CAC Notice on Seeking Public Comments on the Administrative Measures for the Compliance Audit of Personal Information Protection (Exposure Draft)

By Yoni Hao. Last Updated on Aug 10, 2023

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2023-08-03

Source: http://www.cac.gov.cn/2023-08/03/c_1692628348448092.htm

Original Title: 国家互联网信息办公室关于《个人信息保护合规审计管理办法(征求意见稿)》公开征求意见的通知

CAC Notice on Seeking Public Comments on the Administrative Measures for the Compliance Audit of Personal Information Protection (Exposure Draft)

In order to guide and regulate the compliance audit of personal information protection, the Cyberspace Administration of China (“CAC”) has drafted the Administrative Measures for the Compliance Audit of Personal Information Protection (Exposure Draft) in accordance with the Personal Information Protection Law of the People’s Republic of China and other laws and regulations, for which public comments are hereby sought. The public may give feedback through the following channels and ways:

1. Log in to the website of the Ministry of Justice of the People’s Republic of China or the Chinese Government Legislative Information Website (www.moj.gov.cn, www.chinalaw.gov.cn) and click the column “Comments Sought on the Legislation” on the main menu bar of the homepage to give comments.

2. Send comments by e-mail to: shujuju@cac.gov.cn.

3. Send comments by post to: Network Data Administration Bureau under the CAC at No.15 Fucheng Road, Haidian District, Beijing, post code 100048, with the words “Comments Sought on the Administrative Measures for the Compliance Audit of Personal Information Protection” indicated on the envelope.

The period for feedback will end on September 2, 2023.

Cyberspace Administration of China

August 3, 2023

Administrative Measures for the Compliance Audit of Personal Information Protection (Exposure Draft)

Article 1 These Measures are enacted in accordance with the Personal Information Protection Law of the People’s Republic of China and other laws, administrative regulations and relevant provisions of the State in order to guide and regulate compliance audits of personal information protection, improve the compliance level of personal information handling and protect personal information rights and interests.

Article 2 These Measures shall apply to the regular compliance audits of personal information protection by personal information handlers, or the compliance audits of their personal information handling activities by a specialized agency entrusted by such handlers as required by the authorities performing duties of personal information protection, as well as the supervision and administration of compliance audits of personal information protection.

Article 3 For the purpose of these Measures, the term “compliance audit of personal information protection” refers to the supervision activities that review and evaluate whether the personal information handling activities by personal information handlers comply with laws and administrative regulations.

Article 4 A personal information handler that handles the personal information of more than 1 million individuals shall carry out the compliance audit of personal information protection at least once a year, and any other personal information handler shall conduct the compliance audit of personal information protection at least once every two years.

Article 5 Where a personal information handler carries out the compliance audit of personal information protection by itself, it may mandate the internal body within the organization or entrust a specialized agency to carry out such audit as required by these Measures in light of the actual conditions.

Article 6 Where authorities performing duties of personal information protection find in the process of performance of duties that there are relatively high risks in personal information handling activities, or personal information security incidents have occurred, they may require personal information handlers to entrust a specialized agency to conduct compliance audit of their personal information handling activities.

Article 7 Where a personal information handler carries out the compliance audit of personal information protection as required by the authorities performing duties of personal information protection, it shall select a specialized agency to conduct such compliance audit as required as soon as possible upon receipt of notice.

Article 8 Where a personal information handler entrusts a specialized agency to conduct compliance audit of personal information protection as required by the authorities performing duties of personal information protection, it shall ensure that the specialized agency can normally exercise the following authorities:

(I) requiring provision or assistance in consulting relevant documents or materials;

(II) entering relevant premises of personal information handling activities;

(III) observing the personal information handling activities that take place in the premises;

(IV) investigating relevant business activities and the information systems on which they rely;

(V) checking and testing the equipment and facilities relating to personal information handling activities;

(VI) retrieving or consulting data or information relevant to personal information handling activities;

(VII) interviewing the personnel related to the activities of handling personal information;

(VIII) investigating, inquiring and taking evidence with respect to the relevant issues; and

(IX) other authorities required for the conduct of the compliance audit.

Article 9 Where a personal information handler entrusts a specialized agency to carry out the compliance audit of personal information protection as required by the authorities performing duties of personal information protection, the compliance audit of personal information protection shall be completed within 90 working days; where the circumstances are complicated, the aforesaid time limit may be extended appropriately upon approval by the authorities performing duties of personal information protection.

