
Interpretation of the Final Text of the Personal Information Protection Law, Chinese-English Bilingual Edition (Chapter V)


耀时 (Xeon) Cross-Border Data Compliance Research Institute


Chapter V Obligations of Personal Information Handlers


5.1 Security protection obligations of personal information handlers (Article 51)

This Article provides that a personal information handler shall, based on the purpose and method of handling, the categories of personal information, the impact on individuals and the possible security risks, take the following necessary measures to ensure that its personal information handling activities comply with laws and administrative regulations and to prevent personal information from being unlawfully obtained, leaked, tampered with or lost. The specific requirements include internal management systems and operating procedures (Article 50, paragraph 1), categorized and hierarchical management (Article 50, paragraph 2), corresponding security technical measures (Article 50, paragraph 3), configuration of internal operating permissions (Article 50, paragraph 4), management of personnel (Article 50, paragraph 5), and the formulation and implementation of emergency response plans for personal information security incidents (Article 50, paragraph 6).

5.2 Designation of a person in charge of personal information protection (Article 52)

The person in charge of personal information protection under the Personal Information Protection Law differs in certain respects from the Data Protection Officer (DPO) under the GDPR. For the purposes of this Article, the Law uses the volume of personal information handled as the threshold: only personal information handlers whose handling of personal information reaches the volume prescribed by the state cyberspace authority are obliged to designate a person in charge of personal information protection.

In terms of duties, the person in charge of personal information protection supervises personal information handling activities and the protection measures taken. At the same time, the personal information handler shall disclose that person's name and contact details and report this information to the relevant supervisory authority. Personal information handlers outside China that handle the personal information of natural persons within China shall establish a dedicated agency or designate a representative responsible for personal information protection matters.

5.3 Personal information handlers outside China that handle the personal information of natural persons within China shall establish a dedicated agency or designate a representative responsible for personal information protection matters and report to the relevant regulatory authority (Article 53)

This Article clarifies the obligation of personal information handlers outside China to establish a dedicated agency or designate a representative within China to handle matters concerning personal information protection, and to report the name of the agency, or the name and contact details of the representative, to the authorities performing personal information protection duties.

Although the Article does not specify the concrete procedure and requirements for establishing such an agency or designating such a representative, nor their legal status and liability, the legislative spirit of Article 20 of the Measures for the Security Assessment of Outbound Transfers of Personal Information (Draft for Comment) indicates that establishing a "white list" system can effectively impose the necessary controls over personal information security and prevent personal information from unlawfully leaving the country in ways that cause unnecessary harm to the personal rights and interests of citizens within China.

5.4 Personal information security audit requirements for personal information handlers (Article 54)

This Article sets out the personal information security audit requirements for personal information handlers. However, it regulates these requirements only in principle, requiring personal information handlers to ensure that their handling of personal information in the course of daily operations and business activities complies with laws and regulations.

In addition, to ensure the effective performance of their duties, the Article provides that the authorities performing personal information protection duties have the right to require a personal information handler to entrust a professional institution with the audit, which helps the audit to be carried out effectively and raises its professional standard. Generally speaking, "professional institution" here includes information security evaluation agencies, law firms, accounting firms and the like.

5.5 Prior risk assessment obligations of personal information handlers (Articles 55 and 56)

These Articles set out the prior protection impact assessment obligations of personal information handlers. They specify the categories of personal information handling activities that require a prior protection impact assessment and set out the specific requirement that the protection impact assessment report and the handling records be retained for at least three years, giving personal information handlers clear direction for carrying out prior protection impact assessments.

However, the scope of assessment under these Articles is too wide and the resulting burden arguably too heavy; it is suggested that the circumstances requiring assessment be refined and limited with reference to Article 35, paragraph 3 of the GDPR.

5.6 Remedial and notification obligations of personal information handlers upon discovering a leakage of personal information (Article 57)

This Article sets out the remedial and notification obligations of a personal information handler that discovers a leakage of personal information. First, the party bearing the notification obligation is the personal information handler that identifies the leakage. Second, the Article specifies two circumstances that trigger the notification obligation: the personal information has been leaked, or the department performing personal information protection duties has requested notification. Third, in addition to the notification obligation, the personal information handler must promptly take remedial measures to prevent the damage from spreading. Fourth, the Article provides that the notification obligation may be waived where the measures taken by the personal information handler can effectively prevent the leakage from causing harm. Finally, it should be noted that the remedial measures taken must be timely and professional; where untimely or unprofessional remediation allows the leakage to spread and the loss to individuals to grow, the personal information handler may also bear the corresponding tort liability.

5.7 Personal information protection obligations of large personal information handlers (Article 58)

To strengthen the personal information protection obligations of large personal information handlers, Article 58 of the Personal Information Protection Law introduces China's version of the digital gatekeeper clause. It provides that personal information handlers that provide important Internet platform services, have a huge number of users and operate complex types of business shall bear additional personal information protection obligations, including: establishing an independent body composed mainly of external members to supervise personal information protection; formulating platform rules in accordance with the principles of openness, fairness and impartiality, and clarifying the standards for handling personal information and the personal information protection obligations of product or service providers on the platform; ceasing to provide services to product or service providers on the platform that handle personal information in serious violation of laws and administrative regulations; and regularly publishing social responsibility reports on personal information protection and accepting public supervision.

As for small personal information handlers, Article 62 of the Personal Information Protection Law explicitly provides that the state cyberspace authority shall formulate special personal information protection rules and standards for them. This provision leaves legislative room for small personal information handlers; as a next step, the state cyberspace authority can design special rules for them in areas such as reduced requirements and exemptions from liability.

5.8 Obligations of an entrusted party handling personal information (Article 59)

An "entrusted party handling personal information", acting in an auxiliary role, bears personal information security obligations within a certain scope. It shall, in accordance with this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information it handles, and shall assist the personal information handler in fulfilling the obligations prescribed by this Law.

