China’s Cyberspace Administration (CAC) launched an online registration system for Data Protection Officers (DPOs) on July 18, 2025, requiring organizations processing personal information of more than 1 million people to report their DPO information to local authorities. The new system marks a major enforcement step under China’s Personal Information Protection Law (PIPL).
According to Article 52 of the PIPL and Article 12 of the Measures for the Administration of Personal Information Protection Compliance Audits, data controllers handling personal information of more than 1 million people must complete formalities for reporting DPO information to the internet information department of the city divided into districts where they are located.
The registration portal operates through the “Personal Information Protection Business System” available at https://grxxbh.cacdtsc.cn or accessible via the China Internet Info Community homepage. The system provides a centralized platform for organizations to submit required documentation and track submission status.
Organizations face tight deadlines under the new requirements. Controllers already processing personal information of 1 million individuals before the announcement must complete information reports by August 29, 2025. Organizations reaching the 1 million threshold after July 18, 2025, have 30 working days from reaching that number to submit their reports.
For organizations operating as company groups or maintaining multiple branches, the head office can carry out information reporting procedures in a unified manner. Multiple related processors, including subsidiaries, office chains, and third-party service companies, can jointly fulfill submission procedures.
The system requires comprehensive documentation packages. Organizations must submit basic information reporting forms for personal information processors, personal information protection officer information forms, scanned copies of unified social credit code documents, identification documents for legal representatives and DPOs, position certification documents with official seals, authorization letters, and letters of undertaking.
Technical submission process demands detailed organizational information
The registration process involves multiple stages beginning with account creation. Users must create login credentials using 4-14 digit combinations of numbers and letters, with passwords requiring 6-12 characters including numbers, letters, and special characters. The system requires mobile phone numbers capable of receiving SMS verification codes.
After successful login, users access the “Personal Information Protection Officer Information Reporting System” where they complete subject information forms. Key requirements include ensuring the province and location fields match those registered in unified social credit code documents. The system defaults phone numbers to those used for account registration, which receive SMS notifications about submission progress.
Organizations must upload comprehensive information about their data processing activities. This includes details about the scale of personal information handling measured in millions of individuals, monthly active user counts, types of personal information processed, and specific information about handling minors’ data for those under 14 years of age.
The system captures extensive technical details about data collection methods. Organizations report whether they collect information through mobile applications, websites, offline channels, or other means. They must provide domain name lists, external service information, and IP address details where applicable.
Rigorous audit process determines compliance status
The CAC completes material inspection within 15 working days of submission. The audit status column displays three possible outcomes: “Information Submission Complete,” “Returned for Improvement,” or “Audit Not Passed.” Organizations can track progress through process information in the operation column.
When submissions receive “Returned for Improvement” status, organizations have 10 working days to supplement and improve materials. Failure to complete improvements within the deadline results in automatic termination of the information submission procedure. Organizations can voluntarily terminate submissions through the system interface.
Submissions marked “Audit Not Passed” indicate non-compliance with information submission requirements and automatically terminate the process. Users can review specific reasons for rejection through process logs in the actions column.
Upon completion of the submission process, submitted information undergoes periodic migration off the internet. Apart from reporting unit names and audit status, all other information becomes unavailable for query and download. Organizations must maintain their own copies of submitted materials for backup purposes.
Significant changes trigger mandatory updates within 30 days
The regulations define substantial changes requiring updated filings within 30 working days. These include changes to basic information forms covering personal information processor details, legal representative information, and DPO information. Changes to overall situations in DPO information submission forms or personal information handling in submitted applications, services, or systems also qualify as substantial changes.
Organizations not handling personal information or processing fewer than 1 million individuals after substantial changes need not report related information. However, those maintaining the 1 million threshold must log into the system, navigate to the information submission page, click “Fill in Information,” upload new materials, and submit for review.
Account cancellation requires completion of all business processes for personal information protection. Users must ensure audit status shows information submission completed, audit failed, or submission terminated before canceling accounts through the “Account Center” interface.
The CAC established contact information for all provincial internet information departments to assist with business and technical issues during the filing process. Contact numbers span 32 jurisdictions including Beijing ((010) 55520121), Shanghai ((021) 64271056), Guangdong ((020) 87100943), and autonomous regions like Xinjiang ((0991) 2384855).
This comprehensive contact network ensures organizations across China can access support during the registration process. The availability of provincial-level assistance reflects the importance placed on proper implementation of the DPO reporting requirements.
The launch of this system represents a major step in China’s data protection enforcement infrastructure. Organizations processing personal data at scale must now navigate complex reporting requirements while maintaining ongoing compliance with evolving regulations. The August 29, 2025 deadline for existing processors creates immediate pressure for rapid compliance across affected organizations.
For the marketing community, these developments signal intensifying global focus on data protection compliance. International organizations operating in China must now factor DPO reporting obligations into their operational frameworks while managing similar requirements in other jurisdictions like Europe, where data protection enforcement continues expanding.
Summary
Who: China’s Cyberspace Administration (CAC) and organizations processing personal information of more than 1 million individuals, including data controllers, personal information processors, legal representatives, and designated Data Protection Officers.
