---
title_en: "Data Security Technology — Guide for Personal Information Protection by Small Personal Information Processors (Draft for Public Consultation)"
title_zh: "数据安全技术 小型个人信息处理者个人信息保护指南（征求意见稿）"
abbreviation: "Small PI Processor Protection Guide (Draft)"
hierarchy: "draft"
issuing_body: "National Information Security Standardization Technical Committee (TC260)"
status: "draft"
related_laws: ["pipl", "gbt-35273-pi-security-specification", "gbt-39335-pi-impact-assessment-guide", "gbt-45574-sensitive-pi-processing-security", "gbt-46068-cross-border-pi-certification-requirements"]
domains: ["personal-information"]
url: https://datacompliancechina.com/laws/small-pi-processor-protection-guide-draft/
summary: "A TC260 draft national standard implementing PIPL Article 62's mandate to write simplified personal-information rules for small processors — those handling fewer than 100,000 people's personal information, such as small merchants, sole proprietors, and community-service providers. It systematically scales down compliance expectations: oral or posted-notice consent in place of layered privacy policies, a five-year (rather than annual) compliance-audit cycle, a one-page impact-assessment worksheet (Annex D) instead of a formal PIPIA report, and SMS or phone verification for identity checks on rights requests. It also sets out four cross-border exemption scenarios and an audit exemption for processors already holding personal information protection certification. For overseas counsel, this is the practitioner-level document defining what proportionate PIPL compliance looks like at the smallest end of the market — the small merchants, franchisees, and local service providers that portfolio companies and platform counterparties often deal with in China."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/small-pi-processor-protection-guide-draft/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Data Security Technology — Guide for Personal Information Protection by Small Personal Information Processors (Draft for Public Consultation)", https://datacompliancechina.com/laws/small-pi-processor-protection-guide-draft/
**Promulgated by:** National Information Security Standardization Technical Committee (TC260), through the Guobiao (GB/T) recommended national standard process.
**Document No.:** GB/T XXXXX—XXXX (standard number and dates not yet assigned).
**Status:** Draft for public consultation (征求意见稿), issued April 30, 2026 (as reflected in the source draft filename); not yet adopted or effective.

---

## Foreword

This document is drafted in accordance with the rules set out in GB/T 1.1—2020, *Directives for Standardization — Part 1: Rules for the Structure and Drafting of Standardizing Documents*.

This document is proposed and administered by the National Information Security Standardization Technical Committee (SAC/TC260).

This document was drafted by the National Computer Network Emergency Response Technical Team/Coordination Center of China and its Beijing sub-center, the China Electronics Standardization Institute, Beijing Institute of Technology, Hisense Group Holding Co., Ltd., Beijing Kuaishou Technology Co., Ltd., the Data and Technology Support Center of the Office of the Central Cyberspace Affairs Commission, the State Information Center, the China Cybersecurity Review, Certification and Market Regulation Big Data Center, the National Information Technology Security Research Center, the China Industrial Information Security Development Research Center, Alibaba (Beijing) Software Services Co., Ltd., the China Institute of Cyberspace Studies, the China Academy of Industrial Internet (Cryptography Application Research Center, MIIT), Beijing Topsec Network Security Technology Co., Ltd., the 15th Research Institute of China Electronics Technology Group Corporation, the Shaanxi Network and Information Security Evaluation Center, the China Academy of Information and Communications Technology (CAICT), Ant Group Co., Ltd., Lenovo (Beijing) Co., Ltd., Beijing DeHeng Law Offices, Sangfor Technologies Inc., Beijing Shufeng Technology Co., Ltd., Zhengzhou Yunzhixin'an Security Technology Co., Ltd., Beijing Shu'anhang Technology Co., Ltd., Beijing Weihu Technology Co., Ltd., the National Computer Virus Emergency Response Center, Xi'an University of Posts and Telecommunications, Zhengzhou Xinda Jiean Information Technology Co., Ltd., China United Network Communications Group Co., Ltd., Shenzhen Lalamove Technology Co., Ltd., Venustech Group Inc., Shanghai Xunmeng Information Technology Co., Ltd., the Third Research Institute of the Ministry of Public Security, Beijing UnionPay Card Technology Co., Ltd., Jinlianhuitong Information Technology Co., Ltd., Rockontrol Technology Group Co., Ltd., and Shanghai Electronic Certification Authority Center Co., Ltd.

*(Editor's note: the original Foreword also names roughly 70 individual drafters; DCC omits that personal-name roster as immaterial to overseas counsel and retains the institutional drafting-unit list above.)*

## Introduction

Because small personal information processors operate at a smaller business scale, handle personal information concerning a smaller number of natural persons, and generally carry out simpler processing activities, they face a very different risk profile — and a very different protective capacity — from large platforms, and the harm to individuals' rights and interests from a security incident at a small processor differs sharply from harm at scale. This standard is issued to implement the requirement in Article 62 of the Personal Information Protection Law of the People's Republic of China (PIPL) that specialized personal information protection rules and standards be formulated for small personal information processors, and to provide concrete, technical implementation guidance for the (forthcoming) *Provisions on Simplified Personal Information Protection Measures for Small Personal Information Processors*. Its purpose is to guide small personal information processors toward a reasonable configuration of personal information protection measures while appropriately lowering compliance costs, and to promote lawful and compliant personal information processing by this group.

---

## 1. Scope

This document establishes the security protection principles applicable to small personal information processors when they process personal information, and sets out convenient security protection measures that small personal information processors are advised to adopt in their personal information processing activities.

This document applies to guiding personal information protection in the personal information processing activities of small personal information processors.

## 2. Normative References

The content of the following documents, through normative references in the text, constitutes indispensable provisions of this document. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.

GB/T 25069, *Information Security Technology — Terminology*

GB/T 35273, *Information Security Technology — Personal Information Security Specification*

GB/T 39335, *Information Security Technology — Guide for Personal Information Security Impact Assessment*

GB/T 45574, *Data Security Technology — Security Requirements for the Processing of Sensitive Personal Information*

GB/T 46068, *Data Security Technology — Security Certification Requirements for Cross-Border Processing Activities Involving Personal Information*

## 3. Terms and Definitions

The terms and definitions established in GB/T 25069 and GB/T 35273, together with the following term and definition, apply to this document.

**Small personal information processors (small personal information processors):** personal information handlers that process the personal information of not more than 100,000 people.

## 4. Overview

This standard first sets out the definition and scope of small personal information processors. It then establishes the overall security protection requirements applicable to small processors, including protection principles and the allocation of responsibility. It next provides specific, targeted guidance on the technical personal information protection measures small processors should apply across the personal information processing activities of collection, storage, use, processing, transmission, transfer, provision, disclosure, and deletion. In parallel, it provides specific, targeted guidance on the management measures small processors should apply in the areas of internal rules, personnel management, personal information impact assessment, compliance audit, security-incident response, and safeguarding the rights of individuals. Finally, its annexes provide concise, practical, and highly operable template examples for small processors to use as a reference.

