Today (18 July), the Cyberspace Administration of China (CAC) issued a notice requiring certain personal information processors to report details of their designatedpersonalinformationprotectionofficer (DPO).
Appoint a PIPO: Designate a qualified individual to serve as your PersonalInformationProtectionOfficer in accordance with internal governance protocols.
China’sPersonalInformationProtection Law (“ PIPL ”) first introduced the requirement to appoint a PIPO in 2021. Under Article 52 of the PIPL, controllers that handle personal information in quantities reaching CAC‑prescribed thresholds must designate a PIPO.
Data controllers processing over one million individuals’ personal information should appoint a ChinaDPO. In addition, some recommended national standards set additional scenarios as best practice.
Under the PIPL, each personalinformation processor must appoint a PIPO if the amount of personal information it processes reaches a threshold prescribed by the Cyberspace Administration of China (CAC) (Article 52 PIPL).
Under the PIPL, entities processing data that exceeds “a certain volume” are required to appoint a DPO and to report certain information about the DPO — to include name and contact information — to CAC.
The filing requirement originates from the PersonalInformationProtection Law of China (PIPL), which requires personal data handlers to designate a person in charge of data compliance if processing personal data exceeds certain thresholds.
The Notice introduces a mandatory online reporting system for designatedPersonalInformationProtectionOfficers (the “PIPOs”) and outlines specific obligations for personal information (the “PI”) processors who have reached the statutory processing thresholds.
China’sPersonalInformationProtection Law (“ PIPL ”) first introduced the requirement to appoint a PIPO in 2021. Under Article 52 of the PIPL, controllers that handle personal...
Handlers may designate one PIPO to be responsible for personalinformation protection across all business lines, or they may designate one overall personalinformationprotectionofficer while also designating corresponding personalinformationprotectionofficers for different applications/businesses/systems.
