Promulgated by: People’s Bank of China.
Document No.: PBOC Order [2025] No. 3.
Adopted at the 5th Executive Meeting of the People’s Bank of China on April 2, 2025. Promulgated May 1, 2025. Effective June 30, 2025.
Promulgation Order
The Measures for the Administration of Data Security in the Business Fields of the People’s Bank of China, having been deliberated and adopted at the 5th Executive Meeting of the People’s Bank of China on April 2, 2025, are hereby promulgated and shall come into force as of June 30, 2025.
Governor Pan Gongsheng
May 1, 2025
Measures for the Administration of Data Security in the Business Fields of the People’s Bank of China
Chapter 1 General Provisions
Article 1. In order to regulate the security administration of data in the business fields of the People’s Bank of China and to promote its development and utilization, these Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Law of the People’s Republic of China on the People’s Bank of China, the Regulations on the Administration of Network Data Security and other laws and administrative regulations.
Article 2. These Measures shall apply to the carrying out, within the territory of the People’s Republic of China, of processing activities relating to data in the business fields of the People’s Bank of China and the security supervision and administration thereof. Where other competent authorities have provisions, such provisions shall also be complied with in accordance with the law.
The “business fields of the People’s Bank of China” as used in these Measures means the business fields for which the People’s Bank of China undertakes supervision and administration responsibilities pursuant to laws and administrative regulations and the decisions of the CPC Central Committee and the State Council.
“Data in the business fields of the People’s Bank of China” as used in these Measures means network data not involving State secrets that is generated and collected within the business fields of the People’s Bank of China (hereinafter referred to as business data).
“Data processors” as used in these Measures means financial institutions as well as other institutions established or recognized upon the approval of the People’s Bank of China.
Article 3. Business data security work shall follow the principle of “whoever administers the business administers the business data, and whoever administers the business data administers the data security.” The People’s Bank of China bears the responsibility for guiding and supervising business data security. Data processors shall perform data security protection obligations, guard against risks such as the tampering, damage or leakage of business data or its unlawful acquisition or unlawful use, safeguard national security, the public interest and the lawful rights and interests of individuals and organizations, respect social morality and ethics, observe commercial ethics and professional ethics, and ensure the lawful, orderly and free flow of business data.
Article 4. Under the overall coordination of the national data security work coordination mechanism, the People’s Bank of China and its branches shall carry out business data security supervision and administration work in accordance with these Measures, and strengthen collaboration and cooperation as well as information communication on data security supervision and administration with other relevant competent authorities.
The relevant financial industry associations shall strengthen self-discipline administration, formulate codes of conduct and group standards for business data security in accordance with the law, and guide their members to strengthen business data security protection.
Article 5. Data processors are encouraged to actively carry out innovative applications of business data security, to promote, on the premise of ensuring security and compliance, the efficient circulation, development and utilization of business data, and to promote outstanding innovative achievements throughout the industry.
Chapter 2 Classification and Grading of Business Data and Overall Requirements
Article 6. The People’s Bank of China shall be responsible for formulating the relevant norms and standards for the classified and graded protection of business data, guiding the classified and graded protection of business data, and organizing the compilation of the catalogue of important data in the business fields of the People’s Bank of China and implementing dynamic management thereof.
Article 7. Data processors shall establish and improve a system and operating procedures for the classification and grading of business data. The implementation of business data classification and grading shall follow the system and procedures, and the classification and grading results shall undergo internal approval procedures.
Article 8. Data processors shall establish a business data resource catalogue and properly classify business data respectively from the aspects of business relevance, sensitivity and availability:
(I) identifying, for each data item, whether it is personal information, whether it is collected or generated externally, the list of information systems storing such data item, and the associated business categories.
