On 18 July 2025, China’s Cyberspace Administration (CAC) officially launched its online portal (Portal) for registration of China Data Protection Officers (China DPO). This operationalizes the requirements under Article 52 of the Personal Information Protection Law (PIPL).
Who Must Appoint a China DPO?
Data controllers processing over one million individuals’ personal information should appoint a China DPO. In addition, some recommended national standards set additional scenarios as best practice.
Who Must Register their China DPO?
Data controllers processing over one million individuals’ personal information in China must register their China DPOs. While Article 53 of PIPL and the template registration forms provided by CAC suggest that offshore PIPL data controllers may also be subject to this requirement, clarification is needed on portal documentation requirement.
How to Register your China DPO?
Registration must be completed online at https://grxxbh.cacdtsc.cn, which involves submitting: (1) information forms for both data controllers and China DPOs; (2) identity and appointment documents; and (3) authorization letters and commitment statements. Notably, the forms require detailed disclosures including certain specifics on personal information processing activities.
What is the Registration Deadline?
The two key deadlines are: (1) by 29 August 2025, for data controllers who met the one million threshold before 18 July 2025; and (2) within 30 working days, for those who meet the threshold after 18 July 2025.
Who can be a China DPO?
A China DPO must be a natural person. While PRC citizenship or residency is not required for China DPOs of onshore data controllers, offshore PIPL data controllers must appoint a representative located in China. Best practices recommend appointing individuals with relevant management experience and expertise. Please see our article about the role and obligations of China DPOs and key distinctions between China DPOs and DPOs under the EU General Data Protection Regulation 2016/679.