Authors: Liu Qi / Lian Yuxiong
(This article was first published on China Business Law Journal column "Labor Law", authorised reprint)
Internal compliance investigations are now laden with legal pitfalls for companies. Any mishandling of personal employee information risks invoking the increasingly strict regulations and enforcement of the Personal Information Protection Law (PIPL).
In particular, it is common for internal investigations to involve inspecting files and information that is stored on company-issued office equipment like computers and hard drives. This makes it difficult for inspectors to avoid any contact with employees’ personal or private information, such as correspondence records of instant messaging software like WeChat and QQ, or private mailboxes.
Under the PIPL, when handling personal information, companies must abide by the “inform and consent” principle. This means informing the individual and obtaining their consent beforehand. The Civil Code further provides that no organisation or individual may handle another’s privacy information unless otherwise provided by law, or with the express consent of the rights owner.
This article offers practical advice based on the authors’ professional experience about properly handling employee personal information during internal investigations.
01
PRIOR CONSENT
The “inform and consent” principle remains the ideal standard. To this end, a company can prepare a notification of consent letter that thoroughly covers all statutory notification issues around personal information, including the purpose (e.g. internal investigation), scope and method (e.g. entrusting to third-party suppliers, sharing with affiliated companies, or cross-border transfer). The letter should be signed at the time of each employee’s induction. It is much more difficult to secure ad hoc consent after that point.
Workarounds may also be considered, if judged to be prudent, feasible and necessary. This includes conducting keyword searches on instant messaging and email records stored in office equipment in the presence of the employee who is being investigated, or asking the employee to export work-related records in front of the company and/or a third-party institution.
02
REGULATORY DESIGN
Without prior consent, a company may consider citing PIPL provisions that exempt it from the need to obtain individual consent before handling personal information.
One applicable circumstance is personal information that is “necessary for human resources management in accordance with the lawfully established labour rules and regulations, and the lawfully signed collective contracts”.
As there remains no clear definition to the scope of being “necessary for human resources management”, companies are advised to clearly state the following in their employee handbooks or relevant policies:
“Internal investigation may be conducted as part of the human resources management. The company has ownership to all information stored on office equipment, which the company has the right to monitor and inspect at any time for the purpose of internal investigation. Employees are forbidden from storing personal information in office equipment. Where personal information is stored in office equipment, any monitoring, inspection and acquisition of such information by the company shall not constitute an invasion of the employee’s privacy or personal information security.”
03
RISK CONTROL
Recent judicial practice tends to particularly protect individuals’ privacy of their personal information. Plenty of adjudicators have determined correspondence to be private when it is contained in instant messaging apps like QQ, WeChat and DingTalk, emails in personal mailboxes, and mobile phone call records.
In other words, accessing, copying or using such information may be viewed as a violation of privacy or an infringement of personal information if a company does so without the employee’s consent, even if it is stored on company-issued computers or other equipment.
Accordingly, companies should prudently handle any personal information that is obtained without prior consent to lower the risk of infringement, or of the evidence being deemed illegitimate and invalid.
The authors offer the following advice:
When it comes to obviously personal or private information falling under the above-mentioned categories, unless absolutely necessary, companies should avoid an undifferentiated, exhaustive approach to reviewing, identifying, recovering or reproducing all items.
When it comes to obviously personal or private information falling under the above-mentioned categories, unless absolutely necessary, companies should avoid an undifferentiated, exhaustive approach to reviewing, identifying, recovering or reproducing all items.

Consider the following before deciding whether to use the information:
(1)Is the information private or another type of personal information?;
(2)What is the source of the information?;
(3)Does it come from personal instant messaging records or a system explicitly for work purposes, such as the company mailbox?; and
(4)The information’s impact on the handling of the case.
To preserve evidence, companies may consider video-recording the key steps of inspecting office equipment, such as exporting data in the employee’s presence.

When it comes to transferring information across borders, companies must adopt measures such as cross-border security evaluation, certification and standard contracting, in addition to securing prior consent.
They should make a comprehensive analysis of the necessity of transferring personal information overseas. For example, if a data transfer is to facilitate a headquarters’ decision, the information could be provided in anonymous form only, avoiding individual identification but describing the activity of non-compliance. Doing so would effectively avoid triggering the security procedures, while the purpose of the information transfer remains intact.
劳动和雇佣专栏往期文章  
  1. Compliance management with employment conflicts of interest
  2. 劳动用工视角下的利益冲突合规管理和处置
  3. 劳动争议解决中程序性规则的运用
  4. 用人单位以员工被拘留为由解除劳动合同的合法性分析
  5. Terminating labour contracts on grounds of detention
  6. 竞业限制违约行为的裁判认定与调查取证
  7. 浅谈竞业限制员工报告义务争议问题
  8. 北京地区违反落户服务期协议的损失赔偿
  9. 企业如何开展人力资源合规体检?
