DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: 13 January 2025

Yes

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Yes

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data
  • the organization employs more than a certain number of individuals in the jurisdiction
  • other

A DPO should be appointed if the volume of personal information processed reaches the threshold prescribed by the CAC (under the Network Data Security Regulations, the threshold is the personal information of more than 10 million individuals) or if important data is being processed. The DPO is responsible for, amongst other things, supervising the personal information / important data processing activities and the protection measures taken.

Pursuant to the recommended national standards, it is suggested that the following organizations designate a person in charge of personal information protection:

  • Organizations whose main business is to process personal information and which have over 200 employees
  • Organizations which currently process personal information of over 1,000,000 individuals or which are expected to process personal information of over 1,000,000 individuals within 12 months
  • Organizations which process sensitive personal information of over 100,000 individuals

In addition, a Critical Information Infrastructure Operator (CIIO) should appoint a person in charge of security management in accordance with the requirements of the classified protection system for cybersecurity (MLPS). This designated person in charge could be deemed to be assuming responsibilities similar to those of a DPO. Further, companies processing "important data" would need to appoint a person responsible for the security management of that "important data."

In certain areas, a so-called Chief Data Officer (CDO) requirement has been rolled out by local governments (e.g., the Shenzhen special economic zone and Guangdong province) as pilot programs. However, such CDO requirements currently apply only to selected governmental departments and agencies, not to the private sector.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: 13 January 2025

Yes

If yes, what are these requirements?

  • other professional qualifications / experience
  • other

Pursuant to PIPL, there is no specific requirement for the DPO. Depending on sector-specific laws, however, the qualifications and experience required of a DPO may vary. For example, DPOs of commercial banks (with independent legal qualifications) must have a minimum number of years of experience in the financial industry, whereas there are no specific requirements for DPOs of CIIOs or of entities processing children's personal information. In addition, it is commonly believed that a DPO should be resident in China.

The Network Data Security Regulations stipulate that the person in charge of network data security management shall have specialized knowledge of network data security and relevant management experience, shall be a member of the network data processor's management, and shall have the right to report directly to the relevant competent authorities on the network data security status of the network data processor. The Network Data Security Regulations further require that a network data processor holding important data of a type and scale specified by the competent authorities shall conduct a security background check on the person in charge of network data security and on personnel in relevant key positions.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: 13 January 2025

No

Routine processing of data generally does not need to be registered with, filed with or notified to the data protection authorities, except in the following circumstances:

  • Upon the occurrence of a data breach, the operator must report the details to the data protection authorities (and notify the affected data subjects) when the applicable triggering circumstances are met.
  • A CIIO must conduct an assessment of the security of its networks and the associated risks at least once a year, and file the assessment report and improvement measures with the relevant authorities.