March 27, 2025
Introduction to the Administrative Measures for Personal Information Protection Compliance Audit (Mainland China)
On February 12, 2025, the State Internet Information Office issued the Administrative Measures for Personal Information Protection Compliance Audit (hereinafter referred to as the Measures), which will come into force on May 1, 2025. The Measures provide detailed regulations on the conduct of compliance audit activities, the selection of compliance audit institutions, and the frequency of compliance audits, aiming to provide systematic, targeted, and operable norms for personal information processors to conduct personal information protection compliance audits, enhance the legal and compliance level of personal information processing activities, and protect personal information rights and interests.
The Measures specify two situations in which compliance audits are conducted, each with its own audit frequency. The first is self-audit: personal information processors conduct regular compliance audits themselves or entrust them to a professional institution. The second is externally required audit: if the department responsible for personal information protection discovers significant risks in personal information processing activities, potential infringement of the rights and interests of numerous individuals, or the occurrence of a personal information security incident of a certain scale, it may require the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities. It should be noted that processors handling the personal information of over 10 million people must conduct an audit at least once every two years.
The Measures specify the requirements for professional audit institutions. First, they must have the capability to conduct compliance audits, with auditors, premises, facilities, and funds appropriate to the service. Second, they must comply with laws and regulations, remain independent and objective when conducting compliance audits, keep confidential any information learned during the work, and delete it after the audit is completed. Third, they are prohibited from delegating compliance audit work to other institutions. Fourth, the same professional institution and its affiliated institutions, as well as the same compliance audit leader, shall not conduct personal information protection compliance audits on the same audit object more than three consecutive times.
The Measures clarify the obligations that personal information processors should fulfill. If personal information processors are required to conduct compliance audits in accordance with the requirements of the department responsible for personal information protection, they shall assist and cooperate, provide necessary support, and bear audit costs. They shall complete compliance audits within a limited time, submit compliance audit reports, and make necessary corrections as required.
The Measures provide the "Guidelines for Personal Information Protection Compliance Audit" as an attachment, setting out reference points for personal information protection compliance audits. When personal information processors conduct personal information protection compliance audits on their own, or entrust professional institutions to conduct such audits at the requirement of the department responsible for personal information protection, they shall refer to the "Guidelines for Personal Information Protection Compliance Audit". The promulgation of the Measures will push enterprises to improve their personal information processing activities. All enterprises are asked to strengthen the risk assessment of their personal information processing activities and to develop internal personal information compliance audit systems based on the relevant provisions of the Measures and their own characteristics.