Article 10 Where a personal information handler entrusts a specialized agency to carry out the compliance audit of personal information protection as required by the authorities performing duties of personal information protection, it shall organize and implement the compliance audit of personal information protection as required by these Measures, and after necessary compliance audit procedures have been performed, it shall timely submit the compliance audit report on personal information protection issued by the specialized agency to the authorities performing duties of personal information protection. The compliance audit report on personal information protection shall be signed by the person in charge of the compliance audit and the person in charge of the specialized agency, with the official seal of the specialized agency affixed.

Article 11 Where a personal information handler entrusts a specialized agency to carry out the compliance audit of personal information protection as required by the authorities performing duties of personal information protection, it shall make rectification according to the rectification suggestions given by the specialized agency and submit the rectification information to the authorities performing duties of personal information protection upon review by the specialized agency.

Article 12 The specialized agency conducting the compliance audit of personal information protection shall maintain its independence and objectivity and carry out the compliance audit of personal information protection for the same object no more than three times consecutively.

Article 13 The national cyberspace authority shall, in concert with the public security organs and other relevant departments under the State Council, establish a recommended catalogue of specialized agencies for compliance audit of personal information protection under the principles of overall planning, reasonable layout and selective recommendation, organize and conduct the assessment and evaluation of specialized agencies for compliance audit of personal information protection every year and dynamically adjust the recommended catalogue of specialized agencies for compliance audit of personal information protection based on the assessment and evaluation results.

Personal information handlers are encouraged to preferentially select the specialized agencies in the recommended catalogue to carry out the compliance audit of personal information protection.

Article 14 When engaging in the compliance audit of personal information protection, a specialized agency shall act in good faith and make a professional judgment of compliance audit in a fair and objective manner. The specialized agency shall not subcontract or entrust any third party to carry out the compliance audit of personal information protection.

The information obtained by the specialized agency in fulfilling its duties of compliance audit of personal information protection may only be used for the compliance audit of personal information protection and shall not be used for other purposes; the specialized agency shall bear the responsibility of confidentiality for the information obtained; and the specialized agency shall take corresponding technical and other necessary measures to ensure data security.

When fulfilling its duties of compliance audit of personal information protection, the specialized agency shall not maliciously interfere with the normal business operations of any personal information handler.

Where any specialized agency issues false or inaccurate reports or commits any other violations, the personal information handler and relevant parties may lodge complaints with the authorities performing duties of personal information protection. Upon verification by the said authorities, the specialized agency shall be permanently banned from the recommended catalogue of specialized agencies for compliance audit of personal information protection.

Article 15 Any violation of the provisions of the present Measures shall be punished in accordance with the Personal Information Protection Law of the People’s Republic of China and other laws and regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Article 16 The CAC shall be responsible for the interpretation of the present Measures, which shall come into force as of MM/DD/YY.

Annex:

Reference Points for Compliance Audit of Personal Information Protection

Article 1 The present Points are developed in accordance with the compulsory requirements of the Personal Information Protection Law of the People’s Republic of China and other laws, administrative regulations and national standards and provide reference for the compliance audit of personal information protection.

Article 2 The compliance audit of personal information protection shall first examine the basic conditions of legality of personal information handling activities, focusing on examination of the following matters:

(I) whether the individual’s consent has been obtained for the handling of personal information, and whether such consent is voluntarily and expressly given on the premise that the subject of personal information is fully informed;

(II) whether the individual’s consent has been re-obtained in the event of changes to the purpose and method of the handling of personal information and the type of personal information to be handled based on the individual’s consent to handle personal information;

(III) whether a convenient method for withdrawing consent has been provided for the individual based on the individual’s consent to handle personal information;

(IV) whether the operations of the individual’s consent are recorded based on the individual’s consent to handle personal information;

(V) whether, based on the individual’s consent to handle personal information, there are circumstances of refusal to provide products or services on the grounds that the individual does not agree to have his/her personal information handled or withdraws his/her consent, except where the handling of personal information is necessary for provision of products or services; and

(VI) whether the handling of personal information without the individual’s consent falls within the circumstances in which the individual’s consent is not required in accordance with the provisions of laws and administrative regulations.

