Jinri Pu Law | @App operator and other personal information processing, how should the "inform" obligation be fulfilled?
Author:Tianjin Senior People's Court Time:2022.09.22
On November 1, 2021, the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the "Personal Information Protection Law") was officially implemented. As the first systematic and comprehensive law for personal information protection, the "Personal Information Protection Law" actively responded to social hot topics such as "prohibiting APPs from collecting personal information", and built a "inform-consent" as the core Personal information processing rules have opened a new chapter in my country's personal information protection.
The consent rules are composed of the notification rules and consent rules, and the premise is the premise of consent. So, how should apps such as app operators better fulfill the obligation of "inform"? Please see below.
"Personal Information Protection Law of the People's Republic of China"
Article 17
Personal information processors should tell the following matters to the individual in a significant, clear and easy -to -understand language before handling personal information:
(1) The name or name and contact information of the personal information processor;
(2) The purpose and method of processing of personal information, the types of personal information and preservation period for processing;
(3) Personal exercise methods and procedures for rights stipulated in this Law;
(4) Other matters that law and administrative regulations shall be informed.
If the matters stipulated in the preceding paragraph, the changing part shall inform individuals.
Personal information processors notify the provisions of the first paragraph specified by the personal information processing rules, and the processing rules should be disclosed, and it is easy to consult and save.
1. The meaning of informing the obligation
The obligation to inform the personal information processor of the Personal Information Protection Law refers to the knowledge of the relevant matters of the information of the information of the information processing activities in order to allow the information subject to actively inform the subject of the information in accordance with the law. The legal obligation of personal information processing related important matters.
The consent rules in personal information protection are composed of the notification rules and consent rules. In the "Personal Information Protection Law", inform the rules of the right to informed the right to the information of the information and the informing obligations of the personal information processor, and agree that the information self -determination rights corresponding to the information main body correspond to the rules are inseparable. The purpose of allowing personal information processors to assume the obligation to inform the obligation is to ensure the right to know the subject of the information, and to meet the public information processing principle of public information processing, and then ensure that the subject of the information is voluntarily and clearly made to make effective consent on the premise of fully informed it. The processor's personal information processing behavior provides the basis of legitimacy. [1] In other words, agreeing to inform as the premise.
The right to know the information of the information includes two aspects: positive and negative: the former refers to the freedom and rights of information processors who actively request personal information processors to provide information related to their personal information processing; the latter refers Personal information processors have the active notification obligation to the subject of the information. [2] This article is exactly the active notification obligation of personal information processing from the negative aspect of the right to know the right of information.
[1] See Cheng Xiao: "On Personal Information Treatment Rules in the Protection of the Personal Information Protection of my country", "Tsinghua Law", No. 3, 2021.
[2] See Zhang Xinbao and Ge Xin: "Personal Information Protection Law (Expert Proposal) and its legislative reasons", Renmin University of China Press, 2021, p. 33.
2. The content of the obligation
The content of the obligation refers to the itself that the processor should notify the personal information handled by the personal information. Generally speaking, the more the contents of the notification, the more the right to the information of the information can be fully guaranteed. However, for the enterprise, the performance of the notification obligation must require a certain cost. The more content the notification, the higher the cost, so the content of the obligation should have reasonable restrictions.
The "Personal Information Protection Law" on the basis of the experience of the comparative law is based on the "general regulations + special regulations" to make the processor that the processor should be informed by the individual. The so -called general regulations are the matters stipulated in Article 17, paragraph 1 of the Personal Information Protection Law. These matters are the common matters or general matters that personal information processing should inform individuals before any personal information processing. The so -called special regulations are the provisions of adding some notifications for some special personal information processing behaviors, such as Article 22, Article 23, 30, and 39 of the Personal Information Protection Law. The specific content of the obligation includes the following aspects:
1. The name or name and contact information of the personal information processor
Due to the complex and diverse and hidden majors of the processor's subject, in order to ensure the openness and transparency and fairness of personal information processing, the processor must inform the individual's name or name and contact information to make individuals know who the personal information is handled. The personal information protection level of different information processors is different. The identity of the information processor will have a significant impact on whether the information main body decides whether to deal with personal information. In addition, only if you know the name or name and contact information of the personal information processor, the information subject can exercise its rights in personal information processing, such as checking, replication, correction, supplement, deletion, etc.
