In our previous articles, we analyzed the Measures for Data Export Security Assessment (available here) and the Guidelines for the application of such Measures (available here).

In order to guide controllers of personal information in complying with the Personal Information Protection Law (the "PIPL"), which came into effect on 1st November 2021, and in carrying out cross-border data transfer activities, the Cyberspace Administration of China ("CAC") and the State Administration of Market Regulation ("SAMR") issued, on 18th November 2022, the Implementation Rules for Personal Information Protection Certification (in Chinese "个人信息保护认证实施规则", briefly "Certification Rules").

The Certification Rules set out the process that controllers of personal information shall follow to obtain certification of their collection, storage, use, processing, transmission, provision, disclosure, deletion, and cross-border transfer of personal information.

Pursuant to the Certification Rules, controllers shall comply:

Moreover, the Certification Rules outline requirements for on-site audits, the technical evaluation and approval of certification results, and post-certification supervision, as well as the certification's period of validity, specifying that the certification process is divided into different steps:

According to the Certification Rules, the certification shall be valid for 3 years and is renewable if the requirements are still satisfied. The certified controller shall use the relevant certification mark (as provided in the Certification Rules) in advertisements and other publicity in accordance with relevant regulations, and shall not mislead the public.

You can read the notice here and the implementation rules here, both only available in Chinese.
[1] GB/T 35273 Information Security Technology Personal Information Security Specifications is a document that specifies the principles and security requirements for the collection, storage, use, sharing, transfer, public disclosure and deletion of personal information. The document is applicable to personal information processing activities carried out by all kinds of organizations and can also be used by competent authorities, third party assessment agencies and other organizations to supervise, manage and evaluate personal information processing activities.

[2] Specifications for Security Certification of Cross-Border Processing of Personal Information is a practice guideline that proposes basic principles and requirements for the security of cross-border processing of personal information, as well as for the protection of the rights and interests of personal information subjects. In this regard, the National Information Security Standardisation Technical Committee of China ("TC260") issued, on 16th December 2022, its revised practice guidelines for Specifications for Security Certification of Cross-Border Processing of Personal Information, following public consultations.