Independent editorial reference. This page is based on official Chinese source links for general informational purposes only. It is not legal advice, and the official Chinese text prevails.

Key Takeaways

  • Readers researching PIPL compliance topics should treat this page as a source-reading reference map, not as an operational assessment.
  • PIPL research commonly separates processing inventory, processing conditions, transparency, consent, individual rights, sensitive personal information, cross-border provision, and impact assessment topics.
  • Cross-border provision, sensitive personal information, individual rights, entrustment, sharing, public disclosure, and impact assessment topics should be separated.
  • This overview does not provide legal advice or a compliance conclusion.

This page is a general reference overview only. It is not legal advice, a regulatory filing instruction, an operational tool, or a company-specific assessment.

Readers researching PIPL compliance topics can use this page as a source-reading map, but it should not be treated as a complete operational assessment. It identifies recurring PIPL topics and points readers to official-source materials and related article pages.

This overview describes commonly discussed Personal Information Protection Law reference areas. It is based on the official PIPL source tracked by this site and related official-source context. It does not provide a legal audit, legal advice, or a compliance conclusion.

PIPL compliance research often separates the processing inventory, processing conditions, transparency, consent and separate consent issues, individual rights, sensitive personal information, cross-border provision, impact assessment records, security measures, and ongoing governance.

This page is designed as a source-reading map. It identifies topic areas and related article pages, but it does not provide operational implementation steps or final wording for privacy policies, consent forms, contracts, or audit reports.

How to Use This PIPL Compliance Reference

Use this page to organize research questions before reading the official law text. A careful public-source review usually separates the following questions:

  • what personal information is processed and where it is stored or accessed;
  • which processing purposes, methods, and personal information categories are recorded;
  • whether sensitive personal information, automated decision-making, public disclosure, entrustment, sharing, or overseas provision is involved;
  • which PIPL article pages and supporting official rules should be read next;
  • what remains uncertain and should be reviewed against the official Chinese text.

This page can help identify source-based topics. It cannot determine whether a real organization is compliant or whether a particular document set is sufficient.

Official Source Basis

Official documentChinese titleAuthorityDateOfficial source
Personal Information Protection Law中华人民共和国个人信息保护法Standing Committee of the National People’s CongressEffective 2021-11-01https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm
Network Data Security Regulation网络数据安全管理条例State Council, Order No. 790Effective 2025-01-01https://www.cac.gov.cn/2024-09/30/c_1729384452307680.htm
Personal Information Protection Compliance Audit Measures个人信息保护合规审计管理办法CAC, Order No. 18Effective 2025-05-01https://www.cac.gov.cn/2025-02/14/c_1741233507681519.htm

Source status: the PIPL is the primary source anchor for this overview. The Network Data Security Regulation and 2025 compliance audit measures are included as related governance sources.

Processing Inventory

PIPL reference analysis commonly starts with a factual processing inventory covering:

  • data subjects;
  • personal information categories;
  • sensitive personal information categories;
  • processing purposes;
  • processing methods;
  • systems, applications, databases, external service providers, and data locations;
  • retention periods and deletion arrangements;
  • internal owners and responsible teams.

The inventory should be factual. Do not force a legal conclusion into the inventory stage.

Source-based Reference Map

Reference areaPIPL source points to readRelated site pagesWhat this page does not decide
Processing conditionsArticle 13 and related consent provisions.PIPL Article 13, PIPL Article 14Whether a selected processing condition fits a real activity.
Notification and transparencyArticle 17 and related notification / inform provisions.PIPL Article 17Whether notification timing, scope, or wording is sufficient.
Sensitive personal informationArticles 28 to 32 and related requirements.PIPL Article 28, Sensitive Personal InformationWhether a dataset is sensitive personal information in a specific case.
Cross-border provisionArticles 38, 39, and 40.China CBDT Guide, PIPL Article 38, Security Assessment vs SCC vs CertificationWhich mechanism may be relevant or whether further source review is required.
Personal information protection impact assessmentArticles 55 and 56.PIPL Impact Assessment OverviewWhether an assessment record is complete, sufficient, or regulator-ready.
Important data overlapImportant data is mainly a DSL / data security topic, but may matter where datasets are mixed.Important Data, Data Security LawWhether data is officially identified as important data.

Processing Condition Reference

For each processing activity, readers often compare the activity against PIPL processing conditions. Avoid assuming that GDPR categories map directly to PIPL terms.

Common reference categories include:

  • processing purpose;
  • processing condition recorded by the organization;
  • whether consent is used;
  • whether non-consent processing conditions are asserted;
  • documentation supporting the selected condition;
  • changes to purpose, method, or scope.

