Personal Information Protection Audits in China: Final Measures Effective May 1

Written by Arendse Huld

China’s Cyberspace Administration has unveiled final measures requiring relevant companies to undergo personal information protection compliance audits. The final requirements, including less frequent audits and higher thresholds than the draft, offer businesses an opportunity to strengthen compliance. Companies are advised to act now to align with China’s evolving data laws and ensure smooth audits.


On February 12, 2025, the Cyberspace Administration of China (CAC) released the final version of measures outlining requirements for companies to undergo a compliance audit on personal information protection.

The Measures for the Administration of Compliance Audits on Personal Information Protection (hereinafter the “Measures”), which were first released in draft form in 2023, require companies that process personal information in China to undergo an audit to ensure compliance with China’s personal information and data protection regulations.

Under the measures, companies can either appoint an internal department or a third-party agency to conduct the audit. Under certain circumstances, the cybersecurity authorities may require companies to appoint a professional institution to conduct the audit on their behalf.

Auditors are required to assess whether companies comply with China’s data and personal information protection regulations, including the Personal Information Protection Law (PIPL) and the Network Data Security Management Regulations, among others.

The final version of the measures has been released along with guidelines for conducting compliance audits, which detail the personal information processing activities that must be reviewed during the audit.

The measures will come into effect on May 1, 2025.


Who is required to conduct a compliance audit on personal information protection?

Companies that process the personal information of more than 10 million individuals in China are required to conduct a compliance audit at least once every two years. The measures do not stipulate how often companies processing lower volumes of personal information must conduct audits.

However, they do require companies processing the personal information of more than 1 million people to designate a person to be in charge of personal information protection compliance audits.

Moreover, companies that provide important Internet platform services, have a large number of users (platforms with more than 50 million registered users or more than 10 million monthly active users) and have complex business models are required to establish an independent organization mainly composed of external members to supervise the audits.

How can companies conduct a compliance audit on personal information protection?

Companies may choose to conduct a compliance audit independently. In such cases, they must appoint either an internal organization or an external professional organization to perform regular compliance audits. Companies that conduct audits on their own (whether internally or with an external organization) must adhere to the Guidelines for Personal Information Protection Compliance Audits released along with the measures (discussed below).

However, under certain circumstances, cybersecurity protection authorities may require a company to engage a professional institution to conduct a compliance audit. These circumstances include:

  • When the company’s personal information processing activities significantly affect the personal rights and interests of data subjects or show a serious lack of security measures;
  • When the company’s personal information processing activities pose a potential risk of infringing on the rights and interests of a large number of individuals;
  • When a personal information security incident occurs within the company, resulting in the leakage, tampering, loss, or destruction of personal information affecting more than 1 million people or sensitive personal information of over 100,000 people.

Professional institutions entrusted with conducting audits on companies must keep any personal information, trade secrets, and confidential business information obtained during the audit confidential in accordance with the law. They are prohibited from disclosing or unlawfully sharing this information with others. Additionally, they must promptly dispose of all relevant information upon completion of the compliance audit.

Requirements for undergoing an audit by a professional institution

The measures outline specific requirements for companies that are required by the cybersecurity protection authorities to undergo an audit by a professional institution.

These requirements include:

  • Rectifying the problems found in the audit in accordance with the requirements of the cybersecurity protection authorities, and submitting a rectification report to the cybersecurity protection authorities within 15 working days of rectifying said problems.

Guidelines for conducting compliance audits on personal information protection

As mentioned, companies that choose to conduct audits either with an internal organization or by appointing a professional institution (but not at the direction of the cybersecurity protection authorities) must adhere to the guidelines released with the measures.

The guidelines outline specific requirements for assessing compliance with different rules regarding personal information processing, including compliance with regulations on obtaining consent, protection of data subjects’ rights and freedom, personal information export, and many more.

The scope of activities that must be reviewed under the audit guidelines is extensive, covering a total of 27 areas of assessment. Below we outline the requirements for three such areas as an example.

