
Interpretation of the Final Text of the Personal Information Protection Law, Chinese-English Bilingual Edition (Chapter IV)

耀时 Cross-border Data Compliance Research Institute


Chapter IV Rights of Individuals in Personal Information Handling Activities


4.1 The right to know and the right to decide (Article 44)

This article specifies the individual's right to know and right to decide. In general, the "right to know" means that the individual is entitled to know how their personal information is being handled. As for the "right to decide", judging from the wording of the article itself, it is mainly expressed as "restricting or refusing handling by others", which is more of a passive defence. As to the relationship between the two, the right to know is the prerequisite for exercising the right to decide. Specifying these two rights helps individuals better control their personal information. In addition, the article contains a proviso, "except where laws or administrative regulations provide otherwise": for example, where personal information is collected for a criminal investigation, the individual may be refused the exercise of the right to know and the right to decide for reasons such as confidentiality.

4.2 The right to access, the right to copy and the right to personal information portability (Article 45)

This article specifies the individual's right to access, right to copy and right to personal information portability. Where the Personal Information Protection Law provides that an individual enjoys the rights of access and copying and no exception applies, the personal information handler shall respond in an appropriate manner and in a timely fashion to the individual's request to access and copy their personal information, so as to ensure that those rights can be exercised. Establishing the rights of access and copying makes it easier for individuals to effectively exercise their rights to correct and delete personal information, and helps strengthen individuals' control over their personal information.


Building on the second review draft, the final text of the Personal Information Protection Law adds a third paragraph on the "right to personal information portability": "Where an individual requests that their personal information be transferred to a personal information handler designated by them, and the conditions prescribed by the national cyberspace department are met, the personal information handler shall provide a means of transfer." This means that users can freely move their personal information between platforms or websites, possibly even with a "one-click transfer", without having to download each item and then import each item one by one. The right to personal information portability therefore places high demands on the technical capabilities of the enterprises concerned.


The European Union established the "right to data portability" in the General Data Protection Regulation in 2018, and the introduction of the right to personal information portability in China's Personal Information Protection Law mainly draws on the EU's legislative practice. However, the Personal Information Protection Law only provides that a means of transfer must be provided "where the conditions prescribed by the national cyberspace department are met", leaving much unclear, including the scope of data to which the right applies and the form of data transmission. The following therefore takes the EU's experience as a reference and offers compliance guidance for personal information handlers in correctly understanding and applying this regime.


First, the circumstances in which a portability request must be answered. On the one hand, under Article 20 of the EU General Data Protection Regulation, the data subject has the right to receive the personal data concerning them which they provided to a controller in a structured, commonly used and machine-readable format, and, where the processing is based on consent or a contract, to transmit that data to another controller without hindrance. The GDPR further confines data portability to processing "carried out by automated means". Accordingly, the right to personal information portability applies only to personal information recorded in electronic form. On the other hand, under Article 13 of the Personal Information Protection Law on the legal bases for handling personal information, an employee's right to portability should strictly satisfy the constituent elements of the basis "necessary for the conclusion or performance of a contract to which the individual is a party", whereas for handling of personal information that is necessary to comply with legal obligations in the employment context, the enterprise need not respond to such a request.


Second, the scope of the object of the right to portability, namely the personal information that the individual has provided to the handler. "Provided" covers not only information the user actively supplies through their own explicit actions, but also information collected by the personal information handler. Search engine history, traffic or location information and raw data recorded by wearable devices all fall within the object of the right. Derived data that an enterprise generates by further processing the collected personal information, such as "user profiles" created by the enterprise, falls outside the scope of the right. According to the Guidelines on the right to data portability issued by the EU Article 29 Working Party (the predecessor of the European Data Protection Board), anonymous data falls outside the scope of the right, but pseudonymous data that can be clearly linked to an individual, such as an identifier the individual provided, remains within the scope of a portability request.


The definition of personal information in Article 3 of the Personal Information Protection Law differs from that in Article 1034 of the Civil Code: the Civil Code adopts the standard of being "identifiable" to a specific natural person, whereas the Personal Information Protection Law broadens the scope so that any information "relating to" an identified or identifiable natural person is personal information. Therefore, if an enterprise does not wish, for commercial reasons, to transmit a certain category of information to other third parties, it should establish a data classification and labelling management system and fully de-identify or anonymise the corresponding derived data.


