After the “strictest” personal information protection law in China took effect, companies that earn money by providing services and products, especially trustees of Chinese companies, must pay attention to the different regulation patterns in the Chinese Personal Information Protection Law compared to GDPR or other major countries in the world. This article will introduce the responsibilities of trustees.

Responsibilities of Trustees in GDPR

In GDPR, the responsibilities of the controller (who decides the purpose of personal data processing) and the processor (who processes the data according to the controller’s decision) are clearly divided, both in terms of civil and administrative responsibility (the regulations stipulate that the controller or the processor is the subject of the regulations). In principle, the controller is responsible for the damage caused when the rights of others are infringed, and only in exceptional cases does the processor need to bear the compensation liability for infringing personal data rights.

“Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”

Article 82, paragraph 2, GDPR

For example, a telecommunications company collects personal information (including address and contact information) from consumers in order to request monthly line rent and call charges (the purpose of using personal information). At this time, the telecommunications company is the controller of personal information. Because the telecommunications company is busy, it hires an account collection company to call consumers who have not paid their fees to collect the fees. At this time, the account collection company is the processor of personal information. The processor only needs to bear responsibility when it violates the controller’s instructions. As for the responsibility of the controller for collecting personal information in violation of regulations, the processor is not responsible.

The difference Personal Information Protection Law in China and GDPR

Unlike GDPR, which has a distinct binary role of “controller” and “processor,” the Personal Information Protection Law in China uses the term “personal information processor” uniformly. It is important to note that this definition of “processor” is different from the definition in GDPR. The Personal Information Protection Law in China does not clearly outline the civil and administrative responsibilities of a trustee. For example, in regulations requiring compensation for damages, it only stipulates that all personal data processors must be responsible, but it is unclear whether this includes trustees.

Where the handling of personal information infringes upon personal information rights and interests and results in harm, and personal information handlers cannot prove they are not at fault, they shall bear compensation and other take responsibility for the infringement. 
In the above clause, the responsibility to compensate for infringement shall be determined according to the resulting loss to the individual or the personal information handler’s resulting benefits. Where the loss to the individual and the personal information handler’s benefits are difficult to determine, determine compensation according to practical conditions.

Article 69 Personal Information Protection Law in China

Responsibility of the Processor in Commissioned Processing The Personal Information Protection Law in China does not clearly distinguish between the responsibilities of the controller and processor, as seen in the GDPR. Instead, it only broadly defines all personal information handlers as having responsibility. This may result in the processor having an excessive burden of responsibility. To avoid this, some Chinese scholars propose returning to the perspective of the Civil Code of China and basing it on the duty of reasonable review.

When the processor breaches the defined duties, the responsibility of the processor is determined by whether they fulfilled their duty of reasonable review. In other words, if the commissioning party today commissions an obviously illegal task, for example, to sell personal information to a fraud group, and the processor knows it is illegal but fails to fulfill their duty of reasonable review and participates in the violation of personal rights, they will also bear civil responsibility.

If the processor has fulfilled the duty of reasonable review, they can claim that they are not at fault. Even if the commissioning party’s commission is illegal, the processor does not have to bear any responsibility.


In conclusion, the commissioning company in China must pay attention to the requirements of the Chinese Personal Information Protection Law, which has a different regulatory model from GDPR or other major countries in the world. The commissioning company must also take responsibility for complying with the regulations of the Personal Information Protection Law and avoid violating the rights of individuals.

If there is anything you would like to know more about, feel free to leave a message.

Email / Line ID/ phone number /手機號碼