On February 14, 2025, the Cyberspace Administration of China (“CAC”) officially promulgated the final Personal Information Protection Compliance Audit Management Measures ("Measures"), set to take effect on May 1, 2025. This article discusses the finalised Personal Information (“PI”) Protection Compliance Audit (“PI Audit”) regulatory framework based on our previous analysis, with a particular focus on the key provisions, procedural requirements, and compliance obligations to be effective soon.
Article 54 of the Personal Information Protection Law (“PIPL”) requires audits of PI processing activities by Personal Information Processors (“PI Processor”, akin to “controller” under the GDPR). While the concept of such audits was outlined in the PIPL, the specific framework for conducting these audits remained ambiguous until the introduction of the Draft Administrative Measures for Personal Information Protection Compliance Audit (“Draft Measures”) by the CAC on August 3, 2023. Following extensive discussions and revisions, the final Measures have now been officially released.
The PI Audit is an essential process to examine and evaluate an organisation’s PI processing activities. It plays a crucial role in mitigating compliance risks and enhancing data governance practices within organisations. According to the Measures, a PI Audit refers to the activities of reviewing and assessing whether PI processing adheres to relevant laws and administrative regulations. Importantly, other non-administrative level regulations, such as the department regulations issued by the CAC, may also be considered to ensure that PI processing activities are trustworthy, secure, and compliant.
The Measures now provide clearer guidelines than the Draft Measures, including a defined framework for initiating, conducting, and completing PI Audits. These include specifications on the subjects required to perform audits, the types of audits to be conducted, the frequency of audits, and the obligations of PI Processors in carrying out these audits. An annex to the Measures includes detailed guidelines that PI Processors can refer to in order to comply with these requirements.
Under the Measures, PI Processors—those entities determining the purposes and means of PI processing activities—are the principal party responsible for conducting PI Audits. While only the activities performed as a PI Processor require an audit, entrusted parties are obligated to cooperate and assist in fulfilling these compliance obligations under the PIPL (Article 59 of the PIPL). The arrangement ensures that PI processing activities are not audited repeatedly. To ensure smooth cooperation between the PI Processors and the entrusted parties, it is recommended to include a clause in the data protection agreements executed by the PI Processors and entrusted parties, stipulating the obligations to be imposed on the entrusted parties to assist the PI Processors in conducting PI Audits.
In addition, the Measures retain the provisions from the Draft Measures concerning the PI Processor’s role, but offer additional clarity. Notably, operators of large-scale Internet platforms—those governed by Article 58 of the PIPL—are still required to establish an independent oversight body composed of external members to monitor PI protection practices.
A. PI Audits Initiated by the PI Processor
The Measures specify that PI Processors must regularly conduct PI Audits, which can be performed either by the PI Processor internally or by an external professional institution. Notably, the Measures require that PI Audits occur at least every two years for PI Processors processing PI of more than 10 million individuals. This reflects a slight adjustment from the Draft Measures, which had set the threshold at 1 million. Additionally, it should be noted that PI Processors processing the PI of minors should conduct audits annually and promptly report the audit results to departments such as the cyberspace administration.
B. PI Audits Requested by Supervisory Authorities
Under the Measures, Supervisory Authorities, including the CAC, can mandate that PI Processors undergo a PI Audit if they identify significant risks or security incidents related to PI processing activities. The Measures stipulate that such audits should be conducted by a third-party professional institution, not the PI Processor itself. The audit report must be submitted within a reasonable period (instead of 90 days in the Draft Measures), although extensions may be granted for complex cases. The audit report should include signatures from both the PI Audit responsible persons and the third-party institution, along with the institution's official seal. Where issues are identified, the PI Processor shall notify the Supervisory Authorities of the remediation results within 15 working days of completion.
Since the audit report will be submitted to and reviewed by the Supervisory Authorities, any prior non-compliance - particularly in relation to reporting obligations and transparency - will be easily detected. In light of this, it is strongly recommended that PI Processors prioritise the following obligations:
The Measures further define the role of professional institutions conducting PI Audits. These institutions must be qualified to perform the audits, with proper staffing, facilities, and financial resources. Certification is encouraged, and institutions are required to adhere to strict confidentiality rules concerning sensitive information, such as personal data and business secrets, acquired during the audit process. Importantly, professional institutions are prohibited from subcontracting or transferring audit responsibilities to other entities, ensuring a high standard of impartiality and professionalism in conducting audits.
