Employee Data Privacy

China - Employee Consent

Do I have to obtain employees' consent in order to collect their personal data?

 

The processing of any personal data may create obligations toward the individuals to whom the data relates (the data subjects). Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.

 

The PRC Civil Code, which defines personal information and the general principles of personal information protection, came into effect on January 1, 2021. Under the Civil Code (Art. 1035), processing personal information must follow the principles of lawfulness, fairness, and necessity, and requires consent, except as otherwise provided by law or regulation.


Exceptions to the consent requirement include the processing of basic information directly related to the employee and the labor contract. Under the Employment Contract Law, employers have the right to process basic information. That said, the law does not define what constitutes “basic information,” though in the context of the employment relationship, it could arguably include personal information that is necessary to sign the labor contract, manage the relationship, enroll in social insurance and other mandatory benefits, and comply with audit requirements from authorities.


Employers should establish specific rules for the collection, processing, storage, use, transmission, and disclosure of different categories of information, including obtaining consent when the processing goes beyond “basic information.”


Employers who collect personal information are expected to categorize the circumstances of the collection, use, transfer, and disclosure of employee information in their business management (not limited to human resource management), and establish a list of basic personal information, non-basic personal information, and sensitive personal information.


In addition, China’s Cybersecurity Law requires that network operators obtain consent from data subjects in order to collect and use their personal information. The term “network operators” primarily applies to organizations that collect information from website users. That said, no guidance or regulation currently defines whether “network operators” includes employers who are processing their employees’ personal information.

 

HR Best Practices: Make sure to have an up-to-date privacy policy, which includes a clear and reasonable purpose for collecting employees’ personal information. 

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.
