2025.02.18 DONG, Xiao (Marissa), FENG, Yijie, WEI, Weihua
On February 14, 2025, the Cyberspace Administration of China officially released the Administrative Measures for Personal Information Protection Compliance Audits (“Compliance Audit Measures”), which will take effect on May 1, 2025. The personal information protection compliance audit (“Compliance Audit”) system established by the Personal Information Protection Law (2021) (“PIPL”) is now entering the implementation phase.
Here, we highlight the key points of the Compliance Audit Measures in a Q&A format.
1. Are Compliance Audits mandatory for enterprises?
Yes, Compliance Audits are mandatory for all enterprises processing personal information within China. This is required under Article 54 and Article 64 of the PIPL, and Article 27 of the Regulations on Network Data Security Management (2025) (“Network Data Regulations”).
This means that enterprises processing personal information will need to determine internally the frequency, responsibilities, procedures and other relevant matters for conducting regular Compliance Audits to review, evaluate, and supervise their personal information protection measures.
2. What is the difference between a Compliance Audit and routine compliance management programs?
A Compliance Audit, as defined by the Compliance Audit Measures, is a supervisory activity that reviews and evaluates whether an enterprise’s personal information processing activities comply with laws and administrative regulations. It differs from routine compliance management in several key ways:
Independence: The core feature of an audit is its independence. Compliance Audits are generally separate from daily compliance management activities and act as the final line of defense in an enterprise’s risk management system.
Evaluation Object: Compliance Audits focus on the execution and effectiveness of routine compliance management activities. Reports, evaluation results, and records from these routine activities provide critical evidence for the audits.
Evaluation Scope: Routine compliance work typically targets specific projects or personal information processing activities. In contrast, a Compliance Audit involves a comprehensive review and evaluation of whether an enterprise’s personal information processing activities as a whole comply with the laws and administrative regulations.
3. When should enterprises conduct Compliance Audits?
There are two types of Compliance Audits contemplated under the Compliance Audit Measures: self-initiated audits and audits mandated by the regulatory authorities in specific circumstances.
3.1 Self-initiated Compliance Audits by enterprises
For self-initiated Compliance Audits, Article 54 of the PIPL and Article 27 of the Network Data Regulations only require that Compliance Audits be conducted “regularly”, without providing the exact frequency. The Compliance Audit Measures further stipulate that personal information processors processing the personal information of more than 10 million individuals must conduct at least one Compliance Audit every two years. However, for those processing the personal information of fewer than 10 million individuals, the Compliance Audit Measures do not impose a mandatory frequency for their Compliance Audits.
When determining the frequency of self-initiated Compliance Audits, the following aspects will need to be taken into consideration.
Determine whether the total amount of personal information processed exceeds 10 million individuals: The Compliance Audit Measures do not specify how to calculate this figure. In practice, enterprises may have different personal information processing roles in various business scenarios. For instance, an enterprise might act as a personal information processor in one scenario and an entrusted processor in another. Whether the personal information processed in all these scenarios should be included in the total calculation requires further clarification.
Special audit requirements for specific types of personal information or industrial sectors: The relevant enterprises will also need to evaluate whether they are subject to other legal requirements which prescribe the frequency of Compliance Audits. For example, according to Article 37 of the Regulations on the Protection of Minors in Cyberspace (2023), personal information processors must conduct, or entrust a professional agency to perform, an annual Compliance Audit of their processing of minors’ personal information and report the audit results to the cyberspace administration. It is suggested that enterprises evaluate whether their business models or personal information processing activities could trigger these requirements or other existing or future industrial-sector requirements.
In addition to the above, enterprises may consider factors such as the scale and sensitivity of the personal information processed, potential changes in business and personal information processing activities, global compliance arrangements, data security incidents and breaches, and relevant internal and external environmental factors, to establish a reasonable Compliance Audit system.
