China: CAC requests comments on administrative measures for auditing data protection
On August 3, 2023, the Cyberspace Administration of China (CAC) released the Administrative Measures for Compliance Auditing of Personal Information Protection (Draft for Comment) and is requesting public comments on the same.
The draft measures require personal information processors that process the personal information of more than one million people to conduct a personal information protection compliance audit at least once a year, while all other personal information processors must conduct such an audit at least once every two years.
Entrusted professional institutions
The draft measures outline specific requirements associated with the use of entrusted professional institutions, including the authority they have and the applicable timelines. Specifically, such institutions will have 90 working days to conduct a personal information protection compliance audit in accordance with the requirements of the department performing personal information protection duties. Where the situation is complex, this deadline may be extended with the approval of the department responsible for personal information protection. Furthermore, the draft measures impose specific requirements on such entrusted professional institutions, including requirements to remain independent, objective, honest, and fair.
The draft measures outline key points that should be reviewed during audits. Specifically, the draft measures clarify that the audit should review, among other things:
- the legality of personal information processing activities;
- personal information processing rules and notification requirements;
- vendor management and automated decision-making to process personal information;
- cross-border data transfers; and
- individual rights.
Specific questions and factors that should be considered are elaborated in the draft measures.
Furthermore, the draft measures require personal information processors to:
- formulate contingency plans for personal information security incidents;
- establish internal management systems and operating procedures in accordance with the provisions of laws and administrative regulations;
- clarify the organizational structure and job responsibilities; and
- establish work procedures, improve internal control systems, and ensure the compliance and security of personal information processing; these measures will be reviewed during the audit.
Public comments can be submitted via email to [email protected] until September 2, 2023.
You can read the press release and the draft measures, only available in Chinese, here.