Article 52 of the PIPL mandates that PI Processors whose processing activities reach a threshold amount prescribed by the CAC must appoint a Data Protection Officer (DPO). Previously, the CAC had remained silent on this threshold. However, the newly promulgated Measures stipulate that PI Processors processing the PI of more than 1 million individuals are now explicitly required to appoint a DPO to oversee PI audit activities. Consequently, it is reasonable to conclude that PI Processors processing the personal information of over 1 million individuals are obligated to appoint a DPO.
In addition, companies should also note that PI Processors must disclose the contact information of their DPOs, and report the name, contact information and other information of the DPOs to the CAC. Nevertheless, the mechanisms for information reporting remain unspecified.
The Measures maintain the provisions from the Draft Measures regarding the consequences of non-compliance. Violators of the Measures can face liability under the PIPL and other applicable laws, with some violations subject to criminal prosecution. The enforcement framework has been enhanced to include additional supervisory powers and specific actions that must be taken by PI Processors in the event of audit findings, including prompt rectification and reporting to the Supervisory Authorities. To avoid or mitigate potential liabilities incurred due to non-compliant practices, we have included a checklist for companies’ reference at the end of this article.
Apart from China, several national data protection authorities, such as France’s National Commission on Informatics and Liberty (“CNIL”) or the UK’s Information Commissioner’s Office (“ICO”), have issued guidelines regarding compliance audits for PI protection. Notably, we have identified similarities among these audit rules across different jurisdictions.
On one hand, these audit rules share common purposes, which are to ensure the existence of appropriate policies and procedures, verify their implementation, assess the adequacy of controls, detect breaches or potential breaches, and recommend necessary changes to controls, policies, and procedures. On the other hand, the scope of these audit rules typically covers a whole range of processing activities from collection, utilisation, sharing, to storage, deletion, etc.
Regardless of the similarities reflected in the audit rules in different jurisdictions, the specific requirements outlined in the Measures in China differ from those in the audit rules of other jurisdictions. This is because the Measures are formulated pursuant to China’s PIPL, which imposes unique and distinct requirements and perspectives concerning PI protection, including conducting the PIPIA, obtaining separate consent, and addressing the special PI rights of deceased individuals. Therefore, data audits based on the GDPR or regulations in other jurisdictions cannot replace PI Audits conducted under the PIPL. For PI Processors who are subject to the PIPL and have conducted PI Audits in other jurisdictions, it is advisable to closely examine the checkpoints provided below to ensure compliance with the requirements of relevant Chinese laws.
The primary objective of PI Audits is to enable organisations to effectively identify and control risks to prevent data protection breaches, and more critically, safeguard the interests of PI subjects during PI processing activities. The formal Personal Information Protection Compliance Audit Management Measures represent a significant step forward in clarifying the PI audit landscape in China. With a clear roadmap for PI Processors, professional institutions, and Supervisory Authorities, the Measures ensure a rigorous approach to PI governance, further aligning China’s data protection framework with global standards. Organisations that are subject to the PIPL should take immediate steps to ensure their compliance practices align with the updated provisions and to prepare for the official enforcement of the Measures on May 1, 2025.
