{"id":2875,"date":"2021-08-25T10:09:00","date_gmt":"2021-08-25T16:09:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2875"},"modified":"2025-05-13T11:12:38","modified_gmt":"2025-05-13T16:12:38","slug":"getting-started-pipl-compliance","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/","title":{"rendered":"Getting Started with PIPL Compliance"},"content":{"rendered":"\t\t<section id=\"block_b9f26ae69788f9bccab9c483fd6a1f25\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>Getting Started with PIPL Compliance<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_9752fc44f9f2dc667158210b99982a06\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t<div class=\"person-wrap\">\n\t\t\t<span>\t\t\t\t\t\t\t<div class=\"img-holder\">\n\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"110\" height=\"110\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/people-placeholder-lt-blue.png\" class=\"attachment-full size-full wp-post-image\" alt=\"\" \/>\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"text-holder\">\n\t\t\t\t\t\t\t\t\t\t\t<strong class=\"block name\">Annie Greenley-Giudici<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<p>Although the Chinese Personal Information Protection Law (PIPL) went into effect on November 1, 2021, many organizations still wonder if they meet PIPL compliance.<\/p>\n<p>To provide details on many elements,\u00a0<strong>PIPL relies heavily upon further guidance and administrative regulations.<\/strong><\/p>\n<p>With serious sanctions that can be imposed if organizations do not comply, a massive effort is necessary for compliance with the main PIPL requirements by November.<\/p>\n<h2>Scope of the Chinese Personal Information Protection Law (PIPL)<\/h2>\n<p><a href=\"\/regulations\/china-pipl\/\">PIPL<\/a> applies to all personal data processed within the People\u2019s Republic of China if products or services are provided to people in China, their activities are assessed or analyzed, and where Chinese laws and regulations apply.<\/p>\n<p>The scope of the law is\u00a0<strong>comparable to the EU GDPR,<\/strong>\u00a0including a household exemption and no nationality requirement.<\/p>\n<p>Due to globalization and many businesses with operations in China,\u00a0<strong>understanding PIPL compliance is imperative for business in today\u2019s economy.<\/strong><\/p>\n<p>Need help understanding how PIPL fits into the bigger picture of China\u2019s data protection ecosystem? Get the full breakdown of how PIPL, the Data Security Law, and Cybersecurity Law work together in <a href=\"https:\/\/trustarc.com\/resource\/navigating-chinas-privacy-framework\/\" target=\"_blank\" rel=\"noopener\"><em>Navigating China\u2019s Privacy Framework<\/em><\/a>.<\/p>\n<h2>Important definitions to know for PIPL compliance<\/h2>\n<p>Contrary to many modern data protection laws, the PIPL does not include an extensive section of definitions.<\/p>\n<p>Some terms are defined in the relevant provisions, and some are featured in an official explanation included in article 73.<\/p>\n<p>The most important of these is the\u00a0<strong><i>Personal Information Handler<\/i><\/strong><strong>\u00a0or the organization or individual that autonomously decides on the handling purposes of personal data<\/strong>, like that of the Data Controller (GDPR, LGPD) or the Business (CCPA).<\/p>\n<h3>PIPL Article 4 includes two key definitions<\/h3>\n<p><i>Personal data handling<\/i>\u00a0is the terminology used in the PIPL for the processing of personal data, which includes anything from collection to deletion.<\/p>\n<p><i>Personal data<\/i>, which refers to all information, electronic or not, that relates to an identified or identifiable natural person.\u00a0<strong>Anonymous data is explicitly excluded<\/strong>.<\/p>\n<p>A processor or service provider is known under the PIPL as an\u00a0<i>entrusted person<\/i>\u00a0(article 21).<\/p>\n<h2>Personal data processing<\/h2>\n<p>The handling or processing of personal data is bound to a series of principles, which include legality, propriety, necessity and sincerity, as well as purpose limitation, data minimization, data quality, and accountability.<\/p>\n<p><strong>Transparency<\/strong>\u00a0is a key element of the law, requiring organizations to provide notice to individuals when processing their data with details on how personal data is processed and which\u00a0<i>personal information handling rules\u00a0<\/i>(such as standard operating procedures) apply.<\/p>\n<p>The legal basis to process personal data are also inspired by those found in other laws, ranging from consent, necessity to conclude or fulfill a contract (including HR), compliance with legal requirements, and urgent medical needs.