How to ensure legal compliance in human resources (“HR”) management is nowadays a hot topic for multinational corporations (“MNCs”). Since the Personal Information Protection Law of the PRC (“PIPL”) came into effect in 2021, a series of new compliance requirements and challenges have arisen for MNCs that process employees' personal information in the context of HR management. How to meet the needs of centralized HR management within the framework of PRC law has become a hot potato that troubles many MNCs. Notably, recent legislative developments have provided some answers. Based on those developments, we have answered ten frequently asked questions about processing employees' personal information for MNCs to consider.

Q1: How to understand the cross-border processing of employees' personal information?

(1) What kind of information qualifies as employees' personal information?

According to Article 4 of the PIPL, personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously. The definition of “personal information” is inclusive and contains rich connotations. According to the national standard Information Security Technology Personal Information Security Specifications, personal information may further include: 

  1. basic information of an individual (name, date of birth, gender, nation, nationality, family ties, home address, personal phone number, email address, etc.);
  2. identification information of an individual (ID card, passport, etc.);
  3. biometric information of an individual (facially recognizable features, etc.);
  4. information concerning the health and psychological status of an individual (height, weight, vital capacity, illness, etc.);
  5. information concerning the education and work of an individual (diploma, degree, educational background, work experience, training records, transcripts, etc.);
  6. information concerning personal property (bank accounts, real estate information, credit information, etc.);
  7. information concerning online identification symbols, contact information, individual's internet surfing records, information concerning the commonly used devices by individuals, location information, etc.

In reality, by collecting resumes and registration forms when recruiting, corporations often obtain the employees' basic information, contact information, information concerning the education and work experience, information concerning personal property, etc.; through pre-employment medical examinations, corporations often collect information concerning the health and psychological status of candidate employees; and biometric information of employees may also be collected through daily management of employees.

Notably, some employees' personal information may fall within the scope of "sensitive personal information". Article 28 of the PIPL defines sensitive personal information as the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account, and whereabouts and tracks, as well as the personal information of minors under the age of 14. Employees' personal information collected by corporations, such as pre-employment medical examination reports, criminal records, religious beliefs, birth information, information on children under the age of 14, ID cards, social security cards or residence documents, credit information, fingerprints, iris recognition information, facial details, whereabouts, bank accounts, and payrolls, evidently falls into the category of "sensitive personal information". The PIPL and relevant laws and regulations set a higher bar for processing sensitive personal information (such as obtaining "separate consent" from personal information subjects).

In summary, to understand the personal information of employees, corporations should understand the connotation and scope of "personal information" defined by PRC law and regulations, and at the same time, sort out what kind of personal information (sensitive or not) will be processed under each of the specific scenarios when recruiting and managing employees.

(2) How to Understand the “Cross-border Provision of Personal Information” (“CPPI”)?

The PIPL does not clearly define what constitutes CPPI. According to the status quo of the legislation, CPPI can be dissected from two perspectives: (1) CPPI means the processing activities that occurred overseas concerning the personal information of natural persons within mainland China; (2) CPPI means the situations of providing specific personal information generated within mainland China to the overseas importers. The following scenarios probably will be deemed as CPPI under current PRC laws and regulations:

  1. providing personal information to entities that are located within mainland China but are not subject to PRC jurisdiction or registered under PRC law;
  2. accessing and viewing personal information by overseas institutions, organizations, or individuals (with the exception of public information and web page browsing), even though such personal information has not been transferred or stored outside mainland China;
  3. transferring the internal data of the network operator group overseas, which involves personal information collected and generated in the course of domestic operations.

The following scenarios may not fall within the scope of CPPI:

  1. Exporting personal information that is not collected and generated in the course of domestic operations is not CPPI, provided that such information has not been altered or processed in any way.
  2. Exporting personal information which is not collected and generated in the course of domestic operations despite being stored and processed within mainland China. Such export shall not in any fashion concern personal information collected and generated in the course of domestic operations.

