Does Your Business Need to File DPO Information With the CAC?
China’s data protection officer (DPO) reporting requirements have been tightened following a new notice from the CAC, making it mandatory for companies processing the data of over one million individuals to appoint and register a DPO. This article explains who must comply, what to submit, deadlines, and how the DPO system operates under China’s data laws.
On July 18, 2025, the Cyberspace Administration of China (CAC) issued a public notice introducing new requirements for reporting the details of personal information protection officers—commonly known as data protection officers (DPOs). This update is especially relevant for businesses that process the personal data of one million or more individuals in China.
In this article, we break down the key points from the announcement, explain what your company needs to do to stay compliant, and provide context on the broader DPO system in China.
Who needs to file DPO information?
According to the notice, any personal information processor handling the data of one million or more individuals is required to report information about their designated DPO. The report must be submitted to the municipal-level cyberspace authority in the city where the business is located.
When do you need to report?
The announcement sets out clear timelines for compliance:
- For businesses that reach the one million data subject threshold after July 18, 2025: You must submit your DPO information within 30 working days from the date the threshold is reached.
- For businesses that already reached the threshold before July 18, 2025: You must complete your submission by August 29, 2025.
- If there are material changes to previously submitted information: These updates must be reported within 30 working days of the change.
What counts as a material change?
According to the notice, the following situations are considered material changes and require updated reporting:
- Changes to any fields in the Basic Information Form, including the personal information processor’s core details, legal representative (or responsible person), or authorized handling agent;
- Significant changes to the DPO Information Reporting Form, such as updates to the overall situation, DPO details for specific applications, business lines, or systems; this also includes adding or removing any such applications or systems; and
- Other major changes to submitted materials.
If the company continues to process the personal data of one million or more individuals after such changes, it must log in to the reporting system, go to the DPO Information Reporting page, re-upload the updated documents, and submit them for review.
However, if the company ceases to process personal information or the number of individuals affected falls below the one million threshold after the change, no further reporting is required.
How to file your DPO information?
The entire process is handled online via the official Personal Information Protection Business System.
Personal information processors that operate as a group company or have multiple branches may fulfill the reporting requirements centrally through their headquarters. If there are affiliated entities (such as multiple subsidiaries, offices, chain stores, or third-party service providers), the reporting can be consolidated.
Before submitting, download and review the official user manual: Instructions for Filling Out the Data Protection Officer Information Reporting System (Version 1), available on the system homepage. Make sure you prepare all relevant materials in advance to ensure a smooth submission.
Preparation for submission
The personal information processor must submit the following materials:
- Basic Information Form of the Personal Information Processor (template available in the filing system);
- DPO (Data Protection Officer) Information Reporting Form (template available in the filing system);
- Original or photocopy of the Unified Social Credit Code certificate (scanned and stamped with the official seal);
- Scanned copy of the legal representative’s or responsible person’s ID;
- Scanned copy of the DPO’s ID;
- Proof of appointment of the DPO (scanned and stamped with the official seal);
- Scanned copy of the handling agent’s ID;
- Power of attorney for the handling agent (scanned and stamped with the official seal; template in Appendix 3);
- Letter of commitment (scanned and stamped with the official seal; template in Appendix 4); and
- Other relevant scanned materials.
Templates for the above documents can be downloaded from the system during the submission process.
Step-by-step reporting process
The reporting process for submitting DPO information through the Personal Information Protection Business System involves three main steps:
1. Register and log in
Visit the system homepage and create an account. After logging in, fill in the basic information of the reporting entity.
- The “Province” field must match the province where the business address or place of registration, as shown on the Unified Social Credit Code certificate, is located.
- The “Location” field must align with the city or district indicated on the same certificate.
2. Submit the required materials
Upload all required documents as outlined in the preparation section. After verifying that all information is accurate, submit the materials.
If the submission has not yet entered the review stage, you can retrieve and revise the materials. Once edited, the submission can be resubmitted.
3. Track your review status
The system will complete the material review within 15 working days from the date of submission. The Review Status column will display one of three outcomes:
- Submission complete (“信息报送完成”): The submission meets all reporting requirements.
- Returned for completion (“退回完善”): Materials need further improvement. You must resubmit the corrected materials within 10 working days.
