---
title_en: "Data Security Technology — Security Requirements for Processing Sensitive Personal Information (GB/T 45574-2025)"
title_zh: "数据安全技术 敏感个人信息处理安全要求 (GB/T 45574-2025)"
abbreviation: "GB/T 45574"
hierarchy: "standard"
issuing_body: "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["pipl"]
domains: ["personal-information"]
url: https://datacompliancechina.com/laws/gbt-45574-sensitive-pi-processing-security/
summary: "GB/T 45574-2025 is a recommended national standard setting security requirements for processing sensitive personal information (敏感个人信息) as defined by PIPL Article 28. It addresses the heightened safeguards that attach across the lifecycle when handling sensitive PI — separate (and where required written) consent, specific-purpose and strict-necessity limits, intensified impact assessment, and enhanced technical and organizational controls. It complements the TC260 sensitive-PI identification guide by specifying how, once identified, sensitive PI must be protected."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/gbt-45574-sensitive-pi-processing-security/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Data Security Technology — Security Requirements for Processing Sensitive Personal Information (GB/T 45574-2025)", https://datacompliancechina.com/laws/gbt-45574-sensitive-pi-processing-security/
> *DCC summary, not a translation.* GB/T 45574-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text.

## Scope

GB/T 45574-2025 specifies **security requirements for processing sensitive personal information** — personal information that, if leaked or unlawfully used, would readily harm a natural person's dignity or endanger personal or property safety (PIPL Article 28). It applies to handlers that process sensitive personal information, and is a reference for regulators and assessors.

It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series, and is the protection-requirements counterpart to the TC260 *Sensitive Personal Information Identification Guide* (which addresses how to recognize sensitive PI in the first place).

## Key contents

At a structural level the standard is expected to cover:

- **General requirements** for handling sensitive personal information, applying PIPL's specific-purpose, strict-necessity and heightened-protection principles.
- **Lawful basis and consent** — implementation of separate consent, and written consent where laws or regulations so require, plus guardian consent for minors under 14.
- **Notice obligations** — the additional matters that must be disclosed when processing sensitive PI, including necessity and the impact on the individual.
- **Lifecycle security controls** — enhanced safeguards for collection, storage (e.g., encryption, access control), use, provision, public disclosure and deletion of sensitive PI.
- **Impact assessment** — the intensified PIPIA expected before processing sensitive PI.
- **Governance and accountability** — organizational measures, recordkeeping and oversight specific to sensitive-PI processing.

> *Editor: verify specific clauses against the published standard.*

## How it fits the regime

GB/T 45574 operationalizes the **sensitive-personal-information regime of PIPL**. PIPL **Article 28** defines sensitive personal information and limits its processing to specific purposes with strict necessity and protective measures; **Article 29** requires **separate consent** (and written consent where law requires); **Article 30** adds notice obligations (the necessity of processing and its impact on the individual); and **Article 55** requires a PIPIA before processing sensitive PI.

This standard supplies the security and implementation detail behind those statutory duties — the "how to protect" half of the sensitive-PI picture, where the **TC260 Sensitive Personal Information Identification Guide** supplies the "how to identify" half. For overseas compliance teams, it is the reference for engineering and governing the handling of biometric, health, financial, whereabouts, minors' and other sensitive data in China, and it builds on GB/T 35273, the notice-and-consent guide, and the impact-assessment standard.
