On 18 July 2025, the Cyberspace Administration of China (CAC) issued an official notice requiring the personal information protection officer (referred to as “DPO” in this article in sync with international practice) of qualifying businesses to complete a mandatory personal data compliance filing (DPO Filing) by a strict deadline of 29 August 2025 (DPO Filing Notice).
Failure to complete the DPO Filing may result in penalties. Companies and DPOs must act immediately to assess their obligations and meet the filing deadline.
This client alert summarises the key points of the DPO Filing Notice and outlines practical steps for qualifying companies to complete the filing.
Background
The filing requirement originates from the Personal Information Protection Law of China (PIPL), which requires personal data handlers to designate a person in charge of data compliance if processing personal data exceeds certain thresholds.
As required by the PIPL, personal data controllers must disclose the DPO’s name and contact details and file them with the CAC.
The Administrative Measures for Personal Information Protection Compliance Audits (Audit Measures) further clarify the threshold: a personal data handler must designate a DPO if it processes the personal data of more than one million individuals.
Qualification and responsibilities of DPOs
There are no mandatory qualification requirements for DPOs under the PIPL, the Audit Measures or the DPO Filing Notice. DPOs may be either Chinese or foreign citizens. However, they are expected to have professional knowledge of personal data protection and relevant work experience.
DPOs are responsible for a company’s personal data processing activities. To fulfil this role, they must be authorised to coordinate with other internal departments, advise on key data processing matters and take corrective action to address compliance issues.
Who must file?
In line with the threshold specified under the Audit Measures, companies processing the personal data of more than one million individuals must file their DPO information with the local bureau of the CAC. This obligation primarily applies to enterprises engaged in consumer-facing (B2C) activities and large online platform operators, while small and medium-sized enterprises focused on business-to-business (B2B) activities generally fall outside the scope.
For multinational corporations with multiple subsidiaries or affiliates in China, the Chinese headquarters may file on behalf of the group companies and affiliates located in China.
It is important to note that overseas entities without a presence in China must also file the DPO’s details if they collect and process the personal data of more than one million Chinese residents when providing products or services to them. Under the PIPL, such entities must designate a local agent or representative to handle the filing.
Deadline for filing
Qualifying companies must complete the filing by one of the following deadlines:
(a) Within 30 working days after reaching the one million threshold
(b) By 29 August 2025, if the threshold was already exceeded prior to 18 July 2025
(c) Within 30 working days after any material change to previously reported information
What information must be filed with the local CAC?
Qualifying companies must file the following information:
(a) Basic company information, including the company name, office address, legal representative, and whether it is a domestic company or a foreign-invested enterprise
(b) Details of the DPO, including their name, position, nationality and contact details
(c) Details of personal data processing activities, including the nature, category, volume and sensitivity of personal data collected and processed, the industry involved, the method of collection and processing, and the applications used
(d) Letter of compliance undertaking
How should the information be filed?
The filing can be completed online via either of the following CAC websites:
(a) CAC Personal Information Protection Administration System
(b) CAC Homepage
Liabilities for non-compliance
A failure to complete, or delay in completing, the DPO Filing is subject to liability under the PIPL. Companies may face fines of up to RMB 50 million (approx. US$7 million) or 5% of the previous year’s revenue, as well as other penalties such as business suspension or licence revocation.
The DPO and other people with direct responsibility may be fined up to RMB 1 million (approx. US$140,000) and banned from serving as senior management or DPO for a specified period.
Practical takeaways
Regulators in China are likely to launch enforcement actions against non-compliance after the deadline of 29 August 2025. Given that the deadline for filing is approaching, multinational corporations, in particular those engaged in B2C business, should take the following prompt action to meet the DPO Filing requirements:
(a) Companies are recommended to immediately review and map their personal data collection and processing activities in China, and to identify whether the one million threshold has been or will be met, thereby triggering the filing.
(b) Where the threshold has been met, companies must designate the DPO, if one has not already been designated, prepare the filing information and documents without delay, and submit the filing to the competent CAC authority by 29 August 2025.
(c) Qualifying companies must establish clear responsibilities for the DPO, including defining their day-to-day duties, authorising them to coordinate with internal departments, and specifying the range of matters on which they may provide advice or make decisions.
Client Alert 2025-217
