On February 14, 2025, the Cyberspace Administration of China officially released the Administrative Measures for Personal Information Protection Compliance Audits (“Compliance Audit Measures”), which will take effect on May 1, 2025. The personal information protection compliance audit (“Compliance Audit”) system established by the Personal Information Protection Law (2021) (“PIPL”) is now entering the implementation phase.
Here, we will highlight the key points of the Compliance Audit Measures in a Q&A format.
1. Are Compliance Audits mandatory for enterprises?
Yes, Compliance Audits are mandatory for all enterprises processing personal information within China. This is required under Article 54 and Article 64 of the PIPL, and Article 27 of the Regulations on Network Data Security Management (2025) (“Network Data Regulations”).
This means that enterprises processing personal information will need to determine internally the frequency, responsibility, procedures and other relevant matters for conducting regular Compliance Audits to review, evaluate, and supervise their personal information protection measures.
2. What is the difference between a Compliance Audit and routine compliance management programs?
A Compliance Audit, as defined by the Compliance Audit Measures, is a supervisory activity that reviews and evaluates whether an enterprise’s personal information processing activities comply with laws and administrative regulations. It differs from routine compliance management in several key ways:
- Independence: The core feature of an audit is its independence. Compliance Audits are generally separate from daily compliance management activities and act as the final line of defense in an enterprise’s risk management system.
- Evaluation Object: Compliance Audits focus on the execution and effectiveness of routine compliance management activities. Reports, evaluation results, and records from these routine activities provide critical evidence for the audits.
- Evaluation Scope: Routine compliance work typically targets specific projects or personal information processing activities. In contrast, a Compliance Audit involves a comprehensive review and evaluation of the overall compliance of an enterprise’s personal information processing activities with laws and administrative regulations.
3. When should enterprises conduct Compliance Audits?
There are two types of Compliance Audits contemplated under the Compliance Audit Measures, namely self-initiated audits and audits mandated by the regulatory authorities in specific circumstances.
3.1 Self-initiated Compliance Audits by enterprises
For self-initiated Compliance Audits, Article 54 of the PIPL and Article 27 of the Network Data Regulations only require that Compliance Audits be conducted “regularly” without providing the exact frequency. The Compliance Audit Measures further stipulate that personal information processors processing the personal information of more than 10 million individuals must conduct at least one Compliance Audit every two years. However, for those processing the personal information of fewer than 10 million individuals, the Compliance Audit Measures do not impose a mandatory frequency for their Compliance Audits.
When determining the frequency of self-initiated Compliance Audits, the following aspects will need to be taken into consideration.
- Determine whether the total amount of personal information processed is more than 10 million individuals: The Compliance Audit Measures do not specify how to calculate this figure. In practice, enterprises may have different roles of personal information processing in various business scenarios. For instance, an enterprise might act as a personal information processor in one scenario and an entrusted processor in another. Whether the personal information processed in all these scenarios should be included in the total calculation requires further clarification.
- Special audit requirements for specific types of personal information or industry sectors: The relevant enterprises will also need to further evaluate whether they are subject to other legal requirements which prescribe the frequency of compliance audits. For example, according to Article 37 of the Regulations on the Protection of Minors in Cyberspace (2023), personal information processors must conduct, or entrust a professional agency to perform, an annual compliance audit of their processing of minors’ personal information and report the audit results to the cyberspace administration. It is suggested that enterprises evaluate whether their business models or personal information processing activities could trigger these requirements or other existing or future industry-sector requirements.
In addition to the above, enterprises may consider factors such as the scale and sensitivity of the personal information processed, potential changes in business and personal information processing activities, global compliance arrangements, data security incidents and breaches, and relevant internal and external environmental factors, to establish a reasonable Compliance Audit system.
