SlideShare ist ein Scribd-Unternehmen logo
1 von 34
D A T A P R O T E C T I O N
China’s Draft ‘Personal
Information Protection Law’
General meaning of Personal Data
In daily lives we give our personal data which is also known as personal information to somewhere or the other. Personal
data is the data which identifies an individual who owns that data. For example while purchasing anything online, while
signing on the applications, while using online payment modes, etc.
Personal Data / information includes:
A name or surname
 Home address
 Office address
 An email address
 An ID card number [aadhar card number, PAN number, passport]
 An IP address
 Information held by a hospital, etc.
Personal data under the draft
Personal data is defined under the draft:
Individual data is a wide range of data recorded by electronic or different means identified with distinguished or
recognizable normal people, excluding data after anonymization taking care of.
Individual data dealing with incorporates individual data assortment, stockpiling, use, preparing, transmission,
arrangement, distribution, and other such exercises.
Personal information handling
Individual data controllers may just deal with individual data where they adjust to one of the accompanying condition:
• Getting people’s assent
• Where important to close or satisfy an agreement wherein the individual is an invested individual
• Where important to satisfy legal obligations and obligations or legal commitments
• Where important to react to unexpected general wellbeing episodes or ensure regular people’s lives and wellbeing, or the
security of their property , under crises conditions
• Taking care of individual data inside a sensible extension to execute news detailing, popular assessment oversight, and
other such exercises for the public interest
• Different conditions gave in laws and authoritative guidelines
 Biometric data
 Health concerning data
 Philosophical beliefs
 Political opinions
 Religious opinion, etc
Types of sensitive personal data:
• Personal information
• Business information
• Classified information
Sensitive Personal data needs more protection because of its sensitive nature. It has to be processed differently from the
other data and there is a clear distinction between sensitive personal data and non-sensitive personal data made by GDPR.
General meaning of sensitive personal data
.
Sensitive personal data under the Draft
The expression “sensitive personal data” under the draft PIP law is characterized as individual data of which spillage or
unlawful use might prompt prejudicial therapy or genuine harm to individual or property wellbeing, including race,
nationality, strict convictions, individual biometrics, clinical wellbeing data, monetary records, and individual
location/whereabouts, and so forth.
The draft PIP law gives more limitations on the handling of delicate individual data. An individual data processor can
possibly deal with sensitive personal information on the off chance that it has explicit purposes and such preparing is
adequately fundamental, yet the draft PIP law doesn’t give further translation of what comprises “explicit purposes” and
“sufficiently necessary”.
Sensitive personal information handling
 Individual data oversees might deal with delicate individual data just for explicit purposes and when adequately
important/necessary.
 When dealing with delicate individual data depends on individual assent, individual data oversees will get independent
assent from the person.
 When individual data oversees handle sensitive personal data, aside from the prerequisites of article 18 of the law, they
will likewise tell the person about the need of sensitive personal data taking care of , as well as the impact on the person.
 Where laws or authoritative guidelines give that significant regulatory licenses will be gotten or stricter limitation forced for
the treatment of delicate individual data, those arrangements are followed.
Scope and Applicability
The draft PIP just indicates responsibility and consistence necessities on “individual data processor” that refers to
associations or people that autonomously decide the reason, extension, scope, and strategies for preparing of individual
information.
This law applies to state organs’ exercises of taking care of individual data; where this section contains explicit
arrangement, the arrangements of this part applies.
State organs taking care of individual’s data to satisfy their legal obligations and obligations will lead them as per the
forces and strategies gave parents in law and managerial guidelines; they may not surpass the extension or degree
important to satisfy their legal obligations and responsibilities.
Individual data took care by state bodies will be stored within the boundaries of the people’s republic of China; where it is
important to give it abroad, a danger appraisal will be led.
Application divisions might be needed to offer help, support and assistance for hazard evaluations.
Extraterritorial Application
Global organizations might be generally intrigued by the considered extraterritorial jurisdiction of the draft PIP law, which may
expand consistence hazard for unfamiliar organizations that have working subsidiaries in China or don’t have a legitimate
presence in China yet provide products or administrations to Chinese people.
The draft would apply to company overseas:
That interaction individual data of people in China to provide products or administrations to them;
 Material scope
Data or any information which is considered as personal data is protected under the draft. It is the sole responsibility
of the data user to safeguard and protect the personal data that they collect.
 That investigate and evaluate the exercises of people in China through the assortment of individual data; or
 For different purposes indicated by laws and regulatory guidelines.
Furthermore, the draft PIP law additionally looks like the GDPR arrangement and requires seaward processors that cycle
individual data of people in the PRC to build up an assigned office or delegate an agent in the PRC to be answerable for
individual data assurance in the PRC. Name and contact data of such office or agent ought to be submitted to the controllers.
This law will applies to associations and people’s taking care of individual data exercises of normal people inside the
boundaries of people’s Republic of China.
Where one of the accompanying conditions is available in taking care exercises outside the line of people’s republic of
China of personal data of regular people inside the lines of the people’s republic of China, this law applies too;
•Where the object id to give items or administrations to regular people inside the lines;
•Where directing examinations or evaluations of activities of normal or regular people inside the boundaries
•Other situations provides in law or administrative guidelines.
Repeating the GDPR abroad processors if individual data that fall inside the extraterritorial extent of the PIP law should build
up “uncommon foundation or assigned delegates” inside the territory of China to manage PIP law matters for the benefit of
the abroad element.
General meaning of consent
As we all know that there is a requirement of consent when we use something of someone. Consent means
giving people a real choice and control over how you use their data.
The consent which has no real choice, that does not considered as a free consent and it will be invalid.
A person is said to be given a free consent when he is not bound by anything or anyone and must be able to
withdraw consent easily anytime whenever he wants to.
It also means that consent should be boundless or unbundled from other terms and conditions.
Consent under the draft
If the data subject would like to use the data collected for some different purpose other than then that for which it is
collected, the data subject must obtain the prescribed consent of the person whom data they are using and the consent
must be free [voluntarily].
This means that the person has given their consent on their behalf.
If the data user is not able to give the consent, a person who is minor [that is below the age of 18] in that situation, parents
of that person is responsible for giving the consent on the behalf of that person.
Before a data user can use a data subject’s personal information or data for marketing purposes, the user must obtain
his/her consent. This consent must be given orally or in written form.
Consent for taking care of individual personal data will be given by people under the precondition of full information, and in a
deliberate, voluntary and explicit proclamation of wishes.
Where laws or managerial guidelines give that separate consent or written consent will be acquired to deal with individual
data, those arrangements are followed.
Where a change happens in the purpose of handling the personal data of an individual, the dealing with strategy, or the
classes took care of individual data, the person’s consent shall be acquired once more.
Without the consent of the individual data controller, and endowed party may not further depend individual data taking care of
to different people. Individual data controller will, where it is important to move individual data because of consolidation,
partitions, and other such reason, inform people about the accepting party’s personality and contact technique.
Where the receiving side changes the first taking care of direction or dealing with strategy, they will advise the individual
again as given in this law and acquire their consent. Where the reason at the time the individual data was distributed isn’t
clear, individual data collectors will deal with distributed personal data in a sensible and careful way; for activities using
distributed personal data affecting people, the individual will be told by the arrangements of the PIP law, and their consent
obtained. An individual also have the right to revoke or withdraw hid consent of individual data taking care of exercises
conducted based on person’s consent. Without the consent of the personal data handler, a dependent party may not further
entrust individual data handling of to another person. When the personal information handlers provide the information to third
party, they shall notify the individual about the identity of third party which includes their name, contact details, there data
receiving and handling method, ad obtain an individual consent for it.
In the case of processing sensitive personal data, the handler shall obtain separate consent from the individual. That too in
written form were provided by laws or administrative regulations. When state organs handles personal data for the purpose or
reason to fulfill statuary duties and responsibilities shall notify the data owner according to the provisions of this law and must
obtain their consent. When the personal data is provided by the personal data handlers outside the border of People’s
Republic of China, they should inform the individual about the data receiver outside and must obtain separate consent the
same.
It is clearly mentioned in the draft that if the data handler rescinds his consent, personal data handlers shall, dependent on
individual’s request, delete personal information.
Principles