  10. How enterprises should conduct HR compliance self-inspection
  11. 员工安置现状的360°探讨
  12. 对新冠病毒感染实施“乙类乙管”后企业用工合规问题解答
  13. 奖金发放的法律实务要点
  14. 新防疫时期的企业用工合规问题九问九答
  15. 用人单位应对新《妇女权益保障法》之合规建议
  16. 解雇违纪高管行动方案的设计与执行
  17. Effecting strategic dismissals of senior management
  18. 股权激励的设计与风险防控
  19. 企业员工舞弊风险的应对
  20. 试用期使用的一些探讨
  21. 广东省新就业形态劳动者及劳动保障权益新规
  22. Protecting the rights of ‘new form’ labourers in Guangdong
  23. 员工舞弊案件中调查访谈的规范操作
  24. Normative Investigative Interviews in Employee Fraud Cases
  25. 因客观情况发生重大变化而解雇员工的传统困局和破解方向——聚焦上海地区近年司法实践
  26. 企业员工手册的常见问题及设计建议
  27. 《证券公司建立稳健薪酬制度指引》要点解析与合规建议
  28. Interpretation of New Regulations of Securities Companies
  29. 中国企业ESG劳动用工合规问题探讨
  30. Labour-related ESG compliance in China
  31. 浅谈互联网企业裁员的风险与合规
  32. Risk and compliance in layoffs at internet companies
  33. 用人单位在虚假报销劳动争议中的举证和应对
  34. Employer’s burden of proof in false reimbursement disputes
  35. 《深圳市员工工资支付条例》修订重点条款解读
  36. 用人单位在反职场性骚扰中的合规治理
  37. Employer compliance governance in workplace
  38. 员工舞弊处理中的停职调查要点
  39. 従業員による不正行為の処理対応における停職調査のポイント
  40. Pitfalls in suspending employees amid fraud investigations
  41. Personal information protection in internal corporate probes
  42. 《个人信息保护法》对企业用工管理的影响与合规建议
  43. Impact of personal information protection law on enterprise
  44. 居家办公涉及的常见用工法律问题与解答
  45. 员工造成经济损失,企业如何主张赔偿
  46. Holding employees liable for damages in court
  47. Remedial Measures for Non-Renewal of a Fixed-Term Labor Contract
  48. 用人单位如何应对职场中的性骚扰
  49. 未及时续签劳动合同的补救措施
  50. 如何认定劳动争议案件中的高级管理人员?
  51. Identifying senior management in labour disputes
  52. 创业企业联合创始人的竞业限制操作要点
  53. How startups enforce non-competition of departing co-founders
  54. 京沪两地退休年龄问题
  55. Retirement ages in Beijing and Shanghai
  56. 舞弊员工处理的合规要点分析
  57. 不正従業員の処遇に関するコンプライアンス上のポイントに関する分析
  58. Key compliance points when disciplining employees for fraud
  59. 竞业限制启动条款的效力分析
  60. 《民法典》生效,影响劳动合同了吗
  61. 『民法典』の施行は労働契約に影響を及ぼしたか?
  62. Does Civil Code affect the labour contract ?
  63. 客观情况发生重大变化下的劳动合同解除
  64. Termination of Employment under Changes of Circumstances
  65. 简析金融机构“风险金”制度
  66. Analysis of ‘risk fund’ system of financial institutions
  67. 类案检索制度影响下的单方待岗的合规注意事项
  68. Typical cases guide compliance on unilateral furloughing
  69. “协商变更”劳动合同常见误区
  70. Misconception with changing employment contract by consultation
  71. 劳动争议案件中的证据选择和准备
  72. Selection, preparation of evidence in labour dispute cases
  73. “社保入税”的新阶段与影响
  74. 试用期的深度解析(下)
  75. 试用期的深度解析(上)
  76. Non-compete Restriction
  77. 竞业限制调查取证的“新方法”
  78. 类案检索新规对企业劳动风险管理的重要影响
  79. The New Regulations on the Similar Cases Retrieval
  80. 公司提前解散关键法律问题解答
  81. 疫情影响下企业的灵活用工和员工安置
  82. 语音课堂丨劳动法第二期:停工停产
  83. 语音课堂丨劳动法第一期:疫情影响下企业的灵活用工安排
  84. Key Employment Issues amid COVID-19
  85. 疫情防控下的企业用工合规问题解答
  86. 疫病予防制御期間における使用者のコンプライアンス上の問題に関する回答
  87. 2019年劳动法领域重点立法与政策变化回顾
  88. Review of Key Updates to Employment Laws and Policies in 2019
  89. 关于“三期”员工的问与答——从上海地区的规定和实践出发
  90. 关于“三期员工”的问与答 Q&A About “Employee Undergoing Three Periods”
  91. 全球员工股权激励指引(中国篇)
  92. Employment Issues in China M&A Deals 中国并购交易中的劳动法问题 
  93. 收集和使用员工个人信息合规问题分析(上篇)
  94. 收集和使用员工个人信息合规问题分析(下篇)
  95. Compliance Issues on Employees' Personal Information
  96. 离职员工递延奖金发放的法律风险分析
  97. 从劳动法视角看“996工作制”
  98. 董事与高级管理人员的法定竞业限制义务——用人单位救济障碍与应对策略分析
  99. Directors and Senior Management's Non-Compete Obligations
  100. 用人单位是否需要为非全日制员工缴存住房公积金
  101. 防止被收购企业股东另起炉灶,竞业禁止条款如何巧妙设置?