## 5. Overall Security Protection Requirements

### 5.1 General Requirements

A small personal information processor's processing of personal information shall follow the principles of lawfulness, legitimacy, necessity, and good faith. The processor is responsible for its own personal information processing activities and shall take necessary measures to safeguard the security of the personal information it processes; simplifying personal information protection processes and lowering compliance costs must not create additional security risk.

### 5.2 Security Protection Principles

A small personal information processor carrying out personal information processing activities is advised to follow the following principles:

- **Baseline security principle** — a small processor should build security capability commensurate with its own business scale and the order of magnitude of the personal information it processes, and adopt necessary technical and management measures to safeguard the security of personal information.
- **Convenience and effectiveness principle** — on the premise of remaining compliant and effective, a small processor may reduce its cost burden through simplified means of giving and withdrawing consent and through convenient channels for safeguarding individuals' rights over their personal information.
- **Clear responsibility principle** — a small processor shall delineate clear boundaries of security responsibility, clarify its own security rights and obligations and those of related parties in personal information processing activities, and ensure that responsibility is traceable and risk is controllable, so that responsibility for personal information security is effectively discharged.

### 5.3 Implementing Personal Information Protection

When carrying out personal information protection work, a small processor is advised to reasonably select protection measures based on its own business scale, the order of magnitude of the personal information it processes, and the sensitivity of that personal information. Annex A sets out an implementation process for personal information protection by small processors.

When implementing personal information protection work, a small processor is advised to satisfy the following rules. Annex B sets out convenience guidance for small processors' data-processing scenarios.

- Where personal information processing activities rely on an internet platform, the small processor should give priority to a platform system that has passed a security assessment or certification, and should choose, or require, the platform to adopt necessary security measures to safeguard personal information security; the small processor itself adopts necessary security measures to discharge its own personal information protection obligations.
- Where personal information processing activities rely on a standardized system provided by a third party, the small processor is advised to choose, or require, the system service provider to adopt necessary security technical measures to assist the small processor in discharging its personal information protection obligations.
- Where personal information processing activities rely on the small processor's own technical capability, and the data-processing scenario is a single, simple function, the small processor shall ensure its personal information collection and processing activities fall within a necessary scope, and may adopt simple and convenient means of implementing consent, withdrawal of consent, and other protection measures.
- Where personal information is collected and processed by offline registration, the small processor is advised to keep paper registration materials in a filing cabinet accessible only to authorized personnel, and, once such materials are no longer in use, to destroy them by shredding, incineration, or similar means and retain a destruction record.

## 6. Technical Measures for Personal Information Protection

### 6.1 Personal Information Collection

Where a small personal information processor collects personal information on the basis of the individual's consent as the lawful basis for processing, it is advised to consider the following factors:

- Truthfully, accurately, and completely inform the individual of the small processor's name, the personnel handling personal-information-protection complaints and reports and their contact details, the purpose and method of processing the personal information, the categories of personal information processed, the retention period, and other matters — using notice methods that are as simple, convenient, and clear as possible, including but not limited to: for offline collection, oral notice or a notice posted in a prominent location at the place of business; for online collection, a service agreement, an audio or video message, or a pop-up reminder; where processing relies solely on a platform and the platform has already discharged the notice obligation, the small processor need not give separate notice.
- When ceasing operation of its product or service, avoid continuing to collect personal information on any ground.
- Collect only the personal information directly related to realizing the business function of the product or service.
- "Directly related" means that, without the participation of that item of personal information, the function of the product or service cannot be realized.

### 6.2 Personal Information Storage

A small personal information processor that stores personal information is advised to satisfy the following requirements:

- When storing personal information, apply protective measures to storage devices, media, and files — for example, placing them in a secure environment or setting a secure password.
- Other than necessary backups, minimize the copying and storage of personal information.
- The retention period for personal information shall be the shortest time necessary to achieve the purpose authorized by the individual concerned.
- Once the retention period has expired, delete the personal information directly.

### 6.3 Personal Information Use and Processing

A small personal information processor that uses and processes personal information is advised to satisfy the following requirements:

- Use and process personal information in accordance with the purpose, scope, method, and means already disclosed at the collection stage.
- Prevent personal information from being learned by any individual, organization, or institution unrelated to the processing purpose.
- Establish an approval procedure for material operations on personal information, such as bulk modification, copying, or downloading.
- Where personal information is processed using a third-party system, platform, or tool, retain basic information such as the name and provider of that third-party system, platform, or tool.
- Avoid using personal information to conduct automated decision-making; where necessary, avoid unfair differential treatment of different users in transaction price, transaction opportunity, or other transaction conditions when using personal information for automated decision-making, and, where information push notifications or marketing are conducted through automated decision-making, provide the individual with a convenient means of refusal.
- "Automated decision-making" means the activity of automatically analyzing and assessing an individual's behavioral habits, interests, or economic, health, or credit status through a computer program, and using that analysis to make decisions.

### 6.4 Personal Information Transmission and Transfer

A small personal information processor is advised to avoid publicly transmitting personal information over a network; when transmitting personal information, it is advised to avoid plaintext transmission, or to adopt certain security measures, such as encrypting the transmitted content or using an encrypted channel. Where the individual concerned requests that personal information be transferred to a personal information processor of their designation, the small processor is advised to provide a corresponding transfer channel; where this is technically difficult to achieve, the small processor should clearly inform the individual of that fact.

### 6.5 Entrusted Processing, Provision, and Disclosure of Personal Information

A small personal information processor is advised to avoid entrusting the processing of, providing, or disclosing personal information; where business needs make this genuinely necessary, it is advised to satisfy the following requirements:

- Where personal information processing is entrusted to a third party, avoid exceeding the scope of authorization and consent already obtained from the individual concerned.
- Where personal information is provided to another party, inform the individual concerned of the purpose and category of the information provided and its impact on the individual's rights and interests, obtain the individual's authorization and consent, and adopt necessary security measures for the personal information provided.
- Where personal information is disclosed, inform the individual concerned of the purpose and category of the disclosure and obtain the individual's separate consent, and it is advised that de-identification or other protective measures be applied to the disclosed personal information.

### 6.6 Deletion of Personal Information

A small personal information processor that deletes personal information is advised to satisfy the following requirements:

- Delete personal information promptly once the retention period disclosed at the collection stage has been exceeded, once the processing purpose disclosed at the collection stage has been achieved, or once the individual concerned has legitimate grounds to request that the small processor delete their personal information.
- Delete the personal information it holds promptly upon its own bankruptcy or dissolution, or where it can no longer continue to fulfill the personal-information processing purpose it committed to.
- Where deletion of personal information is technically difficult to achieve, the small processor may request technical assistance from the relevant authorities.

### 6.7 Processing of Sensitive Personal Information

A small personal information processor that processes sensitive personal information for a specific purpose is advised to satisfy the following requirements:

- Inform the individual of the necessity of processing sensitive personal information and its impact on the individual's rights and interests.
- Where an individual, with full knowledge, voluntarily cooperates in providing sensitive information such as facial or biological-sample information, the small processor may process that sensitive personal information in accordance with the purpose, method, and category already disclosed.
- A small processor whose activities involve the processing of sensitive personal information may refer to GB/T 45574, *Security Requirements for the Processing of Sensitive Personal Information*, and similar standards.

