1. Which companies are required to appoint a person in charge of personal information protection under China's personal information protection laws?
According to the Personal Information Protection Law of the People's Republic of China (hereinafter referred to as "PIPL"), a personal information processor (e.g. a company) whose volume of processed personal information reaches the threshold specified by the Cyberspace Administration of China must designate a person in charge of personal information protection (similar to the data protection officer ("DPO") under the GDPR), who is responsible for supervising the personal information processing activities and the protection measures taken. The recently issued Exposure Draft on Personal Information Protection Compliance Audit and the Exposure Draft of Data Security Technology Personal Information Protection Compliance Audit Requirements also set out clear audit requirements, in particular as to whether the appointment, qualifications and responsibilities of the person in charge of personal information protection/DPO comply with the law.
The processors stipulated by the Cyberspace Administration of China are generally understood to be those that process the personal information of more than 1 million individuals, or that have cumulatively provided the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, overseas since January 1 of the previous year. However, because regulators in different regions apply these criteria differently, a company is advised to consult lawyers and other professionals before deciding whether and how to appoint a person in charge of personal information protection/DPO.
The national standard GB/T 35273-2020 Information Security Technology: Personal Information Security Specification is not mandatory, but the supervisory authorities generally use it as a reference in practice while implementing rules for the PIPL are still absent. Under that standard, an organization that meets any one of the following conditions shall appoint a full-time person in charge of personal information protection/DPO and establish a personal information protection organization responsible for personal information security:
- The main business involves the processing of personal information, and the size of the workforce is larger than 200 people;
- Processing personal information of more than one million individuals, or expecting to process personal information of more than one million individuals in 12 months;
- Processing sensitive personal information of more than 100,000 individuals.
2. What are the requirements for the person in charge of personal information protection/DPO?
For the time being, neither the PIPL nor its supporting documents contain clear mandatory provisions on the qualifications of the person in charge of personal information protection. Only GB/T 35273-2020 addresses the point: the appointee shall have relevant management experience and professional knowledge of personal information protection, shall participate in important decisions concerning personal information processing activities, and shall report directly to the principal persons in charge of the organization. Given the practical demands of the role, it is best filled by an interdisciplinary professional with a legal background who is familiar with the personal information protection laws and who also has relevant technical knowledge and experience in data security and personal information protection.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.