On July 18, 2025, the Cyberspace Administration of China (“CAC”) issued an announcement (“Announcement”) launching a mandatory online registration system and requiring “personal information processing entities” (equivalent to “data controller” under the EU’s General Data Protection Rules) that process personal information of one million or more individuals to report the details of their personal information protection officer (“DPO”) through the “Personal Information Protection Business System.”

This development follows the finalization of the Measures for Personal Information Protection Compliance Audits (“Audit Measures”), effective May 1, 2025, which clarified the DPO responsibilities in conducting audits and confirmed the appointment threshold (i.e., 1 million individuals).

The obligation to appoint a DPO has been in place since China’s Personal Information Protection Law (“PIPL”) took effect in 2021.  Under the PIPL, entities processing data that exceeds “a certain volume” are required to appoint a DPO and to report certain information about the DPO — including name and contact information — to CAC.  However, the specific threshold triggering this requirement was not defined until the release of the Audit Measures in February 2025.  The Announcement now provides further detail on the reporting process.

The chart below outlines the key requirements regarding the DPO reporting.

Notably, the DPO is responsible for carrying out personal information protection compliance audits according to the Audit Measures.  Under the Audit Measures, large-scale data processing entities (defined as those processing personal information of more than 10 million individuals) must conduct audits at least once every two years.  Other data processing entities are required to carry out audits “regularly,” with non-binding guidance suggesting a frequency of once every five years as a good practice. 

As part of the audit, the following aspects related to DPO appointment should be assessed:

  • Whether a system has been established to evaluate the performance of the DPO and relevant personnel;
  • Whether the DPO has relevant work experience and expertise, and is familiar with personal information protection laws and administrative regulations;
  • Whether the DPO has clear and defined responsibilities and is granted sufficient authority to coordinate internally;
  • Whether the DPO has the authority to provide relevant opinions and suggestions prior to decision-making for significant matters related to personal information processing;
  • Whether the DPO has the authority to stop non-compliant personal information processing practices and take necessary corrective actions; and
  • Whether the personal information processing entity publicly discloses the contact information of the DPO and submits the DPO’s details — including name and contact information — to the regulator.

Failing to appoint a DPO upon meeting the threshold, or to comply with the associated reporting obligations, constitutes a violation of the PIPL.  Companies processing large volumes of personal information in China should promptly assess whether they meet the 1 million individual threshold and, if so, take steps to complete the reporting.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.