Article 3 The audit of rules for handling personal information shall focus on the examination of the following matters:

(I) whether the name and contact details of the personal information handler are informed in an authentic, accurate and complete manner;

(II) whether the personal information collected and the purpose, method and scope of handling of such information are set out in the form of a list;

(III) whether the storage period of personal information, or the method for determining the storage period, the method for handling upon expiration, as well as the minimum time necessary for the storage period to achieve the purpose of handling are specified;

(IV) whether the ways and methods for individuals to access, reproduce, process, transfer, correct, supplement, delete, disclose and restrict the handling of personal information, deregister accounts and withdraw consent are specified;

(V) where personal information is provided to a third party, whether the individual is explicitly informed of the name and contact information of the recipient, purpose and method of handling and type of personal information, and whether the individual’s separate consent is obtained; and

(VI) other matters stipulated by laws and administrative regulations.

Article 4 When handling personal information, a personal information handler shall fulfill its obligation of notification, focusing on examination of the following matters in audit:

(I) whether the personal information handler, prior to handling personal information, informs the individual of the rules for handling personal information in an eye-catching way and in clear and understandable language in a truthful, accurate and complete manner;

(II) whether the size, font and color of the notification text are convenient for the individual to completely read the notified matters;

(III) whether the notification obligation has been performed to the individual by marking, description or other means in offline notification;

(IV) whether the text information is provided online, or the notification obligation has been performed to the individual by appropriate means; and

(V) whether the individual has been informed of the change to the rules for handling personal information in a timely manner.

Article 5 Where a personal information handler handles personal information jointly with others, it shall focus on examining the following matters:

(I) whether the respective rights and obligations are agreed upon;

(II) the measures taken by each party to protect personal information;

(III) the mechanism for protection of personal information rights and interests;

(IV) the mechanism for reporting personal information security incidents;

(V) the liability that shall be borne by each party for damage caused by infringement of personal information rights and interests; and

(VI) other rights and obligations that shall be agreed upon in accordance with laws and administrative regulations.

Article 6 Where a personal information handler entrusts others with the handling of personal information, it shall focus on examining the following matters:

(I) whether the personal information handler has conducted the impact assessment of personal information protection prior to entrusting others with the handling of personal information;

(II) whether the purpose, duration, and method of entrusted handling, type of personal information, technical and management measures to be adopted by the trustee, and rights and obligations of both parties have been agreed upon in the contract concluded between the personal information handler and the trustee;

(III) whether the personal information handler has supervised the personal information handling activities of the trustee by means of regular inspection, etc., so as to ensure that the entrusted handling of personal information complies with the provisions of laws;

(IV) whether the trustee handles personal information in strict accordance with the entrustment contract and whether the trustee handles personal information beyond the agreed purpose and method of handling;

(V) whether the trustee has returned the personal information to the personal information handler or deleted the personal information when the entrustment contract is not effective, invalid, revoked or terminated; and

(VI) whether the trustee has subcontracted the handling of personal information to others and whether it has obtained the consent of the personal information handler.

Article 7 Where a personal information handler needs to transfer personal information due to merger, reorganization, division, dissolution or declaration of bankruptcy, it shall focus on examining the following matters:

(I) whether the personal information handler has informed the individual of the name and contact information of the recipient;

(II) whether the recipient continues to fulfill the obligations of the personal information handler; and

(III) whether the recipient has obtained the individual’s consent anew in accordance with relevant provisions of laws and administrative regulations if it changes the original purpose and method of handling.

Article 8 Where a personal information handler provides any other personal information handler with the personal information handled by it, it shall focus on examining the following matters:

(I) whether the individual’s separate consent is obtained;

(II) whether the individual is informed of the name and contact information of the recipient, purpose and method of handling and type of personal information;

(III) whether the recipient handles the personal information within the scope of the purpose and method of handling and type of personal information as agreed upon by both parties;

(IV) whether the individual’s consent has been obtained anew in accordance with laws and administrative regulations if there is a change to purpose and method of handling; and

(V) whether an assessment on the impact of personal information protection has been conducted in advance.

