Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 45574

Data Security Technology — Security Requirements for Processing Sensitive Personal Information (GB/T 45574-2025).

数据安全技术 敏感个人信息处理安全要求 (GB/T 45574-2025)

FILED UNDER · Personal Information

DCC summary, not a translation. GB/T 45574-2025 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.

Scope

GB/T 45574-2025 specifies security requirements for processing sensitive personal information — personal information that, if leaked or unlawfully used, would readily harm a natural person’s dignity or endanger personal or property safety (PIPL Article 28). It applies to handlers that process sensitive personal information, and is a reference for regulators and assessors.

It is a recommended standard in the “Data Security Technology” (数据安全技术) series, and is the protection-requirements counterpart to the TC260 Sensitive Personal Information Identification Guide (which addresses how to recognize sensitive PI in the first place).

Key contents

At a structural level the standard is expected to cover:

  • General requirements for handling sensitive personal information, applying PIPL’s specific-purpose, strict-necessity and heightened-protection principles.
  • Lawful basis and consent — implementation of separate consent, and written consent where laws or regulations so require, plus guardian consent for minors under 14.
  • Notice obligations — the additional matters that must be disclosed when processing sensitive PI, including necessity and the impact on the individual.
  • Lifecycle security controls — enhanced safeguards for collection, storage (e.g., encryption, access control), use, provision, public disclosure and deletion of sensitive PI.
  • Impact assessment — the intensified PIPIA expected before processing sensitive PI.
  • Governance and accountability — organizational measures, recordkeeping and oversight specific to sensitive-PI processing.

Editor: verify specific clauses against the published standard.

How it fits the regime

GB/T 45574 operationalizes the sensitive-personal-information regime of PIPL. PIPL Article 28 defines sensitive personal information and limits its processing to specific purposes with strict necessity and protective measures; Article 29 requires separate consent (and written consent where law requires); Article 30 adds notice obligations (the necessity of processing and its impact on the individual); and Article 55 requires a PIPIA before processing sensitive PI.

This standard supplies the security and implementation detail behind those statutory duties — the “how to protect” half of the sensitive-PI picture, where the TC260 Sensitive Personal Information Identification Guide supplies the “how to identify” half. For overseas compliance teams, it is the reference for engineering and governing the handling of biometric, health, financial, whereabouts, minors’ and other sensitive data in China, and it builds on GB/T 35273, the notice-and-consent guide, and the impact-assessment standard.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

1 brief references this law.

  • § 01 · GBT-35273

    From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard

    On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.

    gbt-35273 · personal-information · pipl
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.