Article |
Circumstances |
Elements |
1 |
This Guideline is enacted in accordance with the Personal Information Protection Law of the People's Republic of China (PIPL), the Regulation on Network Data Security Management and other relevant laws and administrative regulations. |
|
2 |
The following matters shall be reviewed with priority in conducting the compliance audit on the legal basis for personal information processing activities: |
(1) Whether the individual's consent has been obtained if the processing of the individual's personal information is based on the individual's consent, and whether the consent is voluntarily and explicitly given by the individual under the premise of full knowledge. (2) Whether the individual's consent has been re-obtained if the purpose and method of processing personal information or the type of personal information to be processed has changed when processing personal information based on individual consent. (3) Whether the individual's separate consent or written consent has been obtained in accordance with laws and administrative regulations when processing personal information based on the individual's consent, and (4) Whether it falls under the circumstances where consent is not required as stipulated by laws and administrative regulations when processing personal information without obtaining individual consent. |
3 |
The following matters shall be reviewed with priority in conducting the compliance audit on the rules for processing personal information: |
(1) Whether the title or name and contact information of the personal information processor are informed of in a truthful, accurate and complete manner. (2) Whether the personal information collected and the processing method and type of such information are set out in an easily accessible form such as a list. (3) Whether the information is directly relating to the purpose of processing and the method with minimum impact on individual rights and interests is adopted. (4) Whether the retention period of personal information or the method for determining the retention period, the method for processing upon expiration of the retention period, and the retention period determined as the minimum time necessary to achieve the purpose of processing are specified, and (5) Whether the ways and methods for people to access, copy, transfer, correct, supplement, delete and restrict the processing of personal information, deregister accounts and withdraw consent are specified. |
4 |
The following matters shall be reviewed with priority in conducting the compliance audit on the obligation of personal information processors to inform the rules for processing personal information: |
(1) Whether the personal information processor informs the individual of the rules for processing personal information in an eye-catching manner and in clear and understandable wording in a truthful, accurate and complete manner prior to the processing of personal information. (2) Whether the size, font and colour of the informed text are convenient for the individual to completely read the informed matters. (3) Whether the informing obligation offline has been performed to the individual by marking, explanation or other means. (4) Whether online notification is provided in the form of text information or through appropriate means to fulfil the obligation to inform individuals. (5) Whether the individual has been informed of the changes in a timely manner in the case of changes to the rules for processing personal information, and (6) Whether the individual falls within the circumstances in which confidentiality shall be maintained or it is unnecessary to inform the individual in accordance with laws and administrative regulations if notification is not required for the processing of personal information. |
5 |
The following matters shall be reviewed with priority in conducting the compliance audit on the personal information jointly processed by a personal information processor and any other personal information processors: |
(1) Whether the respective rights and obligations are agreed upon. (2) The mechanism for protection of personal information rights and interests. (3) The mechanism for reporting personal information security incidents, and (4) Other rights and obligations to be agreed upon as stipulated by laws and administrative regulations. |
6 |
The following matters shall be reviewed with priority in conducting the compliance audit on the processing of personal information entrusted by a personal information processor: |
(1) Whether the personal information processor has conducted the Personal Information Protection Impact Assessment (PIPIA) prior to entrusting its processing of personal information. (2) Whether the contract concluded between the personal information processor and the party entrusted has agreed on the purpose, duration, and method of the entrusted processing, type of personal information and protection measures, as well as the rights and obligations of both parties, and (3) Whether the personal information processor has supervised the personal information processing activities of the party entrusted by means of regular inspection, etc. |
7 |
Where a personal information processor needs to transfer personal information due to reasons such as merger, reorganisation, demerger, dissolution or declaration of bankruptcy, the audit shall focus on whether the personal information processor has informed the individual of the name and contact information of the recipient. |
|
8 |
The following matters shall be reviewed with priority in conducting the compliance audit of a personal information processor who provides the personal information processed to any other personal information processor: |
(1) Whether the individual's consent for processing personal information is obtained if such consent is required. (2) Whether the individual is informed of the name and contact information of the recipient, purpose and method of the processing and types of personal information, unless the information shall be kept confidential, or it is unnecessary to be informed as stipulated by laws and administrative regulations, and (3) Whether PIPIA has been conducted beforehand. |
9 |
The following matters shall be reviewed with priority in conducting the compliance audit on the processing of personal information by a personal information processor using automatic decision-making: |