Notification and Transparency

Public-source review often distinguishes what individuals are told about:

  • privacy notification or equivalent transparency materials;
  • processing purpose, method, and scope;
  • personal information categories;
  • retention period where described;
  • contact method for rights requests;
  • notification of material changes to processing where relevant.

This overview does not provide final wording.

PIPL discussions often separate ordinary consent issues from separate consent issues. Common reference topics include:

  • consent records where consent is used;
  • separate consent records where relevant;
  • sensitive personal information scenarios;
  • overseas provision scenarios;
  • public disclosure scenarios;
  • withdrawal mechanism and withdrawal handling records.

Read the relevant PIPL article pages before making conclusions:

Individual Rights

Individual rights topics commonly include:

  • access and copying requests;
  • correction and supplementation requests;
  • deletion requests;
  • withdrawal of consent;
  • explanation requests;
  • response time tracking and escalation process.

Public-reference reading should distinguish written process from actual handling records.

Sensitive Personal Information

For sensitive personal information, source-based discussions commonly focus on:

  • the specific category involved;
  • necessity explanation;
  • specific processing purpose;
  • protection measures;
  • separate consent records where relevant;
  • additional notification materials where relevant;
  • impact assessment records if maintained.

The classification and required measures should be checked against the official PIPL text and current source materials.

Automated Decision-making, Public Disclosure, Entrustment, and Sharing

Where relevant, source-based research commonly separates:

  • automated decision-making descriptions and safeguards;
  • public disclosure records and basis;
  • entrusted processing agreements and processor management records;
  • sharing arrangements and recipient details;
  • change history for recipients, purposes, or processing methods.

These topics should be tied back to specific PIPL article text rather than treated as generic privacy controls.

Cross-border Provision

For overseas provision of personal information, commonly discussed reference topics include:

  • transfer purpose and overseas recipient;
  • recipient identity and contact information where relevant;
  • Article 39 notification and separate consent materials where relevant;
  • route analysis inputs under Article 38;
  • Article 40 domestic storage and assessment issues where relevant;
  • prior filings, assessments, certification materials, or standard contract records.

Related pages:

Personal Information Protection Impact Assessment and Records

Impact assessment or internal review records may be relevant for higher-risk processing topics. Common reference topics include:

  • what triggered the assessment;
  • what processing activity was assessed;
  • what risk controls were recorded;
  • who approved the assessment;
  • whether follow-up actions were tracked;
  • retention of assessment records.

This overview does not determine whether an assessment is legally sufficient.

Security Measures and Incident Response

Commonly discussed security and incident-response topics include:

  • personal information protection management system materials;
  • access control and authorization records;
  • security measures and technical controls;
  • incident response process;
  • breach or incident history;
  • employee training and accountability records.

Where network data processing issues are relevant, read the Network Data Security Regulation Overview.

Compliance Audit and Ongoing Governance

PIPL governance is not limited to one-time paperwork. Commonly discussed governance records include:

  • prior audit or review records;
  • rectification plans and completion status;
  • policy update history;
  • external recipient and service-provider review history;
  • governance committee or responsible person records where relevant.

For the 2025 CAC compliance audit measures, see Personal Information Protection Compliance Audit 2025 Overview.

FAQ

Can this page confirm PIPL compliance?

No. It is a public-reference map that helps readers identify PIPL topics and article pages to review, but it does not determine whether an organization is compliant.

What is the difference between this page and the PIPL full text?

The PIPL full-text page provides article-by-article Chinese and unofficial English reference text. This page groups common research topics such as notification, consent, sensitive personal information, individual rights, cross-border provision, and impact assessment.

Does PIPL compliance require a personal information protection impact assessment?

PIPL Articles 55 and 56 address personal information protection impact assessment topics. This page does not decide whether a specific activity triggers or satisfies an assessment requirement. See the PIPL Impact Assessment Overview and read the official article text.

How does this guide relate to China cross-border data transfer?

Cross-border provision of personal information should be read with PIPL Articles 38, 39, and 40, the standard contract route, CAC security assessment rules, certification references, and later data flow provisions. Start with the China CBDT Guide.

No. It is an independent editorial reference for general information only. The official Chinese text prevails.

Reference Use

This overview can help readers locate PIPL topic areas and related official-source pages. It cannot decide whether an organization is compliant.

Source and Review Note

This overview is an independent editorial reference for general informational purposes only. It does not constitute legal advice, does not certify compliance, and does not guarantee any regulatory outcome. The official Chinese text prevails.