Commercial banks and the protection of personal information

PProtecting customers’ personal information is one of the most fundamental principles of banks and other financial institutions. With the successive enactment of the Civil Code, the Data Security Act and the introduction of the Personal Information Protection Act (PIPL), the scope, principle and legal consequences of the protection of personal information have been further clarified.

While commercial banks enjoy certain inherent advantages of collecting massive amounts of personal information from customers, the use, storage and public disclosure of this information have come under scrutiny from regulators during the assessment. banks’ performance of their data protection obligations. These obligations also represent potential risks of civil, administrative and even criminal liability for commercial banks.


Personal information is divided by law into two categories: general personal information applicable at all levels and personal financial information specific to the financial sector. Article 1034 of the Civil Code gives the definition of personal information. Personal financial information, on the other hand, includes account information, identification information, financial transactions, personal identification, property information, borrowings and loans and other information reflecting the financial situation of subjects, in accordance with the Technical Specification on the Protection of Personal Financial Information, an annex to the People’s Bank of China Notice on the Publication of a Financial Industry Standard and Effective Information Protection Technology Management personal finances.

Yao Xiaomin
Lantai Partners

Regarding the basic principles used by commercial banks to handle personal information, a new article has been added to the Commercial Banking Laws to deal with “protection of personal information and data security”, which states that When collecting, storing and using personal information, commercial banks must abide by laws and administrative regulations and follow the principle of what is “lawful, legitimate and necessary”. They must also obtain personal consent and explicitly state the purpose, method and extent of the collection, storage and use of this information.

The principle of necessity requires that there is an explicit and rational purpose for the processing of personal information. Only the minimum amount of information necessary to achieve the designated purpose should be collected, and it should be processed in a manner that has the least impact on the subject’s personal interests. Commercial banks may not process any personal information unrelated to the stated purpose, nor collect personal information unrelated to their business operations.

With regard to obtaining personal consent, commercial banks should note that personal consent must be given voluntarily and explicitly by knowledgeable subjects:

  • Where required by law or administrative regulation, separate or written consent must be sought for the processing of certain information;
  • If the purpose, method or scope of personal information processing changes, banks must re-obtain personal consent; and
  • When processing the personal information of minors under the age of 14, consent must be given by their parents or other guardians.

Consent to the processing of personal information may be withdrawn after it has been given. Controllers of personal information should put in place a system where that consent can be withdrawn with relative ease. However, this will not affect the validity of the processing of personal information prior to withdrawal.


Administrative responsibility

Administrative penalties for banks related to the protection of personal information often involve their unlawful investigations, the disclosure or exchange of customer information, or insufficient security management. Administrative penalties for commercial banks illegally providing or selling personal information, or negligently disclosing such information, include a compliance audit, corrections, and fines. These are defined by law, including the Anti-Money Laundering Act, Resident Identity Cards Act, PIPL, Credit Investigation Industry Administration Regulations, Enforcement Measures work of the People’s Bank of China for the protection of the rights of financial consumers. and Interests.

Public liability

Articles 1182 and 1183 of the Civil Code provide that if the breach of a natural person’s personal information causes material damage, compensation will be paid based on the damage suffered. If it causes severe mental distress, the victim will be entitled to compensation for any pain and suffering. In addition to compensation, the victim can also request a formal apology from the bank and the restoration of personal information, as well as other civil liabilities under Article 179 of the Civil Code.

Wang Yao
Lantai Partners

In addition, the PIPL has defined rules of presumption of fault and joint and several liability in the processing of personal information. In other words, processors of personal information unable to prove their innocence must bear compensation and other responsibilities for infringement. When two or more personal information processors are involved in a breach, they must bear joint and several liability.

Criminal responsibility

Under Section 253 of the Criminal Law (2017 Amendment), a violation of a citizen’s personal information, such as illegally selling or providing a citizen’s personal information, is a criminal offence. Violators may be subject to a fine or imprisonment for up to three years or imprisonment in addition to a fine in serious cases; or imprisonment for five to seven years plus a fine in particularly serious cases. Unlawfully selling or providing a citizen’s personal information obtained in the course of performing their duties or providing services will result in stiffer penalties.

In this context, personal information refers to various types of electronically or otherwise recorded information that, individually or when combined with other information, could identify a specific natural person or reflect the activities of a specific natural person. . These include, but are not limited to, name, ID number, contact information, address, account and password, asset status and location.

Yao Xiaomin is Partner and Wang Yao is Partner at Lantai Partners

Lantai Partners
29th Floor, Tower B, Disanzhiye Mansion
A1 Shuguang Xili, Chaoyang County
Beijing 100028, China
Tel: +86 10 5228 7777
Fax: +86 10 5822 0039

[email protected]
[email protected]

Comments are closed.