
Interpretation of the Final Text of the Personal Information Protection Law, Chinese-English Bilingual Edition (Chapter 2, Sections 2 and 3)


耀时 Cross-Border Data Compliance Research Institute


Chapter 2, Section 2: Interpretation of the Rules on Handling Sensitive Personal Information



1. Conditions for handling sensitive personal information and the definition of sensitive personal information (Article 28)

Specifically, this article builds on Article 6 of the Personal Information Protection Law and is similar to Article 9 of the GDPR. On top of Article 6's requirement that personal information be handled for a "clear and reasonable purpose", this article imposes a higher standard: personal information handlers must satisfy the normative requirement of "specific purpose + sufficient necessity". This means that handlers should process sensitive personal information with a stricter and more cautious attitude.

In addition, Article 15 of the Data Security Management Measures (Draft for Comment) provides that "network operators that collect important data or sensitive personal information for business purposes shall file a record with the local cyberspace administration department." Thus, although both sensitive personal information and important data are focal points of government supervision, the two concepts differ. Under the Measures for Security Assessment of the Outbound Transfer of Personal Information and Important Data (Draft for Comment), important data refers to data closely related to national security, economic development and the public interest. As for how important data is to be identified in practice, China's Guide for the Identification of Important Data is still working its way through the legislative process.


2. Requirements for handling sensitive personal information on the basis of the individual's consent (Article 29)

When handling sensitive personal information, the form of "separate consent" or "authorized consent" should be adopted depending on the situation. Note that "separate consent" here must at the same time satisfy the requirement of "explicit consent", and "authorized consent" must also satisfy the formal requirement of "written consent". In addition, Article 11 of the Measures for the Supervision and Administration of Online Transactions (Draft for Comment) provides that "online transaction operators that collect or use sensitive information such as biometric information, health information, property information and social information shall obtain the authorized consent of the data subject for each item." It follows that the handling of sensitive personal information differs from that of general information: "separate consent" must be granted item by item.


3. The notification obligation when handling sensitive personal information (Article 30)

When handling sensitive personal information, in addition to notifying the individual of the matters required by Article 17 of the Personal Information Protection Law, the handler must also notify the individual of the necessity of the handling and its impact on the individual; the notification requirements are therefore stricter. As to the "impact on the individual": for example, when a person applies for personal insurance, the insurer collects medical and health information such as the applicant's medical records. The impact on the individual is that a history of particular illnesses may affect whether the policy is underwritten and how the premium is calculated.


4. Special consent requirements for the personal information of minors (Article 31)

Article 9 of the Provisions on the Cyber Protection of Children's Personal Information provides that "network operators that collect, use, transfer or disclose children's personal information shall notify the child's guardian in a conspicuous and clear manner and shall obtain the guardian's consent." Where the individual's identity, age and other attributes have been adequately verified and the operator genuinely failed to discover that the individual is a child, whether because of technical limitations or the individual's deliberate concealment, it may be possible to be exempted from liability for not obtaining the guardian's consent; the specific application, however, awaits further interpretation and refinement by the legislature. On this basis, Article 31 of the Personal Information Protection Law requires that dedicated personal information handling rules be formulated for the personal information of minors.



5. Special restrictions on handling sensitive personal information (Article 32)

The Personal Information Protection Law does not itself spell out the special restrictions on handling sensitive personal information; instead it leaves a provision under which other rules apply. It cannot be ruled out that other relevant laws or supporting administrative regulations will impose strict restrictions in future, and this warrants attention.


Chapter 2, Section 3: Interpretation of the Special Provisions on the Handling of Personal Information by State Organs



1. Rules applicable to the handling of personal information by state organs (Article 33)

This article makes clear that the scope of the Personal Information Protection Law includes state organs.

Under the general rules, state organs must apply the general provisions of the Personal Information Protection Law when handling personal information; under the special rules, where this section makes special provision for the handling of personal information by state organs, the special provisions of this section apply.


2. Normative requirements for the handling of personal information by state organs in the performance of their statutory duties (Articles 34 and 35)

Article 34 reflects the requirement that state organs handle personal information only as necessary to perform their duties. It helps to curb the phenomenon of "abusing personal information under the guise of public power" and regulates both the substance and the procedure of state organs' handling of personal information, so as to protect citizens' legitimate rights and interests. The normative requirements of Article 34 comprise three main points: (1) handling must be based on the need to perform statutory duties, so that personal information is not collected or used arbitrarily outside those duties; (2) handling must follow the conditions and procedures prescribed by laws and administrative regulations, which means that absent the statutory conditions and procedures, a state organ may not handle personal information even within the scope of its statutory duties. For example, under the Cybersecurity Law and other laws, public security organs are empowered to conduct security supervision and inspection of how internet service providers and networked organizations fulfil the cybersecurity obligations imposed on them by laws and administrative regulations, and such inspections are very likely to involve users' personal information. Chapter 3 of the Provisions on Internet Security Supervision and Inspection by Public Security Organs is a dedicated chapter on the procedures for such inspections, and in practice public security organs must comply with those provisions when conducting security inspections that involve personal information; (3) handling must not exceed the scope and limits necessary to perform statutory duties. This is, to a degree, an expression of the principle of proportionality, although the specific scope and limits remain to be specified.

As for the specific requirement of Article 35, when state organs handle personal information in order to perform statutory duties they must fulfil the notification obligation, which to a certain extent improves the transparency of their handling of personal information. As for the exceptions, notification is not required "where any of the circumstances in Article 18, paragraph 1 of this Law applies, or where notification would impede the performance of the state organ's statutory duties". For example, where personal information is collected and used for criminal investigation, the individual need not be notified and the individual's consent need not be obtained.



3. General requirements for the storage of personal information by state organs and special requirements for providing personal information abroad (Article 36)

As a general requirement, state organs should store the personal information they handle within the territory of China; where it is genuinely necessary to provide it abroad, a security assessment must be conducted. The relevant departments that may provide support and assistance here are, as we understand it, mainly the cyberspace administration and public security departments. This article strictly follows the requirements of the Cybersecurity Law on data localization and cross-border transfer. Article 37 of the Cybersecurity Law provides: "Personal information and important data collected and generated by operators of critical information infrastructure in the course of operations within the territory of the People's Republic of China shall be stored within the territory. Where it is genuinely necessary to provide such data abroad for business needs, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration together with the relevant departments of the State Council; where laws or administrative regulations provide otherwise, those provisions apply." It can be seen that the Personal Information Protection Law brings all personal information handled by state organs within the scope of localized storage and cross-border risk assessment. Therefore, once the Personal Information Protection Law takes effect, not only operators of critical information infrastructure but also state organs must meet such requirements.


4. Comparison with the GDPR

In light of recent international calls to restrict the handling of personal information by public authorities in various countries, and drawing on the legislative experience of Article 2(3) of the GDPR and other relevant provisions on the application of the law to relevant institutions and entities, the Personal Information Protection Law devotes a dedicated section to regulating the handling of personal information by state organs. This special provision also responds to the public's concerns, raised during the epidemic, about the government's handling of personal information.

Article 33 of the Personal Information Protection Law provides that the Law applies to the handling of personal information by state organs; state organs must strictly comply with their statutory authority and procedures and must not exceed the scope and limits necessary to perform their statutory duties (Article 34); and, unless laws or regulations require confidentiality or notification would impede the performance of statutory duties, a state organ that handles personal information in the performance of its duties must notify the individual in accordance with the Law (Article 35).

Article 37 of the Personal Information Protection Law provides for the obligation of state organs to store personal information locally and, where it is genuinely necessary to provide personal information abroad, the obligation to conduct a security assessment.