Article 9 Where a personal information handler handles personal information by using automatic decision-making, it shall focus on the evaluation of the transparency of automatic decision-making and the fairness and impartiality of the results in the process of audit:

(I) whether the individual is actively informed in advance of the type of personal information handled by automatic decision-making and the possible impact;

(II) whether the security evaluation of the algorithm model is conducted in advance and such evaluation is filed in accordance with the relevant provisions of the State so as to reduce the defects in the automatic decision-making algorithm model as far as possible; whether the algorithm model is re-evaluated when the application scenario and main functions change;

(III) whether the scientific and technological ethical review of the algorithm model is conducted in advance;

(IV) whether an assessment on the impact of personal information protection has been conducted in advance;

(V) whether a protection mechanism is provided so that users may, in a convenient way, refuse decisions made through automatic decision-making methods that have significant impacts on their personal rights and interests, or request the personal information handler to explain such decisions;

(VI) whether a function for deleting or modifying the user labels used in automatic decision-making services targeting users’ personal characteristics is provided for users;

(VII) whether necessary measures have been taken to protect the algorithm and parametric models;

(VIII) whether a record is made for manual operations in the automatic decision-making process such as personal information handling, label management and model training so as to prevent malicious manipulation of automatic decision-making information and results;

(IX) when pushing information and commercial marketing to individuals, whether an option not targeting personal characteristics is also provided, or a convenient method for refusing the automatic decision-making service is provided;

(X) whether effective measures have been taken to prevent automatic decision-making from giving unreasonable differential treatment to individuals in terms of transaction conditions according to consumers’ preferences, transaction practices and so on; and

(XI) other matters that may affect the transparency of automatic decision-making and the fairness and impartiality of the results thereof.

Article 10 Where a personal information handler discloses the personal information it handles, it shall focus on the review of the following matters:

(I) whether the personal information handler has obtained the separate consent of an individual before disclosing the personal information handled by it, whether such authorization is authentic and valid, and whether the personal information is disclosed against the individual’s will; and

(II) whether the personal information handler has assessed the impact of personal information protection prior to disclosure of personal information.

Article 11 Where a personal information handler installs image collecting and personal identification equipment in public places, it shall focus on the review of the legality of the image collecting and personal information identification equipment and the use of the personal information collected. The review shall include but not be limited to:

(I) whether it is necessary for maintaining public security, and whether there are circumstances of handling the information collected for commercial purposes;

(II) whether a conspicuous prompt sign is set up; and

(III) whether the separate consent of the individual has been obtained if the personal images and identification information collected by the personal information handler are used for purposes other than maintaining public security.

Article 12 Where a personal information handler handles the disclosed personal information, the review shall focus on whether the personal information handler has committed any of the following violations in the course of audit:

(I) sending information irrelevant to the purpose of disclosure to the e-mail and mobile phone numbers in the disclosed personal information;

(II) using the disclosed personal information to engage in cyber-violence activities;

(III) handling the disclosed personal information that the individual explicitly refuses to handle; and

(IV) handling the disclosed personal information without the consent of the individual, resulting in a significant impact on the individual’s rights and interests.

Article 13 Where a personal information handler handles sensitive personal information, it shall focus on examination of the following matters in the course of audit:

(I) whether the individual’s separate consent has been obtained in advance for the handling of biometric identification, religious belief, specific identity, medical health, financial accounts, whereabouts and tracks and other sensitive personal information;

(II) whether the consent of the parents or other guardians of minors has been obtained in advance for the handling of the personal information of the minors under the age of 14;

(III) whether the purpose or method of handling sensitive personal information is legitimate, justifiable and necessary;

(IV) whether the handling of sensitive personal information is closely related to such specific purposes as providing goods or services or performing statutory duties or statutory obligations, and whether it is subject to the principle of handling only where necessary;

(V) whether an assessment of the impact on personal information protection has been conducted in advance, and the individuals have been notified of the necessity of handling sensitive personal information and the impact on personal rights and interests;

(VI) whether a written consent has been obtained for the handling where it is required by laws and administrative regulations; and

(VII) whether the process of handling sensitive personal information is recorded so as to guarantee the legality and compliance of the process of handling sensitive personal information.

Article 14 Where the business of a personal information handler involves the handling of the personal information of minors under the age of 14, it shall focus on the review of the following matters in the course of audit:

(I) whether special rules for handling the personal information of minors have been formulated;

(II) whether the minors and their guardians have been informed of the purpose, method and necessity of the handling of the personal information of minors, the type of personal information to be handled and the protective measures adopted; and

(III) whether there is the practice of mandatorily requiring minors or their guardians to agree with non-necessary handling of personal information.