3.2 Compliance Audits mandated by the regulatory authorities
In addition to self-initiated Compliance Audits, regulatory authorities can require enterprises to appoint professional agencies to conduct Compliance Audits of their personal information processing activities when significant risks are identified or personal information security incidents occur. This includes:
(1) Identifying major risks that severely affect personal rights or lack adequate security measures;
(2) Personal information processing activities potentially infringing on the rights of many individuals; and
(3) Personal information security incidents involving the leakage, tampering, loss, or destruction of the personal information of more than one million individuals or the sensitive personal information of more than 100,000 individuals.
For Compliance Audits mandated by the regulatory authorities, enterprises are required to:
(1) Cooperate and assist with the Compliance Audit: they must provide necessary support for the professional agency to conduct the Compliance Audit and bear the audit costs.
(2) Complete the Compliance Audit on time: they must ensure that the Compliance Audit is completed within the time frame specified by the regulatory authorities. For complex situations, extensions may be granted by the regulatory authorities.
(3) Implement rectifications: they are required to implement the rectification advice provided by the professional agency.
(4) Submit the Report to the authorities: they will need to submit the Compliance Audit report and rectification result to the regulatory authorities.
4. Is a professional agency required for a Compliance Audit?
For self-initiated Compliance Audits, enterprises have the option to either perform the audits internally or appoint a third-party professional agency. For Compliance Audits mandated by regulatory authorities, enterprises are required to engage a third-party professional agency to carry out the Compliance Audit.
The Compliance Audit Measures stipulate that personal information processors processing personal information of more than one million individuals must appoint a personal information protection officer to oversee the Compliance Audit.
For personal information processors providing important internet platform services with a large user base and complex business types, the Compliance Audit Measures require the establishment of an independent body, primarily composed of external members, to supervise the Compliance Audit. It remains to be seen which enterprises will be classified as such processors and how these independent bodies will be established and operated.
For enterprises conducting internal compliance audits, it is crucial to ensure the independence of the audit team. According to the national standard Data Security Technology – Personal Information Protection Compliance Audit Requirements (Draft for Comments), internal audit personnel should avoid auditing business areas for which they are responsible and should not participate in the daily operations or personal information security protection of the audited entities. If a dedicated personal information protection compliance audit team is not established, personnel should be selected from internal audit teams, security teams, legal teams, or other teams with relevant expertise while maintaining independence. The proportion of personnel from each team should be reasonable, and the audit team leader should approve the list of personnel.
When enterprises appoint third-party professional agencies to conduct a Compliance Audit, the Compliance Audit Measures stipulate that the same professional agency and its affiliated entities, as well as the compliance audit leader, should not conduct more than three consecutive audits for the same entity. This ensures the objectivity and impartiality of the compliance audit process.
5. What should be reviewed in a Compliance Audit?
The Compliance Audit Measures outline the key areas that personal information processors or their appointed professional agencies should focus on during a Compliance Audit in its annex, the Guidelines for Personal Information Protection Compliance Audits (“Compliance Audit Guidelines”). The Guidelines consist of five main modules with 27 sections, covering personal information processing rules, rules for the cross-border provision of personal information, protection of the rights of personal information subjects, obligations of personal information processors, and the special responsibilities of large internet platforms.
The key review points in the Compliance Audit Guidelines align with specific provisions in the PIPL and incorporate requirements from other relevant regulations.
6. How is Compliance Audit work carried out in practice?
The Compliance Audit Measures do not specify the detailed procedures, implementation rules, personnel requirements, or evidence documentation for conducting Compliance Audits.
However, before the release of the Compliance Audit Measures, a draft national standard Data Security Technology – Personal Information Protection Compliance Audit Requirements (Draft for Comments) was issued on July 12, 2024 (“Draft Compliance Audit Requirements”). This provides detailed guidelines on the principles, requirements, process, audit content, methods and evidence requirements for Compliance Audits. It also includes templates for audit working papers and audit reports. Although this national standard has not been finalized, its detailed provisions and templates can serve as a practical guide for enterprises.
According to public reports, a series of standards and practice guidelines for Compliance Audits are under development. These forthcoming standards and guidelines will further support the implementation of the Compliance Audit Measures. We will continue to monitor and follow up on the implementation of Compliance Audits.