From 1 November 2021, when the Personal Information Protection Law takes effect, the employer will be confronted with a conflict between protection of the employee’s personal information and the employer’s management rights. The Employment Contract Law gives the employer the right to "know the employee’s basic information directly related to the employment contract". However, after the Personal Information Protection Law takes effect, the employer should certainly comply with this law in its exercise of such right to “know” the employee’s information and cannot "know" whatever they want about the employee’s personal information.
The Personal Information Protection Law imposes different obligations on the employer "processing information" of different types or in different ways. Processing information improperly could result in labor dispute risk and is more likely to incur administrative and civil responsibility or even reputational damage risk.
The employer should clearly set out personal information protection clauses under human resources management procedures to meet specific requirements of the Personal Information Protection Law. A new provision of the final draft of the Personal Information Protection Law states that "if personal information is processed under legally formulated labour rules and a legally executed collective contract, individual approval may not be required". However, the employer should make sure they meet the condition of having "labour rules legally formulated and a collective contract legally executed". To use these rules as the legal basis for processing personal data, the employer should finish amending such rules and bring them into effect before the Personal Information Protection Law takes effect on November 1, 2021.
In addition, there are many documents that need to be updated in time, which cover the whole HR management cycle from the beginning to end of employment. In the following, I will explain and list documents and actions the employer needs to sign or take to comply with the Personal Information Protection Law in each common HR management scenario for your reference.
NO. | SCENARIOS | DOCUMENTS | EXPLANATION & ACTIONS |
---|---|---|---|
1 | Pre-employment background check | Candidate’s Authorization to Process Their Personal Information for Background Checks | The employee should sign the Candidate’s Authorization to Process Their Personal Information for Background Checks. If the employer commissions the background check, the employer should also obtain the Candidate’s authorization to provide their personal information to third parties. |
2 | Signing of employment contract and start of employment | ①Personal information processing clauses added to Employment Contract ②Employee’s Personal Information Registration Form ③Employee’s Authorization to Process Their Personal Information | ①The employer should amend and add personal information processing clauses to the employment contract and require new employees to sign it. ②The employee should complete and write their personal information in the personal information collection form when they join the company. The employer should collect personal information to the smallest extent, for intended purpose and according to laws and requirements of the employer's rules. ③The Personal Information Protection Law requires "specific approval" for processing sensitive information such as biological, medical and health and financial account information and does not clearly state that sensitive information can be processed “without individual approval". To be prudent, the employee’s specific authorization to use sensitive information is recommended. |
3 | Personal information protection in day-to-day management activities | Personal information protection clauses /Personal Information Protection and Privacy Policy added to the Employee Handbook | Note that labour rules mentioned herein are not valid until they pass the democratic process and if used as the basis for processing personal information “without individual approval”, should set out the scope and purpose of collecting and rules on processing personal information without violating law. In addition, the rules should clearly set out the employer’s responsibilities for protecting personal information, the employer designated person responsible for protecting personal information and rules on exercise of the employee’s rights to access and copy personal information. |
4 | Transfer of the employee’s personal information to third parties (labour dispatch companies, partners, etc.) | ①Personal information processing clauses added to business contracts such as Labour Dispatch Agreement. ②Employee’s Authorization to Process Personal Information; and rules | ①Relevant clauses added to business contracts involving employee’s personal information (for example, with electronic labour contract service providers or social insurance contribution payment companies) such as Labour Dispatch Agreements, clearly setting out receiver’s/authorized person’s rights and obligations such as the purpose, period, ways, types and protection measures of personal information being processed. ②We advise that the employer obtain the Employee’s Authorization to Process Their Personal Information specifying information of the person receiving/authorized to process personal information and use of such personal information. |
5 | Cross-border transfer of the employee’s personal information | Employee’s Authorization to Process Personal Information; and rules | Personal Information Protection Law provides that providing personal information overseas should be subject to specific individual approval. As above, it remains unclear whether personal information may be provided overseas “without individual approval”. In particular, we suggest foreign funded businesses include an authorization to provide personal information overseas in the above Employee’s Authorization to Process Their Personal Information. |
6 | Resignation | Authorization to process the employee’s Personal Information; and rules | Resigning employees may request the employer remove their personal information. However, the employer may need to process personal information of employees who have left, for example, to perform a non-compete agreement, deal with a labor dispute or retain salary documents and other materials for a statutory period. Therefore, we suggest the term of authorization in the Employee’s Authorization to Process Their Personal Information continue for a period of time after the employee leaves and the rules clearly set out rules on processing or removing personal information of employees who have left. In this case, the employer should stop processing personal information except for storing and taking necessary measures to protect the security of personal information. |
Note: By the publication date no legislative or legal interpretation of the Personal Information Protection Law had existed and the logic of certain provisions and definitions of certain wordings were not clear. In this situation, we suggest you apply and construe this law in a reasonably strict way to prevent risks.