(II) carrying out sensitivity classification according to the degree of harm caused to the lawful rights and interests of individuals or organizations or to the public interest where business data is leaked or unlawfully acquired or unlawfully used. The sensitivity of structured data items of business data shall be identified one by one; the sensitivity of unstructured data items of business data shall preferentially be identified according to the highest sensitivity identified among the divisible structured data items. Sensitive personal information, customer business information that may involve commercial secrets, and business information for which the scope of awareness should be strictly controlled within the business fields of the People’s Bank of China shall be identified as high-sensitivity data items.
(III) defining differentiated recovery point objectives (RPOs) for information systems according to the degree of impact on the normal operation of business caused after business data is tampered with or damaged, which shall be deemed the availability classification of business data.
Article 9. In accordance with relevant State provisions, business data shall be divided into three grades: general data, important data and core data. Important data means data in specific fields, of specific groups, in specific regions, or reaching a certain degree of precision and scale, that, once tampered with, damaged, leaked, or unlawfully acquired or unlawfully used, may directly endanger national security, economic operation, social stability, and public health and safety. Core data means important data that has a relatively high degree of coverage of, or reaches a relatively high degree of precision, a relatively large scale or a certain depth with respect to, a field, group or region, and that, once unlawfully used or shared, may directly affect political security.
The People’s Bank of China shall organize the determination of the specific catalogue of important data in accordance with relevant State provisions, and data processors shall accurately identify and declare whether the full set of business data stored by their institution constitutes important data or core data, and complete and report the content of the specific catalogue of important data.
The People’s Bank of China shall consolidate and form the specific catalogue of important data, and after it is examined and approved by the national data security work coordination mechanism, shall determine the processors of important data and inform them of their corresponding important data.
Except where separately specified, the protection obligations for important data set out in these Measures shall apply to core data.
Article 10. Data processors shall update the business data resource catalogue at least once a year, completely and accurately recording the data items stored in information systems and the corresponding identification content.
Article 11. Data processors shall earnestly perform the responsibility for business data security protection, clarify the responsibilities of the relevant internal departments for business data security protection, equip themselves with data security professionals commensurate with their business scope and service scale, and refine the rules and procedures for rewards and punishments in business data security protection.
Data processors that provide products or services to the public shall establish convenient channels for complaints and reports, and promptly accept and handle complaints and reports relating to business data security.
Processors of important data shall designate a security officer and a management institution for business data. The management institution shall earnestly perform the various responsibilities already specified by laws and administrative regulations. The business data security officer shall satisfy the conditions already specified as required by laws and administrative regulations, and shall be ensured to be able to effectively perform data security protection obligations and shall have the right to directly report the business data security situation to the People’s Bank of China.
Article 12. Data processors shall establish and improve a full-process business data security management system, clarify differentiated security protection measures in light of the classification and grading of business data, formulate operating procedures for business data processing activities and internal approval and authorization procedures relating to business data security, and clarify the retention requirements for records of operational implementation and approval authorization.
Where data items of different sensitivities are processed within the same business data processing activity and it is difficult to adopt differentiated security protection measures, the security protection measures corresponding to the high-sensitivity data items shall be adopted.
Article 13. Data processors shall, according to the division of duties among positions, formulate an annual training plan for business data security, and shall organize relevant education and training each year for the personnel participating in business data processing activities. The training content shall include the systems and standards relating to business data security, common knowledge of risk prevention, position responsibilities, protection measures and emergency response requirements for incidents.
Chapter 3 Full-Process Business Data Security Management Requirements
Article 14. Data processors shall strictly administer the privileged accounts, such as database administrator accounts of the information systems relating to the processing of business data, and the privileges of various business processing accounts, and shall immediately adjust privileges upon personnel changes. Data processors shall conclude confidentiality agreements with personnel whose accounts may use high-sensitivity data items.
Where a data processor stores core data, it shall conduct security background checks on the business data security officer and the key-position personnel who may use core data.
Article 15. Data processors shall adopt the following security protection management measures when collecting business data:
(I) except in the situation of collecting business data that has been disclosed on one’s own initiative or has otherwise been lawfully disclosed, when collecting business data, the consent of the individual or the authorization of the organization shall be obtained in accordance with laws and administrative regulations and the relevant provisions of the People’s Bank of China, and the corresponding notification obligation shall be fulfilled.