<\/p>\n<p><strong>Data can also be processed in these situations:<\/strong><\/p>\n<ul>\n<li>To secure the property of an individual in case of emergencies<\/li>\n<li>For news reporting and similar activities in the public interest<\/li>\n<li>When the information has already been made public in a lawful way, either by the individual or a third party<\/li>\n<\/ul>\n<h3>Consent and data processing<\/h3>\n<p>If an organization relies upon consent, it needs to be freely given with an explicit statement, based on full knowledge of the processing operation.<\/p>\n<p>Consent can be withdrawn and needs to be validated if anything changes in the processing operation.<\/p>\n<p><strong>There are specific requirements for all\u00a0<i>important Internet platform services\u00a0<\/i><\/strong><strong>(think of major tech companies).<\/strong><\/p>\n<p>They will for example need to create a compliance infrastructure in line with forthcoming State regulations, establish their own independent supervision body, and clarify the standards for intra-platform data handling.<\/p>\n<p>Curious how China\u2019s consent requirements stack up to other frameworks like GDPR? Explore consent, legal bases, and cross-border transfer rules in <a href=\"https:\/\/trustarc.com\/resource\/navigating-chinas-privacy-framework\/\" target=\"_blank\" rel=\"noopener\"><em>Navigating China\u2019s Privacy Framework<\/em><\/a>.<\/p>\n<h2>Three PIPL compliance friendly methods for international transfers<\/h2>\n<p>Personal data covered by the law should only be processed in China.<\/p>\n<p>Processing personal data in another country where\u00a0<i>truly needed<\/i>\u00a0 is permitted under one of three conditions, each governed by the State Cybersecurity and Informatization Department:<\/p>\n<ul>\n<li>Passing a security assessment;<\/li>\n<li>Obtaining a certification by a specialized body; or<\/li>\n<li>Under an approved standardized contract.<\/li>\n<\/ul>\n<p>Large\u00a0<i>information infrastructure operators<\/i><strong>\u00a0reaching a certain amount of personal data being processed<\/strong>\u00a0(yet to be determined)\u00a0<strong>can only qualify under the security assessment element<\/strong>.<\/p>\n<p>Once these mechanisms are available \u2013 there are no indications of a timeline so far \u2013 the foreign receiving party will need to meet the PIPL standards.<\/p>\n<p>Interestingly, the law also includes that any discriminatory provisions or limitations against China by other countries may be reciprocated.<\/p>\n<p><strong>Planning data transfers from China?<\/strong> Understand your options for security assessments, certifications, and standard contracts in <em><a href=\"https:\/\/trustarc.com\/resource\/navigating-chinas-privacy-framework\/\" target=\"_blank\" rel=\"noopener\">Navigating China\u2019s Privacy Framework<\/a><\/em>, including detailed guidance on China\u2019s cross-border rules.<\/p>\n<h2>Data breaches<\/h2>\n<p>A general data breach notification to authorities and individuals is effective in China as of 1 September 2021, under article 29 of the\u00a0<a href=\"https:\/\/digichina.stanford.edu\/news\/translation-data-security-law-peoples-republic-china\" target=\"_blank\" rel=\"noopener\">Chinese Data Security Law<\/a>.<\/p>\n<p>This provision is further supplemented by article 57 PIPL, which stipulates that\u00a0<strong>the notification needs to include:<\/strong><\/p>\n<ul>\n<li>The information categories, causes, and possible harm caused by the (suspected) breach;<\/li>\n<li>Measures taken by the organization to mitigate these risks, and what measures individuals could take themselves; and<\/li>\n<li>How to contact the organization.<\/li>\n<\/ul>\n<p>Individuals need not to be notified if sufficient measures were taken to prevent harm to individuals.<\/p>\n<h2>Individual rights<\/h2>\n<p>The PIPL provides individual rights such as access, correction and deletion. Furthermore, the law allows for restriction of data processing if deletion is not possible or technically hard to realize.<\/p>\n<p>Other rights under PIPL include a right to know (understand the data processing operations), a right to decide (individual control over processing operations), and a right to limit or refuse data processing,\u00a0<strong>unless it is mandatory under law<\/strong>.<\/p>\n<p>Organizations are required to provide an answer to the individual \u201cin a timely manner\u201d, and if denied, the organization must explain why.<\/p>\n<h2>Accountability<\/h2>\n<p>Accountability plays an important role in the PIPL.<\/p>\n<p><strong>Article 9 includes the basic requirement for organizations to \u201cbear responsibility for their personal information handling activities\u201d.\u00a0<\/strong>This is further explained in Article 51.<\/p>\n<p>Organizations are required to formulate internal management structures and operating rules, to implement categorized management of personal information ( e.g., a register of processing activities), adopt appropriate technical security measures and more.<\/p>\n<p>Furthermore, individuals have the right to request organizations to explain their\u00a0<i>personal information handling rules<\/i>.