---
title_en: "Data Security Technology — Security Requirements for Automated Decision-Making Based on Personal Information (GB/T 45392-2025)"
title_zh: "数据安全技术 基于个人信息的自动化决策安全要求 (GB/T 45392-2025)"
abbreviation: "GB/T 45392"
hierarchy: "standard"
issuing_body: "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["pipl"]
domains: ["personal-information", "algorithm-recommendation"]
url: https://datacompliancechina.com/laws/gbt-45392-automated-decision-security/
summary: "GB/T 45392-2025 is a recommended national standard setting security requirements for automated decision-making (自动化决策) that is based on personal information. It operationalizes PIPL's automated-decision-making rules — transparency, fairness, the prohibition on unreasonable differential treatment, opt-out for personalized push and marketing, and the right to an explanation and to refuse decisions made solely by automated means. It is a 2025 'Data Security Technology' series standard that complements the algorithmic-recommendation regime."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/gbt-45392-automated-decision-security/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Data Security Technology — Security Requirements for Automated Decision-Making Based on Personal Information (GB/T 45392-2025)", https://datacompliancechina.com/laws/gbt-45392-automated-decision-security/
> *DCC summary, not a translation.* GB/T 45392-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text.

## Scope

GB/T 45392-2025 specifies **security requirements for automated decision-making that relies on personal information** — that is, the use of personal information by computer programs to automatically analyze or assess individuals' behavior, habits, interests or status and to make decisions. It applies to handlers that conduct such automated decision-making, and is a reference for regulators and assessors.

It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series, sitting at the intersection of personal-information protection and the algorithm-governance regime.

## Key contents

At a structural level the standard is expected to cover:

- **General security requirements** for automated decision-making based on personal information, applying PIPL's transparency and fairness principles.
- **Transparency and fairness of outcomes** — requirements aimed at ensuring decision logic is appropriately disclosed and that results are reasonable and non-discriminatory.
- **Prohibition on unreasonable differential treatment** — controls against using automated decisions to apply unjustified differences in transaction price or terms to individuals (the "big-data price discrimination" concern).
- **Personalized push and marketing** — requirements to offer options not targeted to personal characteristics, or a convenient means to refuse.
- **Individual rights** — supporting the right to an explanation and the right to refuse decisions made solely through automated means where they significantly affect the individual.
- **Risk assessment, security measures and governance** for automated-decision systems.

> *Editor: verify specific clauses against the published standard.*

## How it fits the regime

GB/T 45392 operationalizes **PIPL Article 24**, which governs automated decision-making: it requires transparency and fair, reasonable outcomes; prohibits unreasonable differential treatment in transaction terms; requires that information push and commercial marketing using automated decision-making offer options not targeted to personal characteristics or an easy way to decline; and gives individuals the right to an explanation and to refuse decisions made *solely* by automated means where those decisions have a significant effect on their rights and interests. A PIPIA is required before automated decision-making under Article 55.

The standard supplies the security and implementation detail behind these duties, and dovetails with the **Provisions on the Administration of Algorithmic Recommendation in Internet Information Services** and the broader algorithm-governance framework. For overseas compliance teams running recommendation, pricing, scoring or profiling systems in China, it is the reference for designing those systems to meet both the personal-information and algorithm-governance expectations.
