Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

China: CAC requests comments on administrative measures for auditing data protection

On August 3, 2023, the Cyberspace Administration of China (CAC) released the Administrative Measures for Compliance Auditing of Personal Information Protection (Draft for Comment) and is requesting public comments on the same.


The draft measures require personal information processors that process the personal information of more than one million people to conduct a personal information protection compliance audit at least once a year; conversely, other personal information processors must conduct a personal information protection compliance audit at least once every two years.

Entrusted professional institutions

The draft measures outline specific requirements associated with the use of entrusted professional institutions, including the authority they have, and timelines. Specifically, such institutions will have 90 working days to conduct a personal information protection compliance audit in accordance with the requirements of the department performing personal information protection duties. Where the situation is complicated, an extension may be made after the approval of the department responsible for information protection. Furthermore, the draft measures impose specific requirements on such entrusted professional institutions, including requirements to remain independent, objective, honest, and fair.

Reference points

The draft measures outline key points that should be reviewed during audits. Specifically, the draft measures clarify that the audit should review, among other things:

  • the legality of personal information processing activities;
  • personal information processing rules and notification requirements;
  • vendor management and automated decision-making to process personal information;
  • cross-border data transfers; and
  • individual rights.

Specific questions and factors that should be considered are elaborated in the draft measures.

Furthermore, the draft measures require personal information processors to:

  • formulate contingency plans for personal information security incidents;
  • establish internal management systems and operating procedures in accordance with the provisions of laws and administrative regulations;
  • clarify the organizational structure and job responsibilities; and
  • establish work procedures, improve internal control systems, and ensure compliance and security of personal information processing, which will be reviewed during the audit.

Public comments can be submitted via email to [email protected] until September 2, 2023.

You can read the press release and the draft measures, only available in Chinese, here.