Personal information protection compliance, as an enterprise management tool, faces a systemic risk of abuse. For this reason, when allocating the risks of processing personal information, the principle of proportionality should be followed: the freedom of individual citizens, enterprises and public authorities to process personal information should be reasonably restricted, and both the principle and the restriction should serve as the legal basis of personal information protection compliance. Accordingly, when designing a compliance program for personal information protection, enterprises should follow the principles of legitimate purpose, distinction, balance and trust. When auditing an enterprise's personal information protection compliance, a three-step review method should be adopted: a progressive review of the general characteristics of the compliance program, of its specific elements and their functions, and of the specific acts of the enterprise's members. The bottom line of an enterprise's personal information protection compliance system is defined by the crime of infringing on citizens' personal information. By treating the compliance of the enterprise's processing of personal information, together with the fulfillment of supervisory obligations by its leaders and compliance officers, as the criteria for evaluating the wrongfulness of this crime, the bottom-line function of the crime can be effectively realized.