China Personal Information Protection Law (PIPL)

People's Republic of China

v2021

8 domains

52 controls

China's comprehensive personal information protection statute (effective 1 November 2021), administered by the Cyberspace Administration of China. Establishes legal bases for handling personal information, sensitive-PI and minors' rules, cross-border transfer mechanisms, individual rights, handler obligations (PIPIA, DPO, breach notification, audits) and legal liability.

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (8)

PIPL: Cross-Border Provision (Ch III)

6 controls

Controls in the PIPL: Cross-Border Provision (Ch III) domain of China Personal Information Protection Law (PIPL) — 6 controls
Code	Title	Description
PIPL-Art38	Cross-Border Transfer Legal Mechanisms	Cross-border provision of PI requires one of: a CAC security assessment; a professional-body personal-information protec...
PIPL-Art39	Notice and Separate Consent for Cross-Border	Before cross-border provision the individual must be informed of the overseas recipient identity/contact, purpose, metho...
PIPL-Art40	Data Localisation and Security Assessment for CIIOs	Critical information infrastructure operators and handlers reaching the CAC-specified volume must store PI collected/gen...
PIPL-Art41	Foreign Authority Requests Require Approval	Without approval of the competent Chinese authority, handlers may not provide PI stored in China to foreign judicial or...
PIPL-Art42	Blocklist of Overseas Recipients	The CAC may list overseas recipients that harm Chinese citizens' rights or national security and restrict or prohibit pr...
PIPL-Art43	Reciprocal Countermeasures	China may take reciprocal measures against countries/regions that adopt discriminatory prohibitions or restrictions agai...

PIPL: General Provisions (Ch I)

7 controls

Controls in the PIPL: General Provisions (Ch I) domain of China Personal Information Protection Law (PIPL) — 7 controls
Code	Title	Description
PIPL-Art3	Scope and Extraterritorial Application	Applies to processing of personal information of natural persons within China, and to processing outside China that aims...
PIPL-Art4	Definition of Personal Information and Handling	Personal information is any information related to identified or identifiable natural persons recorded electronically or...
PIPL-Art5	Lawfulness, Good Faith, Necessity	PI must be handled under principles of lawfulness, propriety, necessity and good faith; misleading, fraudulent or coerci...
PIPL-Art6	Purpose Limitation and Minimisation	Handling must have a clear and reasonable purpose, be directly related to that purpose, and use the method with the leas...
PIPL-Art7	Openness and Transparency	Handlers must observe principles of openness and transparency, disclosing handling rules and clearly indicating purpose,...
PIPL-Art8	Quality of Personal Information	PI handled must be accurate and kept up to date to avoid adverse effects on individual rights and interests from inaccur...
PIPL-Art9	Security Responsibility of Handlers	Handlers are responsible for their handling activities and must adopt necessary measures to safeguard the security of th...

PIPL: Handler Obligations (Ch V)

8 controls

Controls in the PIPL: Handler Obligations (Ch V) domain of China Personal Information Protection Law (PIPL) — 8 controls
Code	Title	Description
PIPL-Art51	Security Measures and Management System	Handlers must adopt measures to ensure handling complies with law and to prevent unauthorised access, leakage, tampering...
PIPL-Art52	Designation of a DPO	Handlers reaching the CAC-specified processing volume must designate a person in charge of personal-information protecti...
PIPL-Art53	Domestic Representative for Overseas Handlers	Overseas handlers in scope of Art.3 must establish a dedicated entity or designate a representative in China to handle P...
PIPL-Art54	Regular Compliance Audits	Handlers must periodically audit their compliance of PI handling with laws and administrative regulations.
PIPL-Art55	Personal Information Protection Impact Assessment	A PIPIA must be conducted in advance, and records kept, before handling sensitive PI, automated decision-making, entrust...
PIPL-Art56	PIPIA Content and Retention	The PIPIA must assess the lawfulness/necessity of purpose and method, the impact and risk to individuals, and whether pr...
PIPL-Art57	Breach Remediation and Notification	On a leak, tampering or loss (or risk thereof) handlers must immediately take remedial measures and notify the authoriti...
PIPL-Art58	Large Platform Obligations	Handlers of important internet platforms with large user numbers and complex business must establish an independent over...

