Introduction

China’s data protection regime is in a period of change and there has been significant progress in the field of data protection legislation in recent years.

The Civil Code, effective on 1 January 2021, expressly provides the right of privacy and personal information protection. The express protection of personal information under the Civil Code represents a new era of privacy and personal information protection.

The Personal Information Protection Law (“PIPL”) entered into effect on November 1, 2021. It is China’s first comprehensive personal information protection law, and is modeled after the European Union’s General Data Protection Regulation. The PIPL governs personal information processing activities carried out by entities or individuals within China and, once certain conditions are met, processing activities outside China.

There are two other key laws on cybersecurity and data protection, namely the Cybersecurity Law (“CSL”) (effective on June 1, 2017) and the Data Security Law (“DSL”) (effective on September 1, 2021). The CSL, the DSL, and the PIPL altogether constitute the three fundamental pieces of legislation in respect of cybersecurity and data protection in China. The relevant implementing rules are still in the process of drafting and seeking public opinion.

How do I handle the issue of background checks, including those involving sensitive personal data such as criminal records?

“Personal information” is broadly defined by the PIPL to cover various information, recorded in electronic or any other form, that is related to an identified or identifiable natural person, excluding any information that has been anonymized. Furthermore, sensitive personal information, which refers to any information that may easily result in violation to the personal dignity of any natural person or endanger personal or property safety, once it is leaked or unlawfully used, enjoys more protections under the PIPL. Personal information generally includes, without limitation, name, date of birth, ID number, address and telephone number of the natural person while sensitive personal information includes without limitation biometric identification, religious belief, particular identity, medical health information, financial accounts, and whereabouts and tracks, as well as the personal information of minors under the age of 14. Compared with processing non-sensitive personal information with informed consents, processing sensitive personal information requires separate consents from individuals. Separate consent means that the data processor shall obtain individual’s informed consent for each item of personal information rather than one-off informed consents for multiple items of personal information or multiple processing activities.

An employer, as a personal information processor, shall, before collecting personal information, inform candidates of the following truthfully, accurately and completely in a notable manner and by using explicit and easy to understand languages:

• name and contact details of processor;
• purposes and methods of processing and catalogues and storage period of personal information to be processed;
• methods and procedures through which individuals can exercise their rights granted by the PIPL; and
• other matters that are required to be informed by laws and regulations.

After being fully informed, candidates may give their explicit consents on a voluntary basis or each individual shall give his/her separate consent or written consent if laws and regulations require to do so. In the event of any change of processing purposes, processing methods or catalogues of personal information to be processed, processor is obligated to reobtain individuals’ consents. Even so, each individual has the right to withdraw consent at his/her own discretion. Withdrawal of consent would not affect the validity of personal information processing that has been completed based on individual’s consent. Processor should provide to individuals convenient ways of withdrawal.

Generally, under PRC law, background checks for candidates are permitted. It is advisable to notify each candidate of the scope of information that will be collected, the intended purposes of such collection and other required items as outlined above; it is also advisable to obtain written consent from each candidate before such data collection. If background checks will involve collection of sensitive personal information, employers should explicitly list what type of personal information will be collected in their personal information notice and consent form and collect separate consents from candidates.

Are there particular issues in checking candidates’ social media profiles?

Candidates’ social media profiles fall into the scope of sensitive personal information and, under certain circumstance, may also be protected as candidates’ privacy. Generally, obtaining consent from candidates is the prerequisite for processing his/her personal information. However, PIPL additionally provides an exemption to obtain consent if the personal information has already been disclosed by the individual. So, employers may review social media profiles, which have been disclosed by candidates themselves and can be available publicly online, without obtaining consent, and process such information within a reasonable scope. Additionally, employers should obtain candidates’ explicit consents before accessing social media profiles which are not disclosed by candidates no matter they are sensitive personal information or privacy.

Are employees entitled to lie or to omit information; if information is subsequently found to be false, what can I do?

PRC Labor Contract Law entitles employers to enquire of employees about their basic information in direct relation to their labor contracts while it obliges employees to give answers truthfully. If an employee concludes a labor contract by use of fraudulent act, which leads to that his/her employer acts against its real intention, such labor contract may be wholly or partially invalid.

A more common practice is that (i) employers may request their employees to represent and warrant in a written form the authentication, accuracy and completeness of all information they have disclosed; (ii) breach of such representation or warranty would be deemed as a serious violation of employers’ rules and policies; and (iii) employers may take disciplinary actions against employees up to immediate dismissal, subject to specifics of their rules and policies. 

Can I ask candidates about their covid19 vaccination status?

Covid-19 vaccination is not mandatory in PRC. Any resident in PRC may receive Covid-19 vaccination on voluntary basis after being fully informed. It is debatable that Covid-19 vaccination information is in direct relation to candidates’ labor contracts. Therefore, candidates or employees are not obligated to disclose their Covid-19 vaccination status. However, it does not prohibit employers from collecting such sensitive personal information after they obtain separate consents from candidates and employees.

How should I deal with the personal data of unsuccessful candidates?

Generally speaking, personal information shall be stored for a minimum period necessary for achieving the processing purposes, unless applicable laws and regulations require otherwise.

Moreover, a personal information processor should delete personal information under any of the following circumstances:

• the purposes for which personal information is processed have been achieved or cannot be achieved, or personal information is no longer necessary in relation to the purposes for which it is processed;
• personal information processor ceases services or products supply or the agreed time limit of personal information storage has expired;
• consents have been withdrawn;
• personal information processor processes personal information by violation of laws, regulations or agreements;
• other circumstances as provided by laws and regulations.

Given the above, an employer should delete personal information of unsuccessful candidates upon any of the above circumstances or retain such personal information for a period of minimum necessity as explicitly consented by candidates.

In practice, some employers would retain the personal information of unsuccessful candidates with the intention that they may provide the appropriate position and recruitment information to the unsuccessful candidates in the future. Under such circumstance, they need to obtain explicit consent from unsuccessful candidates for such retention.