New Guidelines on Sensitive Personal Data in China Effective November 1

A new set of recommendatory standards on handling sensitive personal data in China will come into effect on November 1. The new standards give companies helpful guidance on how to identify sensitive personal information and on the security measures they are expected to apply to protect that data throughout its entire lifecycle. As more legal cases are brought against multinationals over breaches of China’s personal information protection regulations, companies are advised to adhere to the guidelines to ensure compliance.


In April 2025, China’s National Standardization Administration released a new set of national standards titled Data Security Technical Requirements for the Processing of Sensitive Personal Information (GB/T 45574-2025, hereinafter the “standards”). These standards, which take effect on November 1, 2025 and are nonmandatory, provide useful clarification for companies on how to handle sensitive personal data in China, building upon existing laws such as the Personal Information Protection Law (PIPL).

The new standards are based on a previous set of standards released in 2020 (GB/T 35273—2020) – also nonmandatory – but do not replace them.

In China’s PI protection legal framework, sensitive PI refers to PI that, if leaked or misused, could infringe on a person’s dignity or endanger their personal or property safety. This includes categories such as biometric data, religious beliefs, medical and financial records, information on a person’s whereabouts, and any data related to minors under the age of 14. 

Despite being only recommendatory in nature, the new standards detail what constitutes sensitive PI across the various categories and set out specific compliance requirements for each stage of the PI lifecycle. These include ensuring lawful collection based on necessity and separate consent, applying enhanced security controls such as encryption and access restrictions, and assigning responsible personnel when processing large volumes of sensitive PI.


Definition and categories of sensitive PI 

The definition of sensitive PI in the standards is the same as that stipulated in the PIPL: “PI that, once leaked or illegally used, is likely to infringe upon the personal dignity of a natural person or endanger the personal safety or the safety of property”. This includes: 

  • Biometrics
  • Information on religious beliefs
  • Information on specific identities
  • Medical information
  • Financial accounts
  • A person’s whereabouts
  • Any PI of minors under the age of 14 

The standards provide a more detailed explanation and concrete examples of what constitutes each of these categories of sensitive PI. They also stipulate specific requirements for processing each type of data. The categories and the specific requirements for their processing are summarized below. 

Categories of Sensitive PI

Biometric information 
  Definition: PI obtained through the technical processing of a natural person’s physical, biological, or behavioral characteristics, which can be used alone or in combination with other information to identify that person. 
  Examples: Genes, face, voiceprint, gait, fingerprints, palm prints, eye prints, ear shape, iris, and other biometric information. 
  Special requirements: 
  • Must offer an alternative (non-biometric) identification method; biometric identification cannot be the default.
  • Must not publicly disclose biometric data without the individual’s explicit request or written consent.
  • Written consent is required if biometric data is collected in a non-cooperative manner (without the individual’s active participation).
  • Must extract features or templates directly from the collected data rather than storing the raw data.
  • Original data (e.g., images, videos) must be deleted once the purpose has been achieved.
  • Written consent is required for use in scientific research.

Religious beliefs 
  Definition: Information related to the religion, religious organizations, and religious activities that an individual believes in or takes part in. 
  Examples: PI regarding an individual’s religious beliefs, the religious organizations they have joined, positions held within those organizations, participation in religious activities, and specific religious customs. 
  Special requirements: 
  • Must comply with the rules of the religious organization concerned.
  • Separate, explicit consent is required for collection.
  • Processing is generally not allowed except within religious organizations and with explicit consent.
  • Must not disclose or use religious data without separate consent.
  • Must not be used to build user profiles. 

Information on specific identities 
  Definition: Identity information that significantly affects personal dignity and social evaluation, especially identity information that may lead to social discrimination. 
  Examples: Identity information of persons with disabilities, and occupational identity information that is not suitable for public disclosure. 
  Special requirements: 
  • Must not collect if non-identity data suffices.
  • Must delete the data after use unless retention is legally required.
  • Must display in de-identified form unless full display has been verified by the individual or by authorized personnel.
  • Must not disclose identity data, or build user profiles on the basis of it, without explicit separate consent.

Medical information 
  Definition: Information related to the health status and medical treatment of natural persons. 
  Examples: 
  • Information related to an individual’s physical or mental injury, illness, disability, risk of illness, or privacy, such as symptoms, medical history, family medical history, history of infectious diseases, physical examination reports, and reproductive information.
  • PI collected and generated during the provision of medical services such as disease prevention, diagnosis, treatment, nursing, and rehabilitation, including medical records (e.g., medical opinions, hospitalization records, physician orders, surgical and anesthesia records, nursing notes, and medication records), and test and examination data (e.g., laboratory reports and imaging reports). 
  Special requirements: 
  • Must follow applicable laws and classify the data by sensitivity and risk.
  • Must apply access control to especially sensitive information (e.g., HIV and STD results restricted to the attending medical staff).
  • Preferably displayed in de-identified form; full display requires identity verification.
  • For research use, data should be de-identified in accordance with GB/T 37964.

Financial account information 
  Definition: Information related to bank, securities, and other accounts and to transactions. 
  Examples: Account numbers and passwords for individual bank, securities, fund, insurance, and provident fund accounts; joint provident fund account numbers; payment account numbers; bank card magnetic track data (or the chip equivalent); payment tokens generated from account information; and details of personal income. 
  Special requirements: 
  • Must follow applicable laws and classify the data by sensitivity and risk; data collected via software or terminals must be encrypted.
  • Must not retain the account identifiers of third-party institutions unless authorized by both the user and the account institution.
  • Terminals must not store payment-sensitive data (e.g., card track data, CVVs).
  • Must de-identify the data when displayed; full display requires identity verification.
  • De-identification must be applied in the user interface, in management consoles, and in logs, on both the frontend and the server side. 

Information on whereabouts 
  Definition: Information related to the geographic location, activity location, and activity trajectory of individuals. 
  Examples: Continuous precise location tracking information, vehicle travel trajectory information, and continuous activity trajectory information of individuals. 
  Special requirements: 
  • Continuous collection requires continuous prompts to the user.
  • Must avoid tagging sensitive locations, in line with state regulations.
  • Must minimize the frequency and scope of location access.
  • Location data that is processed into trajectories must be treated as trajectory information.
  • UI display should use de-identification techniques. 

PI of individuals under the age of 14 
  Definition and examples: Any PI of individuals under the age of 14. 
  Special requirements: 
  • May only collect where required by law.
  • Must verify age and, if the individual is under 14, verify the guardian’s identity by reasonable means (SMS, video, email, written confirmation, etc.).
  • Must enable guardians to view, copy, correct, supplement, or delete the child’s PI.
  • Requests must be handled within 15 working days, with written justification for any rejection.
  • Must publish dedicated PI processing rules for minors.
  • Must clearly state the collection functions and highlight the differences between minor and adult modes. 

Other sensitive PI 
  Definition: Information other than the above that should be protected as sensitive PI. 
  Examples: Precise positioning information, ID card photos, sexual orientation, sex life, credit information, criminal record information, and photos or videos showing private parts of an individual’s body. 
  Special requirements: 
  • Must implement appropriate technical and organizational measures based on the characteristics of the specific data type.
  • Must ensure full protection of the individual’s rights and interests.

Changes from the 2020 standards 

The different examples of sensitive PI provided in an annex to the standards differ slightly from the previous version that came into effect in 2020 (GB/T 35273—2020). For instance, the 2025 standards omit several categories that were explicitly included in 2020. Virtual property, such as virtual currencies, online transactions, and game redemption codes, is no longer listed. Similarly, communication and social data that were once recognized as sensitive, including communication records, address books, friend lists, group lists, and web browsing history, are absent from the 2025 framework. Other types of information have also been removed, such as lodging and accommodation details, marital history, and specific health-related data like drug and food allergies.


Meanwhile, the 2025 standards introduce several new and more detailed categories of sensitive information. Financial information is expanded to include securities, fund, insurance, and provident fund account details, as well as chip and magnetic stripe data from bank cards, payment tokens, and income details. Health information now explicitly covers psychological health, disability-related health conditions, disease risk assessments, and physical examination reports. Biometric categories have also been expanded to include new identifiers such as gait and eye pattern recognition.  

In terms of identity, the new standards highlight sensitive or unpublishable occupational identities, disability status, and resident ID photos, rather than focusing on the different types of official documents as in the 2020 standards. Religious information has also been broadened to include organizational membership, positions, activities, and customs. In the realm of personal life, sexual activity and intimate photos or videos are now explicitly considered sensitive. 

Rules for identifying sensitive PI 

The standards stipulate a set of rules that companies must follow to identify sensitive PI. Accurately identifying sensitive PI is important for companies to ensure they comply with the PIPL and other relevant regulations on handling sensitive PI and to avoid possible penalties or other legal repercussions. 

The rules set out in the standards also provide additional clarity for the scope of information that is considered sensitive PI in China.

Under the rules, PI that meets any of the following conditions must be identified as sensitive PI: 

  1. Information that, once leaked or illegally used, is likely to infringe upon the personal dignity of natural persons, for example by enabling:
    1. Doxxing (the crowdsourced exposure of a person’s information, commonly rendered in Chinese law as a “human flesh search”).
    2. Illegal intrusion into a person’s online accounts.
    3. Telecommunications fraud.
    4. Damage to a person’s reputation, or discriminatory differential treatment. Discriminatory treatment may result from the leakage of information such as a person’s specific identity, religious beliefs, sexual orientation, or illnesses and health status.
  2. Information that, once leaked or illegally used, is likely to endanger the personal safety of natural persons, for example where leaked information on a person’s whereabouts could put their physical safety at risk.
  3. Information that, once leaked or illegally used, is likely to endanger the property of a natural person, for example where leaked financial account information could lead to financial loss. 

The standards note that if there are sufficient reason and evidence to show that the processed PI does not meet the conditions for identifying sensitive PI outlined above, then it does not need to be identified as such. 

Companies must also consider both the sensitivity of individual PI items and the overall attributes of the PI once aggregated, and analyze the possible impact on personal rights and interests if the aggregated data were leaked or illegally used. Where the aggregated PI meets the conditions outlined above, it should be identified as sensitive and protected as a whole, even if no single item in it is sensitive on its own. 

Companies should identify the sensitive PI collected and generated in accordance with the sensitive PI categories outlined in the standards, summarized in the table above. 

General security requirements for processing sensitive PI 

The processing of sensitive PI must meet the basic requirements for processing general PI set out in the 2020 standards GB/T 35273—2020. 

These standards outline the rules for the collection and storage of PI, display restrictions, the rights of PI holders, the sharing, transfer, and public disclosure of PI, the handling of security incidents related to PI, and organizational PI security management requirements, among other matters. 

Collection of sensitive PI 

The collection of sensitive PI must also meet the basic requirements for the collection of general PI outlined in the standard GB/T 35273—2020.  

In general, under the 2025 standards, companies may only process sensitive PI when there is a specific purpose and sufficient necessity to do so, and strict protection measures have been taken. 

Requirements for Collection of sensitive PI
Requirement category  Specific requirements  
Legality of sensitive PI collection 
  1. Must not conceal sensitive PI collection functionality; must clearly disclose sensitive PI type, scope, purpose, necessity, and impact on individual rights (e.g., via privacy policy).
  2. Must not collect sensitive PI through fraud, deception, coercion, or illegal means—whether directly or through third parties.
  3. Must not use technical tools (e.g., scripts, crawlers) to automatically collect* sensitive PI from websites or apps (e.g., transmitted, stored, or displayed data).
  4. Must not collect sensitive PI for purposes that violate laws or regulations** (e.g., illegal sale, national security threats, IP/personality rights violations).
  5. Must not collect or use sensitive PI for criminal activities (e.g., cyberbullying, defamation, telecom fraud, extortion, or identity theft). 
Necessity and scope of sensitive PI collection 
  1. Must not collect sensitive PI if the intended processing goal can be achieved with non-sensitive PI.
  2. Must only collect sensitive PI during the actual use of the specific business function that requires it.
  3. Must collect sensitive PI based on distinct functions or service scenarios (i.e., segment collection accordingly).
  4. For mobile apps, sensitive PI collection must comply with GB/T 41391 standards. 
* Automatic collection refers to the activity of automatically obtaining specific web page information or data and extracting the corresponding content according to specified rules through technical means such as automatically downloading programs and scripts. 

** Purposes that violate laws and regulations include but are not limited to illegal buying, selling, provision, or disclosure of other people’s PI, engaging in PI processing activities that endanger national security and public interests, and infringing on other people’s intellectual property rights or personality rights. 

Consent for collection of sensitive PI 

Before collecting sensitive PI, companies must meet certain requirements for obtaining consent, which will depend on the manner in which consent is obtained. 

When personal consent is used to process sensitive PI, the company must obtain separate consent from the individual. To obtain separate consent, the individual can either proactively fill out and submit the consent, or the company can inform the individual through a dedicated page, phone call, SMS, or other means, to obtain consent via explicit affirmative actions, such as clicking or checking individual options.

In some cases, companies will be required to obtain written consent from the individual, such as for the collection of biometrics, requesting PI from credit reporting agencies, provision of credit information to other entities by institutions engaged in credit business, and provision of information related to real estate transactions during the use of real estate brokerage services.


To obtain written consent, the company can provide the terms to the individual in a tangible way, such as on paper or in digital text, and the individual can give consent by providing a signature, seal, or electronic signature.  

If a single piece of sensitive PI is used for multiple processing purposes or business functions, consent for the different purposes must not be bundled.

When image acquisition or personal identification equipment is installed in public places, a prominent sign should be set up to inform people of its use. In principle, the sensitive PI collected, such as personal images and information on a person’s identity, may only be used for the purpose of maintaining public security and must not be used for other purposes unless the individual’s separate consent is obtained. 

When the company processes publicly disclosed sensitive PI and it is assessed that it has a significant impact on the rights and interests of the individual, the individual’s separate consent should be obtained. 

Finally, when processing sensitive PI based on individual consent, the company should provide the individual with a convenient way to withdraw consent. It is also advisable to explain to the individual the impact that the withdrawal of consent may have on them. 

Security protection requirements for handling sensitive PI 

Before beginning to process sensitive PI, companies must identify and classify sensitive PI, establish and update a dedicated directory, and apply tailored management procedures to ensure their security. 


Encryption, strict access control, activity logging, regular auditing, and interface protection are required. Additionally, clear authorization procedures must be in place for critical operations such as sharing, exporting, or public disclosure. Companies must also store sensitive PI separately from the information that could be used to identify the individual or to reverse de-identification, and they must provide mechanisms for secure deletion or anonymization when the PI is no longer needed.  

Moreover, the standards require that companies processing the sensitive PI of more than 100,000 individuals appoint a person in charge of PI protection and designate a management body to supervise PI processing activities and the protection measures taken. 

The person in charge of PI protection must have professional knowledge of PI protection and relevant management work experience, and must be a member of the management of the processor. They must also undergo a security background check. 


The following table summarizes the specific security protection requirements for handling sensitive PI. 

Security Protection Requirements for Handling Sensitive PI
Requirement  Summary 
Identification and classification  Identify sensitive PI before processing; classify and maintain updated directories. 
De-identification  After de-identification, treat as general PI; anonymized data is excluded. 
Important data handling  If large-scale sensitive PI is classified as important data, follow related protection regulations. 
Policies and procedures  Establish dedicated policies and define security responsibilities across the data lifecycle. 
Authorization and approval  Set approval processes for critical operations (e.g., sharing, exporting, displaying). 
Personnel management  Treat those with sensitive PI access as key personnel and manage securely. 
Impact assessment  Conduct Personal Information Protection Impact Assessments (PIPIA) before new uses; retain reports for 3 years. 
Logging and auditing  Log sensitive PI operations and retain logs for 3 years. 
Data separation  Store sensitive PI separately from identifiable or reversible data. 
Encryption  Encrypt sensitive PI at rest and in transit using national/industry-standard algorithms. 
Key management  Authorize encryption/decryption separately; store keys using compliant cryptographic products. 
Display controls  De-identify sensitive PI by default when displayed. 
Access control  Follow the “minimum necessary” principle for access scope and duration. 
Field-level control  Control access to data at field-level for structured data; file-level for unstructured data. 
Regular audits  Audit logs and permissions at least monthly; address unauthorized actions promptly. 
Compliance audits  Conduct audits per national regulations to assess legal compliance. 
Monitoring and alerts  Monitor for abnormal behavior (e.g., large-scale queries, off-hours access) and respond promptly. 
Watermarking and display restrictions  Add watermarks to display interfaces and disable copy/print/screenshot functions by default. 
Deletion and anonymization  Assess effectiveness; ensure irreversibility after deletion/anonymization. 
Interface security  Secure interfaces with identity verification, access control, encryption, and timestamps. 
Deletion mechanism  Establish deletion processes and allow individuals to delete their sensitive PI unless retention is legally required. 
Security capability level  Meet at least Level 3 of GB/T 37988 data security capability. 
Security engineering  Apply GB/T 41817 security practices during product/service planning and implementation. 
Cross-border transfer  Comply with national data export regulations. 
Large-scale processing responsibility  Appoint a dedicated PI protection officer and management body. 
Officer qualification  Officer must be management-level with PI protection expertise. 
Background checks  Conduct background checks on key personnel. 
Mergers and shutdowns  Plan for PI protection during mergers, splits, dissolution, or bankruptcy. 
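Three rows of the table describe controls that are implemented in code rather than in policy: display controls (together with the financial-account rule above that de-identification must also cover logs, on both the frontend and the server side), field-level access control, and monitoring for large-scale or off-hours access. The Python below is an added illustration of those three controls; it is not code from the standards, from their annexes, or from China Briefing. The identifier formats, the role names and field policy, the business-hours window, the bulk threshold, and the audit-log records are all constructed assumptions for the demonstration.

```python
"""De-identified display/logging, field-level access control and abnormal-access
monitoring for sensitive PI.

Added illustration, not code from GB/T 45574-2025 or from China Briefing.
Sample records, role names, thresholds and business hours are constructed
assumptions chosen for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, time


def mask_identifier(value: str, keep_suffix: int = 4) -> str:
    """De-identify an account or ID number: keep only the last `keep_suffix`
    characters so staff can still confirm a record with the individual
    without seeing the full identifier."""
    if len(value) <= keep_suffix:
        return "*" * len(value)
    return "*" * (len(value) - keep_suffix) + value[-keep_suffix:]


# Identifiers that must never reach a log in clear form. Assumed formats:
# 16-19 digit bank card / account numbers and 18-character resident ID numbers.
_SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{16,19}\b"),
    re.compile(r"\b\d{17}[\dXx]\b"),
]


def redact_log_line(line: str) -> str:
    """Apply the same masking in the server-side log writer, so the UI, the
    management console and the logs all show identifiers in one de-identified form."""
    for pattern in _SENSITIVE_PATTERNS:
        line = pattern.sub(lambda m: mask_identifier(m.group(0)), line)
    return line


# Assumed field-level policy for a structured medical record: the roles allowed
# to read each field. HIV/STD results are limited to the attending staff,
# mirroring the example the standards give.
FIELD_POLICY = {
    "patient_name":   {"attending", "nursing", "billing"},
    "id_number":      {"attending", "billing"},
    "diagnosis":      {"attending", "nursing"},
    "hiv_std_result": {"attending"},
}


def read_record(record: dict, role: str, verified: bool = False) -> dict:
    """Return only the fields `role` may read. The identifier is shown
    de-identified unless the caller has completed identity verification."""
    view = {}
    for field, value in record.items():
        if role not in FIELD_POLICY.get(field, set()):
            continue  # not readable by this role: drop the field, do not just mask it
        if field == "id_number" and not verified:
            view[field] = mask_identifier(value)
        else:
            view[field] = value
    return view


# Constructed audit-log records: (timestamp, operator, action, records touched).
SAMPLE_AUDIT_LOG = [
    ("2025-11-03 09:12:05", "ops_zhang", "query_financial_account", 12),
    ("2025-11-03 09:40:51", "ops_zhang", "query_financial_account", 8),
    ("2025-11-03 02:17:33", "ops_li",    "query_financial_account", 3),
    ("2025-11-03 14:05:10", "svc_batch", "export_financial_account", 25000),
    ("2025-11-03 15:22:47", "ops_wang",  "query_medical_record", 40),
]

BUSINESS_HOURS = (time(8, 0), time(20, 0))  # assumed local working window
BULK_THRESHOLD = 1000                       # assumed records per operator per day


def detect_abnormal_access(records, bulk_threshold=BULK_THRESHOLD,
                           business_hours=BUSINESS_HOURS):
    """Flag the two behaviours the standards name: off-hours access to
    sensitive PI and large-scale queries or exports by a single operator."""
    alerts = []
    per_operator_day = defaultdict(int)
    start, end = business_hours
    for ts, operator, _action, count in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not (start <= when.time() < end):
            alerts.append(("off_hours_access", operator, ts))
        per_operator_day[(operator, when.date())] += count
    for (operator, day), total in per_operator_day.items():
        if total >= bulk_threshold:
            alerts.append(("large_scale_query", operator, day.isoformat()))
    return alerts


if __name__ == "__main__":
    print(redact_log_line("lookup card=6222021234567890123 id=11010119900101123X"))
    print(read_record({"patient_name": "Zhang San", "id_number": "11010119900101123X",
                       "diagnosis": "pneumonia", "hiv_std_result": "negative"}, "billing"))
    for alert in detect_abnormal_access(SAMPLE_AUDIT_LOG):
        print(alert)
```

Two design points matter more than the code itself. First, masking is done once, in the log writer and in the record reader, rather than in each screen; a masking layer that lives only in the frontend leaves the management console and the server logs in clear text, which is exactly what the financial-account row forbids. Second, a field the role is not entitled to is dropped, not masked: a masked value still confirms that the field exists, which for an HIV result is itself a disclosure. The thresholds and hours are placeholders and would be tuned against the organization's own baseline before being relied on for alerting.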

Cross-border transfer of sensitive PI 

Under the PIPL and related regulations, companies that wish to export PI from China are required to undergo one of three compliance procedures, which vary in complexity depending on the volume and type of data that is exported. 

The three procedures are: 

  1. A data export security assessment organized by the Cyberspace Administration of China (CAC).
  2. Personal information protection certification issued by a professional institution.
  3. Signing the standard contract for the export of PI and filing it with the provincial-level CAC.

In order to qualify for the latter two mechanisms, which are simpler, a company must have cumulatively transferred the sensitive PI of fewer than 10,000 individuals since January 1 of the current year. A company that reaches or exceeds this threshold must undergo the CAC security assessment. 

Key takeaways 

Although GB/T 45574-2025 is a recommended national standard, it provides detailed operational guidance on handling sensitive PI in line with China’s PIPL. The standards translate broad legal principles into practical requirements, helping organizations across industries understand and implement the expected level of data protection. 

While compliance with the standards is not legally mandatory, regulatory authorities such as the Cyberspace Administration of China (CAC) may conduct random inspections of companies’ personal information practices. Companies that align their policies and safeguards with the principles outlined in the standards will be better positioned to demonstrate good-faith compliance with the PIPL and related regulations. 

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.

Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.

 
