BifröstIndex
China · DPO, ROPA & DPIAs

China — DPO, ROPA & DPIAs

5 sections · Last updated 2026-06-02

Personal information protection officer — Article 52 appointment trigger and CAC implementing rules

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

China's Personal Information Protection Law (PIPL) establishes a mandatory appointment requirement for a personal information protection officer (PIPO, 个人信息保护负责人), a role functionally similar to the GDPR data protection officer. The obligation applies to "personal information handlers" — organizations or individuals that independently determine the purposes and means of processing personal information (Article 73(1) PIPL).

Article 52 statutory trigger. Under Article 52, personal information handlers must designate a PIPO when the volume of personal information processed reaches "the threshold specified by the Cyberspace Administration of China" (CAC). The PIPL itself does not set a numerical threshold. The statute delegates this determination to the CAC, leaving the scope of the obligation to be clarified through implementing regulations.

As of May 2026, the CAC has not published a standalone numerical threshold for Article 52. The Measures for Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法), issued by the CAC on February 14, 2025 and effective May 1, 2025, set a 10-million-person threshold for mandatory biennial compliance audits and require handlers above that line to place a PIPO in charge of audit work (see the compliance-audit section below), but that is an audit-specific rule rather than a general Article 52 trigger. Industry guidance, including the recommended national standard GB/T 35273-2020 (Personal Information Security Specification), points to one million individuals as the level at which a dedicated officer is expected. Practitioners should monitor the CAC's official pronouncements and clarifying notices for a definitive statutory trigger.

PIPO responsibilities. Article 52 assigns the PIPO responsibility for "supervising personal information handling activities as well as adopted protection measures." The CAC Audit Measures (effective May 1, 2025) require personal information handlers to conduct compliance audits "regularly" and make the PIPO responsible for audit work at handlers above the 10-million-person line. The Measures fix a periodicity only for those handlers (at least once every two years); below that line the handler sets the frequency itself according to the scale and risk profile of its processing.

Publication and reporting. Article 52 requires the handler to publicly disclose the PIPO's contact information and to report the PIPO's name and contact information to "the departments performing personal information protection duties." Under Article 60 those departments are the CAC, which coordinates personal information protection nationally, the relevant State Council departments within their own remits, and the competent departments of local governments at county level and above; in practice the CAC and its provincial offices are the usual recipients. The PIPL does not specify the reporting channel or timeline. The CAC has announced online reporting arrangements for PIPO information, but the details are set out in administrative notices rather than in the PIPL itself. Practitioners should consult the CAC's official website (cac.gov.cn) for the current procedure.

Penalties for non-compliance. Failure to appoint a PIPO when required, or to publish and report the PIPO's details, violates Article 52 and triggers administrative liability under Article 66. In the first tier (Article 66 paragraph 1) the authority orders rectification, issues a warning, confiscates illegal income, and may order suspension or termination of the offending application; a handler that refuses to rectify faces a fine of up to RMB 1 million, and directly responsible individuals face fines of RMB 10,000 to RMB 100,000. Where the violation is "grave" (情节严重, a term the PIPL does not define, though a systemic failure to appoint a PIPO while processing large volumes of sensitive personal information is the kind of fact pattern that would qualify), Article 66 paragraph 2 authorizes a provincial-or-higher authority to fine the entity up to RMB 50 million or 5% of the prior year's turnover, to suspend the relevant business or order suspension for rectification, and to have permits or business licences revoked. Directly responsible individuals face fines of RMB 100,000 to RMB 1 million and may be prohibited for a specified period from serving as director, supervisor, senior manager, or PIPO.

Foreign entities — Article 53 China representative requirement. Foreign personal information handlers subject to PIPL's extraterritorial reach under Article 3 (processing to provide products or services to individuals in China, or to analyze or assess the activities of individuals in China) must separately "establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they process." Article 53 requires the foreign handler to report the name and contact information of that entity or representative to the departments performing personal information protection duties. This is a distinct obligation from the Article 52 PIPO requirement: a foreign handler meeting the CAC-specified volume threshold faces both duties, appointing a PIPO (Article 52) and establishing a China representative (Article 53).

Source: Personal Information Protection Law of the People's Republic of China (个人信息保护法), Presidential Order No. 91 (effective Nov. 1, 2021)

Source: Measures for Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法), Cyberspace Administration of China (effective May 1, 2025)


Personal information protection impact assessment — Article 55 triggers and Article 56 required analysis

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

China's Personal Information Protection Law (PIPL) establishes a mandatory personal information protection impact assessment (PIPIA, 个人信息保护影响评估) requirement for high-risk processing activities, functionally analogous to the GDPR's data protection impact assessment under Article 35. The obligation applies to personal information handlers that meet any of the five statutory triggers in Article 55.

Article 55 statutory triggers. Under Article 55 PIPL, a personal information handler must "assess in advance the impact on personal information protection and keep a record of the course of the processing" in five enumerated circumstances:

  1. Processing sensitive personal information. "Sensitive personal information" (敏感个人信息) is defined in Article 28 as personal information that, once leaked or illegally used, may easily lead to infringement of human dignity or harm to personal or property safety. Article 28 enumerates biometric identifiers, religious belief, specific identity, medical and health information, financial accounts, individual location tracking, and the personal information of minors under 14 as sensitive categories; these are separate categories, not examples of one another. Processing any of them triggers the PIPIA duty.
  2. Using personal information for automated decision-making. Article 73(2) defines "automated decision-making" as "automatically analyzing and evaluating personal behaviors, hobbies, or economic, health, and credit status, among others, through computer programs, and making decisions." Profiling, algorithmic recommendation engines, and credit-scoring systems all fall within this definition. The PIPIA requirement applies whenever automated decision-making is used, regardless of whether the output is presented to the data subject or used solely for internal purposes.
  3. Entrusting personal information processing to another party, providing personal information to another handler, or publicizing personal information. This trigger captures three distinct scenarios: (a) delegating processing to a party acting on the handler's instructions under a service contract (the "entrusted party," analogous to a GDPR processor); (b) disclosing personal information to a separate handler that will determine its own processing purposes (analogous to a controller-to-controller transfer); and (c) making personal information public. All three require a prior PIPIA.
  4. Providing personal information to any party outside the territory of the People's Republic of China. Any cross-border transfer of personal information, whether to an overseas affiliate, a cloud service provider with servers abroad, or a foreign recipient under a standard contract, triggers the Article 55 PIPIA obligation. The assessment is required in addition to the transfer mechanism itself (CAC security assessment, CAC standard contract, or certification) under Article 38 and the CAC's cross-border implementing rules, such as the Measures for the Standard Contract for the Cross-border Transfer of Personal Information (effective June 1, 2023). Under the standard-contract route the PIPIA is not a second, separate assessment: the Standard Contract Measures prescribe additional content the PIPIA must cover (among others, the overseas recipient's obligations and the effect of the destination jurisdiction's data-protection laws on the transfer) and require the PIPIA report to be filed with the provincial CAC together with the executed contract.
  5. Conducting other personal information processing activities that may have a significant impact on individuals. This catch-all leaves the scope of the PIPIA requirement open-ended. PIPL does not define "significant impact," and no CAC regulation has yet provided a comprehensive enumeration. Industry guidance suggests that large-scale processing (e.g., processing the personal information of more than 1 million individuals), novel processing techniques (such as facial-recognition deployment in public spaces), or processing that creates power imbalances (such as employer monitoring of employee communications) may qualify. Practitioners should assess the risk profile of each new processing activity and document the rationale if they conclude a PIPIA is not required.
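As an added illustration (not text of the PIPL and not a CAC tool), the following Python evaluates a structured description of a processing activity against the five Article 55 items and produces the record a handler should keep either way: the triggers that fired, or the documented reason no PIPIA is due. The intake record layout, its category labels, and the three sample activities are constructed for this example; the sensitive categories are the ones Article 28 enumerates.

```python
"""Evaluate a described processing activity against the five Article 55 PIPL triggers.

Added example for this page; it is not text of the PIPL, nor a CAC tool.
The ProcessingActivity intake record, its category labels and the sample
activities at the bottom are this example's own constructions.
"""
from dataclasses import dataclass
from typing import Optional

# Categories Article 28 PIPL enumerates as sensitive; the label strings are assumptions.
SENSITIVE_CATEGORIES = frozenset({
    "biometric", "religious_belief", "specific_identity", "medical_health",
    "financial_account", "location_tracking",
})
MINOR_AGE_LIMIT = 14  # Article 28: personal information of minors under 14 is sensitive


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    categories: frozenset                  # data categories collected (labels are assumptions)
    min_subject_age: Optional[int] = None  # youngest known data-subject age; None = adults only
    automated_decision: bool = False       # Article 73(2) automated decision-making in use
    entrusted_parties: tuple = ()          # processors acting on the handler's instructions, 55(3)(a)
    recipient_handlers: tuple = ()         # separate handlers receiving the data, 55(3)(b)
    public_disclosure: bool = False        # information made public, 55(3)(c)
    overseas_recipients: tuple = ()        # any recipient outside the PRC, 55(4)
    significant_impact: bool = False       # handler's own judgement for the 55(5) catch-all
    no_pipia_rationale: str = ""           # reason recorded when the handler concludes no PIPIA is due


def sensitive_categories(activity):
    """Article 28 sensitive categories present, including the under-14 rule."""
    found = set(activity.categories & SENSITIVE_CATEGORIES)
    if activity.min_subject_age is not None and activity.min_subject_age < MINOR_AGE_LIMIT:
        found.add("minor_under_14")
    return found


def evaluate_article_55(activity):
    """Return [(trigger, reason), ...] for every Article 55 item the activity fires."""
    fired = []
    sens = sensitive_categories(activity)
    if sens:
        fired.append(("55(1) sensitive personal information", ", ".join(sorted(sens))))
    if activity.automated_decision:
        fired.append(("55(2) automated decision-making", "Article 73(2) activity declared"))
    sharing = []
    if activity.entrusted_parties:
        sharing.append("entrusted to " + ", ".join(activity.entrusted_parties))
    if activity.recipient_handlers:
        sharing.append("provided to " + ", ".join(activity.recipient_handlers))
    if activity.public_disclosure:
        sharing.append("made public")
    if sharing:
        fired.append(("55(3) entrusting, providing or publicising", "; ".join(sharing)))
    if activity.overseas_recipients:
        fired.append(("55(4) cross-border provision",
                      "recipients outside the PRC: " + ", ".join(activity.overseas_recipients)))
    if activity.significant_impact:
        fired.append(("55(5) other significant impact", "flagged by handler"))
    return fired


def intake_decision(activity):
    """The record to keep: PIPIA required with its triggers, or the documented reason it is not."""
    fired = evaluate_article_55(activity)
    if fired:
        return {"activity": activity.name, "pipia_required": True, "triggers": fired}
    if not activity.no_pipia_rationale:
        # No trigger fired, but the negative conclusion must still be documented.
        raise ValueError(f"{activity.name}: no Article 55 trigger, but no rationale recorded")
    return {"activity": activity.name, "pipia_required": False,
            "rationale": activity.no_pipia_rationale}


# Constructed sample activities (not real processing records).
PAYROLL = ProcessingActivity(
    name="payroll",
    categories=frozenset({"name", "employee_id", "financial_account"}),
    entrusted_parties=("payroll_bureau",),
    overseas_recipients=("group_hq_ledger",),
)
NEWSLETTER = ProcessingActivity(
    name="newsletter",
    categories=frozenset({"email"}),
    no_pipia_rationale="ordinary personal information, processed internally, no sharing or profiling",
)
KIDS_APP = ProcessingActivity(
    name="kids_learning_app",
    categories=frozenset({"nickname", "progress_score"}),
    min_subject_age=8,
    automated_decision=True,
)

if __name__ == "__main__":
    for act in (PAYROLL, NEWSLETTER, KIDS_APP):
        print(intake_decision(act))
```

The under-14 rule is the one trigger that does not depend on what categories are collected: a learning app holding only a nickname and a score still fires 55(1) because of who the data subjects are. Refusing to record a "no PIPIA" conclusion without a rationale is what turns the intake into the evidence an auditor will ask for.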

Article 56 required content. Article 56 specifies the substantive content of a personal information protection impact assessment. The assessment must address three elements:

  • Legality, justification, and necessity of processing purposes and means. The handler must evaluate whether the processing rests on one of the Article 13 lawful bases: the individual's consent; necessity for concluding or performing a contract to which the individual is a party, or for human-resources management under lawful labor rules and collective contracts; performance of statutory duties or obligations; response to a public-health emergency or protection of life, health, or property in an emergency; news reporting and public-opinion supervision in the public interest within a reasonable scope; reasonable handling of personal information the individual has disclosed or that is otherwise lawfully public; and other circumstances provided by law. PIPL has no general "legitimate interests" basis, so processing that a GDPR controller would ground on Article 6(1)(f) must find another footing under PIPL, usually consent. The assessment must also evaluate whether the purpose is legitimate and whether the processing is necessary to achieve it (the principle of data minimization).
  • Impact on individuals' rights and interests, and security risks. The assessment must identify and evaluate the potential harms to data subjects, including risks of unauthorized access, leakage, alteration, or loss; potential discrimination or reputational harm; and impairment of data-subject rights (such as the right to access, rectification, or erasure under Articles 44–47). This element requires a forward-looking risk analysis, not merely a description of existing security measures.
  • Whether protective measures are legal, effective, and appropriate to the degree of risk. The handler must document the technical and organizational measures implemented to mitigate identified risks—such as encryption, access controls, pseudonymization, staff training, and incident-response plans—and assess whether those measures are proportionate to the level of risk. If residual risks remain high, the handler must document additional mitigation steps or justify acceptance of the risk.

Recordkeeping requirement. Article 56 requires that "personal information protection impact assessment reports and handling status records shall be preserved for at least three years." The CAC Audit Measures (effective May 1, 2025) treat PIPIA reports as a key audit item: the Compliance Audit Guidance annexed to the Measures directs auditors to verify that handlers processing sensitive personal information, using automated decision-making, or engaging in cross-border transfers conducted PIPIAs in advance and have preserved the reports for the statutory retention period. Failure to conduct a PIPIA, or to retain the assessment report, is a standalone compliance violation separate from any harm caused by the underlying processing.

No pre-clearance with the CAC under the PIPL itself. Unlike the GDPR's Article 36 prior consultation with the supervisory authority when a DPIA shows high residual risk, Articles 55–56 PIPL do not require the PIPIA report to be submitted to the CAC or any other enforcement authority before processing begins; the assessment is an internal compliance obligation. Two caveats apply. First, the cross-border rules add a filing step: the Standard Contract Measures require the PIPIA report to be filed with the provincial CAC together with the standard contract, and an application for a CAC security assessment must be accompanied by the handler's own risk self-assessment report. Second, enforcement authorities can demand the report after the fact: Article 63 lets them question the parties, consult and copy records and other materials, conduct on-site inspections, and examine equipment used in processing, and Article 64 lets them interview the handler's legal representative or require a compliance audit by a professional institution when they find significant risk. The quality and rigor of the PIPIA will inform the enforcement response if a violation is discovered.

Sanctions for non-compliance. Failure to conduct a required PIPIA violates Article 55 and triggers administrative liability under Article 66 PIPL. The CAC may issue warnings, confiscate illegal income, and impose fines on the entity and directly responsible individuals. For serious violations—such as commencing high-risk processing (e.g., large-scale sensitive-data processing or cross-border transfers) without conducting any PIPIA—Article 66 authorizes fines on the entity of up to RMB 50 million or 5% of the prior year's revenue, and personal fines on directly responsible individuals of RMB 100,000 to RMB 1 million.

Source: Personal Information Protection Law of the People's Republic of China (个人信息保护法), Presidential Order No. 91 (effective Nov. 1, 2021)

Source: Personal Information Protection Law (English), National People's Congress

Source: Measures for Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法), Cyberspace Administration of China (effective May 1, 2025)


Personal information processing activity records — Article 51 internal management system and classified management requirement

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

China's Personal Information Protection Law (PIPL) establishes a comprehensive obligation for personal information handlers to maintain internal management systems and operational procedures governing their processing activities, functionally analogous to the GDPR's Article 30 Record of Processing Activities (ROPA). Unlike the GDPR's prescriptive recordkeeping format, PIPL Article 51 embeds the documentation obligation within a broader mandate to implement organizational and technical safeguards.

Article 51 statutory framework. Article 51 PIPL requires personal information handlers to "take the following measures to ensure that personal information processing activities comply with laws and administrative regulations… and to prevent unauthorized access and disclosure, alteration, and loss of personal information." The statute enumerates six categories of required measures, two of which impose direct documentation and recordkeeping obligations:

  1. Formulating internal management systems and operating procedures (制定内部管理制度和操作规程). The handler must document the governance framework for all personal information processing activities. This encompasses policies defining roles and responsibilities, processing purposes and lawful bases under Article 13, data-subject rights procedures under Articles 44–47, cross-border transfer protocols under Articles 38–39, and breach-response plans under Article 57. PIPL does not prescribe the format or granularity of these internal systems, but the CAC's implementing regulations — including the Measures for Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法), effective May 1, 2025 — require auditors to verify that handlers have "established and effectively implemented" internal management systems covering the full processing lifecycle.
  2. Implementing classified management of personal information (对个人信息实行分类管理). Handlers must categorize personal information according to type, sensitivity, and risk profile, and apply differentiated controls to each category. At a minimum, handlers must distinguish sensitive personal information (the Article 28 categories: biometric identifiers, religious belief, specific identity, medical and health information, financial accounts, individual location tracking, and personal information of minors under 14) from ordinary personal information, because sensitive personal information carries heightened obligations under Articles 28–32 (a specific purpose and sufficient necessity with strict protective measures, separate consent, enhanced notice, guardian consent and special rules for minors, and a PIPIA under Article 55(1)). Industry guidance suggests further classification by processing purpose (e.g., customer service vs. marketing), retention period, and access permissions. Classified management underpins the principle of data minimization articulated in Article 6: "collection of personal information shall be limited to the minimum scope necessary to achieve the processing purpose."

Additional Article 51 safeguards integrated with recordkeeping. The remaining Article 51 measures interact with the documentation requirement:

  3. Taking corresponding security technical measures such as encryption and de-identification (Article 51(3), 采取相应的加密、去标识化等安全技术措施). Handlers must document which categories of personal information are encrypted at rest and in transit, and which are pseudonymized or anonymized. The internal management system under Article 51(1) should specify the technical standards applied (e.g., AES-256 encryption, the hashing or tokenization scheme used for de-identification) and the conditions under which de-identified data may be re-identified.
  4. Reasonably determining the operational authority for personal information processing and regularly conducting security education and training for staff (Article 51(4), 合理确定个人信息处理的操作权限，并定期对从业人员进行安全教育和培训). The statute does not name an access-control model, but "reasonably determined" authority is hard to demonstrate without one; in practice handlers implement role- or attribute-based access control and keep records of which employees, contractors, and system administrators can reach which categories of personal information, and under what conditions. Access permissions should map to the sensitivity classification under Article 51(2). The same item requires regular training: handlers should keep program descriptions, attendance records, and competency assessments, and auditors working from the Compliance Audit Guidance will look for training that covers lawful bases for processing, data-subject rights, breach-response procedures, and the specific obligations for sensitive personal information and cross-border transfers.
  5. Formulating and organizing the implementation of personal information security incident emergency response plans (Article 51(5), 制定并组织实施个人信息安全事件应急预案). Handlers must maintain written incident-response plans specifying notification procedures, containment measures, and escalation protocols. Under Article 57, where personal information has been or may be leaked, tampered with, or lost, the handler must immediately take remedial measures and notify the departments performing personal information protection duties and the affected individuals; the notification must state the categories of information involved, the cause and possible harm, the remedial measures taken and the measures individuals can take to mitigate harm, and the handler's contact details. The handler may omit notifying individuals where its remedial measures effectively avoid harm, but the authority may still order notification if it judges harm likely. The Article 51(5) plan is the operational blueprint for meeting these obligations.
  6. Article 51(6) is a residual clause covering other measures provided by laws and administrative regulations.
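The classification under Article 51(2) is only useful if the access authority under Article 51(4) is actually derived from it. As an added example (not text of the PIPL and not a CAC tool), the following Python performs the least-privilege review an auditor would expect: each access grant is checked against the field's sensitivity tier, the role's permitted tier, the role's business purposes, and the purposes notified at collection, and sensitive fields without encryption at rest are flagged under Article 51(3). The inventory layout, the two-tier model, and the sample inventory are constructed for this example.

```python
"""Least-privilege review of access grants against a personal-information classification.

Added example illustrating Article 51(2)-(4) PIPL (classified management, technical
measures, operational authority); it is not text of the PIPL or a CAC tool. The inventory
layout, role model and the sample inventory below are constructed for this example.
"""
from dataclasses import dataclass

# Minimum split Article 28 requires; finer tiers are the handler's own choice.
TIER_RANK = {"ordinary": 0, "sensitive": 1}


@dataclass(frozen=True)
class Field:
    name: str
    tier: str                # "ordinary" or "sensitive"
    encrypted_at_rest: bool  # Article 51(3) technical measure actually applied
    purposes: frozenset      # purposes notified at collection (Article 6 minimum necessity)


@dataclass(frozen=True)
class Role:
    name: str
    max_tier: str            # highest tier this role may touch (Article 51(4) operational authority)
    purposes: frozenset      # business purposes the role serves


@dataclass(frozen=True)
class Grant:
    role: str
    field: str
    purpose: str


def review_grants(fields, roles, grants):
    """Return [(role, field, finding), ...]; an empty list means the grants respect the classification."""
    field_by_name = {f.name: f for f in fields}
    role_by_name = {r.name: r for r in roles}
    findings = []
    for g in grants:
        f = field_by_name.get(g.field)
        r = role_by_name.get(g.role)
        if f is None or r is None:
            # A grant to an unclassified field or an undefined role is itself a classification gap.
            findings.append((g.role, g.field, "grant references an unclassified field or undefined role"))
            continue
        if TIER_RANK[f.tier] > TIER_RANK[r.max_tier]:
            findings.append((g.role, g.field, f"{f.tier} field exceeds role maximum {r.max_tier}"))
        if g.purpose not in r.purposes:
            findings.append((g.role, g.field, f"purpose '{g.purpose}' is outside the role's purposes"))
        if g.purpose not in f.purposes:
            findings.append((g.role, g.field, f"purpose '{g.purpose}' was not a collection purpose"))
    for f in fields:
        if f.tier == "sensitive" and not f.encrypted_at_rest:
            findings.append(("-", f.name, "sensitive field stored without encryption at rest"))
    return findings


# Constructed sample inventory (not a real system).
FIELDS = [
    Field("email", "ordinary", False, frozenset({"customer_service", "marketing"})),
    Field("health_record", "sensitive", True, frozenset({"claims"})),
    Field("bank_account", "sensitive", False, frozenset({"payout"})),
]
ROLES = [
    Role("support_agent", "ordinary", frozenset({"customer_service"})),
    Role("claims_officer", "sensitive", frozenset({"claims", "payout"})),
]
GRANTS = [
    Grant("support_agent", "email", "customer_service"),          # compliant
    Grant("support_agent", "health_record", "customer_service"),  # tier breach; purpose not a collection purpose
    Grant("claims_officer", "health_record", "marketing"),        # purpose outside role and outside collection
    Grant("claims_officer", "phone", "claims"),                   # unclassified field
]

if __name__ == "__main__":
    for finding in review_grants(FIELDS, ROLES, GRANTS):
        print(finding)
```

Run against the sample inventory this returns six findings. The purpose checks are deliberately two separate tests: a role may legitimately serve a purpose (marketing) for which a given field was never collected, and that is an Article 6 problem even when the tier check passes.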

Distinction from the Article 55–56 PIPIA recordkeeping obligation. Article 51 establishes a general, continuous recordkeeping obligation for all personal information handlers. By contrast, Article 55 requires handlers to conduct a personal information protection impact assessment (PIPIA) only for high-risk processing activities (processing sensitive personal information, automated decision-making, cross-border transfers, or other activities with significant impact on individuals), and Article 56 mandates retention of PIPIA reports and "handling status records" (处理情况记录) for at least three years. The Article 51 internal management systems and classified-management records serve as the baseline documentation from which the handler draws when preparing an Article 55 PIPIA. A handler processing only ordinary personal information for routine business purposes (e.g., customer contact information for order fulfillment) must maintain Article 51 documentation but may not trigger the Article 55 PIPIA requirement.

No prescribed retention period for Article 51 records. Unlike the GDPR's Article 30, which implies that records of processing activities must be maintained as long as the processing continues, and unlike PIPL Article 56, which mandates three-year retention of PIPIA reports, Article 51 does not specify a retention period for internal management systems or classified-management records. However, the CAC Audit Measures require covered handlers to produce these records on audit, and Article 63 PIPL empowers enforcement authorities to question the parties involved, to consult and copy contracts, records, account books, and other relevant materials, to conduct on-site inspections, and to examine equipment and items used in personal information processing. Practitioners should retain Article 51 documentation for the duration of the processing activity plus a reasonable period (typically three years, aligning with the Article 56 PIPIA retention rule) to demonstrate historical compliance during enforcement inquiries.

Enforcement and penalties. Failure to establish internal management systems, implement classified management, or maintain the required operational procedures violates Article 51 and triggers administrative liability under Article 66 PIPL. The CAC may issue warnings, order corrections, confiscate illegal income, suspend the relevant business or order suspension for rectification, and impose fines. For refusal to correct or for grave violations, Article 66 authorizes fines on the entity of up to RMB 50 million or 5% of the prior year's turnover, and personal fines on directly responsible individuals of RMB 100,000 to RMB 1 million. Those individuals may be prohibited from serving as director, supervisor, senior manager, or personal information protection officer. Operating without any written policies or classification framework leaves the handler with no record showing that it took the Article 51 measures at all; combined with a data breach or other harm to data subjects, that absence is the kind of fact pattern that supports treating the violation as grave under Article 66 paragraph 2.

Intersection with the compliance audit requirement. The Measures for Personal Information Protection Compliance Audits (effective May 1, 2025) require personal information handlers above the 10-million-person threshold to conduct a compliance audit at least once every two years, and allow enforcement authorities to require an audit by a professional institution in other cases. The Compliance Audit Guidance annexed to the Measures lists verification of Article 51 internal management systems and classified-management implementation among the audit items: auditors are to confirm that the handler has formulated internal management systems and operational procedures covering the personal information processing lifecycle, has established classified management that separates sensitive from ordinary personal information, and has implemented these systems in practice rather than on paper. The PIPIA reports required by Articles 55–56, the training records and access-authority records required by Article 51(4), and the incident-response plan required by Article 51(5) are all primary evidence reviewed during a compliance audit. Handlers subject to the audit requirement should treat their Article 51 documentation as the compliance backbone that will be tested during the audit engagement.

Source: Personal Information Protection Law of the People's Republic of China (个人信息保护法), Presidential Order No. 91 (effective Nov. 1, 2021), Article 51

Source: Measures for Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法), Cyberspace Administration of China (effective May 1, 2025)


Personal information protection compliance audit — Article 54 PIPL general duty and CAC Measures 10-million-person threshold

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

China's Personal Information Protection Law (PIPL) establishes a mandatory compliance audit obligation under Article 54, requiring all personal information handlers to "regularly conduct compliance audits of their processing of personal information in compliance with laws and administrative regulations." This foundational obligation is implemented and expanded by the Cyberspace Administration of China's Measures for Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法), effective May 1, 2025, which establish specific triggers, audit modes, periodicity requirements, and professional-auditor standards.

Article 54 statutory foundation. Article 54 PIPL imposes a universal, periodic compliance-audit duty on all "personal information handlers" (Article 73(1): organizations or individuals that independently determine the purposes and means of processing personal information). The statute does not prescribe the frequency, scope, or methodology of these audits; it delegates detailed implementation to the CAC. This article sits alongside Article 64, which authorizes enforcement authorities to require an entity to engage an external auditor if the authority discovers "significant risk" or a personal information security incident during an inspection or investigation.

Two audit modes under the CAC Measures. The CAC Measures distinguish two audit pathways:

  1. Self-directed compliance audits (Article 3). Personal information handlers "shall regularly conduct compliance audits" either through an internal audit team or by engaging an external professional auditor. The choice between internal and external audit is discretionary for the handler unless the CAC (or another enforcement authority) exercises its Article 64 PIPL power to mandate external engagement. For handlers processing the personal information of more than 10 million individuals, Article 12 of the CAC Measures imposes a minimum frequency: at least one compliance audit every two years. The Measures do not define a mandatory frequency for handlers below the 10-million threshold; those entities "determine the periodicity of regular compliance audits reasonably according to their own circumstances" (CAC Q&A published February 14, 2025). Industry guidance suggests annual or biennial audits for handlers processing large volumes of sensitive personal information or engaging in cross-border transfers, even if they are below 10 million individuals.
  1. Authority-mandated compliance audits (Articles 8–11). When the CAC or another enforcement authority "discovers in the performance of its duties that personal information processing activities present significant risk, may infringe the rights and interests of many individuals, or that a personal information security incident has occurred" (Article 4), the authority may require the handler to engage a professional auditor (not an internal team) and report the audit results to the authority. The handler must complete the audit within the timeframe specified by the authority; if complexity demands additional time, the handler may request an extension from the authority (Article 9). Upon completion, the handler must submit the auditor's signed and sealed report to the enforcement authority (Article 10) and, within 15 working days of completing corrective action, submit a remediation report (Article 11).

10-million-person trigger — Article 12 mandatory biennial audit. Article 12 of the CAC Measures establishes the first numerical threshold in the PIPL audit regime: handlers processing the personal information of more than 10 million individuals must conduct a compliance audit at least once every two years. This is separate from, and ten times higher than, the one-million-person figure that industry guidance uses for the Article 52 PIPO trigger (the statutory PIPO threshold itself is still for the CAC to specify). The Measures do not say how the count is made; the prudent reading is a cumulative count of individuals across all processing activities, not limited to active users or a single product line, and handlers near the line should maintain a count they can produce on audit. The Measures also do not specify whether the two-year clock runs from the date the handler first exceeded 10 million individuals, from the date the Measures took effect (May 1, 2025), or from the date of the handler's first audit; prudent handlers should conduct the first audit promptly after crossing the threshold and document the start of the two-year cycle.

Article 12 supervisory structure for 10-million-plus handlers. Article 12 also requires that handlers processing more than 10 million individuals' personal information designate a personal information protection officer (PIPO, 个人信息保护负责人) responsible for overseeing the compliance audit work. This is consistent with (and may overlap with) the Article 52 PIPL PIPO-appointment requirement. For "providers of major internet platform services with enormous user numbers and complex business types" — the CAC Audit Q&A suggests this means platforms with tens or hundreds of millions of users and multiple business lines (e.g., e-commerce combined with social networking and payment services) — Article 12 mandates that the handler "establish an independent institution composed mainly of external members to supervise personal information protection compliance audit activities." This independent oversight body (functionally similar to an audit committee under corporate governance frameworks) ensures that the compliance audit function is insulated from operational pressure and that audit findings receive senior-management attention.

Professional auditor qualifications — Article 7 and certification. When a handler engages an external auditor (whether voluntarily under the self-directed pathway or as mandated by an enforcement authority), the auditor must be a "professional institution" meeting the requirements of Article 7: the auditor must "possess the capability to conduct personal information protection compliance audits, with audit personnel, premises, facilities, and funding commensurate with the service." Article 7 "encourages" professional auditors to obtain certification in accordance with China's Certification and Accreditation Regulations. On May 27, 2025, the CAC announced that three certification bodies — the National Internet Information Office Data and Technology Security Center, the China Cybersecurity Review and Certification Center, and Beijing Saisi Certification Co. — have filed certification rules with the Certification and Accreditation Administration and will certify auditors against the Network Security Standard Practice Guideline — Personal Information Protection Compliance Audit Requirements and the Personal Information Protection Compliance Audit Professional Institution Service Capability Requirements. Handlers selecting an external auditor should verify the auditor's certification status or, at a minimum, confirm that the auditor maintains qualified personnel, documented audit methodologies, and professional-indemnity coverage.

Auditor independence — Article 13 rotation requirement. To preserve auditor objectivity, Article 13 prohibits "the same professional institution and its affiliated institutions, or the same compliance audit lead" from conducting compliance audits for the same handler more than three consecutive times. This rotation rule applies to both the audit firm and the individual engagement partner. A handler that engaged Auditor A for the 2025–2026 audit and the 2027–2028 audit may engage Auditor A once more (for 2029–2030) but must then rotate to a different firm (or ensure that the engagement is led by a different partner within the same firm, if the firm is large enough to satisfy the independence test). The CAC Measures do not specify a cooling-off period; a handler could, in principle, return to Auditor A for the 2031–2032 cycle after a one-cycle gap, though best practice is to rotate more broadly to ensure fresh perspectives.

Audit scope and reference guidance — Annex to the CAC Measures. The CAC Measures include an annex titled Personal Information Protection Compliance Audit Guidance (个人信息保护合规审计指引), which enumerates the substantive audit focus areas. Article 6 directs handlers and auditors to "refer to" this Guidance. The Guidance structures the audit around the major obligation chapters of PIPL: lawful bases for processing (the Article 13 bases: consent, contract or human-resources necessity, statutory duties, public-health emergencies and protection of life, health, or property, public-interest news reporting and public-opinion supervision, information the individual has disclosed or that is otherwise lawfully public, and other circumstances provided by law; PIPL has no general legitimate-interests basis), together with the sufficient-necessity and separate-consent requirements for sensitive personal information under Articles 28–29; data-subject rights procedures (Articles 44–47); security safeguards (Article 51 internal management systems, classified management, encryption, access authority, staff training, and emergency response plans); personal information protection impact assessments (Articles 55–56); cross-border transfer compliance (Articles 38–39 security assessments, standard contracts, or certification); and large-platform obligations (Article 58 external oversight bodies and social-responsibility reporting). The Guidance also instructs auditors to verify that the handler has maintained records of processing activities under Article 51 and PIPIA reports under Article 56 for the required retention periods (three years for PIPIA reports; no prescribed period for Article 51 documentation, but three years is recommended to align with the PIPIA rule).

Auditor confidentiality and no-subcontracting rule. Article 14 requires professional auditors to "maintain confidentiality over personal information, trade secrets, and confidential business information obtained in the course of performing compliance audit duties, and shall not leak or unlawfully provide such information to others." Upon completion of the audit engagement, the auditor must "promptly delete" the personal information and confidential business information obtained during the audit, retaining only the audit workpapers and final report as required under applicable audit-standards and professional-liability rules. Article 15 prohibits auditors from subcontracting the compliance audit to another firm; the handler must be confident that the engaged auditor will perform the work directly.

Enforcement and penalties. Failure to conduct the required compliance audit — either the Article 54 periodic self-audit or an Article 64 authority-mandated audit — violates PIPL and triggers administrative liability. Article 66 PIPL authorizes the CAC to issue warnings, order corrections, confiscate illegal income, suspend business operations, and impose fines. For refusal to conduct a mandated audit or for systematic failure to audit when processing large volumes of personal information (particularly sensitive personal information or cross-border transfers), the CAC may impose fines of up to RMB 50 million or 5% of the prior year's revenue on the entity, and personal fines of RMB 100,000 to RMB 1 million on directly responsible individuals (typically the PIPO, chief information security officer, or senior executives). Those individuals may be prohibited from serving as director, supervisor, senior manager, or PIPO for a specified period. The CAC has signaled in public statements that compliance audits are a "core tool" for assessing handler adherence to PIPL and that systematic non-compliance revealed during an audit (or the absence of any audit when one is required) will be treated as a serious violation warranting upper-tier penalties, particularly when combined with a data breach or other harm to data subjects.

Interaction with Article 55–56 PIPIA and Article 51 documentation. The compliance audit required by Article 54 and the CAC Measures is distinct from, but dependent upon, the handler's underlying documentation obligations. The auditor will examine the handler's internal management systems and classified-management records (Article 51), personal information protection impact assessments (Articles 55–56), data-subject rights request logs (Articles 44–47), breach-response plans and incident records (Article 57), and cross-border transfer assessments and standard contracts (Articles 38–39). A handler that has failed to maintain these foundational records will not be able to demonstrate compliance during the audit. The audit is thus the verification layer atop the handler's continuous compliance program. Handlers should view the audit as a structured opportunity to surface gaps, document corrective actions, and demonstrate to enforcement authorities (and to data subjects, in the case of large platforms publishing social-responsibility reports under Article 58) that the organization takes its PIPL obligations seriously.

Source: Personal Information Protection Law of the People's Republic of China (个人信息保护法), Presidential Order No. 91 (effective Nov. 1, 2021), Article 54

Source: Measures for Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法), Cyberspace Administration of China (effective May 1, 2025)

Source: Q&A on the Measures for Personal Information Protection Compliance Audits, Cyberspace Administration of China (Feb. 14, 2025)


Personal information security incident notification — Article 57 immediate reporting to CAC and data-subject notification triggers

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

China's Personal Information Protection Law (PIPL) establishes a dual notification obligation when a personal information security incident occurs or may occur: handlers must report to the Cyberspace Administration of China (CAC) and relevant departments immediately, and must notify affected data subjects without delay when the incident is likely to harm their rights and interests. Article 57 PIPL governs this regime, imposing both proactive incident-response duties and mandatory disclosure obligations that operate on separate triggers and timelines.

## Article 57 statutory framework — two distinct duties

Immediate reporting to the CAC. Under Article 57, if "a personal information security incident occurs or may occur" (发生或者可能发生个人信息泄露、篡改、丢失), the personal information handler must immediately take remedial measures (立即采取补救措施) and report to the departments performing personal information protection duties (向履行个人信息保护职责的部门报告). The statute uses the temporal marker "immediately" (立即), establishing a deadline measured in hours or, at most, days from the handler's discovery of the incident. PIPL does not prescribe a numerical hour count (unlike the GDPR's 72-hour clock under Article 33), but the CAC has signaled in enforcement guidance that handlers discovering a breach during business hours should report the same day, and handlers discovering a breach outside business hours should report no later than the following business day.

The reporting obligation attaches when an incident "occurs or may occur." This dual trigger requires handlers to report both confirmed breaches (e.g., unauthorized access logs, confirmed exfiltration of a database, ransom demand from an attacker) and suspected or imminent breaches (e.g., vulnerability disclosure indicating that sensitive personal information is exposed, anomalous network traffic suggesting ongoing reconnaissance, or a third-party processor's notification that it experienced a breach affecting data the handler entrusted to it). Handlers uncertain whether an anomaly constitutes a reportable incident should err on the side of reporting and document their analysis; failure to report a later-confirmed breach on grounds that the handler "was not certain" at the time of discovery will not satisfy Article 57 and exposes the handler to administrative penalties under Article 66.

Notification to data subjects when high risk exists. Article 57 imposes a second, conditional notification duty: if the personal information security incident is likely to harm the rights and interests of individuals (危害个人的权益), the handler must notify affected individuals without delay (还应当将事件情况以邮件、信函、电话、推送通知等方式通知个人). The statute uses "without delay" (及时), a temporal standard functionally equivalent to "immediately" but explicitly tied to the condition that the incident is "likely to harm" data subjects. PIPL does not define "likely to harm," leaving handlers to assess the risk profile of each incident. Industry guidance and CAC enforcement practice suggest the following factors weigh in favor of data-subject notification:

  • Volume of affected individuals. Incidents affecting more than 1,000 individuals are presumptively "likely to harm" and trigger notification unless the handler can demonstrate that effective technical measures (encryption, pseudonymization) rendered the data unusable by the unauthorized recipient.
  • Sensitivity of the compromised information. Breaches of sensitive personal information under Article 28 PIPL (biometric characteristics, religious belief, specific identity such as medical and health or financial accounts, individual location tracking, or personal information of minors under 14) are presumptively high-risk. Notification is required unless the data were encrypted and the encryption keys were not compromised.
  • Nature of the threat actor and the risk of misuse. Unauthorized access by a malicious external actor (ransomware group, state-sponsored threat, credential-stuffing botnet) creates higher risk of misuse than accidental internal disclosure (e.g., an employee emailing a spreadsheet to the wrong recipient within the same organization). Handlers should assess whether the unauthorized recipient is likely to exploit the personal information for identity theft, financial fraud, stalking, harassment, or other harms.
  • Downstream consequences for data subjects. Breaches that may lead to discrimination (e.g., disclosure of health information to an employer or insurer), reputational harm (e.g., exposure of political or religious affiliation), or physical safety risks (e.g., disclosure of domestic-violence shelter addresses, witness identities) are "likely to harm" and require notification even if the volume is small.

If the handler concludes that the incident does not meet the "likely to harm" threshold—for example, a low-volume breach of non-sensitive information that was encrypted and the recipient promptly deleted the data upon notification—the handler is not required to notify data subjects but must still report the incident to the CAC and document the rationale for the no-notification decision in the breach record required by Article 57.

## Required content of CAC report — Article 57 enumerated elements

Article 57 specifies that the report to the CAC must include the following main information (包括下列事项): (1) the type and scope of the incident, including the categories of personal information involved and the approximate number of affected individuals; (2) the possible harms (可能的危害) arising from the incident; (3) the remedial measures (已采取或者拟采取的补救措施) the handler has taken or plans to take; and (4) contact information for the handler's designated contact person responsible for the incident response. Handlers should prepare incident-report templates in advance mapping these four elements to their internal breach-classification and impact-assessment protocols. The CAC has announced online reporting portals at cac.gov.cn for incident submission; handlers operating in multiple sectors (e.g., telecommunications, finance, health) may also be required to report to sector-specific regulators in parallel.
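As an added illustration (not from the CAC Measures or any official tooling), the following Python encodes the four "likely to harm" factors and the encryption exception described under the data-subject notification duty above, and lays out the four report elements Article 57 enumerates. The category, actor and consequence tag names, and the 1,000-individual presumption taken from the text, are assumptions of this example.

```python
from dataclasses import dataclass, field

# Categories the page lists as sensitive personal information under Article 28 PIPL
# (tag names are constructed for this example; the statute uses descriptive terms).
SENSITIVE = {"biometric", "religious_belief", "medical_health",
             "financial_account", "location_tracking", "minor_under_14"}
# Threat-actor tags treated as a malicious external recipient (constructed).
EXTERNAL_MALICIOUS = {"ransomware", "state_sponsored", "credential_stuffing"}
# Downstream-consequence tags that call for notice even at small volume (constructed).
SEVERE = {"discrimination", "reputational_harm", "physical_safety"}


@dataclass
class Incident:
    affected: int                  # approximate number of individuals
    categories: set                # categories of personal information involved
    actor: str                     # e.g. "ransomware" or "internal_misdirected_email"
    consequences: set = field(default_factory=set)
    encrypted: bool = False
    keys_compromised: bool = True  # assume the worst until established otherwise


def assess(inc: Incident) -> dict:
    """Apply the 'likely to harm' factors; return the decision and its rationale."""
    # The encryption exception only applies when the keys were not compromised.
    unusable = inc.encrypted and not inc.keys_compromised
    triggers = []
    if inc.affected > 1000 and not unusable:
        triggers.append(f"volume {inc.affected} exceeds 1,000 and data remained usable")
    hit = inc.categories & SENSITIVE
    if hit and not unusable:
        triggers.append(f"sensitive categories involved: {sorted(hit)}")
    if inc.actor in EXTERNAL_MALICIOUS:
        triggers.append(f"malicious external actor ({inc.actor}) raises misuse risk")
    severe = inc.consequences & SEVERE
    if severe:
        triggers.append(f"consequences {sorted(severe)} require notice at any volume")
    return {
        "report_to_cac": True,  # reporting to the CAC is unconditional under Article 57
        "notify_subjects": bool(triggers),
        # A no-notification decision must still be documented in the breach record.
        "rationale": triggers or ["no factor met; decision to withhold notice recorded"],
    }


def cac_report(inc: Incident, decision: dict, remedial: list, contact: str) -> dict:
    """Lay out the four elements Article 57 enumerates for the CAC report."""
    return {
        "type_and_scope": {"categories": sorted(inc.categories), "affected": inc.affected},
        "possible_harms": decision["rationale"],
        "remedial_measures": remedial,
        "contact": contact,
    }
```

The factors are indicative, as the text says; the final "likely to harm" call remains the handler's documented assessment, and the rationale list is what goes into the Article 57 breach record either way.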

## Required content of data-subject notification — transparency and actionable guidance

When notifying affected individuals, Article 57 requires that the handler communicate the type and scope of the incident, the possible harms, the remedial measures taken, and contact information for inquiries. The notice should be written in plain language accessible to a lay reader and should provide actionable guidance tailored to the risk. For financial-account breaches, handlers should instruct individuals to monitor account statements, change passwords, and enable multi-factor authentication. For breaches of identification documents (national ID numbers, passport numbers), handlers should advise individuals to place fraud alerts with credit bureaus and monitor for identity-theft indicators. Handlers should deliver the notice through the most direct channel available (邮件、信函、电话、推送通知等方式): email if the handler has a verified email address, SMS or push notification if email is unavailable, postal mail for individuals without digital contact information. If individual notification is not possible (e.g., the handler lacks current contact information for many affected individuals, or the volume is so large that individual contact would impose disproportionate burden), Article 57 permits public announcement (公告) in lieu of individual notice, provided the announcement is posted prominently on the handler's website and disseminated through channels likely to reach affected individuals.

## Recordkeeping obligation — breach logs under Article 57

Article 57 requires handlers to keep records of the handling course (记录处理情况) of personal information security incidents. The statute does not prescribe a retention period, but the CAC Audit Measures (effective May 1, 2025) incorporate breach records as a mandatory audit item. Handlers should maintain breach logs for at least three years (aligning with the Article 56 PIPIA retention period) and should document: the date and time the incident was discovered; the categories and approximate volume of personal information affected; the root cause (e.g., SQL injection attack, misconfigured cloud storage, employee phishing, third-party processor breach); the timeline of investigation and containment; the decision tree for whether to notify data subjects (and if not, the rationale); copies of the CAC report and any data-subject notifications sent; and evidence of remedial measures implemented (e.g., vulnerability patches applied, access controls tightened, affected accounts reset). The breach log is primary evidence during a CAC investigation; handlers unable to produce a contemporaneous record of the incident response face heightened enforcement risk.

## Intersection with Article 51 emergency response plans

Article 57's notification obligations presuppose that the handler has already implemented the emergency response plan (个人信息安全事件应急预案) required by Article 51(6) PIPL. That plan must specify the internal escalation protocols, the decision-making authority for triggering CAC reporting and data-subject notification, the communication templates, and the roles and responsibilities of the incident-response team (typically including the personal information protection officer under Article 52, the chief information security officer, legal counsel, and public relations). Handlers should conduct tabletop exercises at least annually to test the plan and identify gaps. The CAC Audit Measures require auditors to verify that the handler has both formulated the emergency response plan (documentation exists) and organized implementation (the plan has been tested and staff are trained on it).

## Penalties for non-compliance — Article 66 administrative liability

Failure to report a personal information security incident to the CAC, or to notify affected data subjects when required, violates Article 57 and triggers administrative liability under Article 66 PIPL. The CAC may issue warnings, order corrections, confiscate illegal income, suspend business operations, and impose fines. For refusal to correct or for serious violations—such as intentionally concealing a large-scale breach of sensitive personal information, or failing to notify affected individuals when the incident leads to identity theft or financial fraud—Article 66 authorizes fines on the entity of up to RMB 50 million or 5% of the prior year's revenue, and personal fines on directly responsible individuals of RMB 100,000 to RMB 1 million. Those individuals may be prohibited from serving as director, supervisor, senior manager, or personal information protection officer. The CAC has signaled that breach-notification violations carry heightened enforcement priority because they compound the original security failure with a failure to enable affected individuals and authorities to mitigate the harm. Handlers that report promptly and transparently, even when the breach resulted from their own negligence, will receive more favorable treatment than handlers that attempt to conceal the incident or delay reporting in hopes that the breach will not be discovered.

## No private right of action for non-notification, but civil liability exposure

PIPL does not establish a standalone private right of action for failure to provide breach notification. However, Article 69 PIPL grants individuals whose personal information rights and interests are infringed a general right to sue for damages under the Civil Code. If a handler's failure to notify data subjects of a breach proximately causes harm—for example, an individual suffers financial losses from identity theft that could have been mitigated if the handler had disclosed the breach promptly—the individual may seek compensation for actual damages and, in serious cases, mental-distress damages. Courts will evaluate the handler's breach-notification compliance as evidence of whether the handler satisfied its Article 9 PIPL duty to "adopt necessary measures to ensure the security of the personal information it processes." A handler that violated Article 57 will face difficulty defending against a negligence claim.

Source: Personal Information Protection Law of the People's Republic of China (个人信息保护法), Presidential Order No. 91 (effective Nov. 1, 2021), Article 57