PIPL: Individual Rights (Ch IV)

7 controls

Controls in the PIPL: Individual Rights (Ch IV) domain of China Personal Information Protection Law (PIPL) — 7 controls
Code	Title	Description
PIPL-Art44	Right to Know and Decide	Individuals have the right to know and to decide about the handling of their PI, and to restrict or refuse handling by o...
PIPL-Art45	Right to Access, Copy and Portability	Individuals may access and copy their PI from handlers (responded to promptly), and may request transfer of PI to a desi...
PIPL-Art46	Right to Correction and Completion	Individuals may request correction or completion of inaccurate or incomplete PI; handlers must verify and correct in a t...
PIPL-Art47	Right to Deletion	Handlers must proactively delete PI where the purpose is achieved/impossible or no longer necessary, retention period ex...
PIPL-Art48	Right to Explanation of Handling Rules	Individuals have the right to request that handlers explain their personal-information handling rules.
PIPL-Art49	Rights of Deceased's Next of Kin	Close relatives of a deceased natural person may, for their own lawful and legitimate interests, exercise access, copy,...
PIPL-Art50	Request-Handling Mechanism and Remedy	Handlers must establish convenient mechanisms to accept and handle rights requests; refusals must state reasons, and ind...

PIPL: Legal Liability (Ch VII)

4 controls

Controls in the PIPL: Legal Liability (Ch VII) domain of China Personal Information Protection Law (PIPL) — 4 controls
Code	Title	Description
PIPL-Art66	Administrative Penalties	Unlawful handling is subject to rectification orders, warnings, confiscation of gains and fines; for serious violations...
PIPL-Art69	Civil Liability (Fault Presumed)	Where handling infringes PI rights and causes harm, the handler is liable unless it proves it was not at fault; compensa...
PIPL-Art70	Public Interest Litigation	Where a handler's violation harms the rights of many individuals, the procuratorate, consumer organisations and CAC-desi...
PIPL-Art71	Public Security and Criminal Liability	Violations constituting public-security administration offences incur such penalties; conduct constituting a crime incur...

PIPL: PI Handling Rules (Ch II)

14 controls

Controls in the PIPL: PI Handling Rules (Ch II) domain of China Personal Information Protection Law (PIPL) — 14 controls
Code	Title	Description
PIPL-Art13	Legal Bases for Handling	Handling is permitted only on one of the legal bases: individual consent; necessity for a contract or HR management; sta...
PIPL-Art14	Consent Requirements	Where consent is the basis it must be given voluntarily and explicitly by a fully informed individual; separate consent...
PIPL-Art15	Right to Withdraw Consent	Individuals may withdraw consent; handlers must provide a convenient way to do so. Withdrawal does not affect prior lawf...
PIPL-Art16	No Coerced Consent / No Service Refusal	Handlers may not refuse to provide products or services because an individual declines consent or withdraws it, unless t...
PIPL-Art17	Notice Content Before Handling	Before handling, individuals must be truthfully, accurately and fully informed of the handler identity/contact, purpose...
PIPL-Art19	Retention Period Limitation	Retention period must be the minimum necessary to achieve the handling purpose unless laws/regulations provide otherwise...
PIPL-Art20	Joint Handlers	Where two or more handlers jointly decide purpose and method they must agree their respective rights and obligations; th...
PIPL-Art21	Entrusted Handling (Processors)	When entrusting handling, the handler must agree purpose, period, method, categories and protection measures with, and s...
PIPL-Art22	Transfer Due to Merger or Restructuring	When PI is transferred due to merger, division, dissolution or bankruptcy, individuals must be notified of the recipient...
PIPL-Art23	Provision of PI to Third Parties	Providing PI to another handler requires informing individuals of the recipient identity/contact, purpose, method and ca...
PIPL-Art24	Automated Decision-Making	Automated decision-making must be transparent and fair; no unreasonable differential treatment in transaction terms; dec...
PIPL-Art25	Public Disclosure Prohibited Without Consent	Handlers may not disclose the PI they handle unless they obtain separate consent.
PIPL-Art26	Image Collection in Public Places	Image-collection and personal-identity-recognition equipment in public places may be installed only as needed for public...
PIPL-Art27	Handling Already-Disclosed PI	Handlers may handle PI already lawfully disclosed within a reasonable scope unless the individual explicitly refuses; ha...

