China: State Administration for Market Regulation and Standardisation Administration of China adopted national standard GB/T 45574-2025 on Information Security Technology—Security Requirements for Processing Sensitive Personal Information

On 25 April 2025, the State Administration for Market Regulation and the Standardization Administration of China adopted national standard GB/T 45574-2025, Information Security Technology—Security Requirements for Processing Sensitive Personal Information. The standard defines sensitive personal information as data that, if misused or leaked, may compromise an individual’s dignity, safety, or property, including biometric, medical, financial, and location data. It sets out requirements for lawful collection, separate consent, explicit notification, encryption, access control, and de-identification, with additional rules for biometric data, minors, and cross-border transfers. Processors must conduct impact assessments, retain audit logs, and comply with related standards such as GB/T 35273, GB/T 40660, and GB/T 37988. Technical measures include field-level access control, encryption, and watermarking. Separate consent is mandatory for biometric, religious, and medical data. For minors under 14, the standard requires guardian verification and restricted access. Cross-border transfers must follow regulatory procedures. Processors handling sensitive personal data of over 100'000 individuals must appoint a data protection officer.