### 6.8 Cross-Border Provision of Personal Information

A small personal information processor providing personal information (excluding important data) outside China's borders is exempt from filing a declaration for the Data Export Security Assessment, executing the personal information Standard Contract, or obtaining Personal Information Protection Certification where it meets any one of the following conditions:

- The cross-border provision of personal information is genuinely necessary to conclude or perform a contract to which the individual is a party — for example, cross-border shopping, cross-border courier delivery, cross-border remittance, cross-border payment, cross-border account opening, flight or hotel booking, visa processing, or examination services.
- The cross-border provision of employee personal information is genuinely necessary to implement cross-border human-resources management under labor rules lawfully formulated and a collective contract lawfully concluded.
- The cross-border provision of personal information is genuinely necessary, in an emergency, to protect the life, health, or property safety of a natural person.
- The personal information handler, other than a critical information infrastructure operator, has provided outside China's borders, cumulatively since January 1 of the current year, the personal information (excluding sensitive personal information) of fewer than 100,000 people.
- A small processor whose activities involve cross-border processing of personal information may refer to GB/T 46068, *Security Certification Requirements for Cross-Border Processing Activities Involving Personal Information*, and similar standards.

## 7. Management Measures for Personal Information Protection

### 7.1 Internal Rules

A small personal information processor is advised to promptly formulate and issue internal management rules for personal information protection, covering necessary protection measures for personal information processing, personnel management, compliance audit, security-incident response, and safeguarding individuals' rights over personal information. A small processor's personal information processing rules may stand as an independent document or be included within its broader organizational management documents; a template is provided at Annex C.

### 7.2 Personnel Management

A small personal information processor is advised to properly establish a personnel management mechanism, satisfying the following requirements:

- Provide relevant security education to personnel involved in processing personal information, so that they understand the internal rules and their awareness of personal information protection is raised.
- Designate personnel responsible for personal information protection work.
- Based on actual need, set differentiated access and processing-operation permissions for personnel involved in processing personal information, and promptly revoke the accounts and permissions of personnel who leave their post or the organization.

### 7.3 Personal Information Impact Assessment

Where a small personal information processor uses personal information for automated decision-making, or entrusts the processing of, provides, or discloses personal information, it is advised to carry out a personal information protection impact assessment beforehand:

- The processor may simply complete the simplified personal information protection impact assessment worksheet in Annex D to record the processing situation, retaining it for at least three years, without the need to produce a standalone report, and adopt targeted protective measures based on the assessment result.
- Where this is technically difficult to achieve, the processor may entrust a third party to assist in completing it.

### 7.4 Compliance Audit

A small personal information processor, taking account of its own actual circumstances, is advised to periodically conduct an internal compliance audit of its compliance with laws and administrative regulations in processing personal information, considering the following factors:

- Conduct a personal information protection compliance audit at least once every five years.
- The processor may select the key items of a personal information protection compliance audit and prepare a streamlined self-inspection checklist covering those key items to carry out self-inspection; the self-inspection checklist shall be retained for at least five years.
- Where this is technically difficult to achieve, the processor may entrust a third party to assist in completing it.
- A small processor may pursue personal information protection certification through a personal information protection certification body; a small processor that has obtained personal information protection certification may, during the validity period of the certification, be exempted from conducting a personal information protection compliance audit.

### 7.5 Security-Incident Response

In responding to security incidents such as the leakage, tampering, or loss of personal information, a small personal information processor is advised to consider the following factors:

- Formulate an emergency response plan for personal information security incidents; once a security incident has occurred, or the processor discovers that one may have occurred, promptly report the relevant details of the incident to the relevant authorities (see the template at Annex E).
- Promptly take remedial measures in response to a security incident that has occurred or may occur; where the processor lacks the capacity to remedy the incident, it is advised to promptly report to and seek assistance from the relevant authorities.
- Where a security incident that has occurred or may occur endangers individuals' rights and interests in their personal information, promptly inform the affected individuals by an appropriate means such as orally, by SMS, or by telephone. Where it is difficult to notify each individual concerned individually, the processor may adopt a reasonable and effective means of issuing a public warning notice relevant to the affected public — for example, posting a notice in a prominent location at the place of business, or issuing an announcement by pop-up window within the client end of the product or service.
- Where the incident involves a criminal offense, promptly report it to the public security organs.

### 7.6 Safeguarding the Rights of Individuals over Their Personal Information

In responding to an individual's request to access, copy, correct, supplement, or delete their personal information, a small personal information processor is advised to consider the following factors:

- Respond promptly to the individual's rights request, providing the requested service after a simple verification of the individual's identity; identity verification may be conducted by telephone or SMS verification, and, where the processor relies on a mini-program or similar channel to provide its service, a corresponding function may be added within the mini-program's development.
- Where the processor's own technical conditions cannot currently accommodate the request, promptly and truthfully inform the individual of that fact and handle the request by the means that has the least impact on the individual's rights and interests — for example, where the processor relies on a mini-program or similar channel to provide its service, it may entrust the mini-program's development provider to assist in completing the request.

---

## Annex A (Informative) — Implementation Steps for Personal Information Protection by Small Personal Information Processors

Annex A sets out a general implementation process for personal information protection by small personal information processors, illustrated in Figure A.1. Using a supermarket as an illustrative scenario — a supermarket that processes the personal information of not more than 100,000 people cumulatively over the course of a year qualifies as a small personal information processor — its implementation steps proceed as follows:

