(1) Whether the purpose and method of handling personal information are lawful, fair and necessary;
(2) The impact on personal rights and security risks;
(3) Whether the protective measures taken are legal, effective and appropriate to the degree of risk.
The personal information protection impact assessment report and handling records shall be kept for at least three years.
Article 57 Where personal information is leaked, tampered with or lost, the personal information processor shall immediately take remedial measures and notify the departments and individuals who perform the duties of personal information protection. The notice shall include the following contents:
(1) The types, causes and possible harm of personal information disclosure, tampering and loss;
(2) Remedial measures taken by personal information processors and measures that individuals can take to reduce damage;
(3) Contact information of the personal information processor.
If the measures taken by the personal information processor can effectively avoid the harm caused by information disclosure, tampering and loss, the personal information processor may choose not to notify the individual; if the department performing the duty of personal information protection thinks that it may cause harm, it has the right to ask the personal information processor to notify the individual.