The People's Bank of China issues the "Administrative Measures for Data Security in the Business Area of the People's Bank of China."
On May 9, the "Administrative Measures for Data Security Management in the Business Field of the People's Bank of China" was announced, having been deliberated and adopted at the 5th business meeting of the People's Bank of China on April 2, 2025. It will take effect on June 30, 2025.
The Measures state that business data security work follows the principle of "whoever manages the business manages the business data, and whoever manages the business data manages its security." The People's Bank of China is responsible for guiding and supervising business data security. Data processors shall fulfill their data security protection obligations, prevent risks such as tampering, destruction, leakage, illegal access and illegal use of business data, safeguard national security, the public interest and the legitimate rights and interests of individuals and organizations, respect social morality and ethics, abide by business and professional ethics, and ensure that business data flows freely and in an orderly manner in accordance with law. In accordance with relevant national regulations, business data is classified into general data, important data and core data.
The original text is as follows:
Administrative Measures for Data Security Management in the Business Field of the People's Bank of China
Chapter I General Provisions
Article 1
In order to regulate the security management of data in the business field of the People's Bank of China and promote development and utilization, these measures are formulated in accordance with the laws and regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the People's Bank of China Law of the People's Republic of China, and the Regulations on Cybersecurity Management.
Article 2
These measures shall apply to the activities related to the processing of data in the business field of the People's Bank of China within the territory of the People's Republic of China and their security supervision and management. If there are provisions by other relevant competent authorities, the provisions shall be complied with in accordance with the law.
The business field of the People's Bank of China referred to in these measures refers to the business area for which the People's Bank of China undertakes supervision and management responsibilities in accordance with laws and regulations and decisions of the Central Committee of the Communist Party of China and the State Council.
The data in the business field of the People's Bank of China referred to in these measures refers to the network data (hereinafter referred to as business data) that are generated and collected within the business field of the People's Bank of China and do not involve state secrets.
The data processor referred to in these measures refers to financial institutions and other institutions established or recognized with the approval of the People's Bank of China.
Article 3
Business data security work follows the principle of "whoever manages the business manages the business data, and whoever manages the business data manages its security." The People's Bank of China is responsible for guiding and supervising business data security. Data processors shall fulfill their data security protection obligations, prevent risks such as tampering, destruction, leakage, illegal access and illegal use of business data, safeguard national security, the public interest and the legitimate rights and interests of individuals and organizations, respect social morality and ethics, abide by business and professional ethics, and ensure that business data flows freely and in an orderly manner in accordance with law.
Article 4
Under the overall coordination of the national data security work coordination mechanism, the People's Bank of China and its branches shall carry out the supervision and management of business data security in accordance with these measures, and shall strengthen cooperation and communication with other relevant competent authorities in the supervision and management of data security.
Relevant financial industry associations shall strengthen self-discipline and formulate business data security behavior norms and industry standards in accordance with the law to guide their members to strengthen business data security protection.
Article 5
Data processors are encouraged to actively carry out innovative applications of business data security, promote efficient circulation and development of business data under the premise of security and compliance, and promote excellent innovative results within the industry.
Chapter II Classification and Grading of Business Data and General Requirements
Article 6
The People's Bank of China is responsible for formulating relevant norms and standards for the classification and grading protection of business data, guiding the classification and grading protection work of business data, compiling the directory of important data in the business field of the People's Bank of China, and implementing dynamic management.
Article 7
Data processors should establish and improve the system and procedures for the classification and grading of business data. The implementation of the classification and grading of business data should follow the system and procedures, and the results of the classification and grading should go through internal approval procedures.
Article 8
Data processors should establish a directory of business data resources and classify business data based on business relevance, sensitivity, and availability:
(1) Identify, for each data item, whether it is personal information, whether it is generated or collected externally, the list of information systems storing it, and the related business categories.
(2) Carry out sensitivity classification according to the degree of harm that leakage, illegal access or illegal use of the business data would cause to the legitimate rights and interests of individuals or organizations or to the public interest. Structured data items should be labeled for sensitivity one by one; unstructured data items should be labeled according to the highest sensitivity among the separable structured data items they contain. Sensitive personal information within the business field of the People's Bank of China, customer operating information that may involve trade secrets, and business information with strictly controlled disclosure boundaries should be identified as high-sensitivity data items.
