China Issues a Notice on DPO Reporting Requirements
Time 2 Minute Read
Categories: International, Cybersecurity

On July 18, 2025, the Cybersecurity Administration of China (the “CAC”) issued a notice on compliance with existing personal information protection officer (“DPO”) reporting requirements under applicable Chinese data protection law.

Both the Personal Information Protection Law of China (“PIPL”) and the Administrative Measures of Compliance Audit on Personal Information Protection of China (“PIPCA”) require data handlers (equivalent to data controllers under the GDPR) subject to the laws to report certain information about their DPO, but neither includes specifics on how to do so.

The CAC’s notice specifies that data handlers processing the personal information of more than 1 million individuals must fulfill the relevant DPO reporting requirements to the appropriate municipal-level cyberspace office as follows:

  • If, prior to July 18, 2025, a data handler processed the personal information of more than 1 million individuals, the data handler must comply with the DPO reporting requirements by August 29, 2025.
  • If, at any point after July 18, 2025, the data handler begins to process the personal information of more than 1 million individuals, the data handler must comply with the DPO reporting requirements within 30 business days from trigging this numerical threshold. Data handlers also must ensure that the reported DPO information remains up to date, by making revisions within 30 business days to reflect any substantial changes.

The CAC guidance instructs data handlers to submit the required DPO information through the CAC’s website, including the following documents:

  1. The basic information form of the data handlers;
  2. The basic information form of the DPO (including contact information of the DPO and processing activities of the data handler)
  3. Copy of the business license;
  4. Copy of the ID of the legal representative;
  5. Copy of the ID of the DPO;
  6. Employment certificate of the DPO;
  7. Copy of the ID of the person in charge of reporting DPO information;
  8. The authorization letter for the person in charge of reporting DPO information; and
  9. Undertaking letter.
Tags: China, Data Protection Officer, Personal Data, Personal Information
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
UK ICO Publishes Guidance on Recognized Legitimate Interest Basis

On March 23, 2026, the UK Information Commissioner's Office released new guidance clarifying the use of the new recognized legitimate interest lawful basis for processing personal information under UK data protection law.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
CalPrivacy Reaches Settlement with Ford Motor Company Over CCPA Opt-Out Right Violations

On March 5, 2026, the California Privacy Protection Agency announced that the agency had reached a settlement with Ford Motor Company resolving an enforcement action against the company that alleged noncompliance with the California Consumer Privacy Act’s opt-out of sale/sharing rights.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page