According to the PIP draft there are some there are some basic principles that must be followed for the processing and
functioning of personal data or information:
• The principle of legality and goof faith
Personal data or information of an individual should be processed in accordance with the criteria or principle of legality,
appropriateness, necessity, need and good faith. The PIPL underlines that personal data must not be handled through
deceiving, fake, fraudulent or coercive manner or strategies.
• Clear and reasonable purpose
Purpose that is both clear and reasonable. Personal data processing should have a clear, fair, sensible and reasonable
purpose that is directly connected to the processing purpose. The processing personal data should be prepared in a
manner that has a least impact on personal rights of an individual.
Personal information should be collected only to the that extent which is necessary for the intended purpose, and
unreasonable collection of data or information is not permitted under the draft.
• Transparency and openness
The processors of personal information must explicitly disclose or reveal the personal data processing rules, the
purpose of processing the information, the processing mechanism and the processing scope of the same.
• Quality assurance
To avoid any detrimental impact on personal rights and interest caused by inaccuracy and incompleteness of personal
information, the quality of personal information must be protected when it is processed.
Furthermore, the processors are responsible for taking precautions to protect the security and privacy of personal data
or information.
• Illegality
Unlawful acquisition, use, processing, and transfer of personal data, as well as the illegal sale, supply, and publishing
of personal information, are all banned for both entities and people.
Processing actions that jeopardise national security and the public interest are strictly banned.
The PIPL further refines the standards and principles and personal data processing rules to be followed in the security of
individual data, explains the limits of rights and obligations in processing activities of personal information and further
develops the framework and method or mechanism for personal data security and protection.
Enforcement
Where it is required to transmit personal data outside the borders of PRC (People’s Republic of Chins) for global legal help
or administrative law enforcement help, an application must be made with the appropriate competent agency for
permission, according to the legislation.
Regarding the PIPL, at the same time as government’s organs and its data protection authorities are getting ready to deal
with it. What actions are required by the PIPL one it enforced is the question. Answering that, there are some actions which
is required by PIP law such as:
• Creating internal management structure and rules within the organization to handle data and to manage the handling of
data within the organization.
• Adopting corresponding technical security measures that would include physical measures like safety but, of course also
cyber measures software limiting the access to data to on a need to known basis within the organization and encryption
etc.
• Determining operational limits for personal information handling.
• Regularly conducting security education and training within the organization for employees that have access to data.
• Formulating security incident response plans
In all over the world many countries still don’t have any law related to data protection. China has also started looking into
data related law which subsequently result with several legislations implemented or drafted for public consultation in the
last few years. Personal Information Protection (PIP) law just closed for public opinion and expected to be finalised in later
in 2021.
The government which is responsible for the enforcement of this law is CAC (Cyberspace Administration China)
Internal transfer of information
Under the draft, it is mentioned under Article 38 that if the data processor has to transmit personal data beyond of PRC
for business or any other purpose, the data processor must meet at least one of the following requirements:
• Passing a security assessment determined by the CAC (Cyberspace Administration China) which is the government
department that is responsible for the enforcement of this law
• CAC as per Article 40 of the draft of PIPL, which necessitates that administration of Critical Information Infrastructure
(CII) 1 and that move a specific volume of personal data of an individual (to be determined by CAC) should locally
store personal data collected and created in PRC and should go through a security assessment if the cross-border
transfer id necessary, except if such security evaluation is not needed by laws, administrative regulators and CAC
rules
• Obtaining a certification provided by the CAC
• Establishing an agreement with the foreign receiving party (this is something that would be in the control of data
handler without the need of government approval)
• Other conditions provided in laws, administrative regulations, or by the CAC
The regulations governing cross-border information transmitting are a major source of worry for many international
corporations doing business in the PRC.
In general, the PIPL requires personal information processors to take the appropriate steps to ensure that the actions of
foreign receiver in processing personal data comply with the PIPL’s personal information protection requirements.
Besides the above general requirements, Critical Information Infrastructure Operators (CIIO) or personal information
processing companies that processes up to the amount authorized by the national cyberspace administration should keep
personal data within China in addition to the above general requirement.
As a result, that applicant must pass the national cyberspace authority’s security assessment before they may provide
such information to an overseas recipient, if it is necessary.
Beyond the criteria, they urge that firms pay attention to any specific rues or advice that may be imposed by ralavent
agencies.
Automobile data processors that hold critical data may only send data overseas if it is absolutely necessary and only after
passing a data outbound security assessment established by the national cyberspace authority.
Individuals and organizations are not permitted under Article 41 of the PIPL to transmit personal data held in China to
foreign law enforcement authorities without the prior consent of the appropriate Chinese authorities. It is unclear how data
“stored within China” is defined and how a “data processing” company may request for permission at this time; the actual
implementation of such provision would most likely depend on further precise laws or measures released by the
appropriate regulatory agencies.
Even if a processor is permitted to transfer personal information to an offshore party, it must notify individuals of at least the
following information: the offshore recipient's identity and contact information; the purposes and means of processing; the
categories of personal information to be transferred; and the means to exercise rights under this law against the offshore
recipient.
Furthermore, for such cross-border transfers, the processor must seek individual consent from everyone.
Data breach
Data breach is a security incident in which sensitive protected or confidential data is
copied, transmitted, viewed, stolen or used by an individual and unauthorized to do so.
In the incident of data breach it might involve the loss or damage of financial
information, social media account, band accounts, credit card or debit card details,
personal medical information, email address, passwords, necessary documents, and
other confidential information which is really private to an individual.
Many jurisdictions have past data breach notification laws requiring a company that
has been subject to a data breach to inform customers and take other steps to
remediate possible injuries, this may include incidents such as theft or loss of digital
media such as computer tapes, hard drives or laptop computers containing such media
upon which such information is stored unencrypted. Posting such information on the
world wide web or on a computer otherwise accessible from the internet without
proper information security precautions cause those damages.
Data breaches present position under PIPL
Proposed amendments regarding necessary breach notification
• Definition of “personal data breach”
• Notification threshold
• Notification timeframe
• Mode of notification
Lawful processing of personal data
A data user must have to collect data from a data subject for a lawful purpose. For which a data subject is giving his consent
to data user to use his personal data that processing must be lawful and trustworthy.
A data user may collect personal information of a data subject on if:
• The personal information on an individual is collected for a lawful purpose which is directly related to the event of exercise of
the data user who is to use the personal data.
• It should be mandatory that the collection of personal data is for and directly related to that purpose for which he has given
his voluntary consent.
• The personal data is sufficient or adequate, but not excessive in relation to that purpose.
• There must be a fair and reasonable processing of personal data of an individual.
• Personal data shall be processing to only that purpose which is clear, specific, direct and lawful.
• There must be a collection limitation which means that only necessary personal data must be collected, and the collection must
be limited to such data.
• Personal data may be processed, if necessary, situation occurred such as to respond to any medical emergency, to take
measure to provide health services to any individual an epidemic or pandemic, to ensure the safety on a personal during the
situation of any disaster or any breakdown of public order, necessary for the employment etc.
• Processing of sensitive personal data based on explicit content, for certain functions of the state, for any order of the court or
tribunal, for prompt action [medical emergency], processing of personal sensitive data of children, etc.
Moreover, if the personal data will be used or transferred for direct marketing
purposes or any other purpose which is not included in the original collection
purpose or a directly related purpose , consent is required for that. Data subject
have the right to ask a data user to stop using or transferring the personal
information for direct marketing purposes, and the data user must observe or
comply with such requests.
Companies that violate the PIPL are liable to administrative, civil, and criminal penalties, as described below. Administrative
penalties. In the case of a violation of the PIPL, personal information protection authorities may issue a rectification order or
a warning, and any unlawful gains may be confiscated. Services for the relevant apps may be suspended or terminated.
Companies and their accountable executives that refuse to correct violations may face extra penalties.
Serious violations may result in the suspension of business activities, the termination of a business certificate, and the
