On 18 July 2025, the Cyberspace Administration of China (CAC) introduced a centralised online system for reporting the appointment of a Personal Information Protection Officer (PIPO). Organisations that had already met the threshold of processing personal data of over one million individuals before this date must submit their PIPO details by 29 August 2025 to comply with national requirements. 

Who must report and by when 

Based on Article 52 of the Personal Information Protection Law (PIPL) and Article 12 of the Measures for the Administration of Personal Information Protection Compliance Audits, the CAC’s notice of 18 July 2025 defines the required steps for organisations, both domestic and overseas, that process the personal data of more than one million individuals (including data from users, employees, customers, or any other data subjects) to register their designated Personal Information Protection Officer (PIPO).

Organisations that crossed the one-million threshold before 18 July 2025 should submit the details of their PIPO before 29 August 2025. Those that meet the threshold after 18 July 2025, or experience material changes (such as a new PIPO or updated contact information), must submit updated details within 30 working days of the triggering event. Reporting must be completed through the CAC’s official online portal, the Personal Information Protection Business System (https://grxxbh.cacdtsc.cn – only accessible from inside China).

What needs to be submitted 

Organisations must prepare a comprehensive submission package using CAC-issued templates, which should be stamped with the company seal and uploaded through the system. The required documents include basic business and identity verification materials, and official statements confirming the internal designation of the PIPO and the authenticity of submitted data. 

The core materials include: 

  • The Personal Information Handler Basic Information Form, detailing the organisation’s legal representative, governance structure, and reporting agent. If reporting on behalf of a group or across multiple business units, all relevant entities must be listed with their licence codes. 

  • The PIPO Information Form, which requires detailed inputs on the PIPO’s identity, role, and responsibilities, as well as organisational data such as headcount, types of personal data processed, and the volume of children’s data, including data of individuals under 14. 

  • System-specific disclosures for each app or business platform that handles personal information, including the number of monthly active users (MAU), associated domains and IP addresses, and types of personal data involved. If a separate PIPO has been assigned to oversee privacy matters for a specific business unit, system, or platform, their information should also be provided. Where no such system-level PIPO roles exist, these sections of the template may be left blank.  

All data categories reported should follow the national classification standard GB/T 43697-2024. Additional materials such as the company’s business licence, identity documents for the PIPO and legal representative, the appointment letter, agent authorisation letter, and a signed letter of undertaking must also be included to complete the process. 

How to prepare 

To meet the upcoming deadline and avoid delays, organisations should immediately assess whether they fall within the reporting scope and begin gathering materials. Internal coordination between privacy, legal, and administrative teams is essential, particularly to confirm the appointment of a qualified PIPO and to ensure all forms are completed accurately. 

Organisations should also verify that required templates are sourced directly from the CAC system and ensure that each document is properly stamped and signed. System-specific data—such as MAU, data categories, and privacy team details—must be prepared in line with the system requirements. If the organisation is relying on a local agent to submit the report, authorisation must be formally documented and submitted along with the agent’s identity verification. 

Given the complexity of the submission and the risk of rejection for incomplete or inconsistent documents, early preparation is strongly recommended. Submitting ahead of the deadline allows sufficient time to correct any issues flagged during system validation or regulator review.  

Looking ahead 

The PIPO reporting requirement reflects China’s increased focus on proactive privacy oversight and individual responsibility. With limited time before the deadline and extensive documentation requirements, companies should begin preparations as early as possible. The entire submission process must be completed through a Chinese-language online portal, which may present additional challenges for multinational organisations. This is especially relevant for firms that lack internal Chinese-speaking resources or familiarity with the CAC’s reporting system. 

HewardMills assists organisations in navigating China’s evolving regulatory environment by providing end-to-end compliance support, including documentation review and bilingual submission assistance. Our team includes native Chinese speakers and local partners, enabling us to guide clients through Chinese-language systems and ensure alignment with both local and international privacy standards.