On February 1, 2024, the State Post Bureau requested comments on the Measures for the Security Management of Personal Information of Mail and Delivery Service Users. Comments were due to be submitted by March 2, 2024.

In particular, the Measures outline their application to the operation and use of postal services within China involving security activities related to personal information as well as the supervision and management of post management department. The Measures provide that personal information processing activities of mailing and delivery enterprise services must adhere to principles including legitimacy and necessity, not illegally buying, selling, providing, or disclosing personal information, or engaging in the processing of personal information that endangers national security or public interests.

More specifically, the Measures detail that delivery companies may process users' personal information where:

• they have obtained the user's consent;
• it is necessary for the conclusion and performance of a delivery service contract;
• it is necessary to perform legal obligations;
• the processing is for public health emergencies, or it is necessary to protect the life, health, and property of natural persons; and
• other situations as stipulated in laws and guidelines.

Regarding the retention of personal information, the Measures note that delivery companies should retain users' personal information for a maximum of three years from the date of collection.

Likewise, prior to processing, shipping companies must accurately and completely in clear and understandable language inform users of the purpose and method of processing, retention period, and company contact information. The Measures also detail mechanisms to ensure the processing of user personal information by third parties in accordance with the instructions of the providing party. Notably, where personal information is provided to a third party outside China, the delivery company must do so in accordance with relevant laws and regulations applicable to cross-border data transfers.

The Measures further provide the carrying out of an impact assessment on data subject rights and interests, and security measures, concerning, among other things:

• the processing of sensitive information;
• the provision of personal information to third parties;
• the provision of personal information to third parties outside China; and
• the use of personal information for automated decision-making.

You can read the press release here and the Measures here, both only available in Chinese.