imposition of a fine of up to RMB 50,000,000 or 5% of annual revenue. Fines and bans from accepting management or
personal information protection responsibilities in other firms may be imposed on responsible executives. In line with the
applicable rules, PIPL breaches may also be made public and recorded in the social credit records of the relevant firms.
Civil liability. If the processing of personal information in violation of an individual's rights causes injury and the personal
information processor cannot demonstrate that it is not at fault, the processor may be held responsible for damages and
other civil penalties. If a substantial number of people are affected, designated consumer groups may file a lawsuit on their
behalf. Criminal Responsibility. Violations of the PIPL that constitute criminal crimes may result in criminal prosecution.
Individual rights under the PIP draft
Individual rights before data handling under the draft:
• To know that the data is being handled
• To decide, if the data id going to be handled
• To limit the purpose of handling the data
• To refuse to handle the data
Data subject’s rights one the data is handled:
• To access the data
• To copy the data
• To correct or complete the data, if required
• To delete the data and once it has been done there is also a right to be forgotten
Individual rights. When it comes to personal information processing activities, this law codifies the individual's rights such as
the right to know and to restrict or reject others' processing of personal information, as well as the right of inquiry and
request a copy of personal information from processors. Those that process personal data are required to provide persons
with a simple way to exercise the rights listed above.
Individuals also have the right to revoke their consent to personal information handling actions done with their consent.
They must agree on the rights and duties of each when two or more handlers of personal information make a joint decision
on a personal information handling purpose and method. As a result of this agreement, an individual is still free and clear to
demand that any personal information handler comply with all this Law's obligations. Personal information controllers are
jointly liable if they infringe on personal information rights and interests.
It is a person's right to ask personal information handlers to explain how automated decision making affects their rights and
interests, and it is also their right to reject that personal information handlers make choices exclusively based on automated
decision-making techniques.
When talking about the regulations on the cross-border provisions of personal information one of them is that conclusion of
an agreement with a foreign receiving party, agreement on both parties' rights and duties, and supervision of their personal
information handling activities to ensure compliance with the personal information protection standards set out in this Law.
Where personal information handlers provide personal information outside of the borders of the People’s Republic of China,
they must inform individuals about the foreign receiving party's identity, contact method and handling purpose as well as
personal information categories, as well as how they can exercise their rights under this Law with the foreign receiving party.
They must set up procedures to accept and process requests from persons seeking to exercise their rights. If they deny a
person's request to exercise their rights, they must give a justification for doing so.
The right to make a complaint or report regarding unlawful personal information handling practises is available to any
organisation or individual.
Accountability
The DPP5 requires data users to take all the reasonable measures to ensure that
their personal information policies and exercises regarding personal data
collecting, storing, transferring and using it.
In the PDPO, accountability principles and other privacy management measures
are not explicitly defined. In order to ensure compliance with the PDPO, the
PCPD recommends organizations adopt privacy management system.
The PCPD also recommends appointing data protection officers and conducting
privacy impact assessments for this purpose.
All feasible steps must be taken to safeguard personal data possessed by data
users against unauthorized access, use, processing, erasure, lost, theft or
disclosure.
Breach notification has no mandatory requirement, but it is recommended that
the PCPD (and the data subjects, where appropriate) be notified
If there is any kind of data breach and there is no proper mechanism that was
being followed, the organization shall be accountable for that.
The PDPO does not explicitly make certification or adherence to a code of prsctice
a legal basis for cross-border transfers.
Data protection authority
Privacy Commissioner for Personal Data (PCPD) is the authority which enforcing
the PDPO in Hong Kong. Furthermore, the PCPD has additionally developed a
number of codes of practice (available here) that provide practical guidance in
relation to the requirements under the PDPO.
If a data user breaches the code of practice, the presumption will apply to any
legal proceeding under the PDPO, unless the data user can demonstrate that the
requirement of the PDPO was actually complied within an alternative way.
Various guidance notes has published by PCPD which referred to as good practice
recommendations for protecting personal data in Hong Kong.
Regulatory authority
PCPD is an independent statutory body established to supervise the enforcement
of PCPD.
As stated on its website, its main responsibility is to “ensure the protection of the
privacy of individuals in terms of personal data by promoting, monitoring and
supervising compliance with the PDPO.
Privacy Management
The PCPD has upheld since 2014 for hierarchical data users to execute a Privacy
management programme (PMP), in order to accept personal data assurance as a
component of their corporate administration obligations and apply them as a basic
all through the association.
Recently, the PCPD reexamined and distributed its Privacy Management Program:
a best practice guide (the PMP guide), which prescribes association to shape PMPs
with three segment, specifically:
Authoritative responsibilities
Program controls
Continues evaluation and update
To oversee the compliance with the PDPO and implementation of the PMP, the
PMP guide encourages organizations to appoint a designated officer (i.e. a DPO).
The DPO should either the owner of a small organization or a senior executive of a
major corporation.
The main responsibilities of a DPO is:
 setting up and executing the PMP program controls, specifically tracking
the association’s very own personal data, starting the beginning of occasional
danger evaluation to all divisions, organizing and observing the treatment of
data breach incidents.
 auditing the adequacy of the PMP, for example setting up an oversight and
survey plan for the PMP and overhauling the program controls where it is
necessary.
 if any problem is occurred, reporting it to the top management periodically
on the organization’s compliance issues, problem encountered, and
complaints received in relation to personal data privacy.
Responsibilities
The PCPD has power to find relevant data users when it receives a complaint or
has reasonable reasons to believe that an activity has contravened the relevant
needs the PDPO.
The PCPD also has the authority to review any personal data system used by a data
user in order to obtain information that will assist the PCPD in making
recommendations for compliance with the PDPO. The PCPD has to inform the
respective data user in advance in writing of its intention to inspect or conduct an
investigation, unless there are reasonable assumptions that this harm the
purposes of the investigation.
For investigation or inspection purposes, the PCPD may enter may enter into any
premises with a court order or prior written notice.
If the investigation confirms that the data user has violated a PDPO requirement,
the PDPO can send the data user an enforcement notice to instruct him to take
necessary steps to remedy the violation and to take reasonable legal steps.
Compliance with an enforcement order is a criminal offence.
Moreover, if a data subject is harmed as a result of a breach under the PDPO, the
PCPD may provide legal assistance to bring a claim against the relevant data user.
In an investigation the PCPD will also try to resolve the issue in a less formal way
through mediation or conciliation.
Data sharing
Data users may not transfer personal data to third party without informing the
data subject of the following at the time their personal data was collected or
before it or before it was collected:
That their personal data or information could be transferred
The types of people the data could be transferred
There are presently no restrictions on the transfer of personal data outside of
Hong Kong, as the cross-border transfer restrictions outlined in the ordinance
have yet to take effect.
In the event that these restrictions come into force as right now drafted, they
will have a critical affect upon outsourcing courses of action, intragroup
information sharing courses of action, compliance with oversees reporting
commitments and other exercises that include cross-border data exchange.
All things considered, non-binding best practice guidance distributed by the PCPD
energizes compliance with the cross-border transfer restrictions in the ordinance,
which disallow the exchange of personal information to outside Hong Kong unless,
certain situations are met [counting a white list of jurisdictions; separate and
intentional consent obtained from the information subject; and an enforceable
information exchange understanding for which the PCPD gives proposed model
clauses].
Anonymized data
Anonymised data means data which removes all identifiers irreversibly and that
data subject is no longer identifiable in any manner.
It is an information which may be a sort of data sanitization in which
information anonymization devices scramble or expel actually identifiable data
from data sets from the reason of protecting a data subject’s privacy.
This decreases the chance of unintended disclosure amid the exchange of data
over boundaries and encourages assessment analytics post-anonymization.
There is no such concept of anonymization within the PDPO.
However, the PCPD distributes the guidance note titled Direction on Individual
Eradication and anonymization which gives the information which is
anonymised, to the degree that the data user will not be able to specifically of
indirectly identify the individual concerned, will not be considered as [personal
data] under the PDPO.
Anonymising data is therefore an alternative for taking care of an individual’s
information which is not required for the purpose for which it was collected or
stored, other than total erasure.
Concluding that, anonymized data is not considered as “personal data” under
Personal Data Privacy Ordinance PDPO.
Data localization
Data localization means information localization or information residency law
requires information around a nation’s citizens or inhabitants to be collected,
handled, stored and/or put inside the nation, frequently some time before
being transferred internationally.

