[China] GB/T 45574-2025 Data Security Technology — Security Requirements for Processing of Sensitive Personal Information
What
On 25 Apr 2025, the State Administration for Market Regulation (SAMR) and the Standardisation Administration of China (SAC) issued the “Security Requirements for Processing of Sensitive Personal Information”.
It will take effect from 1 Nov 2025.
Why
The Requirements state that they establish the identification and classification of sensitive personal information (SPI), and specify general and specific security requirements for SPI processing.
Key / interesting points
#1. Section 3 contains definitions for “PI”, “SPI”, “PI handler”, “PI subject”, “PI processing activities” and “separate consent”. The definitions mostly align with the PIPL and with GB/T 35273-2020’s PI Security Specification.
Section 4 describes how to identify and classify SPI, and this seems to be mostly similar to instructions on the same in TC260-PG-20244A’s Cybersecurity Standard Practice Guide - Guidelines for Identifying Sensitive Personal Information (v1.20-202409).
The same goes for Appendix A of the Requirements, which sets out SPI categories and descriptions, when compared to that in TC260-PG-20244A.
[In the circumstances I’d suggest that practitioners can refer to just the Requirements in future for guidance on identifying SPI, and there’s no need to refer to TC260-PG-20244A.]
#2. Sections 5 and 6 set out general and special security requirements respectively, for processing SPI. While one would expect a document titled “Security Requirements” to contain the usual technical, administrative, or physical security controls, the Requirements reiterate some of the PIPL’s requirements and then add more requirements, both general and granular, some of which would traditionally fall under domains other than security such as privacy and criminal law.
With the current US administration committed to deregulation and the European Commission considering deregulation and simplifying the GDPR to reduce burdens on businesses, will China (and other APAC countries like Vietnam) continue to, and can they afford to continue imposing hundreds of requirements on companies?
#3. PI Handlers must not use technical means to automatically collect SPI transmitted, stored, or displayed by webpages or mobile internet applications.
[Remember - individuals’ and vehicles’ continuous trajectory information constitute SPI.]
#4. SPI can only be collected during the period in which the PI subject is using the relevant business function.[1]
[This is vague and there’s no explanation of what issue it’s trying to address. On a very strict interpretation, you might not be able to collect SPI in advance but only at about the time it will be used.]
#5. Where there are multiple SPI processing activities, separate consent mechanisms must be provided according to the purpose of processing and business function.[2]
If a single item of SPI is used for multiple purposes or functions, consent must not be bundled.[3]
[I felt that the first requirement by itself was vague. But it makes a little sense at the practical level if I read it and the second requirement together - I would interpret them as saying that separate consent should be obtained per processing purpose and business function, and that it cannot be based on the piece of SPI involved.]
Where PI Handlers are required by law to obtain written consent for SPI processing, they can use the template in Appendix B.[4]
#6. Before processing SPI, PI Handlers must identify SPI and manage it by category in accordance with the Requirements, establish a catalog of SPI, and update it in a timely manner.[5]
[Your data inventory can probably be the “catalog”, though you’d need to ensure that all the information required by the Requirements is captured.]
#7. SPI that has been de-identified must be protected as general PI, excluding PI that has been anonymised.[6]
#8. PI Handlers must establish dedicated management systems and operational procedures for SPI, and an authorisation and approval process for SPI processing, including approvals for critical operations like internal and external sharing, public disclosure, batch querying, downloading etc.[7]
#9. PI Handlers must maintain records of the processing and handling of SPI. Logs must be kept for 3 years.
[This should be doable in relation to keeping a log of access to SPI and of the access controls granted. But if it means that PI Handlers must keep 3 years’ worth of different data inventory versions, this could be challenging. AFAIK updates to data inventories in software like OneTrust will overwrite the existing record - no new and separate record is created. I’m not sure if OneTrust logs all changes to data inventory records, but not as far as I know.
In comparison, if you use Excel, you can keep different versions of your data inventories over time.]
#10. De-identified SPI shall be stored separately from information that can be used to re-identify individuals.
[The Requirements do not say whether segregation should be done on a physical or logical basis, so I’d assume that the latter is fine so long as there are appropriate access controls.]
#11. When SPI is displayed in products or internal systems, de-identification shall be the default.
[I think this will be quite a challenging requirement to meet because it will require companies’ software vendors to modify their products. Even the biggest tech companies offering SaaS solutions to companies operating in China do not currently have all the functionalities required for compliance with China's laws.]
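To make #10 and #11 concrete, here is an added example of how the two requirements fit together in code. It is not from the Requirements or from any vendor product: the field names, the masking rules and the in-memory “vault” are my own assumptions, standing in for a separately hosted re-identification store with its own access controls. Direct identifiers are replaced by a random token, the token-to-identity mapping lives only in the vault, the working record carries irreversible masked values for default display, and a full reveal needs an authorised role and is logged.

```python
"""Added example (not from the standard): de-identified SPI kept apart from
the information needed to re-identify it, with de-identified display by default."""
import secrets
from typing import Any, Dict, Iterable, List, Tuple

# Assumed field names treated as direct identifiers and removed from the working store.
DIRECT_IDENTIFIERS = ("name", "id_number", "phone")

# Assumed display masking rules: what survives in the default (de-identified) view.
MASK_RULES = {
    "name": dict(keep_head=1),
    "id_number": dict(keep_tail=4),
    "phone": dict(keep_tail=4),
}


class ReidentificationVault:
    """Separate store for the token -> identifier mapping.

    Stands in for a separately hosted database or service (logical segregation
    with its own access controls): only listed roles can resolve a token, and
    every attempt, granted or denied, is appended to access_log."""

    def __init__(self, allowed_roles: Iterable[str]):
        self._mapping: Dict[str, Dict[str, str]] = {}
        self._allowed_roles = set(allowed_roles)
        self.access_log: List[Tuple[str, str, str, str]] = []  # (actor, role, token, outcome)

    def put(self, token: str, identifiers: Dict[str, str]) -> None:
        self._mapping[token] = dict(identifiers)

    def resolve(self, token: str, actor: str, role: str) -> Dict[str, str]:
        if role not in self._allowed_roles:
            self.access_log.append((actor, role, token, "denied"))
            raise PermissionError(f"{actor} ({role}) may not re-identify SPI")
        self.access_log.append((actor, role, token, "resolved"))
        return dict(self._mapping[token])


def mask(value: Any, keep_head: int = 0, keep_tail: int = 0) -> str:
    """Irreversible partial mask for display, e.g. 13812345678 -> *******5678."""
    s = str(value)
    if keep_head + keep_tail >= len(s):
        return "*" * len(s)
    return s[:keep_head] + "*" * (len(s) - keep_head - keep_tail) + s[len(s) - keep_tail:]


def deidentify(record: Dict[str, Any], vault: ReidentificationVault) -> Dict[str, Any]:
    """Split a raw SPI record into a working record (token, masked display values,
    remaining fields) and a vault entry holding the direct identifiers.

    Note that remaining fields such as a location trajectory are still SPI;
    de-identification only removes the direct identifiers."""
    token = secrets.token_hex(8)
    identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    vault.put(token, identifiers)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["token"] = token
    working["display"] = {k: mask(v, **MASK_RULES[k]) for k, v in identifiers.items()}
    return working


def render(working: Dict[str, Any], vault: ReidentificationVault,
           actor: str, role: str, reveal: bool = False) -> Dict[str, Any]:
    """Default view shows only the masked identifiers; reveal=True performs a
    logged, role-checked vault lookup and overlays the full values."""
    view = {k: v for k, v in working.items() if k != "display"}
    view.update(working["display"])
    if reveal:
        view.update(vault.resolve(working["token"], actor, role))
    return view


if __name__ == "__main__":
    # Constructed sample record (fictitious values).
    vault = ReidentificationVault(allowed_roles={"spi_approver"})
    raw = {"name": "Zhang San", "id_number": "110101199001011234",
           "phone": "13812345678", "trajectory": [(31.23, 121.47), (31.24, 121.48)]}
    working = deidentify(raw, vault)
    print("default view:", render(working, vault, "analyst", "analyst"))
    print("revealed view:", render(working, vault, "ops-lead", "spi_approver", reveal=True))
    print("vault log:", vault.access_log)
```

The point of keeping the masked values in the working record is that the default screen never needs to touch the vault at all; only the explicit reveal path does, which is also the path you would put the approval workflow and the #9 access log behind.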
#12. PI Handlers must conduct at least monthly security audits of SPI processing logs and user permissions.
[This will be quite burdensome if done manually, and I wonder if software that flags unusual events will satisfy this requirement.]
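As an added illustration of what an automated monthly audit under #12 could look like, here is a script that runs over SPI access log lines and the current permission list and flags the kinds of events the Requirements single out elsewhere (#8’s batch queries and downloads without approval, access outside granted permissions, and granted permissions that went unused). The log format, the permission list, the batch threshold and the off-hours window are all my own constructed assumptions, not anything prescribed by the Requirements.

```python
"""Added example (not from the standard): a monthly audit of SPI access logs and
user permissions that produces a list of findings for review."""
import re
from collections import Counter
from datetime import datetime
from typing import Any, Dict, List, Set, Tuple

# Constructed sample log, one line per SPI access; the format is an assumption.
SAMPLE_LOG = """\
2025-11-03T09:14:22 user=alice action=view category=medical_health count=1 approved=no
2025-11-03T02:41:07 user=bob action=view category=financial_account count=1 approved=no
2025-11-10T14:05:51 user=alice action=download category=financial_account count=5000 approved=no
2025-11-12T11:30:00 user=carol action=batch_query category=location_tracking count=2500 approved=yes
2025-11-20T16:45:13 user=dave action=view category=biometric count=1 approved=no
2025-12-01T10:00:00 user=bob action=view category=financial_account count=1 approved=no
"""

# Constructed current permission list: user -> SPI categories the user may access.
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"medical_health"},
    "bob": {"financial_account"},
    "carol": {"location_tracking"},
    "erin": {"biometric"},  # granted but never used this month
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"category=(?P<category>\S+) count=(?P<count>\d+) approved=(?P<approved>yes|no)$"
)
BATCH_ACTIONS = {"download", "batch_query"}
BATCH_THRESHOLD = 1000  # assumed record count above which an operation counts as batch
OFF_HOURS_START, OFF_HOURS_END = 22, 6  # assumed window, local time

Finding = Tuple[str, str, str]  # (kind, user, when)


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse log lines into events; an unparseable line is itself a problem, so fail loudly."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["count"] = int(event["count"])
        event["approved"] = event["approved"] == "yes"
        events.append(event)
    return events


def monthly_audit(events: List[Dict[str, Any]], permissions: Dict[str, Set[str]],
                  year: int, month: int) -> List[Finding]:
    """Return findings for one calendar month: access outside granted permissions,
    batch operations without recorded approval, off-hours access, and permissions
    that were granted but not exercised (candidates for removal)."""
    findings: List[Finding] = []
    active_users: Set[str] = set()
    for e in events:
        if (e["ts"].year, e["ts"].month) != (year, month):
            continue
        when = e["ts"].isoformat()
        active_users.add(e["user"])
        if e["category"] not in permissions.get(e["user"], set()):
            findings.append(("unauthorised_category", e["user"], when))
        if e["action"] in BATCH_ACTIONS and e["count"] >= BATCH_THRESHOLD and not e["approved"]:
            findings.append(("batch_without_approval", e["user"], when))
        if e["ts"].hour >= OFF_HOURS_START or e["ts"].hour < OFF_HOURS_END:
            findings.append(("off_hours", e["user"], when))
    for user in permissions:
        if user not in active_users:
            findings.append(("dormant_permission", user, f"{year}-{month:02d}"))
    return findings


def summarise(findings: List[Finding]) -> Counter:
    """Count findings by kind, for the audit report header."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = monthly_audit(parse_log(SAMPLE_LOG), PERMISSIONS, 2025, 11)
    print(dict(summarise(results)))
    for finding in results:
        print(*finding)
```

Whether a list like this satisfies the audit obligation is the author’s open question above; at minimum it gives the reviewer something concrete to sign off each month, and the dormant-permission findings are the “user permissions” half of #12 rather than only the log half.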
#13. Interfaces displaying SPI shall include watermarks containing the identity of the accessing subject and the access time. Where information is displayed on-screen, copying, printing, and screenshotting functions shall be disabled by default.
[Once again, companies will be highly dependent on vendors to implement these functionalities.]
#14. Article 52 of the PIPL says that PI Handlers who handle PI reaching prescribed quantities must appoint PI protection officers (PIPOs).
I was only aware of one such threshold - Article 12 of the PI Protection Compliance Audit Management Measures requires the appointment of a PIPO if the PI Handler processes >1m persons’ PI. The PIPO would be responsible for compliance audits.
Here, the (non-mandatory) Requirements require the appointment of a PIPO if >100k persons’ sensitive PI is processed.[8] The PIPO must have professional knowledge of PI protection and relevant management experience, and must be a member of the PI Handler’s management team.
[This raises the question whether a global or regional DPO, who is usually not part of local management, can be a PIPO. I would lean towards appointing a resident and employee of the local entity as the PIPO.]
#15. Section 6 contains special security requirements for processing specific categories of SPI: biometric, religious belief, specific identity, medical and health, financial account, location and tracking, minors under age 14, and other SPI.
There are some interesting requirements here, for example:
When collecting religious belief information, the relevant regulations of religious belief organisations must be followed.
[Err… so organisations need to do their own research on the requirements of various religions?]
In principle, religious belief information shall not be processed, except for PI processing activities conducted internally by religious organisations that have obtained the PI subject’s separate consent.
When processing location and tracking information, sensitive areas defined by competent state authorities must not be marked.
[So companies will need to regularly check with the authorities what the sensitive areas are.]
Reasonable measures shall be taken to verify the age of the PI subject and confirm whether the individual is under age 14. If the PI subject is verified to be under 14, reasonable measures should be taken to verify the identity of the guardian.
The strength of verification measures should be tailored to the target audience of different products or services. Verification of guardianship identity should adopt reasonable methods such as SMS verification, phone calls, video verification, email verification, written confirmation, or binding of real-name accounts.
Functions shall be provided for the guardian or the minor to easily copy, correct, supplement, or delete the minor’s PI.
The functions collecting minors’ PI and the differences between minors’ and adults’ modes in handling SPI shall be clearly indicated.
Original Chinese GB/T 45574-2025 Data Security Technology — Security Requirements for Processing of Sensitive Personal Information.
(Note: I could not find the document on TC260’s or SAMR’s websites, and this document is compiled from images posted on WeChat. Do note that it is missing Appendix B - I have not found any copies on WeChat that contains Appendix B.)
Machine-translated English version
[1] Section 5.3(b) of the Requirements.
[2] Section 5.4.2(c) of the Requirements.
[3] Section 5.4.2(d) of the Requirements.
[4] Section 5.4.2(b) of the Requirements.
[5] Section 5.5(a) of the Requirements.
[6] Section 5.5(b) of the Requirements.
[7] Section 5.5(c) and (d) of the Requirements.
[8] Section 5.5(y) of the Requirements.