---
title_en: "Implementation Rules for Personal Information Protection Certification"
title_zh: "个人信息保护认证实施规则"
abbreviation: "PI Certification Rules"
hierarchy: "rule"
issuing_body: "State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC)"
adopted_date: 2022-11-18
effective_date: 2022-11-18
status: "effective"
source_url: "https://www.cac.gov.cn/2022-11/18/c_1670399936983876.htm"
related_laws: ["pipl", "cross-border-pi-certification-measures", "pi-protection-certification-announcement"]
domains: ["personal-information", "cross-border"]
url: https://datacompliancechina.com/laws/pi-protection-certification-implementation-rules/
summary: "The Implementation Rules for Personal Information Protection Certification, issued as the annex to SAMR and CAC Joint Announcement No. 37 of 2022 on November 18, 2022, operationalize the certification pathway that PIPL Article 38(2) authorizes for cross-border transfers of personal information and that simultaneously governs domestic personal information protection certification. The Rules establish a three-stage certification model — technical verification, on-site audit, and post-certification supervision — grounded in GB/T 35273 (Personal Information Security Specification) for all personal information handlers, with the additional requirement that handlers engaged in cross-border processing activities comply with TC260-PG-20222A (Security Certification Specification for Cross-border Personal Information Processing Activities). Certification certificates are valid for three years, subject to ongoing supervisory audits, and may be suspended or revoked for non-compliance; certified handlers may display the corresponding certification mark (with a distinct cross-border variant). The Rules were subsequently supplemented by the Measures for the Certification of the Cross-border Provision of Personal Information (effective January 1, 2026), which specifically governs the cross-border certification route; overseas counsel advising on cross-border transfers should read the two instruments together, as the Implementation Rules set the foundational procedural framework that the 2026 Measures build upon."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/pi-protection-certification-implementation-rules/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Implementation Rules for Personal Information Protection Certification", https://datacompliancechina.com/laws/pi-protection-certification-implementation-rules/
**Promulgated jointly by:** State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC).
**Document No.:** Annex to Joint Announcement No. 37 of 2022 of the State Administration for Market Regulation and the Cyberspace Administration of China.
**Published on November 18, 2022. Effective November 18, 2022.**

---

**1. Scope of Application**

These Rules are formulated in accordance with the Regulations of the People's Republic of China on Certification and Accreditation. They set out the basic principles and requirements for conducting certification of personal information handlers' activities of collecting, storing, using, processing, transmitting, providing, disclosing, deleting, and cross-border transferring personal information and other processing activities.

**2. Certification Basis**

Personal information handlers shall meet the requirements of GB/T 35273 *Information Security Technology — Personal Information Security Specification*. Personal information handlers that engage in cross-border processing activities shall additionally meet the requirements of TC260-PG-20222A *Security Certification Specification for Cross-border Personal Information Processing Activities*. As a general rule, the latest versions of the foregoing standards and specifications shall apply.

**3. Certification Model**

The certification model for Personal Information Protection Certification is: **Technical Verification + On-site Audit + Post-certification Supervision**.

**4. Certification Implementation Procedures**

**4.1 Certification Application**

A certification body shall set out its requirements for certification application materials, including but not limited to basic materials of the certification applicant, the certification application form, and relevant supporting documents. The certification applicant shall submit certification application materials in accordance with the certification body's requirements. After reviewing the application materials, the certification body shall promptly notify the applicant whether the application has been accepted. Based on the application materials, the certification body shall determine the certification scheme — including the type and volume of personal information, the scope of personal information processing activities involved, and the information of the technical verification institution — and shall notify the certification applicant accordingly.

**4.2 Technical Verification**

The technical verification institution shall conduct technical verification in accordance with the certification scheme and shall issue a technical verification report to the certification body and the certification applicant.

**4.3 On-site Audit**

The certification body shall conduct an on-site audit and shall issue an on-site audit report to the certification applicant.

