《个人信息保护法》终稿解读中英双语版（第六章）

《个人信息保护法》终稿解读中英双语版（第六章）

耀时跨境数据合规研究院

第六章 

履行个人信息保护职责的部门 解读

Chapter VI

Authorities Performing Personal Information Protection Duties

6.1

履行个人信息保护的具体行政监管部门（第60条）

Specific administrative supervision authorities performing personal information protection duties(Article 60)

《个人信息保护法》第56条明确了履行个人信息保护的具体行政监管部门。国家网信部门负责统筹协调个人信息保护工作和相关监督管理工作。国务院有关部门依照本法和有关法律、行政法规的规定，在各自职责范围内负责个人信息保护和监督管理工作。县级以上地方人民政府有关部门的个人信息保护和监督管理职责，按照国家有关规定确定。

Article 56 of the Personal Information Protection Law stipulates the specific administrative supervision authorities performing personal information protection duties. The State cyberspace authorities are responsible for the overall planning and coordination of personal information protection and related supervision and regulation. Relevant authorities under the State Council are responsible for personal information protection and the supervision and regulation thereof within their respective scope of duties according to the provisions of this Law and relevant laws and administrative regulations. The duties for personal information protection and the supervision and management thereof to be performed by relevant authorities of people’s governments at the county level or above shall be determined according to relevant State regulations. Authorities specified in the preceding two paragraphs shall be collectively referred to as authorities performing personal information protection duties.

根据本条规定，履行个人信息保护职责的部门由国家网信部门进行统筹和协调，具体落实的工作由国务院各部门在各自职责范围内进行纵向的“条块管理”，县级以上地方人民政府也按照该模式进行管理。例如，上海市各委办局根据其所负责的不同条块，负责对注册在上海的个人信息处理者进行日常管理，而上海市网信办负责对其进行协调、统筹和监督。

According to the provisions of this Article, the departments responsible for protecting personal information shall be subject to the overall planning and coordination by the national cyberspace administration department, and the specific implementation work shall be subject to the vertical management by the departments under the State Council within the scope of their respective duties, and the local people's governments at or above the county level shall also be subject to the administration under such mode. For example, all Shanghai Municipal Commissions, Offices and Bureaus are responsible for the daily administration of personal information processors registered in Shanghai according to their respective divisions and areas, while the Shanghai Municipal Cyberspace Administration Office is responsible for the coordination, overall planning and supervision of personal information processors.

6.2

履行个人信息保护职责的部门的职责（第61条）

Duties of Departments Fulfilling Duties of Protection of Personal Information(Article 61)

《个人信息保护法》第61条规定了履行个人信息保护职责的部门的工作内容和职责。

包括：

（一）开展个人信息保护宣传教育，指导、监督个人信息处理者开展个人信息保护工作；

（二）接受、处理与个人信息保护有关的投诉、举报；

（三）组织对应用程序等个人信息保护情况进行测评，并公布测评结果；

（四）调查、处理违法个人信息处理活动；

（五）法律、行政法规规定的其他职责。

明确职责可以避免由于职责不清或者职责重合对个人信息监管所带来不良影响，有利于后续个人信息保护工作的有序开展。

Article 61 of the Personal Information Protection Law provides for the contents and duties of the departments performing the duty of protecting personal information, including: 

1. conducting awareness and education activities for personal information protection, and guiding and supervising personal information handlers in conducting personal information protection;

2. accepting and handling personal information protection-related complaints and reports;

3. organizing the assessment of the protection of personal information such as applications and publishing the assessment results;

4. investigating and handling unlawful personal information handling activities; and

5. other duties as specified in laws or administrative regulations.

Clarifying duties can avoid the adverse impact on the supervision of personal information due to ambiguity or overlapping of duties, and is conducive to the orderly implementation of the subsequent work of personal information protection.

6.3

中央层面履行个人信息保护职责的部门的特殊职责（第62条）

Special Duties of Departments Performing the Duty of Protecting Personal Information at the Central Level(Article 62)

除履行第61条规定的基本职责外，《个人信息保护法》第62条规定了国家网信部门和国务院有关部门等中央层面的履行个人信息保护职责的部门的特殊职责，包括组织制定个人信息保护的相关规则和标准，推进个人信息保护社会化服务体系建设，并承担支持有关机构开展相关评估、认证服务的责任。

In addition to performing the basic duties set out in Article 61, Article 62 stipulates the special duties of the cyberspace administration of the State, relevant departments under the State Council and other departments at the central level that fulfill the duty of protecting personal information, including organizing the development of personal information protection-related rules and standards, advancing the building of a socialized service system for personal information protection, and supporting relevant institutions in conducting personal information protection assessment and certification services.

6.4

履行个人信息保护职责的部门履职时可以采取的措施（第63条）

Measures that may be taken by the departments performing the duties of protecting personal information in performing their duties(Article 63)

《个人信息保护法》第63条规定了履行个人信息保护职责的部门履行个人信息保护职责,可以采取的措施：

（一）询问有关当事人,调查与个人信息处理活动有关的情况；

（二）查阅、复制当事人与个人信息处理活动有关的合同、记录、账簿以及其他有关资料；

（三）实施现场检查，对涉嫌违法的个人信息处理活动进行调查；

（四）检查与个人信息处理活动有关的设备、物品；对有证据证明是用于违法个人信息处理活动的设备、物品，可以查封或者扣押。

此外，该条也规定了当事人的协助配合义务。履行个人信息保护职责的部门依法履行职责，当事人应当予以协助、配合，不得拒绝、阻挠。

Article 63 stipulates that authorities performing personal information protection duties may adopt the following measures when performing their personal information protection duties:

1. interviewing any relevant concerned party to investigate any circumstance related to a personal information handling activity;

2. consulting and copying any contract, record, receipt or any other relevant material of a concerned party that is related to a personal information handling activity;

3. conducting on-site inspections to investigate any suspected unlawful personal information handling activity;

4. inspecting any equipment or item related to personal information processing activities, which may be sealed up or seized if there is evidence to prove that it is used in an illegal personal information processing activities.