(II) where business data that has not yet been disclosed is collected other than directly from the individual or organization, the obligation of the data provider to ensure the lawfulness and authenticity of the source of the business data shall be specified in the contract or agreement. Where the data provider has not obtained the written consent of the individual or the written authorization of the organization, it shall also be required to produce the necessary supporting materials evidencing that the source of the business data is lawful and compliant and that the data is authentic.
(III) where business data is collected by means of manual entry, necessary verification measures shall be taken to ensure the accuracy of the business data entry, and the original vouchers for the collection of business data shall be retained in accordance with relevant management requirements.
(IV) in principle, original personal biometric information such as images shall not be collected. Where it is genuinely necessary to collect it, the relevant requirement scenarios shall be uniformly and normatively administered.
(V) collection and subsequent business data processing activities shall be carried out in accordance with the processing purposes, methods, scope and security protection obligations agreed in the contract or agreement with the data provider.
Article 16. Data processors shall, according to business needs, clarify the retention period of business data. Except for the performance of statutory duties or statutory obligations, high-sensitivity data items shall in principle not be stored on terminal devices or mobile media; where storage is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios.
Article 17. In business data use activities, data processors shall in principle not adopt an export method when using high-sensitivity data items, and shall in principle adopt only a verification method when using data items used for identity authentication. Where it is genuinely necessary to use high-sensitivity data items by an export method or to use data items used for identity authentication by other methods, the data processor shall uniformly and normatively administer the relevant requirement scenarios.
Except where displaying to an individual the business data relating to that individual at the individual’s request, and except as needed for the performance of statutory duties or statutory obligations, data processors shall in principle de-identify high-sensitivity data items before displaying them. Where display without de-identification is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios.
Article 18. Data processors shall examine whether the purpose of business data processing (加工) is consistent with the agreement under which the business data was collected; where business data needs to be used for training, they shall examine the authenticity, accuracy, objectivity and diversity of the training business data; where business data needs to be labeled, they shall examine, on a sampling basis, the reasonableness and accuracy of the labeling; where model evaluation and incentive rules need to be established, they shall examine whether the evaluation and incentive rules respect social morality and ethics and observe commercial ethics and professional ethics.
In business data processing activities, where a data processor processes high-sensitivity data items, it shall further clarify the security protection measures to be adopted and perform internal approval procedures; where automated decision-making services are provided to individuals based on data items generated from such processing, the data processor shall, in an appropriate manner, explain to the individuals the purpose of processing, the categories of personal information used for the processing, and the processing rules.
Article 19. Where a new data item generated by a business data processing activity is assessed to be of significantly lower sensitivity than the data item used for the processing, the data processor may, in accordance with the procedures, lower its sensitivity identification, so as to promote lawful and compliant development and utilization.
Where a new data item generated by a business data processing activity is assessed to be of significantly higher sensitivity than the data item used for the processing, the data processor shall raise its sensitivity identification and strengthen business data security protection.
Article 20. Except where transmitting to an individual the business data relating to that individual at the individual’s request, data processors shall in principle not use Internet information services such as email, instant messaging and online file storage, or mobile media, to transmit high-sensitivity data items. Where there is a genuine need, the data processor shall uniformly and normatively administer the relevant requirement scenarios.
Article 21. For business data provision activities required for conducting business, data processors shall verify the identity of the data recipient and adopt the following security protection management measures:
(I) for business data provision activities involving personal information, an assessment shall be made of whether the requirements of laws and administrative regulations are complied with. For other business data provision activities, an assessment shall be made of whether the agreement to keep commercial secrets is complied with.
(II) where the provision of business data to another data processor involves personal information and important data, the respective data security protection obligations of each party, the security protection measures to be adopted, the purpose, method and scope of data provision, the permitted data storage period, the restrictions on providing the data to third parties, and the obligation to notify of data security incidents shall be specified in the contract or agreement, and the performance by the data recipient of its agreed obligations shall be supervised.
