Commercial banks and protection of personal information

Protecting the personal information of customers is one of the most basic obligations of banks and other financial institutions. With the successive promulgation of the Civil Code, the Data Security Act and the Personal Information Protection Act (PIPL), the scope, principles and legal consequences of personal information protection have been further clarified.

While commercial banks enjoy certain advantages inherent in collecting huge amounts of personal information from customers, the use, storage and public disclosure of this information are heavily scrutinized by regulators when they assess how banks perform their data protection obligations. Those obligations also expose commercial banks to potential civil, administrative and even criminal liability.


Personal information is divided by law into two categories: general personal information, which applies across all sectors, and personal financial information, which is specific to the financial sector. Article 1034 of the Civil Code gives the definition of personal information. Personal financial information, on the other hand, includes account information, identifying information, financial transaction information, personal identification, property information, borrowing and lending information, and other information reflecting the financial situation of the subject, according to the Technical Specification on Personal Financial Information Protection, an annex to the notice of the People’s Bank of China on the issuance of a financial sector standard and the effective technological management of personal financial information protection.

Yao Xiaomin
Lantai Partners

Regarding the basic principles that commercial banks must follow when processing personal information, a new article on “protection of personal information and data security” has been added to the Commercial Banking Law. It states that when collecting, storing and using personal information, commercial banks must abide by laws and administrative regulations and follow the principle of what is “lawful, legitimate and necessary”. They must also obtain personal consent and explicitly state the purpose, method and extent of the collection, storage and use of this information.

The principle of necessity requires that there be an explicit and rational purpose for the processing of personal information. Only the minimum amount of information necessary to achieve the designated goal should be collected, and it should be handled in the way that has the least impact on the subject’s personal interests. Commercial banks may not process any personal information unrelated to the stated purpose, nor collect any personal information unrelated to their business operations.

In terms of obtaining personal consent, commercial banks should note that consent must be given voluntarily and explicitly by fully informed subjects:

  • Where required by laws or administrative regulations, separate or written consent should be requested for the processing of certain information;
  • In the event of a change in the purpose, method or scope of processing personal information, banks must re-obtain personal consent; and
  • When processing the personal information of minors under the age of 14, consent must be given by their parents or other guardians.

Consent to the processing of personal information may be withdrawn after it has been given. Personal information processors should establish a system in which such consent can be withdrawn with relative ease. However, this will not affect the validity of the processing of personal information prior to withdrawal.


Administrative liability. Administrative penalties imposed on banks in relation to the protection of personal information often involve unlawful inquiries into, disclosure of or sharing of customer information, or insufficient security management. Administrative penalties for commercial banks that illegally provide or sell personal information, or disclose such information negligently, include a compliance audit, orders to rectify, and fines. These are spelled out in law, including the Anti-Money Laundering Law, the Resident Identity Cards Law, the PIPL, the Credit Investigation Sector Administration Regulation, and the Implementation Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests.

Civil liability. Articles 1182 and 1183 of the Civil Code provide that if an infringement of the personal information of a natural person causes material damage, compensation is payable according to the damage suffered. If the infringement causes severe mental distress, the victim is also entitled to compensation for pain and suffering. In addition to compensation, the victim can request a formal apology from the bank and restoration of the personal information, as well as other civil remedies under Article 179 of the Civil Code.

Wang Yao
Lantai Partners

In addition, the PIPL has established rules of presumption of fault and joint and several liability for the processing of personal information. In other words, a personal information processor that cannot prove it was not at fault must bear compensation and other liability for the infringement. When two or more personal information processors are involved in a breach, they bear joint and several liability.

Criminal liability. Under Article 253 of the Criminal Code (2017 amendment), infringing a citizen’s personal information, such as by illegally selling or providing it, is a criminal offence. In serious cases, offenders face up to three years’ imprisonment or criminal detention, together with or solely a fine; in particularly serious cases, imprisonment of five to seven years plus a fine. Selling or illegally providing a citizen’s personal information obtained in the course of performing duties or providing services attracts heavier penalties.

Personal information in this context refers to information of any kind recorded electronically or otherwise which, alone or in combination with other information, can identify a specific natural person or reflect that person’s activities. This includes, without limitation, name, identification number, contact details, address, account and password, asset status and location.

Yao Xiaomin is a partner and Wang Yao is a partner at Lantai Partners

Lantai Partners
29th Floor, Tower B, Disanzhiye Mansion
A1 Shuguang Xili, Chaoyang District
Beijing 100028, China
Phone: +86 10 5228 7777
Fax: +86 10 5822 0039
