Independent editorial reference. This page is based on official Chinese source links for general informational purposes only. It is not legal advice, and the official Chinese text prevails.

Key Takeaways

  • A PIPL review should start with a processing inventory and source-based mapping of processing conditions.
  • Cross-border provision, sensitive personal information, individual rights, entrustment, sharing, public disclosure, and impact assessment topics should be separated.
  • This checklist organizes review inputs but does not provide legal advice or a compliance conclusion.

This checklist helps organize inputs for a Personal Information Protection Law review. It is based on the official PIPL source tracked by this site and related official-source context. It does not provide a legal audit, legal advice, or a compliance conclusion.

A PIPL compliance review should be structured. A useful review separates the processing inventory, processing conditions, transparency, consent and separate consent issues, individual rights, sensitive personal information, cross-border provision, impact assessment records, security measures, and ongoing governance.

This page is designed for preparation. It helps identify what to collect and which PIPL article pages to read next. It does not provide final wording for privacy policies, consent forms, contracts, or audit reports.

Official Source Basis

Official document | Chinese title | Authority | Date | Official source
Personal Information Protection Law | 中华人民共和国个人信息保护法 | Standing Committee of the National People's Congress | Effective 2021-11-01 | https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm
Network Data Security Regulation | 网络数据安全管理条例 | State Council, Order No. 790 | Effective 2025-01-01 | https://www.cac.gov.cn/2024-09/30/c_1729384452307680.htm
Personal Information Protection Compliance Audit Measures | 个人信息保护合规审计管理办法 | CAC, Order No. 18 | Effective 2025-05-01 | https://www.cac.gov.cn/2025-02/14/c_1741233507681519.htm

Source status: the PIPL is the primary source anchor for this checklist. The Network Data Security Regulation and 2025 compliance audit measures are included as related governance sources.

1. Processing Inventory

Collect a current inventory of:

  • data subjects;
  • personal information categories;
  • sensitive personal information categories;
  • processing purposes;
  • processing methods;
  • systems, applications, databases, vendors, and data locations;
  • retention periods and deletion arrangements;
  • internal owners and responsible teams.

The inventory should be factual. Do not force a legal conclusion into the inventory stage.

2. Processing Condition Review

For each processing activity, collect the source basis and internal rationale for the processing condition relied on under PIPL. Avoid assuming that GDPR categories map directly to PIPL terms.

Useful inputs include:

  • processing purpose;
  • processing condition recorded by the organization;
  • whether consent is used;
  • whether non-consent processing conditions are asserted;
  • documentation supporting the selected condition;
  • changes to purpose, method, or scope.

3. Notification and Transparency

Collect materials showing what individuals are told:

  • privacy notification or equivalent transparency materials;
  • processing purpose, method, and scope;
  • personal information categories;
  • retention period where described;
  • contact method for rights requests;
  • notification of material changes to processing where relevant.

This checklist does not provide final wording. It identifies materials for source-based review.

4. Consent and Separate Consent

Separate ordinary consent issues from separate consent issues. Collect:

  • consent records where consent is used;
  • separate consent records where relevant;
  • sensitive personal information scenarios;
  • overseas provision scenarios;
  • public disclosure scenarios;
  • withdrawal mechanism and withdrawal handling records.

Read the relevant PIPL article pages before drawing conclusions.

5. Individual Rights

Collect records and process documents for:

  • access and copying requests;
  • correction and supplementation requests;
  • deletion requests;
  • withdrawal of consent;
  • explanation requests;
  • response time tracking and escalation process.

The review should examine both written process and actual handling records.

6. Sensitive Personal Information

For sensitive personal information, collect:

  • the specific category involved;
  • necessity explanation;
  • specific processing purpose;
  • protection measures;
  • separate consent records where relevant;
  • additional notification materials where relevant;
  • impact assessment records if maintained.

The classification and required measures should be checked against the official PIPL text and current source materials.

7. Automated Decision-making, Public Disclosure, Entrustment, and Sharing

Where relevant, collect:

  • automated decision-making descriptions and safeguards;
  • public disclosure records and basis;
  • entrusted processing agreements and processor management records;
  • sharing arrangements and recipient details;
  • change history for recipients, purposes, or processing methods.

These topics should be tied back to specific PIPL article text rather than treated as generic privacy controls.

8. Cross-border Provision

For overseas provision of personal information, collect:

  • transfer purpose and overseas recipient;
  • recipient identity and contact information where relevant;
  • Article 39 notification and separate consent materials where relevant;
  • route analysis inputs under Article 38;
  • Article 40 domestic storage and assessment issues where relevant;
  • prior filings, assessments, certification materials, or standard contract records.


9. Personal Information Protection Impact Assessment and Records

Collect impact assessment or internal review records for higher-risk processing topics where relevant. The review should identify:

  • what triggered the assessment;
  • what processing activity was assessed;
  • what risk controls were recorded;
  • who approved the assessment;
  • whether follow-up actions were tracked;
  • retention of assessment records.

This checklist does not determine whether an assessment is legally sufficient.

10. Security Measures and Incident Response

Collect:

  • personal information protection management system materials;
  • access control and authorization records;
  • security measures and technical controls;
  • incident response process;
  • breach or incident history;
  • employee training and accountability records.

Where network data processing issues are relevant, read the Network Data Security Regulation Overview.

11. Compliance Audit and Ongoing Governance

PIPL compliance is not a one-time paperwork task. Collect:

  • prior audit or review records;
  • rectification plans and completion status;
  • policy update history;
  • vendor and recipient review history;
  • governance committee or responsible person records where relevant.

For the 2025 CAC compliance audit measures, see Personal Information Protection Compliance Audit 2025 Overview.

Checklist Output

The output should be a structured review file: processing inventory, source map, issue list, supporting documents, and unresolved questions. The checklist can help organize review inputs, but it cannot decide whether the organization is compliant.

Source and Review Note

This checklist is an independent editorial reference for general informational purposes only. It does not constitute legal advice, does not certify compliance, and does not guarantee any regulatory outcome. The official Chinese text prevails.