The Personal Information Protection: Foreign Bank's Guidance (Part 2)


Secondly, overseas financial institutions shall obtain separate consents from clients before collecting their sensitive personal information (“Sensitive Information”). Under the PIPL, Sensitive Information refers to biometric information, religious beliefs, specific identities, health care information, financial accounts, whereabouts and tracks, the personal information of minors under the age of 14, and so on.
In common practice, there are at least three methods available for financial institutions to obtain a client's separate consents:
a. The overseas financial institution can request clients to sign a single “personal information authorization and consent form”, or documents of a similar nature, face-to-face to confirm their separate consents.
b. The overseas financial institution can request clients to check the “notification and consent interface pop-up box” about processing Sensitive Information on the websites or in the mobile apps of the financial institution to confirm their consents.
c. The overseas financial institution can request clients to read and check the box in a separate chapter on "sensitive personal information" in the privacy policies of the financial institution to confirm their consents. As an example, when presenting their privacy policies to their clients, many online banks in China provide relatively tailored and separate clauses on the collection and use of minors' personal information, followed by a "user’s consent" checkbox.
(3) Relevant Basic Principles under the PIPL that Overseas Financial Institutions shall Abide by
The first principle is necessity. It means overseas financial institutions are not allowed to collect personal information unrelated to their financial services. In practice, conduct violating the principle of necessity manifests as:
(a) collecting clients' personal information that is not related to existing businesses;
(b) collecting clients' personal information more frequently than actually needed;
(c) compulsorily collecting clients' personal information on pretexts such as improving service quality.
Furthermore, financial institutions are required to obtain consents from individual clients for different types of information separately (e.g. General Information and Sensitive Information). This means an overall consent from a client doesn’t give the financial institution the right to access all of that client's information.
The second principle is to disclose the rules for collecting and using personal information. Even with the consent of the clients, it is illegal to process personal information without disclosing the rules to the clients. In practice, conduct violating the principle of transparency manifests as:
(a) failure to set up rules for collecting and using personal information;
(b) failure to remind clients of the rules for collecting and using personal information on the first run of the rules;
(c) the rules for collecting and using personal information are difficult to access;
(d) the rules for collecting and using personal information are difficult to understand.
The third principle is transparency. Transparency is required in terms of the rules, purpose, method and scope of the processing of personal information. In practice, conduct violating the principle of transparency manifests as:
(a) failure to list all items of the rules;
(b) failure to notify clients of changes in the rules in a proper manner;
(c) failure to inform the client of the collection of Sensitive Information.
03 Requirement for Cross-Border Transfer of Personal Information
Chapter 3 of the PIPL sets forth detailed rules regarding the cross-border transfer of personal information of persons in China. For overseas financial institutions, the scenario we commonly see is that the domestic branches of an overseas financial institution ("Domestic Branches") transfer the clients’ personal information to its overseas headquarters. In practice, there are usually two ways of cross-border transfer: (1) Domestic Branches provide the personal information to a third-party processor, which stores the personal information on domestic servers and processes it before transferring it abroad; (2) Domestic Branches directly transfer the personal information of their clients to the overseas financial institution through their internal systems.