(III) business data cleaning and conversion shall be carried out as agreed, the authenticity of the provided data shall be necessarily examined, and the data recipient shall not be misled.
(IV) except in cases of entrusted processing, high-sensitivity data items shall in principle not be provided to other data processors by an export method, and data items used for identity authentication shall in principle be provided by a verification method. Where it is genuinely necessary to provide high-sensitivity data items by an export method or to use data items used for identity authentication by other methods, the data processor shall uniformly and normatively administer the relevant requirement scenarios.
Article 22. Before providing important data to another data processor, or entrusting another data processor with the processing thereof, or jointly processing it, a data processor shall conduct a risk assessment in accordance with laws and administrative regulations and the relevant provisions of the People’s Bank of China, focusing on assessing the lawfulness and legitimacy of the data recipient’s data processing purposes and methods, the reasonableness of the need for the list of data items, the potential security risks of the data activities, the integrity and law-abidingness of the data recipient, the completeness of the content of the contract or agreement, and the security protection measures to be adopted.
Except for the performance of statutory duties or statutory obligations, where a data processor provides core data to another data processor in a situation reaching that prescribed by the State, it shall, before providing the business data, undergo a risk assessment carried out by the national data security work coordination mechanism via report by the People’s Bank of China. Data processors shall not evade the foregoing obligations by means such as splitting or conversion.
Where a processor of important data may affect the security of important data due to merger, division, dissolution, bankruptcy or the like, it shall, in accordance with the requirements of laws and administrative regulations, report in advance to the People’s Bank of China or the provincial branch of the People’s Bank of China at the place of its domicile a disposal plan for the important data, and shall explain in the plan the update of the content of the important data catalogue, the name and contact information of the data recipient, and other matters.
Article 23. Where a data processor adopts technologies such as privacy-enhancing computing (隐私计算) to promote the integration and innovative application of business data, it shall implement the requirements of items (I) through (III) of Article 21 of these Measures, and shall confirm that data processors other than its own institution cannot use the unencrypted original data, and that conducting correlation analysis with other data integration and innovative application activities cannot leak information beyond the agreed scope.
Article 24. Where a data processor provides data to outside the territory of the People’s Republic of China due to business or other needs, and a situation prescribed by the national cyberspace authority exists, it shall strictly comply with the relevant provisions thereof; where laws and administrative regulations and the relevant provisions of the People’s Bank of China contain domestic storage requirements, the business data shall also be stored simultaneously within the territory of the People’s Republic of China.
Where a situation requiring the declaration of a data export security assessment or the carrying out of protection certification or the like as prescribed by the national cyberspace authority is met, the data processor shall not adopt means such as splitting or conversion of business data to evade the relevant obligations.
Article 25. The People’s Bank of China shall, in accordance with relevant laws and the international treaties and agreements concluded or acceded to by the People’s Republic of China, or on the principle of equality and reciprocity, handle requests from foreign financial law-enforcement authorities for the provision of business data.
Article 26. Data processors shall review the purpose, list of data items, channels, time limits and de-identification of business data public disclosure activities, analyze and assess the possible adverse impacts, examine the lawfulness and authenticity of the business data, and disclose business data through the official channels specified by their institution. Where disclosure through other channels is genuinely necessary, the security protection measures to be adopted shall be specified and internal approval procedures performed.
In business data processing activities, data processors shall not disclose data items used for identity authentication, and shall in principle de-identify other high-sensitivity data items before disclosing them. Where disclosure without de-identification is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios.
Article 27. Data processors shall, in accordance with laws and administrative regulations and the relevant provisions of the People’s Bank of China, proactively delete business data where the processing purpose has been achieved, the processing purpose cannot be achieved, it is no longer necessary for achieving the processing purpose, or the agreed retention period has expired, and similar situations.
