Protect Yourself: Interpretation of Article 21 of the Personal Information Protection Law

Author: Fa Yi said

Article 21: Where personal information handlers entrust the handling of personal information, they shall agree with the entrusted person on the purpose, time period, methods of handling, types of personal information, protective measures, and the rights and obligations of both parties, and conduct oversight of the entrusted person's personal information handling activities.

  The entrusted person shall handle personal information in accordance with the agreement, and must not process personal information beyond the agreed purpose and method; where the entrustment contract is not effective, invalid, revoked, or terminated, the entrusted person shall return the personal information to the personal information handler or delete it, and must not retain it.

  Without the consent of the personal information processor, the entrusted person must not entrust others to handle personal information.

  [Purpose of the article]

  This article governs the entrusted handling of personal information.

  [Understanding of the article]

  1. The meaning of entrusted processing of personal information

  Entrusted processing of personal information means that a personal information processor entrusts another organization or individual with the handling of personal information, and the two parties enter into an entrustment contract: one is the entrusting party (the principal), the other is the entrusted party (the trustee), and the trustee processes personal information for the principal. The principal may entrust the trustee with only certain processing activities (e.g., merely storage or processing) for certain types of personal information, or with multiple processing activities (e.g., storage, processing, analysis, etc.) for certain types of personal information.

  In entrusted processing, the trustee only processes personal information on behalf of the principal. The purpose and method of processing are determined independently by the principal, and the trustee processes the personal information only in accordance with the purpose and method the principal has decided, as provided in the entrustment contract. Therefore, although the trustee is objectively carrying out personal information processing activities, it is not a "personal information processor" under the PIPL. In other words, although there is no distinction between data controllers and data processors in civil law as in EU legislation, in the case of entrusted processing of personal information the principal, as the personal information processor, is equivalent to the data controller, and the trustee is equivalent to the data processor. To this end, Article 59 of the PIPL specifically stipulates the obligations of a party entrusted with the processing of personal information, so as to distinguish it from the principal, who is the personal information processor.

  In order to better protect rights and interests in personal information, Article 21 of the Personal Information Protection Law regulates the entrusted processing of personal information. First, it specifies the matters that a personal information processor must agree on when entrusting others to process personal information, that is, the necessary clauses of the entrustment contract. Second, it makes clear that the principal has an obligation to supervise the trustee's personal information processing activities. Third, it provides that the trustee must not violate the entrustment contract by exceeding the agreed processing purpose and method, and must not entrust the handling of personal information to others without authorization. Finally, where the entrustment contract is not effective, invalid, revoked, or terminated, the trustee is obliged to return or delete the personal information.

  2. Entrustment contracts for the handling of personal information

  (1) The processor shall enter into an entrustment contract with the entrusted party

  The general terms of the entrustment contract are governed by the provisions of the Civil Code on entrustment contracts (Articles 921, 928 and 930).

  The general terms of the entrustment contract shall be based on Paragraph 1 of Article 21 of the Personal Information Protection Law, which provides that where a personal information processor entrusts the processing of personal information, it shall agree with the trustee on the purpose, period, method of processing, type of personal information, protective measures, and the rights and obligations of both parties. This means that an entrustment contract must be concluded between the principal and the trustee; this is mandatory. This paragraph sets out the terms unique to entrustment contracts concluded for the processing of personal information.

  (2) The form of the entrustment contract

  It is a non-type contract.

  3. Obligations of the principal and the trustee

  (1) The principal's obligation to supervise

  According to Paragraph 1 of Article 21 of the Personal Information Protection Law, the principal shall supervise the trustee's personal information processing activities. In other words, the principal must not only reach an agreement with the trustee, but also fulfill the obligation of supervision. The first sentence of Article 40 of the Data Security Law also stipulates that "when a state organ entrusts others to build and maintain an e-government system and store and process government affairs data, it shall go through strict approval procedures, and shall supervise the entrusted party to perform the corresponding data security protection obligations." The Personal Information Protection Law and the Data Security Law do not stipulate the specific content of the principal's supervision obligations, and the corresponding laws, regulations or rules need to be refined in the future.

  (2) Trustees must not handle personal information in violation of agreements

  Article 922 of the Civil Code of the People's Republic of China stipulates that the trustee shall handle the entrusted affairs in accordance with the instructions of the principal, and that where it is necessary to change the principal's instructions, the principal's consent shall be obtained. Paragraph 2 of Article 21 of the PIPL stipulates that the trustee shall process personal information in accordance with the agreement, and shall not process personal information beyond the agreed processing purpose and method. Article 40 of the Data Security Law stipulates that the entrusted party shall perform data security protection obligations in accordance with the provisions of laws, regulations and contracts, and shall not retain, use, disclose or provide government affairs data to others without authorization. If the trustee fails to process personal information in accordance with the agreement, for example by processing it contrary to the purpose agreed in the entrustment contract or in a manner other than the one agreed, the trustee's processing is illegal processing of personal information, and the trustee shall bear administrative liability and even criminal liability in accordance with law. If the infringement of personal information rights and interests causes harm, the trustee must also bear civil liability in accordance with law. At the same time, since the trustee's violation of the entrustment contract also constitutes a breach of contract against the principal, the trustee is liable to the principal for breach of contract.

  (3) The trustee must not sub-entrust without the consent of the personal information handler

  The entrustment contract is a civil legal relationship in which the trustee is entrusted with handling matters on the basis of the principal's trust in the trustee. The trustee has the obligation to handle the entrusted affairs in person, and may not arbitrarily delegate them to others. Article 923 of the Civil Code stipulates that "the trustee shall personally handle the entrusted affairs. With the consent of the principal, the trustee may sub-entrust. If the sub-entrustment is consented to or recognized, the principal may directly instruct the third party to whom the matter is sub-entrusted, and the trustee shall only be liable for the selection of the third party and its instructions to the third party. If the sub-entrustment is not consented to or recognized, the trustee shall bear responsibility for the acts of the sub-entrusted third party, except where, in an emergency, the trustee needs to sub-entrust a third party in order to protect the interests of the principal." In the entrusted processing of personal information, in principle, the trustee cannot sub-entrust without the consent of the principal. First, this practice is contrary to the will of the principal and harms the principal's legitimate rights and interests; second, it is not conducive to protecting rights and interests in personal information, and increases the risk of personal information being leaked or illegally used.

  4. Obligation to return or delete personal information

  Article 157 of the Civil Code stipulates: "After a civil juristic act is invalid, revoked or determined to be ineffective, the property acquired by the actor as a result of the act shall be returned; where it cannot be returned or there is no need to return it, compensation shall be made at a discounted price. The party at fault shall compensate the other party for the losses suffered thereby; where all parties are at fault, they shall each bear corresponding responsibility. Where the law provides otherwise, follow those provisions." In order to effectively protect rights and interests in personal information, Paragraph 2 of Article 21 of the Personal Information Protection Law stipulates that if the entrustment contract is not effective, invalid, revoked or terminated, the entrusted party shall return the personal information to the personal information processor or delete it, and shall not retain it.