2. The purpose and method of processing of personal information, the types and preservation period of personal information processing, the type of personal information
The purpose of the so -called personal information processing refers to the processor to handle personal information for what the processor is. The reason for the request to be notified is because the purpose of processing is very important in personal information processing. The principle of purpose limit is the basic principle of personal information processing. It requires that the processor should have a clear and reasonable purpose when dealing with personal information, and it should be limited to the minimum range of the necessary processing purposes. Do not process personal information processing that has nothing to do with the purpose of processing. Therefore, only by clarifying the purpose of the treatment can individuals determine whether they agree with the treatment behavior based on specific treatment purposes. The processing method of personal information mainly refers to the processing method of the processor's personal information, which includes the collection, storage, use, processing, transmission, provision, disclosure, deletion of personal information. Therefore, the processor must inform individuals what the treatment method it takes is to collect and store it, but not in use, processing, or collection, storage, use, processing but not provided. Different processing methods have different impact on personal information rights, so they need to inform individuals and obtain consent. There are many types of personal information, including but not limited to the names of natural persons, date of birth, ID number, biometric information, address, telephone number, e -mail, health information, travel information, etc. Personal information can be divided into sensitive personal information and non -sensitive personal information. Different personal information has different impact on personal information rights. The processing of sensitive personal information will have great risks to personal information rights and interests, because once such information is leaked or illegally, it may cause individuals to be discriminated against or personal and property security. Therefore, the types of personal information are what must be notified. When the processor notify the type of personal information to the individual, the processor shall follow the principle of openness and transparency, and shall not be too general. For example, the personal information that cannot be notified is "health information" or "information related to health". This scope is too wide and may cover countless information. "And" pregnancy age "depends on the treatment and the purpose of treatment. The preservation period of personal information is also very important. The longer the preservation period, the greater the possibility of leakage or illegal use, and the greater the adverse effect on personal information rights, so it is necessary to inform individuals. Personally, the preservation period is also conducive to the exercise of the deletion right in accordance with Article 47 of the Personal Information Protection Law when the preservation period expires. 3. Personal exercise methods and procedures for rights stipulated in this Law
The so -called "exercise of rights stipulated in this Law" refers to the rights of individuals stipulated in Chapter 4 of the Personal Information Protection Law in the personal information processing activity, including the right to decide in the personal information processing activities, including the right to decide, check the right to replicate, the power of data carrying, correct the right to supplement,, and the right to supplement,, and the right to supplement, and Delete the right to explain, explain the right to explain. The reason why individuals need to exercise the rights and procedures for rights stipulated in the Personal Information Protection Law are to encourage and facilitate the main body of information.
4. Other matters that laws and administrative regulations should be notified
This is a bottom -out rule. On the one hand, it is connected with the provisions of the "Personal Information Protection Law" on special notification matters, and on the other hand, it also leaves room for relevant laws and administrative regulations.