Weitere ähnliche Inhalte

Was ist angesagt?

Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...PECB
 
Keys to Creating an Analytics-Driven Culture
Keys to Creating an Analytics-Driven CultureKeys to Creating an Analytics-Driven Culture
Keys to Creating an Analytics-Driven CultureDATAVERSITY
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by QualsysQualsys Ltd
 
Data Privacy and the GDPR
Data Privacy and the GDPRData Privacy and the GDPR
Data Privacy and the GDPRDemandbase
 
Modernizing Integration with Data Virtualization
Modernizing Integration with Data VirtualizationModernizing Integration with Data Virtualization
Modernizing Integration with Data VirtualizationDenodo
 
Retail Analytics and BI with Looker, BigQuery, GCP & Leigha Jarett
Retail Analytics and BI with Looker, BigQuery, GCP & Leigha JarettRetail Analytics and BI with Looker, BigQuery, GCP & Leigha Jarett
Retail Analytics and BI with Looker, BigQuery, GCP & Leigha JarettDaniel Zivkovic
 
BigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesBigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesDimitri Sirota
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701PECB
 
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with IT
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with ITBigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with IT
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with ITBigID Inc
 
Data Modeling, Data Governance, & Data Quality
Data Modeling, Data Governance, & Data QualityData Modeling, Data Governance, & Data Quality
Data Modeling, Data Governance, & Data QualityDATAVERSITY
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdfTrustArc
 
Revolutionizing Procurement with Artificial Intelligence and Machine Learning
Revolutionizing Procurement with Artificial Intelligence and Machine LearningRevolutionizing Procurement with Artificial Intelligence and Machine Learning
Revolutionizing Procurement with Artificial Intelligence and Machine LearningSAP Ariba
 
Data Governance
Data GovernanceData Governance
Data GovernanceRob Lux
 
Enabling a Data Mesh Architecture and Data Sharing Culture with Denodo
Enabling a Data Mesh Architecture and Data Sharing Culture with DenodoEnabling a Data Mesh Architecture and Data Sharing Culture with Denodo
Enabling a Data Mesh Architecture and Data Sharing Culture with DenodoDenodo
 
Master Data Management - Practical Strategies for Integrating into Your Data ...
Master Data Management - Practical Strategies for Integrating into Your Data ...Master Data Management - Practical Strategies for Integrating into Your Data ...
Master Data Management - Practical Strategies for Integrating into Your Data ...DATAVERSITY
 
Enterprise Data Management Framework Overview
Enterprise Data Management Framework OverviewEnterprise Data Management Framework Overview
Enterprise Data Management Framework OverviewJohn Bao Vuu
 
McKinsey Global Institute Report - A labor market that works: Connecting tale...
McKinsey Global Institute Report - A labor market that works: Connecting tale...McKinsey Global Institute Report - A labor market that works: Connecting tale...
McKinsey Global Institute Report - A labor market that works: Connecting tale...McKinsey & Company
 

Was ist angesagt? (20)

Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
Key Data Privacy Roles Explained: Data Protection Officer, Information Securi...
 
Keys to Creating an Analytics-Driven Culture
Keys to Creating an Analytics-Driven CultureKeys to Creating an Analytics-Driven Culture
Keys to Creating an Analytics-Driven Culture
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
Data Privacy and the GDPR
Data Privacy and the GDPRData Privacy and the GDPR
Data Privacy and the GDPR
 
Modernizing Integration with Data Virtualization
Modernizing Integration with Data VirtualizationModernizing Integration with Data Virtualization
Modernizing Integration with Data Virtualization
 
Retail Analytics and BI with Looker, BigQuery, GCP & Leigha Jarett
Retail Analytics and BI with Looker, BigQuery, GCP & Leigha JarettRetail Analytics and BI with Looker, BigQuery, GCP & Leigha Jarett
Retail Analytics and BI with Looker, BigQuery, GCP & Leigha Jarett
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
BigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesBigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar Slides
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
 
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with IT
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with ITBigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with IT
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with IT
 
Introduction to GDPR
Introduction to GDPRIntroduction to GDPR
Introduction to GDPR
 
Data Modeling, Data Governance, & Data Quality
Data Modeling, Data Governance, & Data QualityData Modeling, Data Governance, & Data Quality
Data Modeling, Data Governance, & Data Quality
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
 
Saksoft Overview
Saksoft OverviewSaksoft Overview
Saksoft Overview
 
Revolutionizing Procurement with Artificial Intelligence and Machine Learning
Revolutionizing Procurement with Artificial Intelligence and Machine LearningRevolutionizing Procurement with Artificial Intelligence and Machine Learning
Revolutionizing Procurement with Artificial Intelligence and Machine Learning
 
Data Governance
Data GovernanceData Governance
Data Governance
 
Enabling a Data Mesh Architecture and Data Sharing Culture with Denodo
Enabling a Data Mesh Architecture and Data Sharing Culture with DenodoEnabling a Data Mesh Architecture and Data Sharing Culture with Denodo
Enabling a Data Mesh Architecture and Data Sharing Culture with Denodo
 
Master Data Management - Practical Strategies for Integrating into Your Data ...
Master Data Management - Practical Strategies for Integrating into Your Data ...Master Data Management - Practical Strategies for Integrating into Your Data ...
Master Data Management - Practical Strategies for Integrating into Your Data ...
 
