Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 28
Privacy Policy Checklist:
Privacy policies informing individuals of the purpose, method, and type of personal data to be collected and provided to other network data handlers (in which case the information of the network data recipient should also be notified) should be displayed in a checklist or similar form.
Obligations for Processing Important Data:
Network data handlers processing important data shall: (i) establish and appoint a dedicated officer and an organisational body responsible for network data security; (ii) conduct a risk assessment prior to providing important data to others (as entrusted processor or data handler) or jointly handling important data with others; (iii) implement technical and organisational measures to ensure network data security and promptly report to competent regulators the data disposal plan and the identity and contact details of data recipients in case of Key Transactions; (iv) conduct annual risk assessments and submit such assessments to the CAC and provincial-level authorities.
China’s Personal Information Protection Compliance Audit Measures
China’s Personal Information Protection Compliance Audit Measures (Audit Measures), finalized by the CAC on February 14, 2025, refine existing obligations under the PIPL and the Network Data Regulation. Effective May 1, 2025, the rules establish a dual-track audit framework: mandatory periodic audits for high-volume data handlers and authority-triggered audits for data handlers facing significant risks or breaches.
The Audit Measures provide further guidance on the conduct of personal information protection compliance audits (Data Audit), the selection of professional institutions to conduct Data Audits, the frequency of audits, and the obligations of personal information handlers and professional institutions during Data Audits.
Key Requirements include:
Regular Data Audit:
· Personal data handlers processing personal data of over 10 million China-based individuals must conduct Data Audits every two years.
· Accordingly, personal data handlers processing personal data of fewer than 10 million China-based individuals are given some flexibility and are not obliged to conduct a Data Audit every two years. Pursuant to the Q&A Session regarding the Audit Measures, they should reasonably determine the frequency of Data Audits based on their own conditions.
· Other sector-specific rules (e.g., annual audits for minors’ data under the Regulations on the Protection of Minors in Cyberspace) may impose stricter obligations.
Authority-Instigated Audit:
The Audit Measures clarify three specific scenarios in which the competent authorities may order a personal information handler to engage a professional institution to conduct Data Audits:
· Where there are significant risks in personal information processing activities, e.g., a serious impact on personal rights and interests or severely inadequate security measures;
· Where there are personal information processing activities that may infringe on the rights of numerous individuals; and
· Where there are personal information incidents leading to the leakage, tampering, loss, or destruction of personal information of over 1 million individuals or of sensitive personal information of over 100,000 individuals.