On 18 July 2025, the Cyberspace Administration of China issued the Announcement on Reporting Information of the Personal Information Protection Officer (“Announcement”). Under Article 52 of the Personal Information Protection Law of the People’s Republic of China (“PIPL”) and Article 12 of the Measures for the Administration of Personal Information Protection Compliance Audits (“Compliance Measures”), China’s Personal Information Protection Officer regime requires the Personal Information Processors handling the personal information of exceeding one million individuals (“Processors”) to designate Personal Information Protection Officers (“PIPOs”) and report relevant information of them such as names and contact details. The Announcement establishes detailed implementation rules for such reporting obligations.
The Announcement consists of four parts: information reporting requirements, reporting timelines, reporting methods, and legal liabilities. Under the Announcement, the Processors are required to submit the details of their PIPOs to the municipal-level cyberspace administration in their jurisdiction. For entities that first reach the threshold of processing personal information of 1 million individuals, the submission must be completed within 30 working days from the date the threshold is reached. For entities that already processed personal information of 1 million individuals before the Announcement, the submission must be completed by 29 August 2025. If any material changes occur after the initial submission, an update must be filed within 30 working days.
The submission shall be conducted online via the Personal Information Protection Business System (“Submission System”) at https://grxxbh.cacdtsc.cn. The homepage of the Submission System provides a submission guideline, specifically the User Manual for the Personal Information Protection Officer Information Submission System (First Edition). Following the submission guideline, group companies or entities operating through multiple branches may fulfill the submission obligations centrally through their headquarters. Where multiple Processors are related, such as subsidiaries, regional offices, franchise stores, or third-party service providers, they may submit jointly. After logging into the Submission System, the first step is to register for an account. Then, follow the system prompts to upload required materials mainly involving the basic information of the Processors, PIPOs and the personal information processing situation, including but not limited to basic Information form of the Processor, PIPO Information Submission Form, Power of Attorney, Letter of Commitment, certificate of Unified Social Credit Code, ID document of the legal representative/head, PIPO ID document and PIPO Appointment Document.
Failure to submit the required information by relevant laws and regulations, including the PIPL and Compliance Measures, will be “dealt with according to relevant laws, regulations and rules”. While the Announcement does not explicitly specify the legal basis for penalties, such penalties should include those stipulated under Article 66 of the PIPL, which provides for potential sanctions, including issuance of warnings, confiscation of illegal gains, and imposition of fines. For severe violations, the penalties can be a maximum fine of RMB 50 million (approximately USD 7 million) or 5% of the previous year’s annual revenue, and mandatory business suspension for rectification or revocation of business licenses. The most severe punishment for an individual is a fine ranging from RMB 100,000 to 1 million (approximately USD 13,910 to 139,100) for directly responsible personnel, disqualification from serving as senior management of relevant enterprises, or the PIPO for a specified period.
In conclusion, the issuance of the Announcement indicates that the entry of China’s personal information protection regulation into the administrative filing stage for the PIPOs, reinforcing the accountability of the Processors through filing. Such filing serves as a prerequisite for compliance audits, and failure to complete it may impact the subsequent annual audits required under the Compliance Measures. Relevant enterprises should promptly conduct self-assessments of their data processing volumes, verify the qualifications of the designated PIPOs, and establish a dynamic information update mechanism.
The Announcement consists of four parts: information reporting requirements, reporting timelines, reporting methods, and legal liabilities. Under the Announcement, the Processors are required to submit the details of their PIPOs to the municipal-level cyberspace administration in their jurisdiction. For entities that first reach the threshold of processing personal information of 1 million individuals, the submission must be completed within 30 working days from the date the threshold is reached. For entities that already processed personal information of 1 million individuals before the Announcement, the submission must be completed by 29 August 2025. If any material changes occur after the initial submission, an update must be filed within 30 working days.
The submission shall be conducted online via the Personal Information Protection Business System (“Submission System”) at https://grxxbh.cacdtsc.cn. The homepage of the Submission System provides a submission guideline, specifically the User Manual for the Personal Information Protection Officer Information Submission System (First Edition). Following the submission guideline, group companies or entities operating through multiple branches may fulfill the submission obligations centrally through their headquarters. Where multiple Processors are related, such as subsidiaries, regional offices, franchise stores, or third-party service providers, they may submit jointly. After logging into the Submission System, the first step is to register for an account. Then, follow the system prompts to upload required materials mainly involving the basic information of the Processors, PIPOs and the personal information processing situation, including but not limited to basic Information form of the Processor, PIPO Information Submission Form, Power of Attorney, Letter of Commitment, certificate of Unified Social Credit Code, ID document of the legal representative/head, PIPO ID document and PIPO Appointment Document.
Failure to submit the required information by relevant laws and regulations, including the PIPL and Compliance Measures, will be “dealt with according to relevant laws, regulations and rules”. While the Announcement does not explicitly specify the legal basis for penalties, such penalties should include those stipulated under Article 66 of the PIPL, which provides for potential sanctions, including issuance of warnings, confiscation of illegal gains, and imposition of fines. For severe violations, the penalties can be a maximum fine of RMB 50 million (approximately USD 7 million) or 5% of the previous year’s annual revenue, and mandatory business suspension for rectification or revocation of business licenses. The most severe punishment for an individual is a fine ranging from RMB 100,000 to 1 million (approximately USD 13,910 to 139,100) for directly responsible personnel, disqualification from serving as senior management of relevant enterprises, or the PIPO for a specified period.
In conclusion, the issuance of the Announcement indicates that the entry of China’s personal information protection regulation into the administrative filing stage for the PIPOs, reinforcing the accountability of the Processors through filing. Such filing serves as a prerequisite for compliance audits, and failure to complete it may impact the subsequent annual audits required under the Compliance Measures. Relevant enterprises should promptly conduct self-assessments of their data processing volumes, verify the qualifications of the designated PIPOs, and establish a dynamic information update mechanism.