The State Internet Information Office announced the "Personal Information Protection Compliance Audit Management Measures"
2025-05-01 Source: CCTV.com

CCTV News: According to the "Internet Information China" official account, the State Internet Information Office recently announced the "Regulations on the Management of Personal Information Protection Compliance Audits" (hereinafter referred to as the "Measures"), which will come into effect on May 1, 2025.

A relevant person in charge of the State Internet Information Office said that the "Personal Information Protection Law of the People's Republic of China" and the "Regulations on Network Data Security Management" provide for personal information processors to conduct personal information protection compliance audits. The "Measures" make detailed provisions on how compliance audit activities are carried out, the selection of compliance audit institutions, the frequency of compliance audits, and the obligations of personal information processors and professional institutions in compliance audits. They aim to provide systematic, targeted and operational specifications for personal information processors carrying out personal information protection compliance audits, to improve the legality and compliance level of personal information processing activities, and to protect personal information rights and interests.

The Measures clarify two situations in which personal information processors conduct compliance audits. First, where a personal information processor conducts a compliance audit on its own, its internal organization or an entrusted professional organization shall audit its compliance with laws and administrative regulations in the processing of personal information. Personal information processors that process the personal information of more than 10 million people should conduct personal information protection compliance audits at least once every two years. Second, if the department that performs personal information protection responsibilities finds that personal information processing activities carry great risks or may infringe on the rights and interests of many people, or that a personal information security incident has occurred, it may require the personal information processor to entrust a professional institution to conduct a compliance audit of the personal information processing activities.

The Measures clarify the obligations that personal information processors who conduct compliance audits should fulfill. They stipulate that a personal information processor conducting a compliance audit at the request of the department that performs personal information protection duties shall provide the necessary support for the professional institution to carry out the audit normally, bear the audit fees, complete the audit within the time limit, submit the compliance audit report and make rectifications.

The Measures clarify the obligations of professional institutions in compliance audits. First, they should have the ability to conduct personal information protection compliance audits, with auditors, premises, facilities and funds suited to the services they provide. Second, they should abide by laws and regulations, be honest and upright, make professional judgments in compliance audits fairly and objectively, and keep confidential, in accordance with the law, the personal information, business secrets, confidential business information and similar material they learn of while performing their duties. Third, they shall not entrust other institutions to conduct personal information protection compliance audits. Fourth, the same professional institution and its affiliated institutions, and the same compliance audit person, shall not conduct personal information protection compliance audits on the same audit subject more than three consecutive times.

The Measures provide the "Guidelines for Compliance Audit for Personal Information Protection" as an attachment, which sorts out the key points of laws and administrative regulations related to personal information protection and refines them from the perspective of compliance audits. When personal information processors conduct personal information protection compliance audits on their own, or entrust professional institutions to conduct them in accordance with the requirements of departments that perform personal information protection responsibilities, they shall refer to the "Personal Information Protection Compliance Audit Guidelines".

The Measures also stipulate the supervision and management responsibilities of departments that perform personal information protection responsibilities and the legal responsibilities of personal information processors and professional institutions that violate the provisions of the Measures.