Where the deletion of business data is technically difficult to achieve, the data processor shall cease business data processing activities other than storage and the adoption of necessary security protection measures, and shall conduct a review at least once a year to confirm that the relevant business data cannot be used.
Article 28. Where a data processor entrusts the processing of business data, in addition to implementing the requirements of item (II) of Article 21 of these Measures, it shall also specify in the contract or agreement the important matters that the entrusted party is required to report, the implementation method and time-limit requirements for the transmission and deletion of business data after the completion of the entrusted processing matters, the obligation to cooperate with the institution’s supervision of its entrusted processing activities, and other matters, and shall supervise the entrusted party’s performance by means such as periodic assessment. For entrusted processing activities involving core data, the data processor shall conduct due diligence on the entrusted party in advance and further strengthen its supervision thereof.
Data processors shall incorporate business data entrusted processing activities into their business or information technology outsourcing management system, and strengthen risk management.
Where the People’s Bank of China has expressly required that a business not be carried out in the form of outsourcing, the relevant business data shall not be entrusted for processing.
Chapter 4 Full-Process Business Data Security Technical Requirements
Article 29. Data processors shall strengthen access control, adopt effective technical measures to control the data-use privileges of business data processing accounts, clarify the use scenarios of privileged accounts, and strengthen internal approval and authorization when they are used. When a privileged account is used to perform manual operations such as adding, deleting or modifying business data, prior approval and ex post review shall be carried out one by one. Before a privileged account is used to carry out automated operations, the correctness and security of the operation shall be necessarily checked.
Data processors shall strengthen security authentication, ensure the strength of the authentication passwords of business data processing accounts and privileged accounts, limit the number of retries after authentication failure, and accounts that may use high-sensitivity data items shall support multi-factor authentication or secondary authorization confirmation, and a re-authentication mechanism shall be established for situations such as timeout exit and changes in the access communication address.
Article 30. Data processors shall standardize log recording, clarify the information to be logged for business data processing activities, and meet the needs of data security risk tracing and incident handling.
The high-sensitivity data items recorded in the logs of business data processing activities shall in principle be de-identified. Where processing without de-identification is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios.
Data processors shall incorporate the logs of business data processing activities into the classified and graded management of business data, and implement security protection requirements.
Data processors shall retain the logs of business data processing activities for at least six months; for the logs of business data processing activities relating to information systems storing important data, they shall be retained for at least one year; for the logs of business data processing activities relating to information systems storing core data, they shall be retained for at least three years.
Records such as the logs of business data processing activities for the provision to another data processor, or the entrusted processing, of personal information and important data shall be retained for at least three years.
Article 31. Data processors shall preferentially collect business data by means of direct entry or interaction between information systems. Where business data is collected by means of direct entry, the identity of the person entering the data shall be verified; where high-sensitivity data items are collected by means of interaction between information systems, the identity of the data provider shall be verified.
Data processors shall adopt technical measures such as cross-verification of associated information to ensure, to the greatest extent possible, the accuracy of the business data collected.
Where a data processor collects business data from another data processor by means of an automated tool, it shall comply with the latter’s control rules for data collection, shall not interfere with the normal operation of network services, and shall not infringe upon the lawful operating rights and interests of other institutions’ network services.
Article 32. Data processors shall adopt the following security protection measures with respect to business data storage activities:
(I) effectively isolating the development and testing environment of information systems from the production environment.
(II) information systems storing important data shall meet the requirements of Level 3 of cybersecurity multi-level protection, and information systems storing core data shall meet the requirements of Level 4 of cybersecurity multi-level protection or the requirements for critical information infrastructure protection, and secure and trustworthy network products and services shall be preferentially procured.
(III) in principle, high-sensitivity data items shall be stored encrypted; where storage without encryption is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. Where the People’s Bank of China has special provisions on the use of commercial cryptography to protect business data storage, such provisions shall be implemented.
