Promulgation Authorities: Cyberspace Administration of China
Release Date: 2025-02-12
Source: https://www.cac.gov.cn/2025-02/14/c_1741233507681519.htm
Original Title: Administrative Measures for Personal Information Protection Compliance Audits
Article 1 In order to regulate the personal information protection compliance audits and protect personal information rights and interests, these Measures are enacted in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulation on Network Data Security Management and other laws and administrative regulations.
Article 2 These Measures shall apply to the personal information protection compliance audits conducted within the territory of the People’s Republic of China.
For the purpose of these Measures, the term “personal information protection compliance audits” refers to the supervision activities that examine and evaluate whether the personal information handling activities of a personal information handler comply with laws and administrative regulations.
Article 3 To conduct the personal information protection compliance audits by itself, a personal information handler shall have its internal body or a specialized agency entrusted thereby regularly audit the compliance of its handling of personal information with laws and administrative regulations.
Article 4 Any personal information handler handling the personal information of more than 10 million people shall carry out the personal information protection compliance audits at least once every two years.
Article 5 For a personal information handler who falls under any of the following circumstances, the cyberspace administration of China and other authorities performing responsibilities of personal information protection (hereinafter collectively referred to as the “protection authorities”) may require the personal information handler to entrust a specialized agency with the compliance audit of its personal information handling activities:
(1) Where its personal information handling activities involve relatively large risks such as serious impact on personal rights and interests or serious lack of security measures;
(2) Where its personal information handling activities may infringe upon the rights and interests of many people; or
(3) Where a personal information security incident occurs, resulting in the leakage, tampering, loss or damage of the personal information of more than one million people or the sensitive personal information of more than 100,000 people.
For the same personal information security incident or risk, the personal information handler concerned shall not be repeatedly required to entrust a specialized agency with the personal information protection compliance audits.
Article 6 Any personal information handler who conducts the personal information protection compliance audits on its own or entrusts a specialized agency to conduct the personal information protection compliance audits as required by the protection authorities shall be governed by the Guidelines for Personal Information Protection Compliance Audits attached hereto mutatis mutandis.
Article 7 Relevant specialized agencies shall have the capability to conduct personal information protection compliance audits and have auditors, premises, facilities and funds commensurate with their services.
Relevant specialized agencies are encouraged to obtain certification. The certification of specialized agencies shall be carried out in accordance with the relevant provisions of the Regulations of the People’s Republic of China on Certification and Accreditation.
Article 8 A personal information handler conducting the personal information protection compliance audits as required by the protection authorities shall provide necessary support to the specialized agency concerned for the normal personal information protection compliance audits and bear the audit fees.
Article 9 A personal information handler conducting the personal information protection compliance audits as required by the protection authorities shall select a specialized agency as required by the protection authorities and complete the personal information protection compliance audits within the prescribed time limit; where the circumstance is complicated, the time limit may be extended appropriately upon approval from the protection authorities.
Article 10 A personal information handler conducting personal information protection compliance audits as required by the protection authorities shall, after the completion of the compliance audit, submit the personal information protection compliance audit report issued by the specialized agency concerned to the protection authorities.
The personal information protection compliance audit report shall be signed by the principal of the specialized agency and the person in charge of the compliance audit at the specialized agency, and stamped with the official seal of the specialized agency.
Article 11 A personal information handler conducting personal information protection compliance audits as required by the protection authorities shall make corrections to the problems discovered during the compliance audit as required by the protection authorities and submit a rectification report to the protection authorities within 15 workdays from the completion of rectification.
Article 12 A personal information handler handling the personal information of more than 1 million people shall designate a person in charge of personal information protection to be responsible for the compliance audit of its personal information protection.
Any personal information handler that provides important Internet platform services, has a huge number of users and has complicated business types shall establish an independent body mainly composed of external members to supervise the personal information protection compliance audits.