Article 15 Where a personal information handler provides personal information overseas, it shall focus on the review of the following matters:

(I) whether a critical information infrastructure operator or a personal information handler handling the personal information of more than 1 million individuals has passed the security assessment organized by the national cyberspace authority when providing personal information to overseas parties;

(II) whether the personal information handler that has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in aggregate to overseas parties since January 1 of the previous year has passed the security assessment organized by the national cyberspace authority when providing personal information overseas;

(III) whether there are circumstances under which the personal information stored within the territory of the People’s Republic of China is provided to foreign judicial or law enforcement agencies, and if so, whether such circumstances have been approved by the competent authorities of the People’s Republic of China;

(IV) whether the international treaties or agreements concluded or acceded to by the People’s Republic of China are complied with if they have provisions on the conditions for provision of personal information outside the territory of the People’s Republic of China;

(V) whether the protection of personal information has been certified by a specialized agency in accordance with the provisions of the national cyberspace authority or whether the contract has been signed with the overseas recipient in accordance with the standard contract prepared by the national cyberspace authority, or whether other conditions stipulated by the laws, administrative regulations and the national cyberspace authority are satisfied;

(VI) whether the personal information handler understands the impacts of the personal information protection policies and the cyber security environment of the country or region where the overseas recipient is located on the outbound transfer of personal information; and

(VII) whether there is any circumstance of illegal provision of personal information to the organizations and individuals included in the restricted or prohibited list for provision of personal information.

Article 16 Where a personal information handler provides personal information overseas, it shall take necessary measures to ensure that the handling of personal information by the overseas recipient meets the standards for protection of personal information prescribed in the Personal Information Protection Law of the People’s Republic of China. During the course of audit, it shall focus on the review of the effectiveness of the supervision measures adopted by the personal information handler against the overseas recipient, including but not limited to:

(I) whether it knows about and grasps the information of the overseas recipient and, in particular, whether the overseas recipient has the necessary ability to protect personal information;

(II) whether it notifies the overseas recipient of the requirements of China’s laws and administrative regulations on the protection of personal information and requires the overseas recipient to take corresponding protection measures; and

(III) whether it urges the overseas recipient to effectively perform the obligation of protecting personal information by means of signing an agreement, regular verification or otherwise.

Article 17 The audit of the protection of the right to delete personal information shall focus on the review of the deletion of personal information under the following circumstances:

(I) the purpose of handling personal information has been achieved, cannot be achieved or it is no longer necessary to achieve the purpose of handling personal information;

(II) the provision of products or services is ceased, or the individual closes his/her account;

(III) the storage period agreed with the individual has expired;

(IV) the individual withdraws his/her consent;

(V) it is impossible to avoid the collection of unnecessary personal information or unauthorized personal information due to the use of automatic collection technology or otherwise; and

(VI) the personal information handler handles personal information in violation of laws, administrative regulations or the relevant agreement.

Where the storage period as prescribed by laws and administrative regulations has not expired, or the deletion of personal information is difficult to realize technically, the personal information handler shall cease any handling other than storing such information and taking necessary security measures.

Article 18 A personal information handler shall guarantee individuals’ right to exercise the rights and interests in personal information, focusing on the examination of the following matters during the course of audit:

(I) whether it has established a mechanism for accepting applications for individuals’ exercise of rights;

(II) whether it has provided individuals with convenient methods to access, reproduce, transfer, correct, supplement and delete personal information; and

(III) whether it has responded to individuals’ applications for the exercise of rights in a timely manner, and has informed them of the handling opinions or the execution results in a timely, complete and accurate manner.

Article 19 A personal information handler shall respond to individuals’ applications and explain the rules for handling personal information. During the course of audit, it shall place emphasis on the evaluation of the following contents:

(I) whether the personal information handler has provided convenient methods and channels to accept and process individuals’ requests for the interpretation of the rules for handling personal information; and

(II) whether the personal information handler explains the rules for handling personal information in plain language within a reasonable period of time after receiving the request of individuals.

Article 20 A personal information handler shall bear the primary responsibility for protecting personal information. During the course of audit, emphasis shall be put on the evaluation of the performance of primary responsibility by the personal information handler, including but not limited to the following matters:

(I) whether the personal information protection systems, organizational structure and management procedures it has formulated are adapted to the nature, scale, complexity and risk level of its handling of personal information;

(II) whether the division of responsibilities for personal information protection is reasonable, whether the responsibilities are specific and whether the reporting relationship is clear; and

(III) the compatibility between the human, financial and material support provided by the personal information handler for personal information protection and the enterprise’s business scale, operation plan and personal information compliance risk management.