Enterprise Data Management Framework Overview
Enterprise Data Management Framework OverviewEnterprise Data Management Framework Overview
Enterprise Data Management Framework Overview
 
McKinsey Global Institute Report - A labor market that works: Connecting tale...
McKinsey Global Institute Report - A labor market that works: Connecting tale...McKinsey Global Institute Report - A labor market that works: Connecting tale...
McKinsey Global Institute Report - A labor market that works: Connecting tale...
 

Ähnlich wie China's Draft Personal Information Protection Law Explained

Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...Dr. Oliver Massmann
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfInternet Law Center
 
India's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road AheadIndia's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road AheadEquiCorp Associates
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 
Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Minh Duong
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxssuser36d167
 
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...Dr. Oliver Massmann
 
NEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOW
NEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOWNEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOW
NEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOWDr. Oliver Massmann
 
Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018amirhannan
 
GDPR webinar for business leaders
GDPR webinar for business leadersGDPR webinar for business leaders
GDPR webinar for business leadersDeeson
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRNupur Samaddar
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection ActSaimaRafiq
 

Ähnlich wie China's Draft Personal Information Protection Law Explained (20)

China-PIPL.pdf
China-PIPL.pdfChina-PIPL.pdf
China-PIPL.pdf
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdf
 
GDPR Presentation
GDPR PresentationGDPR Presentation
GDPR Presentation
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
 
CEU DPA
CEU DPACEU DPA
CEU DPA
 
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdfBipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
Bipartisan_Privacy_Discussion_Draft_Section_by_Section39.pdf
 
India's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road AheadIndia's Data Protection Law 2018- Future Road Ahead
India's Data Protection Law 2018- Future Road Ahead
 
Data privacy act of 2012 presentation
Data privacy act of 2012 presentationData privacy act of 2012 presentation
Data privacy act of 2012 presentation
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdf
 
Asia Counsel Insights May 2023
Asia Counsel Insights May 2023Asia Counsel Insights May 2023
Asia Counsel Insights May 2023
 
HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ?
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
 
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
LAWYER IN VIETNAM DR OLIVER MASSMANN NEW DRAFT DECREE ON PERSONAL DATA PROTEC...
 
NEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOW
NEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOWNEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOW
NEW DECREE ON PERSONAL DATA PROTECTION - WHAT YOU MUST KNOW
 
Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018
 
Data privacy act
Data privacy actData privacy act
Data privacy act
 
GDPR webinar for business leaders
GDPR webinar for business leadersGDPR webinar for business leaders
GDPR webinar for business leaders
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPR
 
The Data Protection Act
The Data Protection ActThe Data Protection Act
The Data Protection Act
 

Kürzlich hochgeladen

RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxJFSB1
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfssuser3e15612
 
Attestation presentation under Transfer of property Act
Attestation presentation under Transfer of property ActAttestation presentation under Transfer of property Act
Attestation presentation under Transfer of property Act2020000445musaib
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in SalesMelvinPernez2
 
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogiAlexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogiBlayneRush1
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxBharatMunjal4
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its historyprasannamurthy6
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksFinlaw Associates
 
Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,1882Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,18822020000445musaib
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklosbeduinpower135
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesChesley Lawyer
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.2020000445musaib
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Centerejlfernandez22
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicableSaraSantiago44
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeBlayneRush1
 
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsVanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsAbdul-Hakim Shabazz
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxAnto Jebin
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideillinoisworknet11
 
Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxjennysansano2
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxgurcharnsinghlecengl
 

Kürzlich hochgeladen (20)

RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptx
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
 
Attestation presentation under Transfer of property Act
Attestation presentation under Transfer of property ActAttestation presentation under Transfer of property Act
Attestation presentation under Transfer of property Act
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales
 
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogiAlexis O'Connell Arrest Records Houston Texas lexileeyogi
Alexis O'Connell Arrest Records Houston Texas lexileeyogi
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptx
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its history
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
 
Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,1882Conditions Restricting Transfer Under TPA,1882
Conditions Restricting Transfer Under TPA,1882
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklos
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Center
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis LeeAlexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
Alexis O'Connell lexileeyogi Bond revocation for drug arrest Alexis Lee
 
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsVanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docx
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
 

