[Legal Updates] Security Rules for Sensitive Personal Data

2025. 7. 4

The National Internet Security Standardization Technical Committee recently published the full text of the"Data Security Technology—Security Requirements for Processing Sensitive Personal Information" (GB/T 45574—2025) on its website. This standard, issued by the State Administration for Market Regulation and the Standardization Administration of China, will come into effect on November 1, 2025.

The standard clarifies theidentification and definition of sensitive personal information and specifies general and specific security requirements for its processing. General requirements include lawful collection, notification and consent, and security safeguards, while specific requirements cover the processing of biometric data, religious beliefs, medical and health information, financial accounts, and behavioral tracking data.

This standard applies topersonal information processors, regulatory authorities, and third-party assessment bodies, emphasizing the need to obtain explicit individual consent and implement strict security measures when handling sensitive information.