- Time period to fulfill a DSR request: The PIPL provides that personal information handlers shall fulfill the DSR requests in a timely manner. It does not provide the specific timeline and extension period requirements.
- Denial of a DSR request: If personal information handlers reject a DSR request, then they are required to explain the reason for doing so. Individuals may file a lawsuit with a People's Court according to the law to challenge the rejection of their DSR requests.
- DSR mechanism: The PIPL requires that personal information handlers shall establish mechanisms to accept and process requests from individuals to exercise their rights.
- Inherited Rights: All DSRs extend beyond an individual’s death and can be exercised by the next of kin of the decedent, unless otherwise arranged by the decedent during their lifetime.
1. Data Protection Program:
As per the obligations set out under Chapter V of the PIPL, personal information handlers should have a data protection program in place. The PIPL also provides a non-exhaustive list of specific program measures, such as:
- Implementing a classified management system for personal information
- Formulating internal management structures and operating rules
- Conducting regular compliance audits and privacy impact assessments
- Adopting corresponding technical security measures such as encryption and de-identification
- Employee awareness and training
- An individual rights request mechanism
- Security breach response and reporting requirements
Personal information handlers are required to appoint Personal Information Protection Officers (also called DPOs) in specific situations, depending on the volume of personal information processed. Personal information handlers shall disclose the methods of contacting the DPO and report the names of the officers and their contact methods to the departments fulfilling personal information protection duties and responsibilities.
Personal information handlers handling the personal data of more than one million individuals are required to report the DPO’s details to the relevant municipal cyberspace authority:
- Within 30 working days of crossing the one million threshold, or
- By 29 August 2025 if they already exceed the threshold.
They must also update authorities within 30 working days if any reported details change.
Personal information handlers outside the borders of China are required to establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they handle. Such entities must provide the name and contact method of the representative to the relevant departments responsible for implementing the PIPL.
Personal information handlers must conduct a personal information protection impact assessment before the processing in one of the following scenarios:
- Handling sensitive personal information;
- Using personal information to conduct automated decision-making;
- Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
- Providing personal information abroad;
- Other personal information handling activities with a major influence on individuals.
The content of the personal information protection impact assessment shall include:
- Whether or not the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
- The impact on individual’s rights and interests, and the security risks; and
- Whether protective measures undertaken are legal, effective, and suitable to the degree of risk.
Personal information protection impact assessment reports and handling status records shall be preserved for at least three years.
Moreover, as per the Personal Information Protection Compliance Audit Management Measures, personal information processors managing data of over 10 million individuals must conduct audits every two years. They are obligated to cooperate with the audit, correct any identified issues, and report to the relevant authorities. If processing information of more than 1 million individuals, the personal information processors shall designate a person responsible for audits. In cases of significant risks or large-scale data breaches, audits can be performed by specialized organizations.
4. Security Breach Mechanism and Notifications:
In the event of a security breach, the PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. Where adopted measures can effectively avoid security breach harms, personal information handlers do not have to notify individuals.
Furthermore, the Data Security Regulations emphasize breach prevention and incident response. There is a 24-hour requirement for notification of breaches impacting national security or public interest.
5. Requirements of Entrusted Parties (Third Parties Processors):
If personal information handlers engage entrusted parties for the handling of personal information, they are required to conclude an agreement with the entrusted parties on the purpose of the entrusted handling, the time limit, the handling method, the categories of personal information, the protection measures, and the rights and duties of both sides, and to supervise the personal information handling activities of the entrusted parties.
Entrusted parties shall handle personal information according to the agreement, and are required to take necessary measures to safeguard the security of the personal information they handle and assist personal information handlers in fulfilling the obligations provided in the PIPL.
The PIPL requires personal information handlers that provide internet platform services to a “large” number of users and have complex business models to:
- Establish and complete personal information protection compliance structures;
- Establish an independent body to supervise personal information handling;
- Follow the principles of openness, fairness, and justice;
- Immediately cease their service offerings when in serious violation of the law; and
- Regularly publish reports on the social responsibility of personal information handling.
For the cross-border transfer of personal information, personal information handlers must provide notices to individuals explaining the details of the transfer and obtain their specific consent for the transfer of their personal information. The PIPL also imposes an obligation on personal information exporters to ensure data protection standards are met after the transfer.
Personal information handlers are also required to meet one of the following conditions:
- Passing a security assessment organized by the CAC and informatization department (this requirement is for the operators of Critical Information Infrastructure and organizations that transfer personal information of more than one million individuals or sensitive personal information of more than 10,000 individuals); or
- Undergoing personal information protection certification conducted by a specialized body according to provisions by the CAC and informatization department (this is a requirement for organizations that transfer personal information of between 100,000 and one million individuals; or sensitive PI of less than 10,000 individuals); or
- Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the cyberspace and information department, agreeing upon the rights and responsibilities of both sides (this is a requirement for organizations that transfer personal information of between 100,000 and one million individuals; or sensitive PI of less than 10,000 individuals); or
- Other conditions provided in laws or administrative regulations or by the State cybersecurity and information department.
The thresholds have been added by the Regulations on Promoting and Standardizing the Cross-border Flow of Data. These regulations also grant exemptions from security assessments for data transfers related to trade, transport, academia, non-important or non-personal business data, contractual obligations, employee management, and emergencies.
Furthermore, the Data Security Regulations expand on the relaxations by introducing additional legal bases for cross-border data transfers. In addition to the existing three mechanisms, businesses may now rely on the following justifications:
- transfers necessary for contract signing or performance;
- transfers of employee data necessary for cross-border human resources management;
- emergency situations;
- transfers necessary for performing mandatory duties; or
- transfers permitted under other laws and regulations.
It’s also important to note that operators of Critical Information Infrastructure and entities that transfer a large volume of personal information must store personal information collected in China locally and, if a transfer is necessary, undergo a security assessment. The PIPL also explicitly allows the cross-border transfer of personal information when treaties or international agreements are in place.
If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, personal information handlers must file an application with the relevant competent authority for approval.
Automated Decision Making
For automated decision-making, the PIPL prescribes the following strict requirements for personal information handlers:
- Personal information handlers must guarantee the transparency, fairness, and reasonableness of the results of automated decision-making.
- Personal information handlers must not engage in unreasonable differential treatment of individuals in trading conditions; the PIPL specifically prohibits price discrimination through automated decision-making.
- If using automated decision-making for targeted marketing offerings, personal information handlers must provide an option for individuals to receive information that is not based on their personal characteristics, or offer a convenient method of refusal.
Regulatory Authority and Enforcement
The PIPL does not create an independent regulatory authority to oversee its compliance. The Cyberspace Administration of China is the primary body responsible for data protection enforcement, but several other State Council departments may also enforce the PIPL.
Non-compliance includes unlawfully processing personal information or failing to adopt the necessary security protection measures required by the PIPL and its implementing regulations. The departments fulfilling data protection duties may order a correction, confiscate unlawful income, and issue a warning. The PIPL prescribes the following penalties for violations and non-compliance:
- An organization that refuses to correct the violations may be subject to baseline fines of up to 1 million RMB.
- If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year.
- The personnel who are directly responsible for the personal information processing may be fined up to RMB 1 million.
- The PIPL also provides a private right of action to individuals.
How Securiti Can Help
Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PIPL, as well as other privacy and security regulations all over the world. See how it works. Request a demo today.