Article 13 When engaging in the personal information protection compliance audits, a specialized agency shall abide by laws and regulations, act in good faith, make professional judgments on the compliance audit in an impartial and objective manner, and keep confidential the personal information, trade secrets and confidential business information obtained in fulfilling its responsibilities of personal information protection compliance audits in accordance with the law; it shall not disclose or illegally provide the same to others, and shall delete relevant information in a timely manner after the completion of the compliance audit.
Article 14 A specialized agency shall not sub-entrust other agency with the personal information protection compliance audits.
Article 15 The same specialized agency and its affiliates, and the same person in charge of compliance audit, shall not conduct the personal information protection compliance audits for the same audit object more than three consecutive times.
Article 16 The protection authorities shall supervise and inspect the personal information protection compliance audits conducted by personal information handlers.
Article 17 Any organization or individual is entitled to complain about or report any illegal activity during the personal information protection compliance audits to the protection authorities. The protection authorities receiving such a complaint or report shall promptly handle it in accordance with the law and inform the complainant or whistleblower of the handling results.
Article 18 Any personal information handler or specialized agency that violates the provisions hereof shall be punished in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulation on Network Data Security Management and other relevant laws and regulations; any criminal offence, if constituted, shall be investigated for criminal liability in accordance with the law.
Article 19 These Measures shall not apply to the personal information protection compliance audits carried out by state organs and organizations authorized by laws and regulations to exercise functions of administration of public affairs.
Article 20 These Measures shall come into force as of May 1, 2025.
Annex:
Guidelines for Personal Information Protection Compliance Audits
I. These Guidelines are enacted in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulation on Network Data Security Management and other relevant laws and administrative regulations.
II. The following matters shall be examined as focus in conducting the compliance audit on the legal basis for handling an individual’s personal information:
(1) Where the handling of the individual’s personal information is based on the individual’s consent, whether the individual’s consent has been obtained, and whether the consent is voluntarily and explicitly given by the individual on the premise of full knowledge;
(2) Where the handling is based on the individual’s consent, whether the individual’s consent has been re-obtained when the purpose or method of handling, or the type of personal information handled, changes;
(3) Where the handling is based on the individual’s consent, whether the individual’s separate consent or written consent has been obtained as required by laws and administrative regulations; and
(4) Where the individual’s consent has not been obtained, whether the handling of the individual’s personal information falls within the circumstances in which consent is not required under laws and administrative regulations.
III. The following matters shall be examined as focus in conducting the compliance audit on the rules for handling an individual’s personal information:
(1) Whether the title or name and contact information of the personal information handler are communicated in a truthful, accurate and complete manner;
(2) Whether the personal information collected and the method and type of handling are set out in an easily accessible form such as a list;
(3) Whether the personal information handled is directly related to the purpose of handling and the method with the least impact on personal rights and interests is adopted;
(4) Whether the retention period of personal information or the method for determining it, the method of handling upon expiration of the retention period, and the fact that the retention period is the minimum time necessary to achieve the purpose of handling are specified; and
(5) Whether the ways and methods for individuals to access, copy, transfer, correct, supplement, delete and restrict the handling of their personal information, deregister accounts and withdraw consent are specified.
IV. The following matters shall be examined as focus in conducting the compliance audit on the performance by a personal information handler of the obligation to inform individuals of the rules for handling their personal information:
(1) Whether, prior to handling the individual’s personal information, the personal information handler informs the individual of the rules for handling his/her personal information in a conspicuous manner and in clear and understandable wording, truthfully, accurately and completely;
(2) Whether the size, font and color of the notice text make it convenient for the individual to read the informed matters in full;
(3) Whether, offline, the informing obligation has been performed to the individual by means of signage, explanation or other means;
(4) Whether, online, the notice text has been provided or the informing obligation has been performed to the individual by other appropriate means;
(5) Whether the individual has been informed of the changes in a timely manner where the rules for handling his/her personal information change; and
(6) Where the individual whose personal information is handled is not informed, whether the case falls within the circumstances in which confidentiality shall be maintained or it is unnecessary to inform the individual under laws and administrative regulations.
