Article 1 These Provisions are formulated in accordance with the Decision of the Standing Committee of the National People's Congress on Strengthening the Protection of Network Information, the Regulations of People's Republic of China (PRC) Telecom and the Measures for the Administration of Internet Information Services in order to protect the legitimate rights and interests of telecommunications and Internet users and maintain the security of network information.

Article 2 These Provisions shall apply to the collection and use of users' personal information during the provision of telecommunication services and Internet information services in People's Republic of China (PRC).

Article 3 The Ministry of Industry and Information Technology and the communications administrations of all provinces, autonomous regions and municipalities directly under the Central Government (hereinafter referred to as telecommunications administrations) shall supervise and administer the protection of personal information of telecommunications and Internet users according to law.

Article 4 The user's personal information mentioned in these Provisions refers to the user's name, date of birth, ID number, address, telephone number, account number, password, and the time and place when the user uses the service, which are collected by telecom operators and Internet information service providers in the process of providing services.

Article 5 Telecom operators and Internet information service providers shall follow the principles of legality, fairness and necessity when collecting and using users' personal information in the process of providing services.

Article 6 Telecom operators and Internet information service providers shall be responsible for the security of users' personal information collected and used in the process of providing services.

Article 7 The State encourages the telecommunications and Internet industries to carry out self-discipline in the protection of users' personal information.

Chapter II Information Collection and Use Norms

Article 8 Telecom operators and Internet information service providers shall formulate rules for the collection and use of users' personal information and publish them on their business or service sites and websites.

Article 9 Without the consent of users, telecom operators and Internet information service providers shall not collect or use users' personal information.

When collecting and using users' personal information, telecom operators and Internet information service providers should clearly inform users of the purpose, method and scope of collecting and using information, the channels for inquiring and correcting information and the consequences of refusing to provide information.

Telecom business operators and Internet information service providers shall not collect personal information of users other than those necessary for providing services or use the information for purposes other than providing services, and shall not collect or use information by cheating, misleading, coercing or violating laws, administrative regulations and the agreement of both parties.

Telecom operators and Internet information service providers shall stop collecting and using users' personal information after users stop using telecom services or Internet information services, and provide users with the service of canceling numbers or accounts.

Where there are other provisions in laws and administrative regulations on the circumstances specified in the first to fourth paragraphs of this article, those provisions shall prevail.

Article 10 Telecom operators, Internet information service providers and their staff shall keep the personal information of users collected and used in the course of providing services strictly confidential, and shall not disclose, tamper with or damage it, and shall not sell or illegally provide it to others.

Article 11 Telecom operators and Internet information service providers who entrust others to act as agents for marketing, technical services and other directly user-oriented services, which involve the collection and use of users' personal information, shall supervise and manage the protection of users' personal information by agents, and shall not entrust agents who do not meet the requirements for the protection of users' personal information in these Provisions to act as agents for related services.

Article 12 Telecom operators and Internet information service providers shall establish a user complaint handling mechanism, publish effective contact information, accept complaints concerning the protection of users' personal information, and reply to the complainant within 15 days from the date of receiving the complaint.

Chapter III Safety Measures

Thirteenth telecom operators and Internet information service providers should take the following measures to prevent users' personal information from being leaked, damaged, tampered with or lost:

(a) to determine the responsibilities of users' personal information security management in all departments, posts and branches;

(2) Establishing the workflow and safety management system for the collection, use and related activities of users' personal information;

(three) the implementation of authority management of staff and agents, review the batch export, copy and destruction of information, and take measures to prevent leakage;

(four) properly keep the paper media, optical media, electromagnetic media and other carriers that record the personal information of users, and take corresponding safety storage measures;

(five) the implementation of access review of information systems that store users' personal information, and take anti-intrusion and anti-virus measures;

(six) record the information such as the personnel, time, place and matters that operate the personal information of users;

(seven) to carry out the security protection of communication networks in accordance with the provisions of the telecommunications regulatory agencies;

(eight) other necessary measures stipulated by the telecommunications regulatory agencies.

Article 14 If the personal information of users kept by telecom operators and Internet information service providers is or may be leaked, damaged or lost, they shall immediately take remedial measures; If it causes or may cause serious consequences, it shall immediately report to the telecommunications regulatory agency that granted the license or put on record, and cooperate with the investigation and handling of relevant departments.

The telecommunications regulatory agency shall make an impact assessment on the reported or discovered acts that may violate these provisions; If the impact is particularly significant, the communications administrations of the relevant provinces, autonomous regions and municipalities directly under the Central Government shall report to the Ministry of Industry and Information Technology. Before making a decision in accordance with these Provisions, the telecommunications regulatory agency may require the telecommunications business operators and Internet information service providers to suspend relevant acts, and the telecommunications business operators and Internet information service providers shall implement them.

Fifteenth telecom operators and Internet information service providers shall train their staff in the knowledge, skills and safety responsibilities related to the protection of users' personal information.

Article 16 Telecom operators and Internet information service providers shall carry out self-inspection on the protection of users' personal information at least once a year, record the self-inspection situation, and promptly eliminate the security risks found in the self-inspection.

Chapter IV Supervision and Inspection

Article 17 Telecommunication management institutions shall supervise and inspect the protection of users' personal information by telecommunication operators and Internet information service providers.

When conducting supervision and inspection, the telecommunications regulatory agency may require telecommunications operators and Internet information service providers to provide relevant materials and enter their production and business premises to investigate the situation, and the telecommunications operators and Internet information service providers shall cooperate.

When conducting supervision and inspection, the telecommunications regulatory agency shall record the supervision and inspection, and shall not interfere with the normal operation or service activities of telecommunications business operators and Internet information service providers, and shall not charge any fees.

Article 18 Telecommunications regulatory agencies and their staff shall keep confidential the personal information of users they know in performing their duties, and shall not disclose, tamper with, damage, sell or illegally provide it to others.

Nineteenth telecommunications regulatory agencies to implement the telecommunications business license and annual inspection of business license, it should review the protection of users' personal information.

Twentieth telecommunications management institutions should record the acts of telecom operators and Internet information service providers in violation of these provisions in their social credit files and announce them to the public.

Twenty-first telecommunications and Internet industry associations are encouraged to formulate a self-discipline management system for users' personal information protection according to law, guide members to strengthen self-discipline management, and improve the level of users' personal information protection.

Chapter V Legal Liability

Twenty-second telecom operators and Internet information service providers who violate the provisions of Article 8 and Article 12 of these Provisions shall be ordered by the telecommunications regulatory agency to make corrections within a time limit, given a warning and may be fined 1 10,000 yuan.

Article 23 If a telecom operator or Internet information service provider violates the provisions of Articles 9 to 11, Article 13 to 16, and Article 17, paragraph 2 of these Provisions, the telecommunications regulatory agency shall, according to its functions and powers, order it to make corrections within a time limit, give it a warning, and may concurrently impose a fine ranging from 1 10,000 yuan to 30,000 yuan, and make an announcement to the public; If a crime is constituted, criminal responsibility shall be investigated according to law.

Twenty-fourth telecom managers in the process of supervision and management of user personal information protection, dereliction of duty, abuse of power, corruption, shall be dealt with according to law; If a crime is constituted, criminal responsibility shall be investigated according to law.

Chapter VI Supplementary Provisions

Article 25 These Provisions shall come into force on September 1 day, 2065.