(1) The transparency of automatic decision-making and whether the automatic decision-making results are fair and impartial. (2) Whether the individual is informed beforehand of the type and possible impact of the processing under automatic decision-making. (3) Whether PIPIA has been conducted beforehand. (4) Whether a protection mechanism is provided for users so that the individual can refuse in a convenient way the decisions made under automatic decision-making methods that have a significant impact on personal rights and interests, and can request personal information processor to explain the decisions made under automatic decision-making methods that have a significant impact on personal rights and interests of users. (5) For information sending or commercial marketing to people, whether options not tailored to personal characteristics are also provided, or whether a convenient method for refusing automatic decision-making service is provided. (6) Whether effective measures have been taken to prevent automatic decision-making from giving unreasonable differential treatment to people in terms of transaction conditions according to consumers' preferences, transaction habits and so on, and (7) Other matters that may affect the transparency of automatic decision-making and the fairness and impartiality of the results thereof. |
10 |
The following matters shall be reviewed with priority in conducting the compliance audit on the public disclosure of personal information by personal information processors based on individual consent: |
(1) Whether the personal information processor has obtained the separate consent of the individual before disclosing the personal information processed, and whether such authorisation is true and valid, and whether such personal information is disclosed against the individual's will, and (2) Whether the personal information processor has conducted PIPIA prior to the disclosure of the individual's personal information. |
11 |
A personal information processor who installs image-collecting and personal identification equipment in public places shall review the legality of the image-collecting and personal information identification equipment and the use of the personal information collected with priority. The review shall include but not be limited to: |
(1) Whether the processing of personal information collected is necessary for maintaining public security; whether the processing of personal information collected is for business purposes. (2) Whether a significant prompting sign is set up, and (3) Whether an individual's separate consent has been obtained if the individual's personal image and identification information collected by the personal information processor are used for purposes other than maintaining public security. |
12 |
In conducting the compliance audit on a personal information processor's processing of disclosed personal information, whether the personal information processor has committed any of the following illegal activities shall be reviewed with priority: |
(1) Sending commercial information that is irrelevant to the purpose of disclosure to the e-mail, mobile phone numbers etc. contained in the disclosed personal information. (2) Using disclosed personal information to engage in cyber-violence, disseminating rumours and false information online and other activities. (3) Processing disclosed personal information where the individual concerned explicitly refuses such processing. (4) Failure to obtain the individual's consent where there is significant impact on the individual's rights and interests, and (5) Exceeding the reasonable scope of the scale or duration or the purpose of use on collection, retention or processing of disclosed personal information thereof. |
13 |
The following matters shall be reviewed with priority in conducting the compliance audit on a personal information processor's processing of sensitive personal information: |
(1) When processing personal information based on the individual’s consent, whether the individual's separate consent has been obtained beforehand for the processing of sensitive personal information such as biometric information, religious belief, specific identity, medical health, financial accounts and whereabouts, etc. (2) Whether consent of the minor's parents or other guardians is obtained beforehand when processing personal information of a minor under the age of 14 based on the individual’s consent. (3) Whether the purpose, method or scope of processing sensitive personal information is legitimate, justifiable and necessary. (4) Whether PIPIA has been conducted beforehand. (5) Whether the individual has been informed of the necessity to process his/her sensitive personal information and the impact on his/her personal rights and interests, unless the confidentiality shall be maintained, or it is not necessary to be informed as stipulated by laws and administrative regulations. (6) Whether written consent has been obtained for the processing of which a written consent is required as stipulated by laws and administrative regulations, and (7) Whether the restrictive provisions of laws and administrative regulations on the processing of sensitive personal information are complied with. |
14 |
The following matters shall be reviewed in conducting the compliance audit on a personal information processor's processing of the personal information of minors under the age of 14: |
(1) Whether specialised rules have been formulated for processing personal information. (2) Whether the minors and their guardians have been informed of the purpose, method and necessity of the processing of the personal information of minors, as well as the type of personal information to be processed and the adopted protection measures, etc., unless it is not necessary to be informed as stipulated by laws and administrative regulations, and (3) Whether there is the practice of compulsorily requiring minors or their guardians to give consent to process unnecessary personal information in processing personal information based on the consent of the individual concerned. |
15 |
The following matters shall be reviewed with priority in conducting the compliance audit on a personal information processor's provision of personal information abroad: |
