

China’s National Standard on Information Security Technology – Personal Information Security Specification came into force on May 1, 2018, changing the way many businesses manage, collect, and store data.

Personal information

Information, recorded electronically or otherwise, that can be used separately or in combination with other information to identify a particular natural person or to reflect a person’s activities.

Personal Information includes a person’s name, date of birth, ID number, personal biometric information, address, contact means, content of communication, account number and password, property information, credit information, whereabouts, residence, health and transaction information.

The Personal Information Specification also recognizes the category of “Personal Sensitive Information”: any information which, if unlawfully disclosed, may endanger a person’s physical and mental wellbeing, their reputation and/or their property, or lead to discrimination. This category of data is subject to tighter restrictions on collection and processing.

Sensitive data

PI that, once leaked, illegally provided, or abused, can threaten personal and property security and/or easily cause personal reputational damage, physical and mental health damage, or discrimination.

Personal sensitive information includes identity card numbers, biometric information, bank account numbers, communication records and contents, property information, credit information, location data, accommodation information, health and physiological information, transaction data, and the PI of children 14 years of age or under.

The Personal Information National Standards further clarify the rights of personal information subjects, including the following:

Right to access

Personal information subjects shall have the right to access their personal information controlled by a personal information controller and obtain confirmation from the personal information controller where and for what purpose their personal information is being processed.

Right to rectification

When personal information subjects find that their personal information held by a personal information controller is incorrect or incomplete, they may request that the controller either rectify the personal information or provide the means for the subject to rectify it themselves.

Right to erasure (also known as the “right to be forgotten”)

Personal information subjects have the right to request that the personal information controller erase their personal information, cease further dissemination of it, and have third parties halt processing of it, where the controller terminates its services or products, or where the controller’s processing of the personal information violates applicable laws and administrative regulations or exceeds the scope agreed with the personal information subject.

Right to obtain a copy (data portability)

Upon the request of a personal information subject, the personal information controller is required to provide the subject with a copy of the following personal information or, at the subject’s request, transmit such a copy to a third party where this is technically feasible:

Personal basic information and personal identity information

Personal health and physiological information and personal education information.

Personal information controllers should have internal policies in place to handle requests made by personal information subjects exercising these rights.

Privacy Policy Requirements

Requirements for PI controllers include:

a) PI controllers should establish privacy policies with contents including but not limited to:

  • the basic information of the PI controller, including the registered name and address, the usual place of business, the contact details of a person in charge, etc.;
  • the purposes of the collection and use of PI, and the business functions covered by each purpose. For example, using PI to deliver commercial advertisements, or using PI to form direct user profiles, etc.;
  • the PI collected respectively by each business function, the processing rules such as the manner and frequency of the PI collection, the storage location and the storage time limit, and the actual scope of the collection of PI;
  • the purposes of sharing, transfer, and public disclosure of the PI, the types of the involved PI, the type of the third-party recipient, and the corresponding legal responsibilities;
  • the basic principles followed for PI security, the data security capabilities, and the PI security measures taken;
  • PI subjects’ rights and mechanisms to use them, such as the methods to access, correct, or delete data; to deactivate the account, to withdraw consent; to obtain a copy of the data; to restrain automated decision-making by the information system; etc.;
  • the potential security risks after the provision of the PI, and the potential impact of not providing the PI;
  • the channels and mechanism to handle requests and complaints by PI subjects, and the external organizations and contact details for dispute resolution.

b) The information in the privacy policy should be true, accurate, and complete;

c) The contents of the privacy policy should be clear and intelligible, follow common language usage, and use standardized numbers, graphical forms, etc. Ambiguous language should be avoided, and a summary should be provided at the beginning to briefly lay out the key contents.

d) The privacy policy should be public and easy to access. For example, hyperlinks are provided in conspicuous places such as the main webpage, the installation page of mobile apps, the homepage of social media, etc.

e) The privacy policy shall be delivered to each PI subject. When the cost may become excessive or there is significant difficulty, it may be publicized in the form of public announcement.

f) Whenever any changes occur to the items listed in section a) above, the privacy policy should be updated promptly and a notification should be sent to the PI subject.

Personal Information Access Control Measures

Requirements for PI controllers include:

a) Internal data operations personnel authorized to access PI should, according to the principle of minimum authorization, only be able to access the minimum amount of PI necessary and have the minimum data operation privileges necessary to carry out their duties.

b) Set up internal approval processes for important PI operations such as batch modification, copying, download, etc.

c) Security managers, data operators, and auditors should be set up as separate personnel roles;

d) If it is truly necessary for work requirements to authorize specific personnel to exceed their privileges to process PI, the person responsible for PI protection or the PI protection work organization should conduct assessment and approval and make a record.

e) For access to, modification of, or other action on personal sensitive information, operational authorization should be triggered by business-process requirements on top of role-based privilege control. For example, personnel handling user complaints should be able to access a given customer’s relevant information only while they are processing that customer’s complaint.
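The five measures above describe a control design that can be expressed directly in code: minimum privileges per role, separate security-manager, data-operator and auditor roles, an approval and a record for batch operations and privilege exceptions, and access to sensitive PI gated by an active business process such as an open complaint. The following Python model is an added illustration written for this page; it is not code from Relentless or from the Specification, and the role names, field names, customer ids and justification text are constructed assumptions.

```python
"""Toy authorization model for the PI access-control measures (a) to (e).

Constructed illustration, not code from Relentless or the Specification.
"""
from dataclasses import dataclass, field

# Field names are assumptions; the categories follow the Specification's
# list of personal sensitive information.
SENSITIVE_FIELDS = {"id_card_number", "bank_account", "location", "health"}
# Operations that measure (b) says need an internal approval process.
BATCH_ACTIONS = {"batch_modify", "copy", "download"}
# Minimum privileges per role (a); three separate personnel roles (c).
ROLE_PRIVILEGES = {
    "data_operator": {"read", "modify"},
    "security_manager": {"approve_batch", "grant_exception"},
    "auditor": {"read_audit_log"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessController:
    roles: dict = field(default_factory=dict)            # user -> role
    open_complaints: dict = field(default_factory=dict)  # user -> {customer_id}
    batch_approvals: set = field(default_factory=set)    # (user, action)
    exceptions: set = field(default_factory=set)         # (user, privilege)
    audit_log: list = field(default_factory=list)

    def assign_role(self, user, role):
        # Separation of duties (c): one person holds exactly one role.
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {role}")
        if self.roles.get(user, role) != role:
            raise ValueError(f"{user} already holds role {self.roles[user]}")
        self.roles[user] = role

    def open_complaint(self, user, customer_id):
        # Business-process trigger (e): a complaint the operator is handling.
        self.open_complaints.setdefault(user, set()).add(customer_id)

    def close_complaint(self, user, customer_id):
        self.open_complaints.get(user, set()).discard(customer_id)

    def approve_batch(self, manager, user, action):
        # One-time approval of a batch operation (b), recorded in the audit log.
        self._require(manager, "approve_batch")
        self.batch_approvals.add((user, action))
        self.audit_log.append(("batch_approved", manager, user, action))

    def grant_exception(self, manager, user, privilege, justification):
        # Over-privilege only after assessment, approval and a record (d).
        self._require(manager, "grant_exception")
        self.exceptions.add((user, privilege))
        self.audit_log.append(("exception", manager, user, privilege, justification))

    def _require(self, user, privilege):
        if privilege not in ROLE_PRIVILEGES.get(self.roles.get(user), set()):
            raise PermissionError(f"{user} lacks privilege {privilege}")

    def authorize(self, user, action, customer_id=None, fields=()):
        """Evaluate one access request and record the decision."""
        role = self.roles.get(user)
        if role is None:
            return self._record(user, action, customer_id, False, "no role assigned")
        if action in BATCH_ACTIONS and (user, action) not in self.batch_approvals:
            return self._record(user, action, customer_id, False,
                                "batch operation needs internal approval")
        if (action not in BATCH_ACTIONS and action not in ROLE_PRIVILEGES[role]
                and (user, action) not in self.exceptions):
            return self._record(user, action, customer_id, False, "exceeds role privileges")
        if SENSITIVE_FIELDS & set(fields) and customer_id not in self.open_complaints.get(user, set()):
            return self._record(user, action, customer_id, False,
                                "no active business process for this customer")
        if action in BATCH_ACTIONS:
            self.batch_approvals.discard((user, action))  # approval is single-use
        return self._record(user, action, customer_id, True, "allowed")

    def _record(self, user, action, customer_id, allowed, reason):
        self.audit_log.append(("access", user, action, customer_id, allowed, reason))
        return Decision(allowed, reason)


def demo():
    """Constructed walk-through; returns the decision reasons as a dict."""
    ac = AccessController()
    for user, role in (("alice", "data_operator"), ("bob", "security_manager"), ("carol", "auditor")):
        ac.assign_role(user, role)
    out = {}
    try:
        ac.assign_role("carol", "data_operator")
        out["dual_role"] = "allowed"
    except ValueError:
        out["dual_role"] = "blocked"
    out["sensitive_no_ticket"] = ac.authorize("alice", "read", "c-1001", ["id_card_number"]).reason
    ac.open_complaint("alice", "c-1001")
    out["sensitive_with_ticket"] = ac.authorize("alice", "read", "c-1001", ["id_card_number"]).reason
    ac.close_complaint("alice", "c-1001")
    out["sensitive_after_close"] = ac.authorize("alice", "read", "c-1001", ["id_card_number"]).reason
    out["batch_unapproved"] = ac.authorize("alice", "download", fields=["name"]).reason
    ac.approve_batch("bob", "alice", "download")
    out["batch_approved"] = ac.authorize("alice", "download", fields=["name"]).reason
    out["batch_reused"] = ac.authorize("alice", "download", fields=["name"]).reason
    out["auditor_modify"] = ac.authorize("carol", "modify", fields=["name"]).reason
    ac.grant_exception("bob", "carol", "modify", "assessed and approved; ticket id is a placeholder")
    out["auditor_modify_exception"] = ac.authorize("carol", "modify", fields=["name"]).reason
    out["audit_entries"] = len(ac.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every decision, approval and exception lands in `audit_log`, which is what the separate auditor role consumes; in a real deployment the log would be append-only and stored outside the operators' reach, and the complaint check would query the ticketing system rather than an in-memory set.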

Companies that violate the CSL can face fines of between 50,000 and 500,000 RMB (7,500 – 75,000 USD), the required shutdown of the company website, and revocation of business licenses or permits. Personnel directly in charge can receive individual fines of between 10,000 and 100,000 RMB (1,500 – 15,000 USD). Network operators are subject to imprisonment of 5 to 15 days for violating certain provisions. These monetary fines are significantly smaller than those of the GDPR, though the GDPR does not invoke imprisonment or penalties on individuals.

Relentless: Your CNS Partner of Choice

Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity services to companies of all sizes.


Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.


We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.

With a tailor-made approach, we work with our clients in executing each project to their specific need and help maximize the long-term business value of their compliance and privacy assurance strategies ensuring their global operations remain within the law.

Relentless CNSDPA Service: What's Included?

Our China National Standard Service Includes the Following

  • CNS Assessment
  • Dedicated DPO
  • Unlimited Support Calls
  • Unlimited Email Support
  • Data Mapping
  • Record of Processing Activities
  • Subject Access Request Service
  • Data Risk Assessments
  • Data Breach Support
  • Data Protection Policy Writing
  • CNS Framework Design
  • CNS Privacy Maturity Gap Analysis and Remediation Report


At Relentless we have helped companies from startups to PLCs. Our services are rich, comprehensive, and built for every budget.

Call Us

+44 (0) 121 582 0192

Reach Us

Colmore House, Queensway, Birmingham B4 6AT

Open Hours

Mon-Fri 08:00 - 18:00
