
China Issues New Rules on Personal Information Compliance Audit


Compliance audits for personal information protection have drawn great attention in China for a while.

Back on 1 November 2021, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”) for the first time explicitly required, at the legislative level, that personal information processing activities undergo regular compliance audits.

The personal information protection compliance audit (“PIPCA”) has since been a statutory obligation for personal information processors (“PI processors”) subject to the PIPL. The PIPCA requirement is also reiterated in the Cyber Data Security Management Regulations, which took effect on 1 January 2025.

On 14 February 2025, the Cyberspace Administration of China (CAC) officially issued the Administrative Measures for the Personal Information Protection Compliance Audit (the “PIPCA Measures”), which will become effective on 1 May 2025. The final version was issued about one and a half years after the first draft for public comments was released in August 2023.

The PIPCA Measures, including their appendix (the “PIPCA Guidelines”), specify detailed requirements for PI processors to conduct PIPCA, highlighting the important role of PIPCA in personal information protection compliance.

This article summarizes the key takeaways from the PIPCA Measures.

1. Who is required to carry out PIPCA?

As mentioned above, in accordance with the PIPL and the PIPCA Measures, carrying out PIPCA is a statutory obligation that must be observed by almost all PI processors in China[1], excluding state agencies or organizations authorized by laws and regulations to manage public affairs[2]. The term “PI processor” under the PIPL is equivalent to the concept of “personal data controller” under the GDPR.

There are two scenarios for conducting PIPCA:

(1) PIPCA initiated by PI processors

Despite the wide applicability of the PIPCA requirement, PI processors may initiate PIPCA under different circumstances and with different frequencies:

a) When the volume threshold is triggered

PI processors processing personal information of over 10 million individuals are required to conduct PIPCA at least once every two years[3].

b) When required by special regulations

Sector-specific data security regulations may impose specific audit frequency requirements. For example, Article 37 of the Regulations on the Protection of Minors in Cyberspace stipulates that PI processors shall conduct compliance audits on an annual basis, either by themselves or with the assistance of third-party professional institutions, on their processing of minors’ personal information to ensure compliance with laws and regulations.

c) When observing general requirements under PIPL

For PI processors whose processing of personal information does not reach a specific triggering threshold, the PIPCA Measures do not explicitly specify the audit frequency. However, this does not exempt such PI processors from conducting PIPCA, and they should reasonably determine the frequency based on their own conditions[4].

(2) PIPCA ordered by authorities

Article 64 of the PIPL stipulates that if the authorities identify significant risks in personal information processing activities, or personal information security incidents occur, they can mandate the PI processor to engage a professional institution to conduct PIPCA.

The PIPCA Measures specify the scope of the “significant risks”, including:

  • personal information processing activities that severely infringe on individual rights or lack adequate security measures;
  • personal information processing activities that may harm the rights of a large number of individuals; or
  • the occurrence of personal information security incidents leading to the leakage, alteration, loss or damage of personal information involving over 1 million individuals, or of sensitive personal information of over 100,000 individuals[5].

When the CAC or other personal information protection authorities (the “Authorities”) mandate the PIPCA, the PI processor cannot carry out the PIPCA on its own but must engage a professional institution to do so. The PI processor shall provide necessary support and bear the audit costs[6].

2. How to carry out PIPCA?

Under normal circumstances, PI processors may decide whether to carry out PIPCA by themselves or by engaging an external professional institution. However, engaging an external professional institution becomes mandatory when the PIPCA is ordered by the Authorities.

(1) Roles and functions within PI processors

Regardless of whether an external professional institution is engaged, certain roles within PI processors may be responsible for the implementation of PIPCA:

a) Personal information protection officer (PIPO)

Article 52 of the PIPL requires PI processors processing personal information above the threshold specified by the CAC to appoint a PIPO.

The PIPCA Measures clarify this threshold: PI processors processing personal information of over 1 million individuals must appoint a PIPO responsible for overseeing PIPCA[7].

