How to Implement Personal Information Protection Law in HR Scenarios

From 1 November 2021, when the Personal Information Protection Law takes effect, the employer will be confronted with a conflict between protection of the employee’s personal information and the employer’s management rights. The Employment Contract Law gives the employer the right to "know the employee’s basic information directly related to the employment contract". However, once the Personal Information Protection Law comes into force, the employer must comply with it when exercising this right to “know” the employee’s information and cannot "know" whatever it wants about the employee’s personal information.
2021-12-22 11:43:17


The Personal Information Protection Law imposes different obligations on the employer "processing information" of different types or in different ways. Processing information improperly could result in labor dispute risk and is more likely to incur administrative and civil responsibility or even reputational damage risk.


The employer should clearly set out personal information protection clauses under human resources management procedures to meet specific requirements of the Personal Information Protection Law. A new provision of the final draft of the Personal Information Protection Law states that "if personal information is processed under legally formulated labour rules and a legally executed collective contract, individual approval may not be required". However, the employer should make sure they meet the condition of having "labour rules legally formulated and a collective contract legally executed". To use these rules as the legal basis for processing personal data, the employer should finish amending such rules and bring them into effect before the Personal Information Protection Law takes effect on November 1, 2021.


In addition, there are many documents that need to be updated in time, which cover the whole HR management cycle from the beginning to end of employment. In the following, I will explain and list documents and actions the employer needs to sign or take to comply with the Personal Information Protection Law in each common HR management scenario for your reference.


NO. 1
SCENARIO: Pre-employment background check
DOCUMENTS: Candidate’s Authorization to Process Their Personal Information for Background Checks
EXPLANATION & ACTIONS: The employee should sign the Candidate’s Authorization to Process Their Personal Information for Background Checks. If the employer commissions the background check, the employer should also obtain the Candidate’s authorization to provide their personal information to third parties.

NO. 2
SCENARIO: Signing of employment contract and start of employment
DOCUMENTS:
① Personal information processing clauses added to Employment Contract
② Employee’s Personal Information Registration Form
③ Employee’s Authorization to Process Their Personal Information
EXPLANATION & ACTIONS:
① The employer should amend and add personal information processing clauses to the employment contract and require new employees to sign it.
② The employee should complete and write their personal information in the personal information collection form when they join the company. The employer should collect personal information to the smallest extent, for intended purpose and according to laws and requirements of the employer's rules.
③ The Personal Information Protection Law requires "specific approval" for processing sensitive information such as biological, medical and health and financial account information and does not clearly state that sensitive information can be processed “without individual approval". To be prudent, the employee’s specific authorization to use sensitive information is recommended.

NO. 3
SCENARIO: Personal information protection in day-to-day management activities
DOCUMENTS: Personal information protection clauses / Personal Information Protection and Privacy Policy added to the Employee Handbook
EXPLANATION & ACTIONS: Note that labour rules mentioned herein are not valid until they pass the democratic process and if used as the basis for processing personal information “without individual approval”, should set out the scope and purpose of collecting and rules on processing personal information without violating law.
In addition, the rules should clearly set out the employer’s responsibilities for protecting personal information, the employer designated person responsible for protecting personal information and rules on exercise of the employee’s rights to access and copy personal information.

NO. 4
SCENARIO: Transfer of the employee’s personal information to third parties (labour dispatch companies, partners, etc.)
DOCUMENTS:
① Personal information processing clauses added to business contracts such as Labour Dispatch Agreement.
② Employee’s Authorization to Process Personal Information; and rules
EXPLANATION & ACTIONS:
① Relevant clauses added to business contracts involving employee’s personal information (for example, with electronic labour contract service providers or social insurance contribution payment companies) such as Labour Dispatch Agreements, clearly setting out receiver’s/authorized person’s rights and obligations such as the purpose, period, ways, types and protection measures of personal information being processed.
② We advise that the employer obtain the Employee’s Authorization to Process Their Personal Information specifying information of the person receiving/authorized to process personal information and use of such personal information.

NO. 5
SCENARIO: Cross-border transfer of the employee’s personal information
DOCUMENTS: Employee’s Authorization to Process Personal Information; and rules
EXPLANATION & ACTIONS: Personal Information Protection Law provides that providing personal information overseas should be subject to specific individual approval. As above, it remains unclear whether personal information may be provided overseas “without individual approval”. In particular, we suggest foreign funded businesses include an authorization to provide personal information overseas in the above Employee’s Authorization to Process Their Personal Information.

NO. 6
SCENARIO: Resignation
DOCUMENTS: Authorization to process the employee’s Personal Information; and rules
EXPLANATION & ACTIONS: Resigning employees may request the employer remove their personal information. However, the employer may need to process personal information of employees who have left, for example, to perform a non-compete agreement, deal with a labor dispute or retain salary documents and other materials for a statutory period.
Therefore, we suggest the term of authorization in the Employee’s Authorization to Process Their Personal Information continue for a period of time after the employee leaves and the rules clearly set out rules on processing or removing personal information of employees who have left.
In this case, the employer should stop processing personal information except for storing and taking necessary measures to protect the security of personal information.


Note: As of the publication date, no legislative or legal interpretation of the Personal Information Protection Law existed, and the logic of certain provisions and the definitions of certain wordings were not clear. In this situation, we suggest you apply and construe this law in a reasonably strict way to prevent risks.