  102. 谈谈企业规章制度民主程序的“是与非” ——以《劳动合同法》第四条第二款的司法实践解读为视角
作者介绍
刘琦律师毕业于华东政法大学和德国法兰克福大学,分别获得法学学士和法学硕士学位,之后曾在耶鲁大学短期进修美国法。刘律师2006年获得中华人民共和国律师资格。
刘律师具有超过15年的法律从业经验,主要业务领域为劳动法和公司法。刘律师拥有丰富的涉外法律服务经验。她服务的客户覆盖石油化工、机械制造、医疗器械、食品、酒店、时装等各行各业,就规模而言,其中既有中小型外商投资企业,也包括多家世界500强跨国巨头。刘律师曾参与多家跨国公司在华企业员工遣散、安置及转移项目。刘律师同时擅长为跨国企业提供高质量的人力资源法律服务,包括起草和修订雇佣相关的法律文件,协助高管解雇谈判,以及提供人力资源合规、员工安置及遣散、员工股权激励、外国人在华就业和居留和劳动争议解决、企业全球用工合规等方面的法律服务。她严谨、负责、务实而高效的工作风格受到其欧美客户的高度评价及认可。
刘律师2019年1月加入竞天公诚之前,曾在北京斐石(上海)律师事务所担任合伙人,并曾在美国贝克·麦坚时国际律师事务所、德国百达国际律师事务所等大型国际、国内律师事务所工作十余年。刘律师多次举办劳动法研讨会,且在《German Chamber Ticker》、威科、律商等多家法律媒体发表劳动法主题的中文和英文文章。刘律师被世界知名法律媒体Who’s Who Legal评选为2020年度中国劳动法领域领先律师,并被Asian Legal Business评选为“2021 ALB China十五佳女律师”,同时入选《商法》(China Business Law Journal)公布的“The A-List法律精英2022”名册(The A-List 2022)。
刘琦律师历史文章  
  1. Compliance management with employment conflicts of interest
  2. 劳动用工视角下的利益冲突合规管理和处置
  3. 中国企业建立ESG劳动用工合规体系的实操建议
  4. How companies should establish an ESG labour compliance system
  5. 企业如何开展人力资源合规体检?
  6. How enterprises should conduct HR compliance self-inspection
  7. 用人单位应对新《妇女权益保障法》之合规建议
  8. 解雇违纪高管行动方案的设计与执行
  9. Effecting strategic dismissals of senior management
  10. 因客观情况发生重大变化而解雇员工的传统困局和破解方向——聚焦上海地区近年司法实践
  11. 中国企业ESG劳动用工合规问题探讨
  12. Labour-related ESG compliance in China
  13. 用人单位在虚假报销劳动争议中的举证和应对
  14. Employer’s burden of proof in false reimbursement disputes
  15. 用人单位在反职场性骚扰中的合规治理
  16. Employer compliance governance in workplace
  17. 《个人信息保护法》对企业用工管理的影响与合规建议
  18. Impact of personal information protection law on enterprise
  19. 居家办公涉及的常见用工法律问题与解答
  20. 用人单位如何应对职场中的性骚扰
  21. 如何认定劳动争议案件中的高级管理人员?