V. The following matters shall be examined as focus in conducting the compliance audit on the personal information jointly handled by a personal information handler and any other personal information handlers:
(1) Whether the respective rights and obligations are agreed upon;
(2) The mechanism for protecting personal information rights and interests;
(3) The mechanism for reporting personal information security incidents; and
(4) Other rights and obligations to be agreed upon as stipulated by laws and administrative regulations.
VI. The following matters shall be examined as focus in conducting the compliance audit on the handling of personal information entrusted by a personal information handler to another party:
(1) Whether the personal information handler has conducted a personal information protection impact assessment prior to entrusting the handling of personal information;
(2) Whether the contract concluded between the personal information handler and the entrusted party specifies the purpose, duration and method of the entrusted handling, the type of personal information and protection measures, and the rights and obligations of both parties; and
(3) Whether the personal information handler has supervised the personal information handling activities of the entrusted party by means such as regular inspection.
VII. Where a personal information handler needs to transfer personal information due to reasons such as merger, reorganization, demerger, dissolution or declaration of bankruptcy, the audit shall focus on whether the personal information handler has informed the individual of the name and contact information of the recipient.
VIII. The following matters shall be examined as focus in conducting the compliance audit of a personal information handler who provides an individual’s personal information handled by it to any other personal information handler:
(1) Whether the individual’s consent for handling his/her personal information has been obtained where such consent is required;
(2) Whether the individual has been informed of the name and contact information of the recipient, the purpose and method of handling and the types of personal information, unless the information shall be kept confidential or it is unnecessary to inform the individual as stipulated by laws and administrative regulations; and
(3) Whether a personal information protection impact assessment has been conducted beforehand.
IX. The following matters shall be examined as focus in conducting the compliance audit on the handling of an individual’s personal information by a personal information handler using automatic decision-making:
(1) The transparency of automatic decision-making and whether the automatic decision-making results are fair and impartial;
(2) Whether the individual is informed beforehand of the type and possible impact of the handling under automatic decision-making;
(3) Whether a personal information protection impact assessment has been conducted beforehand;
(4) Whether a protection mechanism is provided so that the individual can conveniently refuse decisions made by automatic decision-making that have a significant impact on personal rights and interests, and whether the personal information handler is required to explain decisions made by automatic decision-making that have a significant impact on users’ personal rights and interests;
(5) For information push or commercial marketing to individuals, whether options not tailored to personal characteristics are also provided, or whether a convenient method for refusing the automatic decision-making service is provided;
(6) Whether effective measures have been taken to prevent automatic decision-making from giving individuals unreasonable differential treatment in transaction conditions according to consumers’ preferences, transaction habits and the like; and
(7) Other matters that may affect the transparency of automatic decision-making and the fairness and impartiality of its results.
X. The following matters shall be examined as focus in conducting the compliance audit on a personal information handler who discloses an individual’s personal information based on the individual’s consent:
(1) Whether the personal information handler has obtained the individual’s separate consent before disclosing the personal information it handles, whether such authorization is true and valid, and whether the personal information is disclosed against the individual’s will; and
(2) Whether the personal information handler has conducted a personal information protection impact assessment prior to the disclosure of the individual’s personal information.
XI. Where a personal information handler installs image-collecting or personal identity recognition equipment in public places, the audit shall focus on the legality of the image-collecting and personal identity recognition equipment and of the use of the personal information collected. The examination shall include but not be limited to:
(1) Whether the handling of the personal information collected is necessary for maintaining public security, and whether the personal information collected is handled for business purposes;
(2) Whether a conspicuous prompting sign has been set up; and
(3) Whether the individual’s separate consent has been obtained if the individual’s personal image and identity information collected by the personal information handler are used for purposes other than maintaining public security.