China's Draft Personal Information Protection Law Explained

  • 1. D A T A P R O T E C T I O N China’s Draft ‘Personal Information Protection Law’
  • 2. General meaning of Personal Data In daily lives we give our personal data which is also known as personal information to somewhere or the other. Personal data is the data which identifies an individual who owns that data. For example while purchasing anything online, while signing on the applications, while using online payment modes, etc. Personal Data / information includes: A name or surname  Home address  Office address  An email address  An ID card number [aadhar card number, PAN number, passport]  An IP address  Information held by a hospital, etc.
  • 3. Personal data under the draft Personal data is defined under the draft: Individual data is a wide range of data recorded by electronic or different means identified with distinguished or recognizable normal people, excluding data after anonymization taking care of. Individual data dealing with incorporates individual data assortment, stockpiling, use, preparing, transmission, arrangement, distribution, and other such exercises. Personal information handling Individual data controllers may just deal with individual data where they adjust to one of the accompanying condition: • Getting people’s assent • Where important to close or satisfy an agreement wherein the individual is an invested individual • Where important to satisfy legal obligations and obligations or legal commitments • Where important to react to unexpected general wellbeing episodes or ensure regular people’s lives and wellbeing, or the security of their property , under crises conditions • Taking care of individual data inside a sensible extension to execute news detailing, popular assessment oversight, and other such exercises for the public interest • Different conditions gave in laws and authoritative guidelines
  • 4.  Biometric data  Health concerning data  Philosophical beliefs  Political opinions  Religious opinion, etc Types of sensitive personal data: • Personal information • Business information • Classified information Sensitive Personal data needs more protection because of its sensitive nature. It has to be processed differently from the other data and there is a clear distinction between sensitive personal data and non-sensitive personal data made by GDPR. General meaning of sensitive personal data
  • 5. . Sensitive personal data under the Draft The expression “sensitive personal data” under the draft PIP law is characterized as individual data of which spillage or unlawful use might prompt prejudicial therapy or genuine harm to individual or property wellbeing, including race, nationality, strict convictions, individual biometrics, clinical wellbeing data, monetary records, and individual location/whereabouts, and so forth. The draft PIP law gives more limitations on the handling of delicate individual data. An individual data processor can possibly deal with sensitive personal information on the off chance that it has explicit purposes and such preparing is adequately fundamental, yet the draft PIP law doesn’t give further translation of what comprises “explicit purposes” and “sufficiently necessary”. Sensitive personal information handling  Individual data oversees might deal with delicate individual data just for explicit purposes and when adequately important/necessary.  When dealing with delicate individual data depends on individual assent, individual data oversees will get independent assent from the person.  When individual data oversees handle sensitive personal data, aside from the prerequisites of article 18 of the law, they will likewise tell the person about the need of sensitive personal data taking care of , as well as the impact on the person.  Where laws or authoritative guidelines give that significant regulatory licenses will be gotten or stricter limitation forced for the treatment of delicate individual data, those arrangements are followed.
  • 6. Scope and Applicability The draft PIP just indicates responsibility and consistence necessities on “individual data processor” that refers to associations or people that autonomously decide the reason, extension, scope, and strategies for preparing of individual information. This law applies to state organs’ exercises of taking care of individual data; where this section contains explicit arrangement, the arrangements of this part applies. State organs taking care of individual’s data to satisfy their legal obligations and obligations will lead them as per the forces and strategies gave parents in law and managerial guidelines; they may not surpass the extension or degree important to satisfy their legal obligations and responsibilities. Individual data took care by state bodies will be stored within the boundaries of the people’s republic of China; where it is important to give it abroad, a danger appraisal will be led. Application divisions might be needed to offer help, support and assistance for hazard evaluations. Extraterritorial Application Global organizations might be generally intrigued by the considered extraterritorial jurisdiction of the draft PIP law, which may expand consistence hazard for unfamiliar organizations that have working subsidiaries in China or don’t have a legitimate presence in China yet provide products or administrations to Chinese people. The draft would apply to company overseas: That interaction individual data of people in China to provide products or administrations to them;
  • 7.  Material scope Data or any information which is considered as personal data is protected under the draft. It is the sole responsibility of the data user to safeguard and protect the personal data that they collect.  That investigate and evaluate the exercises of people in China through the assortment of individual data; or  For different purposes indicated by laws and regulatory guidelines. Furthermore, the draft PIP law additionally looks like the GDPR arrangement and requires seaward processors that cycle individual data of people in the PRC to build up an assigned office or delegate an agent in the PRC to be answerable for individual data assurance in the PRC. Name and contact data of such office or agent ought to be submitted to the controllers. This law will applies to associations and people’s taking care of individual data exercises of normal people inside the boundaries of people’s Republic of China. Where one of the accompanying conditions is available in taking care exercises outside the line of people’s republic of China of personal data of regular people inside the lines of the people’s republic of China, this law applies too; •Where the object id to give items or administrations to regular people inside the lines; •Where directing examinations or evaluations of activities of normal or regular people inside the boundaries •Other situations provides in law or administrative guidelines. Repeating the GDPR abroad processors if individual data that fall inside the extraterritorial extent of the PIP law should build up “uncommon foundation or assigned delegates” inside the territory of China to manage PIP law matters for the benefit of the abroad element.
  • 8. General meaning of consent As we all know that there is a requirement of consent when we use something of someone. Consent means giving people a real choice and control over how you use their data. The consent which has no real choice, that does not considered as a free consent and it will be invalid. A person is said to be given a free consent when he is not bound by anything or anyone and must be able to withdraw consent easily anytime whenever he wants to. It also means that consent should be boundless or unbundled from other terms and conditions. Consent under the draft If the data subject would like to use the data collected for some different purpose other than then that for which it is collected, the data subject must obtain the prescribed consent of the person whom data they are using and the consent must be free [voluntarily]. This means that the person has given their consent on their behalf. If the data user is not able to give the consent, a person who is minor [that is below the age of 18] in that situation, parents of that person is responsible for giving the consent on the behalf of that person. Before a data user can use a data subject’s personal information or data for marketing purposes, the user must obtain his/her consent. This consent must be given orally or in written form.
  • 9. Consent for taking care of individual personal data will be given by people under the precondition of full information, and in a deliberate, voluntary and explicit proclamation of wishes. Where laws or managerial guidelines give that separate consent or written consent will be acquired to deal with individual data, those arrangements are followed. Where a change happens in the purpose of handling the personal data of an individual, the dealing with strategy, or the classes took care of individual data, the person’s consent shall be acquired once more. Without the consent of the individual data controller, and endowed party may not further depend individual data taking care of to different people. Individual data controller will, where it is important to move individual data because of consolidation, partitions, and other such reason, inform people about the accepting party’s personality and contact technique. Where the receiving side changes the first taking care of direction or dealing with strategy, they will advise the individual again as given in this law and acquire their consent. Where the reason at the time the individual data was distributed isn’t clear, individual data collectors will deal with distributed personal data in a sensible and careful way; for activities using distributed personal data affecting people, the individual will be told by the arrangements of the PIP law, and their consent obtained. An individual also have the right to revoke or withdraw hid consent of individual data taking care of exercises conducted based on person’s consent. Without the consent of the personal data handler, a dependent party may not further entrust individual data handling of to another person. When the personal information handlers provide the information to third party, they shall notify the individual about the identity of third party which includes their name, contact details, there data receiving and handling method, ad obtain an individual consent for it. In the case of processing sensitive personal data, the handler shall obtain separate consent from the individual. That too in written form were provided by laws or administrative regulations. When state organs handles personal data for the purpose or reason to fulfill statuary duties and responsibilities shall notify the data owner according to the provisions of this law and must obtain their consent. When the personal data is provided by the personal data handlers outside the border of People’s Republic of China, they should inform the individual about the data receiver outside and must obtain separate consent the same. It is clearly mentioned in the draft that if the data handler rescinds his consent, personal data handlers shall, dependent on individual’s request, delete personal information.