- **Step 1:** Determine, against the definition of a small personal information processor, whether the supermarket qualifies as one. If it does, proceed to Step 2; if not, the process ends.
- **Step 2:** Identify what personal information the supermarket processes. Applying Annexes A and B of GB/T 35273, determine whether sensitive personal information or cross-border personal information processing is involved.
  - Where sensitive personal information processing is involved, refer to GB/T 45574-2025, *Security Requirements for the Processing of Sensitive Personal Information*; where cross-border personal information processing is involved, the exemptions available under the relevant national rules apply.
  - Where sensitive personal information processing is not involved, proceed to Step 3. Example: name and mobile number collected when registering a supermarket membership card are general personal information; facial-feature information captured by in-store cameras is sensitive personal information.
- **Step 3:** Identify which stages of general personal-information processing the supermarket's activities involve, and what measures should be taken at each stage.
  - Where personal information is used for automated decision-making, or is entrusted for processing, provided to others, disclosed, or otherwise involved in personal information processing activities that materially affect individuals' rights and interests, conduct a personal information protection impact assessment with reference to Annex D.
  - For the example supermarket, the relevant processing stages and corresponding measures are:
    - **Collection** (membership registration): post a notice in a prominent location in-store informing customers that registering a membership card requires collecting their name and mobile number, that this information is used only for the membership card, and that no other information is collected.
    - **Storage** (retaining member information): set passwords, updated periodically, on the computer and membership-management system storing member information, and prevent personnel unrelated to processing member information from knowing the password.
    - **Use and processing** (checkout with the membership card, balance inquiries, promotional push notifications to members): respond promptly to a member's balance inquiry, and may charge a reasonable fee for unusually frequent inquiries within a given period; obtain the member's own consent before sending (or mass-sending) in-store promotional discount messages, and restrict sending to designated in-store staff only.
    - **Deletion** (member cancels their membership; store closes): delete the member's personal information from the computer or membership-management system storing it, and format or physically destroy the hard drive, seeking technical guidance from the relevant authorities where necessary.
  - What management measures should be adopted?
    - **Rules and personnel requirements:** post the internal management rules in a prominent location in-store, and ensure in-store personnel understand their content (template at Annex C).
    - **Education and training:** reinforce day-to-day reminders and clarify points requiring attention, to raise in-store personnel's awareness of personal information protection.
    - **Routine management:** periodically inspect stored member personal information and the computers or devices storing it; once a security incident such as a personal information leak is discovered, proceed to Step 4.
- **Step 4:** What measures should be taken once a personal information security incident occurs?
  - Understand the circumstances of the incident.
  - Promptly report to the relevant authorities in accordance with the content set out in the security-incident report template at Annex E.
  - Where the leak, tampering, or loss of personal information could not be effectively prevented and has caused harm, notify affected members by SMS, telephone, or similar means; where a member cannot be reached, post a notice at the entrance disclosing the circumstances of the incident.

## Annex B (Informative) — Convenience Guidance for Typical Personal Information Processing Scenarios of Small Personal Information Processors

### B.1 General Personal Information Processing Scenarios

**B.1.1 Reliance on an internet platform.** By integrating internet-platform services, or operating a storefront on an internet platform, a small processor can lower its own development costs and the complexity of meeting compliance requirements.

- *Onboarding and reliance:* when operating on an internet platform (e-commerce, food delivery, intermediary platforms, etc.), expressly invoke and follow the platform's published privacy policy, emphasize to users that information will not be used beyond the platform's authorized scope, and set up a brief, clear privacy-commitment module on the storefront page.
- *Pop-up confirmation and logging:* when using platform services such as mini-programs, set an unavoidable notice pop-up or link on key pages (order page, registration page) that prompts the user to click to confirm, with the platform's backend automatically retaining a record of the user's consent action (IP address, timestamp, etc.).
- *Platform-embedded automated tools:* rely on functions the platform already provides — the statutory notice pop-up and click-logging built into a platform's order page, an e-commerce platform's "automatic clean-up on transaction completion" mechanism, cloud backup within chat tools, and similar features — to ease the burden on individual operators of keeping records and demonstrating compliance on their own.

**B.1.2 Reliance on a standardized system.** By adopting a standardized information system or management tool, a small processor can establish a process-driven personal information processing mechanism.

- *Self-service functions for users:* build a standardized "personal center" or "privacy management" module into the information system, letting users query, correct, or export their information, set notification preferences, and unbind, cancel, or pause the service with one click.
- *Structured display and layered consent:* in electronic agreements or online forms, use a standardized four-column table ("information type — processing purpose — recipient — retention period"), an embedded notice box, and layered opt-in consent (distinguishing necessary information from sensitive information) to display processing rules clearly and in structured form.
- *Automated deletion triggers:* build a systematic information-deletion mechanism — for example, "automatic clean-up seven days after parcel receipt," "system anonymization 90 days after successful payment," or "seller-side address automatically cleared 30 days after transaction completion" — driven by system rules to reduce manual intervention and the risk of oversight.

**B.1.3 Reliance on the processor's own technical capability.** Through self-developed or custom-commissioned digital tools, a small processor can improve user experience and its own control over information.

- *Diversified notice and confirmation channels:* use SMS, instant-messaging apps, and other technical means to give notice and obtain confirmation — for example, sending a standard SMS template with a link the user must click to confirm, or, in a WeChat group, using a sign-up ("接龙") tool combined with upfront notice, an opt-in checkbox, and an automatic timestamp.
- *Information grading and encryption management:* apply tiered technical management by sensitivity — for example, encrypted storage and access controls for sensitive information such as exercise prescriptions or fitness-test data; for online bookings, allowing users to provide only a building number rather than a precise unit number, with staff confirming the exact address on-site, reducing the granularity of information exposed.
- *Alternatives and user-selectable preferences:* offer technically implemented options on the front end of the service — for example, a choice of facial recognition, an access card, or a passcode for building-entry systems; or, for payment and notification scenarios, letting users choose their own payment method (per-use, membership, ETC) and notification channel (SMS, WeChat, phone), switchable at any time.

**B.1.4 Offline methods.** Simple interaction can also be achieved through physical media and face-to-face communication, without relying on any digitized system.

- *Prominent posted notices:* post a clearly printed *Brief Personal Information Processing Notice*, *Informed Consent Form*, *Notice*, or an illustrated *Vehicle Information Processing Disclosure* at the entrance, front desk, pickup counter, or bulletin board of the place of business.
- *Printed and standardized documents:* include a standalone personal information processing clause or attachment, in bold print, in registration forms and service agreements; use standardized paper documents such as a *Separate Consent Confirmation Form* or a *Supplementary Information Collection Notice*, signed or handwritten by the user on-site, and keep a paper file.
- *In-person window service and oral notice:* keep a physical service window or telephone hotline offering prompt in-person correction (verify identity, then correct and confirm on the spot), access (verify identity, then provide a paper copy), and deletion requests (phone or written request, with a response on the outcome); supplement telephone orders, on-site registration, or first contact with standardized oral notice.

### B.2 Typical Personal Information Processing Scenarios

#### B.2.1 Community Clinics and Small Medical Institutions

*Typical processing scenario and necessary personal information collected:* collection, during a patient visit, of the patient's name, contact details, medical history, visit records, biometric information, and similar data.

*Convenience guidance:*

1. It is advised that, on the registration form used at the visit, printed clauses in a prominent location set out the core elements — the personal information handler's name and contact details, the categories and purpose of the information collected, the retention period, and how the patient may exercise their rights. Beyond disclosure on the registration form and in the electronic system, it is advised that a *Brief Personal Information Processing Notice* be posted in a prominent location in the waiting area, listing in table form the categories of information, the processing purpose, the retention period, and how patients may exercise their rights. For an online booking system, it is advised that, before the user clicks "agree," the core content be displayed by pop-up window or an expandable menu, avoiding a lengthy, fully embedded privacy policy. For sensitive personal information such as medical history or biometric information, it is advised that a *Separate Consent Confirmation Form* be used, marking in bold the specific purpose of using the information and the consequences of refusal, confirmed by the patient's signature or electronic handwritten signature.
2. For non-core treatment purposes (such as health promotion or satisfaction follow-up), it is advised that the registration form include a separate "do not agree to receive non-treatment information" option, allowing the patient to selectively decline. For secondary use of information for research purposes, express opt-in consent should be obtained, and the patient should be informed that consent may be withdrawn at any time through the visit window, telephone, or online system, and that withdrawal will not affect the patient's ordinary course of treatment.

