verified_user
Standardful
首页chevron_right标准chevron_rightPIPL
有效国际标准update 标准更新:2021年11月fact_check 事实核查:2026年6月28日

PIPL

个人信息保护法

apartment发布组织:国家互联网信息办公室 (CAC)

标准简介

PIPL 是由 国家互联网信息办公室 (CAC) 发布的有效标准,常用于科技、金融银行、零售、医疗健康、服务业等行业,并适用于中国等市场。

本页汇总了 PIPL 的官方文档、当前状态以及常见相关认证或评估机构,便于快速理解要求与落地路径。

public

Extraterritorial Application

Applies to processing of personal information of individuals within China, even when the data processor is located outside China — covering foreign companies offering products or services to Chinese residents.

warning

Severe Penalties

Grave violations can incur fines up to RMB 50 million or 5% of the previous year's annual revenue, plus personal liability for responsible individuals up to RMB 1 million and bans from senior positions.

lock

Strict Cross-Border Rules

Cross-border data transfers require security assessments, standard contracts, or certification — with mandatory CAC security assessment for critical information infrastructure operators and large-scale processors.

list_alt Core Principles

  • Lawfulness, legitimacy, necessity, and good faith
  • Purpose limitation and data minimization
  • Transparency and openness
  • Data quality and accuracy
  • Accountability and security
  • Separate consent for sensitive personal information
  • Restrictions on automated decision-making
  • Special protections for minors under 14

谁需要合规?

groups

Any organization that processes personal information of individuals within China — including Chinese companies, foreign companies with operations in China, and foreign companies that offer products or services to or analyze behavior of individuals in China.

关键要求

1

Legal Basis for Processing

Establish a lawful basis before processing personal information — individual consent, contract necessity, legal obligation, public health emergency, public interest, or information already made public by the individual.

2

Separate Consent for Sensitive Data

Obtain specific, informed separate consent before processing sensitive personal information including biometrics, religious beliefs, medical health data, financial accounts, location tracking, and data of minors under 14.

3

Cross-Border Data Transfer Compliance

For transferring personal information outside of China, complete a CAC security assessment (for CII operators or large-scale data), enter into standard contracts, or obtain personal information protection certification.

4

Personal Information Protection Impact Assessment

Conduct impact assessments before processing sensitive data, using personal information for automated decision-making, transferring data cross-border, or any processing that may significantly affect individuals' rights.

5

Incident Notification

Immediately take remedial measures upon discovering a personal information security incident. Notify the relevant regulatory authority and affected individuals, including the types of information involved, causes, and remediation measures.

实施路线图

1
阶段 1schedule 预计周期: 3-6 周

定义中国个人信息范围

映射涉及中国境内个人的个人信息处理,识别个人信息处理者和受托方,分类敏感个人信息、自动化决策、未成年人数据和跨境传输场景。

2
阶段 2schedule 预计周期: 4-8 周

建立合法处理和告知

记录处理目的、必要性、法律依据、单独同意场景、隐私告知、保留期限、个人权利流程,以及适用情况下的负责人或境内代表。

3
阶段 3schedule 预计周期: 8-20 周

控制敏感数据和传输

实施同意获取、个人信息保护影响评估、安全措施、委托处理合同、自动化决策保护,以及安全评估、认证或标准合同等跨境传输机制。

4
阶段 4schedule 预计周期: 持续进行

保持检查和变更控制

在产品、供应商、目的、法律或网信部门指引变化时刷新影响评估、记录、告知和传输备案。准备审核、投诉和监管询问所需证据。

合规检查清单

0 / 12

checklist 范围和法律依据

checklist 个人权利和同意

checklist 安全和传输

处罚与执行

warning

For serious violations: fines up to RMB 50 million (approximately USD 7 million) or 5% of the prior year's annual revenue, suspension or termination of business, and revocation of business licenses. Responsible individuals face fines of RMB 100,000 to RMB 1 million and may be banned from holding senior management or DPO positions.

常见问题解答

PIPL 何时适用于中国境外?

expand_more

当境外组织处理中国境内个人信息,用于提供产品或服务、分析或评估行为,或法律规定的其他情形时,PIPL 可能适用。

什么是单独同意?

expand_more

单独同意是针对较高风险活动要求的独立同意,例如处理敏感个人信息、向其他处理者提供个人信息、公开披露或跨境传输。

个人在 PIPL 下有哪些权利?

expand_more

个人享有知情、决定、限制或拒绝处理、访问和复制个人信息、更正或补充不准确数据、在特定情形下删除数据,以及要求解释处理规则的权利。

跨境传输如何处理?

expand_more

根据处理者类型、数量和数据情况,传输可能需要网信部门安全评估、个人信息保护认证或标准合同备案。个人信息保护影响评估和个人告知也很重要。

处理者应保留哪些证据?

expand_more

应保留数据映射、告知、同意记录、影响评估、传输文件、委托处理协议、安全控制、事件记录,以及个人请求处理记录。

官方文档

查看全部

实施时间线

edit_document
2020年10月
PIPL draft published for public comment
gavel
2021年8月
PIPL adopted by the Standing Committee of the National People's Congress
check_circle
2021年11月
PIPL entered into force
description
2023年2月
Standard Contract Measures for cross-border personal information transfer took effect
update
2024年3月
Regulations on Promoting and Regulating Cross-Border Data Flows issued, relaxing some transfer requirements

相关分类