(3) Determine the differentiated recovery point objectives of the information systems according to the impact that tampering with or destruction of the data would have on normal business operation, and treat these as the availability classification of business data.
Article 9
According to the relevant national regulations, business data is classified into general data, important data, and core data. Important data refers to data that, once tampered with, destroyed, leaked, illegally accessed, or illegally utilized, may directly endanger national security, economic operation, social stability, public health, and safety, within specific fields, specific groups, specific regions, or reaching a certain accuracy and scale. Core data refers to important data that, if illegally used or shared, may directly affect political security.
The People's Bank of China organizes the determination of the specific directory of important data in accordance with national regulations. Data processors should accurately identify and declare whether any of the business data stored by their organization constitutes important data or core data, and submit the corresponding content for the specific directory of important data.
The People's Bank of China compiles the specific directory of important data, determines the handlers of important data after approval by the national data security work coordination mechanism, and informs them of the corresponding important data.
Unless otherwise specified, the obligations to protect the important data listed in these measures shall apply to core data.
Article 10
Data processors should update the directory of business data resources at least once a year, accurately recording the data items stored in the information system and their related labels.
Article 11
Data processors shall effectively fulfill the responsibility of business data security protection, clearly define the responsibilities of internal departments related to business data security protection, equip data security professionals appropriate to the business scope and service scale, and detail the rewards and penalties for business data security protection.
Data processors providing products and services to the public should establish convenient channels for complaints and reports, promptly accept and handle complaints and reports related to business data security.
Data processors handling important data shall clearly define the security personnel and management organizations responsible for business data. The management organization shall effectively fulfill all responsibilities as specified by laws and administrative regulations. The security personnel for business data shall meet the conditions required by laws and administrative regulations and ensure that they can effectively fulfill the obligation of data security protection, and have the right to report the business data security situation directly to the People's Bank of China.
Article 12
Data processors shall establish a sound overall process business data security management system, combine business data classification and grading to specify differentiated security protection measures, formulate operational procedures for business data processing activities and internal approval authorization procedures related to business data security, and specify retention requirements for operational implementation and approval authorization records.
If different sensitive data items are processed in the same business data processing activity and it is difficult to adopt differentiated security protection measures, security measures corresponding to high-sensitive data items should be taken.
Article 13
Data processors shall formulate an annual business data security training plan based on job responsibilities, organize relevant education and training for personnel participating in business data processing activities each year. Training content should include institutional standards related to business data security, risk prevention knowledge, job responsibilities, protective measures, and emergency response requirements.
Chapter III Requirements for Comprehensive Business Data Security Management
Article 14
Data processors shall strictly manage the privileges of information system database administrators and of the various types of business processing accounts, and adjust permissions immediately when personnel changes occur. Data processors should sign confidentiality agreements with personnel who can use accounts that access high-sensitivity data items.
If data processors store core data, they should conduct security background checks on the security personnel for business data and on personnel in key positions who can use core data.
Article 15
Data processors collecting business data shall adopt the following security protection management measures:
(1) Except where the business data has been publicly disclosed by the individual or organization itself or is obtained by other lawful means, data processors shall obtain the consent of the individual or the authorization of the organization in accordance with laws, administrative regulations and the relevant regulations of the People's Bank of China when collecting business data, and shall fulfill the corresponding notification obligations.
(2) When indirectly collecting business data of individuals or organizations that has not been publicly disclosed, data processors should clearly specify in the contract or agreement the obligation of the data provider to ensure the legality and authenticity of the business data. If the data provider has not obtained the written consent of the individual or the written authorization of the organization, the data processor should also require the data provider to furnish the necessary evidentiary materials for the legality and authenticity of the business data source.
(3) For collecting business data through manual entry, necessary verification measures should be taken to ensure the accuracy of data entry, and original vouchers for collecting business data should be kept in accordance with relevant management requirements.
(4) In principle, original personal biometric information such as images should not be collected. If collection is necessary, unified management requirements for related scenarios should be established.