#### B.2.2 Community Property-Management Terminals

*Typical processing scenario and necessary personal information collected:* collecting the owner's name, contact details, and property information, used for access-control management, property-fee notices, and similar purposes.

*Convenience guidance:*

1. It is advised that the *Property Services Agreement* include, as a standalone attachment or dedicated section, a four-column table — "information type — processing purpose — recipient — retention period" — clearly presenting the personal information processing clauses. For new owners moving in, it is advised that a *Personal Information Processing Informed Consent Form* be issued at the time of handover, with the owner's signature confirming that they have been informed of the processing rules. For day-to-day services such as access control and fee notices, it is advised that a QR code be posted on the community bulletin board and at unit entrances, which owners may scan to view a simplified privacy policy. Where services are provided through a WeChat mini-program or app, the complete notice content should be displayed by "pop-up plus link" at the user's first registration or login, with the system backend automatically retaining a record of the confirmation once the user clicks to confirm.
2. It is advised that property service points maintain a service window covering an "information correction" function, so that an owner presenting proof of property ownership and identification may have their contact details or emergency contact updated on the spot, confirmed by the handling staff member's signature and updated in the property system.
3. For sensitive data such as facial information used in access control, it is advised that both online and offline withdrawal mechanisms be provided: an owner may submit a request to delete biometric information through the "privacy settings" module of the property's app, or submit a written request to the property service center, with technical deletion completed and the outcome reported back within three working days.
4. For access-control management, it is advised that a "choice of alternative method" be offered, letting owners choose facial recognition, an access card, or a passcode, without compelling the collection of biometric information; for fee-notice services, it is advised that a choice of notification channel (SMS, WeChat, paper notice) be offered at move-in registration, with owners permitted to adjust their preference at any time through the app.

#### B.2.3 Domestic-Service, Cleaning, Repair, and Locksmith Companies

*Typical processing scenario and necessary personal information collected:* collecting the user's name, contact details, and address in the course of providing an on-site service.

*Convenience guidance:*

1. It is advised that, on the order-confirmation page, an embedded information box concisely set out the necessity and retention period of collecting the name, phone number, and address (for example, "automatically deleted 30 days after the service is completed"). For customers who place orders by phone, it is advised that a standard SMS notice template be sent: "[Company name] will collect your address and phone number to provide the service, and will delete them 30 days after the service is completed." It is advised that the service technician give supplementary oral notice of the scope of information use before entering the home, and present the company's *Personal Information Protection Undertaking*.
2. The customer may request immediate deletion through the mini-program's "My Orders — Privacy Management" function or by calling the service hotline, and the company should respond within 24 hours.
3. For an order placed but not yet serviced, it is advised that a "one-click cancellation" function be provided, allowing the user to cancel the order and simultaneously withdraw authorization for use of their information within the app or mini-program, with the system automatically blocking the service technician's access to the information.
4. It is advised that the order-placement interface offer a choice of information granularity, allowing the user to provide only a building number and phone number rather than a precise unit number, with the exact unit confirmed by the technician on arrival; for post-service follow-up review requests, it is advised that a "default not agreed" preset option be used, requiring the user to actively opt in before receiving coupons or a satisfaction survey, so as to avoid default marketing push notifications.

#### B.2.4 Fitness and Wellness Providers (Gyms, Dance Studios, Yoga Studios, etc.)

*Typical processing scenario and necessary personal information collected:* collecting the user's personal information, contact details, and health data at membership registration.

*Convenience guidance:*

1. It is advised that the membership registration agreement attach an "information collection checklist" clearly distinguishing "necessary information" from "sensitive information" (such as health data), with collection of sensitive information requiring an "active opt-in plus second confirmation." For behavioral-trace information captured by in-store cameras, it is advised that a *Video Collection Notice* be posted in a prominent location at the entrance, stating the monitoring scope, retention period (e.g., "recordings retained for 30 days"), and how to access them. It is advised that a front-desk tablet or similar device be used to present the full processing flow in simple form, such as a short video or plain text. For an institution offering online booking or course management, the registration page of the app or mini-program should provide a notice link, requiring the user to check "I have read and agree to the Personal Information Protection Policy" before completing registration, with the system backend automatically recording the user's consent action along with IP address, time, and similar details.
2. For marketing push notifications, it is advised that both an SMS "unsubscribe code" and an in-app "turn off push notifications" option be offered; for membership cancellation, it is advised that a "one-click cancellation" flow be set up at the front desk or in the app, with system deletion completed within 15 days of confirmation, and biometric-information caches associated with turnstiles, lockers, and similar systems cleared within a defined period thereafter.
3. Sensitive information such as fitness-test data and exercise prescriptions should be stored under encryption (for example, on dedicated hardware) with access restricted to the designated personal trainer, and access permissions should be revoked when staff transfer or leave.
4. Depending on membership tier, basic members need only provide contact details, while premium members or those taking personal-training courses may optionally provide health data, but must separately sign a *Health Information Processing Authorization*, and must be clearly informed that "declining to provide it does not affect basic membership rights." For group-class recordings used for promotion, it is advised that a "consent checked class-by-class" mechanism be used, with each student independently consenting to use of their image before each session, and those who decline still able to be seated outside the filming area.

#### B.2.5 Small Training Institutions, Adult Night Schools, and Interest Classes

*Typical processing scenario and necessary personal information collected:* collecting and storing the student's and parent's name, mobile number, ID number, and similar information.

*Convenience guidance:*

1. Beyond what the contract provides, it is advised that a *Brief Personal Information Processing Disclosure* be posted in a prominent location at the reception desk and classroom entrance, in a "information category — processing purpose — recipient — retention period" four-column table listing the necessary information collected (student name, contact details, learning progress, etc.), and stating that "this institution does not provide personal information to outside parties, except where necessarily shared with a bank or payment platform for refunds or class-hour reconciliation." For an online enrollment system, the core clauses should be displayed by pop-up, link, or annotation before the user fills in their information, avoiding a lengthy privacy policy embedded in full. For minors' information, it is advised that a separate *Parental Informed Consent Form* be printed, stating in bold that "the guardian has the right to withdraw consent at any time, and withdrawal will not affect teaching services already provided."
2. It is advised that a "self-service personal information inquiry" entry point be set up in the institution's official account or student system, allowing the student or parent to export their course agreement, payment records, and attendance data in real time using their registered mobile number and a verification code.
3. For changes to a student's contact details or emergency contact, it is advised that both "phone confirmation for immediate correction" and "online request for asynchronous correction" be offered; after the front desk verifies identity by phone, the system update should be completed within one working day, with the outcome confirmed by SMS.
4. It is advised that the *Withdrawal Application Form* embed a "withdrawal of consent to personal information processing" checkbox, allowing the student, when withdrawing, to also request deletion of non-essential information such as class-hour records and grades. The institution should complete deletion within 15 working days and issue a confirmation document.

