Key Takeaways
- Readers researching PIPL compliance topics should treat this page as a source-reading reference map, not as an operational assessment.
- PIPL research commonly separates processing inventory, processing conditions, transparency, consent, individual rights, sensitive personal information, cross-border provision, and impact assessment topics.
- Cross-border provision, sensitive personal information, individual rights, entrustment, sharing, public disclosure, and impact assessment topics should be separated.
- This overview does not provide legal advice or a compliance conclusion.
This page is a general reference overview only. It is not legal advice, a regulatory filing instruction, an operational tool, or a company-specific assessment.
Readers researching PIPL compliance topics can use this page as a source-reading map, but it should not be treated as a complete operational assessment. It identifies recurring PIPL topics and points readers to official-source materials and related article pages.
This overview describes commonly discussed Personal Information Protection Law reference areas. It is based on the official PIPL source tracked by this site and related official-source context. It does not provide a legal audit, legal advice, or a compliance conclusion.
PIPL compliance research often separates the processing inventory, processing conditions, transparency, consent and separate consent issues, individual rights, sensitive personal information, cross-border provision, impact assessment records, security measures, and ongoing governance.
This page is designed as a source-reading map. It identifies topic areas and related article pages, but it does not provide operational implementation steps or final wording for privacy policies, consent forms, contracts, or audit reports.
How to Use This PIPL Compliance Reference
Use this page to organize research questions before reading the official law text. A careful public-source review usually separates the following questions:
- what personal information is processed and where it is stored or accessed;
- which processing purposes, methods, and personal information categories are recorded;
- whether sensitive personal information, automated decision-making, public disclosure, entrustment, sharing, or overseas provision is involved;
- which PIPL article pages and supporting official rules should be read next;
- what remains uncertain and should be reviewed against the official Chinese text.
This page can help identify source-based topics. It cannot determine whether a real organization is compliant or whether a particular document set is sufficient.
Official Source Basis
| Official document | Chinese title | Authority | Date | Official source |
|---|---|---|---|---|
| Personal Information Protection Law | 中华人民共和国个人信息保护法 | Standing Committee of the National People’s Congress | Effective 2021-11-01 | https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm |
| Network Data Security Regulation | 网络数据安全管理条例 | State Council, Order No. 790 | Effective 2025-01-01 | https://www.cac.gov.cn/2024-09/30/c_1729384452307680.htm |
| Personal Information Protection Compliance Audit Measures | 个人信息保护合规审计管理办法 | CAC, Order No. 18 | Effective 2025-05-01 | https://www.cac.gov.cn/2025-02/14/c_1741233507681519.htm |
Source status: the PIPL is the primary source anchor for this overview. The Network Data Security Regulation and 2025 compliance audit measures are included as related governance sources.
Processing Inventory
PIPL reference analysis commonly starts with a factual processing inventory covering:
- data subjects;
- personal information categories;
- sensitive personal information categories;
- processing purposes;
- processing methods;
- systems, applications, databases, external service providers, and data locations;
- retention periods and deletion arrangements;
- internal owners and responsible teams.
The inventory should be factual. Do not force a legal conclusion into the inventory stage.
Source-based Reference Map
| Reference area | PIPL source points to read | Related site pages | What this page does not decide |
|---|---|---|---|
| Processing conditions | Article 13 and related consent provisions. | PIPL Article 13, PIPL Article 14 | Whether a selected processing condition fits a real activity. |
| Notification and transparency | Article 17 and related notification / inform provisions. | PIPL Article 17 | Whether notification timing, scope, or wording is sufficient. |
| Sensitive personal information | Articles 28 to 32 and related requirements. | PIPL Article 28, Sensitive Personal Information | Whether a dataset is sensitive personal information in a specific case. |
| Cross-border provision | Articles 38, 39, and 40. | China CBDT Guide, PIPL Article 38, Security Assessment vs SCC vs Certification | Which mechanism may be relevant or whether further source review is required. |
| Personal information protection impact assessment | Articles 55 and 56. | PIPL Impact Assessment Overview | Whether an assessment record is complete, sufficient, or regulator-ready. |
| Important data overlap | Important data is mainly a DSL / data security topic, but may matter where datasets are mixed. | Important Data, Data Security Law | Whether data is officially identified as important data. |
Processing Condition Reference
For each processing activity, readers often compare the activity against PIPL processing conditions. Avoid assuming that GDPR categories map directly to PIPL terms.
Common reference categories include:
- processing purpose;
- processing condition recorded by the organization;
- whether consent is used;
- whether non-consent processing conditions are asserted;
- documentation supporting the selected condition;
- changes to purpose, method, or scope.
Notification and Transparency
Public-source review often distinguishes what individuals are told about:
- privacy notification or equivalent transparency materials;
- processing purpose, method, and scope;
- personal information categories;
- retention period where described;
- contact method for rights requests;
- notification of material changes to processing where relevant.
