The Cyberspace Administration of China (“CAC”) recently released requirements regarding data protection audits, titled “Administrative Measures on Compliance Auditing of Personal Information Protection” (the “Measures”). The Measures will go into effect on May 1, 2025.
The Measures were promulgated in accordance with the Personal Information Protection Law (“PIPL”) and Administrative Regulations on the Security of Network Data. The Measures set forth the: (1) conditions that would trigger an audit of a data handler’s compliance with relevant personal information protection legal requirements; (2) selection of third-party compliance auditors; (3) frequency of compliance audits; and (4) obligations of data handlers and third-party auditors in conducting compliance audits. An Appendix to the Measures, titled “Guidelines on Personal Information Protection Compliance Auditing” (the “Guidelines”), contains additional compliance audit requirements.
Voluntary and Mandatory Compliance Auditing
The Measures will require data handlers that process the personal information of more than 10 million individuals to conduct compliance auditing at least once every two years.
The Measures will permit cyberspace administration and other relevant authorities to request data handlers to conduct third-party audits where:
- the data handler’s processing activities pose a great risk to the rights and interests of individuals;
- the data handler lacks sufficient security measures;
- the data handler’s processing activities may infringe on the rights and interests of a large number of individuals; or
- the data handler experiences a data breach that results in the leakage, tampering, loss or destruction of the personal information of more than one million individuals or the sensitive personal information of more than 100,000 individuals.
For the above scenarios, the data handler will need to complete a compliance audit in accordance with the Measures’ requirements and submit an audit report to the data handler’s competent authority, with any requested corrections submitted within 15 business days to the authority.
Additionally, the Measures specify that data handlers may conduct compliance audits on a voluntary basis, either internally or through the use of a third-party auditor.
Specific Requirements for Certain Types of Data Handlers
Pursuant to the Measures, data handlers processing the personal information of more than one million individuals will need to designate a person in charge of the protection of personal information (referred to herein as the “Designated Data Protection Personnel”). Data handlers providing key online platform services with a significant number of users and a complex business model will need to establish an independent organization consisting mainly of external members to monitor compliance audits.
Requirements for Third-Party Auditors and Designated Data Protection Personnel
Third-party auditors will be required to be equipped with audit staff, premises, facilities and funds appropriate to the services provided, and to protect the confidentiality of data reviewed during compliance audits. Additionally, third-party auditors will be prohibited from using subcontractors.
The Measures will prohibit data handlers from using the same third-party auditor (or its affiliates) or the Designated Data Protection Personnel to conduct compliance audits on the same subject more than three times in a row.
Guidelines on Compliance Audits
The Guidelines will require data handlers to evaluate the following factors in compliance audits:
- the legal basis for processing the personal information;
- the relevant personal information processing rules;
- whether the data handler has fulfilled its individual notification obligations;
- the data handler’s joint processing activities;
- the vendors processing personal information on the data handler’s behalf;
- whether there has been a transfer of personal information due to a merger, reorganization, separation, dissolution, bankruptcy or other reason;
- whether the data handler has shared personal information with other data handlers;
- whether the data handler engages in automated decision-making activities;
- whether the data handler publicly publishes personal information (including instances in which the data handler obtains individuals’ consent to do so);
- whether the data handler has installed surveillance devices that may be used to identify individuals in public places;
- whether the data handler processes sensitive personal information;
- whether the data handler processes personal information of minors under 14 years old;
- whether the data handler transfers personal information outside of China;
- how the data handler complies with the right to erase personal information;
- how the data handler protects the rights of individuals in its processing activities;
- how the data handler responds to individuals’ data protection inquiries and explains its personal information processing activities;
- the data handler’s internal management policies and operating procedures;
- the technical security measures the data handler has implemented to protect personal information;
- the data protection education and training programs provided by the data handler to its workforce;
- the performance of the Designated Data Protection Personnel;
- whether the data handler conducts personal information protection impact assessment where required;
- the data handler’s incident response plan and its implementation of the plan; and
- for data handlers providing key online platform services with a significant number of users and a complex business model, the data handler’s social responsibility report on personal information protection.