Assessing the legal basis for personal information processing

When assessing the legal basis for processing individuals’ personal information, the audit must review a range of matters to ensure they comply with China’s personal information protection regulations.

If the processing of personal information is based on the personal consent of the individual, then the following must be assessed:

  1. Whether the individual’s consent has been obtained, and whether the consent is voluntary and informed;
  2. Whether the individual’s consent has been obtained again if the purpose, method, or type of personal information processed changes; and
  3. Whether the individual’s separate or written consent is obtained in accordance with laws and administrative regulations.

If, however, the personal information is processed without obtaining personal consent, then the audit should assess whether the specific processing activity falls within the circumstances in which personal consent is not required.

The legal requirements and legislative basis for these requirements are summarized in the table below.

Review Items for Assessing Legal Basis for Personal Information Processing

Review item: Whether voluntary and informed consent has been obtained from the individual.
Corresponding legal requirement: Companies may only process personal information after obtaining consent from the individual.
Legislation: Article 13 Item 1 of the PIPL

Review item: Whether consent has been obtained again if the purpose for, method of, or type of personal information processed changes.
Corresponding legal requirement: If the purpose for or method of processing personal information, or the type of personal information being processed, changes, the individual’s consent shall be obtained again.
Legislation: Article 14 Paragraph 2 of the PIPL

Review item: Whether the individual’s separate or written consent has been obtained in accordance with laws and administrative regulations.
Corresponding legal requirement: Where laws and administrative regulations provide that the processing of personal information shall obtain the individual’s separate consent or written consent, such provisions shall prevail.
Legislation: Article 14 Paragraph 1 of the PIPL

Review item: When a company processes personal information without obtaining the individual’s consent, whether the activity falls under the circumstances in which the individual’s consent is not required.
Corresponding legal requirement: Companies may process the PI of an individual without their consent in the following scenarios:
  • Where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor rules and regulations formulated in accordance with law and collective contracts concluded according to law;
  • Where it is necessary for the performance of statutory duties or statutory obligations;
  • Where it is necessary for coping with public health emergencies or for the protection of the life, health, and property of a natural person;
  • Where an activity such as news reporting or supervision of public opinion is carried out in the public’s interest and the processing of PI is within a reasonable scope;
  • Where the PI is disclosed by individuals themselves, or other legally disclosed PI is processed within a reasonable scope in accordance with the provisions of the PIPL; and
  • Other circumstances outlined in laws and administrative regulations.
Legislation: Article 13 Items 2 to 7 of the PIPL

Assessing compliance with personal information processing rules

When assessing compliance with personal information processing rules, the audit must review the following matters:

  1. Whether the name or surname and contact information of the company provided are true, accurate, and complete;
  2. Whether the personal information collected by the company, the methods used for processing, and the types of personal information that are processed are presented in a list or other easy-to-view form;
  3. Whether the processing activity is directly related to the intended purpose and whether the company has adopted the processing method that has the least impact on personal rights and interests;
  4. Whether the company has clearly stated the retention period of the personal information or the method for determining the retention period, the method for handling the personal information after expiration, and the determination of the retention period as the shortest time necessary to achieve the intended purpose of the processing activity; and
  5. Whether the channels and methods for individuals to review, copy, transfer, correct, supplement, delete, restrict the processing of personal information, cancel accounts, and withdraw consent are clearly stated.