#### B.2.6 Offline Event Organizers (e.g., Lecture Hosts)

*Typical processing scenario and necessary personal information collected:* collecting participants' name and phone number for registration, potentially including event photographs.

*Convenience guidance:*

1. It is advised that the registration page include a concise notice box (recommended not to exceed 100 characters) stating that "the name and phone number collected will be used only for verification and contact for this event, and will be deleted within 30 days after the event ends," with the user's submission of their information deemed consent. For on-site registration, it is advised that a paper *Personal Information Processing Disclosure* be placed at the check-in table, with staff giving oral notice of the purpose for the participant's voluntary reading. For photography or video recording and archiving of the event, it is advised that an *Image Collection Notice* be posted prominently at the venue entrance, stating the scope of filming, the purpose of use (e.g., "for use in an event recap post"), the retention period, and how to decline (e.g., "you may be seated in an unfilmed area at the back").
2. *Right to deletion and withdrawal of consent:* it is advised that an email contact channel for withdrawal be provided, allowing a participant to cancel their registration and request deletion of their information via the contact email on the registration link before the event; after the event, it is advised that a dedicated mailbox be opened to handle photo-deletion requests, with staff completing an internal check and deleting the relevant images within five working days and confirming deletion by email.
3. For information such as group photos or close-up shots from the event that might reveal identity, it is advised that a "notice at the time, prompt deletion afterward" mechanism be used: the host announces on-site, "we will be photographing the event; anyone who does not wish to be photographed, please let a staff member know," and images of those who declined to be photographed are proactively deleted within seven days after the event.
4. At registration, it is advised that a choice between "basic information" and "full information" be offered — basic information being only name and phone number, with full information optionally adding organization, title, and similar details — letting participants decide for themselves which to provide. For use of event photographs, it is advised that "archival retention" and "promotional use" be treated as two separate layers of consent: the former, necessary for event organization, relies on contractual performance and needs no separate consent; the latter, used for official-account posts or institutional promotion, requires express consent, and those who decline to be filmed may still attend normally without discrimination in seating. For subsequent course promotion or lecture-notice push messages, it is advised that the registration form include a separate "willing to receive future event information" option, unchecked by default, with participants receiving such messages only after actively opting in, and each promotional SMS ending with a simple opt-out instruction such as "reply T to unsubscribe."

#### B.2.7 Food-Delivery Storefronts

*Typical processing scenario and necessary personal information collected:* obtaining the customer's delivery address, phone number, and order preferences through a third-party platform or a self-operated channel.

*Convenience guidance:*

1. It is advised that a combination of platform-rule incorporation and self-operated-channel supplementary notice be used. For orders received through a third-party platform (such as Meituan or Ele.me), the storefront should, when signing the platform's merchant-onboarding agreement, expressly incorporate the platform's published privacy policy, and use bold text or underlining to tell users "this store undertakes not to use your personal information beyond the platform's authorized scope," with the store's person in charge signing to confirm and retaining the agreement or an electronic screenshot. A privacy-commitment module should be set up in a prominent location on the storefront page, using plain text of no more than 150 characters stating "this store uses your information only for order delivery, for no other purpose." Where orders are taken through a self-operated mini-program, official account, or phone, an unavoidable notice pop-up should be set on the user's first order page, covering the store's name and contact details, the categories of information collected (delivery address, phone number), the processing purpose (order delivery), the retention period (deleted 30 days after order completion), and the user's rights. All notice records should be archived by screenshot or recording. In addition to consent obtained via the platform, it is advised that a *Brief Personal Information Processing Disclosure* be posted in a prominent location at the register or pickup counter, stating clearly that "this store obtains only the information necessary for order delivery through the platform, and does not separately collect other personal information from customers."
2. Where a delivery address is incorrect, it is advised that the user be allowed to correct it directly through the platform or by calling the store before delivery, with the store noting the correction in its order system and completing the update within one hour to avoid affecting delivery.
3. For historical order information, it is advised that both a "platform channel" and a "direct store deletion" path be offered; in addition to deleting through the platform, the user may call the store to request immediate deletion, with the store completing internal system clean-up and confirming deletion within 24 hours.
4. It is advised that the platform's order-remarks field or the mini-program's order page offer an "information retention preference" option, letting the user choose "delete contact details immediately after the meal" or "retain for 30 days for after-sales service." For the store's own membership program, it is advised that membership registration be kept separate from consent to marketing: the user's registration should collect only their mobile number, and marketing SMS or community invitations must use an "active opt-in" mechanism, unchecked by default, with each marketing SMS ending with a simple opt-out instruction such as "reply N to unsubscribe."

#### B.2.8 Community Group-Buying Organizers

*Typical processing scenario and necessary personal information collected:* compiling residents' purchase lists, delivery addresses, and home addresses.

*Convenience guidance:*

1. When a group is formed, the organizer should post a *Personal Information Processing Rules* announcement in the group, concisely stating the organizer's identity and contact details, the categories and purpose of information collected, the retention period, and members' rights, and requesting members to reply to confirm. For tools such as sign-up mini-programs or group-buying apps used to collect information, a notice summary should appear at the top of the sign-up page, with a QR code linking to the full notice content embedded, and participants must actively check "I have read and agree to the personal information processing rules" before first entering their information, with the system backend automatically recording the timestamp of the checkbox action. For new group members, the organizer should periodically (e.g., monthly) re-push the notice announcement to ensure continuity of disclosure. All notice screenshots and system records should be archived by month.
2. It is advised that an "my information" query entry be set up within the group-buying mini-program, letting residents self-check their participation records and delivery address; for a purely offline sign-up model, the group leader should maintain a *Participant Information Register* for reference, verifying identity before providing a photo or paper copy within three days when a resident requests to view their information.
3. It is advised that a rule be made clear that "leaving the group-buying group is deemed withdrawal of consent," with the group leader deleting the departing resident's address, phone number, and other information stored in the group's sign-up tool and the leader's own devices.
4. Where a resident needs to change their delivery address or phone number, it is advised that they be allowed to re-submit directly via the sign-up mini-program or group chat before the cut-off time, with the group leader updating the tally accordingly; for orders past the cut-off date, it is advised that the correction be confirmed by phone with the group leader and made manually, with the outcome communicated to the resident.
5. When providing their address, residents may choose to "provide only the building and unit number, with the exact door number confirmed on-site by the group leader at delivery," reducing the risk of exposing a precise address. For post-group-buying satisfaction follow-up or notice of the next group, it is advised that a "default not agreed" preset option be used; if the group leader wishes to contact residents after the group period ends, separate private consent must be obtained, and the leader must not publicly @-mention or mass-message marketing information in the group.

#### B.2.9 Parcel Pickup Stations

*Typical processing scenario and necessary personal information collected:* delivery address, contact details, and home address.

