What is China's Personal Information Protection Law (PIPL) and how does it impact payroll and HR?

What is the PIPL?

The new China Personal Information Protection Law (PIPL) represents the first comprehensive privacy law in the nation’s history. 

The introduction of the PIPL in November 2021 has a significant impact on the way that companies who do business in China or who handle and manage Chinese residents’ personal data.

Non-compliance could result in fines of up to 5% of a company’s annual revenue (or ¥50 million or approximately USD 12 million).

How is “personal data” defined within PIPL?

Personal data under the PIPL is any kind of information related to an identified or identifiable natural person that has not been anonymised. This means any information that could identify any aspect of an individual’s personal, public or professional life.  

Examples include a person’s name, address, phone number, email address, IP address, and cultural, economic and biometric information.

What responsibilities do HR leaders face around PIPL?

Among the most important considerations for business and HR leaders related to China’s Personal Information Privacy Law is how they’re capturing, using, managing and securing their Employee Data throughout its full lifecycle. 

There are many use cases that HR professionals and leaders will need to think as they prepare for further developments related to China’s Personal Information Privacy Law including: 

  • Use of entrusted parties 
  • Handling of sensitive Personal Information 
  • Cross-border transfer of Personal Information

Other PIPL points to consider:

Update your staff and applicants with privacy notices

Under the PIPL, you have to update your staff and applicants with privacy notices that specify what is the purpose of the processing, what is the legal basis for such processing, and who is processing their personal data.

Transfer personal data out of China

HR will have to implement a lawful mechanism to transfer personal data out of China. The exact mechanisms have yet to be defined by the Chinese government.

Notify the data protection authorities in time

Personal information handlers, meaning persons or companies making the decision to launch data processing and overseeing the means by which personal data is processed, must notify the Data Protection Authorities once made aware of a personal data breach.

Document and demonstrate compliance with the PIPL

HR is now expected to document and demonstrate compliance with the PIPL, such as being able to provide a registry of applications, processes and categories of data being processed by your organisation.

How an outsourced HCM solution can help

Given the complexity of compliance, it is not surprising that over three quarters of HR leaders are using the PIPL, GDPR and other data privacy legislation as a driver for seeking an outsourced HCM solution. 

Why outsource? Your company may not have the technical expertise or resources to carry out the necessary requirements of the PIPL and outsourcing your HR data processing to a cloud-based HCM provider like ADP can go a long way towards meeting the burden of accountability. ADP has experience in successfully implementing privacy principles similar to PIPL across the globe. We have operationalised PIPL provisions within our services to help you navigate compliance challenges. ADP can help your organisation position itself to meet the requirements of this demanding new age in China’s privacy protection. 

Meet the PIPL requirements with ADP’s suite of global payroll products.

We’re passionate about protecting the privacy of our clients’ and employees’ personal information at every stage – as we define, develop and refine our products and set the policies that govern how we gather and manage data every single day. Implementing Binding Corporate Rules illustrates our commitment to protect personal data in accordance with the standards required in the EU, regardless of where the European data is processed, accessed or hosted. Implementing Binding Corporate Rules illustrates our commitment to protect personal data in accordance with the standards required in China, regardless of where the Chinese data is processed, accessed or hosted.

Carlos Rodriguez, President and CEO

Recent blog articles

Articles & Insights

China’s Personal Information Protection Law (PIPL) – don’t forget about your employee personal data

Download this tool to map how you process employee information
Learn More

Articles & Insights

China PIPL vs. GDPR: Similarities and Differences Explained

China’s PIPL, Cybersecurity Law, and Data Security Law provide the overall framework governing data protection, cybersecurity and data security in China for generations to come. 

Learn More

Articles & Insights

Top questions to ask to assess your employee data strategy for China’s Personal Information Protection Law (PIPL)

Wherever you are in the world, if you do business in China and handle China residents’ data, PIPL is set to change the way you manage data governance. Learn more.

Learn More

Get Started

Let's find the perfect solution for your business.

+65 6499 5388

Your privacy is assured.