Review Items for Assessing Compliance with Personal Information Processing Rules

Review item: Whether the provided name or surname and contact information of the company are true, accurate, and complete.
Corresponding legal requirement: Before processing personal information, the company must truthfully, accurately, and completely inform the individual of the company’s name or surname and contact information in a prominent manner and in clear and understandable language.
Legislation: Article 17 Item 1 of the PIPL

Review item: Whether the personal information collected by the company, the methods used for processing, and the types of personal information that are processed are presented in a list or other easy-to-view format.
Corresponding legal requirement: Before processing personal information, the company must truthfully, accurately, and completely inform the individual of the purpose and method of processing personal information, and the type of personal information being processed, in a prominent manner and in clear and understandable language.
Legislation: Article 17 Item 2 of the PIPL

Review item: Whether the processing activity is directly related to the intended purpose and whether the company has adopted the processing method that has the least impact on personal rights and interests.
Corresponding legal requirement: The processing of personal information shall have a clear and reasonable purpose, shall be directly related to the purpose of the processing, and shall be carried out in a manner that minimizes the impact on personal rights and interests.
Legislation: Article 6 of the PIPL

Review item: Whether the company has clearly stated the retention period of the personal information or the method for determining the retention period, the method for handling the personal information after expiration, and the determination of the retention period as the shortest time necessary to achieve the intended purpose of the processing activity.
Corresponding legal requirement: Before processing personal information, the company must truthfully, accurately, and completely inform the individual of the retention period of the personal information being processed, in a prominent manner and in clear and understandable language. The retention period of personal information must be the shortest period necessary to achieve the purpose of processing. If, before processing personal information, the company informs the individual by establishing personal information processing rules, such rules must include information on the retention period of personal information and the method of handling it after expiration; if the retention period is difficult to determine, the method of determining the retention period shall be clearly stated.
Legislation: Article 17 Item 2 of the PIPL; Article 19 of the PIPL; Article 21 Item 3 of the Network Data Security Management Regulations

Review item: Whether the channels and methods for individuals to review, copy, transfer, correct, supplement, delete, restrict the processing of personal information, cancel accounts, and withdraw consent are clearly stated.
Corresponding legal requirement: If, before processing personal information, the company informs the individual by establishing personal information processing rules, such rules must include the methods and channels for individuals to review, copy, transfer, correct, supplement, delete, restrict processing of personal information, cancel accounts, and withdraw consent.
Legislation: Article 21 Item 4 of the Network Data Security Management Regulations

Assessing compliance with rules on cross-border data transfer

When assessing compliance with the rules on the cross-border transfer of personal information, the audit must cover the following matters:

  1. Whether the personal information provided overseas by critical information infrastructure operators (CIIOs) has been subject to a data export security assessment organized by the CAC;
  2. Whether companies other than CIIOs that have, since January 1 of the current year, provided the personal information of more than 1 million people or the sensitive personal information of more than 10,000 people overseas have undergone a data export security assessment organized by the CAC;
  3. Whether companies other than CIIOs that have, since January 1 of the current year, cumulatively exported the personal information of more than 100,000 people but less than 1 million people, or the sensitive personal information of fewer than 10,000 people, have:
    1. Obtained personal information protection certification;
    2. Signed a standard contract with the overseas recipients of the personal information; or
    3. Met other conditions stipulated by laws, administrative regulations, or the CAC;
  4. Whether the provision of any personal information stored in China to a foreign judicial or law enforcement agency has been approved by the relevant Chinese authorities; and
  5. Whether personal information has been provided to organizations or individuals included in the list of entities restricted or prohibited from receiving personal information.

Review Items for Assessing Compliance with Cross-Border Data Transfer Rules

Review item: Whether the personal information provided overseas by CIIOs has been subject to a data export security assessment organized by the CAC.
Corresponding legal requirement: CIIOs, and companies that process the PI of more than 1 million people, must undergo a security assessment organized by the CAC before providing PI overseas.
Legislation: Article 38 of the PIPL; Article 4 Item 2 of the Measures for Data Export Security Assessment

Review item: Whether companies other than CIIOs that have, since January 1 of the current year, provided the personal information of more than 1 million people or the sensitive personal information of more than 10,000 people overseas have undergone a data export security assessment organized by the CAC.
Corresponding legal requirement: Companies other than CIIOs that provide important data overseas, or that have cumulatively provided the personal information of more than 1 million people or the sensitive personal information of more than 10,000 people overseas since January 1 of the current year, must undergo a security assessment organized by the CAC.
Legislation: Article 38 of the PIPL; Article 7 Item 2 of the Regulations to Promote and Standardize Cross-Border Data Flows

