Question: Which personal information processors are required to conduct compliance audits under the "Administrative Measures for Compliance Audits of Personal Information Protection"?

Answer: The "Administrative Measures for Compliance Audits of Personal Information Protection" (hereinafter referred to as the "Measures") were issued by the Cyberspace Administration of China on 14 February 2025 and will come into effect on 1 May 2025. According to the "Measures," there are two categories of personal information processors required to conduct compliance audits:

1. Personal information processors conducting self-initiated compliance audits: All personal information processors are expected to maintain an awareness of compliance audit obligations and to conduct regular compliance audits. These audits, undertaken internally or with external professional support, should assess the legality, legitimacy, and necessity of their personal information processing activities to safeguard personal information rights. In particular, personal information processors handling data for over 10 million individuals are required, under the "Measures", to conduct a compliance audit at least once every two years. Such large-scale data processors handle vast amounts of personal information, and any security breach could have far-reaching consequences. Examples include major social media platforms and large-scale e-commerce platforms, which routinely collect and process data such as users' names, contact details, and purchasing histories. Their data processing activities must undergo regular scrutiny by internal teams or professional agencies to ensure full compliance with laws and regulations across all stages, including collection, storage, usage, and sharing.

2. Personal information processors conducting audits at the request of regulators: Regulatory authorities responsible for personal information protection—such as cyberspace and market supervision departments—may require compliance audits if, during routine oversight, they identify significant risks in personal information processing activities, potential infringement on individuals' rights, or incidents of personal information security breaches. In such cases, the relevant personal information processors must commission a professional agency to conduct a compliance audit. Upon completing the audit, these processors must report the findings to the regulatory authority and address any issues identified during the audit as required by the authority.