Any concerned party shall assist or cooperate with, and may not deny or obstruct the performance of their duties according to the law by authorities performing personal information protection duties.

明确相关部门可以采取的措施，一方面为相关部门实施的履职行为提供法律依据，使其在履职时有法可依，另一方面也有助于其履职过程中的行政相对人了解相关部门的职责范围，实现对相关部门履职行为的有效监督。

Measures that may be taken by the relevant departments are specified, which can, on the one hand, provide a legal basis for the performance of duties of the relevant departments so that they have laws to abide by in the performance of their duties, on the other hand, help the administrative counterparts in the process of their performance of duties to understand the scope of duties of the relevant departments and realize the effective supervision of the performance of duties of the relevant departments.

6.5

个人信息保护监管的约谈制度（第64条）

Regulatory Interview System for the Protection of Personal Information(Article 64)

《个人信息保护法》第64条规定，履行个人信息保护职责的部门在履行职责中，发现个人信息处理活动存在较大风险或者发生个人信息安全事件的，可以按照规定的权限和程序对该个人信息处理者的法定代表人或者主要负责人进行约谈。个人信息处理者应当按照要求采取措施，进行整改，消除隐患。

Article 64 stipulates that for any considerable risk existing in a personal information handling activity or any personal information security incident discovered by authorities performing personal information protection duties in the course of performing their duties, the authorities may, according to their powers and procedures as prescribed, conduct a talk with the legal representative or main responsible person(s) of the personal information handler concerned. The personal information handler shall adopt measures as required to rectify and eliminate any hazard discovered.

本条赋予了履行个人信息保护职责的部门存在较大风险或者发生个人信息安全事件相应的认定权。此外，对个人信息处理者的法定代表人或者主要负责人进行约谈既是一种义务，也是一种权利，通过约谈的形式可以更好的进行有效监督。由于《个人信息保护法》第54条已经要求个人信息处理者定期进行审计，因此，监管部门还可以在委托律师事务所进行审计后，根据审计结果，要求个人信息处理者进行整改并消除隐患。

This Article grants the corresponding right to identify the existence of major risks or occurrence of personal information security incidents to the departments performing duties of protecting personal information. In addition, interview with the legal representative or person in charge of a personal information processor is both an obligation and a right, which can be better supervised. Since Article 54 has required personal information processors to conduct audit on a regular basis, regulatory authorities may also require personal information processors to make rectification and eliminate hidden dangers according to the audit results after entrusting law firms to conduct audit. 

6.6

个人信息保护相关的投诉、举报机制（第65条）

Complaint and Reporting Mechanism in Connection with the Protection of Personal Information(Article 65)

《个人信息保护法》第65条规定，任何组织、个人有权对违法个人信息处理活动向履行个人信息保护职责的部门进行投诉、举报。收到投诉、举报的部门应当依法及时处理，并将处理结果告知投诉、举报人。履行个人信息保护职责的部门应当公布接受投诉、举报的联系方式。

Article 61 stipulates that any organization or individual shall have the right to file a complaint or report about any unlawful personal information handling activity with authorities performing personal information protection duties. Authorities receiving a complaint or report shall handle it promptly and according to the law, and notify the person filing the complaint or report of the handling outcome. Authorities performing personal information protection duties shall make their contact information publicly available to accept complaints and reports.

从举报主体看，无论是否具有利害关系，任何组织和个人都可以进行举报，意味着用户、非用户、竞争对手、第三方测评机构、自媒体等都可以作为举报主体，有助于推动形成本法第11条所称的“共同参与个人信息保护的良好环境”。

From the perspective of reporting subjects, no matter whether they have interests or not, any organization or individual may report, which means that users, non- users, competitors, third-party evaluation and evaluation agencies and self-media can all act as reporting subjects, which is conducive to promote the formation of “good joint participation in the protection of personal information” as specified in Article 11 hereof.

从受理部门来看，无论中央或是地方，只要是履行个人信息保护职责的部门都可以受理举报。

From the point of view of the receiving department, both central and local, as long as the department is responsible for the protection of personal information can receive reports.

从举报处理来看，收到投诉、举报的部门应当依法及时处理并将处理结果告知投诉、举报人。若相应部门未能及时处理或未能将处理结果进行告知，可能会被认定为行政违法或不作为。同时，本条亦强调履行个人信息保护职责的部门应履行行政公开义务，公开接受投诉、举报的联系方式。

In terms of the handling of reports, the department receiving the complaint or report should deal with it in a timely manner and inform the complainant or whistleblower of the result in accordance with the law. If the relevant department fails to deal with the complaint in a timely manner or fails to inform the complainant of the result, it may be considered as an administrative offence or inaction.

At the same time, this article also emphasises that the department performing the duty to protect personal information should fulfil its obligation of administrative disclosure to make their contact information publicly available to accept complaints and reports.