Management Measures for the Compliance Audit of Personal Information Protection
Issued by: National Internet Information Office
Issue No.: Order No. 18 of the National Internet Information Office 
Issue Date: February 12, 2025
Effective date: May 1, 2025
Links: https://www.cac.gov.cn/2025-02/14/c_1741233507681519.htm
The Measures clarify the relevant provisions for personal information protection compliance audits (the “Compliance Audit”). The main contents are as follows:
Compliance Audits are divided into two types: compliance audits conducted by personal information processors on their own initiative (self-audits), and compliance audits conducted at the request of the National Internet Information Office and other departments responsible for personal information protection (the "Protection Authorities") (regulatory audits).
1. Self-audit provisions:
a. Personal information processors may choose to have their internal departments or third-party professional institutions conduct regular Compliance Audits.
b. Processors handling the personal information of over 10 million individuals must conduct a Compliance Audit at least once every two years. There is no mandatory audit frequency for other personal information processors.

2. Regulatory audit provisions:
a. If serious personal information security incidents occur or significant risks are found in the processing activities of a personal information processor, the Protection Authorities may require the processor to commission a professional institution to conduct the Compliance Audit.
b. Personal information processors must select professional institutions as required by the Protection Authorities, complete the Compliance Audit within the specified time, and bear the audit costs.
c. Personal information processors must rectify issues identified in the Compliance Audit in accordance with the requirements of the Protection Authorities and submit a rectification report to the Protection Authorities upon completion.
3. Other provisions:
a. Personal information processors processing personal information of over 1 million individuals must designate a personal information protection officer responsible for the compliance audit work.
b. Personal information processors that provide important internet platform services, have massive user bases and operate complex business types must establish an independent body, composed mainly of external members, to supervise their Compliance Audits.
c. The same professional institution and its affiliates, as well as the same Compliance Audit head, may not conduct more than three consecutive Compliance Audits for the same audit subject.
