
Navigating Compliance Audits for Personal Information Protection in China

On February 12, 2025, the Cyberspace Administration of China (CAC) issued the final version of the Measures for the Administration of Compliance Audits on Personal Information Protection (hereinafter the "Measures"). These regulations outline the requirements for companies processing personal information in China to undergo a compliance audit, ensuring adherence to the country's data protection laws.

The Measures, initially released in draft form in 2023, mandate audits to confirm compliance with the Personal Information Protection Law (PIPL) and the Network Data Security Management Regulations. Companies can appoint an internal department or engage a third-party agency to conduct the audit. In certain situations, cybersecurity authorities may require companies to engage a professional institution for this process.

The Measures come into effect on May 1, 2025.

Who Must Conduct Compliance Audits?

Companies processing the personal information of over 10 million individuals must conduct an audit at least once every two years. While no specific audit frequency is mandated for companies processing smaller volumes of personal information, firms handling the data of more than 1 million individuals must designate a compliance officer.


Additionally, companies offering major internet platform services, those with over 50 million registered users or over 10 million monthly active users, and businesses with complex operational models must establish an independent supervisory organization composed primarily of external members.

Conducting a Compliance Audit


Companies can conduct audits internally or via external professional organizations. Those opting for self-audits must follow the Guidelines for Personal Information Protection Compliance Audits, issued alongside the Measures. However, cybersecurity authorities may require professional audits in specific cases, including:

  • If personal information processing significantly affects individuals' rights or lacks security measures.

  • When personal data processing presents risks of widespread rights infringement.

  • If a security breach impacts more than 1 million individuals or exposes sensitive information of over 100,000 people.

Professional auditors must maintain confidentiality regarding all obtained personal information, trade secrets, and business data. All relevant information must be promptly disposed of in compliance with legal requirements upon audit completion.

Requirements for Audits by Professional Institutions

If cybersecurity authorities mandate a professional institution audit, the company must:

  • Submit the final audit report to the authorities, signed by company leadership and the auditing institution.

  • Address identified compliance issues and submit a rectification report within 15 working days of completing corrective action.

Compliance Audit Guidelines

The audit guidelines cover 27 assessment areas. Three key areas include:

1. Legal Basis for Personal Information Processing

Audits must verify that companies comply with legal requirements for data processing, particularly:

| Review Item | Legal Requirement | Legislation |
|---|---|---|
| Is voluntary, informed consent obtained? | Personal data can only be processed with user consent. | Article 13(1), PIPL |
| Is new consent required for changes in data processing? | Any change in processing purpose, method, or data type requires renewed consent. | Article 14(2), PIPL |
| Is separate or written consent required for specific cases? | If mandated by law, additional consent must be obtained. | Article 14(1), PIPL |
| Are there lawful exceptions to requiring consent? | Certain cases, such as contractual necessity or public interest, allow processing without consent. | Article 13(2-7), PIPL |

2. Compliance with Personal Information Processing Rules

The audit must assess:

  • Accuracy and transparency of company contact information.

  • Clarity in listing collected data and processing methods.

  • Whether processing methods minimize risks to personal rights.

  • Defined retention periods for personal information and disposal methods post-expiration.

  • Accessibility for individuals to manage their personal data (view, correct, delete, transfer, etc.).

| Review Item | Legal Requirement | Legislation |
|---|---|---|
| Are company details true and accessible? | Companies must disclose contact information transparently. | Article 17(1), PIPL |
| Are data types and processing methods clearly listed? | Users must be informed about data collection and usage. | Article 17(2), PIPL |
| Is data processing limited to intended purposes? | Data must be collected with minimal impact on rights. | Article 6, PIPL |
| Are retention periods defined? | Data retention should be the shortest time necessary. | Articles 17(2), 19, 21(3), PIPL |
| Are user rights outlined for data access and management? | Companies must enable data access, correction, and deletion. | Article 21(4), Network Data Security Management Regulations |

3. Compliance with Cross-Border Data Transfer Regulations

Audits must ensure compliance with China’s strict rules on cross-border data transfers, particularly for companies classified as Critical Information Infrastructure Operators (CIIOs).

| Review Item | Legal Requirement | Legislation |
|---|---|---|
| Has the CAC approved cross-border data transfers for CIIOs? | CIIOs must undergo a security assessment before transferring data overseas. | Article 38, PIPL |
| Have non-CIIO companies exporting large amounts of data completed required security assessments? | Companies exporting over 1 million individuals’ data must undergo CAC security reviews. | Article 38, PIPL |
| Have companies exporting moderate amounts of data (100,000-1 million users) followed standard contract or certification requirements? | These companies must meet legal standards via contracts or certification. | Article 8, Cross-Border Data Flow Regulations |
| Has data transfer to foreign law enforcement been approved? | Approval is required before sharing data with foreign authorities. | Article 41, PIPL |
| Is data transfer restricted to approved foreign entities? | Companies must not transfer data to prohibited entities. | Article 42, PIPL |

Penalties for Non-Compliance

Failure to comply with the Measures can result in substantial fines and business restrictions under the PIPL and Network Data Security Management Regulations.

  • General Violations: Companies can be fined up to RMB 1 million (USD 137,292), and responsible individuals can be fined from RMB 10,000 (USD 1,373) to RMB 100,000 (USD 13,729).

  • Serious Violations: Up to RMB 50 million (USD 6.9 million) or 5% of annual turnover for companies, and fines up to RMB 1 million for individuals. Business operations may be suspended, and executives may be barred from senior roles.

  • Network Data Security Violations: Companies failing to correct infractions may be fined up to RMB 10 million (USD 1.4 million).

Impact on Foreign Companies and Key Changes from Draft Measures

The new audit requirements introduce additional compliance obligations akin to financial audits. However, the final version eases requirements compared to earlier drafts:

  • The threshold for mandatory audits increased from 1 million to 10 million individuals' data, reducing the number of affected companies.

  • Audits are now required biennially instead of annually.

  • No minimum audit frequency is specified for companies processing data from under 10 million users.

While these audits create additional administrative processes, well-prepared companies should find them manageable. Compliance audits offer firms an opportunity to evaluate internal policies and ensure regulatory adherence. Organizations still lacking robust compliance frameworks should take immediate steps to mitigate potential risks and legal exposure.


Can Woodburn help you?

 

Woodburn Accountants & Advisors is one of China’s most trusted business setup advisory firms.


Woodburn Accountants & Advisors is specialized in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to the full outsourcing solution for accounting, tax, and human resource services. Our advisory services can be tailor-made based on the companies’ objectives, goals and needs which vary depending on the stage they are at on their journey.