3.2 Compliance Audits mandated by the regulatory authorities
In addition to self-initiated Compliance Audits, regulatory authorities can require enterprises to appoint professional agencies to conduct a Compliance Audit of their personal information processing activities when significant risks are identified or personal information security incidents occur. This includes:
(1) Identifying major risks that severely affect personal rights or lack adequate security measures;
(2) Personal information processing activities potentially infringing on the rights of many individuals; and
(3) Personal information security incidents involving the leakage, tampering, loss, or destruction of the personal information of more than one million individuals or the sensitive personal information of more than 100,000 individuals.
For Compliance Audits mandated by the regulatory authorities, enterprises are required to:
(1) Cooperate and assist with the Compliance Audit: they must provide the necessary support for the professional agency to conduct the Compliance Audit and bear the audit costs.
(2) Complete the Compliance Audit on time: they must ensure that the Compliance Audit is completed within the time frame specified by the regulatory authorities. For complex situations, extensions may be granted by the regulatory authorities.
(3) Implement rectifications: they are required to implement the rectification advice provided by the professional agency.
(4) Submit the report to the authorities: they will need to submit the Compliance Audit report and the rectification results to the regulatory authorities.
4. Is a professional agency required for a Compliance Audit?
For self-initiated Compliance Audits, enterprises have the option either to perform the audits internally or to appoint a third-party professional agency. For Compliance Audits mandated by regulatory authorities, enterprises are required to engage a third-party professional agency to carry out the Compliance Audit.
The Compliance Audit Measures stipulate that personal information processors processing the personal information of more than one million individuals must appoint a personal information protection officer to oversee the Compliance Audit.
For personal information processors providing important internet platform services with a large user base and complex business types, the Compliance Audit Measures require the establishment of an independent body, primarily composed of external members, to supervise the Compliance Audit. It remains to be seen which enterprises will be classified as such processors and how these independent bodies will be established and operated.
For enterprises conducting internal Compliance Audits, it is crucial to ensure the independence of the audit team. According to the national standard Data Security Technology - Personal Information Protection Compliance Audit Requirements (Draft for Comments), internal audit personnel should avoid auditing business areas for which they are responsible and should not participate in the daily operations or personal information security protection of the audited entities. If a dedicated personal information protection Compliance Audit team is not established, personnel should be selected from internal audit teams, security teams, legal teams, or other teams with relevant expertise while maintaining independence. The proportion of personnel from each team should be reasonable, and the audit team leader should approve the list of personnel.
When enterprises appoint third-party professional agencies to conduct a Compliance Audit, the Compliance Audit Measures stipulate that the same professional agency and its affiliated entities, as well as the Compliance Audit leader, should not conduct more than three consecutive audits for the same entity. This ensures the objectivity and impartiality of the Compliance Audit process.
5. What should be reviewed in a Compliance Audit?
The Compliance Audit Measures outline the key areas that personal information processors or their appointed professional agencies should focus on during a Compliance Audit in its annex, the Guidelines for Personal Information Protection Compliance Audits (“Compliance Audit Guidelines”). This involves five main modules with 27 sections, covering personal information processing rules, rules for the cross-border provision of personal information, protection of the rights of personal information subjects, obligations of personal information processors, and the special responsibilities of large internet platforms.
The key review points in the Compliance Audit Guidelines align with specific provisions in the PIPL and incorporate requirements from other relevant regulations.
6. How is Compliance Audit work carried out in practice?
The Compliance Audit Measures do not specify the detailed procedures, implementation rules, personnel requirements, or evidence documentation for conducting Compliance Audits.
However, before the release of the Compliance Audit Measures, a draft national standard, Data Security Technology - Personal Information Protection Compliance Audit Requirements (Draft for Comments), was issued on July 12, 2024 (“Draft Compliance Audit Requirements”). It provides detailed guidance on the principles, requirements, process, audit content, methods and evidence requirements for Compliance Audits, and includes templates for audit working papers and audit reports. Although this national standard has not been finalized, its detailed provisions and templates can serve as a practical guide for enterprises.
According to public reports, a series of standards and practice guidelines for Compliance Audits are under development. These forthcoming standards and guidelines will further support the implementation of the Compliance Audit Measures. We will continue to monitor and follow up on the implementation of Compliance Audits.