What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing the processing. Appointing a DPO may be required by law or merely recommended.
The People’s Republic of China’s (PRC’s) Personal Information Protection Law (PIPL) requires controllers (such as employers processing employee data) to appoint a DPO only if the entity processes more than a certain threshold of personal data. While this threshold has yet to be officially determined, under the Draft Network Data Security Management Regulations, processors of important data, including those who process data of more than 1 million individuals, must designate a DPO.
When a DPO is required, the designated person will be responsible for supervising personal information processing activities and protective measures. The DPO’s contact details should be published and registered with the relevant regulator. Additionally, data controllers based outside of Mainland China but processing Chinese personal information are required to designate a specific organization or representative within China and report the representative’s contact details to the regulator.
Separately, the 2020 Specification includes the recommendation to appoint a specific institution and specific personnel to be responsible for the internal management of personal data protection when:
- the main business involves processing personal information and there are 200 or more employees;
- the business has processed personal data on more than 1 million individuals or is expecting to process data on more than 1 million individuals within 12 months; or,
- the business has processed personal sensitive information for over 100,000 individuals.