(IV) promptly assessing and adjusting the business data storage capacity. In accordance with the data recovery point objectives of information systems, properly performing redundant backups of production-environment business data, and periodically verifying, as required by the People’s Bank of China, the availability of the redundantly backed-up business data. Assessing whether the backup technical measures have the capability to guard against risks such as the production-environment business data and the redundantly backed-up business data being tampered with or damaged simultaneously, and strengthening security protection measures accordingly.
Article 33. Data processors shall clarify the de-identification processing strategy for high-sensitivity data items, and earnestly reduce the risk that de-identified business data can still be re-identified to a specific individual or organization.
Data processors shall establish a security control strategy for terminal devices and clarify the requirements for security protection measures. When business data is displayed or printed, technical measures shall be taken to identify the business processing account currently using the business data and the time of use.
Except where the security protection measures of the development and testing environment and the production environment are completely identical, where production-environment data items are used in the development and testing environment, internal approval procedures shall be performed and de-identification carried out.
Article 34. Data processors shall establish a risk assessment and control strategy for business data processing algorithms, and clarify the prevention or mitigation measures corresponding to risks such as interpretability and vulnerability, as well as the alternative plan for when the use of a processing algorithm to carry out automated decision-making is ceased.
Article 35. Data processors shall adopt the following security protection measures with respect to business data transmission activities:
(I) preferentially adopting technologies such as dedicated lines and virtual private networks to strengthen the security protection of business data transmission.
(II) improving access control and security isolation strategies, and strengthening admission control for the relevant terminal devices.
(III) in principle, high-sensitivity data items shall be transmitted encrypted to other data processors, other data centers or the Internet. Where transmission without encryption is genuinely necessary, the data processor shall uniformly and normatively administer the relevant requirement scenarios. Where the People’s Bank of China has special provisions on the use of commercial cryptography to protect business data transmission, such provisions shall be implemented.
(IV) promptly assessing and adjusting the transmission carrying capacity of communication lines, and strengthening the redundant backup of communication lines and the relevant software and hardware equipment.
Article 36. Data processors shall dynamically maintain the list of front-end gateways and application programming interfaces (APIs) through which their institution provides business data, and shall carry out security testing before the front-end gateways and APIs are changed and put into production, and immediately take remedial measures upon discovering risks or hidden dangers.
Where a data processor provides business data by adopting technologies such as privacy-enhancing computing, it shall establish a technical risk assessment and control strategy, and clarify the response measures for risks such as security being unverifiable and performance being unacceptable.
Article 37. Data processors shall formulate control rules on whether the business data disclosed by their institution may be collected by automated tools, and shall adopt necessary technical measures to ensure that the disclosed business data is not tampered with.
Article 38. Data processors shall clarify the destruction strategy for business data storage media, and standardize the destruction implementation method and process supervision procedures.
Chapter 5 Business Data Security Risk and Incident Management
Article 39. Data processors shall strengthen risk monitoring of business data processing activities, effectively identify the following risks and immediately take remedial measures:
(I) the existence of information whose publication or transmission is prohibited by laws and administrative regulations.
(II) the existence of malicious programs such as computer viruses, Trojans and ransomware, or defects such as data security vulnerabilities or low authentication password strength.
(III) failure of the security protection measures for high-sensitivity data items.
(IV) abnormal business data processing activities.
(V) insufficient carrying capacity for business data transmission or storage.
Article 40. Data processors shall strengthen risk monitoring of business data leakage, the unlawful peddling of business data, the processing of business data by impersonating the identity of their institution, and other negative public opinion concerning business data security relating to their institution, and shall immediately verify and dispose of relevant risks upon discovery.
Article 41. Where the People’s Bank of China and its branches notify of risks such as data security defects or vulnerabilities relating to business data, the data processor shall immediately verify and dispose of them, and provide accurate feedback on the situation in a timely manner as required by the notification.
Data processors are encouraged to provide the People’s Bank of China and its branches with business data security risk intelligence of industry-sharing value.
