Measures for the Administration of Compliance Audits of Personal Information Protection
Original Chinese title: 个人信息保护合规审计管理办法 (Measures for the Administration of Compliance Audits of Personal Information Protection)
A compliance audit is required when processing personal information of more than 10 million persons / CLP Reference: 5600/25.02.12 ; Promulgated: 2025-02-12; Effective: 2025-05-01
(Promulgated by the Cyberspace Administration of China on February 12, 2025 and effective as of May 1, 2025.)
Order of the CAC No. 18
Article 1: These Measures have been formulated in accordance with laws and administrative regulations such as the PRC Law on the Protection of Personal Information and the Regulations for the Administration of Network Data Security in order to regulate compliance audits of personal information protection and protect rights and interests in personal information.
Article 2: These Measures shall govern the conduct of compliance audits of personal information protection in the mainland of the People’s Republic of China.
For the purposes of these Measures, the term “compliance audit of personal information protection” (a “Compliance Audit”) means the oversight activity in which whether the personal information processing activities of a personal information handler comply with laws and administrative regulations is examined and assessed.
Article 3: Where a personal information handler conducts Compliance Audits itself, Compliance Audits of whether its processing of personal information complies with laws and administrative regulations shall be conducted on a regular basis by an internal organ of the personal information handler or by a professional firm engaged by it.
Article 4: A personal information handler that processes the personal information of more than 10 million persons shall conduct a Compliance Audit at least once every two years.
Article 5: Where any of the circumstances set forth below applies to a personal information handler, the state cyberspace administration or another department that performs the duty of protecting personal information (hereinafter collectively referred to as a “Protection Department”) may require the personal information handler to engage a professional firm to conduct a compliance audit of its personal information processing activities:
(1) where a relatively large risk is discovered, such as the personal information processing activities materially impacting the rights and interests of individuals or seriously lacking security measures;
(2) where the personal information processing activities may infringe the rights and interests of a large number of individuals; or
(3) where a personal information security incident occurs, resulting in the leakage, alteration or loss of, or damage to, the personal information of at least one million persons or the sensitive personal information of at least 100,000 persons.
With respect to any one personal information security incident or risk, a personal information handler may not be repeatedly required to engage a professional firm to conduct Compliance Audits.
Article 6: Where a personal information handler itself conducts or engages a professional firm at the request of a Protection Department to conduct a Compliance Audit, reference shall be made to the Annex hereto, Guidelines for Compliance Audits of Personal Information Protection.
Article 7: A professional firm shall possess the capabilities to conduct Compliance Audits and the auditors, premises, facilities and funds commensurate with the service.
Relevant professional firms are encouraged to undergo certification. The certification of professional firms shall be carried out in accordance with the relevant provisions of the PRC Regulations on Certification and Accreditation.
Article 8: Where a personal information handler conducts a Compliance Audit at the request of a Protection Department, it shall provide the support necessary for the professional firm to carry out the normal Compliance Audit work and bear the audit expenses.
Article 9: Where a personal information handler conducts a Compliance Audit at the request of a Protection Department, it shall select a professional firm as required by the Protection Department, and the professional firm shall complete the Compliance Audit by the specified deadline. Where the circumstances are complex, a suitable extension may be granted with the approval of the Protection Department.
Article 10: Where a personal information handler conducts a Compliance Audit at the request of a Protection Department, it shall submit the Compliance Audit report issued by the professional firm to the Protection Department after completion of the Compliance Audit.
A Compliance Audit report shall be signed by the principal person in charge of the professional firm and the officer in charge of the Compliance Audit and bear the official seal of the professional firm.
Article 11: Where a personal information handler conducts a Compliance Audit at the request of a Protection Department, it shall rectify the issues discovered during the Compliance Audit as required by the Protection Department. A rectification report shall be submitted to the Protection Department within 15 working days after completion of rectification.
Article 12: A personal information handler that processes the personal information of at least one million persons shall designate an officer in charge of personal information protection who shall be responsible for the work associated with the personal information handler’s Compliance Audits.
A personal information handler that provides key internet platform services, whose user base is large or whose business type is complex, shall establish an independent organ composed mainly of external members to scrutinize its Compliance Audits.
Article 13: When conducting Compliance Audit activities, a professional firm shall comply with laws and regulations, render its professional Compliance Audit judgment in a good faith, honest, impartial and objective manner, and keep confidential in accordance with the law the personal information, trade secrets, confidential business information, etc. to which it was privy in the course of performing its Compliance Audit duties; it may not disclose the same or unlawfully provide the same to third parties, and shall delete the relevant information in a timely manner after completion of the Compliance Audit work.
Article 14: A professional firm may not subcontract the conduct of a Compliance Audit to another firm.
Article 15: Any one professional firm, its affiliates and the same officer in charge of Compliance Audits may not conduct Compliance Audits of the same auditee three or more times in succession.
Article 16: A Protection Department shall conduct monitoring inspections of the Compliance Audits conducted by personal information handlers.
Article 17: Any organization or individual shall have the right to lodge a complaint or report with the Protection Department in respect of illegal activities carried out during a Compliance Audit. A department that receives such a complaint or report shall deal with the same in a timely manner in accordance with the law and inform the complainant or whistleblower of the outcome of its handling thereof.
Article 18: Where a personal information handler or professional firm violates these Measures, matters shall be handled in accordance with laws and regulations such as the PRC Law on the Protection of Personal Information and the Regulations for the Administration of Network Data Security. If a criminal offense is constituted, criminal liability shall be pursued in accordance with the law.
Article 19: These Measures shall not apply to the Compliance Audits of organizations that have a public affairs administration function and are authorized by a state authority, law or regulation.
Article 20: These Measures shall be effective as of May 1, 2025.
(Promulgated by the Cyberspace Administration of China on February 12, 2025 and effective as of May 1, 2025.)