Specifically, the special notification items mainly include four types of situations: First, when personal information processors need to transfer personal information due to the merger and separation of legal persons or illegal organizations, in accordance with Article 22 of the Personal Information Protection Law, The name or name and contact information of the receiver should be informed of the individual, which is mainly to ensure that individuals can claim the rights in personal information processing to the receiver. Secondly, if the personal information processor provides the personal information of the processor of other personal information, in accordance with Article 23 of the Personal Information Protection Law, the name or name, contact information, processing purpose of the receiver must also inform the receiver of the person. , Types of processing and personal information, and obtain individual consent. This is because the processor provides personal information to others. The receiver does not simply accept personal information. It is possible to use new processing purposes and take new processing methods to process personal information. Therefore, it is required that the processor rather than the receiving direction to inform and obtain a separate consent, otherwise it must not provide personal information to others. Thirdly, in order to better protect the sensitive personal information, Article 30 of the Personal Information Protection Law requires that when dealing with sensitive personal information, personal information processors must not only inform the matters specified in Article 17, but also Inform individuals that the necessity of handling sensitive personal information and the impact on the individual, except for the "Personal Information Protection Law" regulations that can not be informed by individuals. The reason why it is required to deal with sensitive personal information must be notified of the need for processing is that once sensitive personal information is leaked or illegally used, it may cause individuals to be discriminated against? Strong protection. Although my country's "Personal Information Protection Law" does not take the mode of processing sensitive personal information that is prohibited in principle and exceptions, it can better protect the rights and interests of personal information by strengthening the need for the need for sensitive personal information. The so -called impact on individuals refers to the impact of sensitive personal information on individuals, mainly refers to adverse effects. Only by fully disclosing this impact can individuals make voluntary consent if they are fully informed. Finally, when the personal information is provided cross -border, according to Article 39 of the Personal Information Protection Law, the processor shall inform the individual's name or name, contact information, processing purpose, processing method, the type of personal information, and individuals of the individual Exercise the ways and procedures of rights stipulated in the Personal Information Protection Law to the overseas receiving party, and obtain individual individual consent. Third, inform the performance of obligations
1. Time to inform the obligation to perform
Personal information processors must inform individuals processed by personal information before processing personal information, and cannot inform individuals after the personal information processing behavior has been implemented. Because it is only meaningful to the information of the information beforehand.
In the case of exception, if in accordance with Article 18 of the Personal Information Protection Law, it can be exempted from informs or informs in a timely manner.
2. Inform how the obligation is fulfilled
Article 17, paragraph 1 of the Personal Information Protection Law clearly stipulates the way of the personal information processor to inform the obligations of the obligation, that is, "the true, accurate, and complete inform individuals should be real, accurate, and complete in a remarkable way."
The so -called obvious way refers to the personal information processor to let individuals understand the content of the processor in the way that the processor is easy to identify and easy to obtain, and cannot hide it in a pile of so -called "privacy policies" containing various contents containing various contents. Among them, or in other unprecedented ways such as very small, unspeakable fonts, make individuals unable to identify or obtain the content notified by the processor. This so -called inform can also be considered as a fraud or misleading approach.
The clear and easy -to -understand language means that the processor should inform the language expressions that ordinary people can understand, so that any individual who does not have personal information processing professional knowledge can know the content of the processor. In practice, in order to avoid legal responsibilities, personal information processors often tend to use extremely abstract or quite obscure languages to describe the purpose of collecting and using personal information in privacy policies, such as "improving service quality", "improvement of user experience", "improved user experience", "improved user experience", "improved user experience" " R & D new products "" enhance safety "and so on. This language expression is obviously very vague, and it also makes the processor's handling the purpose of handling very clearly, violating the principles of the purpose and the principle of openness and transparency.
"Real" means that the information informed by the personal information processor cannot be false; "accurate" means that the information informed by the personal information processor cannot be wrong; "comprehensive" means that the information notified by the personal information processor cannot be incomplete of. These requirements are to strengthen the obligation of personal information processors and protect the right to know the subject of information.
- END -
Extraordinary ten years of colorful Central Plains | Ruyang Court: Build a Fengqiao -style People's Court to promote high -quality development of trials
Henan Daily client reporter Tian Yilong Ji Xiaoping correspondent Jiu Hongjie Li X...
Shenzhen boy ran away from home and ran to Harbin!Parents are anxious ...
On the morning of August 30, the Taipingzhuang Police Station of the Daoli Branch ...