
China Issues Security Requirements for Processing of Sensitive Personal Information

Published 25 June 2025 by Xia Yu
On 25 April 2025, the State Administration for Market Regulation of China and the National Standardization Administration of China jointly issued a recommended national standard, Data Security Technology - Security Requirements for Processing Sensitive Personal Information (GB/T 45574) (the "Standard"). The Personal Information Protection Law of China ("PIPL") sets out requirements for processing sensitive personal information. To implement these requirements, the Standard sets out methods for identifying and defining sensitive personal information and provides both general and category-specific security requirements for processing it. The Standard takes effect on 1 November 2025.
Article 28 of the PIPL stipulates that sensitive personal information refers to personal information that, once leaked or illegally used, is likely to cause infringement of a natural person’s individual dignity, personal safety, or property safety. This information is divided into seven categories: biometric information, religious belief information, specific identity information, medical and health information, financial account information, whereabouts information, and information of minors under the age of fourteen. Processing sensitive personal information shall have a specific purpose and be carried out with sufficient necessity and strict protection measures.
The Standard expands the seven categories of sensitive personal information listed in the PIPL to eight by adding a category of "other sensitive personal information", and gives a detailed definition and description of each of the eight categories in turn (the "definition description"). In addition, Appendix A provides further normative descriptions of the eight categories (the "normative description"). Under the Standard, biometric information refers to the physical, biological or behavioural characteristics of a natural person, including personal genes, face, voiceprint, gait, fingerprints, eyeprints, auricle and iris, that can be technically processed to identify the natural person, alone or in combination with other information. Financial account information relates to personal bank and securities accounts and the fund transactions on those accounts, including account numbers and passwords of personal bank, securities, fund, insurance and provident fund accounts; data involving provident fund joint accounts, payment accounts and bank card track data; and payment tag information generated from account information, as well as personal income details. Other sensitive personal information includes precise location information, ID card photos, sexual orientation, sex life, credit information, criminal record information, and photos or videos showing private parts of a person's body.
The Standard lists the following four methods for identifying sensitive personal information:
1. A single item of personal information that, once leaked or illegally used, is likely to cause harm to individual dignity, personal safety or property safety.
2. A combination of multiple items of personal information that, taken together and once leaked or illegally used, is likely to cause harm to individual dignity, personal safety or property safety.
3. Personal information that falls within the definition description of one of the eight categories and is consistent with the corresponding normative description in Appendix A.
4. Personal information designated as sensitive by laws and regulations.
The Standard specifies the general security requirements for processing sensitive personal information under four headings: basic requirements, collection requirements, notification and consent, and security protection. The basic requirements incorporate the security requirements for processing personal information under Information Security Technology – Personal Information Security Specification (GB/T 35273) and the requirements of Articles 28 and 29 of the PIPL, namely having a specific purpose and sufficient necessity, taking strict protection measures, and obtaining separate consent. The Standard requires that the collection of sensitive personal information be lawful and prohibits personal information processors from concealing the collection function, collecting through improper means or channels, collecting automatically through technical means, or collecting for illegal purposes or criminal activities. Where sensitive personal information is collected through mobile Internet applications, the Standard requires compliance with Information Security Technology – Basic Requirements for Collecting Personal Information in Mobile Internet Applications (GB/T 41391). Article 30 of the PIPL requires personal information processors to notify individuals of the necessity of processing sensitive personal information and of its impact on their rights and interests; the Standard further specifies how this notification obligation is to be implemented and what the notice must contain. Article 29 of the PIPL requires separate consent for processing sensitive personal information; the Standard sets out detailed requirements for obtaining separate consent under seven different consent bases or scenarios. Finally, the Standard lists 25 detailed requirements for security protection.
Under the Standard, sensitive personal information must be identified and defined before processing, must be stored and transmitted in encrypted form, and must be protected by de-identification. Sensitive personal information that also qualifies as important data must be protected as important data. A processor of sensitive personal information must have a data security capability of level 3 or above as defined in Information Security Technology – Data Security Capability Maturity Model (GB/T 37988). The planning and construction of products and services involving sensitive personal information must follow Information Security Technology – Guidelines for Personal Information Security Engineering (GB/T 41817).
For each of the eight categories of sensitive personal information, the Standard supplements the general security requirements above with further category-specific security requirements. Taking biometric information as an example, in addition to the general security requirements and the requirements of Information Security Technology – General Requirements for Biometric Information (GB/T 40660), personal information processors must comply with the following six specific requirements:
1. Where biometric information is used for identification, an alternative identification method not based on biometric information must be offered at the same time, and the biometric method must not be the default option.
2. Biometric information must not be disclosed.
3. Where biometric information is to be collected for identification without the cooperation of the personal information subject, the subject's written consent must be obtained beforehand.
4. As far as business functions can still be achieved, only feature and summary information should be extracted directly from the collected biometric information.
5. Once the processing purpose has been achieved, the original biometric information collected must be deleted.
6. The written consent of the personal information subject must be obtained before their biometric information is used for scientific research.
In conclusion, the Standard not only provides compliance operation guidelines for personal information processors on how to process sensitive personal information, but also provides guidance for regulatory authorities and third-party assessment agencies to supervise and assess the processing of sensitive personal information.

2025 Copyright © All rights reserved.
