Is it within the scope of PIA assessment for domestic companies to transmit employee information to overseas parent companies?

2023 09/06

It has been two and a half months since the implementation of the "Personal Information Exit Standard Contract Measures" and the "Personal Information Exit Standard Contract Filing Guidelines (First Edition)" in June 2023. During this period, the author received inquiries and commissions from multiple multinational corporations regarding the issuance of Personal Information Protection Impact Assessment (PIA) reports and the filing of personal information export standard contracts. The author found that there is a unique but common phenomenon in multinational enterprises, which is that overseas parent companies will dispatch personnel who establish labor relations with them (hereinafter referred to as these personnel) to work in domestic subsidiaries. In this case, domestic subsidiaries collect such personnel information based on the necessity of human resource management and transmit it to the overseas parent company. Before conducting a personal protection impact assessment, the domestic subsidiary proposed that if the overseas parent company has collected such personnel information and the domestic subsidiary provides such personnel information cross-border to the overseas parent company through the standard contract filing path, does it not need to include such personnel information in the assessment scope?


Firstly, from the perspective of the scope of application of the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the "Personal Insurance Law"), the activities of processing personal information of natural persons within the territory of the People's Republic of China shall be governed by the provisions of the "Personal Insurance Law". The Personal Protection Law stipulates the protection requirements for personal information processors throughout the entire life cycle of personal information processing, including collection, storage, use, processing, transmission, provision, disclosure, and deletion. Domestic subsidiaries that transmit personal information collected and stored domestically to overseas shall comply with the provisions of the Personal Insurance Law.


Secondly, from the perspective of cross-border provision of personal information, the Personal Security Law stipulates three paths: security assessment by the National Cyberspace Administration, personal information protection certification, and standard contract filing. If domestic subsidiaries want to transmit their collected personal information across borders, they should determine the outbound route based on their own subject nature, the quantity and type of personal information processed. Failure to transmit personal information cross-border through corresponding channels constitutes a violation of the Personal Insurance Law.


Once again, from the perspective of the impact assessment of personal information protection, the content of the impact assessment of personal information protection includes whether the processing activities are legal and compliant, the extent to which the processing activities cause damage to the legitimate rights and interests of the personal information subject, and the effectiveness of management and technical measures to protect the personal information subject. The impact assessment of personal information protection is triggered by the specific processing activities of the personal information processor. As long as there are specific processing activities, the assessment should be conducted, regardless of whether the information has been collected by the overseas parent company. The collection of such personnel information by the overseas parent company does not equate to the legal compliance of cross-border activities provided by the domestic subsidiary. The management and technical measures taken can ensure that personal information is not subject to risks such as tampering, destruction, illegal use, leakage, etc. during the transmission process.


Finally, from the perspective of the responsible party, domestic subsidiaries are domestic legal entities and should be bound by Chinese laws. If they transmit personal information collected in China cross-border without standard contract filing, they may face legal consequences such as civil tort liability, administrative liability, criminal liability, and credit punishment.


In summary, the author believes that if a domestic subsidiary transfers the information collected by the overseas parent company's dispatched employees across borders to the overseas parent company, the domestic subsidiary should include this information in the evaluation scope.