XII. In conducting the compliance audit on a personal information handler’s handling of disclosed personal information, whether the personal information handler has committed any of the following illegal or irregular acts shall be examined as focus:
(1) Sending commercial information that is irrelevant to the purpose of disclosure to the e-mail addresses, mobile phone numbers, etc. contained in the disclosed personal information;
(2) Using disclosed personal information to engage in cyber-violence, disseminating rumors and false information online, and other such activities;
(3) Handling disclosed personal information that the individual concerned has explicitly refused to have handled;
(4) Failing to obtain the individual’s consent where the handling has a significant impact on the individual’s rights and interests; and
(5) Exceeding the reasonable scope of the scale or duration of collection, retention or handling of disclosed personal information, or of the purpose of its use.
XIII. The following matters shall be examined as focus in conducting the compliance audit on a personal information handler’s handling of sensitive personal information:
(1) When handling an individual’s personal information based on his/her consent, whether the individual’s separate consent has been obtained beforehand for the handling of his/her sensitive personal information such as biometric information, religious belief, specific identity, medical health, financial accounts and whereabouts;
(2) When handling the personal information of a minor under the age of 14 based on consent, whether the consent of the minor’s parents or other guardians has been obtained beforehand;
(3) Whether the purpose, method and scope of handling sensitive personal information are legitimate, justifiable and necessary;
(4) Whether a personal information protection impact assessment has been conducted beforehand;
(5) Whether the individual has been informed of the necessity of handling his/her sensitive personal information and the impact on his/her personal rights and interests, unless confidentiality shall be maintained or it is not necessary to inform the individual as stipulated by laws and administrative regulations;
(6) Whether written consent has been obtained for handling for which written consent is required by laws and administrative regulations; and
(7) Whether the restrictive provisions of laws and administrative regulations on the handling of sensitive personal information are complied with.
XIV. The following matters shall be examined in conducting the compliance audit on a personal information handler’s handling of the personal information of minors under the age of 14:
(1) Whether specialized rules have been formulated for handling the personal information of minors;
(2) Whether the minors and their guardians have been informed of the purpose, method and necessity of handling the minors’ personal information, the type of personal information to be handled and the protection measures adopted, etc., unless it is not necessary to inform them as stipulated by laws and administrative regulations; and
(3) Whether, in handling personal information based on the consent of the individual concerned, minors or their guardians are compelled to agree to the handling of unnecessary personal information.
XV. The following matters shall be examined as focus in conducting the compliance audit on a personal information handler’s provision of personal information abroad:
(1) Whether the provision of personal information abroad by a critical information infrastructure operator has been subject to the security assessment organized by the national cyberspace administration authority, unless otherwise provided for in laws, administrative regulations or by the national cyberspace administration authority;
(2) Whether the provision abroad of the personal information (excluding sensitive personal information) of more than 1 million people, or the sensitive personal information of more than 10,000 people, in total since January 1 of the current year by a data handler other than a critical information infrastructure operator has been subject to the security assessment organized by the national cyberspace administration authority, unless otherwise provided for in laws, administrative regulations or by the national cyberspace administration authority;
(3) Whether the provision abroad of the personal information (excluding sensitive personal information) of more than 100,000 but fewer than 1 million people, or the sensitive personal information of fewer than 10,000 people, in total by a data handler other than a critical information infrastructure operator, as stipulated by the national cyberspace administration authority, has been certified in terms of personal information protection in accordance with the provisions of the national cyberspace administration authority, or a contract has been entered into with the overseas recipient in accordance with the standard contract developed by the national cyberspace administration authority and filed for record with the provincial-level cyberspace administration authority, or other conditions stipulated by laws, administrative regulations or by the national cyberspace administration authority are met;
(4) In the case of the provision of personal information stored within the territory of the People’s Republic of China to foreign judicial or law enforcement authorities, whether such provision has been approved by the competent authority of the People’s Republic of China; and
(5) Whether personal information is provided to any organization or person included in the list of organizations or persons to whom the provision of personal information is restricted or prohibited.
