Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under China’s Civil Code, natural persons may retrieve or make copies of their personal information and have the right to raise an objection and request corrections if their information is incorrect. If employers (or other information processors) have violated laws, administrative regulations or breached the agreement while processing personal information, the individual has a right to request that their personal information is deleted.
The Personal Information Protection Law (PIPL) (Chapter 4) also gives data subjects certain rights, which are applicable to employees in relation to personal information processed by the employer. This includes the right to:
- access and to a copy of their personal information (Art. 45);
- correction and supplement (Art. 46);
- deletion, in certain circumstances (Art. 47);
- transfer (this appears to be a right to data portability, Art. 45);
- request details of processing (including automated decision making, and the right to refuse such decision) and handling rules (Arts. 24 and 48);
- withdraw consent (Art. 15); and, the right to
- object to and restrict the processing of their individual data (Art. 44).
Data subject requests should be addressed in a timely manner by data controllers. Data subjects have the right to (i) complain and (ii) deregister accounts under the Personal Information Security Specification. Data subjects may also bring civil action against a data controller refusing to honor their data subject rights.
In addition, the Cybersecurity Law generally prescribes data protection and data security obligations by network operators. Under this law, data subjects have the right to have their data corrected, as well as the right to request deletion in the event of a data breach.
The Ministry of Industry and Information Technology (MIIT) Regulation does require that, after users have terminated the use of telecommunications or internet information services, telecom business operators and internet information service providers stop the collection and use of the users' personal information, and provide the users with services for deregistering relevant phone numbers or account numbers.
Data Processing Notice
Under the PRC Civil Code, employees should be clearly notified of the purpose, method and scope of personal information that the employer is collecting and processing about them.
In addition to the above, the data processing notice must include:
- the data controller’s (i.e., the employer’s) name and contact information;
- categories of personal information processed;
- name and contact details of other data controllers to which personal will be disclosed, along with the purpose and method of the disclosure, and the categories of personal information to be disclosed;
- retention periods for the collected personal information;
- how data subjects can exercise their rights; and,
- any other terms required by law or administrative regulation.
If an employer, or other data controller, transfers personal information outside of China, the data processing notice also must include:
- the data importer’s name and contact details;
- the data importer’s processing purposes and methods;
- categories of personal information transferred; and
- how to submit requests to the data importer to exercise individual rights.
If the employer is required to designate a data protection officer (DPO), the contact details for the DPO must be included in the notice. Data subjects must be informed of any changes to the information provided.