(1) Whether the provision of personal information abroad by a Critical Information Infrastructure Operator (CIIO) has been subject to the security assessment organised by the national cyberspace administration, unless it is otherwise provided for in laws, administrative regulations or by the national cyberspace administration authority. (2) Whether the provision of personal information (excluding sensitive personal information) of more than 1 million people or sensitive personal information of more than 10,000 people in total abroad by a data processor other than a Critical Information Infrastructure Operator (CIIO) as of January 1 of the current year has been subject to the security assessment organised by the national cyberspace administration, unless it is otherwise provided for in laws, administrative regulations or by the national cyberspace administration authority. (3) Whether the provision of personal information (excluding sensitive personal information) of more than 100,000 people but less than 1 million people or sensitive personal information of less than 10,000 people in total abroad by a data processor other than a CIIO as stipulated by the national cyberspace administration has been certified in terms of personal information protection in accordance with the provisions of the national cyberspace administration, or a contract has been entered into with the overseas recipient in accordance with the Standard Contract Clauses (SCCs) developed by the national cyberspace administration and filed for record with the local cyberspace administration at the provincial level, or other conditions stipulated by laws, administrative regulations or by the national cyberspace administration are met. (4) In the case of the provision of personal information stored within the territory of the People's Republic of China to foreign judicial or law enforcement authorities, whether such provision has been approved by the relevant authorities of the People's Republic of China, and (5) Whether the personal information is provided to any organisation or person included in the list of organisations or persons to whom personal information provision is restricted or prohibited. |
16 |
The following matters shall be reviewed with priority in conducting the compliance audit on the protection of the right to delete personal information: |
(1) Whether the purpose of personal information processing has been achieved, cannot be achieved or it is no longer necessary to achieve the purpose of personal information processing. (2) Whether the personal information processor has ceased to provide products or services, or whether the individual concerned has deregistered his/her account. (3) Whether the retention period has expired. (4) Whether the individual concerned withdraws his/her consent. (5) Whether the personal information processor processed personal information in violation of laws, administrative regulations or the agreement, and (6) Whether the personal information processor has ceased processing other than storing and adopting necessary security measures where the retention period has not expired as prescribed by laws and administrative regulations, or it is difficult to delete the personal information technically. |
17 |
The following matters shall be reviewed with priority in conducting the compliance audit on the protection of the rights of individuals in personal information processing activities carried out by a personal information processor: |
(1) Whether a convenient mechanism for accepting and processing applications for individuals to exercise their rights has been established. (2) Whether the response to an individual's application for exercise of his/her rights is timely made; and whether the individual has been notified of the processing opinions or the execution results in a timely, complete and accurate manner, and (3) Whether the reasons have been stated to the individual in the case of refusal of the individual's request for exercise of his/her rights. |
18 |
A personal information processor shall respond to the applications filed by individuals and explain its rules on processing personal information, and evaluate the following matters in conducting the compliance audit: |
(1) Whether the personal information processor has provided convenient ways and channels to accept and deal with individuals' requests for the interpretation of its rules on processing personal information, and (2) Whether the personal information processor has explained its personal information processing rules in plain language within a reasonable period after receiving the request of an individual. |
19 |
A personal information processor shall, in accordance with the provisions of laws and administrative regulations, formulate an internal management system and operating procedures, to specify its organisational structure and job responsibilities, establish a workflow, and improve its internal control system, so as to ensure the compliance and security of its processing of personal information. In conducting the compliance audit, the personal information processor's internal management system and operating procedures for the protection of personal information shall be reviewed with priority, including but not limited to: |
(1) Whether the guidelines, objectives and principles of personal information protection are in compliance with laws and administrative regulations. (2) Whether the organisational structure, staffing, code of conduct and management responsibilities for the protection of personal information adapt to the responsibilities to be performed for personal information protection. (3) Whether personal information has been classified according to the type, source, sensitivity and purpose of personal information. (4) Whether an emergency response mechanism for personal information security incidents has been established. (5) Whether a Personal Information Protection Impact Assessment (PIPIA) system and a compliance audit system have been established. (6) Whether a smooth process for accepting complaints and whistleblowing about personal information protection has been established. (7) Whether the permission to process and operate personal information has been reasonably set. (8) Whether a security education and training program on personal information protection has been formulated and implemented. (9) Whether a performance evaluation system has been established for the person in charge of personal information protection and the relevant personnel. (10) Whether a responsibility system has been established for dealing with personal information illegalities, and (11) Other matters as prescribed by laws and administrative regulations. |
20 |
A personal information processor shall adopt technical security measures appropriate for the scale and type of the personal information processed by it and evaluate the effectiveness of the technical measures adopted. The evaluation shall include but not be limited to: |
(1) Whether corresponding technical security measures have been adopted to realise the confidentiality, integrity and availability of personal information. (2) Whether technical security measures such as encryption and de-identification have been adopted to ensure that the identifiability of personal information is eliminated or reduced without the use of additional information, and (3) Whether the technical security measures adopted can reasonably determine the operation permissions of relevant personnel to access, copy and transmit personal information, thereby reducing the risks of unauthorised access and abuse of personal information in the processing. |
21 |