This overview does not provide final wording.
Consent and Separate Consent
PIPL discussions often separate ordinary consent issues from separate consent issues. Common reference topics include:
- consent records where consent is used;
- separate consent records where relevant;
- sensitive personal information scenarios;
- overseas provision scenarios;
- public disclosure scenarios;
- withdrawal mechanism and withdrawal handling records.
Read the relevant PIPL article pages before making conclusions:
Individual Rights
Individual rights topics commonly include:
- access and copying requests;
- correction and supplementation requests;
- deletion requests;
- withdrawal of consent;
- explanation requests;
- response time tracking and escalation process.
Public-reference reading should distinguish written process from actual handling records.
Sensitive Personal Information
For sensitive personal information, source-based discussions commonly focus on:
- the specific category involved;
- necessity explanation;
- specific processing purpose;
- protection measures;
- separate consent records where relevant;
- additional notification materials where relevant;
- impact assessment records if maintained.
The classification and required measures should be checked against the official PIPL text and current source materials.
Automated Decision-making, Public Disclosure, Entrustment, and Sharing
Where relevant, source-based research commonly separates:
- automated decision-making descriptions and safeguards;
- public disclosure records and basis;
- entrusted processing agreements and processor management records;
- sharing arrangements and recipient details;
- change history for recipients, purposes, or processing methods.
These topics should be tied back to specific PIPL article text rather than treated as generic privacy controls.
Cross-border Provision
For overseas provision of personal information, commonly discussed reference topics include:
- transfer purpose and overseas recipient;
- recipient identity and contact information where relevant;
- Article 39 notification and separate consent materials where relevant;
- route analysis inputs under Article 38;
- Article 40 domestic storage and assessment issues where relevant;
- prior filings, assessments, certification materials, or standard contract records.
Related pages:
- PIPL Article 38 Explained
- China Cross-border Data Transfer Readiness Overview
- China Cross-border Data Transfer Mechanisms Overview
Personal Information Protection Impact Assessment and Records
Impact assessment or internal review records may be relevant for higher-risk processing topics. Common reference topics include:
- what triggered the assessment;
- what processing activity was assessed;
- what risk controls were recorded;
- who approved the assessment;
- whether follow-up actions were tracked;
- retention of assessment records.
This overview does not determine whether an assessment is legally sufficient.
Security Measures and Incident Response
Commonly discussed security and incident-response topics include:
- personal information protection management system materials;
- access control and authorization records;
- security measures and technical controls;
- incident response process;
- breach or incident history;
- employee training and accountability records.
Where network data processing issues are relevant, read the Network Data Security Regulation Overview.
Compliance Audit and Ongoing Governance
PIPL governance is not limited to one-time paperwork. Commonly discussed governance records include:
- prior audit or review records;
- rectification plans and completion status;
- policy update history;
- external recipient and service-provider review history;
- governance committee or responsible person records where relevant.
For the 2025 CAC compliance audit measures, see Personal Information Protection Compliance Audit 2025 Overview.
FAQ
Can this page confirm PIPL compliance?
No. It is a public-reference map that helps readers identify PIPL topics and article pages to review, but it does not determine whether an organization is compliant.
What is the difference between this page and the PIPL full text?
The PIPL full-text page provides article-by-article Chinese and unofficial English reference text. This page groups common research topics such as notification, consent, sensitive personal information, individual rights, cross-border provision, and impact assessment.
Does PIPL compliance require a personal information protection impact assessment?
PIPL Articles 55 and 56 address personal information protection impact assessment topics. This page does not decide whether a specific activity triggers or satisfies an assessment requirement. See the PIPL Impact Assessment Overview and read the official article text.
How does this guide relate to China cross-border data transfer?
Cross-border provision of personal information should be read with PIPL Articles 38, 39, and 40, the standard contract route, CAC security assessment rules, certification references, and later data flow provisions. Start with the China CBDT Guide.
Does this page provide legal advice?
No. It is an independent editorial reference for general information only. The official Chinese text prevails.
Reference Use
This overview can help readers locate PIPL topic areas and related official-source pages. It cannot decide whether an organization is compliant.
Related Pages
- Personal Information Protection Law
- PIPL full-text bilingual reference
- PIPL Impact Assessment Overview
- PIPL Article 38 Explained
- China Cross-border Data Transfer Readiness Overview
- Security Assessment vs SCC vs Certification
- Standard Contract Measures Overview
- Sensitive Personal Information
- Important Data
- Network Data Security Regulation Overview
- Personal Information Protection Compliance Audit 2025 Overview
Source and Review Note
This overview is an independent editorial reference for general informational purposes only. It does not constitute legal advice, does not certify compliance, and does not guarantee any regulatory outcome. The official Chinese text prevails.