(5) Conduct collection and subsequent business data processing activities according to the processing purposes, methods, scope, and security protection obligations stipulated in contracts or agreements with the data provider.
Article 16
Data processors should specify the retention period of business data according to business needs. In principle, high-sensitive data items should not be stored in terminal devices and mobile media, and if storage is necessary, data processors should establish unified management requirements for related scenarios.
Article 17
In business data usage activities, data processors should not, in principle, export high-sensitivity data items, and data items used for identity verification should in principle be used only by way of verification. If it is necessary to export high-sensitivity data items or to use identity-verification data items in other ways, data processors should establish unified management requirements for the related scenarios.
Except for showing business data related to individuals upon request, or fulfilling legal obligations, data processors should implement desensitization before displaying high-sensitive data items. If it is necessary to display without desensitization, data processors should establish unified management requirements for related scenarios.
Article 18
Data processors should review whether the purpose of business data processing is consistent with the purpose agreed at collection. If business data is used for training, they should review the truthfulness, accuracy, objectivity and diversity of the training data; if business data is labeled, they should sample and review the reasonableness and accuracy of the labeling; if model evaluation and incentive rules are established, they should review whether those rules respect social morality and ethics and comply with business and professional ethics.
In business data processing activities, when data processors process high-sensitivity data items, they should further specify the security protection measures to be taken and follow internal approval procedures. If data items generated by processing are used to provide automated decision-making services to individuals, the processor should explain to those individuals, in an appropriate manner, the processing purposes, the types of personal information used and the processing rules.
Article 19
For new data items generated from business data processing activities, if their sensitivity is significantly lower than the data items used for processing, data processors may follow procedures to reduce their sensitive identification to promote compliance and utilization according to law.
For new data items generated from business data processing activities, if their sensitivity is significantly higher than the data items used for processing, data processors should increase their sensitive identification and strengthen business data security protection.
Article 20
In addition to transmitting business data related to individuals upon request, data processors should not use internet information services such as email, instant messaging, online file storage, or mobile media to transmit high-sensitive data items in principle. If necessary, data processors should establish unified management requirements for related scenarios.
Article 21
For business data supply activities necessary for business operations, data processors shall verify the identity of the data recipient and implement the following security protection measures:
(1) For business data activities involving personal information, evaluate whether the requirements of laws and regulations are met; for other business data activities, evaluate whether confidentiality agreements are complied with.
(2) When providing business data involving personal information or important data to other data processors, clearly specify in the contract or agreement each party's data security protection obligations, the necessary security measures to be taken, the purpose, method and scope of data provision, data retention time limits, restrictions on onward provision to third parties, obligations to notify of data security incidents, and supervision of the data recipient's performance of its contractual obligations.
(3) Comply with the agreed business data cleaning and conversion procedures, conduct the necessary review of data authenticity, and avoid misleading the data recipient.
(4) Except in cases of delegated processing, sensitive data items should not be provided to other data processors in unencrypted form, and data items used for identity verification should be provided only by way of verification. If it is necessary to provide sensitive data items in unencrypted form or to use identity-verification data items in other ways, data processors should establish unified management regulations for the related scenarios.
Article 22
Before providing, entrusting processing, or jointly processing important data to other data processors, an evaluation of risks should be conducted in accordance with laws, regulations, relevant requirements of the People's Bank of China, focusing on the legality and legitimacy of data processing purposes and methods by the data recipient, the reasonableness of the list of data items, potential security risks of data activities, the integrity and compliance of the data recipient, the completeness of the contract or agreement contents, and the security protection measures to be taken.
Except for fulfilling statutory duties or legal obligations, if a data processor is providing core data in a manner specified by the state, a risk assessment should be conducted through the national data security coordination mechanism established by the People's Bank of China before providing business data. Data processors should not evade these obligations through splitting or transformation methods.
If the processor of important data undergoes mergers, splits, dissolution, bankruptcy or other events that may affect the security of important data, they should report the handling plan of important data to the People's Bank of China or its provincial branches in advance in accordance with legal and regulatory requirements. The plan should include updates to the content of important data catalogs, the names or contact information of data recipients, etc.
