China DPOs: Act now and register with the CAC | Eversheds Sutherland
July 23, 2025
Asia
After much anticipation, the Cyberspace Administration of China (“CAC”) has finally issued the much-needed guidance for Data Protection Officers (“DPO”) (个人信息保护负责人) to register with the CAC.
Here are the key headline items for your reference:
Who needs to register?
Controllers who are processing personal information of 1 million individuals are required to register their person in charge of personal information protection (a.k.a. DPO, “个人信息保护负责人” in Chinese).
This is consistent with the DPO registration requirements under Article 52 of the Personal Information Protection Law (“PIPL”) and Article 12 of the Administrative Measures for Compliance Audits on Personal Information Protection.
Interestingly, the CAC remains silent on the registration process of the local specialised agency or designated representative (境内专门机构或指定代表) (“Local Representative”) under Article 53 of the PIPL. Under Article 53, offshore controllers who process personal information of PRC residents – either to provide products or services or to analyze or evaluate their behavior – are subject to the law's extra-territorial application and must appoint a Local Representative within Mainland China. Further guidance on this matter has yet to be issued.
When do we need to register by?
Controllers who, prior to 18 July 2025, have already been processing personal information of 1 million individuals are required to register by 29 August 2025.
Controllers who process personal information of 1 million individuals at any point on or after 18 July 2025 are required to register within 30 working days after that quantitative threshold is met.
If there are any material changes to the registration information previously submitted, these material changes should be reported within 30 working days after the material changes have occurred.
What documents do we need to submit?
The CAC has provided a handful of template forms which organizations will need to complete prior to submission. These templates are available for download in the CAC’s designated web portal.
Interestingly, the registration is not a simple “name submission” exercise. Rather, the template forms require controllers to submit results from their data mapping exercises – e.g. types of personal information processed, volume of personal information, types of minors’ personal information involved (if any), avenue of collecting personal information, domain names and IP addresses used to collect personal information, etc.
In addition to these template forms, controllers are expected to provide corporate documents (e.g. business license / certificate of incorporation). Controllers are also expected to identify their DPO, legal representative and an authorized handler (经办人), and provide copies of their identification documents.
How should the application for registration be submitted?
Applications should be submitted through a dedicated web portal made available by the CAC.
Do we also need to register if my company is based outside Mainland China?
Yes, if your company falls under the extraterritorial scope of the PIPL and has processed the personal information of at least one million PRC individuals, the registration requirement will apply – even if your company is entirely based outside Mainland China.
The CAC’s web portal contains an option for offshore companies to create an account with the CAC and complete the application, with a note that the registration of such offshore companies must be completed by the Local Representative they have appointed pursuant to Article 53 of the PIPL.
Can a PRC group company submit registration applications on behalf of its local branches?
Yes, a group company can submit the DPO registration application with the CAC on behalf of its branch companies in the PRC.
Are there any specific qualification requirements for DPOs?
Based on the template forms made available by the CAC, we can draw inferences on the following DPO requirements:
Corporate DPOs are not permitted – rather, the DPO must be a natural person.
The DPO should hold a position in the controller entity. In particular, the template forms require the controller to fill in the DPO’s job title. The same requirement applies to the authorized handler (经办人).
Neither the PIPL nor the latest notice requires the DPO to be a PRC citizen.
Separately, with reference to the Administrative Measures for Compliance Audits on Personal Information Protection, DPOs are expected to have relevant work experience and professional knowledge and be familiar with the relevant laws and regulations. DPOs are also expected to have clearly defined responsibilities and generally have the authority to manage matters in relation to personal information processing within the organisation.
What’s next?
It is important for controllers processing personal information of 1 million individuals to act now. In particular, if a data mapping exercise has not been completed, this is an opportunity to complete the exercise. This is because these data mapping results will need to be submitted as part of the DPO registration.
Of course, if you would like to understand more on what this means to your organisation, please don’t hesitate to contact us for more information.