On April 25, 2025, China’s National Technical Committee on Cybersecurity of the Standardization Administration of China (SAC/TC260) released the national recommended standard GB/T 45574-2025 Data security technology - Security requirements for processing of sensitive personal information (hereinafter referred to as the Standard). The Standard, taking effect on December 1, 2025, aims to guide and regulate personal information processors in identifying and handling sensitive personal information, thereby strengthening their personal information protection capabilities. It was developed by the China Electronics Standardization Institute (CESI) in collaboration with 30 other organizations.
Overview of the Standard
Aligning with the provisions in Section 2, Chapter II of China’s Personal Information Protection Law (PIPL), the Standard gives the definition and categories of sensitive personal information and specifies general and specialized security requirements for processing such data. It applies both to personal information processors handling sensitive data and to regulators and third-party assessors conducting compliance evaluations, supervision, or audits.
The key highlights of the Standard include:
Definition of Sensitive Personal Information
Personal data is classified as sensitive if its leakage or misuse could:
(1) Infringe human dignity,
(2) Endanger personal safety,
(3) Cause financial harm,
(4) Collectively impact individual rights when aggregated (if meeting the above criteria), or
(5) Be legally designated as sensitive under applicable regulations.
Category of Sensitive Personal Information
(1) Biometric Data: Processed physical, biological or behavioral characteristics that can identify an individual.
(2) Religious Beliefs: Affiliations and activities related to faith organizations.
(3) Identity Data: Information affecting personal dignity or social standing, particularly data that may lead to discrimination.
(4) Health Data: Medical treatment records and physical/mental health status.
(5) Financial Data: Bank/securities accounts and transaction records.
(6) Location Trajectories: Continuous movement patterns based on geographical positioning.
(7) Minors’ Data: All personal information of children under 14.
(8) Other High-Risk Data: Any other information whose leakage could endanger dignity, safety or property.
General Requirements for Personal Data Processing
(1) Core Rules
- Process only with specific purpose and explicit, separate consent (no bundled opt-ins).
- Minimize collection (essential data only; prefer non-sensitive alternatives).
- Ban hidden/deceptive collection and fully automated gathering.
(2) Security Measures
- Isolate storage from identifiable data.
- Track & control access (approvals, audits, updated inventory).
- Assess risks even for public sensitive data.
Specialized Requirements for Personal Data Processing
(1) Key Prohibitions
- Biometric Data: Cannot be the default option; requires explicit consent for disclosure; must be deleted after use.
- Religious/Identity Data: No collection without consent; strict ban on profiling or recommendations.
- Minors’ Data: Only collect if legally required; must publish dedicated processing rules.
(2) Critical Technical Requirements
- Health Data: De-identify using GB/T 37964; restrict access with approval workflows.
- Financial Data: Encrypt & dual pseudonymize (client + server); never store external credentials.
- Location Data: Provide real-time collection notices; exclude sensitive areas; minimize collection frequency.
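The storage-isolation, access-tracking and "dual pseudonymize (client + server)" requirements summarised above are easier to reason about in code. The following Python model is an added illustration, not text or code from the Standard or from the article's author. It assumes (my interpretation, not the Standard's wording) that dual pseudonymization means two chained keyed HMAC-SHA256 steps with independent client and server keys, so the server-side record store never sees the raw account number and a compromise of the server key alone does not link records back to accounts; the `FinancialRecordStore`, `ClientSide` and `demo` names, the forbidden-field list and the sample account number are all constructed for the example. Encryption at rest is deliberately left out because the Python standard library has no AEAD cipher; a real deployment would add one from a vetted library.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed list of field names that would amount to storing an external credential.
FORBIDDEN_FIELDS = {"password", "pin", "cvv"}


def pseudonymize(key: bytes, value: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, hex). A plain hash is not enough: account numbers
    have little entropy, so an unkeyed digest can be reversed by enumeration."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class ClientSide:
    """Client-side stage: holds its own key and forwards only the first-stage pseudonym."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def pseudonym(self, account_no: str) -> str:
        return pseudonymize(self._key, account_no)


class FinancialRecordStore:
    """Server-side stage. Transaction records are filed under a second-stage pseudonym
    and kept apart from any identity table; reads need an approved (user, purpose)
    pair and every attempt, allowed or not, is written to the audit log."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self.transactions: dict[str, list[dict]] = {}  # pseudonym -> records only
        self.approvals: set[tuple[str, str]] = set()   # approved (user, purpose) pairs
        self.audit_log: list[dict] = []
        self.inventory: set[str] = set()               # sensitive categories held

    def _stage2(self, client_pseudonym: str) -> str:
        return pseudonymize(self._key, client_pseudonym)

    def store(self, client_pseudonym: str, record: dict) -> str:
        bad = FORBIDDEN_FIELDS & {k.lower() for k in record}
        if bad:  # "never store external credentials"
            raise ValueError(f"refusing to store credential fields: {sorted(bad)}")
        p = self._stage2(client_pseudonym)
        self.transactions.setdefault(p, []).append(dict(record))
        self.inventory.add("financial")                # keep the data inventory current
        return p

    def approve(self, user: str, purpose: str) -> None:
        self.approvals.add((user, purpose))

    def read(self, user: str, purpose: str, client_pseudonym: str) -> list[dict]:
        p = self._stage2(client_pseudonym)
        allowed = (user, purpose) in self.approvals
        self.audit_log.append({"user": user, "purpose": purpose,
                               "pseudonym": p[:12], "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user!r} has no approval for {purpose!r}")
        return [dict(r) for r in self.transactions.get(p, [])]


def demo() -> dict:
    """Run the flow end to end on constructed data and return checkable facts."""
    client = ClientSide(secrets.token_bytes(32))
    store = FinancialRecordStore(secrets.token_bytes(32))
    account = "6222 0000 1111 2222"                    # constructed sample account number
    p1 = client.pseudonym(account)
    p2 = store.store(p1, {"amount": 120.50, "merchant": "bookshop"})

    try:
        store.store(p1, {"amount": 1.0, "cvv": "123"})  # external credential: refused
        credential_refused = False
    except ValueError:
        credential_refused = True

    try:
        store.read("analyst", "fraud-model", p1)       # no approval yet: denied, logged
        denied = False
    except PermissionError:
        denied = True

    store.approve("analyst", "fraud-model")
    records = store.read("analyst", "fraud-model", p1)

    return {
        "raw_id_absent": account not in repr(store.transactions),
        "stages_differ": p1 != p2 and len(p1) == len(p2) == 64,
        "credential_refused": credential_refused,
        "unapproved_read_denied": denied,
        "records_after_approval": len(records),
        "audit_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The two keys must live in different trust domains for the second stage to add anything; if the same party holds both, the chain collapses to a single keyed hash. Audit entries are written before the permission check so that denied reads are visible to reviewers as well.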
In conclusion, the Standard establishes China’s compliance benchmarks for sensitive personal information processing and gives foreign stakeholders clear operational guidelines for handling such data in China, helping them mitigate regulatory risk while maintaining market access.
Chinese source of the article: https://mp.weixin.qq.com/s/AF8-02Ty3gc3_P99DZsfBQ