Article 23
When data processors use privacy computing and other technologies to facilitate business data integration and innovative applications, they should adhere to the requirements of Articles 21(1) to 21(3) of these regulations. They should also ensure that outside entities, other than their own organization, cannot use unencrypted original data, and their activities should not disclose information beyond the agreed-upon scope in fusion and innovation applications with other data sources.
Article 24
If a data processor needs to provide data to entities outside the territory of the People's Republic of China for business reasons, they should strictly follow the relevant regulations of the Ministry of Cyberspace Administration of China. If there are requirements for onshore storage in laws, regulations, and relevant rules of the People's Bank of China, business data should also be stored within the territory of the People's Republic of China.
If a data processor needs to report data outflow security assessments, conduct protection certifications, etc., as stipulated by the Ministry of Cyberspace Administration of China, they should not evade related obligations by splitting or transformation methods.
Article 25
In accordance with relevant laws and regulations and rules of the People's Bank of China, the People's Bank of China will handle requests from foreign financial law enforcement agencies regarding the provision of business data based on international treaties or agreements in which the People's Republic of China is a signatory or participant, or based on principles of equality and reciprocity.
Article 26
Data processors must evaluate the purpose, data item list, channel, time frame, and de-identification process of business data public activities. They should analyze potential negative impacts, review the legality and authenticity of business data, and publicly disclose business data through official channels of the organization. If public disclosure is necessary through other channels, they should clearly specify the security protection measures to be used and follow internal approval procedures.
Data processors should not publicly disclose data items used for identity verification. Generally, high-sensitivity data items should be de-identified before public disclosure. If de-identification is not possible, data processors should establish unified management regulations for the related scenarios.
Article 27
Data processors should proactively delete business data in situations where the processing purpose has been achieved, the processing purpose cannot be achieved, the data is no longer necessary to achieve the purpose, or the agreed storage period has expired, in accordance with laws, regulations, and rules of the People's Bank of China.
If it is technically difficult to delete business data, data processors should cease business data processing activities beyond storage and take necessary security protection measures. They should also conduct annual reviews to confirm that the relevant business data cannot be used.
Article 28
In addition to fulfilling the requirements of Article 21(2) of these regulations, when entrusting the processing of business data, data processors should clearly specify in the contract or agreement the important matters that the entrusted party must report, the methods and time limits for transmitting and deleting business data after the entrusted processing is completed, the entrusted party's cooperation with the organization in supervising the entrusted processing activities, and the obligation to conduct regular evaluations of the entrusted party's performance. For entrusted processing activities involving core data, data processors should conduct due diligence on the entrusted party beforehand and further strengthen their supervision.
Data processors should incorporate entrusted processing activities of business data into their outsourcing management system for business or information technology, enhancing risk management.
If the People's Bank of China expressly prohibits outsourcing of certain business activities, business data related to those activities should not be entrusted for processing.
Chapter IV Technical Requirements for Business Data Security throughout the Process
Article 29
Data processors should strengthen access control, implement effective technical measures to control data usage permissions of business data processing accounts, specify the usage scenarios of privileged accounts, and enhance internal approval authorization when using privileged accounts for manual operations such as adding, deleting, or modifying business data. Prior approval and post-review should be conducted for each operation done with privileged accounts. Necessary checks should be conducted for the correctness and security of operations before using privileged accounts for automated operations.
Data processors should enhance security authentication to ensure the strength of authentication passwords for business data processing accounts and privileged accounts, and restrict the number of retries after authentication failures. Accounts that access sensitive data items should support multi-factor authentication or dual-authorization confirmation, with a re-verification mechanism for scenarios such as timeout logout and access from a changed communication address.
Article 30
Data processors should standardize log recording, clearly define the information about business data processing activities to be logged, and meet the needs of data security risk tracing and incident handling.
Sensitive data items in business data processing activity logs should, in principle, be desensitized. Where desensitization is not applied, data processors should establish unified management requirements for the related scenarios.
Data processors should classify and manage business data processing activity logs according to the level of business data, and implement security protection requirements.