XVI. The following matters shall be examined as focus in conducting the compliance audit on the protection of the right to delete personal information:
(1) Whether the purpose of personal information handling has been achieved, cannot be achieved, or is no longer necessary to achieve;
(2) Whether the personal information handler has ceased to provide products or services, or whether the individual concerned has deregistered his/her account;
(3) Whether the retention period has expired;
(4) Whether the individual concerned has withdrawn his/her consent;
(5) Whether the personal information handler has handled personal information in violation of laws, administrative regulations or the agreement; and
(6) Where the storage period prescribed by laws and administrative regulations for personal information that should be deleted has not expired, or deletion is technically difficult, whether the personal information handler has ceased all handling other than storage and the adoption of necessary security measures.
XVII. The following matters shall be examined as focus in conducting the compliance audit on the protection of the rights of individuals in personal information handling activities carried out by a personal information handler:
(1) Whether a convenient mechanism for accepting and handling applications by individuals to exercise their rights has been established;
(2) Whether an individual’s application to exercise his/her rights is responded to in a timely manner, and whether the individual has been notified of the handling opinions or execution results in a timely, complete and accurate manner; and
(3) Whether the reasons have been stated to the individual where his/her request to exercise rights is refused.
XVIII. A personal information handler shall respond to applications filed by individuals and explain its rules on handling personal information. In conducting the compliance audit, the following shall be evaluated:
(1) Whether the personal information handler has provided convenient ways and channels to accept and deal with individuals’ requests for interpretation of its rules on handling personal information; and
(2) Whether the personal information handler has explained its personal information handling rules in plain language within a reasonable period after receiving an individual’s request.
XIX. A personal information handler shall, in accordance with the provisions of laws and administrative regulations, formulate an internal management system and operating procedures, specify its organizational structure and job responsibilities, establish a workflow, and improve its internal control system, so as to ensure the compliance and security of its handling of personal information. In conducting the compliance audit, the personal information handler’s internal management system and operating procedures for the protection of personal information shall be examined as focus, including but not limited to:
(1) Whether the guidelines, objectives and principles of personal information protection comply with laws and administrative regulations;
(2) Whether the organizational structure, staffing, code of conduct and management responsibilities for personal information protection are adapted to the personal information protection responsibilities to be performed;
(3) Whether personal information has been classified according to its type, source, sensitivity and purpose;
(4) Whether an emergency response mechanism for personal information security incidents has been established;
(5) Whether a personal information protection impact assessment system and a compliance audit system have been established;
(6) Whether a smooth process for accepting complaints and reports about personal information protection has been established;
(7) Whether the authority to handle and operate on personal information has been reasonably set;
(8) Whether a security education and training program on personal information protection has been formulated and implemented;
(9) Whether a performance evaluation system has been established for the person in charge of personal information protection and the relevant personnel;
(10) Whether an accountability system has been established for dealing with illegal handling of personal information; and
(11) Other matters as prescribed by laws and administrative regulations.
XX. A personal information handler shall adopt technical security measures appropriate for the scale and type of the personal information handled by it and evaluate the effectiveness of the technical measures adopted by it. The evaluation shall include but not be limited to:
(1) Whether it has adopted corresponding technical security measures to ensure the confidentiality, integrity and availability of personal information;
(2) Whether it has adopted technical security measures such as encryption and de-identification to ensure that the identifiability of personal information is eliminated or reduced without the use of additional information; and
(3) Whether the technical security measures adopted reasonably determine the operating authority of relevant personnel to consult, copy and transmit personal information, so as to reduce the risks of unauthorized access to and abuse of personal information during handling.
XXI. The following matters shall be evaluated as focus in conducting the compliance audit on the formulation and implementation of an education and training plan by a personal information handler:
(1) Whether the personal information handler has provided the corresponding security education and training for its management personnel, technical personnel, operators and all staff as planned, and has assessed the personal information protection awareness and skills of the relevant personnel; and
(2) Whether the content, method, audience and frequency, etc. of the training meet the needs of personal information protection.
