Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under the PRC Civil Code, employees should be clearly notified of the purpose, method and scope of personal information that the employer is collecting and processing about them.
Natural persons may retrieve or make copies of their personal information and have the right to raise an objection and request corrections if their information is incorrect. If employers (or other information processors) have violated laws, administrative regulations or breached the agreement while processing personal information, the individual has a right to request that their personal information is deleted.
In addition, the Cybersecurity Law generally prescribes data protection and data security obligations by network operators. Under this law, data subjects have the right to have their data corrected, as well as the right to request deletion in the event of a data breach.
The Ministry of Industry and Information Technology (MIIT) Regulation does require that, after users have terminated the use of telecommunications or internet information services, telecom business operators and internet information service providers stop the collection and use of the users' personal information, and provide the users with services for deregistering relevant phone numbers or account numbers.
As a best practice, some international employers operating in China also follow The Personal Information Security Specification, (个人信息安全规范, GB/T 35273-2020) when collecting employee data. Employers may take the following actions upon a data subject’s request:
- Provide employees and other data subjects with the personal information (or types of personal information related to the data subject) held by the employer; the source and purpose for collecting this personal data; and, the identity of 3rd parties or types of 3rd parties who have already obtained access to the personal data.
- Outline how individuals can obtain copies of their personal information, including basic personal data, personal identification information, personal health/physiological information and, personal education/work information.
- Delete personal data as required when violating laws or regulations.
- Cancel accounts held by data subjects (as appropriate) and anonymize or delete information after the account is canceled. Cancellation requests should be reviewed and processed within 15 days. Employees and other personal data subjects should not have extra obligations imposed upon them, and individuals cannot be asked to provide more information for the cancellation process than was required under the registration process.