Today (18 July), the Cyberspace Administration of China (CAC) issued a notice requiring certain personal information processors to report details of their designated personal information protection officer (DPO).
This development implements the existing DPO requirements under China’s Personal Information Protection Law (PIPL) and recent data protection compliance audit requirements.
An online system has been launched to enable organisations to submit their requested DPO details online.
Who is affected?
The obligation applies to personal information processors handling personal information of over one million individuals.
If you meet this threshold, you must report your DPO's information to your local city-level CAC office.
Key timelines
- For companies reaching the threshold after this announcement, the reporting obligation must be fulfilled within 30 business days from the date your volume of processed personal information reaches one million individuals.
- For companies that had already reached the threshold before this announcement, the deadline for reporting is 29 August 2025.
- If there are substantive changes to the reported information, you must file an update within 30 business days following the change.
Details to be reported
Although it may have been expected that simply a DPO’s name and contact details must be filed, the new requirement stretches the PIPL’s reference to “other information” to the extreme, in particular requiring submission of:
- Basic information about the personal information processor, including company details, legal representative, and contact information.
- Details of the DPO, including their name, role, nationality, contact details, relevant appointment documents, and a scan of their personal identification.
- Information about the scope of personal information processing that the DPO is responsible for, including scale, types of personal information handled, monthly active users, and business lines or system / mobile applications involved.
While some of this information will be on-hand for organisations that have completed a CAC-led data export security assessment or China personal information export standard contact filing submission, more commercially-sensitive details such as monthly active users may need further consideration.
Next steps
Organisations should review their volume of personal information their China business processes in their PRC operations, and assess whether they are subject to the DPO appointment and reporting requirements.
As always, feel free to reach out if you have any questions.
/Passle/5c4b4157989b6f1634166cf2/MediaLibrary/Images/2025-07-03-11-42-05-966-68666c8d1103f79f336c9b4e.png)
/Passle/5c4b4157989b6f1634166cf2/MediaLibrary/Images/2025-03-13-11-37-36-003-67d2c380d420aa050cb5c7b9.png)
/Passle/5c4b4157989b6f1634166cf2/SearchServiceImages/2025-07-14-09-44-12-247-6874d16ccd1d8850186e0a14.jpg)