XXII. The following matters shall be examined as focus in conducting the compliance audit on the performance of responsibilities by the person in charge of personal information protection designated by a personal information handler:
(1) Whether the person in charge of personal information protection has the relevant work experience and professional knowledge and is familiar with the relevant laws and administrative regulations on personal information protection;
(2) Whether the person in charge of personal information protection has specific and clear responsibilities, and whether he/she is authorized to coordinate the internal departments and personnel concerned of the personal information handler;
(3) Whether the person in charge of personal information protection has the right to put forward opinions and suggestions before decisions are made on significant matters relating to the handling of personal information;
(4) Whether the person in charge of personal information protection has the right to stop non-compliant handling of personal information within the personal information handler and to take necessary corrective measures; and
(5) Whether the personal information handler has disclosed the contact information of the person in charge of personal information protection and submitted his/her name and contact information to the protection authorities.
XXIII. In conducting the compliance audit on the personal information protection impact assessment conducted by a personal information handler, the examination shall focus on the implementation of the impact assessment and its contents:
(1) Whether the personal information handler has conducted a personal information protection impact assessment, in accordance with laws and administrative regulations, before handling personal information in a way that has a significant impact on personal rights and interests;
(2) Whether the personal information handler has assessed whether the purpose and method of its handling of personal information are lawful, proper and necessary;
(3) Whether the personal information handler has assessed the impact on personal rights and interests and the security risks; and
(4) Whether the personal information handler has assessed the legality and effectiveness of the protection measures taken and whether they are proportionate to the degree of risk.
XXIV. A personal information handler shall develop an emergency plan for personal information security incidents. In conducting the compliance audit, the comprehensiveness, effectiveness and executability of the emergency plan shall be evaluated, including but not limited to the following contents:
(1) Whether the personal information handler has made a systematic assessment and forecast of the personal information security risks it faces in light of its business practices;
(2) Whether the general requirements, basic strategies, organizational structure, personnel, technical and material support, command and disposal procedures, and emergency and supporting measures, etc. are sufficient to respond to the forecasted risks; and
(3) Whether the personal information handler has provided training on the emergency plan for the relevant personnel and regularly conducted drills of the emergency plan.
XXV. The following matters shall be examined as focus in conducting the compliance audit on a personal information handler’s emergency response to and handling of personal information security incidents:
(1) Whether the personal information handler has promptly determined the impact, scope and possible harm of a personal information security incident, analyzed and determined its causes, and put forward measures and plans to prevent the damage from spreading, in accordance with the emergency plan and operating procedures;
(2) Whether the personal information handler has established notification channels to promptly notify the protection authorities and the individuals concerned of the occurrence of a security incident in accordance with the relevant provisions; and
(3) Whether the personal information handler has taken corresponding measures to minimize the potential losses and risks of harm caused by the personal information security incident.
XXVI. The following matters shall be examined as focus in conducting the compliance audit of the platform rules formulated by a personal information handler that provides important Internet platform services, has a huge number of users and has complicated business types:
(1) Whether the platform rules contravene any laws or administrative regulations;
(2) The effectiveness of the personal information protection provisions of the platform rules, and whether the rights and obligations of the platform and of the product or service providers on the platform to protect personal information are reasonably defined; and
(3) The implementation of the platform rules, and whether it has been verified, through sampling or otherwise, that the platform rules have been effectively implemented.
XXVII. In conducting the compliance audit on the social responsibility report on personal information protection issued by a personal information handler that provides important Internet platform services, has a huge number of users and has complicated business types, the disclosure of the following contents in the social responsibility report shall be examined as focus:
(1) The organizational structure and internal management of personal information protection;
(2) The development of personal information protection capability;
(3) The measures taken for personal information protection and their effects;
(4) Acceptance of applications filed by individuals for the exercise of their rights;
(5) The performance of responsibilities by the independent supervision body;
(6) The handling of serious personal information security incidents;
(7) Science popularization, publicity and public welfare activities that promote social co-governance of personal information protection; and
(8) Other matters prescribed by laws and administrative regulations.