The PIPCA Guidelines further outline the qualifications and responsibilities of the PIPO, including:

  • the PIPO shall have relevant work experience and expertise in personal information protection laws and regulations;
  • the PIPO shall have clearly defined responsibilities and sufficient authority to coordinate internal departments and personnel;
  • the PIPO shall have the right to provide opinions and suggestions before major decisions on personal information processing are made; and
  • the PIPO shall have the authority to halt non-compliant personal information processing activities and implement corrective measures[8].

The professional qualities and responsibilities of the PIPO described above are similar to those of the data protection officer (DPO) under the GDPR. However, under the GDPR, the DPO can be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. The PIPCA Measures are silent on this point.

b) Other internal departments

For PI processors processing personal information of fewer than 1 million individuals, a PIPO is not mandatorily required, so PIPCA would need to be coordinated and observed by the relevant internal departments. These may typically include legal, compliance, IT and certain business functions, depending on the internal structure of each PI processor.

c) Independent oversight body

Under the PIPL, PI processors that: (i) provide significant internet platform services; (ii) have a large user base; and (iii) engage in complex business types, must establish an independent oversight body composed primarily of external members[9].

To clarify the above triggering circumstances for the independent oversight body, the Cyber Data Security Management Regulations further define “large online platforms” as platforms that:

  • have over 50 million registered users or over 10 million monthly active users;
  • carry out complex business types; and
  • carry out processing activities that may materially impact national security, economic operations, or public welfare[10].

The PIPCA Measures specify that the independent oversight body (where applicable) shall be responsible for monitoring the implementation of PIPCA[11].

(2) External professional institutions

Where PI processors are required to engage external professional institutions, the PIPCA Measures impose certain requirements on the professional institutions’ capabilities, independence and confidentiality obligations:

  • The professional institution shall have sufficient capability to carry out PIPCA, with professional personnel, premises, facilities, funds, etc.[12]
  • The PIPCA report shall be signed by the institution’s responsible person and the PIPCA project responsible person, and stamped with the institution’s official seal[13].
  • The professional institution shall maintain confidentiality and promptly delete personal information, trade secrets, confidential business information and other relevant information after completing PIPCA[14].
  • The professional institution shall carry out PIPCA directly and shall not subcontract the PIPCA to other institutions[15].
  • The same professional institution and its affiliates, or the same responsible person of the audit cannot conduct PIPCA for the same auditee for more than three consecutive times[16].

3. What is the timeline of PIPCA?

Under normal circumstances (i.e. PIPCA initiated by PI processors), the PIPCA Measures do not specify how quickly PIPCA must be completed. Pending further rules, PI processors may determine the timescale of the PIPCA on their own.

For PIPCA ordered by the Authorities, the timeline is subject to the Authorities’ requirements. Where the PIPCA is complex, the timeline can be extended subject to the Authorities’ further approval[17].

4. What shall be done after PIPCA is completed?

PIPCA is a measure to identify the compliance gaps of the processing activities carried out by PI processors. Therefore, based on the results of PIPCA, PI processors should rectify the identified non-compliance and determine when the next round of PIPCA should be launched as required by law or determined by PI processors.

For those PIPCA ordered by the Authorities, PI processors shall submit the PIPCA report issued by the external professional institution to the Authorities, take rectification measures and further prepare a rectification report to be submitted to the Authorities within 15 working days after completing the rectification[18].

5. What is to be audited?

The PIPCA Guidelines provide 26 aspects of compliance audits, which are set out and categorized as follows:

Rather than simply pointing out the aspects to be audited at a high level, the PIPCA Guidelines set forth further details to be assessed under each aspect, depending on the complexity of the processing and the level of detail of the relevant laws and regulations. For example, “internal management system and operating procedures for the protection of personal information” contains up to 11 points to be audited, covering internal policy development, organizational structure and staffing, the procedure for responding to individuals’ requests, the training plan and performance evaluation for staff, and the operating procedures for personal information processing, etc.

The key points of the PIPCA Guidelines are set out as follows:

(1) Legal basis

PIPCA shall primarily focus on the legal basis for processing personal information, which in most cases refers to obtaining the individual’s consent.