  • 10. Principles According to the PIP draft there are some there are some basic principles that must be followed for the processing and functioning of personal data or information: • The principle of legality and goof faith Personal data or information of an individual should be processed in accordance with the criteria or principle of legality, appropriateness, necessity, need and good faith. The PIPL underlines that personal data must not be handled through deceiving, fake, fraudulent or coercive manner or strategies. • Clear and reasonable purpose Purpose that is both clear and reasonable. Personal data processing should have a clear, fair, sensible and reasonable purpose that is directly connected to the processing purpose. The processing personal data should be prepared in a manner that has a least impact on personal rights of an individual. Personal information should be collected only to the that extent which is necessary for the intended purpose, and unreasonable collection of data or information is not permitted under the draft. • Transparency and openness The processors of personal information must explicitly disclose or reveal the personal data processing rules, the purpose of processing the information, the processing mechanism and the processing scope of the same.
  • 11. • Quality assurance To avoid any detrimental impact on personal rights and interest caused by inaccuracy and incompleteness of personal information, the quality of personal information must be protected when it is processed. Furthermore, the processors are responsible for taking precautions to protect the security and privacy of personal data or information. • Illegality Unlawful acquisition, use, processing, and transfer of personal data, as well as the illegal sale, supply, and publishing of personal information, are all banned for both entities and people. Processing actions that jeopardise national security and the public interest are strictly banned. The PIPL further refines the standards and principles and personal data processing rules to be followed in the security of individual data, explains the limits of rights and obligations in processing activities of personal information and further develops the framework and method or mechanism for personal data security and protection.
  • 12. Enforcement Where it is required to transmit personal data outside the borders of PRC (People’s Republic of Chins) for global legal help or administrative law enforcement help, an application must be made with the appropriate competent agency for permission, according to the legislation. Regarding the PIPL, at the same time as government’s organs and its data protection authorities are getting ready to deal with it. What actions are required by the PIPL one it enforced is the question. Answering that, there are some actions which is required by PIP law such as: • Creating internal management structure and rules within the organization to handle data and to manage the handling of data within the organization. • Adopting corresponding technical security measures that would include physical measures like safety but, of course also cyber measures software limiting the access to data to on a need to known basis within the organization and encryption etc. • Determining operational limits for personal information handling. • Regularly conducting security education and training within the organization for employees that have access to data. • Formulating security incident response plans In all over the world many countries still don’t have any law related to data protection. China has also started looking into data related law which subsequently result with several legislations implemented or drafted for public consultation in the last few years. Personal Information Protection (PIP) law just closed for public opinion and expected to be finalised in later in 2021. The government which is responsible for the enforcement of this law is CAC (Cyberspace Administration China)
  • 13.
  • 14. Internal transfer of information Under the draft, it is mentioned under Article 38 that if the data processor has to transmit personal data beyond of PRC for business or any other purpose, the data processor must meet at least one of the following requirements: • Passing a security assessment determined by the CAC (Cyberspace Administration China) which is the government department that is responsible for the enforcement of this law • CAC as per Article 40 of the draft of PIPL, which necessitates that administration of Critical Information Infrastructure (CII) 1 and that move a specific volume of personal data of an individual (to be determined by CAC) should locally store personal data collected and created in PRC and should go through a security assessment if the cross-border transfer id necessary, except if such security evaluation is not needed by laws, administrative regulators and CAC rules • Obtaining a certification provided by the CAC • Establishing an agreement with the foreign receiving party (this is something that would be in the control of data handler without the need of government approval) • Other conditions provided in laws, administrative regulations, or by the CAC The regulations governing cross-border information transmitting are a major source of worry for many international corporations doing business in the PRC. In general, the PIPL requires personal information processors to take the appropriate steps to ensure that the actions of foreign receiver in processing personal data comply with the PIPL’s personal information protection requirements.
  • 15. Besides the above general requirements, Critical Information Infrastructure Operators (CIIO) or personal information processing companies that processes up to the amount authorized by the national cyberspace administration should keep personal data within China in addition to the above general requirement. As a result, that applicant must pass the national cyberspace authority’s security assessment before they may provide such information to an overseas recipient, if it is necessary. Beyond the criteria, they urge that firms pay attention to any specific rues or advice that may be imposed by ralavent agencies. Automobile data processors that hold critical data may only send data overseas if it is absolutely necessary and only after passing a data outbound security assessment established by the national cyberspace authority. Individuals and organizations are not permitted under Article 41 of the PIPL to transmit personal data held in China to foreign law enforcement authorities without the prior consent of the appropriate Chinese authorities. It is unclear how data “stored within China” is defined and how a “data processing” company may request for permission at this time; the actual implementation of such provision would most likely depend on further precise laws or measures released by the appropriate regulatory agencies. Even if a processor is permitted to transfer personal information to an offshore party, it must notify individuals of at least the following information: the offshore recipient's identity and contact information; the purposes and means of processing; the categories of personal information to be transferred; and the means to exercise rights under this law against the offshore recipient. Furthermore, for such cross-border transfers, the processor must seek individual consent from everyone.
  • 16. Data breach Data breach is a security incident in which sensitive protected or confidential data is copied, transmitted, viewed, stolen or used by an individual and unauthorized to do so. In the incident of data breach it might involve the loss or damage of financial information, social media account, band accounts, credit card or debit card details, personal medical information, email address, passwords, necessary documents, and other confidential information which is really private to an individual. Many jurisdictions have past data breach notification laws requiring a company that has been subject to a data breach to inform customers and take other steps to remediate possible injuries, this may include incidents such as theft or loss of digital media such as computer tapes, hard drives or laptop computers containing such media upon which such information is stored unencrypted. Posting such information on the world wide web or on a computer otherwise accessible from the internet without proper information security precautions cause those damages.
  • 17. Data breaches present position under PIPL Proposed amendments regarding necessary breach notification • Definition of “personal data breach” • Notification threshold • Notification timeframe • Mode of notification
  • 18. Lawful processing of personal data A data user must have to collect data from a data subject for a lawful purpose. For which a data subject is giving his consent to data user to use his personal data that processing must be lawful and trustworthy. A data user may collect personal information of a data subject on if: • The personal information on an individual is collected for a lawful purpose which is directly related to the event of exercise of the data user who is to use the personal data. • It should be mandatory that the collection of personal data is for and directly related to that purpose for which he has given his voluntary consent. • The personal data is sufficient or adequate, but not excessive in relation to that purpose. • There must be a fair and reasonable processing of personal data of an individual. • Personal data shall be processing to only that purpose which is clear, specific, direct and lawful. • There must be a collection limitation which means that only necessary personal data must be collected, and the collection must be limited to such data. • Personal data may be processed, if necessary, situation occurred such as to respond to any medical emergency, to take measure to provide health services to any individual an epidemic or pandemic, to ensure the safety on a personal during the situation of any disaster or any breakdown of public order, necessary for the employment etc. • Processing of sensitive personal data based on explicit content, for certain functions of the state, for any order of the court or tribunal, for prompt action [medical emergency], processing of personal sensitive data of children, etc.
  • 19. Moreover, if the personal data will be used or transferred for direct marketing purposes or any other purpose which is not included in the original collection purpose or a directly related purpose , consent is required for that. Data subject have the right to ask a data user to stop using or transferring the personal information for direct marketing purposes, and the data user must observe or comply with such requests. Companies that violate the PIPL are liable to administrative, civil, and criminal penalties, as described below. Administrative penalties. In the case of a violation of the PIPL, personal information protection authorities may issue a rectification order or a warning, and any unlawful gains may be confiscated. Services for the relevant apps may be suspended or terminated. Companies and their accountable executives that refuse to correct violations may face extra penalties. Serious violations may result in the suspension of business activities, the termination of a business certificate, and the imposition of a fine of up to RMB 50,000,000 or 5% of annual revenue. Fines and bans from accepting management or personal information protection responsibilities in other firms may be imposed on responsible executives. In line with the applicable rules, PIPL breaches may also be made public and recorded in the social credit records of the relevant firms. Civil liability. If the processing of personal information in violation of an individual's rights causes injury and the personal information processor cannot demonstrate that it is not at fault, the processor may be held responsible for damages and other civil penalties. If a substantial number of people are affected, designated consumer groups may file a lawsuit on their behalf. Criminal Responsibility. Violations of the PIPL that constitute criminal crimes may result in criminal prosecution.
