their general personal information (“General Information”). Under the PIPL, General Information refers to the identifiable information of a natural person, such as name, sex, date of birth, occupation, residential address and so on. Before processing the General Information, the overseas financial institutions need to inform owners of the General Information in a transparent, clear and understandable way. Specifically, the overseas financial institutions shall at least inform the clients of the types of personal information that will be collected, the purpose and method of processing the information, the information retention period, limitations, etc., and obtain their consent. In common practice, financial institutions can obtain clients’ consent by preparing “consent forms” such as a “personal information authorization and consent form” or “privacy statement”, and having the clients sign such “consent forms” face-to-face or click a confirmation box in the privacy policy pages of the websites/mobile apps to confirm their consent.