*Convenience guidance:*

1. It is advised that a combination of on-site disclosure and individual notice at pickup be used. Specifically, a *Personal Information Processing Notice* should be posted in a prominent location at the station's entrance, shelving, and pickup counter, covering the station's name and contact details, the source of the information (provided by the courier company), the processing purpose (parcel receipt and dispatch on behalf of the sender/recipient), the retention period (deleted seven days after parcel pickup), and the user's rights, in type no smaller than a specified minimum size, with a record kept by video surveillance or written log. Where the station notifies users of a pickup by SMS or WeChat, the message should embed a notice link or QR code, with the user's act of viewing it deemed receipt, and the corresponding send records archived.
2. It is advised that a "pickup automatically triggers deletion" mechanism be established, with the system automatically clearing the user's phone number and address 30 days after confirming the parcel has been collected. Users may also apply through the station's mini-program or by phone for earlier deletion, with the station completing internal system and SMS-record clean-up within three working days.
3. For long-term storage users, it is advised that a "pause collection service" function be provided, allowing the user to pause the pickup service with one click in the mini-program, upon which the station should immediately stop sending notification SMS and delete the reserved address information.
4. Users should be allowed to choose their preferred notification method — SMS, WeChat, Alipay, or phone — and to switch it at any time in "privacy settings." For a "photograph on pickup" service, it is advised that a "default not agreed" option be used, requiring the user's active authorization before a photo of the parcel is taken, with the photo used only for dispute resolution and automatically deleted within seven days of pickup; users may also request pickup without a photograph.

#### B.2.10 Parking-Lot Operators

*Typical processing scenario and necessary personal information collected:* collecting the license plate number and payment information via QR code, for fee calculation and payment-success notification.

*Convenience guidance:*

1. Beyond the notice on the QR-code payment page, it is advised that a *Vehicle Information Processing Disclosure* be posted in a prominent location at the parking lot's entrance booth, beside payment QR codes, and on interior pillars, using text and images to disclose that "the license plate is scanned to calculate the parking fee, the QR code is scanned for payment, and information is retained for 90 days after payment is completed." For contactless-payment users, it is advised that an "SMS notice plus click-to-confirm" approach be used at first sign-up, sending a notice message that the user must click a link to confirm. It is advised that a notice summary be embedded in the remarks field of the electronic invoice or payment receipt issued after successful payment, to reinforce user awareness.
2. Beyond cancellation via customer service, it is advised that an "unbind license plate" self-service function be set up in the mini-program, allowing the user to delete their license-plate information with one click in "my vehicles," with the system completing deletion and ending the billing association within 24 hours. For parking-surveillance footage, it is advised that the notice clearly state the retention period and how to access the footage, letting users request to view the segment involving their own vehicle, with the parking lot providing it and logging the access within five working days.
3. It is advised that the payment page offer a choice of payment method and information-retention preference: users may choose "single scan-and-pay (no information retained)," "membership contactless payment (license plate and payment information retained)," or "ETC-linked payment," each with different information-processing rules, switchable at any time. For long-term parkers, users may be allowed to choose their own retention period for parking records, with the system automatically anonymizing the data once that period expires.

#### B.2.11 Freelancers and Individual Service Providers (e.g., Photographers, Personal Trainers)

*Typical processing scenario and necessary personal information collected:* retaining the client's contact details via social media or a contract, with a photographer, for example, additionally retaining the client's facial-image information.

*Convenience guidance:*

1. It is advised that the *Service Contract* or electronic order include a "personal information processing clause," in bold or underlined form, listing the service provider's name and contact details, the categories of information collected (client name, phone number, address, portrait photographs, health data), the processing purpose (service performance, delivery of work product, after-sales communication), the retention period, and the client's rights, confirmed by the client's signature or electronic signature. Where a transaction is concluded through a social tool such as WeChat or Alipay, a standardized notice text should be sent at first contact (for example: "To protect your personal information, this service will collect and use your name, phone number, and address only for service performance, and you may request deletion at any time"). For sensitive personal information such as facial images or health data, a separate *Sensitive Information Processing Notice* should be sent, clearly stating the scope of use (e.g., "photographs are used only for retouching and delivery, not for commercial use"), with the client's separate written or verbal confirmation obtained (a verbal confirmation should be transcribed and the transcript screenshotted).
2. Where the client's contact details change, it is advised that correction be permitted via WeChat, SMS, or similar means, with the individual service provider verifying identity and updating the information, with confirmation, within two days.
3. It is advised that it be made clear that "a client's oral or written request triggers withdrawal," with the individual service provider deleting the client's information within 15 days of receiving the withdrawal request (except where retention is legally required), and reporting the outcome to the client by a deletion-confirmation notice or similar means. For facial-image information, it is advised that the provider commit to "deleting the original material immediately after the project ends, retaining only the finished images confirmed by the client," with the client entitled to request complete deletion of the raw files after the finished images are delivered.
4. For contact details necessary for a basic service (such as booking a shoot date or scheduling personal-training sessions), a lawful basis of service performance may be relied on, without compelled separate consent; for value-added uses (such as using the work for the provider's own promotion or client case studies), an "active opt-in" model must be used, separately itemized in the contract, allowing the client to authorize on a scenario-by-scenario basis. For video outtakes filmed by a photographer or training videos recorded by a personal trainer, it is advised that tiered authorization options be offered: (1) for the client's personal viewing only; (2) usable in the provider's portfolio (anonymized); (3) usable for social-media promotion (with the client's nickname credited). The client may choose their authorization level before the service begins and adjust the scope of authorization at any time during the service via WeChat or a similar channel.

#### B.2.12 Homestay and Short-Term-Rental Hosts

*Typical processing scenario and necessary personal information collected:* registering a guest's ID number, ID photograph, or photocopy of the ID, and check-in time.

*Convenience guidance:*

1. It is advised that a combination of platform-rule incorporation and on-site notice be used. The listing page should state that the host follows the platform's privacy policy, with notice and confirmation given for the legally required collection of ID information at check-in. For the statutorily required collection of ID-document information, it is advised that the check-in registration page or paper register carry the wording, "Pursuant to Article 6 of the Administrative Measures for Public Security in the Hotel Industry, I consent to providing and registering my identity-document information," confirmed by the guest's signature, with the register bound and filed annually. For non-mandatory information (such as license plate number, co-occupant information, or stay preferences), a separate *Supplementary Information Collection Notice* should be used, listing in handwritten or printed form the type of information, its use (e.g., "license plate number used for a complimentary parking record"), and its retention period (deleted seven days after check-out), with the guest separately checking a box or signing to consent. A *Personal Information Processing Notice Card*, in type no smaller than a specified minimum size, may also be placed in a prominent location in the room (such as the coffee table or bedside).
2. It is advised that a guest-information record function be maintained at the front desk or on a management platform; where a guest requests to view their information, the host should verify the guest's ID against the check-in record and then provide, on the spot, the portion of the check-in registration form pertaining to that guest.
3. Where a guest needs to change their contact details or add a co-occupant during their stay, it is advised that this be allowed via the front desk or the host's WeChat in real time.
4. It is advised that "accepting withdrawal of consent at check-out" be a standard procedure: a guest checking out may proactively request "deletion of non-essential information," and the host should delete information the guest voluntarily provided — such as an email address or license plate number — within 15 days, while information required to be retained by law (ID-document information) continues to be retained, with the guest informed of the retention period. For surveillance footage, it is advised that the notice clearly state the retention period (e.g., 30 days) and the channel for viewing and deletion requests, with a guest able to request to view footage involving themselves and the host providing it within five working days. ID-document information and check-in time are subject to mandatory legal collection and need no separate consent, but the notice should clearly state the legal basis and purpose; for matters such as "smart in-room controls (e.g., a smart speaker)" or "subsequent marketing push notifications," an "active opt-in" mechanism must be used, off by default. At check-in, it is advised that guests be offered an "information-channel preference" setting, allowing them to select only an "emergency contact number" while declining to receive coupons, holiday greetings, or other marketing messages. For "guest reviews and photographs used for platform display," it is advised that a "per-stay authorization" model be used, with the guest independently choosing after each stay whether to consent to publication of their review and photographs, and a guest who declines suffering no effect on check-out or deposit refund.

