DCC summary, not a translation. GB/T 35273-2020 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s structure and requirements, for overseas compliance teams.
Scope
GB/T 35273-2020 specifies principles and security requirements for the processing of personal information — covering collection, storage, use, sharing, transfer, public disclosure and deletion — together with requirements for security incident handling and for the personal-information security management organization. It applies to organizations of all kinds that process personal information through any channel, and is intended both to guide handlers in their practice and to serve as a reference for regulators, third-party assessors and others supervising or evaluating personal-information protection.
It is a recommended (GB/T, 推荐性) standard — not legally mandatory in itself — but it is the most widely cited practical benchmark in China’s personal-information regime.
Key contents
The standard is built around a set of basic principles and then proceeds lifecycle-stage by lifecycle-stage.
Basic principles. Accountability (权责一致), purpose specification (目的明确), choice and consent (选择同意), minimum necessity (最少够用), openness and transparency (公开透明), security safeguards (确保安全) and subject participation (主体参与). It defines and distinguishes personal information and sensitive personal information, with illustrative lists in its annexes.
Collection. Lawfulness of collection; the minimum-necessity rule; the requirement to obtain consent (and, for sensitive personal information, explicit consent); enumerated exceptions to consent; and a privacy-policy (隐私政策) content specification.
Storage. Minimization of retention period; de-identification and encrypted storage of sensitive personal information; and rules on cessation of operations.
Use. Access controls and display restrictions (e.g., masking); limits on use and on aggregation/portrait building; restrictions on automated decision-making and information-system-based decisions; and rules on entrusted processing, sharing, transfer and public disclosure — including the security due-diligence and recordkeeping a handler must perform before sharing or transferring, and the special rules for transfer on merger/acquisition.
Subject rights. Mechanisms for access, correction, deletion, withdrawal of consent, account cancellation and obtaining a copy of personal information, and responding to subject requests.
Security incident handling. Emergency response planning, incident disposal, and notification of affected individuals and authorities.
Organizational management. Appointment of a person responsible for personal-information protection and a working body; data-security impact assessment; audits; staff management and training; and security of the processing systems.
The annexes provide reference lists of personal information and sensitive personal information, a model privacy-policy template, and guidance on obtaining consent.
How it fits the regime
GB/T 35273 is the ancestor standard of China’s personal-information regime. Its 2017 first edition and 2020 revision long predated the Personal Information Protection Law (PIPL), and much of PIPL’s architecture — the consent rules, the sensitive-PI category, the notice/privacy-policy obligations, subject rights and the data-protection impact assessment — tracks concepts this standard developed first.
Since PIPL took effect (1 November 2021), the statute is the binding source of obligation. But GB/T 35273 remains the operational benchmark: it is far more granular than the law, and regulators, certification bodies and assessors continue to treat conformance with it as evidence of good practice. For overseas compliance teams, it is the document to consult when PIPL states a principle and you need the concrete, field-tested implementation detail. It also underpins more specialized downstream standards (impact assessment, de-identification, notice-and-consent) that build on its vocabulary.