Article 21 A personal information handler shall, in accordance with the provisions of laws and administrative regulations, formulate its internal management system and operating procedures, specify its organizational structure and post responsibilities, establish a workflow and improve its internal control system, so as to ensure the compliance and security of its handling of personal information. During the course of audit, emphasis shall be put on the review of the personal information handler’s internal management system and operating procedures for the protection of personal information, including but not limited to:

(I) whether the guidelines, objectives and principles of personal information protection are in compliance with laws and administrative regulations;

(II) whether the organizational structure, staffing, code of conduct and management responsibilities for personal information protection are consistent with the responsibilities to be performed for personal information protection;

(III) whether personal information has been classified according to its type, source, sensitivity and purpose, and pertinent management or technical security measures have been taken;

(IV) whether an emergency response mechanism for personal information security incidents has been established;

(V) whether the system for assessment of the impact of personal information protection and compliance audit has been established;

(VI) whether a smooth process for accepting complaints and reports about personal information protection has been established;

(VII) whether a security education and training plan on personal information protection has been formulated and implemented;

(VIII) whether a performance evaluation system has been established for the person in charge of personal information protection and relevant personnel;

(IX) whether an accountability system for illegal handling of personal information or violation of regulations has been established and effectively implemented for personnel involved in the handling of personal information; and

(X) other contents prescribed by laws and administrative regulations.

Article 22 A personal information handler shall adopt technical security measures appropriate for the scale and type of personal information handled and evaluate the effectiveness of the technical measures adopted by it. The evaluation shall include but not be limited to:

(I) whether it has adopted corresponding technical security measures, by reference to relevant national standards or technical requirements, to ensure the confidentiality, integrity and availability of personal information;

(II) whether it has adopted technical security measures such as encryption and de-identification to ensure that the identifiability of personal information is eliminated or reduced without the use of additional information; and

(III) whether the technical security measures adopted can reasonably restrict the permissions of relevant personnel to access, copy and transmit personal information, and reduce the risks of unauthorized access to and abuse of personal information in the course of handling.

Article 23 The audit of the formulation and implementation of the education and training plan by a personal information handler shall focus on the evaluation of the following matters:

(I) whether it has conducted the corresponding security education and training for its management personnel, technical personnel, operators and all staff as planned and assessed the awareness and skills of relevant personnel in personal information protection; and

(II) whether the training contents, methods, objects, frequency, etc., can meet the needs of personal information protection.

Article 24 A personal information handler that handles personal information in a quantity reaching the threshold prescribed by the national cyberspace authority shall designate a person in charge of personal information protection to be responsible for the compliance of its personal information handling activities. In audit, emphasis shall be placed on the examination of the following matters:

(I) whether the person in charge of personal information protection has the relevant work experience and professional knowledge and is familiar with relevant laws and administrative regulations on personal information protection;

(II) whether the person in charge of personal information protection has definite and clear duties and has been granted sufficient authority to coordinate the relevant departments and personnel in charge of the handling of personal information within the organization;

(III) whether the person in charge of personal information protection has the right to nominate the team leader of personal information protection and maintain smooth communication and contact with him/her;

(IV) whether the person in charge of personal information protection has the right to put forward relevant opinions and suggestions prior to the decision of major matters relating to the handling of personal information;

(V) whether the person in charge of personal information protection has the right to stop any non-compliance in the handling of personal information within the organization and take the necessary corrective measures; and

(VI) whether the personal information handler has disclosed the contact information of the person in charge of personal information protection and submitted the name and contact information of the person in charge of personal information protection to the authorities performing duties of personal information protection.

Article 25 In the audit of the assessment of the impact of personal information protection conducted by a personal information handler, emphasis shall be placed on the examination of the implementation of the impact assessment and the contents of assessment:

(I) whether it has passed the assessment of the impact of personal information protection prior to the handling of personal information that has a significant impact on personal rights and interests in accordance with the provisions of laws and administrative regulations;

(II) whether the legality, legitimacy and necessity of the handling of personal information has been analyzed and assessed, and whether there is excessive collection of personal information;

(III) whether the security risks such as restriction of personal autonomy, triggering of differential treatment, causing of damage to personal reputation or mental stress, or causing of personal and property damage have been analyzed and assessed;

(IV) whether the legality, effectiveness and adaptability of the protection measures adopted have been analyzed and assessed; and

(V) whether the assessment report on the impact of personal information protection and handling records have been kept for at least three years.

