Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 35273

Information Security Technology — Personal Information Security Specification (GB/T 35273-2020).

信息安全技术 个人信息安全规范 (GB/T 35273-2020)

FILED UNDER · Personal Information

DCC summary, not a translation. GB/T 35273-2020 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s structure and requirements, for overseas compliance teams.

Scope

GB/T 35273-2020 specifies principles and security requirements for the processing of personal information — covering collection, storage, use, sharing, transfer, public disclosure and deletion — together with requirements for security incident handling and for the personal-information security management organization. It applies to organizations of all kinds that process personal information through any channel, and is intended both to guide handlers in their practice and to serve as a reference for regulators, third-party assessors and others supervising or evaluating personal-information protection.

It is a recommended (GB/T, 推荐性) standard — not legally mandatory in itself — but it is the most widely cited practical benchmark in China’s personal-information regime.

Key contents

The standard is built around a set of basic principles and then proceeds lifecycle-stage by lifecycle-stage.

Basic principles. Accountability (权责一致), purpose specification (目的明确), choice and consent (选择同意), minimum necessity (最少够用), openness and transparency (公开透明), security safeguards (确保安全) and subject participation (主体参与). It defines and distinguishes personal information and sensitive personal information, with illustrative lists in its annexes.

Collection. Lawfulness of collection; the minimum-necessity rule; the requirement to obtain consent (and, for sensitive personal information, explicit consent); enumerated exceptions to consent; and a privacy-policy (隐私政策) content specification.

Storage. Minimization of retention period; de-identification and encrypted storage of sensitive personal information; and rules on cessation of operations.

Use. Access controls and display restrictions (e.g., masking); limits on use and on aggregation/portrait building; restrictions on automated decision-making and information-system-based decisions; and rules on entrusted processing, sharing, transfer and public disclosure — including the security due-diligence and recordkeeping a handler must perform before sharing or transferring, and the special rules for transfer on merger/acquisition.

Subject rights. Mechanisms for access, correction, deletion, withdrawal of consent, account cancellation and obtaining a copy of personal information, and responding to subject requests.

Security incident handling. Emergency response planning, incident disposal, and notification of affected individuals and authorities.

Organizational management. Appointment of a person responsible for personal-information protection and a working body; data-security impact assessment; audits; staff management and training; and security of the processing systems.

The annexes provide reference lists of personal information and sensitive personal information, a model privacy-policy template, and guidance on obtaining consent.

How it fits the regime

GB/T 35273 is the ancestor standard of China’s personal-information regime. Its 2017 first edition and 2020 revision long predated the Personal Information Protection Law (PIPL), and much of PIPL’s architecture — the consent rules, the sensitive-PI category, the notice/privacy-policy obligations, subject rights and the data-protection impact assessment — tracks concepts this standard developed first.

Since PIPL took effect (1 November 2021), the statute is the binding source of obligation. But GB/T 35273 remains the operational benchmark: it is far more granular than the law, and regulators, certification bodies and assessors continue to treat conformance with it as evidence of good practice. For overseas compliance teams, it is the document to consult when PIPL states a principle and you need the concrete, field-tested implementation detail. It also underpins more specialized downstream standards (impact assessment, de-identification, notice-and-consent) that build on its vocabulary.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

1 brief references this law.

  • § 01 · GBT-35273

    From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard

    On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.

    gbt-35273 · personal-information · pipl
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.