Article 42. Processors of important data shall, on their own or by entrusting a third-party assessment institution, conduct a risk assessment of business data once a year, and shall submit the risk assessment report for the previous year to the People’s Bank of China or the provincial branch of the People’s Bank of China at the place of their domicile before January 15 each year. In addition to the content already specified by laws and administrative regulations as subject to assessment, the risk assessment report shall also include the personnel training and routine management relating to the information systems storing important data, the implementation of the position responsibilities relating to business data, the cybersecurity multi-level protection evaluation and rectification, the implementation of protection measures, the risk monitoring and incident handling for the year, and other assessment content required by the People’s Bank of China.
Article 43. Data processors shall, in accordance with the incident-grading requirements of the National Cybersecurity Incident Contingency Plan and taking into account the scope and degree of impact, clarify the grading standards corresponding to business data security incidents:
(I) the standards for grading incidents of tampering with or damage to business data shall take into account factors such as the data recovery point objectives of information systems, the duration of inability to provide services normally, the number of affected business transactions and the amounts involved, the number of affected individuals or organizations, and the data items of different sensitivities lost and their corresponding scale.
(II) the standards for grading business data leakage incidents shall take into account factors such as the number of affected individuals or organizations, and the data items of different sensitivities leaked and their corresponding scale.
(III) security incidents involving the leakage, tampering or damage of core data or important data shall be graded as particularly major incidents and major incidents, respectively.
Article 44. Data processors shall properly grade business data security incidents, and upon the occurrence of a business data security incident, shall immediately take disposal measures, promptly notify users in accordance with provisions, and timely, accurately and completely report the incident situation as required by the People’s Bank of China.
Where a data recipient or an entrusted party of entrusted processing experiences a data security incident relating to the business data provided by the data processor, the data processor shall conduct an investigation and assessment, urge the relevant institution to immediately take remedial measures, and report to the relevant competent authority.
Processors of important data shall conduct an emergency response drill for business data security incidents at least once a year, and other data processors shall conduct an emergency response drill for business data security incidents at least once every three years.
Article 45. Data processors shall, against the security protection measure requirements set out in laws and administrative regulations and these Measures, as well as the implementation of their institution’s internal management systems and operating procedures relating to business data security, conduct a business data security compliance audit at least once every three years; processors of important data shall conduct a compliance audit relating to important data security at least once a year. After a major or particularly major incident occurs, a special audit shall be conducted. The audit shall focus on whether the business data resource catalogue is updated in a timely manner, whether the account privilege management of the relevant information systems is rigorous, whether the contracts or agreements relating to business data processing activities are complete, whether the security protection measures for high-sensitivity data items are effective, whether the management responsibilities for entrusted parties of entrusted data processing are implemented, whether the front-end gateways and APIs are continuously and securely maintained, whether data security risk monitoring is effective, whether the disposal of data security risks and incidents is timely, whether data export is compliant, whether the handling of data security complaints is timely, and similar matters.
Article 46. Data processors shall strengthen the management of the business data privileges used by risk-assessment personnel and audit personnel, and adopt necessary measures to ensure the business data security of the implementation process.
The high-sensitivity data items recorded in risk assessment reports and audit reports relating to business data shall be de-identified.
Where a data processor entrusts a third-party assessment institution or audit institution to carry out risk assessment or audit work relating to business data, it shall specify in the contract or agreement its data security protection obligations and corresponding responsibilities, and designate personnel of its institution to participate throughout the process. Where accounting and audit services are involved, the relevant business data security protection shall be further strengthened in accordance with the requirements of the national cyberspace authority and the financial authority.
Chapter 6 Legal Liability
Article 47. Where the People’s Bank of China and its branches discover that the business data processing activities of a data processor present relatively major security risks, they may conduct interviews with it and require it to take measures for rectification; where they discover clues of business data processing activities that affect or may affect national security, they may require the data processor to undergo a national security review in accordance with relevant State provisions.
The People’s Bank of China and its branches may, in accordance with their duties, carry out law-enforcement inspections of the implementation by data processors of their data security protection obligations relating to business data, and may, where necessary, jointly carry out law-enforcement inspections with other relevant competent authorities.
