What is China's Personal Information Protection Law (PIPL) and how does it impact payroll and HR?

What is the PIPL?

The new China Personal Information Protection Law (PIPL) represents the first comprehensive privacy law in the nation’s history. 

The introduction of the PIPL in November 2021 has a significant impact on the way that companies who do business in China or who handle and manage Chinese residents’ personal data.

Non-compliance could result in fines of up to 5% of a company’s annual revenue (or ¥50 million or approximately USD 12 million).

How is “personal data” defined within PIPL?

Personal data under the PIPL is any kind of information related to an identified or identifiable natural person that has not been anonymised. This means any information that could identify any aspect of an individual’s personal, public or professional life.  

Examples include a person’s name, address, phone number, email address, IP address, and cultural, economic and biometric information.

What responsibilities do HR leaders face around PIPL?

Among the most important considerations for business and HR leaders related to China’s Personal Information Privacy Law is how they’re capturing, using, managing and securing their Employee Data throughout its full lifecycle. 

There are many use cases that HR professionals and leaders will need to think as they prepare for further developments related to China’s Personal Information Privacy Law including: 

  • Use of entrusted parties 
  • Handling of sensitive Personal Information 
  • Cross-border transfer of Personal Information

Other PIPL points to consider:

Update your staff and applicants with privacy notices

Under the PIPL, you have to update your staff and applicants with privacy notices that specify what is the purpose of the processing and what is the legal basis for such processing, and whether you are transferring their data out of China.

Transfer personal data out of China

HR will have to implement a lawful mechanism to transfer personal data out of China. This lawful mechanism has yet to be defined by the Chinese government.

Notify the data protection authorities in time

PI Handler, meaning persons or companies making the decision to launch data processing and overseeing the means by which personal data is processed, must notify the Data Protection Authorities in time of being made aware of a personal data breach.

Document and demonstrate compliance with the PIPL

HR is now expected to document and demonstrate compliance with the PIPL, such as being able to provide a registry of applications, processes and categories of data being processed by your organisation. 

How an outsourced HCM solution can help

Given the complexity of compliance, it is not surprising that over three quarters of HR leaders are using the PIPL, GDPR and other data privacy legislation as a driver for seeking an outsourced HCM solution. 

Why outsource? Your company may not have the technical expertise or resources to carry out the necessary requirements of the PIPL and outsourcing your HR data processing to a cloud-based HCM provider like ADP can go a long way towards reducing the burden of accountability. ADP can help our clients position themselves to meet the requirements of this demanding new age in China’s privacy protection. 

Meet the PIPL requirements with ADP’s suite of global payroll products.

We’re passionate about protecting the privacy of our clients’ and employees’ personal information at every stage – as we define, develop and refine our products and set the policies that govern how we gather and manage data every single day. Implementing Binding Corporate Rules illustrates our commitment to protect personal data in accordance with the standards required in the EU, regardless of where the European data is processed, accessed or hosted. Implementing Binding Corporate Rules illustrates our commitment to protect personal data in accordance with the standards required in China, regardless of where the Chinese data is processed, accessed or hosted.

Carlos Rodriguez, President and CEO

Recent blog articles

Articles & Insights

China’s Personal Information Protection Law (PIPL) – don’t forget about your employee personal data

Download this tool to map how you process employee information
Learn More

Articles & Insights

China PIPL vs. GDPR: Similarities and Differences Explained

China’s PIPL, Cybersecurity Law, and Data Security Law provide the overall framework governing data protection, cybersecurity and data security in China for generations to come. 

Learn More

Articles & Insights

Top questions to ask to assess your employee data strategy for China’s Personal Information Protection Law (PIPL)

Wherever you are in the world, if you do business in China and handle China residents’ data, PIPL is set to change the way you manage data governance. Learn more.

Learn More

Get Started

Let's find the perfect solution for your business.

+65 6499 5388

Your privacy is assured.