China PIPO reporting obligation: Post-implementation practical guidelines & compliance checklist

Who Must Report and by When?

Under the CAC PIPO Reporting Announcement, Handlers that have handled personal information of one million or more individuals before 18 July 2025 must complete the submission of their PIPO information ("PIPO Filing") by 29 August 2025 to the municipal/city-level CAC in the location where the Handler is situated. If the threshold is reached on or after 18 July 2025, reporting must be completed within 30 working days of crossing the one-million-individual threshold. When determining whether the threshold has been met, the total number of individuals whose personal information is handled by the Handler shall be deduplicated, and deleted or anonymized personal information shall not be taken into account.

The one-million-individual threshold is assessed on a per-legal-entity basis, not across the entire corporate group. Each independent legal entity (e.g., a PRC subsidiary) shall determine whether it, on its own account, processes data of one million or more individuals. Per our discussion with some local CACs, personal information originating from outside China - including personal information of foreign nationals - should be included in the count if it is processed within China, and mere storage of personal information on servers in China will also be regarded as a processing in China. However, we were advised by the CACs' officials, when determining whether the threshold for the PIPO reporting obligation is triggered, the data processed as a data processor shall not be counted toward the total volume.

Notably, per our discussion with some local CACs, the reporting obligation also applies to foreign entities subject to the PIPL under Article 3(2)—those offering goods or services to individuals in China or analyzing their behavior. The reporting obligation shall be fulfilled by its representative designated in accordance with Article 53 of the PIPL.

In our communications with local CACs across different provinces, we have observed variations in their interpretations and guidance on the PIPO Filing for offshore Handlers and the collective PIPO Filing of a foreign parent company and its domestic subsidiary (when both fall under the scope of the PIPL). As a result, the exact pathway for PIPO Filing may differ depending on the location of the company's Chinese operation. We strongly recommend confirming the submission process and any entity-specific questions directly with the local CAC office to ensure full compliance.

Who Is Eligible to Serve as a PIPO?

Must the PIPO Be an Employee?

While the PIPL, the Audit Measures and the CAC PIPO Reporting Announcement do not explicitly require the PIPO to be a direct employee of the organization, the reporting form requests personal details such as name, job title, nationality, and contact information—strongly implying that the role is expected to be filled by a natural person within the company's organizational structure. Foreign nationals may serve in this role, provided that they are affiliated with the reporting entity or its group.

Applicants must upload proof of appointment, such as an official letter of designation, internal announcement, or job offer. The current system does not require the submission of employment contracts or work permits.

How Many PIPO May You Appoint?

Handlers may designate one PIPO to be responsible for personal information protection across all business lines, or they may designate one overall personal information protection officer while also designating corresponding personal information protection officers for different applications/businesses/systems.

Can the EU Data Protection Officer (DPO) Also Serve as PIPO?

While the roles may appear similar, the PIPO under China’s PIPL differs significantly from the DPO under the EU’s General Data Protection Regulation (GDPR), which may make it difficult to appoint an individual to take both roles. The roles differ significantly in the following aspects:

Independence

The GDPR mandates that the DPO operates independently and not receive instructions regarding their data protection duties. Internal DPO shall not be subject to a conflict of interest due to his work in the IT Department, HR Department or senior management, where he would have to supervise himself. While PIPO is responsible for supervising the personal information processing activities and relevant protective measures, suggesting a need for operational independence, the position is still in the early stages of development and does not yet have statutory independence on the same level as that required under the GDPR.

Liability

Under the PIPL, the PIPO may be deemed a “directly responsible supervisor” or “other directly responsible personnel” under Article 66 of PIPL if she/he was directly responsible for any specific violations of PIPL. When the Handler violates the provisions of the PIPL or fails to fulfil the personal information protection obligations, the PIPO may face fines and professional disqualification, in addition to the administrative penalties imposed on the Handler (see details in Section 3). The GDPR, however, places liability primarily on the data controller or processor and explicitly protects the DPO from dismissal or penalty for performing their duties.

What Are the Responsibilties and Liabilities of the PIPO?

According to Article 22 of the Audit Measures, the roles and responsibilities of a PIPO include coordinating relevant departments and personnel, raising opinions and suggestions before major decisions related to personal information processing are made, stopping non-compliant processing activities and taking necessary corrective measures. Before appointing a PIPO, Handlers should ensure the appointee fully understands the scope of the role and its associated risks. To support effective performance, Handlers should grant the PIPO adequate authority, resources, and access to relevant data systems.

As discussed above, the PIPO may be held personally liable as a “directly responsible supervisor” or “other directly responsible personnel” under Article 66 of the PIPL, potentially facing fines (RMB 10,000–1,000,000) and disqualification from holding certain management positions. Handlers may consider providing professional liability insurance for the PIPO to mitigate personal risk.

