Privacy policy is a document between enterprises and users regarding the basic rights and obligations of how to handle and protect user personal information, which is used to inform users about how personal information is collected, used, and shared with third parties. It is not only a constraint on enterprises, but also a basis for enterprises to prompt users to provide and dispose of personal information independently, voluntarily, and reasonably, and to distinguish between them and users’ responsibilities.
Legal basis:
Cybersecurity Law of the People’s Republic of China
Article 40: Network operators shall strictly keep confidential the user information they collect and establish a sound system for protecting user information.
Article 41: When collecting and using personal information, network operators shall follow the principles of legality, legitimacy, and necessity, publicly collect and use rules, clearly state the purpose, method, and scope of collecting and using information, and obtain the consent of the recipient.
Network operators shall not collect personal information unrelated to the services they provide, and shall not collect or use personal information in violation of the provisions of laws, administrative regulations, and the agreements between both parties. They shall handle the personal information they keep in accordance with the provisions of laws, administrative regulations, and agreements with users.
Article 42: Network operators shall not disclose, tamper with, or damage the personal information they collect; Without the consent of the recipient, personal information shall not be provided to others. However, exceptions are those that cannot identify a specific individual and cannot be restored after processing.
Network operators should take technical and other necessary measures to ensure the security of personal information they collect and prevent information leakage, damage, and loss. When personal information leakage, damage, or loss occurs or may occur, remedial measures should be taken immediately, users should be notified in a timely manner according to regulations, and relevant competent departments should be reported.
Article 43: If an individual discovers that a network operator has violated the provisions of laws, administrative regulations, or the agreement of both parties in collecting and using their personal information, they have the right to request the network operator to delete their personal information; If it is found that the personal information collected and stored by the network operator is incorrect, the operator has the right to request correction from the network operator. Network operators should take measures to delete or correct them.
Article 44: No individual or organization shall steal or obtain personal information in any other illegal way, and shall not illegally sell or provide personal information to others.
Article 45: Departments and their staff responsible for network security supervision and management in accordance with the law must strictly keep confidential personal information, privacy, and trade secrets that they come to know in the performance of their duties, and shall not disclose, sell, or illegally provide them to others.
Article 46: Any individual or organization shall be responsible for their use of the internet, and shall not establish websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited or controlled items, or other illegal and criminal activities. They shall not use the internet to publish information related to the commission of fraud, the production or sale of prohibited or controlled items, or other illegal and criminal activities.
Article 47: Network operators shall strengthen the management of information published by their users. If they discover information that is prohibited from being published or transmitted by laws or administrative regulations, they shall immediately stop transmitting the information, take measures such as elimination, prevent information diffusion, keep relevant records, and report to the relevant competent authorities.