#### B.2.13 Individual Sellers on Online Second-Hand Marketplaces (e.g., Xianyu Sellers and Storefronts)

*Typical processing scenario and necessary personal information collected:* in an online second-hand transaction, the seller obtains the buyer's contact details and delivery address.

*Convenience guidance:*

1. The seller should include, once, in the product description or an auto-reply, a concise notice that "the delivery information collected is used only for shipping," with the buyer's submission of an order deemed consent, without the need for confirmation on each occasion; the platform should embed a statutory notice pop-up on the order page and have the system log the user's click, so that an individual seller, relying on the platform's transaction records and cloud-backed chat logs, can meet its evidentiary burden without needing to separately maintain its own archive.
2. Where the buyer's delivery information is entered incorrectly, it is advised that correction be allowed directly via chat before shipment, with the seller updating the courier waybill and confirming within one day.
3. It is advised that the seller work with the platform to establish a "transaction-completion automatic clean-up" mechanism, under which the seller proactively deletes the buyer's address, phone number, and other information from the chat log within 30 days of confirmed receipt, and clears any locally saved order spreadsheet, retaining only information needed for after-sales service. The buyer may also, at any point during the transaction, send a "delete my information" instruction via chat, with the seller completing deletion and replying with a screenshot within seven days.

*(Editor's note: Annex B is informative (non-mandatory) guidance illustrating how the technical and management measures in the body of the standard might be applied in thirteen common small-business settings. The pattern is consistent across all thirteen: short, prominently displayed notice in place of a full privacy policy; a higher, separately-confirmed consent bar for sensitive categories such as facial images, health data, and ID documents; fast, low-cost identity verification for correction and deletion requests; and automatic, event-triggered deletion rather than indefinite retention.)*

## Annex C (Informative) — Template Internal Rules for Personal Information Processing by Small Personal Information Processors

Annex C provides a template for a small processor's internal personal information processing management rules, including:

- A statement that the rules are adopted under the Data Security Law, the Cybersecurity Law, and the Personal Information Protection Law to strengthen the enterprise's personal information security management and protect individuals' rights and interests in their personal information.
- A statement that personal information management shall follow the principles of lawfulness, legitimacy, and necessity, and safeguard the authenticity, accuracy, and completeness of the data.
- A statement that the enterprise's legal representative bears responsibility for personal information protection and is responsible for organizing, coordinating, and supervising the enterprise's personal information management.
- Management requirements for personal information processing activities, including:
  - **Notice requirements** — informing individuals of the processing of their personal information and related matters, with notice content covering, at minimum: on first collection, the name and contact details of the personal information handler, and the purpose, method, category, and retention period of the processing, together with the manner and procedure for individuals to exercise their rights; and renewed notice whenever the processing activity changes.
  - **Requirements applicable to processing activities** — collecting personal information only within the minimum scope necessary to achieve the processing purpose and with the individual's authorization and consent; storing personal information under encryption, for the shortest period necessary to achieve the purpose authorized by the individual; establishing an approval process for material operations on personal information and keeping a record of such operations; where information is pushed or marketing is conducted through automated decision-making, simultaneously offering an option that does not target the individual's personal characteristics; where personal information is provided to another personal information handler, informing the individual of the recipient's name, contact details, processing purpose, processing method, and category of personal information, and obtaining the individual's separate consent — with the recipient confined to processing within that disclosed purpose, method, and category, and required to obtain the individual's renewed consent if it changes them; promptly providing functions for individuals to exercise their rights to access and copy/export their personal information; and promptly deleting personal information once the service is complete or the individual requests deletion.
- Responsibilities and obligations, including: establishing a sound compliance-management mechanism for personal information protection and refining the management processes and operating requirements for each stage — collection, use, storage, processing, transmission, and deletion — to discharge primary responsibility for personal information protection; periodically organizing personal-information-protection education and training and clarifying compliance responsibilities, methods, and processes; periodically carrying out personal information protection impact assessments and compliance audits; formulating an emergency response plan for personal information security incidents; upon a personal information leak, promptly informing affected individuals of matters including the content and impact of the incident, the remedial measures taken or to be taken, remedies available to the individual, and the contact details of the person in charge of personal information protection and the personal-information-protection working body; and voluntarily accepting oversight from the public and cooperating actively with the competent authorities in handling incidents.

## Annex D (Informative) — Simplified Personal Information Protection Impact Assessment Worksheet for Small Personal Information Processors

Annex D provides a simplified personal information protection impact assessment worksheet for small processors, drawing on GB/T 39335-2020 and adapted to a small processor's actual circumstances (Table D.1).

The worksheet covers five triggering scenarios: (1) processing sensitive personal information; (2) using personal information for automated decision-making; (3) entrusting the processing of, providing to others, or disclosing personal information; (4) providing personal information outside China's borders; and (5) any other personal information processing activity that materially affects individuals' rights and interests.

For each scenario, the processor records, by checkbox, three assessment items: (a) whether the purpose and method of processing are lawful, legitimate, and necessary (yes / no / not applicable); (b) the impact on individuals' rights and interests and the associated security risk (no impact / impact / not applicable); and (c) whether the protective measures adopted are lawful, effective, and commensurate with the degree of risk (yes / no / not applicable) — together with a conclusion and remarks field for each.

## Annex E (Informative) — Template Personal Information Security Incident Report and Notice for Small Personal Information Processors

Annex E provides a template report/notice for a personal information security incident (Table E.1), consisting of nine fields: (1) time of the incident; (2) location (the specific address of the store or office); (3) a description of the incident — a brief description of the personal information leak, tampering, or loss that occurred or may have occurred; (4) the categories of personal information involved (e.g., name, mobile number); (5) the probable cause of the incident (e.g., inadequate safekeeping; if the cause is unclear, this may be explained to the relevant authorities); (6) the possible harm the incident may cause (e.g., inconvenience to customers from the disclosure of their information); (7) remedial measures taken (e.g., powering off the device, cutting power, or disconnecting from the network); (8) the contact person (the person in charge at the store); and (9) the contact telephone number.