- Review not approved (“审核未通过”): The submission fails to meet requirements, and the process is automatically terminated.
Once the reporting process is complete, all submitted data—except for the entity name and review status—will be regularly removed from the online system and can no longer be queried or downloaded.
It is strongly advised that personal information processors retain their own backup of the submitted materials for internal record-keeping.
What happens if you don’t comply?
Failure to submit DPO information as required—or to update it when significant changes occur—can result in regulatory penalties under the Personal Information Protection Law (PIPL) and other related regulations.
If your business processes large-scale personal data in China, ignoring these rules could lead to:
- Fines or administrative sanctions;
- Increased audit scrutiny; and
- Potential legal liabilities.
China’s DPO system at a glance
Legal basis for appointing a DPO
Article 52 of the PIPL establishes the legal obligation for certain personal information processors to appoint a DPO:
- Clause 1 requires processors that meet a threshold set by the CAC to designate a DPO responsible for supervising personal information processing activities and related protective measures.
- Clause 2 mandates that companies publicly disclose the DPO’s contact information and report the DPO’s name and contact details to the authority responsible for personal information protection.
Is appointing a DPO mandatory?
Yes, for companies that meet specified thresholds. While PIPL makes the appointment mandatory in certain cases, the Personal Information Security Specification (GB/T 35273-2020) provides further guidance on when a full-time DPO and supporting team are recommended. A DPO should be appointed if any of the following apply:
- The company’s core business involves personal information processing and has more than 200 employees;
- The company processes personal information of over one million individuals, or expects to do so within 12 months; and
- The company processes sensitive personal information of over 100,000 individuals.
This is a bit different from the later standard set in Article 12 of the Measures for the Administration of Personal Information Protection Compliance Audits, which requires personal information processors handling the data of over one million individuals to designate a DPO.
What are the DPO’s responsibilities?
The DPO is tasked with implementing and overseeing the organization’s personal information protection framework. Key responsibilities include:
- Leading the organization’s personal information security efforts and bearing direct accountability;
- Developing and implementing personal information protection policies and plans;
- Maintaining a current inventory of all personal data held, including type, source, recipients, and access controls;
- Conducting data protection impact assessments and advising on corrective actions;
- Organizing employee training on data security practices;
- Reviewing new products or services before launch to prevent unauthorized data collection or sharing;
- Establishing and managing complaints or reporting channels for data protection issues;
- Performing regular internal audits; and
- Liaising with regulatory authorities and reporting data incidents as needed.
Who can serve as a DPO?
While PIPL does not prescribe formal qualifications, the Personal Information Security Specification offers guidance:
- The DPO should have relevant experience in management and professional knowledge in data protection; and
- The DPO should be involved in important decision-making related to personal information processing and report directly to the company’s top leadership.
Can a DPO be held personally liable?
Yes. Under China’s Cybersecurity Law, Data Security Law, and PIPL, both the organization and the individual DPO may be penalized for non-compliance. This includes:
- Administrative fines;
- Industry bans for serious breaches; and
- In extreme cases, criminal liability.
This dual-penalty mechanism increases the importance of appointing a competent and well-supported DPO.
Can the DPO be outsourced?
Yes. While PIPL does not explicitly address the employment model, it does not prohibit outsourcing.
Outsourcing can enhance independence, mitigate conflicts of interest, and provide specialized data protection expertise. Notably, Article 58 of the PIPL requires major internet platform operators—those with large user bases or complex operations—to appoint external supervision bodies, further reinforcing the legitimacy of outsourced data protection services.
Key takeaway for foreign businesses
This update further reinforces China’s commitment to data governance and regulatory oversight. For foreign businesses operating in China:
- Appointing a qualified DPO is no longer optional; it’s a legal obligation for large-scale processors.
- Make sure your internal compliance, legal, and IT teams are aligned on reporting responsibilities and deadlines.
- Use this opportunity to reassess your data processing activities and ensure all procedures comply with China’s PIPL.
Early compliance not only avoids penalties but also demonstrates good corporate governance and builds trust with regulators and consumers alike. If you need help assessing your data processing obligations or filing the DPO report, please contact china@dezshira.com.
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.
Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.