Echoing the PIPL, the PIPCA Guidelines require examining whether the individual’s consent has been obtained, whether such consent is given voluntarily and explicitly on the basis of full knowledge, whether a special formality of consent applies (e.g., separate consent or written consent), etc.

Where the individual’s consent has not been obtained, the audit needs to examine whether the processing activity falls within the scope where the individual’s consent is exempted as stipulated by law, including where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, for the performance of statutory duties or statutory obligations, and the other circumstances laid down in Article 13 of the PIPL.

(2) Notification

Notifying the individual of the rules for processing personal information is explicitly required by the PIPL as a prior obligation for the processing of personal information, whether or not the processing is subject to the individual’s consent.

Where individuals have not been notified, the audit needs to examine whether the processing is subject to confidentiality, or whether notification is not necessary, as stipulated by laws and regulations.

According to the PIPCA Guidelines, “notification” shall be examined from two perspectives:

  • What to notify: Essentially, the matters of which individuals are to be informed should include those required by the PIPL, including but not limited to the title or name and contact information of the PI processor, the purpose and method of processing personal information, the type and retention period of the processed personal information, and the method and procedure for the individual to exercise rights.
  • How to notify: PIPCA also needs to focus on the method and formality of notification, specifically: whether the rules for processing personal information are presented to individuals in a conspicuous manner and in clear and understandable language; whether the size, font and colour of the text are convenient for the individual to read in full; and whether the method of notification is appropriate to the online/offline scenario, etc.

(3) Flow of personal information

The aspects to be examined in the flow of personal information restate the rights and obligations of the PI processor required by the PIPL. For example, whether the PI processor has agreed with the counterparty (through a contract) on each party’s rights and obligations and the processing details (e.g., the personal information types, the processing purpose and methods), whether certain obligations have been fulfilled (e.g., obtaining separate consent from individuals, notifying individuals of the flow of personal information), etc.

It should be noted that, for both the entrusted processing of personal information and the sharing of personal information, the PIPCA Guidelines emphasize assessment of whether a Personal Information Protection Impact Assessment (PIPIA) was conducted prior to the processing. As PIPCA is an after-the-fact assessment, once a PI processor is found not to have conducted the PIPIA before carrying out the relevant processing activities, the earlier violation of law cannot be erased even if rectifications are made after the audit, and it will constitute a material non-compliance.

As such, we suggest implementing the PIPIA as required to ensure compliance, rather than relying on rectification after the fact.

(4) Special processing activities

With respect to the special processing activities that may bring higher risks to individuals’ rights and interests, the PIPCA Guidelines focus on assessing the lawfulness, legitimacy and necessity of such processing activities and whether the relevant obligations required in the PIPL have been fulfilled to protect individuals’ rights.

Furthermore, the PIPCA Guidelines also supplement more specific scenarios to interpret the existing requirements laid down in the PIPL. For example, the PIPL provides that “a personal information processor may, within a reasonable scope, process the personal information that is disclosed by the individual concerned himself/herself or other personal information that has been legally disclosed…”[19], while the PIPL itself does not explain what the “reasonable scope” is. The PIPCA Guidelines provide that, for the processing of personal information that has been disclosed, if the PI processor:

  • sends commercial information that is irrelevant to the purpose of disclosure to the e-mail addresses, mobile phone numbers, etc. contained in the disclosed personal information;
  • uses disclosed personal information to engage in cyber-violence, the online dissemination of rumours and false information, or other such activities; or
  • exceeds the reasonable scope of the scale or time of collection, retention or processing of disclosed personal information, or the purpose of use thereof,

such processing will be deemed a “violation of laws and regulations”. We understand that such clauses give concrete form to the concept of “reasonable scope” and will provide more reference for PI processors.

(5) Protection of individuals’ rights in personal information processing

The individual’s rights include the right to know, the right to copy, the right to modify and supplement, the right to withdraw consent, etc. The PIPCA Guidelines reiterate the PI processor’s obligations of protecting individuals’ rights in processing personal information as stipulated in the PIPL.