Article 26 A personal information handler shall develop an emergency plan for personal information security incidents. In conducting the audit, the comprehensiveness, effectiveness and enforceability of the emergency plan shall be evaluated, including but not limited to the following aspects:

(I) whether it has made systematic assessment and prediction of personal information security risks faced in light of its business practices;

(II) whether the guiding ideology and basic strategies, organizational structure, personnel, technology and material support as well as command and handling procedures, emergency response and supporting measures are sufficient to respond to the predicted risks; and

(III) whether it has provided training on the emergency plan for the relevant personnel and regularly conducted drills of the emergency plan.

Article 27 In evaluating a personal information handler’s emergency response to and handling of personal information security incidents, the following factors shall be given priority:

(I) whether the impact, scope and possible harm of the personal information security incidents are identified in a timely manner in accordance with the emergency plan and operating procedures, the causes of the incidents are analyzed and determined, and the measures and plans for preventing the expansion of the harm are put forward;

(II) whether a notification channel has been established, and whether the authorities performing duties of personal information protection and individuals can be notified within 72 hours after the occurrence of the incidents; and

(III) whether corresponding measures have been taken to minimize the potential losses and risks of harm caused by the personal information security incidents.

Article 28 Operators of large internet platforms shall establish an independent agency mainly composed of external members to supervise the protection of personal information. At the time of audit, the independence, performance ability, supervisory role, etc. of the independent agency shall be evaluated:

(I) evaluating the independence of the independent agency in supervising the protection of personal information, with focus on reviewing whether there is any relationship between the external members and the personal information handler and its major shareholders that may hinder the independent and objective judgments thereof;

(II) evaluating the ability of external members to perform their duties, with focus on reviewing whether the external members have corresponding professional knowledge, ability and experience, can supervise and guide the protection of personal information by the personal information handler and give objective and fair opinions and suggestions; and

(III) evaluating the supervisory role of the independent agency, with focus on reviewing the role played by the independent agency in the development of the personal information handler’s compliance system, the formulation of platform rules, the handling of major personal information security incidents, and urging enterprises to fulfill their social responsibilities.

Article 29 The audit of the rules for a large internet platform shall focus on the following matters:

(I) evaluating the legality and compliance of the platform rules and whether there are circumstances in conflict with laws and administrative regulations;

(II) evaluating the fairness and impartiality of the platform rules, and whether they contain any content, such as malicious competition or content affecting the rights and interests of consumers, that violates the principle of fair competition, the principle of good faith, or public order and good morals;

(III) evaluating the effectiveness of the provisions on personal information protection in the platform rules, whether the rights and obligations of the platform and the product or service providers within the platform to protect personal information are reasonably defined, whether the handling of personal information by the operators using the platform is regulated, and whether the obligations of the operators using the platform to protect personal information are clarified; and

(IV) checking the implementation of the platform rules and verifying whether the platform rules are effectively implemented by means of sampling or otherwise.

Article 30 Operators of large internet platforms shall supervise the handling of personal information by the product or service providers within the platform. In the course of audit, emphasis shall be placed on the examination of the following matters:

(I) whether the legality and reasonableness of the rules for handling the personal information of the product or service providers within the platform are regularly reviewed;

(II) whether the compliance of the product or service providers’ handling of personal information within the platform with laws and administrative regulations is regularly reviewed; and

(III) whether the platform ceases, in a timely manner, to provide services to product or service providers that handle personal information in serious violation of laws and administrative regulations.

Article 31 Operators of large internet platforms shall release a social responsibility report on personal information protection on an annual basis. In the course of audit, emphasis shall be placed on the examination of the disclosure of the following contents of the social responsibility report:

(I) organizational structure and internal management of personal information protection;

(II) development of personal information protection capacity;

(III) measures for personal information protection and the effects thereof;

(IV) acceptance of applications filed by individuals for exercising rights;

(V) performance of duties by the independent supervision body;

(VI) handling of major personal information security incidents; and

(VII) other circumstances stipulated by laws and administrative regulations.