PIPL: Sensitive PI (Ch II Sec 2)

5 controls

Controls in the PIPL: Sensitive PI (Ch II Sec 2) domain of China Personal Information Protection Law (PIPL) — 5 controls
Code	Title	Description
PIPL-Art28	Sensitive PI Definition and Threshold	Sensitive PI is information that, if leaked or unlawfully used, may endanger personal dignity or safety, including biome...
PIPL-Art29	Separate Consent for Sensitive PI	Handling sensitive PI on consent requires separate consent, and written consent where laws/regulations so provide.
PIPL-Art30	Enhanced Notice for Sensitive PI	When handling sensitive PI, individuals must additionally be informed of the necessity and the impact on their rights an...
PIPL-Art31	Minors Under 14	Handling PI of minors under 14 requires the consent of a parent or guardian and a dedicated set of handling rules.
PIPL-Art32	Sectoral and Administrative Restrictions	Where laws or administrative regulations set out restrictions, approvals or other conditions on handling sensitive PI, t...

PIPL: State Organs (Ch II Sec 3)

1 controls

Controls in the PIPL: State Organs (Ch II Sec 3) domain of China Personal Information Protection Law (PIPL) — 1 controls
Code	Title	Description
PIPL-Art35	State Organs Handling for Statutory Duties	State organs handling PI to fulfil statutory duties must do so within the scope and limits necessary, and must inform in...

Your Compliance Coverage

If you comply with China Personal Information Protection Law (PIPL), you already cover:

GDPR

52%

27 controls mapped

Compare →

CCPA/CPRA

13%

7 controls mapped

Compare →

China Cybersecurity Law (CSL)

4 controls mapped

Compare →

+ 4 more: NIST Cybersecurity Framework 2.0 (8%), ISO 27001:2022 (8%)

See all 7 mapped frameworks ↓

Maps to 7 other frameworks

52 total controls

GDPR

27 source controls mapped|15 target controls covered

52%

CCPA/CPRA

7 source controls mapped|6 target controls covered

13%

China Cybersecurity Law (CSL)

4 source controls mapped|3 target controls covered

NIST Cybersecurity Framework 2.0

4 source controls mapped|4 target controls covered

ISO 27001:2022

4 source controls mapped|3 target controls covered

China Data Security Law (DSL)

4 source controls mapped|3 target controls covered

ISO/IEC 17050-2:2004

1 source controls mapped|1 target controls covered

Compare China Personal Information Protection Law (PIPL) with GDPR

Frequently Asked Questions

What is China Personal Information Protection Law (PIPL)?

China Personal Information Protection Law (PIPL) is a compliance framework from People's Republic of China with 8 domains and 52 controls. China's comprehensive personal information protection statute (effective 1 November 2021), administered by the Cyberspace Administration of China. Establishes legal bases for handling personal information, sensitive-PI and minors' rules, cross-border transfer mechanisms, individual rights, handler obligations (PIPIA, DPO, breach notification, audits) and legal liability. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does China Personal Information Protection Law (PIPL) have?

China Personal Information Protection Law (PIPL) has 52 controls organised across 8 domains. The largest domains are PIPL: PI Handling Rules (Ch II) (14 controls), PIPL: Handler Obligations (Ch V) (8 controls), PIPL: General Provisions (Ch I) (7 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does China Personal Information Protection Law (PIPL) map to?

China Personal Information Protection Law (PIPL) maps to 7 other compliance frameworks. The top mapping partners are GDPR (52% coverage), CCPA/CPRA (13% coverage), China Cybersecurity Law (CSL) (8% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with China Personal Information Protection Law (PIPL) compliance?

Start your China Personal Information Protection Law (PIPL) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about China Personal Information Protection Law (PIPL) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 52 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 706 frameworks.

Get Started Free →

Free forever — no credit card required