2023-08-09
Ten-Million-Yuan Penalties: Legal Risk Warnings for Personal Information Protection at Commercial Banks and Preventive Measures (Ye Ping, Mao Yuyang)
【Abstract】: The protection of personal information at commercial banks has long drawn public attention. The enactment of the Personal Information Protection Law places higher management and service requirements on commercial banks, which hold vast amounts of customers' personal information. Regulators have repeatedly issued large fines to commercial banks, confirming the strength and resolve of strict supervision. As personal information processors, commercial banks today have incomplete internal rules and have not fully implemented "informed consent"; in this situation, building a personal information data asset database, improving rule-based management and implementing self-certification of compliance are of great significance for preventing legal risk related to personal information.
【Keywords】: personal information protection; commercial banks; informed consent; data asset database; self-certification of compliance
In January 2022, the Shanghai Branch of the People's Bank of China and the Hangzhou Central Sub-branch of the People's Bank of China issued ten-million-yuan-level penalties of 16.74 million yuan and 22.365 million yuan respectively (see Table 1). The administrative penalty disclosure forms list the types of violation as: violating rules on the collection, provision and querying of credit information, and failing to perform suspicious transaction reporting obligations as required. From an industry perspective, these penalty types are closely tied to personal information protection, anti-money laundering and data governance. On this basis, this article reviews the development of personal information protection, the current state of personal information protection at commercial banks and its legal risks, and proposes preventive measures for commercial banks.
Table 1: Administrative penalty disclosure forms

| No. | Party | Penalty decision no. | Type of violation | Penalty | Issuing authority | Date of decision |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Bank of East Asia (China) Limited | 上海银罚字〔2022〕3号 | Violation of rules on the collection, provision and querying of credit information and related management provisions. | Fine of RMB 16.74 million; ordered to rectify within a time limit. | People's Bank of China Shanghai Branch | 6 January 2022 |
| 2 | Zhejiang MYbank Co., Ltd. | 杭银处罚字〔2022〕3号 | 1. Violation of financial statistics management rules. 2. (1) Violation of account management rules; (2) violation of clearing management rules. 3. Violation of credit reporting management rules. 4. (1) Failure to perform customer identification obligations as required; (2) failure to retain customer identity data and transaction records as required; (3) failure to perform suspicious transaction reporting obligations as required; (4) transacting with customers of unknown identity. | Warning and a fine of RMB 22.365 million. | People's Bank of China Hangzhou Central Sub-branch | 29 January 2022 |
1. Development of personal information protection in Europe and China
In the field of personal information protection, the EU has long led other regions and countries [1]. On 28 January 1981, against a backdrop of increasingly frequent cross-border flows of automatically processed personal data, the member states of the Council of Europe signed Convention No. 108, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, in Strasbourg; it was the first legally binding international instrument on data protection anywhere in the world. In 1995 the EU issued the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In 2018 the Council of the European Union adopted the General Data Protection Regulation (GDPR), the most significant change to data privacy rules in twenty years; its promulgation shows that the EU has reached its strictest standard yet for personal information protection and supervision. The legislators sought to give effect to the EU's principles of data privacy and algorithmic fairness and set a standard of valid consent before information is processed [2]; penalties for violations can reach EUR 20 million or 4% of annual global turnover, whichever is higher. The GDPR applies not only to companies headquartered in the EU but to every organisation that collects data from EU citizens, so regions and countries with trade relations with the EU are all affected to a greater or lesser degree.
Before the Personal Information Protection Law of the People's Republic of China (the "Personal Information Protection Law") was promulgated, the laws and regulations under which commercial banks protect personal information already had a fairly complete history. In 1992 the State Council issued the Regulations on the Administration of Savings, which provide that "savings institutions have a duty of confidentiality to depositors when handling savings business", placing a confidentiality duty on commercial banks. In 1995 the Standing Committee of the National People's Congress enacted the Commercial Bank Law of the People's Republic of China, which provides at the statutory level that "a commercial bank handling personal savings deposit business shall keep depositors' information confidential". The Interim Measures for the Administration of the Personal Credit Information Basic Database, issued in 2005, regulated the collection, processing, retention, querying, dispute handling, user management and security management of personal credit data, required commercial banks to put the data subject's right to know first when obtaining personal credit information, and began to establish commercial banks' duty to "inform". The Criminal Law Amendment (VII) of 2009 and the Criminal Law Amendment (IX) of 2015 both made clear that infringing citizens' personal information constitutes a criminal offence, strengthening punishment on the criminal liability side. In 2011 and 2012 the People's Bank of China issued, respectively, the Notice on Banking Financial Institutions Doing a Good Job in Protecting Personal Financial Information (Yinfa [2011] No. 17) and the Notice on Financial Institutions Further Improving the Protection of Customers' Personal Financial Information (Yinfa [2012] No. 80). Later instruments, including the Resident Identity Card Law, the Decision on Strengthening the Protection of Network Information, the Guidelines on Protecting the Rights and Interests of Banking Consumers, the Implementation Measures of the People's Bank of China for Protecting the Rights and Interests of Financial Consumers, the Cybersecurity Law and the Guidelines on Data Governance of Banking Financial Institutions, all guide and supervise commercial banks' protection of personal information. On 1 January 2021 the Civil Code of the People's Republic of China came into force, setting out the principles and position on protecting personal privacy, personal information and personal data. Over these thirty years of development, commercial banks have formulated internal rules, management measures and implementing detailed rules in line with each of these policies, laws and regulations (see Figure 3).
Figure 3: Development of China's laws and regulations on personal information protection
2. Current state of personal information protection at commercial banks and risk warnings
(1) Coarse rule-based management and frequent violations at grassroots branches
Since the Regulations on the Administration of Savings were promulgated in 1992, and as subsequent laws and regulations were issued one after another, most banks have issued at the head-office level a series of internal rules or operating guidelines setting requirements for querying, verifying, changing and safeguarding personal information, and have put "hard" system-level management and controls on how each position within the bank handles personal information.
After the Personal Information Protection Law was promulgated, and under laws and regulations such as the Anti-Money Laundering Law of the People's Republic of China, the Provisions on the Real-Name System for Personal Deposit Accounts and the Administrative Measures for Customer Identification and the Retention of Customer Identity Data and Transaction Records by Financial Institutions, incidents in which commercial banks improperly process personal information have occurred frequently. According to the White Paper on Crime Among Employees of Financial Institutions in China (2021), because head-office and provincial-branch staff do not deal with customers directly, unlawful use of customer information by them is rare. Among the staff of mid-level and grassroots branches who verify and collect customers' personal information, however, management rules or operating guidelines that are not detailed enough, or management training that is not in place, mean that personal information protection is not actually implemented in day-to-day operations. The result is unintended non-compliant queries of customers' personal information that draw complaints, as well as unlawful queries for work-related or non-work-related reasons, easy retrieval of customer data, and even leaking or reselling it and colluding with outsiders for profit; such cases are far from rare [3] (see Table 2). Management rules, operating guidelines and system settings that are inadequate or not updated in time leave openings for unauthorised querying, collection and leakage of customers' personal information.
Table 2: Year-on-year comparison of the positions held by financial institution employees involved in cases

| Position | 2020 | 2021 | Year-on-year change |
| --- | --- | --- | --- |
| Grassroots staff | 46.88% | 54.88% | 8.00% |
| Senior executives | 20.00% | 20.84% | 0.84% |
| Middle managers | 24.16% | 19.31% | -4.85% |
| Leading cadres | 8.96% | 4.97% | -3.99% |
(2) Sharing information with third-party platforms: the risk of data leaving the bank's control
Commercial banks have widely introduced third-party partner platforms into mobile banking, online banking and WeChat mini-programs, and it is common for them to steer customers into registering on third-party platforms and authorising those platforms to query customer information without the customer being clearly "informed" or having given "consent". Relying on the bank's credit endorsement, customers enter the third-party platform through the bank's official website, app or WeChat mini-program. Customers lower their guard when registering on the third-party platform and authorising it to access their personal information; when the platform later leaks that information and causes losses, it is common for customers to look to the bank to "foot the bill". Alternatively, a bank may share customers' personal information with a third-party platform on its own initiative to meet business needs; once the platform obtains the information, it leaves the bank's monitoring, which undoubtedly increases the risk of customer information leakage.
(3) Legal liability for personal information protection
1. Civil and administrative liability
The Personal Information Protection Law sets out the civil and administrative liability for violations of law and regulation [4]. For civil liability, commercial banks are subject to a presumption of fault, which adds to their burden of proving that they acted in compliance with the law. The law also grants the right to bring suit for violations to people's procuratorates, consumer organisations specified by law and organisations designated by the national cyberspace administration. Granting a right of public-interest litigation over infringement of personal information will inevitably increase commercial banks' reputational and public-opinion risk. For administrative liability, the measures scale with the seriousness of the violation: for minor cases, the enforcement department orders rectification, issues a warning and confiscates unlawful gains; for serious cases, the department performing personal information protection duties at or above the provincial level orders rectification, confiscates unlawful gains, imposes a fine of up to RMB 50 million or up to 5% of the previous year's turnover, and may order suspension of the relevant business or suspension of operations for rectification, or notify the competent authority to revoke the relevant business permit or the business licence itself. In the severity of its penalties, the Personal Information Protection Law follows the approach of the EU's GDPR and greatly raises the cost to commercial banks of non-compliance and violations in personal information protection. The ten-million-yuan penalties issued repeatedly by regulators at the start of this year confirm, through concrete action, the strength of enforcement and the resolve behind strict supervision.
2. Criminal liability
Article 253-1 of the Criminal Law of the People's Republic of China (2020 Amendment) sets the penalties for the crime of infringing citizens' personal information. On 8 May 2017 the Supreme People's Court and the Supreme People's Procuratorate issued the Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing Citizens' Personal Information, which interpreted the "relevant state provisions" in that offence as including laws, administrative regulations and departmental rules. The Personal Information Protection Law is a law within that scope, so commercial banks and their employees who violate personal information protection may face criminal liability. According to the analysis in the White Paper on Crime Among Employees of Financial Institutions in China (2021), a high proportion of convictions of financial institution employees involve joint crimes, and beyond the traditional offences of fund-raising fraud and illegally absorbing public deposits they also include insurance fraud and the crime of infringing citizens' personal information. The number of cases of infringing citizens' personal information rose from 7 in 2020 to 8 in 2021. It follows that although criminal liability is clearly established at the legislative level, in practice the crime of infringing citizens' personal information persists despite repeated prohibition.
3. Preventive measures for personal information protection at commercial banks
On 1 November 2021 the Personal Information Protection Law took effect. It is China's first legislation specifically on personal information protection and the basic law in the field, and it establishes a complete framework for personal information protection. The law defines personal information as any information, recorded electronically or by other means, relating to an identified or identifiable natural person, excluding anonymised information. It lays down the "three minimums" principle: processing must use the method with the "least" impact on individual rights and interests, collection must be limited to the "minimum scope" needed to achieve the purpose of processing, and the retention period must be the shortest time necessary for that purpose. It comprehensively strengthens the duty to keep customers "informed" when processing their personal information and to obtain their "consent", and requires "separate consent" for processing sensitive information. Accordingly, commercial banks are advised to take the following preventive measures:
(1) Build a personal information data asset database and put "hard" system protection in place
Establish a data asset management department at head-office level to inventory, count and clean up existing personal information data assets, and take the following measures in accordance with the Personal Information Protection Law, the Personal Financial Information Protection Technical Specification, the Interim Measures for the Administration of the Personal Credit Information Basic Database and similar rules. First, classify and grade data by sensitivity, from high to low, into three levels, C3, C2 and C1, and set processing permissions for querying, modifying, deleting and so on for each data item. Second, implement risk monitoring, early warning and reporting for data processing to prevent unauthorised access, so that the "hard" system protects customers' personal information where the "soft" system at grassroots branches (incomplete rules or inadequate training) would otherwise allow mistaken operations that leak, tamper with or lose personal information. Third, apply security technical measures such as anonymisation and de-identification during data processing.
(2) Refine personal information data protection rules to cover the full data life cycle
The life cycle of personal financial information covers the entire process of collecting, transmitting, storing, using, deleting and destroying it. As personal information processors, commercial banks should designate the internal body responsible for personal information protection, formulate rules and operating guidelines for information protection, and combine them with the system so that personal information is managed by category, by level and across the whole life cycle. On top of these rules, strengthen professional ethics training for bank employees: risk always originates with people, and employees who respect supervision and the law will process personal information in a compliant and lawful way. The personal information protection rules and operating guidelines must then be implemented in actual business operations.
(3) Self-certification of compliance: leaving a traceable record of "informed consent"
"Informed consent" is the core principle of protecting individual customers' information. Before collecting and processing personal customer information, commercial banks should fully obtain customers' consent and perform their duty to inform. First, when processing personal information offline, the bank should inform the customer of the purpose of processing in a prominent way and in clear, plain language; customer agreements should avoid "open-ended" wording, should state the purpose, method and scope of processing explicitly, and the signed texts recording notification and consent should be retained. Second, when processing customer information through the app, WeChat official account, website or other channels, the bank should avoid burying the notice in large amounts of clutter and should likewise inform customers in clear, plain language; it should not treat defaults as consent but should make reading mandatory, for example by scroll-to-bottom or timed reading. Third, for sensitive information, as graded in the data asset database, the bank must ensure it obtains the customer's "separate consent". Fourth, when processing personal information online, the bank must keep logs of the processing so that there is a traceable record for later "self-certification of compliance".
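As an added illustration (not part of the article), the following Python model ties together the measures in sections 3(1) and 3(3): C3/C2/C1 sensitivity levels with per-operation permissions, a consent ledger that demands "separate consent" before C3 data is touched, and a hash-chained log of every decision that can later back up self-certification. The role names, field names and sample customer data are constructed assumptions.

```python
"""Added example: classification-tiered access control with a consent ledger
and a hash-chained audit log. Role names, field names and sample data are
constructed for illustration; the C3/C2/C1 levels and the "separate consent"
rule for sensitive data follow the article."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LEVELS = ("C3", "C2", "C1")            # sensitivity, highest first
OPERATIONS = ("query", "modify", "delete")

# Hypothetical role matrix: branch staff may only query C1/C2 data; only the
# head-office data-asset team may touch C3 or modify/delete anything.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "branch_staff": {("C1", "query"), ("C2", "query")},
    "data_asset_team": {(lvl, op) for lvl in LEVELS for op in OPERATIONS},
}


@dataclass(frozen=True)
class Consent:
    customer_id: str
    purpose: str
    separate: bool  # stand-alone consent, required before sensitive (C3) data is used


@dataclass
class PersonalInfoStore:
    classification: Dict[str, str]                  # field name -> level
    consents: List[Consent] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

    def record_consent(self, customer_id: str, purpose: str, separate: bool) -> None:
        self.consents.append(Consent(customer_id, purpose, separate))

    def _has_consent(self, customer_id: str, purpose: str, need_separate: bool) -> bool:
        return any(c.customer_id == customer_id and c.purpose == purpose
                   and (c.separate or not need_separate) for c in self.consents)

    def _append_log(self, entry: dict) -> None:
        # Chain each entry to the previous hash so a removed or edited entry is
        # detectable when the log is later used to self-certify compliance.
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        digest = hashlib.sha256((json.dumps(entry, sort_keys=True) + prev).encode()).hexdigest()
        self.audit_log.append({**entry, "prev": prev, "hash": digest})

    def access(self, actor: str, role: str, customer_id: str, field_name: str,
               operation: str, purpose: str) -> Tuple[bool, str]:
        """Decide one access request; every decision, allowed or not, is logged."""
        level = self.classification.get(field_name)
        if level is None:
            decision, reason = False, "unclassified field"
        elif (level, operation) not in ROLE_PERMISSIONS.get(role, set()):
            decision, reason = False, f"role {role} may not {operation} {level} data"
        elif not self._has_consent(customer_id, purpose, need_separate=(level == "C3")):
            decision, reason = False, "separate consent missing" if level == "C3" else "consent missing"
        else:
            decision, reason = True, "allowed"
        self._append_log({"actor": actor, "role": role, "customer": customer_id,
                          "field": field_name, "level": level, "op": operation,
                          "purpose": purpose, "allowed": decision, "reason": reason})
        return decision, reason

    def verify_log(self) -> bool:
        """Recompute the chain; False if any entry was altered or dropped."""
        prev = "0" * 64
        for e in self.audit_log:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            expected = hashlib.sha256((json.dumps(body, sort_keys=True) + prev).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def demo() -> PersonalInfoStore:
    # Constructed sample: one customer, three fields at the three levels, and a
    # general consent that does not yet count as "separate consent" for C3 data.
    store = PersonalInfoStore({"id_number": "C3", "phone": "C2", "name": "C1"})
    store.record_consent("cust-001", "account_opening", separate=False)
    store.access("t01", "branch_staff", "cust-001", "phone", "query", "account_opening")
    store.access("t01", "branch_staff", "cust-001", "id_number", "query", "account_opening")
    store.access("d01", "data_asset_team", "cust-001", "id_number", "query", "account_opening")
    store.record_consent("cust-001", "account_opening", separate=True)  # separate consent given
    store.access("d01", "data_asset_team", "cust-001", "id_number", "query", "account_opening")
    return store
```

Denied requests are logged alongside allowed ones, so the log doubles as the "risk monitoring and early warning" record from section 3(1).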
4. Conclusion
Commercial banks should actively embrace the new opportunities and challenges brought by the Personal Information Protection Law, do a thorough job of protecting personal information security, build a data asset database, ensure precise service and professional, agile identification and protection of personal information data, turn pressure into momentum, and, while safeguarding personal information rights and interests, achieve their upgrade to digital finance.
References:
1. Liu Enze. Regulatory effectiveness and impact of the EU General Data Protection Regulation. The Chinese Banker, 2022(02): 136-139.
2. Yu Shenshen. How can banks protect personal data under the stricter legal environment at home and abroad? China Banking, 2020(1): 90-93.
3. Yu Baocai. Challenges of fintech development to personal information protection at commercial banks and countermeasures. South China Finance, 2020(529): 78-90.
4. Han Xiaoying. Legal analysis and recommended measures for personal information protection at commercial banks. Modern Finance Guide, 2021(04): 72-75.
5. China Justice Big Data Institute et al. (eds.). White Paper on Crime Among Employees of Financial Institutions in China (2021).
Authors: Ye Ping, Zhejiang Liqun Law Firm, 15067668220
Mao Yuyang, Zhejiang Liqun Law Firm, 18358665058