However, personal liability is not automatic. As clarified in Article 13 of the Guidelines on the Exercise of Administrative Penalty Discretion by Cyberspace Authorities (effective 1 August 2025), when a Handler commits a violation, regulators will assess liability of relevant personnel based on the following factors:

• The individual’s job responsibilities and tenure;
• The extent to which their actions contributed to the violation;
• Their level of intent or negligence;
• Whether they should assume primary or secondary responsibility; and
• Whether they attempted to mitigate or correct the violation.

What Materials Must Be Submitted?

Handlers must complete the reporting using official templates issued by the CAC. All documents must be stamped with the company seal and uploaded via the online system. The headquarters may uniformly organize branches, subsidiaries, and other affiliated entities to collectively submit the information of all PIPO involved if the following conditions are met:

• The group company or headquarter understands the personal information processing activities of each entity, is able to manage and supervise such activities, and can assume corresponding responsibilities;
• The purpose is not to evade regulatory responsibilities or legal applicability;
• There is an appropriate legal or business relationship between the entities involved in the consolidated reporting; and
• Each entity complies with a unified personal information compliance policy, and there is a high degree of consistency in terms of personnel, systems, facilities, brands, etc.

Among others, the key items required for submitting PIPO information include:

• Basic Information of the Handler: Name, organizational nature and nature of investors of the Handler, office location, details on the legal representative and authorized reporting agent. If multiple branches, subsidiaries, or other affiliated entities submit information collectively, the names of the entities included in the collective report (including their Unified Social Credit Codes) shall be specified in the remarks column of the status form; if they submit information separately, separate basic information forms shall be filled out accordingly.
• PIPO Information: Comprehensive data on the appointed officer, including name, role, nationality, contact information, and organization metrics such as name of personal information protection organization (not mandatory) and employee count.
• Processing details: The details of personal information processing activities shall be filled in form together with PIPO information, which include:
  • Total volume of personal information processed (based on the number of natural persons after deduplication);
  • Volume of monthly active users;
  • Categories of information processed;
  • Volume and categories of data involving minors and minors under 14 years old;
  • Industry sectors in which the Handler is engaged;
  • Channels for collecting information; and
  • Associated domains and IP addresses.

If a dedicated PIPO has been assigned to a specific system or business unit, the processing details of each system or business unit shall be filled out separately with the corresponding PIPO. Otherwise, these fields may be left blank.

The reporting process requires robust internal data mapping and processing activity assessments. Handlers that have not conducted data inventories or mapped processing scenarios since the PIPL’s enactment may face significant challenges in completing accurate submissions.

When drafting the forms for PIPO reporting, Handlers shall ensure alignment between the reported information and other public or regulatory filings, including ICP license records, filings related to cross-border data transfers and privacy policies. Discrepancies may trigger regulatory scrutiny. After the Handler submits the information, the municipal/city-level CAC will conduct a review. The possible results include “submission completed”, “review not passed”, and “submission terminated”. During the review process, the CAC may return the application for improvement, requiring the Handler to supplement the relevant information. The CAC will specify the requirements for supplementation, and the Handler can consult the CAC by phone for details. The supplementary materials shall be submitted within 10 working days.

Forward-looking Considerations

Will the PIPO’s Information Be Made Public?

The CAC’s reporting system does not currently publish PIPO details. However, Article 52 of the PIPL requires Handlers to publicly disclose the PIPO’s contact information (e.g., phone number, email). Future public disclosure of PIPO details by CAC cannot be ruled out. Therefore, we recommend using business contact details rather than personal information when submitting the report.

When Must You Update or Re-File?

Under the CAC PIPO Reporting Announcement, Handlers must submit a change of record filing within 30 working days following any material change to the submitted information, including:

• Changes to the basic information;
• Significant changes to the PIPO information and processing details (except where the data volume falls below one million after the updates); and
• Any other significant changes affecting the reported data.

The change of record filing requires re-uploading all materials and undergoing a new review process—similar to an initial submission. Therefore, we strongly advise Handlers to carefully select the PIPO and authorized reporting agent and use a company-managed mobile number for account registration (SMS verification is required for each login and submission).

Next Steps

Handlers that process personal data of one million or more individuals in China should act promptly to appoint a qualified PIPO, gather required documentation, and complete the online submission. Otherwise, as a legal matter, failure to comply with the PIPO appointment obligation may result in administrative penalties under PIPL.

Given the complexity of the reporting process and the potential personal liability involved, we recommend conducting a thorough internal review of data processing activities and governance structures well in advance of submission.

Hogan Lovells’ Privacy and Cybersecurity Team is actively monitoring governmental activities that could affect the PIPO Filing. We are committed to keeping our clients updated on the latest developments and providing strategic, practical advice and assistance on relevant matters.

Authored by Sherry Gong, Flora Feng, and Xun Li.