China launches data protection officer registration system
China's internet regulator introduces mandatory DPO reporting for organizations handling over 1 million individuals' personal data.

China's Cyberspace Administration (CAC) launched an online registration system for Data Protection Officers (DPOs) on July 18, 2025, requiring organizations processing personal information of more than 1 million individuals to report their DPO information to local authorities. The new system marks a significant enforcement step under China's Personal Information Protection Law (PIPL).
According to Article 52 of the PIPL and Article 12 of the Measures for the Administration of Personal Information Protection Compliance Audits, data controllers handling personal information of more than 1 million people must complete formalities for reporting DPO information to the internet information department of the city divided into districts where they are located.
The registration portal operates through the "Personal Information Protection Business System" available at https://grxxbh.cacdtsc.cn or accessible through the China Net Information Network homepage. The system provides a centralized platform for organizations to submit required documentation and track submission status.
Strict reporting deadlines create immediate compliance pressure
Organizations face tight deadlines under the new requirements. Controllers already processing personal information of 1 million individuals before the announcement must complete information reports by August 29, 2025. Organizations reaching the 1 million threshold after July 18, 2025, have 30 working days from reaching that number to submit their reports.
For organizations operating as company groups or maintaining multiple branches, the head office can perform information reporting procedures in a unified manner. Multiple related processors including subsidiaries, office chains, and third-party service companies can jointly fulfill submission procedures.
The system requires comprehensive documentation packages. Organizations must submit basic information reporting forms for personal information processors, personal information protection officer information forms, scanned copies of unified social credit code documents, identity documents for legal representatives and DPOs, position certification documents with official seals, authorization letters, and letters of undertaking.
Technical submission process demands detailed organizational information
The registration process involves multiple stages, beginning with account creation. Users must create login credentials of 4-14 characters combining numbers and letters, with passwords requiring 6-12 characters including numbers, letters, and special characters. The system requires mobile phone numbers capable of receiving SMS verification codes.
After successful login, users access the "Personal Information Protection Officer Information Reporting System" where they complete subject information forms. Key requirements include ensuring the province and location fields match those registered in unified social credit code documents. The system defaults cell phone numbers to those used for account registration, which receive SMS notifications about submission progress.
Organizations must upload comprehensive information about their data processing activities. This includes details about the scale of personal information handling measured in millions of individuals, monthly active user counts, types of personal information processed, and specific information about handling minors' data for those under 14 years of age.
The system captures extensive technical details about data collection methods. Organizations report whether they collect information through mobile applications, websites, offline channels, or other means. They must provide domain name lists, external service information, and IP address details where applicable.
Rigorous audit process determines compliance status
The CAC completes material inspection within 15 working days of submission. The audit status column displays three possible outcomes: "Information Submission Complete," "Returned for Improvement," or "Audit Not Passed." Organizations can track progress through process records in the operation column.
When submissions receive "Returned for Improvement" status, organizations have 10 working days to supplement and improve materials. Failure to complete improvements within the deadline results in automatic termination of the information submission procedure. Organizations can voluntarily terminate submissions through the system interface.
Submissions marked "Audit Not Passed" indicate non-compliance with information submission requirements and automatically terminate the process. Users can review specific reasons for rejection through process logs in the actions column.
Upon completion of the submission process, submitted information is periodically migrated off the internet. Except for reporting unit names and audit status, all other information becomes unavailable for query and download. Organizations must maintain their own copies of submitted materials for backup purposes.
Significant changes trigger mandatory updates within 30 days
The regulations define substantial changes requiring updated filings within 30 working days. These include modifications to basic information forms covering personal information processor details, legal representative information, and DPO information. Changes to overall situations in DPO information submission forms or personal information handling in submitted applications, businesses, or systems also qualify as substantial changes.
Organizations no longer handling personal information or processing fewer than 1 million individuals after substantial changes need not report relevant information. However, those maintaining the 1 million threshold must log into the system, navigate to the information submission page, click "Fill in Information," upload new materials, and submit for review.
Account cancellation requires completion of all business processes for personal information protection. Users must ensure audit status shows information submission completed, audit failed, or submission terminated before canceling accounts through the "Account Center" interface.
Provincial contact network supports implementation
The CAC established contact information for all provincial internet information departments to assist with business and technical problems during the filing process. Contact numbers span 32 jurisdictions including Beijing ((010) 55520121), Shanghai ((021) 64271056), Guangdong ((020) 87100943), and autonomous regions like Xinjiang ((0991) 2384855).
This comprehensive contact network ensures organizations across China can access support during the registration process. The availability of provincial-level assistance reflects the significance placed on proper implementation of the DPO reporting requirements.
The launch of this system represents a major step in China's data protection enforcement infrastructure. Organizations processing personal data at scale must now navigate complex reporting requirements while maintaining ongoing compliance with evolving regulations. The August 29, 2025 deadline for existing processors creates immediate pressure for rapid compliance across affected organizations.
For the marketing community, these developments signal intensifying global focus on data protection compliance. International organizations operating in China must now factor DPO reporting obligations into their operational frameworks while managing similar requirements in other jurisdictions like Europe where data protection enforcement continues expanding.
