China: CAC announces implementation of personal information protection certification

In our previous articles, we analyzed the Measures for Data Export Security Assessment (available here) and the Guidelines for the application of such Measures (available here).

In order to guide controllers of personal information to comply with the Personal Information Protection Law (the "PIPL"), which came into effect as of 1^st November 2021, and to carry out cross-border data transfer activities, the Cyberspace Administration of China (“CAC”) and the State Administration of Market Regulation (“SAMR”), the last 18^th November 2022, issued the Implementation Rules for Personal Information Protection Certification (in Chinese “个人信息保护认证实施规则”, briefly “Certification Rules”).

The Certification Rules contain the implementation rules about the process that controllers of personal information shall carry out to obtain the certification for certifying the collection, storage, use, processing, transmission, provision, disclosure, deletion, and cross-border transfer of personal information.  

Pursuant to the Certification Rules, controllers shall comply:

• for collection, use and processing of personal information, with the requirements of GB/T 35273 Information Security Technology Personal Information Security Specifications (in Chinese “信息安全技术 个人信息安全规范”)[1]; and, additionally
• for cross-border data transfer, also with the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (in Chinese: “个人信息跨境处理活动安全认证规范”)[2].

Moreover, the Certification Rules outline requirements for on-site audits, the technical evaluation and approval of certification results, post-certification supervision, as well as certification period of validity, specifying that the certification process is divided into different steps:

1. the certification agency shall determine the documents and materials that the controller shall submit;
2. the controller shall submit all the required documents and materials to the certification agency and the latter, after a review of the submitted materials, shall give feedback to the controller;
3. the certification agency determines the certification plan on the basis of the certification materials submitted by the controller, including the type and quantity of personal information, the scope of processing activities involved, and the information of the technical verification agency;
4. the technical verification agency shall carry out the technical verification, according to the certification plan, and issue a report to the certification agency and to the controller;

5. the certification agency shall conduct on-site audit and issue a report to the controller;
6. the certification agency shall conduct a comprehensive evaluation on the basis of the certification materials, technical verification report, on-site audit report and other relevant materials and information, and take the final decision. In case the requirements are met, the certification agency will issue the certification. On the other side, where the requirements are not satisfied, the certification agency can require a rectification by the controller, within a time limit;
7. after the issue of the certification, the certification agency may conduct continuous supervision of the certified controller. Where the certification agency identified irregularities, the certification can be revoked.

According to the Certification Rules, the certification shall be valid for 3 years and it is renewable if the requirements are still satisfied.

The certified controller shall use the relevant certification mark (as provided in the Certification Rules) in advertisements and other publicity in accordance with relevant regulations, and shall not mislead the public. You can read the notice here and the implementation rules here, both only available in Chinese.

[1] GB/T 35273 Information Security Technology Personal Information Security Specifications is a document that specifies the principles and security requirements for the collection, storage, use, sharing, transfer, public disclosure and deletion of personal information. The document is applicable to personal information processing activities carried out by all kinds of organizations and can also be used by competent authorities, third party assessment agencies and other organizations to supervise, manage and evaluate personal information processing activities.

[2] Specifications for Security Certification of Cross-Border Processing of Personal Information is a practice guideline that propose basic principles and requirements for the security of cross-border processing of personal information, as well as the protection of the rights and interests of personal information subjects. On this regard, the National Information Security Standardisation Technical Committee of China ("TC260") issued, on 16^th December 2022, its revised practice guidelines for Specifications for Security Certification of Cross-Border Processing of Personal Information, following public consultations.