Employee Data Privacy

China - Employee Consent

 Download as a PDF

Do I have to obtain employees' consent in order to collect their personal data?


The processing of any personal data can impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.


China’s Cybersecurity Law requires that network operators obtain consent from data subjects in order to collect and use their personal information. “Network operators” primarily applies to organizations who collect information from website users. That said, no guidance or regulation currently defines whether “network operators” includes employers who are processing their employees’ personal information.


Some employers follow the The Personal Information Security Specification, (个人信息安全规范, GB/T 35273-2017) when collecting employee data. The Specification includes suggested best practices for personal data controllers (business and individuals who process personal data), such as:


  • obtaining the employee’s consent to the collection/use/disclosure of their personal data;
  • providing employees with a notification which includes: the categories of personal data collected; the purpose/use of collection; the means and frequency of the collection; where data will be stored; the retention period; the measures the employer will take to protect the data; 3rd parties to whom the data may be shared and whether the data may be transferred across borders.

scott-webb-199458The Specification includes additional restrictions when processing sensitive personal information (ex. bank account numbers, personal health information, biometric data, personal identification numbers, network identification information, personal phone numbers, marriage history, religious beliefs, sexual orientation, undisclosed criminal records, geographical location, internet browsing history, etc.) When processing sensitive personal information, employers should obtain express consent from employees and job applicants. Express consent should be specific, clear, unambiguous and voluntarily given.

Employees and other data subjects whose sensitive personal information is being processed should be informed of all core (and related) business functions or services that will require their sensitive personal information. They must also be informed of the potential impact if they do not provide consent. A separate consent should be provided for each function/service and for each automated data collection.

Under the Specification, businesses do not have to obtain consent in certain cases, such as when:

  • necessary to perform a contract requested by the employee (or other data subject);
  • data was disclosed publicly;
  • related to a trial or criminal investigation;
  • protecting life, property, or material legal rights of individuals;
  • required to maintain the safe and stable operation of the products/services provided by the business directly and related to national security; or, when
  • directly related to public safety/public health/ public interests.


HR Best Practices: Make sure to have an up-to-date privacy policy, which includes a clear and reasonable purpose for collecting employees’ personal information. Follow the best practices outlined in the Specification to obtain employee consent to process personal employee data.

Ultimate Software's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where Ultimate Software's customers have employees. HR Compliance Assist is a service exclusively available to Ultimate Software customers.

Share Your Feedback

Let's Talk