China Releases Measures for Compliance Audit on Personal Information Protection
Published 10 March 2025
Xia Yu
On 12 February 2025, the Cyberspace Administration of China (“CAC”) published the Personal Information Protection Compliance Audit Management Measures (“Measures”), which the CAC adopted on 20 May 2024. The Measures consist of 20 articles and take effect on 1 May 2025. China’s Personal Information Protection Law and the Regulation on Network Data Security Management stipulate that personal information processors (“Processors”) shall conduct personal information protection compliance audits either by themselves or by entrusting professional institutions (“Institutions”). The Measures are the implementing rules for those provisions and guide the auditing of personal information processing activities conducted within China.
The Measures define the term “personal information protection compliance audit” (“Compliance Audit”) as the supervisory activity of reviewing and evaluating whether the personal information processing activities of the Processors comply with the requirements of laws and regulations. The Measures require the Processors to conduct Compliance Audits regularly, either themselves or by entrusting the Institutions. Processors that process the personal information of more than 10 million people shall designate a person responsible for the Compliance Audits, which must be conducted at least once every two years, while Processors that provide important Internet platform services, have a large number of users, or have complex business types shall establish an external independent supervisory body to oversee their Compliance Audits.
Where personal information processing activities involve high risks, may infringe upon the rights of many individuals, or have caused serious personal information security incidents, the competent authorities, namely the CAC and other departments that perform personal information protection duties, may require the Processors to entrust the Institutions to conduct the Compliance Audits. In that case, the Processors shall provide the Institutions with the necessary support, submit the audit reports on time, and bear the relevant audit fees.
The Institutions are required to have certain qualifications, such as auditors with auditing capabilities, premises, facilities, and funds. The Measures encourage, but do not require, the Institutions to obtain certification under the provisions of China’s Regulations on Certification and Accreditation. To ensure the independence of the Compliance Audits, the Measures prohibit the Institutions from subcontracting Compliance Audits to other institutions and disallow the same Institution, or the same person in charge of a compliance audit, from conducting Compliance Audits on the same audit object more than three consecutive times.
The Measures stipulate that all Compliance Audits conducted by the Processors or the Institutions must follow the Guidelines for Compliance Audit of Personal Information Protection (“Guidelines”), an annex to the Measures. The Guidelines, containing 27 articles, list the key points for the Compliance Audits regarding the legal basis of personal information processing activities, the rules for personal information processing, and the Processors themselves.
According to the Guidelines, the focus of the Compliance Audits regarding the legal basis of personal information processing activities is to examine whether the Processors have fulfilled their obligation to inform and whether the effective consent of the individual has been obtained. The focus of the Compliance Audits regarding the personal information processing rules is to examine whether the Processors have informed individuals of the Processors’ contact details, the period and method of storing personal information, and the ways and methods of handling personal information such as access, copying, transfer, correction, supplementation, deletion, and restriction; whether the personal information collected and the processing method are clearly defined; and whether the processing method with the least impact on personal rights has been adopted, among other points.
The Processors themselves are the main focus of the Compliance Audits. The Guidelines list in detail the key points of the Compliance Audits for the Processors, including fulfilling the relevant legal obligations; jointly processing or entrusting others to process personal information; transferring, disclosing, or providing personal information to others; processing publicly disclosed, sensitive, or minors’ personal information; using automated decision-making to process personal information; and installing equipment in public places to collect personal information. The Guidelines point out that the key points of the Compliance Audits for the provision of personal information overseas by the Processors are as follows:
1. Whether the Processors, including operators of critical information infrastructure, have passed the relevant security assessment, obtained certification, or completed the required filing;
2. Whether approval has been obtained to provide personal information stored in China to foreign judicial or law enforcement agencies;
3. Whether personal information is provided to organizations or individuals on the restricted or prohibited lists.
In conclusion, the Measures clarify the obligations of the Processors and the Institutions and refine the review focus for the various aspects of the Compliance Audits stipulated by laws and regulations. This will help the Processors carry out the Compliance Audits effectively.