The following matters shall be evaluated with priority in conducting the compliance audit on the formulation and implementation of an education and training plan by a personal information processor: |
(1) Whether the personal information processor has provided the corresponding security education and training for its management personnel, technical personnel, operators and all staff as planned, and assessed the awareness and skills of relevant personnel for personal information protection, and (2) Whether the content, method, object and frequency etc. of the training can meet the needs of personal information protection. |
22 |
The following matters shall be reviewed with priority in conducting the compliance audit on the performance of responsibilities by the person in charge of personal information protection designated by a personal information processor: |
(1) Whether the person in charge of personal information protection has the relevant work experience and professional knowledge and is familiar with the relevant laws and administrative regulations on personal information protection. (2) Whether the person in charge of personal information protection has specific and clear responsibilities, and whether he/she is authorised to coordinate the internal departments and personnel concerned of the personal information processor. (3) Whether the person in charge of personal information protection has the right to put forward relevant opinions and suggestions prior to the decision of significant matters relating to the processing of personal information. (4) Whether the person in charge of personal information protection has the right to stop the non-compliance in the processing of personal information within the personal information processor and to take necessary corrective measures, and (5) Whether the personal information processor has disclosed the contact information of the person in charge of personal information protection and submitted the name and contact information of the person in charge of personal information protection to the protection authorities. |
23 |
In conducting the compliance audit on the PIPIA conducted by a personal information processor, the review shall be focused on the implementation of the impact assessment and assessment contents: |
(1) Whether the personal information processor has conducted the PIPIA before its processing of personal information that has a significant impact on personal rights and interests in accordance with the provisions of laws and administrative regulations. (2) Whether the personal information processor has conducted a lawful, proper and necessary assessment of the purpose and method of its processing of personal information. (3) Whether the personal information processor has conducted an assessment of the impact on personal rights and interests and of the security risks, and (4) Whether the personal information processor has conducted an assessment of the legality and effectiveness of the protection measures taken and of the measures' adaptability to the degree of risk. |
24 |
The personal information processor shall develop an emergency response plan for personal information security incidents. In conducting the compliance audit, the comprehensiveness, effectiveness and executability of the emergency response plan shall be evaluated, including but not limited to the following matters: |
(1) Whether the personal information processor has made a systematic assessment and forecast of the personal information security risks it faces in light of its business practices. (2) Whether the general requirements, basic strategies, organisational structure, personnel, technology and material support, command and disposal procedures, emergency and supporting measures, etc. are sufficient to respond to the forecasted risks, and (3) Whether the personal information processor has provided training on the emergency response plan for the relevant personnel and regularly conducted drills of the emergency response plan. |
25 |
The following matters shall be reviewed with priority in conducting the compliance audit on a personal information processor's emergency response and processing of personal information security incidents: |
(1) Whether the personal information processor has promptly ascertained the impact, scope and possible hazards of a personal information security incident, analysed and determined the causes of the incident, and put forward measures and plans for preventing the expansion of the damage in accordance with the emergency response plan and operating procedures. (2) Whether the personal information processor has established notification channels to promptly notify the protection authorities and people of the occurrence of a security incident in accordance with the relevant provisions, and (3) Whether the personal information processor has taken corresponding measures to minimise the potential losses and risks of harm caused by a personal information security incident. |
26 |
The following matters shall be reviewed with priority in conducting the compliance audit of the platform rules formulated by a personal information processor that provides important Internet platform services, has a huge number of users and has complicated business types: |
(1) Whether the platform rules contravene any laws or administrative regulations. (2) The effectiveness of the personal information protection provisions of the platform rules, and whether the rights and obligations of the platforms, products or service providers in the platform to protect personal information are reasonably defined, and (3) The implementation of the platform rules, and whether the effective implementation of platform rules has been verified through methods such as sampling. |
27 |
In conducting the compliance audit on the social responsibility report on personal information protection issued by a personal information processor that provides important Internet platform services, has a huge number of users and has complicated business types, the disclosure of the following matters of the social responsibility report shall be reviewed with priority: |
(1) The organisational structure and internal management of personal information protection. (2) The development of personal information protection capability. (3) The measures taken for personal information protection and the effects thereof. (4) Acceptance of applications filed by individuals for the exercise of rights. (5) The performance of responsibilities by the independent supervision body. (6) The handling of serious personal information security incidents. (7) Popularisation and publicity of science and public welfare activities that promote social co-governance of personal information protection, and (8) Other matters prescribed by laws and administrative regulations. |