Due to the rapid changes concerning this sector of laws, the above comprehension of CPPI may be subject to adjustment, particularly when the implementation rules of the PIPL are promulgated.

Q2: Does an overseas importer's remote access to the employees' personal information storage systems (the “System”) of domestic exporters constitute CPPI under the PIPL?

Based on the analysis in Q1, we can find that overseas importers' remote access to the System of domestic exporters will be deemed CPPI and therefore governed by the PIPL. According to Article 4 of the PIPL, the processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion of personal information, etc. Even if an overseas importer merely accesses the System, the "access" is very likely to be deemed as the processing ("use") of domestic employees' personal information, thus falling into the definition of CPPI. Whether based on the context of the PIPL or by interpretation of other supportive laws and regulations, access by overseas importers to the System of domestic exporters through API interfaces or other means is likely to be treated as CPPI.

Q3: How to understand the legal basis for processing personal information as “necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective agreement concluded in accordance with the law” in Article 13 of the PIPL?

Where a processor processes personal information, it must have at least one of the six "legal bases" listed in Article 13 of the PIPL, of which: "(2) [O]r for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective agreement concluded in accordance with the law[.]" (the “Second Legal Basis"). Combined with the relevant provisions of the Labor Contract Law, this legal basis can be understood from the following two perspectives:

(1) Understanding the necessity of processing personal information for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law: per Article 4 of the Labor Contract Law, when an employer formulates, revises, or decides on rules or major matters pertaining to labor remuneration, working hours, rest periods and off days, labor safety and health, insurance and welfare, staff training, labor discipline, and labor quota administration, etc., which directly involve the vital interests of workers, such matters shall be discussed by the workers' congress or all-staff meeting, which shall make a proposal and give its opinion, and the employer shall carry out equal negotiation with the labor union or employee representatives before making a decision. Employers shall announce decisions on rules and major matters which directly involve the vital interests of workers or notify the workers. In other words, to be recognized as effective under PRC law, employment policies or handbooks shall be enacted through the specific democratic negotiation process, during which the content of the employment policies or handbooks shall be circulated to the employees to ensure their right to be informed, and the final version of the employment policies or handbooks shall include the feedback collected through full deliberation by the workers' congress or the all-staff meetings. To understand "necessary for human resource management", attention should be paid to the specific items regulated through the employment policies or handbooks, and corporations should ensure that personal information is processed strictly in accordance with the scope agreed within a particular employment policy or handbook. Exceeding the scope authorized by such policy or handbook will result in the loss of the Second Legal Basis.
For example, when a corporation has enacted a policy on "labor remuneration" through a proper democratic negotiation process to collect information such as the name and seniority level of the employees, it cannot exceed that scope by collecting age and gender without losing the Second Legal Basis for processing personal information.

(2) Understanding the necessity of processing personal information for the implementation of human resources management in accordance with a collective agreement concluded in accordance with the law: according to Chapter 5, Section 1 of the Labor Contract Law, a collective agreement usually refers to a contract concluded by a union on behalf of the employees with the employer through equal negotiation on matters such as labor remuneration, working hours, rest and leave, labor safety and health, insurance and welfare, etc. A draft collective agreement shall be submitted to the workers' congress or all-staff meetings for discussion and adoption. In practice, collective agreements are often found in specific industries such as construction, mining, and catering. Similarly, to implement human resources management under collective agreements, it is necessary to pay attention to the personal information required to be processed under the matters specified in the collective agreement (such as labor remuneration, working hours, rest and leave, labor safety and health, insurance and welfare, etc.), and personal information must not be processed beyond the agreed scope.

It should be noted that "consent" is one of the six legal bases, whereas "separate consent" is not listed as an independent legal basis within the PIPL but is a special form of “consent”. Therefore, according to the relevant provisions of Article 13 of the PIPL, if an employer can base its processing of personal information on the Second Legal Basis, it is not required to obtain "consent" or "separate consent" for processing employees' personal information.
