Case Description

Ms. Zhang signed up for a course for her child at a training institution. During the registration process, she registered the child's name and parents' contact information. Unexpectedly, the next day, Ms. Zhang began to receive sales calls from various extracurricular training institutions. Ms. Zhang felt that her personal information had been leaked by the training institutions. Coincidentally, Mr. Li once stayed at Hotel A in a certain city five years ago due to tourism. Recently, Mr. Li received an email from the hotel, informing him that the hotel network had been hacked and that the information of the guests, including Mr. Li, had been leaked. Both Mr. Li and Ms. Zhang would like to know what preventive or remedial measures are in place to prevent or remedy the leakage of personal information.

Lawyer Analysis

In daily life, people often need to provide some personal information to the outside world. China's laws have clear regulations on the collection, storage, and use of personal information. However, the leakage of personal information still occurs from time to time. For such situations, the following preventive and remedial measures can be considered:

1、 Require personal information processors to delete personal information

Article 47 of the Personal Information Protection Law stipulates that under any of the following circumstances, the personal information processor shall actively delete personal information; If the personal information processor has not deleted it, the individual has the right to request deletion: (1) the processing purpose has been achieved, cannot be achieved, or is no longer necessary to achieve the processing purpose; （2） The personal information processor stops providing products or services, or the storage period has expired; （3） Individual withdrawal of consent; （4） Personal information processors violate laws, administrative regulations, or agreements to process personal information; （5） Other circumstances stipulated by laws and administrative regulations. "If the retention period prescribed by laws and administrative regulations has not expired, or if it is technically difficult to delete personal information, the personal information processor shall stop processing other than storing and taking necessary security measures.".

In accordance with the foregoing provisions, individuals may request the personal information processor to delete the information and confirm it under the aforementioned circumstances. For example, Mr. Li in this article can request and confirm that the other party delete the personal information he has provided after his hotel stay.

2、 Complaints and reports on non-standard personal information processing behaviors

The Personal Information Protection Law stipulates that any organization or individual has the right to complain and report illegal personal information processing activities to the department performing personal information protection responsibilities. The national network information department and the relevant departments of the local people's governments at or above the county level are the departments that perform the duties of personal information protection.

According to regulations, personal information processors who commit illegal acts will face warnings, confiscate illegal income, suspend or terminate applications that illegally process personal information, and impose fines on enterprises and relevant personnel within the enterprise; If the circumstances are serious, they will face penalties such as suspension of business, suspension of business for rectification, revocation of business license or business license.

Therefore, for example, Ms. Zhang in this article, when she discovers that her personal information has been leaked, she can promptly file a complaint and report to the Internet management department, public security, industry and commerce, and other relevant departments to handle illegal acts.

3、 Claim compensation for losses according to law

According to the Personal Information Protection Law, if the processing of personal information infringes upon the rights and interests of personal information and causes damage, and the personal information processor cannot prove that he or she is not at fault, he or she shall bear tort liability such as compensation for damages. The liability for damages is determined based on the losses suffered by the individual or the benefits obtained by the personal information processor as a result; If it is difficult to determine the losses suffered by individuals and the benefits obtained by personal information processors, the amount of compensation shall be determined based on the actual situation.

In order to protect individuals who provide information, the law stipulates that in such lawsuits, the personal information processor should bear the burden of proof to prove that they are not at fault. Otherwise, it should bear the liability for compensation. At the same time, due to the fact that it is often difficult to determine the amount of losses caused to individuals due to personal information disclosure in practice, the law also makes provisions in favor of individuals in terms of determining the amount of losses.
It should be noted that once personal information is leaked, attention should be paid to collecting and retaining evidence in a timely manner for use in complaints or lawsuits.