  22. Identifying senior management in labour disputes
  23. 京沪两地退休年龄问题
  24. Retirement ages in Beijing and Shanghai
  25. 客观情况发生重大变化下的劳动合同解除
  26. Termination of Employment under Changes of Circumstances
  27. 解雇不胜任员工的法定条件分析及实操经验分享
  28. 劳动争议案件中的证据选择和准备
  29. Selection, preparation of evidence in labour dispute cases
  30. Employee placement in early dissolution of enterprises
  31. 公司提前解散关键法律问题解答
  32. 疫情影响下企业的灵活用工和员工安置
  33. 语音课堂丨劳动法第一期:疫情影响下企业的灵活用工安排
  34. Key Employment Issues amid COVID-19
  35. 疫病予防制御期間における使用者のコンプライアンス上の問題に関する回答
  36. 疫情防控下的企业用工合规问题解答
  37. Review of Key Updates to Employment Laws and Policies in 2019
  38. 2019年劳动法领域重点立法与政策变化回顾
  39. 关于“三期员工”的问与答 Q&A About “Employee Undergoing Three Periods”
  40. 关于“三期”员工的问与答——从上海地区的规定和实践出发
  41. Employment Issues in China M&A Deals 中国并购交易中的劳动法问题
  42. Compliance Issues on Employees' Personal Information
  43. 收集和使用员工个人信息合规问题分析(下篇)
  44. 收集和使用员工个人信息合规问题分析(上篇)
  45. 从劳动法视角看“996工作制”
  46. Directors and Senior Management's Non-Compete Obligations
  47. 董事与高级管理人员的法定竞业限制义务——用人单位救济障碍与应对策略分析
连煜雄律师毕业于中南财经政法大学和厦门大学,分别获得法学学士和法学硕士学位。连律师的主要业务领域为劳动法和公司法。
连律师为包括汽车、机械制造、食品饮料和特许经营在内的各行业的客户提供法律服务。连律师曾在德国百达国际律师事务所、瑞典维格律师事务所和北京斐石(上海)律师事务所等大型国际、国内律师事务所工作超过十年以上,还曾担任麦当劳中国总部的法律顾问。
连律师擅长为各类内外资企业提供高质量的人力资源法律服务,包括日常法律咨询,法律风险评估,提供合规整体方案,审查、起草和修改劳动合同、规章制度及其他劳动法律文件,处理外国人在华就业和居留的相关事宜,企业全球用工合规,为客户及其员工提供培训服务,设计员工安置方案,提供员工股权激励、高管解雇/离职和劳动争议等方面的法律服务。
连煜雄律师历史文章  
  1. Compliance management with employment conflicts of interest
  2. 劳动用工视角下的利益冲突合规管理和处置
  3. 中国企业建立ESG劳动用工合规体系的实操建议
  4. How companies should establish an ESG labour compliance system
  5. 企业如何开展人力资源合规体检?
  6. How enterprises should conduct HR compliance self-inspection
  7. 用人单位应对新《妇女权益保障法》之合规建议
  8. 解雇违纪高管行动方案的设计与执行
  9. Effecting strategic dismissals of senior management
  10. 因客观情况发生重大变化而解雇员工的传统困局和破解方向——聚焦上海地区近年司法实践
  11. 中国企业ESG劳动用工合规问题探讨
  12. Labour-related ESG compliance in China
  13. 用人单位在虚假报销劳动争议中的举证和应对
  14. Employer’s burden of proof in false reimbursement disputes
  15. 用人单位在反职场性骚扰中的合规治理
  16. Employer compliance governance in workplace
  17. 《个人信息保护法》对企业用工管理的影响与合规建议
  18. Impact of personal information protection law on enterprise
  19. 居家办公涉及的常见用工法律问题与解答
  20. 用人单位如何应对职场中的性骚扰
  21. 如何认定劳动争议案件中的高级管理人员?
  22. Identifying senior management in labour disputes
  23. Employee placement in early dissolution of enterprises
  24. 公司提前解散关键法律问题解答
  25. 疫情影响下企业的灵活用工和员工安置
  26. Key Employment Issues amid COVID-19
  27. Review of Key Updates to Employment Laws and Policies in 2019
  28. 2019年劳动法领域重点立法与政策变化回顾
  29. 关于“三期员工”的问与答 Q&A About “Employee Undergoing Three Periods”
  30. 关于“三期”员工的问与答——从上海地区的规定和实践出发
  31. Employment Issues in China M&A Deals 中国并购交易中的劳动法问题
  32. Compliance Issues on Employees' Personal Information
  33. 收集和使用员工个人信息合规问题分析(下篇)
  34. 收集和使用员工个人信息合规问题分析(上篇)
  35. 从劳动法视角看“996工作制”
  36. Directors and Senior Management's Non-Compete Obligations
  37. 董事与高级管理人员的法定竞业限制义务——用人单位救济障碍与应对策略分析
继续阅读
阅读原文