Among others, the PIPCA Guidelines emphasize the protection of the right to delete and require assessing whether the circumstances where the PI processor should delete personal information, on its own initiative or upon requests by individuals, have occurred and whether the deletion has been legally implemented.

We remind PI processors to pay close attention to the implementation of the deletion of personal information. Once the circumstances requiring deletion occur (e.g., the purpose of personal information processing has been achieved, cannot be achieved or is no longer necessary to achieve, or the PI processor has ceased to provide products or services), the PI processor should delete the personal information in a timely manner, even if such personal information could be of value in future business operations, unless a statutory retention obligation applies.

(6) Obligations of the PI processor

The PIPL stipulates wide-ranging obligations for the PI processor, covering various dimensions such as policy development, procedure establishment, technical security measures, organization and staffing management, and the building of channels for accepting individuals’ requests, etc.

Similarly, the PIPCA Guidelines also provide more interpretation to the existing requirements in the PIPL by giving more specific examples:

  • The PIPL requires the PI processor to “develop internal management systems and operating procedures”.
  • The PIPCA Guidelines indicate that such “internal management systems” shall include “the guidelines, objectives and principles of personal information protection”, “PIPIA system and PIPCA system”, “the performance evaluation system for the PIPO and the relevant personnel”, and “the accountability system for illegal processing of personal information”.

It is worth noting that the PIPL only requires the PI processor to conduct audits on its processing of personal information on a regular basis, but it does not expressly require developing the audit system. Besides, the PIPL only requires taking appropriate technical security measures such as encryption and de-identification, while the PIPCA Guidelines further require evaluating the effectiveness of the adopted technical security measures.

These new requirements will provide clearer guidance for the audits.

(7) Internet platform services provider

It is an existing requirement in the PIPL that a PI processor that provides important internet platform services, with a large number of users and complicated business types, shall, amongst other obligations:

  • follow the principles of openness, fairness and impartiality, formulate platform rules specifying the standards for the processing of personal information by product or service providers on the platform and their obligations to protect personal information; and
  • regularly release social responsibility reports on personal information protection for social supervision[20].

Reflecting the above requirements, the PIPCA Guidelines require evaluating the lawfulness, effectiveness and reasonableness of the platform rules, and whether the platform rules have been effectively implemented, by sample checks or other means.

Suggestions

As mentioned above, PIPCA is not a new requirement but a statutory obligation in place since the PIPL took effect. The PIPCA Measures detail the requirements for PI processors to conduct PIPCA.

We suggest that PI processors proactively consider the implementation of PIPCA, following the detailed requirements and guidelines provided in the PIPCA Measures, to ensure full compliance.

For PI processors that do not trigger the special threshold for PIPCA, carrying out PIPCA on a regular basis will be necessary to minimize non-compliance risks, as well as to demonstrate good practice and robust governance of personal information protection.


Reference

  • [1] Article 2 of the PIPCA Measures
  • [2] Article 19 of the PIPCA Measures
  • [3] Article 4 of the PIPCA Measures
  • [4] Q&A from the PIPCA Measures Press Conference
  • [5] Article 5 of the PIPCA Measures
  • [6] Article 8 of the PIPCA Measures
  • [7] Article 12 of the PIPCA Measures
  • [8] Article 22 of the PIPCA Guidelines
  • [9] Article 58 of the PIPL
  • [10] Article 62 of the Cyber Data Security Management Regulations
  • [11] Article 12 of the PIPCA Measures
  • [12] Article 7 of the PIPCA Measures
  • [13] Article 10 of the PIPCA Measures
  • [14] Article 13 of the PIPCA Measures
  • [15] Article 14 of the PIPCA Measures
  • [16] Article 15 of the PIPCA Measures
  • [17] Article 9 of the PIPCA Measures
  • [18] Article 11 of the PIPCA Measures
  • [19] Article 27 of the PIPL
  • [20] Article 58 of the PIPL
