Survey Answer:

1. Financial data
1.1. Collection and Processing
Banking and financial institutions shall not collect information that is not relevant to their business or collect such information in an inappropriate way, and they shall process customer financial data under the principle of "minimum necessity", and inform customers of the purpose and scope of using customer-related information.
1.2. Transfers
Banking and financial institutions shall not illegally use personal financial data, including not to do the following: sell personal financial data; or provide personal financial information to other institutions or individuals, unless with prior consent or permitted by laws and regulations.
Payment institutions shall not provide customer information to other institutions or individuals, unless otherwise provided by laws and regulations, or the customer itself has confirmed and made authorizations item by item.
Lending institutions shall notify the information subject when they have provided unfavorable personal information to a credit assessment institution, except for unfavorable information required to be made public by laws and regulations.
1.3. Security
Banking and financial institutions shall improve their technical information security measures and ensure that personal financial data is not divulged during collection, transmission, processing, storage, use, etc.
Where banking and financial institutions carry out business by way of outsourcing, they shall fully examine and evaluate the service provider's ability to protect personal financial data, and use it as an important criterion for selecting service providers.
Payment institutions shall formulate effective information protection measures and risk management mechanisms, and be responsible for maintaining the security of customer information.
Payment institutions shall prohibit merchants from storing customers’ bankcard information, such as magnetic strip or chip information, CVC, terms of validity of cards, passwords. If any merchant stores such information in violation of these rules, the payment institution will immediately suspend or terminate the merchant’s network payment service and take effective measures to delete such sensitive information.
Credit assessment institutions shall build and strictly enforce the information security measures, and take technical measures to ensure the security of information.
1.4. Retention
Credit investigation institutions shall keep the unfavorable personal information for 5 years following the occurrence of such unfavorable activity, upon the expiry of which such information is to be deleted.
1.5. Breach Notification
Banking and financial institutions are required to notify the local office of the People's Bank of China within 7 business days in the case of a leak of personal financial data. If a regulator finds that any of the banking or financial institutions under its authority has committed a violation by providing personal financial data or through any other conduct, it shall, within 7 business days as of the date of discovery, report the relevant information and the preliminary resolution opinions to the local office of the People's Bank of China.
Payment institutions are also required to report to the local branch of the PBOC in the case of material risk events.
1.6. Marketing
Banking and financial institutions may not make the client’s consent or authorization for marketing or provision of information to third parties a pre-condition for establishing a business relationship, except where such prior consent or authorization is required due to the nature of such business.
Banking and financial institutions shall not illegally use personal financial data, including the use of personal financial data for other marketing activities that is beyond the business that has generated the information.
1.7. Cross-border Data Transfers
The personal financial data collected by banking financial institutions inside China shall be stored, processed and analyzed within China. Such personal financial data shall not be provided to an offshore entity or individual, unless otherwise provided by laws and regulations, or the PBOC’s rules.
The cross-border data transfer with offshore parents or subsidiary banks is however allowed, if the offshore parent or subsidiary can maintain confidentiality.
Cross-border bankcard transactions authorized by the cardholder can be processed offshore, in which case the personal financial data collected in China will be transferred to offshore card issuers and card acquirers for processing, and these shall keep such personal financial data confidential through agreements and business protocols.
Credit investigation institutions shall sort, store and process the information collected inside China. For providing any information to foreign organizations or individuals, it shall comply with relevant laws, regulations or PBOC’s rules.
1.8. Special Provisions for Sensitive Payment Information
Commercial banks, payment institutions (non-bank payment institutions) and bankcard clearing institutions shall not store payment sensitive information (including the magnetic stripe or chip information of bankcards, CVC, terms of validity of cards, passwords of bankcards, and online payment transaction passwords etc.) that belongs to another institution. Where there is necessity to keep such sensitive information, an authorization (item by item) from the account holder and the account management institution should be obtained beforehand.
Commercial banks, payment institutions (non-bank payment institutions) shall strengthen the protection of payment sensitive information. As of 1 December 2016, all commercial banks and payment institutions are required to implement tokenization technology to mask the data such as bankcard number, CVC, payment institution account.
2. Healthcare data
2.1. Collection and Processing
Relevant institutions shall collect the minimum amount of information necessary when collecting healthcare data.
2.2. Transfer
Healthcare data cannot be publicly disclosed if it relates to confidential information or personal privacy.
2.3. Security
Relevant institutions shall, in accordance with the requirements of State information security level protection requirements, build relevant security systems and formulate security management systems, operating procedures and technical specifications, to protect healthcare data.
Relevant institutions shall establish a management system to track usage records, such that whenever any user creates, revises or accesses healthcare data, the user is subject to strict real-name verification and authorization control, and all user behavior is manageable, controllable and traceable.
2.4. Retention
Healthcare data cannot be stored on offshore servers and the relevant institutions shall not host or rent offshore servers.

Provided By:
David Tang, Han Kun Law Offices