Managing Employee Personal Information in China: A Compliance Checklist
📅 28/03/2025
China has established a comprehensive legal framework for the protection of personal information, including employee data. Employers are legally required to handle employee personal information with great care throughout the entire employment lifecycle. They must comply with a range of laws and meet a variety of responsibilities and standards. The key legislation relevant to employers’ obligations regarding employee data protection in China includes the Civil Code, the Labor Contract Law, the Personal Information Protection Law (PIPL), the Cybersecurity Law and the Data Security Law.
However, managing compliance in practice can be challenging due to the complex and varied scenarios in which employers collect, process, and store employee data. Many employers have faced penalties or legal claims due to inadequate policies or failure to meet regulatory requirements. Multinational companies, especially those with a presence or employees in China, must understand the risks associated with employee data protection and the key considerations for compliance.
Common areas of risk
Handling employee personal information comes with several risks that employers need to be aware of and mitigate. Here are some notable instances where employers have breached their obligations and faced challenges.
• Inadequate security measures
An information technology and chemical company was warned and fined by the local public security bureau for failing to implement security measures, such as password protection and dedicated user accounts for Excel spreadsheets containing employee personal information. The company was found to have failed to adequately prevent information leakage and loss.
• Unauthorised use
A former employee sued a related company (Company A) of his previous employer for listing the employee's mobile phone number in the "Company Contact Number" field of Company A's annual report. The court upheld the employee's claim for cessation of infringement and an apology.
• Excessive workplace surveillance
A company installed a surveillance camera in a small meeting room used exclusively by an employee, Mr. Han, without informing him or specifying the purpose and scope of the monitoring. Mr. Han sued his employer, alleging infringement of his privacy and personal information rights. The court ruled that the company's actions exceeded the necessary limits of normal personnel management and ordered the company to cease the infringement and issue a written apology.
Useful compliance checklists
To help employers assess their compliance with data protection regulations and mitigate legal risks, this article provides a practical checklist of key compliance considerations for common employment scenarios in China.
1. Employee personal information protection policies and procedures

2. Personal information protection during recruitment and hiring

3. Personal information protection during human resources management

4. Employee personal information protection in data transfers

5. Employee personal information protection in cross-border transfers

6. Protection of personal information of former employees
Key contacts / Authors
Yuhua YANG: yuhua.yang@thornhill-legal.com
April XIAO: april.xiao@thornhill-legal.com
Rhea YU: rhea.yu@thornhill-legal.com
