On 1 November 2025, the national standard GB/T 45574-2025 Information Security Technology—Security Requirements for Processing Sensitive Personal Information enters into force, requiring full compliance with its provisions for processing sensitive personal information. The standard defines sensitive personal information as data that, if misused or leaked, may compromise an individual’s dignity, safety, or property, including biometric, medical, financial, and location data. It sets out requirements for lawful collection, separate consent, explicit notification, encryption, access control, and de-identification, with additional rules for biometric data, minors, and cross-border transfers. Processors must conduct impact assessments, retain audit logs, and comply with related standards such as GB/T 35273, GB/T 40660, and GB/T 37988. Technical measures include field-level access control, encryption, and watermarking. Separate consent is mandatory for biometric, religious, and medical data. For minors under 14, the standard requires guardian verification and restricted access. Cross-border transfers must follow regulatory procedures. Processors handling sensitive personal data of over 100,000 individuals must appoint a data protection officer.