Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The PRC Civil Code, which defines personal information and the general principles of personal information protection, came into effect on January 1, 2021. Under the Civil Code (Art. 1035), processing personal information must follow the principles of lawfulness, fairness, and necessity, and requires consent, except as otherwise provided by law or regulation.
Exceptions to the consent requirement include the processing of basic information directly related to the employee and the labor contract. Under the Employment Contract Law, employers have the right to process basic information. That said, the law does not define what constitutes “basic information,” though in the context of the employment relationship, it could arguably include personal information that is necessary to sign the labor contract, manage the relationship, enroll in social insurance and other mandatory benefits, and comply with audit requirements from authorities.
Employers should establish specific rules for the collection, processing, storage, use, transmission, and disclosure of different categories of information, including obtaining consent when the processing goes beyond “basic information.”
Employers who collect personal information are expected to categorize the circumstances of the collection, use, transfer, and disclosure of employee information in their business management (not limited to human resource management), and establish a list of basic personal information, non-basic personal information, and sensitive personal information.
In addition, China’s Cybersecurity Law requires that network operators obtain consent from data subjects in order to collect and use their personal information. The term “network operators” primarily applies to organizations that collect information from website users. That said, no guidance or regulation currently defines whether “network operators” includes employers who are processing their employees’ personal information.