Chapter V Obligations of Personal Information Processors

Article 51

Translation Notice

This is an unofficial English translation prepared for general informational purposes only. It does not constitute legal advice. In case of any discrepancy, the official Chinese text published by the competent authority shall prevail.

Chinese Original

第五十一条 个人信息处理者应当根据个人信息的处理目的、处理方式、个人信息的种类以及对个人权益的影响、可能存在的安全风险等,采取下列措施确保个人信息处理活动符合法律、行政法规的规定,并防止未经授权的访问以及个人信息泄露、篡改、丢失: (一)制定内部管理制度和操作规程; (二)对个人信息实行分类管理; (三)采取相应的加密、去标识化等安全技术措施; (四)合理确定个人信息处理的操作权限,并定期对从业人员进行安全教育和培训; (五)制定并组织实施个人信息安全事件应急预案; (六)法律、行政法规规定的其他措施。

English Translation

A personal information processor shall, according to the processing purpose and method, the categories of personal information, the impact on personal rights and interests, and possible security risks, take the following measures to ensure that personal information processing activities comply with laws and administrative regulations and to prevent unauthorized access, leakage, tampering, or loss of personal information:

(1) formulate internal management systems and operating procedures;
(2) implement classified management of personal information;
(3) adopt corresponding security technical measures such as encryption and de-identification;
(4) reasonably determine operating authority for personal information processing and regularly provide security education and training to personnel;
(5) formulate and organize the implementation of emergency plans for personal information security incidents; and
(6) other measures provided by laws and administrative regulations.

Plain English Note

Site explanation only. Not part of the translation.

Article 51 sets the baseline security obligation for personal information processors. It covers internal rules, classification, encryption, de-identification, access control, training, and incident response.

  • personal information
  • personal information processor
  • personal information processing activities

Related rules: Network Data Security Regulation

Related standards: GB/T 35273

Source reference: PIPL Article 51. Source authority: Cyberspace Administration of China publication; source text from the Standing Committee of the National People's Congress. Effective version: 2021-11-01 effective version. Amendment status: not amended. Last verified: 2026-05-20. Last updated: 2026-05-20. Official source.