With the development of data protection legislation in China, especially after the promulgation of the Personal Information Protection Law (“PIPL”, effective on 1 November 2021) and the Data Security Law (effective on 1 September 2021), it has become inevitable for corporations to bring data protection compliance to the next level. Many companies may consider reviewing their policies and workflow management to provide sufficient and compliant protection for their customers and employees with respect to data security.
An effective system with a person in charge of data compliance in a company (“Person-in-Charge”) is highly advisable for planning and organizing compliance in this regard.
This Q&A has been prepared to help understand the current responsibilities imposed by legislation on the Person-in-Charge in order to arrange the position properly.
1. Which Companies Should Have The Person-in-Charge?
According to Article 52 of the PIPL, the personal information processor whose processing of data has reached the threshold amount specified by the national network information department shall designate the person-in-charge of personal information protection.
Although the threshold amount has not yet been clarified by the authority, a reasonable reference that may be considered is 500,000, pursuant to Article 11.1(c) of GB-T35273-2020 Information Security Technology-Personal Information Security Specification: a company shall have a full-time Person-in-Charge if the company handles, or is expected to handle within 12 months, the personal information of more than 1 million people, or handles the sensitive personal information of more than 100,000 people.
As such, it is advisable for companies meeting the above threshold to appoint a Person-in-Charge as a precautionary step for the company's data protection compliance.
Moreover, it should be noted that for companies that do not have an office in China but still want to provide services in China, a special agency or a designated Person-in-Charge in China is required in accordance with Article 53 of the PIPL.
2. Who Can Be The Person-In-Charge?
An employee, for instance the head of legal or the head of IT, or even an external professional consultant, could be the Person-in-Charge. Current regulations do not impose compulsory qualification requirements on the Person-in-Charge. As a common practice, many companies choose to have an outsourced Person-in-Charge, such as a professor or lawyer, who has expertise in data protection and is comparatively independent from the company, considering that an employee may have a conflict of interest in supervising their own employer.
However, for the purpose of compliance, when appointing someone who is not an employee, a well-developed service agreement and a Non-Disclosure Agreement should be in place in order to shield the company from potential risk.
3. What Qualifications Does The Person-In-Charge Need To Have?
As mentioned above, the PIPL does not mandate any requirement for the Person-in-Charge with respect to expertise, independence or particular certificates. Nowadays, several data protection related certificates are available, but they are not required by the laws or the authorities.
In any event, to better perform the duty, the Person-in-Charge should be familiar with the company's data processing activities, have received relevant training, or have appropriate knowledge of data protection law and practice.
4. What Responsibilities Does The Person-In-Charge Have?
The PIPL only stipulates the responsibilities of the Person-in-Charge as “supervising the personal information processing activities and the protection measures taken”. Therefore, the detailed responsibilities remain to be further clarified. It is common practice for the Person-in-Charge to fulfill the following duties:
- To plan, organize and implement the data protection work comprehensively, including but not limited to the formulation of a data security management system, the implementation of a data protection plan, the selection and appointment of a data security management team, and the granting of management authority, etc.
- To keep up with the latest relevant laws and regulations and closely supervise the business's compliance. To update the data protection policies and work plans and analyze potential risks and irregularities.
- To actively cooperate with the competent authorities in their regulatory work, including daily consultation on the data processing activities of the company, timely submission of the relevant reports, cooperation with the regulatory authorities to obtain the required data and information, etc.
- To coordinate the personnel of all parties to avoid data security incidents. To actively organize and carry out personal information security training for the relevant staff, enhancing the data compliance awareness of the personnel, and to conduct anonymous spot checks at irregular intervals.
- To fulfill other obligations imposed by laws and regulations, including data retention and deletion, disclosure by means of complaints and reporting, data security incident reporting, etc.
5. What Liabilities Does The Person-In-Charge Need To Bear?
The PIPL penalizes “directly responsible individuals” for violations, and a Person-in-Charge could be a directly responsible individual. In this case, administrative penalties shall apply, including a fine ranging from 10,000 RMB to 1 million RMB. In serious cases, criminal penalties may be imposed.
In any event, the risk and liabilities for the Person-in-Charge should be low if the person performs his/her duty diligently. The detailed requirements and standards to determine the Person-in-Charge’s performance remain to be further clarified by the authority.
6. What’s The Difference Between The Person-In-Charge And Data Protection Officer (“DPO”) Under GDPR?
It is true that the Person-in-Charge is similar to the DPO under the GDPR, but the two concepts are not completely the same. The DPO role places more emphasis on independence from the data controller, while the Person-in-Charge focuses more on organizing and planning the company's compliance comprehensively and does not specifically focus on independence.
Moreover, to facilitate the DPO's performance of its duty, the GDPR endeavors to limit the personal liability the DPO incurs, while the Person-in-Charge tends to bear somewhat more legal liability for information protection.
To conclude, it is fundamental for companies to follow the latest legislation on data protection in China, since new laws have been passed over the past few years. Consequently, the way companies handle data and personal information in China has to progress accordingly. Companies are advised to take action as soon as practically possible to ensure that their China-related privacy practices are compliant with the requirements prescribed therein. As one of the key points, the establishment and management of the Person-in-Charge in a company should be taken into serious consideration.