China CAC Issues Guidance on Conducting Audits
Categories: International

On April 29, 2026, the Cyberspace Administration of China (“CAC”) released an official Q&A document (available only in Chinese) (the “Guidance”) on personal data audits. The Guidance is intended to help data handlers (i.e., controllers) understand and comply with the personal data audit framework under Chinese data protection laws, some of which are listed below.

The Guidance answers several practical questions relating to personal data audits, including how to count the number of individuals whose personal data is being processed, how frequently personal data audits must be conducted, and what audits of the processing of minors’ personal data must cover. The Guidance details the following:

  • Several key regulations in China (including the Network Data Security Management Regulations, the Personal Information Protection Compliance Audit Management Measures, and the rules on cross-border data transfers) set thresholds based on how many individuals’ personal data a data handler processes. The CAC clarified that these thresholds are inclusive of the stated number (e.g., “more than 10 million” includes exactly 10 million), and that the count should reflect the number of natural persons whose personal data is currently being processed; records that have been deleted are excluded from the count.
  • The Guidance addresses how often data handlers must conduct personal information protection compliance audits. The Personal Information Protection Law (“PIPL”) requires all personal data handlers to conduct compliance audits on a regular basis. The Compliance Audit Management Measures set minimum frequencies that depend on the number of individuals whose personal data is processed: (1) more than 10 million individuals: at least once every two years; (2) between 1 million and 10 million individuals: at least once every three to four years (per national standard guidance); and (3) up to 1 million individuals: at least once every five years. Data handlers are expected to formalize these timelines in an internal compliance audit policy and may refer to the relevant national standards when determining the exact cadence.
  • The Guidance also sets out what data handlers must cover when auditing their handling of the personal data of minors (individuals under 18 years old under Chinese civil law). Under the Regulations on the Protection of Minors in Cyberspace, any data handler that processes the personal information of minors must conduct a dedicated compliance audit annually (either internally or through an accredited third party) and report the results to the CAC and other relevant authorities. This obligation applies regardless of whether the data handler formally identifies or verifies users as minors: if there is any possibility that the personal data of minors is being processed, the audit requirement is triggered. The scope of such audits should align with the PIPL, the Network Data Security Management Regulations, the Provisions on the Protection of Children's Personal Information Online, and the Compliance Audit Management Measures, and may draw on national technical standards for detailed audit criteria.