Article 48. Where the People’s Bank of China and its branches discover that a data processor has not performed obligations such as data export security assessment or protection certification in its business data processing activities, they shall transfer the relevant case information to the cyberspace authority at the same level and cooperate with it in the handling thereof.
Article 49. Where a data processor has not performed the data security protection obligations prescribed by these Measures and any of the following situations exists, the People’s Bank of China and its branches shall impose a penalty in accordance with Article 45 of the Data Security Law of the People’s Republic of China:
(I) failing to establish and improve a full-process business data security management system in accordance with the corresponding provisions of laws and administrative regulations.
(II) failing to organize and carry out business data security education and training in accordance with the corresponding provisions of laws and administrative regulations.
(III) failing to adopt corresponding technical measures and other necessary measures to ensure business data security in accordance with the corresponding provisions of laws and administrative regulations.
(IV) where a processor of important data has not designated a business data security officer and management institution.
(V) failing to effectively monitor business data security risks.
(VI) failing to immediately take remedial measures upon discovering business data security risks.
(VII) failing to immediately take disposal measures upon the occurrence of a business data security incident, failing to promptly notify users, or failing to report the incident situation as required.
(VIII) where a processor of important data has not conducted a risk assessment of business data once a year, or has not submitted the risk assessment report as required.
Article 50. Where the People’s Bank of China and its branches discover that a data processor carries out business data processing activities that exclude or restrict competition, or that harm the lawful rights and interests of individuals or organizations, they shall handle the matter in accordance with relevant laws and administrative regulations; where it falls within the administrative duties of other relevant competent authorities, they shall transfer the relevant case information and cooperate with them in the handling thereof.
Article 51. Where the People’s Bank of China and its branches discover that the business data processing activities carried out by a data processor are suspected of constituting an act in violation of public security administration or constituting a crime, they shall transfer the relevant case information to the public security organ, national security organ or other relevant competent authority at the same level, and cooperate with them in the handling thereof.
Article 52. Where a data processor experiences a business data security incident that causes harmful consequences, if it can prove that its institution has adopted data security protection measures in accordance with provisions and has immediately taken remedial measures, it shall be given a lighter or mitigated administrative penalty.
Where a data processor actively provides data security risk intelligence and assists in the timely discovery of major business data security risks, its conduct of failing to perform data security protection obligations but not yet causing harmful consequences shall be given a lighter or mitigated administrative penalty.
Article 53. Where staff of the People’s Bank of China and its branches engage in dereliction of duty, abuse of power or malpractice for personal gain in the course of the security supervision and administration of business data processing activities, they shall be sanctioned in accordance with the law.
Chapter 7 Supplementary Provisions
Article 54. Definitions of terms:
(I) Data item means the most basic and indivisible unit describing the structure of network data.
(II) Structured data item means a data item with a predefined abstract description of the data type, usually referring to a data item designated by a single field of a two-dimensional logical table of a database.
(III) Unstructured data item means a data item not suitable to be presented by a two-dimensional logical table of a database, such as images, video, audio and document files.
(IV) Terminal device means computer terminals, mobile smart terminals, audio-video and multimedia equipment, and other dedicated terminal devices used by a data processor in business data processing activities.
(V) Export method means an operating method in data use or provision activities by which business data that originally has strict access-privilege control and access logging is converted into a document file without strict access control or without access logging.
(VI) Verification method means an operating method in business data use or provision activities by which, after verification and validation, only whether there is a match with the stored business data is fed back.
(VII) Uniform and normative administration means that a data processor centrally enumerates, in its institution’s systems or operating procedures, the situations in which the principle-based compliance requirements set out in these Measures are not implemented, and explains the necessity of retaining such situations, the corresponding security protection measures to be adopted, and the necessary internal approval procedures to be performed.
Article 55. The People’s Bank of China shall be responsible for the interpretation of these Measures.
Article 56. These Measures shall come into force as of June 30, 2025.