Order of the Cyberspace Administration of China
(No. 18)
The Measures for the Administration of Personal Information Protection Compliance Audits, as deliberated and adopted at the 15th executive meeting of the Cyberspace Administration of China for 2024 on May 20, 2024, are hereby issued, and shall come into force on May 1, 2025.
Zhuang Rongwen, Director of the Cyberspace Administration of China
February 12, 2025
Measures for the Administration of Personal Information Protection Compliance Audits
Article 1 These Measures are developed in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other laws and administrative regulations, for the purposes of regulating compliance audit activities related to personal information protection and protecting personal information rights and interests.
Article 2 These Measures shall apply to the personal information protection compliance audits conducted within the territory of the People's Republic of China.
For the purposes of these Measures, “personal information protection compliance audits” means the supervisory activities of examining and evaluating whether the personal information processing activities of personal information processors comply with laws and administrative regulations.
Article 3 Where a personal information processor is to conduct a personal information protection compliance audit on its own, the internal institution of the personal information processor or a professional institution commissioned by it shall regularly audit the compliance of its processing of personal information with laws and administrative regulations.
Article 4 A personal information processor that processes the personal information of more than 10 million people shall conduct personal information protection compliance audits at least once every two years.
Article 5 Where a personal information processor falls under any of the following circumstances, the national cyberspace authority and other departments performing personal information protection duties (hereinafter collectively referred to as “protection departments”) may require the personal information processor to commission a professional institution to audit the compliance of its or his personal information processing activities:
1. It is found that the personal information processing activities carry relatively large risks, such as seriously affecting the rights and interests of individuals or severely lacking security measures.
2. The personal information processing activities may infringe upon the rights and interests of many individuals.
3. A personal information security incident occurs, resulting in the leakage, tampering, loss or damage of personal information of more than 1 million people or the sensitive personal information of more than 100,000 people.
With respect to the same personal information security incident or risk, it is not allowed to repeatedly require a personal information processor to commission a professional institution to conduct personal information protection compliance audits.
Article 6 Where a personal information processor conducts personal information protection compliance audits on its or his own or commissions a professional institution to conduct a personal information protection compliance audit as required by the protection department, it shall be governed, mutatis mutandis, by the Guidelines for Personal Information Protection Compliance Audits, the Annex to these Measures.
Article 7 Professional institutions shall have the capabilities of conducting personal information protection compliance audits and have audit personnel, venues, facilities and funds, among others, that are commensurate with the services.
Relevant professional institutions are encouraged to pass the certification. The certification of professional institutions shall be governed by relevant provisions of the Regulation of the People's Republic of China on Certification and Accreditation.
Article 8 Where a personal information processor conducts a personal information protection compliance audit in accordance with the requirements of the protection department, it or he shall provide necessary support for the professional institution to conduct the personal information protection compliance audit normally and bear the audit expenses.
Article 9 Where a personal information processor conducts a personal information protection compliance audit in accordance with the requirements of the protection department, it or he shall select a professional institution as required by the protection department, and complete the personal information protection compliance audit during a specified period; and if the circumstances are complicated, the period may be appropriately extended upon approval by the protection department.
Article 10 Where a personal information processor conducts a personal information protection compliance audit in accordance with the requirements of the protection department, it or he shall, after the compliance audit is completed, submit the personal information protection compliance audit report issued by the professional institution to the protection department.
The personal information protection compliance audit report shall be signed by the principal person in charge and the person in charge of compliance audit of the professional institution and stamped with the official seal of the professional institution.
Article 11 Where a personal information processor conducts a personal information protection compliance audit in accordance with the requirements of the protection department, it or he shall rectify problems found during the compliance audit according to the requirements of the protection department. The rectification report shall be submitted to the protection department within 15 working days after the completion of rectification.
Article 12 A personal information processor that processes the personal information of more than 1 million people shall appoint a person in charge of personal information protection to be responsible for the work related to the personal information protection compliance audits of the personal information processor.
Personal information processors that provide important Internet platform services involving a huge number of users and complicated business types shall form independent institutions mainly consisting of external personnel to supervise personal information protection compliance audits.
Article 13 When engaging in personal information protection compliance audit activities, professional institutions shall comply with laws and regulations, be honest and upright, make professional compliance audit judgments in a fair and objective manner, keep confidential in accordance with the law the personal information, trade secrets, and confidential business information, among others, to which they have access during the performance of the duties of personal information protection compliance audits, and shall not divulge or illegally provide others with such information. After the compliance audit work is completed, they shall delete relevant information in a timely manner.
Article 14 The commissioned professional institutions shall not commission other institutions to conduct personal information protection compliance audits.
Article 15 The same professional institution or any of its affiliated institutions or the same person in charge of compliance audits shall not conduct personal information protection compliance audits for the same auditee for three or more consecutive times.
Article 16 Protection departments shall conduct supervisory inspections of personal information protection compliance audits conducted by personal information processors.
Article 17 All organizations and individuals shall have the right to file complaints and reports about illegal activities in personal information protection compliance audits with protection departments. The departments receiving complaints and reports shall handle them without delay in accordance with the law, and notify the complainants and informants of the handling results.
Article 18 Personal information processors and professional institutions that violate these Measures shall be dealt with in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management and other laws and regulations. Where any violation is criminally punishable, the violator shall be held criminally liable in accordance with the law.
Article 19 These Measures shall not apply to the personal information protection compliance audits conducted by state organs and the organizations with the function of managing public affairs as authorized by laws and regulations.
Article 20 These Measures shall come into force on May 1, 2025.
Annex
Guidelines for Personal Information Protection Compliance Audits
I. These Guidelines are developed in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management, and other laws and administrative regulations.
II. Where the compliance audit of the legal basis for a personal information processing activity is conducted, the focus of examination shall be put on the following matters:
1. Where personal information is processed based on an individual's consent, whether the individual's consent has been obtained and whether such consent is voluntarily and explicitly given by the individual on a fully informed basis shall be examined.
2. Where personal information is processed based on an individual's consent, and the purpose or method of processing of personal information or the category of personal information to be processed changes, whether the individual's consent has been obtained anew shall be examined.
3. Where personal information is processed based on an individual's consent, whether the individual's separate consent or written consent has been obtained in accordance with laws and administrative regulations shall be examined.
4. Where personal information is processed without an individual's consent, whether it falls under the circumstances in which individual consent is not required as provided for by laws and administrative regulations shall be examined.
III. Where the compliance of personal information processing rules is audited, the focus of examination shall be put on the following matters:
1. Whether the name and contact information of a personal information processor have been notified to individuals in a truthful, accurate and complete manner.
2. Whether the personal information collected, the methods of processing and the categories of personal information are listed in forms that are easy to consult, such as checklists.
3. Whether the personal information processing is directly related to the processing purpose and in a manner that has the minimum impact on the rights and interests of individuals.
4. Whether the preservation period of personal information or the methods for determining the preservation period and the processing methods after the expiration of the period have been clarified, and whether it is ensured that the preservation period is the shortest time required to achieve the processing purpose.
5. Whether the channels and methods thro......