Data processors should retain business data processing activity logs for at least six months; for business data processing activity logs related to important data storage information systems, they should be retained for at least one year; for business data processing activity logs related to core data storage information systems, they should be retained for at least three years.
Data processors should retain business data processing activity logs, including logs of handling personal information and important data, provided to or processed by other data processors, for at least three years.
Article 31
Data processors should prioritize collecting business data through direct input or interaction between information systems. When collecting business data through direct input, the identity of the input person should be verified; when collecting sensitive data items through interaction between information systems, the identity of the data provider should be verified.
Data processors should take technical measures such as cross-checking information to ensure the accuracy of collected business data.
When using automated tools to collect business data from other data processors, data processors should comply with their data collection control rules, not interfere with the normal operation of network services, and not infringe upon the legitimate operational rights of other institutions.
Article 32
Data processors should take the following security protection measures for business data storage activities:
(1) Effectively isolate the development testing environment from the production environment of information systems.
(2) Information systems storing important data should meet the requirements of Level 3 network security protection; information systems storing core data should meet the requirements of Level 4 network security protection or the requirements for protecting critical information infrastructure, and should prioritize the procurement of secure and trustworthy network products and services.
(3) In principle, sensitive data items should be stored in encrypted form. Where encryption is not applied, data processors should establish unified management requirements for the related scenarios. If the People's Bank of China has special requirements for the use of commercial cryptography to protect business data storage, those requirements should be followed.
(4) Timely evaluate and adjust the capacity of business data storage. In accordance with the system data recovery point objectives, establish redundant backups of business data in the production environment, and regularly verify the availability of redundant business data backups according to the requirements of the People's Bank of China. Evaluate whether backup technical measures have the ability to prevent both the production environment and redundant backup business data from being simultaneously tampered with, destroyed, etc., and strengthen security protection measures accordingly.
Article 33
Data processors should clarify desensitization strategies for sensitive data items, effectively reducing the risk that desensitized business data can still be linked to specific individuals or organizations.
Data processors should establish endpoint security control strategies, clearly defining security protection requirements. When displaying or printing business data, technical measures should be taken to identify the business processing account and usage time.
Except in cases where the business data security protection measures between development and production environments are completely consistent, when using production environment data items for development testing environments, internal approval procedures should be followed and desensitization should be implemented.
Article 34
Data processors should establish risk assessment and control strategies for business data processing algorithms, clearly defining preventive or mitigating measures, and alternative solutions for when the use of a processing algorithm for automated decision-making is ceased due to risks such as interpretability and vulnerability.
Article 35
Data processors should take the following security protection measures for business data transmission activities:
(1) Prioritize the use of dedicated lines, virtual private networks, and other technologies to strengthen the security protection of business data transmission.
(2) Establish access control and security isolation strategies, strengthen access control for relevant terminal devices.
(3) In principle, sensitive data items should be encrypted when transmitted to other data processors, to other data centers, or over the internet. Where encryption is not applied, data processors should establish unified management requirements for the related scenarios. If the People's Bank of China has special requirements for the use of commercial cryptography to protect business data transmission, those requirements should be followed.
(4) Timely evaluate and adjust the transmission capacity of communication lines, strengthen redundant backups of communication lines and related hardware and software devices.
Article 36
Data processors should dynamically maintain a list of the front-end gateways and application programming interfaces through which their organization provides business data, conduct security testing before deploying changes to those gateways and interfaces, and immediately take remedial measures if risks are identified.
When using privacy computing and other technologies to provide business data, data processors should establish technical risk assessment and control strategies and clearly define measures to address risks such as security verification and unacceptable performance.
Article 37
Data processors should establish control rules for whether automated tools are allowed to collect publicly disclosed business data, and take the necessary technical measures to ensure that publicly disclosed business data is not tampered with.
Article 38
Data processors should clarify the strategy for destroying business data storage media, standardize the implementation method, and supervise the process.
Chapter V Business Data Security Risk and Incident Management
Article 39
Data processors should strengthen the monitoring of risks in business data processing activities, effectively identify the following risks, and immediately take remedial measures:
(1) Information that is prohibited from being published or transmitted by laws and regulations.