Review item: Whether companies other than CIIOs that have, since January 1 of the current year, cumulatively exported the personal information of more than 100,000 people but less than 1 million people, or the sensitive personal information of fewer than 10,000 people, have:
  1. Obtained personal information protection certification;
  2. Signed a standard contract with the overseas recipients of the personal information; or
  3. Met other conditions stipulated by laws, administrative regulations, or the national cyberspace administration department.
Corresponding legal requirement: Companies other than CIIOs that have provided the personal information of more than 100,000 people but less than 1 million people, or the sensitive personal information of fewer than 10,000 people, overseas since January 1 of the current year must enter into a standard contract with the overseas recipient or obtain personal information protection certification.
Legislation: Article 38 of the PIPL; Article 8 of the Regulations to Promote and Standardize Cross-Border Data Flows

Review item: Whether the provision of any personal information stored in China to a foreign judicial or law enforcement agency has been approved by the relevant Chinese authorities.
Corresponding legal requirement: Without the approval of the competent Chinese authority, companies shall not provide personal information stored in China to judicial or law enforcement agencies outside China’s territory.
Legislation: Article 41 of the PIPL

Review item: Whether personal information has been provided to organizations or individuals included in the list of entities restricted or prohibited from receiving personal information.
Corresponding legal requirement: If foreign organizations or individuals engage in personal information processing activities that infringe on the rights and interests of Chinese citizens or threaten China’s national security or public interests, the CAC may add them to a list of entities restricted or prohibited from receiving personal information. The CAC may also issue public announcements and implement measures such as restricting or prohibiting the transfer of personal information to these entities.
Legislation: Article 42 of the PIPL

Penalties for violations

If a company or professional institution tasked with conducting an audit violates the provisions of the measures, it can be liable for penalties under the PIPL, the Network Data Security Management Regulations, and other data security laws and regulations.

Under the PIPL, companies can be fined up to RMB 1 million (US$137,292) for non-compliance if not corrected, while individuals can be fined between RMB 10,000 (US$1,373) and RMB 100,000 (US$13,729). Serious violations can lead to fines of up to RMB 50 million (US$6.9 million) or 5 percent of the previous year’s turnover for companies, or between RMB 100,000 and RMB 1 million for individuals.

Violations can also lead to suspension of related business operations, revocation of business licenses or permits, or prohibition on responsible individuals serving as directors, supervisors, senior managers, or personal information protection officers for a certain period.

Meanwhile, penalties for violations of the Network Data Security Management Regulations can include fines of up to RMB 1 million for companies and between RMB 10,000 and RMB 100,000 for individuals for general violations. Serious violations can lead to fines of RMB 1 million to RMB 10 million (US$1.4 million) for companies if violations are not corrected.

Implications for foreign companies and changes from the draft measures

The requirement for regular compliance audits will add a compliance burden for foreign companies operating in China, similar to that of statutory financial audits. However, the final version of the measures has eased the requirements compared to the draft. For instance, it raises the threshold for mandatory audits from companies processing the personal information of 1 million people to those processing the personal information of 10 million people, meaning fewer companies will be subject to mandatory audits. Additionally, these companies are now only required to conduct an audit once every two years, rather than annually as stipulated in the draft measures. The final version also does not specify how often companies that fall below this threshold must undergo an audit – the draft measures had set a minimum frequency of once every two years.

Although the audit itself introduces an additional compliance process, companies that are already working to meet regulatory requirements should not be overly concerned about the audit’s outcome. In fact, compliance audits may help companies gain a clearer understanding of how the regulations will be enforced in practice. Transparency and cooperation with auditors will be key to ensuring a smooth audit process. Companies that have yet to implement procedures to comply with China’s personal information protection laws should take immediate steps to address any potential gaps or violations.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.

Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.