PIPL Information Center
< All Topics

Data Sharing – Your 3rd Party Vendors

The new China PIPL is very strict on who and how you can share personal information and data. This affects everything from payroll to email marketing to product fulfillment and more.

These are about trusted persons and contracts with them, which must include:

  • Purpose – Why are you sharing data with these vendors, etc.?
  • Time Limit – What time limits are there for the processing and especially for the data, presumably including when and how they’ll delete it when finished or when the retention periods end.
  • Handling method – How will the personal data be used and processed?
  • Info categories – What categories and types of personal information are involved, such as employment data, purchase history, shipment addresses, contact details, etc.
  • Protection measures – What data protection measures are required and will be in use by your vendors?
  • Rights & Duties on both sides – What rights & duties are on both sides of the agreement, including the individual’s rights such as correction, deletion, etc. of individual data (including how you will flow individual’s requests through your vendor chains).
  • Supervision of vendors – How will you supervise and/or audit the handling activities of the vendors, as such supervision is required.
  • Limited to the agreement – Vendors, etc. must follow the contract and not handle the data in a way beyond the agreement, and when the agreement ends, etc. they must return or destroy the data.
  • Approve their subcontractors and vendors – Your partners, etc. are not allowed to further share or delegate data handling to others without your approval.

Also, note that article 23 requires you to notify your users about these secondary data handlers, including: name or personal name of the recipient, their contact method, the handling purpose, handling method, and personal information categories.

Further, you must obtain separate consent from the individual for each data sub-processor, and any change in the handling purpose or methods, consent must again be obtained.

Previous Cybersecurity Implications of PIPL
Next HR Compliance with PIPL
Table of Contents