(2) The presence of malicious programs such as computer viruses, trojans and ransomware, as well as data security vulnerabilities, weak authentication passwords, and the like.
(3) Failure of security protection measures for sensitive data items.
(4) Abnormal business data processing activities.
(5) Insufficient capacity for business data transmission or storage.
Article 40 Data processors should strengthen the monitoring of risks such as business data leakage, illegal sale of business data, impersonation of the organization to handle business data, and other negative public opinion relating to the organization's business data security. When related risks are identified, they should be immediately verified and addressed.
When the People's Bank of China and its branches report data security flaws, vulnerabilities, and other risks related to business data, data processors should immediately verify and handle them, and provide timely and accurate feedback according to the reporting requirements.
Article 41
Data processors are encouraged to provide business data security risk intelligence that has industry sharing value to the People's Bank of China and its branches.
Article 42
Important data processors shall conduct a risk assessment of business data annually, either on their own or through a third-party evaluation agency, and submit the previous year's risk assessment report to the People's Bank of China or to the provincial branch of the People's Bank of China at their domicile before January 15 each year. In addition to the content that laws and regulations require to be assessed, the risk assessment report should also cover personnel training and day-to-day management of the information systems that store important data, implementation of job responsibilities related to business data, network security classified protection evaluation and rectification, execution of protection measures, risk monitoring and incident handling in the current year, as well as any other assessment content required by the People's Bank of China.
Article 43 Data processors should classify the level of business data security incidents according to the relevant event classification requirements of the national network security emergency plan, considering the scope and severity of the impact:
(1) The criteria for the classification of events involving tampering or destruction of business data should consider factors such as the target of information system data recovery points, the duration of service disruption, the number and amount of affected business transactions, the number of affected individuals or organizations, different sensitive data items affected, and the corresponding scale.
(2) The criteria for the classification of data leakage events should consider factors such as the number of affected individuals or organizations, different sensitive data items leaked, and the corresponding scale.
(3) Security events involving the leakage or tampering of core data or important data should be classified as particularly significant events or significant events.
Article 44
Data processors should properly classify business data security incidents. When a business data security incident occurs, measures should be taken immediately, users should be notified in a timely manner as required, and the incident situation should be reported promptly, accurately, and completely according to the requirements of the People's Bank of China.
If the data recipient or the entrusted data processor experiences data security incidents related to the business data provided by the data processor, the data processor should conduct an investigation and evaluation, urge the relevant institutions to take remedial measures immediately, and report to the relevant authorities.
Important data processors should conduct at least one emergency drill for business data security incidents each year, and other data processors should conduct at least one emergency drill for business data security incidents every three years.
Article 45
Data processors should conduct a compliance audit on business data security at least every three years, in accordance with the requirements of laws, administrative regulations, security protection measures, relevant operational procedures and management systems related to business data security in this institution. Important data processors should conduct a compliance audit related to important data security at least once a year. In the event of a major or particularly significant event, a special audit should be conducted. The audit should focus on whether the business data resource directory is updated in a timely manner, whether the account permission management of relevant information systems is strict, whether the contracts or agreements related to business data processing activities are complete, whether the security protection measures for highly sensitive data items are effective, whether the responsibilities of data processors are implemented, whether the front-end gateways and application program interfaces are continuously maintained securely, whether the data security risk monitoring is effective, whether the data security risk and incident handling are timely, whether the data export complies with regulations, and whether the data security complaint handling is timely.
Article 46
Data processors should strengthen the management of business data permissions for risk assessment personnel and audit personnel, and take necessary measures to ensure the security of business data during the implementation process.
Sensitive data items in risk assessment reports and audit reports related to business data should be de-identified.
If data processors entrust third-party evaluation agencies or audit agencies to conduct risk assessments or audits related to business data, they should clearly specify their data security protection obligations and corresponding responsibilities in the contract or agreement, designate personnel from this institution to participate throughout the process. If accounting audit services are involved, further strengthening of relevant business data security protection should be carried out in accordance with the requirements of the national Internet information department and the finance department.