What: Launch of a mandatory online registration system requiring organizations to report DPO information through the “Personal Information Protection Business System,” including comprehensive documentation submission, audit processes, and ongoing compliance obligations for substantial changes.
When: System launched July 18, 2025, with existing processors facing an August 29, 2025 deadline and new organizations having 30 working days after reaching the 1 million threshold to submit reports.
Where: China, through the online portal at https://grxxbh.cacdtsc.cn accessible via China Internet Info Community, with provincial internet information departments providing support across 32 jurisdictions.
Why: Enforcement of Article 52 of China’s Personal Information Protection Law (PIPL) and Article 12 of the Measures for the Administration of Personal Information Protection Compliance Audits, creating systematic oversight of data protection practices for organizations handling large-scale personal information processing.
Key Terms Explained
Data Protection Officer (DPO): A designated individual responsible for overseeing an organization’s data protection strategy and ensuring compliance with privacy regulations. DPOs serve as the primary contact point between organizations and regulatory authorities, conducting privacy impact assessments, training staff on data protection requirements, and monitoring compliance with laws like China’s PIPL or Europe’s GDPR. Their role becomes particularly important for organizations processing large volumes of personal data, as they must balance business objectives with privacy obligations while maintaining independence from operations that determine processing purposes.
Personal Information Protection Law (PIPL): China’s comprehensive data protection framework that governs how organizations collect, process, store, and transfer personal information within Chinese jurisdiction. PIPL establishes fundamental principles for lawful processing, requires explicit consent for sensitive data handling, mandates data localization for critical information infrastructure operators, and imposes significant penalties for violations. The law mirrors aspects of the European GDPR while incorporating unique Chinese characteristics, including specific provisions for cross-border data transfers and enhanced protections for minors’ personal information.
Data Controller: The legal entity that determines the purposes and means of personal data processing activities, bearing primary responsibility for compliance with data protection regulations. Controllers must establish lawful bases for processing, implement appropriate technical and organizational measures, respond to data subject requests, conduct privacy impact assessments, and maintain records of processing activities. In marketing contexts, controllers often include advertisers, publishers, and technology platforms that collect user data for targeting, measurement, or personalization purposes.
Cross-border Data Transfer: The movement of personal data from one jurisdiction to another, requiring specific legal mechanisms to ensure adequate protection levels in destination countries. Organizations must implement safeguards such as adequacy decisions, standard contractual clauses, binding corporate rules, or additional security measures when transferring data to countries lacking equivalent protection standards. These transfers have become increasingly complex as regulators scrutinize international data flows, particularly involving countries with different surveillance frameworks or legal systems.
Unified Social Credit Code: A standardized 18-character identifier assigned to Chinese legal entities and organizations, combining previously separate registration numbers into a single identification system. This code serves as the primary business identifier for regulatory compliance, tax obligations, and administrative procedures, including the new DPO registration requirements. Organizations must ensure consistency between their unified social credit code registration information and data protection filings, as discrepancies can result in compliance issues or application rejections.
Data Localization: Legal requirements mandating that certain categories of personal data must be stored and processed within specific geographic boundaries, typically the country where the data was collected. China implements strict data localization rules for critical information infrastructure operators and requires data protection impact assessments for cross-border transfers exceeding specified thresholds. These requirements significantly impact multinational marketing operations, forcing organizations to redesign technical architectures and data flows to maintain compliance while preserving operational efficiency.
Information Reporting Subject: The organizational entity responsible for submitting data protection compliance documentation to regulatory authorities, typically the legal entity that serves as the data controller within a corporate structure. For multinational organizations or corporate groups, determining the appropriate reporting subject requires careful analysis of legal relationships, data processing activities, and regulatory obligations across different subsidiaries or affiliates. Head offices can often serve as unified reporting subjects for multiple related entities, streamlining compliance procedures while maintaining clear accountability structures.
Personal Information Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction. This broad definition encompasses virtually all interactions with personal data in marketing contexts, from initial data collection through analytics, targeting, measurement, and eventual deletion. Organizations must document processing purposes, implement appropriate safeguards, and ensure processing activities align with stated purposes and legal bases.
Monthly Active Users (MAU): A key performance metric measuring the number of unique individuals who engage with a platform, application, or service within a 30-day period, commonly used to assess user engagement and platform growth. For data protection compliance, MAU figures help organizations determine whether they exceed regulatory thresholds triggering additional obligations, such as China’s 1 million individual requirement for DPO reporting. Accurate MAU calculation requires sophisticated data deduplication and identity resolution to avoid counting the same individual multiple times across different devices or sessions.
Substantial Change: A legal concept defining changes to organizational structure, data processing activities, or compliance posture that trigger mandatory regulatory notifications or updated filings. Under China’s DPO registration requirements, substantial changes include changes to basic organizational information, legal representative details, DPO assignments, or significant alterations to data processing systems and applications. Organizations must establish internal monitoring systems to identify substantial changes and ensure timely regulatory notifications, as failure to report changes within specified timeframes can result in compliance violations and potential penalties.