<\/p>\n<p>The\u00a0<strong>appointment of a DPO will only be mandatory for large organizations<\/strong>, to be defined at a later date.<\/p>\n<p>However, similar to GDPR,\u00a0<strong>organizations without a physical presence in China must appoint a representative<\/strong>\u00a0registered with the Chinese authorities.<\/p>\n<h2>Enforcement<\/h2>\n<p>It is not yet sure which authorities will enforce the PIPL.\u00a0<strong>It is clear that serious sanctions can be imposed for violations of the law<\/strong>.<\/p>\n<p>These could include compliance orders, processing bans, confiscation of unlawful income, and fines of up to 1 million Yuan (~$155,000).<\/p>\n<p>Additionally,\u00a0<strong>persons in charge and\/or directly responsible for the processing operation<\/strong>\u00a0can receive a personal fine between 10,000 and 100,000 Yuan.<\/p>\n<p>For grave violations, the maximum fine for the organization is up to 50 million Yuan (~$7,7 million) or 5% of annual revenue.<\/p>\n<p>The individual sanction would go up to between 100,000 and 1 million Yuan, and could include a prohibition to hold a number of professional positions for a certain period.<\/p>\n<p>Individuals whose data is wrongfully processed have a right to compensation.<\/p>\n<p>In case a large number of individuals is involved, the People\u2019s Procuratorates (comparable to the Public Prosecution Service) can also file a lawsuit against the organization.<\/p>\n<p>The stakes for non-compliance are high. Stay ahead of enforcement risks and explore China\u2019s full regulatory enforcement landscape in <em><a href=\"https:\/\/trustarc.com\/resource\/navigating-chinas-privacy-framework\/\" target=\"_blank\" rel=\"noopener\">Navigating China\u2019s Privacy Framework<\/a><\/em>.<\/p>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/compliance\/\" class=\"badge\">Compliance<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>Although the Chinese Personal Information Protection Law (PIPL) went into effect in 2021 many organizations are still wondering if they meet PIPL compliance. Here&#8217;s what you need to know.<\/p>\n","protected":false},"featured_media":1694,"template":"","topic-resource":[61],"type-resource":[6],"class_list":["post-2875","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-compliance","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Getting Started with PIPL Compliance | TrustArc<\/title>\n<meta name=\"description\" content=\"Although the Chinese Personal Information Protection Law (PIPL) went into effect in 2021 many organizations are still wondering if they meet PIPL compliance. Here&#039;s what you need to know.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/getting-started-pipl-compliance\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/getting-started-pipl-compliance\\\/\",\"name\":\"Getting Started with PIPL Compliance | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/getting-started-pipl-compliance\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/getting-started-pipl-compliance\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-pink.png\",\"datePublished\":\"2021-08-25T16:09:00+00:00\",\"dateModified\":\"2025-05-13T16:12:38+00:00\",\"description\":\"Although the Chinese Personal Information Protection Law (PIPL) went into effect in 2021 many organizations are still wondering if they meet PIPL compliance. Here's what you need to know.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/getting-started-pipl-compliance\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/getting-started-pipl-compliance\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-pink.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-pink.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Getting Started with PIPL Compliance | TrustArc","description":"Although the Chinese Personal Information Protection Law (PIPL) went into effect in 2021 many organizations are still wondering if they meet PIPL compliance. Here's what you need to know.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/","url":"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/","name":"Getting Started with PIPL Compliance | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-pink.png","datePublished":"2021-08-25T16:09:00+00:00","dateModified":"2025-05-13T16:12:38+00:00","description":"Although the Chinese Personal Information Protection Law (PIPL) went into effect in 2021 many organizations are still wondering if they meet PIPL compliance. Here's what you need to know.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/getting-started-pipl-compliance\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-pink.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-pink.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1694"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2875"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2875"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}