Chapter VI Legal Responsibilities
Article 47
If the People's Bank of China and its branches find that data processors' business data processing activities pose significant security risks, they may interview the data processors and require them to take corrective measures; if clues are found that business data processing activities affect or are likely to affect national security, data processors may be required to undergo a national security review in accordance with relevant national regulations.
The People's Bank of China and its branches may conduct law enforcement inspections on the implementation of data processors' data security protection obligations related to business data in accordance with their responsibilities, and may, when necessary, jointly conduct law enforcement inspections with other relevant regulatory authorities.
Article 48
If the People's Bank of China and its branches find that data processors have not fulfilled their obligations regarding data export security assessment or protection certification in business data processing activities, they should transfer relevant case information to the local cyberspace administration department and cooperate in handling it.
Article 49
If data processors fail to fulfill their data security protection obligations as stipulated in these measures and fall under any of the following circumstances, the People's Bank of China and its branches shall impose penalties in accordance with Article 45 of the Data Security Law of the People's Republic of China:
(1) Failure to establish and improve a comprehensive business data security management system in accordance with the relevant provisions of laws and administrative regulations.
(2) Failure to organize and conduct business data security education and training in accordance with the relevant provisions of laws and administrative regulations.
(3) Failure to take corresponding technical measures and other necessary measures to ensure the security of business data in accordance with the relevant provisions of laws and administrative regulations.
(4) Important data processors fail to designate a business data security officer and management institution.
(5) Failure to effectively monitor business data security risks.
(6) Failure to take remedial measures immediately upon discovery of business data security risks.
(7) Failure to take measures to handle business data security incidents immediately, not promptly informing users, or not reporting the incident according to the requirements.
(8) Important data processors fail to conduct a risk assessment of business data annually or fail to submit the risk assessment report as required.
Article 50
If the competent authority finds that a data processor's business data processing activities exclude or restrict competition, or harm the legitimate rights and interests of individuals or organizations, it shall handle the matter in accordance with relevant laws and administrative regulations. If the matter falls within the management responsibilities of other relevant competent authorities, it shall transfer the relevant case information to them and cooperate in handling it.
Article 51
If the People's Bank of China and its branches find that data processors are carrying out business data processing activities that may constitute violations of public security management or crimes, they shall transfer the relevant case information to the same-level public security organs, national security organs, and other relevant competent authorities, and cooperate with them in handling the matter.
Article 52
If a data processor causes harm as a result of a business data security incident, but can prove that it has taken data security protection measures as required and immediately took remedial measures, it shall be given a lighter or mitigated administrative penalty.
If a data processor actively provides data security risk intelligence and helps identify major business data security risks in a timely manner, it shall be given a lighter or mitigated administrative penalty where it has failed to fulfill its data security protection obligations but has not caused harm.
Article 53
If staff of the People's Bank of China and its branches neglect their duties, abuse their power, or engage in favoritism and corruption during the supervision and management of business data processing activities, they shall be disciplined according to law.
Chapter VII Supplementary Provisions
Article 54
Definitions:
(1) Data item refers to the most basic and indivisible unit that describes the network data structure.
(2) Structured data item refers to a data item with a predefined abstract descriptive data type, usually represented by a field in a two-dimensional logical table in a database.
(3) Unstructured data item refers to data items that are not suitable for presentation in a two-dimensional logical table of a database, such as images, videos, audio, document files, etc.
(4) Terminal equipment refers to the computer terminals, mobile smart terminals, audio-video and multimedia devices, and other specialized terminal devices used by data processors in business data processing activities.
(5) Export method refers to the operation of converting business data, originally with strict access control and access log recording, into document files without strict access control or access log recording during data use or provision activities.
(6) Verification method refers to the operation of checking whether business data matches (is consistent) in business data use or provision activities.
(7) Unified standard management refers to data processors including in the institutional rules or operating procedures cases that do not comply with the principled compliance requirements of these measures, explaining the necessity of retaining such cases, the security protection measures that must be taken, and the necessary internal approval procedures to be followed.
Article 55
These measures shall be interpreted by the People's Bank of China.
Article 56
These measures shall be implemented from June 30, 2025.
Source: PBOC website; GMTEight Editor: Chen Xiaoyi.