Promulgated jointly by: State Administration for Market Regulation (SAMR) and Cyberspace Administration of China (CAC). Document No.: Annex to Joint Announcement No. 37 of 2022 of the State Administration for Market Regulation and the Cyberspace Administration of China. Published on November 18, 2022. Effective November 18, 2022.
1. Scope of Application
These Rules are formulated in accordance with the Regulations of the People’s Republic of China on Certification and Accreditation. They set out the basic principles and requirements for conducting certification of personal information handlers’ activities of collecting, storing, using, processing, transmitting, providing, disclosing, deleting, and cross-border transferring personal information and other processing activities.
2. Certification Basis
Personal information handlers shall meet the requirements of GB/T 35273 Information Security Technology — Personal Information Security Specification. Personal information handlers that engage in cross-border processing activities shall additionally meet the requirements of TC260-PG-20222A Security Certification Specification for Cross-border Personal Information Processing Activities. As a general rule, the latest versions of the foregoing standards and specifications shall apply.
3. Certification Model
The certification model for Personal Information Protection Certification is: Technical Verification + On-site Audit + Post-certification Supervision.
4. Certification Implementation Procedures
4.1 Certification Application
A certification body shall set out its requirements for certification application materials, including but not limited to basic materials of the certification applicant, the certification application form, and relevant supporting documents. The certification applicant shall submit certification application materials in accordance with the certification body’s requirements. After reviewing the application materials, the certification body shall promptly notify the applicant whether the application has been accepted. Based on the application materials, the certification body shall determine the certification scheme — including the type and volume of personal information, the scope of personal information processing activities involved, and the information of the technical verification institution — and shall notify the certification applicant accordingly.
4.2 Technical Verification
The technical verification institution shall conduct technical verification in accordance with the certification scheme and shall issue a technical verification report to the certification body and the certification applicant.
4.3 On-site Audit
The certification body shall conduct an on-site audit and shall issue an on-site audit report to the certification applicant.
4.4 Evaluation of Certification Results and Approval
Based on the certification application materials, the technical verification report, the on-site audit report, and other relevant information, the certification body shall conduct a comprehensive evaluation and make a certification decision. Where certification requirements are met, a certification certificate shall be issued. Where certification requirements are not yet met, the certification body may require the certification applicant to rectify within a specified period; if the applicant still fails to meet the requirements after rectification, the certification body shall notify the certification applicant in writing that the certification process is terminated. Where it is discovered that the certification applicant or the personal information handler has engaged in conduct such as deception, concealment of information, or deliberate violation of certification requirements that materially affects the conduct of certification, the certification shall not be approved.
4.5 Post-certification Supervision
4.5.1 Frequency of Supervision
During the validity period of a certification, the certification body shall conduct ongoing supervision of the certified personal information handler and shall determine the supervision frequency on a reasonable basis.
4.5.2 Content of Supervision
The certification body shall adopt appropriate means to conduct post-certification supervision, to ensure that the certified personal information handler continues to meet certification requirements.
4.5.3 Evaluation of Post-certification Supervision Results
The certification body shall conduct a comprehensive evaluation of the post-certification supervision findings and other relevant information. Where the evaluation is passed, the certification certificate may continue to be maintained. Where the evaluation is not passed, the certification body shall take action to suspend or revoke the certification certificate according to the applicable circumstances.
4.6 Certification Time Limits
The certification body shall establish clear time limits for each stage of the certification process and shall ensure that the relevant work is completed within the required time limits. The certification applicant shall cooperate actively with the certification activities.
5. Certification Certificates and Certification Marks
5.1 Certification Certificate
5.1.1 Maintenance of the Certification Certificate
The validity period of a certification certificate is three years. During the validity period, the certification certificate is maintained in validity through post-certification supervision by the certification body. Where the certification applicant wishes to continue using the certificate after its expiry, the applicant shall submit a certification application to the certification body within six months before the expiry date. The certification body shall adopt the post-certification supervision approach and, for applicants that meet certification requirements, issue a new certificate.
5.1.2 Variation of the Certification Certificate
During the validity period of the certification certificate, where there is a change to the name or registered address of the certified personal information handler, or to the certification requirements or certification scope, the certification applicant shall submit a variation application to the certification body. The certification body shall, based on the content of the change, evaluate the variation application materials and determine whether the variation may be approved. Where technical verification and/or an on-site audit are required, these shall be conducted before the variation is approved.
5.1.3 Cancellation, Suspension, and Revocation of the Certification Certificate
Where a certified personal information handler no longer meets certification requirements, the certification body shall promptly suspend or revoke the certification certificate as appropriate. During the validity period of the certification certificate, the certification applicant may apply for suspension or cancellation of the certification certificate.
5.1.4 Publication of the Certification Certificate
The certification body shall publish information on the issuance, variation, suspension, cancellation, and revocation of certification certificates using appropriate means.
5.2 Certification Marks
Two categories of certification mark are established:
(1) Personal Information Protection Certification Mark — for use by certified personal information handlers that do not engage in cross-border processing activities. The mark displays the certification body identification code (ABCD).
(2) Personal Information Protection Certification Mark (Cross-border) — for use by certified personal information handlers that engage in cross-border processing activities. The mark displays the certification body identification code (ABCD).
5.3 Use of Certification Certificates and Certification Marks
During the validity period of the certification certificate, a certified personal information handler shall use the certification certificate and certification mark correctly in advertisements and other promotional materials in accordance with relevant regulations, and shall not mislead the public.
6. Detailed Certification Implementation Rules
A certification body shall, in accordance with the relevant requirements of these Rules, refine the certification implementation procedures and formulate scientifically sound, reasonable, and operationally workable detailed certification implementation rules, which shall be published and implemented.
7. Certification Responsibilities
The certification body shall be responsible for the on-site audit conclusions and the certification conclusions. The technical verification institution shall be responsible for the technical verification conclusions. The certification applicant shall be responsible for the authenticity and legality of the certification application materials.