Finally, the specific obligations of personal information handlers. The first concerns the format of portable personal information. The EU General Data Protection Regulation requires that personal data be provided to the data subject or a third party in a "structured, commonly used and machine-readable" format. "Structured" refers to structured data that can be stored on a computer disk; an enterprise may not provide it to users in paper form and thereby impose an unnecessary burden on them. "Commonly used" means the format must be one that can be widely used. "Machine-readable" means that software applications can easily identify and extract specific data from it. The EU does not mandate a specific format for portable personal information; the EU Guidelines on data portability recommend that, where no commonly used specific format exists in the relevant industry or sector, personal data be provided in open formats such as CSV, XML and JSON.


The second is the obligation to assist with "interoperability". The right to personal information portability does not oblige an enterprise to adopt or maintain processing systems compatible with other third-party systems. However, an enterprise that receives a user's request to transfer personal information should ensure the technical feasibility of the transmission and may not erect any unreasonable obstacle that slows or blocks transmission to other personal information handlers. Such obstacles may include charging fees for the user's request, imposing cumbersome verification requirements on the user, or providing data that cannot be used.


The third is the obligation that applies once transmission of the personal information is complete. The enterprise transmitting the personal information is not responsible for the recipient's subsequent handling, but it should ensure that the personal information is not exposed to the risk of tampering or theft while being transmitted via an API or other means. Once transmission is complete and the personal information has arrived, in the form of data, at a system controlled by the third party, the corresponding risk shifts to the recipient. An enterprise receiving personal information may not automatically retain it merely because a portability request was made; it should consider whether receiving the information is directly related to its handling purpose and does not breach the principles of lawfulness, legitimacy, necessity and good faith. It also needs to consider whether the personal information contains the personal information of other third parties. As the new personal information handler, it should ensure that it has a legal basis under Article 13 of the Personal Information Protection Law for handling that information and that third parties whose data is included in it are not adversely affected. Personal information received without any reason to retain it should be deleted.


In summary, an enterprise may not, without the user's valid consent, provide personal information to affiliated platforms on its own initiative; at the same time, it should establish a sound personal information portability assessment system and transmission channels, define a portable, commonly used and machine-readable data format, and handle users' portability requests promptly and effectively.

4.3 The right to rectification and supplementation (Article 46)

This article specifies the individual's right to rectification and right to supplementation. While establishing the right to rectification, the Personal Information Protection Law distinguishes between personal information that is inaccurate and personal information that is incomplete, and provides a right to supplementation for the latter, addressing the practical problem of users being unable to correct or complete their personal information. Where individuals discover that their personal information is inaccurate or incomplete, they may request the personal information handler to correct or complete it, and the handler shall verify the personal information and correct or complete it in a timely manner.

4.4 The right to erasure (Article 47)

This article specifies the individual's right to erasure of personal information and the personal information handler's corresponding obligation to delete, while also providing exemptions from the exercise of the right. Specifically, the article provides two routes to deletion: the individual enjoys the right to have personal information deleted once the relevant conditions are met, and at the same time the handler is obliged to delete personal information when the relevant circumstances arise. However, the handler's obligation to delete is not absolute: where deletion is technically difficult to achieve, or where the statutory retention period has not yet expired, the handler need not delete the personal information, but must cease handling it.


The "right to erasure" in this article is called the "right to be forgotten" in the GDPR, but this article is more detailed than the GDPR. In addition, whereas the GDPR frames it purely as a right of the individual, this article also makes deletion an obligation of the personal information handler.

4.5 The right to request explanation (Article 48)

This article introduces the concept of a right to explanation for the first time, specifying that individuals are entitled to require personal information handlers to explain their personal information handling rules. That is, for problems such as technical terms in the handling rules or possible divergences in understanding, the individual may request an explanation from the handler, although the specific manner in which such a request is made may be set out expressly in each Internet enterprise's own rules.

4.6 Requirements for close relatives exercising rights over the personal information of the deceased (Article 49)

To prevent close relatives from interfering excessively with the personal information of the deceased, contrary to the wishes the deceased expressed during their lifetime, the Personal Information Protection Law, building on the second review draft, places three limits on the exercise of rights by close relatives of the deceased: first, a limit on purpose, which must be the relatives' own lawful and legitimate interests; second, a limit on the type of right, as close relatives may exercise only the rights provided in Chapter IV, such as access, copying, rectification and deletion; and third, priority for the deceased's own arrangements, so that the wishes the deceased expressed during their lifetime come first.

4.7 Requirement to establish a mechanism for accepting and handling individuals' applications to exercise their rights (Article 50)

This article requires personal information handlers to establish a mechanism for accepting and handling applications, so as to safeguard individuals' exercise of their relevant rights, and requires handlers to state their reasons where they refuse an individual's request to exercise a right.


It is worth noting that this article seems to prescribe obligations of personal information handlers rather than rights of individuals, and might more appropriately be placed in Chapter V of the Personal Information Protection Law, "Obligations of Personal Information Handlers".

