On 3rd August 2023, the Cyberspace Administration of China issued the draft Administrative Measures for the Compliance Audit of Personal Information Protection (the “Measures”) and the Key Points of Reference for Compliance Audit of Personal Information Protection (the “Key Points”), both of which are currently open for public comment.

Under the Measures, a personal information processor that processes the personal information of more than 1 million individuals shall carry out a compliance audit of personal information protection at least once a year, and any other personal information processor shall carry out such an audit at least once every two years. Where a personal information processor carries out the compliance audit itself, it may, depending on its actual circumstances, designate an internal body within the organisation or entrust a specialised agency to carry out the audit as required by the Measures. A specialised agency shall not conduct more than three consecutive compliance audits of personal information protection for the same processor.

According to the Key Points, the compliance audit of personal information protection shall examine the basic conditions for the legality of personal information processing activities, the rules for processing personal information, the fulfilment of notification obligations, etc. Where a personal information processor entrusts others with the processing of personal information, processes personal information jointly with others, needs to transfer personal information due to merger, reorganisation, division, dissolution or declaration of bankruptcy, or processes personal information using automated decision-making, the audit shall focus on examining certain required matters.

Key Action Points

To conduct compliance audits of personal information protection smoothly, enterprises need to focus on the frequency of regular compliance audits, establishing internal standards and procedures for a compliance audit of personal information protection, identifying the responsible department and its responsibilities, and the requirements and procedures for selecting a specialised agency.

