个人信息保护合规的体系构建

Constructing a Personal Information Protection Compliance System

作为企业管理工具,个人信息保护合规也存在被滥用的体系性风险。在分配个人信息处理风险时,应遵循比例原则的要求,合理限制公民个人、企业与国家公权力机关的个人信息处理自由,并以此作为个人信息保护合规的法理依据。企业在设计个人信息保护合规计划时,应遵循目的正当原则、区分原则、均衡原则与信赖原则。对企业进行个人信息保护合规审计时,应贯彻三阶审查法,即递进式审查合规计划的一般特征、具体要素及其功能、企业成员的具体行为。企业个人信息保护合规体系的底线,由侵犯公民个人信息罪划定。以企业的个人信息处理是否合规,以及企业领导人、合规负责人是否履行监管义务作为侵犯公民个人信息罪行为不法的评价标准,可有效保障本罪作为个人信息保护合规体系之底线的功能实现。

Personal information protection compliance,as an enterprise management tool,faces a systemic risk of abuse. For this reason,when allocating the risk of the processing of personal information,the requirements of the principle of proportionality should be followed,and the freedom of individual citizens,enterprises and public authorities in processing personal information should be reasonably restricted,both of which should be taken as a legal basis of the compliance with personal information protection. Accordingly,when designing a compliance program for the protection of personal information,enterprises should follow the principles of legitimate purpose,distinction,balance and trust. When conducting a compliance audit of an enterprise’s personal information protection,a three-step review method should be adopted,i. e.,a progressive review of the general characteristics of the compliance program,the specific elements and their functions,and the specific acts of members of the enterprise. The bottom line of an enterprise’s personal information protection compliance system is defined by the crime of infringing on citizens’ personal information. By using the compliance of an enterprise’s processing of personal information and the fulfillment of the supervisory obligations by the enterprise’s leaders and compliance officers as the criteria to evaluate the wrongfulness of this crime,the bottom-line function of the crime can be effectively realized.