  • 20. Individual rights under the PIP draft Individual rights before data handling under the draft: • To know that the data is being handled • To decide, if the data id going to be handled • To limit the purpose of handling the data • To refuse to handle the data Data subject’s rights one the data is handled: • To access the data • To copy the data • To correct or complete the data, if required • To delete the data and once it has been done there is also a right to be forgotten
  • 21. Individual rights. When it comes to personal information processing activities, this law codifies the individual's rights such as the right to know and to restrict or reject others' processing of personal information, as well as the right of inquiry and request a copy of personal information from processors. Those that process personal data are required to provide persons with a simple way to exercise the rights listed above. Individuals also have the right to revoke their consent to personal information handling actions done with their consent. They must agree on the rights and duties of each when two or more handlers of personal information make a joint decision on a personal information handling purpose and method. As a result of this agreement, an individual is still free and clear to demand that any personal information handler comply with all this Law's obligations. Personal information controllers are jointly liable if they infringe on personal information rights and interests. It is a person's right to ask personal information handlers to explain how automated decision making affects their rights and interests, and it is also their right to reject that personal information handlers make choices exclusively based on automated decision-making techniques. When talking about the regulations on the cross-border provisions of personal information one of them is that conclusion of an agreement with a foreign receiving party, agreement on both parties' rights and duties, and supervision of their personal information handling activities to ensure compliance with the personal information protection standards set out in this Law. Where personal information handlers provide personal information outside of the borders of the People’s Republic of China, they must inform individuals about the foreign receiving party's identity, contact method and handling purpose as well as personal information categories, as well as how they can exercise their rights under this Law with the foreign receiving party. They must set up procedures to accept and process requests from persons seeking to exercise their rights. If they deny a person's request to exercise their rights, they must give a justification for doing so. The right to make a complaint or report regarding unlawful personal information handling practises is available to any organisation or individual.
  • 22. Accountability The DPP5 requires data users to take all the reasonable measures to ensure that their personal information policies and exercises regarding personal data collecting, storing, transferring and using it. In the PDPO, accountability principles and other privacy management measures are not explicitly defined. In order to ensure compliance with the PDPO, the PCPD recommends organizations adopt privacy management system. The PCPD also recommends appointing data protection officers and conducting privacy impact assessments for this purpose. All feasible steps must be taken to safeguard personal data possessed by data users against unauthorized access, use, processing, erasure, lost, theft or disclosure. Breach notification has no mandatory requirement, but it is recommended that the PCPD (and the data subjects, where appropriate) be notified
  • 23. If there is any kind of data breach and there is no proper mechanism that was being followed, the organization shall be accountable for that. The PDPO does not explicitly make certification or adherence to a code of prsctice a legal basis for cross-border transfers.
  • 24. Data protection authority Privacy Commissioner for Personal Data (PCPD) is the authority which enforcing the PDPO in Hong Kong. Furthermore, the PCPD has additionally developed a number of codes of practice (available here) that provide practical guidance in relation to the requirements under the PDPO. If a data user breaches the code of practice, the presumption will apply to any legal proceeding under the PDPO, unless the data user can demonstrate that the requirement of the PDPO was actually complied within an alternative way. Various guidance notes has published by PCPD which referred to as good practice recommendations for protecting personal data in Hong Kong.
  • 25. Regulatory authority PCPD is an independent statutory body established to supervise the enforcement of PCPD. As stated on its website, its main responsibility is to “ensure the protection of the privacy of individuals in terms of personal data by promoting, monitoring and supervising compliance with the PDPO.
  • 26. Privacy Management The PCPD has upheld since 2014 for hierarchical data users to execute a Privacy management programme (PMP), in order to accept personal data assurance as a component of their corporate administration obligations and apply them as a basic all through the association. Recently, the PCPD reexamined and distributed its Privacy Management Program: a best practice guide (the PMP guide), which prescribes association to shape PMPs with three segment, specifically: Authoritative responsibilities Program controls Continues evaluation and update
  • 27. To oversee the compliance with the PDPO and implementation of the PMP, the PMP guide encourages organizations to appoint a designated officer (i.e. a DPO). The DPO should either the owner of a small organization or a senior executive of a major corporation. The main responsibilities of a DPO is:  setting up and executing the PMP program controls, specifically tracking the association’s very own personal data, starting the beginning of occasional danger evaluation to all divisions, organizing and observing the treatment of data breach incidents.  auditing the adequacy of the PMP, for example setting up an oversight and survey plan for the PMP and overhauling the program controls where it is necessary.  if any problem is occurred, reporting it to the top management periodically on the organization’s compliance issues, problem encountered, and complaints received in relation to personal data privacy.
  • 28. Responsibilities The PCPD has power to find relevant data users when it receives a complaint or has reasonable reasons to believe that an activity has contravened the relevant needs the PDPO. The PCPD also has the authority to review any personal data system used by a data user in order to obtain information that will assist the PCPD in making recommendations for compliance with the PDPO. The PCPD has to inform the respective data user in advance in writing of its intention to inspect or conduct an investigation, unless there are reasonable assumptions that this harm the purposes of the investigation. For investigation or inspection purposes, the PCPD may enter may enter into any premises with a court order or prior written notice. If the investigation confirms that the data user has violated a PDPO requirement, the PDPO can send the data user an enforcement notice to instruct him to take necessary steps to remedy the violation and to take reasonable legal steps. Compliance with an enforcement order is a criminal offence.
  • 29. Moreover, if a data subject is harmed as a result of a breach under the PDPO, the PCPD may provide legal assistance to bring a claim against the relevant data user. In an investigation the PCPD will also try to resolve the issue in a less formal way through mediation or conciliation.
  • 30. Data sharing Data users may not transfer personal data to third party without informing the data subject of the following at the time their personal data was collected or before it or before it was collected: That their personal data or information could be transferred The types of people the data could be transferred There are presently no restrictions on the transfer of personal data outside of Hong Kong, as the cross-border transfer restrictions outlined in the ordinance have yet to take effect. In the event that these restrictions come into force as right now drafted, they will have a critical affect upon outsourcing courses of action, intragroup information sharing courses of action, compliance with oversees reporting commitments and other exercises that include cross-border data exchange.
  • 31. All things considered, non-binding best practice guidance distributed by the PCPD energizes compliance with the cross-border transfer restrictions in the ordinance, which disallow the exchange of personal information to outside Hong Kong unless, certain situations are met [counting a white list of jurisdictions; separate and intentional consent obtained from the information subject; and an enforceable information exchange understanding for which the PCPD gives proposed model clauses].
  • 32. Anonymized data Anonymised data means data which removes all identifiers irreversibly and that data subject is no longer identifiable in any manner. It is an information which may be a sort of data sanitization in which information anonymization devices scramble or expel actually identifiable data from data sets from the reason of protecting a data subject’s privacy. This decreases the chance of unintended disclosure amid the exchange of data over boundaries and encourages assessment analytics post-anonymization. There is no such concept of anonymization within the PDPO. However, the PCPD distributes the guidance note titled Direction on Individual Eradication and anonymization which gives the information which is anonymised, to the degree that the data user will not be able to specifically of indirectly identify the individual concerned, will not be considered as [personal data] under the PDPO.
  • 33. Anonymising data is therefore an alternative for taking care of an individual’s information which is not required for the purpose for which it was collected or stored, other than total erasure. Concluding that, anonymized data is not considered as “personal data” under Personal Data Privacy Ordinance PDPO.
  • 34. Data localization Data localization means information localization or information residency law requires information around a nation’s citizens or inhabitants to be collected, handled, stored and/or put inside the nation, frequently some time before being transferred internationally.