verified_user
Standardful
首頁chevron_right標準chevron_rightPIPL
現行有效國際標準update 標準更新:2021年11月fact_check 事實核查:2026年6月28日

PIPL

個人資訊保護法

apartment發布組織:國家互聯網信息辦公室 (CAC)

標準簡介

PIPL 是由 國家互聯網信息辦公室 (CAC) 發布的現行有效標準,常用於科技、金融銀行、零售、醫療健康、服務業等產業,並適用於中國等市場。

本頁整理了 PIPL 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。

public

Extraterritorial Application

Applies to processing of personal information of individuals within China, even when the data processor is located outside China — covering foreign companies offering products or services to Chinese residents.

warning

Severe Penalties

Grave violations can incur fines up to RMB 50 million or 5% of the previous year's annual revenue, plus personal liability for responsible individuals up to RMB 1 million and bans from senior positions.

lock

Strict Cross-Border Rules

Cross-border data transfers require security assessments, standard contracts, or certification — with mandatory CAC security assessment for critical information infrastructure operators and large-scale processors.

list_alt Core Principles

  • Lawfulness, legitimacy, necessity, and good faith
  • Purpose limitation and data minimization
  • Transparency and openness
  • Data quality and accuracy
  • Accountability and security
  • Separate consent for sensitive personal information
  • Restrictions on automated decision-making
  • Special protections for minors under 14

誰需要合規?

groups

Any organization that processes personal information of individuals within China — including Chinese companies, foreign companies with operations in China, and foreign companies that offer products or services to or analyze behavior of individuals in China.

關鍵要求

1

Legal Basis for Processing

Establish a lawful basis before processing personal information — individual consent, contract necessity, legal obligation, public health emergency, public interest, or information already made public by the individual.

2

Separate Consent for Sensitive Data

Obtain specific, informed separate consent before processing sensitive personal information including biometrics, religious beliefs, medical health data, financial accounts, location tracking, and data of minors under 14.

3

Cross-Border Data Transfer Compliance

For transferring personal information outside of China, complete a CAC security assessment (for CII operators or large-scale data), enter into standard contracts, or obtain personal information protection certification.

4

Personal Information Protection Impact Assessment

Conduct impact assessments before processing sensitive data, using personal information for automated decision-making, transferring data cross-border, or any processing that may significantly affect individuals' rights.

5

Incident Notification

Immediately take remedial measures upon discovering a personal information security incident. Notify the relevant regulatory authority and affected individuals, including the types of information involved, causes, and remediation measures.

實施路線圖

1
階段 1schedule 預計週期: 3-6 周

定義中國個人信息範圍

映射涉及中國境內個人的個人信息處理,識別個人信息處理者和受託方,分類敏感個人信息、自動化決策、未成年人數據和跨境傳輸場景。

2
階段 2schedule 預計週期: 4-8 周

建立合法處理和告知

記錄處理目的、必要性、法律依據、單獨同意場景、隱私告知、保留期限、個人權利流程,以及適用情況下的負責人或境內代表。

3
階段 3schedule 預計週期: 8-20 周

控制敏感數據和傳輸

實施同意獲取、個人信息保護影響評估、安全措施、委託處理合同、自動化決策保護,以及安全評估、認證或標準合同等跨境傳輸機制。

4
階段 4schedule 預計週期: 持續進行

保持檢查和變更控制

在產品、供應商、目的、法律或網信部門指引變化時刷新影響評估、記錄、告知和傳輸備案。準備審覈、投訴和監管詢問所需證據。

合規檢查清單

0 / 12

checklist 範圍和法律依據

checklist 個人權利和同意

checklist 安全和傳輸

處罰與執行

warning

For serious violations: fines up to RMB 50 million (approximately USD 7 million) or 5% of the prior year's annual revenue, suspension or termination of business, and revocation of business licenses. Responsible individuals face fines of RMB 100,000 to RMB 1 million and may be banned from holding senior management or DPO positions.

常見問題解答

PIPL 何時適用於中國境外?

expand_more

當境外組織處理中國境內個人信息,用於提供產品或服務、分析或評估行爲,或法律規定的其他情形時,PIPL 可能適用。

什麼是單獨同意?

expand_more

單獨同意是針對較高風險活動要求的獨立同意,例如處理敏感個人信息、向其他處理者提供個人信息、公開披露或跨境傳輸。

個人在 PIPL 下有哪些權利?

expand_more

個人享有知情、決定、限制或拒絕處理、訪問和複製個人信息、更正或補充不準確數據、在特定情形下刪除數據,以及要求解釋處理規則的權利。

跨境傳輸如何處理?

expand_more

根據處理者類型、數量和數據情況,傳輸可能需要網信部門安全評估、個人信息保護認證或標準合同備案。個人信息保護影響評估和個人告知也很重要。

處理者應保留哪些證據?

expand_more

應保留數據映射、告知、同意記錄、影響評估、傳輸文件、委託處理協議、安全控制、事件記錄,以及個人請求處理記錄。

官方文件

查看全部

實施時間線

edit_document
2020年10月
PIPL draft published for public comment
gavel
2021年8月
PIPL adopted by the Standing Committee of the National People's Congress
check_circle
2021年11月
PIPL entered into force
description
2023年2月
Standard Contract Measures for cross-border personal information transfer took effect
update
2024年3月
Regulations on Promoting and Regulating Cross-Border Data Flows issued, relaxing some transfer requirements

相關分類