On February 14, 2025, the Cyberspace Administration of China (CAC) published the Administrative Measures for Compliance Audits on the Protection of Personal Data, which will come into effect on May 1, 2025. The new regulations apply to all companies in China that process personal data and define clear requirements regarding the frequency of self-assessments as well as the conditions for mandatory external audits.
Companies processing personal data of more than 10 million individuals are required to conduct a compliance audit at least every two years. For companies handling smaller volumes of personal data, audit requirements remain flexible. Authorities may mandate external audits if significant risks to personal data are identified, if a large number of individuals are affected, or in the event of serious data protection breaches. Companies may use internal or external auditors for self-assessments; however, mandatory audits must be conducted by external specialized institutions.
Although no specific certifications are required for audit firms, they must have adequately qualified personnel, sufficient infrastructure, and financial resources. Additionally, an institution may not audit the same client more than three times in a row to prevent conflicts of interest. The legal text also includes guidelines for the audit process, focusing on data collection, usage practices, data subjects’ privacy rights, and technical and organizational protective measures.
Companies operating in China should review their data protection and audit processes to ensure compliance with the new regulations in a timely manner and to avoid potential sanctions.
China Intellectual Property Blog 