**4.4 Evaluation of Certification Results and Approval**

Based on the certification application materials, the technical verification report, the on-site audit report, and other relevant information, the certification body shall conduct a comprehensive evaluation and make a certification decision. Where certification requirements are met, a certification certificate shall be issued. Where certification requirements are not yet met, the certification body may require the certification applicant to rectify within a specified period; if the applicant still fails to meet the requirements after rectification, the certification body shall notify the certification applicant in writing that the certification process is terminated. Where it is discovered that the certification applicant or the personal information handler has engaged in conduct such as deception, concealment of information, or deliberate violation of certification requirements that materially affects the conduct of certification, the certification shall not be approved.

**4.5 Post-certification Supervision**

**4.5.1 Frequency of Supervision**

During the validity period of a certification, the certification body shall conduct ongoing supervision of the certified personal information handler and shall determine the supervision frequency on a reasonable basis.

**4.5.2 Content of Supervision**

The certification body shall adopt appropriate means to conduct post-certification supervision, to ensure that the certified personal information handler continues to meet certification requirements.

**4.5.3 Evaluation of Post-certification Supervision Results**

The certification body shall conduct a comprehensive evaluation of the post-certification supervision findings and other relevant information. Where the evaluation is passed, the certification certificate may continue to be maintained. Where the evaluation is not passed, the certification body shall take action to suspend or revoke the certification certificate according to the applicable circumstances.

**4.6 Certification Time Limits**

The certification body shall establish clear time limits for each stage of the certification process and shall ensure that the relevant work is completed within the required time limits. The certification applicant shall cooperate actively with the certification activities.

**5. Certification Certificates and Certification Marks**

**5.1 Certification Certificate**

**5.1.1 Maintenance of the Certification Certificate**

The validity period of a certification certificate is **three years**. During the validity period, the certification certificate is maintained in validity through post-certification supervision by the certification body. Where the certification applicant wishes to continue using the certificate after its expiry, the applicant shall submit a certification application to the certification body within six months before the expiry date. The certification body shall adopt the post-certification supervision approach and, for applicants that meet certification requirements, issue a new certificate.

**5.1.2 Variation of the Certification Certificate**

During the validity period of the certification certificate, where there is a change to the name or registered address of the certified personal information handler, or to the certification requirements or certification scope, the certification applicant shall submit a variation application to the certification body. The certification body shall, based on the content of the change, evaluate the variation application materials and determine whether the variation may be approved. Where technical verification and/or an on-site audit are required, these shall be conducted before the variation is approved.

**5.1.3 Cancellation, Suspension, and Revocation of the Certification Certificate**

Where a certified personal information handler no longer meets certification requirements, the certification body shall promptly suspend or revoke the certification certificate as appropriate. During the validity period of the certification certificate, the certification applicant may apply for suspension or cancellation of the certification certificate.

**5.1.4 Publication of the Certification Certificate**

The certification body shall publish information on the issuance, variation, suspension, cancellation, and revocation of certification certificates using appropriate means.

**5.2 Certification Marks**

Two categories of certification mark are established:

**(1) Personal Information Protection Certification Mark** — for use by certified personal information handlers that do not engage in cross-border processing activities. The mark displays the certification body identification code (ABCD).

**(2) Personal Information Protection Certification Mark (Cross-border)** — for use by certified personal information handlers that engage in cross-border processing activities. The mark displays the certification body identification code (ABCD).

**5.3 Use of Certification Certificates and Certification Marks**

During the validity period of the certification certificate, a certified personal information handler shall use the certification certificate and certification mark correctly in advertisements and other promotional materials in accordance with relevant regulations, and shall not mislead the public.

**6. Detailed Certification Implementation Rules**

A certification body shall, in accordance with the relevant requirements of these Rules, refine the certification implementation procedures and formulate scientifically sound, reasonable, and operationally workable detailed certification implementation rules, which shall be published and implemented.

**7. Certification Responsibilities**

The certification body shall be responsible for the on-site audit conclusions and the certification conclusions. The technical verification institution shall be responsible for the technical verification conclusions. The certification applicant shall be responsible for the authenticity and legality of the certification application materials.
