While appointing and registering a DPO has been mandatory in China for many years, a portal has now finally been established for organisations to register those DPOs with the China data protection authority. This resolves long-standing uncertainty over how DPOs must be registered, and over relevant qualifications and location of the DPO. The deadline for registration is 29 August 2025. The scope of information to be reported as part of the registration goes beyond the DPO’s contact information. As such, organisations must act now.
We set out below some practical steps for appointing and registering China DPOs.
Who must appoint a DPO? A data controller must appoint a DPO if, and as soon as, it processes the personal data of more than one million data subjects in total.
In practice, many organisations who do not meet these thresholds nonetheless informally appoint a China DPO, but these will not need to be registered with the China data protection authority (i.e. the Cyberspace Administration of China, or CAC).
It is unclear whether the 1 million threshold is the only one requiring the appointment of a DPO and the reporting of the relevant information to the CAC. For example, some thresholds included in a national recommended standard Personal Information Security Specification (e.g. a data controller having more than 200 employees and its main business line involves data processing; or a data controller processing sensitive personal information of more than 100,000 individuals) have not been mentioned in this new guidance.
Who must register their DPO? Those organisations who meet the DPO appointment threshold (see above).
How do we register our China DPO? The CAC has now published an official online portal through which data controllers can report DPO information.
In order to complete the report (i.e. registration), a data controller must complete and upload a set of template forms.
Rather unexpectedly, these forms require more than just the DPO’s contact information, but also require information such as (this is not an exhaustive list): total and per-month numbers of data subjects; categories of personal data processed; whether personal data of minors (under 14 years old) is processed, and if so, the number of minors involved; and the domain name of any public websites or portals via which personal data is collected or processed.
In terms of practicalities for group and multinational entities operating in China:
- Group registrations: If an organisation’s group headquarters/parent entity handles China data protection matters on behalf of a number of group affiliates, the registration may be made at a group level by the headquarters/parent entity on behalf of all of the group entities. However, the guidance does not clarify whether, under these circumstances, the calculation of the one million threshold should be on a per-group basis rather than a per-controller basis.
- Joint registrations: Multiple data controllers with close business relationships (e.g. franchisees under the same franchising arrangement, or different vendors providing services to the same data controller) may submit a joint DPO registration report. Again, it is not clear whether the registration threshold should be on a combined or per-controller basis.
- Foreign (non-China) entities: Data controllers located outside of China processing China residents’ personal data (i.e. which trigger the extra-territorial effect of China data protection law) must also appoint and register their China DPO in the same manner. There is a specific column in the online reporting system where a data controller can indicate whether it is a Chinese or foreign entity.
What is the registration deadline? Data controllers who processed personal data of more than one million data subjects before 18 July 2025 must complete the DPO registration by 29 August 2025. Those who meet the threshold after that date must complete the report within 30 working days of reaching the threshold, reiterating the importance of closely morning China data processing activities and volumes.
Who can be a China DPO? Helpful guidance is provided by the registration templates, namely:
- A DPO must be a natural person, i.e. not an organisation. This is because the DPO’s family name and given name are required.
- A DPO does not necessarily need to be a Chinese citizen. This is because the data controller can input the DPO’s nationality into the template report.
The new portal and templates do not provide further details regarding qualifications or appointment of a China DPO, but, based on an existing data protection regulation, a DPO must at least have:
- relevant work experience and professional knowledge, and be familiar with data protection law requirements;
- clear and well-defined responsibilities, and be granted sufficient authority to coordinate with relevant departments and personnel within the organisation;
- the right to express opinions and raise suggestions before major decisions on personal data processing are made; and
- the authority to stop non-compliant personal data processing activities and take necessary corrective measures.
[View source.]