Timeline
- July 18, 2025: Cyberspace Administration of China launches online DPO registration system for organizations handling over 1 million individuals' data
- August 29, 2025: Deadline for organizations already processing 1 million+ individuals' data before the announcement to complete registration
- Within 30 working days: Required timeframe for new organizations reaching 1 million threshold to submit reports
- Within 30 working days: Required timeframe for updating information after substantial changes
- Within 15 working days: CAC completion timeframe for material inspection and audit decisions
- Within 10 working days: Timeframe for organizations to supplement materials marked "Returned for Improvement"
- January 16, 2025: Privacy advocacy group noyb filed complaints against Chinese tech companies over EU data transfers
- May 2, 2025: Irish Data Protection Commission fined TikTok €530 million for data transfers to China
- July 10, 2025: Irish regulator opened investigation into TikTok's China data storage violations
- July 17, 2025: Privacy advocates filed GDPR complaints against Chinese tech platforms for access request violations
Summary
Who: China's Cyberspace Administration (CAC) and organizations processing personal information of more than 1 million individuals, including data controllers, personal information processors, legal representatives, and designated Data Protection Officers.
What: Launch of mandatory online registration system requiring organizations to report DPO information through the "Personal Information Protection Business System," including comprehensive documentation submission, audit processes, and ongoing compliance obligations for substantial changes.
When: System launched July 18, 2025, with existing processors facing August 29, 2025 deadline and new organizations having 30 working days after reaching 1 million threshold to submit reports.
Where: China, through online portal at https://grxxbh.cacdtsc.cn accessible via China Net Information Network, with provincial internet information departments providing support across 32 jurisdictions.
Why: Enforcement of Article 52 of China's Personal Information Protection Law (PIPL) and Article 12 of the Measures for the Administration of Personal Information Protection Compliance Audits, creating systematic oversight of data protection practices for organizations handling large-scale personal information processing.
Key Terms Explained
Data Protection Officer (DPO): A designated individual responsible for overseeing an organization's data protection strategy and ensuring compliance with privacy regulations. DPOs serve as the primary contact point between organizations and regulatory authorities, conducting privacy impact assessments, training staff on data protection requirements, and monitoring compliance with laws like China's PIPL or Europe's GDPR. Their role becomes particularly critical for organizations processing large volumes of personal data, as they must balance business objectives with privacy obligations while maintaining independence from operations that determine processing purposes.
Personal Information Protection Law (PIPL): China's comprehensive data protection framework that governs how organizations collect, process, store, and transfer personal information within Chinese jurisdiction. PIPL establishes fundamental principles for lawful processing, requires explicit consent for sensitive data handling, mandates data localization for critical information infrastructure operators, and imposes significant penalties for violations. The law mirrors aspects of European GDPR while incorporating unique Chinese characteristics, including specific provisions for cross-border data transfers and enhanced protections for minors' personal information.
Data Controller: The legal entity that determines the purposes and means of personal data processing activities, bearing primary responsibility for compliance with data protection regulations. Controllers must establish lawful bases for processing, implement appropriate technical and organizational measures, respond to data subject requests, conduct privacy impact assessments, and maintain records of processing activities. In marketing contexts, controllers often include advertisers, publishers, and technology platforms that collect user data for targeting, measurement, or personalization purposes.
Cross-border Data Transfer: The movement of personal data from one jurisdiction to another, requiring specific legal mechanisms to ensure adequate protection levels in destination countries. Organizations must implement safeguards such as adequacy decisions, standard contractual clauses, binding corporate rules, or additional security measures when transferring data to countries lacking equivalent protection standards. These transfers have become increasingly complex as regulators scrutinize international data flows, particularly involving countries with different surveillance frameworks or legal systems.
Unified Social Credit Code: A standardized 18-character identifier assigned to Chinese legal entities and organizations, combining previous separate registration numbers into a single identification system. This code serves as the primary business identifier for regulatory compliance, tax obligations, and administrative procedures, including the new DPO registration requirements. Organizations must ensure consistency between their unified social credit code registration information and data protection filings, as discrepancies can result in compliance issues or application rejections.
Data Localization: Legal requirements mandating that certain categories of personal data must be stored and processed within specific geographic boundaries, typically the country where the data was collected. China implements strict data localization rules for critical information infrastructure operators and requires data protection impact assessments for cross-border transfers exceeding specified thresholds. These requirements significantly impact multinational marketing operations, forcing organizations to redesign technical architectures and data flows to maintain compliance while preserving operational efficiency.
Information Reporting Subject: The organizational entity responsible for submitting data protection compliance documentation to regulatory authorities, typically the legal entity that serves as the data controller within a corporate structure. For multinational organizations or corporate groups, determining the appropriate reporting subject requires careful analysis of legal relationships, data processing activities, and regulatory obligations across different subsidiaries or affiliates. Head offices can often serve as unified reporting subjects for multiple related entities, streamlining compliance procedures while maintaining clear accountability structures.
Personal Information Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction. This broad definition encompasses virtually all interactions with personal data in marketing contexts, from initial data collection through analytics, targeting, measurement, and eventual deletion. Organizations must document processing purposes, implement appropriate safeguards, and ensure processing activities align with stated purposes and legal bases.
Monthly Active Users (MAU): A key performance metric measuring the number of unique individuals who engage with a platform, application, or service within a 30-day period, commonly used to assess user engagement and platform growth. For data protection compliance, MAU figures help organizations determine whether they exceed regulatory thresholds triggering additional obligations, such as China's 1 million individual requirement for DPO reporting. Accurate MAU calculation requires sophisticated data deduplication and identity resolution to avoid counting the same individual multiple times across different devices or sessions.
Substantial Change: A legal concept defining modifications to organizational structure, data processing activities, or compliance posture that trigger mandatory regulatory notifications or updated filings. Under China's DPO registration requirements, substantial changes include modifications to basic organizational information, legal representative details, DPO assignments, or significant alterations to data processing systems and applications. Organizations must establish internal monitoring systems to identify substantial changes and ensure timely regulatory notifications, as failure to report changes within specified timeframes can result in compliance violations and potential penalties.