Under the Labour Contract Law of the People’s Republic of China (PRC), an employer could formulate its internal policies in accordance with law. If the policies involve matters which have a direct impact on employee’s immediate rights and interest like working hours, work discipline, etc., they should be discussed by the employee representative congress of all employees, and then determined by the employer after consultation with a labour union or employee representative.
Regarding confidential information, pursuant to PRC Labour Contract Law, confidentiality obligation could be agreed upon between employer and employee in the employment contract. If the employee has divulged confidential information to any third party, the employer could claim any damage incurred thereof against the employee.
According to PRC Labour Contract Law, employers are entitled to know an employee’s basic information, which directly relates to the employment contract and the employee is obligated to inform the employer of the said information truthfully.
When conducting background check, however, the practice shall not infringe employees’ privacy rights or equal employment rights, otherwise the employer could be litigated pursuant to PRC Tort Law. In addition, when collecting or using employees’ personal electronic information obtained via background check or application questions, employers shall follow the principle of lawfulness, properness, methods, and scopes for collection and use of the information. Employers must also keep in strict confidence any personal electronic information of citizens collected in their business activities. Employers shall not divulge, distort or damage such information, or sell or illegally provide the same to others.
The National People’s Congress of China (NPC) deliberated on the draft of the Data Security Law which will be finalised within the year and that the regulatory requirements relating to data security will be reflected in law in China. In the draft, the NPC imposes multiple obligations with respect to conducting Data Activities, as follows:
Organisations and individuals conducting Data Activities that fail to fulfil the data security protection obligations will be subject to correction orders, warnings or penalties ranging from RMB 10,000 to RMB 100,000, including penalties on individuals directly in charge ranging from RMB 5,000 to RMB 50,000.
In the case of refusals to rectify or of serious consequences, such as massive leaks, penalties will be charged ranging from RMB 100,000 to RMB 1 million, including on individuals directly in charge ranging from RMB 10,000 to RMB 100,000.
Data transaction agents who fail to perform relevant obligations, where such failures result in an illegal data transaction, might be subject to a correction order, confiscation of illegal gains, penalties and penalties on the individual directly in charge.