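Civil law regulation of entrusted processing of personal information
Author:
CLC number: D923; D922.16; D922.294

Funding: Ministry of Justice Research Project on National Rule of Law and Legal Theory, "Research on Legal Liability for Artificial Intelligence Products" (18SFB039); China University of Political Science and Law Research Project on Big Health Rule of Law and Policy Innovation (Y2020005)
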
    Abstract:

    Entrusted processing of personal information is an inevitable choice for the flow, sharing, and use of information. Article 21 of the Personal Information Protection Law (PIPL) specifically provides a normative basis for entrusted processing of personal information, filling the normative gaps left by the Civil Code, the Electronic Commerce Law, the Network Security Law and other laws. However, how the content of this article should be interpreted and applied, and how the purpose, objects, methods and other elements of the private law regulation of entrusted processing should be elaborated, still need to be refined through interpretation. In judicial practice, information processors often cite a contract or other transaction arrangement with a third party and argue that the damage was caused by others and is unrelated to their own processing, which poses a challenge to protecting the rights and interests of information subjects. This is the core of the civil law regulation of entrusted processing.

    As the foundational argument for private law regulation of entrusted processing, the legal structure of entrusted processing differs from that of joint processing: the relationship between the information processor and the entrusted party is one of subordination. The information processor decides the purpose and method of processing, and the entrusted party can process personal information only as instructed by the information processor. To better safeguard the lawful rights and interests of information subjects, the internal contract of the entrusted processing relationship must include mandatory provisions to ensure that the entrusted party processes data lawfully, and the information processor can check whether the entrusted party has complied with these provisions. Compared with Article 20 of the PIPL, which leaves the rights and obligations of each party to agreement among the parties themselves, Article 21.1, which lists in detail the purpose, duration, and method of the entrusted processing, the types of personal information, the protection measures, and the rights and obligations of both parties, is a commendable legislative choice. In accordance with Article 21.2 of the PIPL and the general rules of foreign law, the entrusted party bears three statutory obligations: processing as instructed, returning (or deleting) the information after the service ends, and maintaining confidentiality. In addition, the general rules of entrustment contracts cannot be applied to sub-entrustment, notification and consent, or appropriate appointment and supervision; the purpose is to ensure that the entrusted party performs its duties correctly and appropriately and complies with personal information protection regulations.

    As for the liability of the parties, Article 69 of the PIPL provides for liability for damages. At the same time, the norms of the Civil Code extend the system, so that remedies for the rights and interests of information subjects can be obtained not only through the Personality Rights Part but also, as a fallback, through the Tort Liability Part. However, Article 21 of the PIPL does not provide for how liability is divided between the information processor and the entrusted party, which constitutes a legal loophole. To resolve the remedial predicament of an unclear liable party in entrusted processing, the information subject's rights should be remedied through rules of joint and several liability. Specifically, the loophole can be filled by drawing on the theory of joint dangerous acts and applying Article 1170 of the Civil Code by analogy: the information processor and the entrusted party are jointly and severally liable for damage arising from the same processing, unless it can be proved that the damage was in fact caused by the other party.

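Cite this article

Cao Mingde, Zhao Feng. Civil law regulation of entrusted processing of personal information[J]. Journal of Chongqing University (Social Science Edition), 2022, 28(4): 203-215. DOI: 10.11835/j.issn.1008-5831.fx.2022.03.003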

History
  • Published online: 2022-09-30