# Asia-Pacific Privacy Packs
This page covers 6 Asia-Pacific country packs with 61 controls total.
## Singapore — PDPA (2012, amended 2020/2021)
Pack ID: sg-pdpa | Framework: PDPA-SG | Regulator: PDPC
Controls: 12 (4 critical, 5 high, 3 medium)
### PDPA-SG-01: Data Protection Officer (Singapore)
Critical
Appoint a DPO and publish their contact information as required by PDPA.
Legal Reference: PDPA Section 11
Appoint at least one DPO. Make business contact information publicly available on the website. DPO ensures PDPA compliance, handles complaints, liaises with PDPC.
| Check | Description |
|---|---|
| PDPA-SG-01-C1 | DPO appointed and contact information published |
| PDPA-SG-01-C2 | DPO responsibilities documented |
### PDPA-SG-02: Consent Obligation
Critical
Obtain clear, informed consent for collection, use, and disclosure of personal data.
Legal Reference: PDPA Sections 13-15
Consent must be: given for a purpose reasonably related to the notified purpose, clear and unambiguous, obtained by affirmative act. Notify purposes at collection. Do not require consent as a condition of service unless necessary.
| Check | Description |
|---|---|
| PDPA-SG-02-C1 | Consent obtained for each specific purpose |
| PDPA-SG-02-C2 | Purpose notification at point of collection |
| PDPA-SG-02-C3 | Consent records maintained |
### PDPA-SG-03: Purpose Limitation
High
Limit collection, use, and disclosure to purposes for which consent was obtained.
Legal Reference: PDPA Section 18
Document purposes. Only use data for consented purposes or reasonably related purposes. Obtain new consent for new purposes. Implement technical controls preventing use beyond stated purposes.
| Check | Description |
|---|---|
| PDPA-SG-03-C1 | Purposes documented per data collection |
| PDPA-SG-03-C2 | New consent obtained for new purposes |
### PDPA-SG-04: Notification Obligation
High
Inform individuals of the purposes for collection, use, or disclosure.
Legal Reference: PDPA Section 20
Notify at or before collection of: data items, purposes, expected disclosure recipients, retention. For third-party data, notify within a reasonable time. Clear, plain-language notices.
| Check | Description |
|---|---|
| PDPA-SG-04-C1 | Collection notices provided at point of collection |
| PDPA-SG-04-C2 | Third-party data subjects notified |
### PDPA-SG-05: Access and Correction Rights
High
Provide individuals access to and correction of their personal data.
Legal Reference: PDPA Sections 21-22
Respond to access requests within 30 days, providing the personal data held, the purposes of use, and disclosure information for the past year. Respond to correction requests within 30 days and notify recipients of the corrections. A reasonable fee may be charged for access if the fee is disclosed to the requester.
| Check | Description |
|---|---|
| PDPA-SG-05-C1 | Access request process within 30 days |
| PDPA-SG-05-C2 | Correction request process within 30 days |
| PDPA-SG-05-C3 | Correction recipients notified |
### PDPA-SG-06: Accuracy Obligation
Medium
Ensure personal data is accurate and complete before use or disclosure.
Legal Reference: PDPA Section 23
Implement reasonable steps to ensure accuracy. Consider data source reliability, purpose, potential impact. Provide self-service correction mechanisms. Verify at collection.
| Check | Description |
|---|---|
| PDPA-SG-06-C1 | Accuracy verification procedures implemented |
| PDPA-SG-06-C2 | Self-service correction available |
### PDPA-SG-07: Protection Obligation
Critical
Implement reasonable security arrangements to protect personal data.
Legal Reference: PDPA Section 24; PDPC Security Guidelines
Consider: nature of data, impact of breach, format, cost. Include access controls, encryption, network security, data minimization, endpoint protection, incident response. Follow PDPC's Guide to Data Protection Practices for ICT Systems.
| Check | Description |
|---|---|
| PDPA-SG-07-C1 | Security arrangements documented and risk-assessed |
| PDPA-SG-07-C2 | Access controls and encryption implemented |
| PDPA-SG-07-C3 | PDPC ICT security guidelines followed |
### PDPA-SG-08: Retention Limitation
High
Cease retention of personal data when no longer needed.
Legal Reference: PDPA Section 25
Cease retention when: purpose fulfilled, consent withdrawn, no business/legal need. Automated deletion or anonymisation. Review annually. Document disposal methods.
| Check | Description |
|---|---|
| PDPA-SG-08-C1 | Retention periods defined and documented |
| PDPA-SG-08-C2 | Automated deletion/anonymisation implemented |
### PDPA-SG-09: Transfer Limitation
High
Ensure comparable protection for personal data transferred outside Singapore.
Legal Reference: PDPA Section 26; PDPC Transfer Limitation Guidelines
Ensure overseas recipients are bound by legally enforceable obligations providing comparable protection. Use contractual clauses, BCRs, or certifications. Conduct transfer assessments.
| Check | Description |
|---|---|
| PDPA-SG-09-C1 | Legally enforceable transfer mechanisms in place |
| PDPA-SG-09-C2 | Comparable protection assessment documented |
### PDPA-SG-10: Data Breach Notification (PDPA Amendment 2021)
Critical
Notify PDPC and affected individuals of notifiable data breaches within 3 calendar days.
Legal Reference: PDPA Sections 26B-26E; PDPC Breach Notification Guidelines
Assess for notifiability (500+ individuals, or significant harm). Notify PDPC within 3 calendar days. Notify individuals if significant harm likely. Maintain breach register. Document assessment rationale.
| Check | Description |
|---|---|
| PDPA-SG-10-C1 | Breach notifiability assessment procedure |
| PDPA-SG-10-C2 | PDPC notification within 3 calendar days |
| PDPA-SG-10-C3 | Individual notification for significant harm |
| PDPA-SG-10-C4 | Breach register maintained |
### PDPA-SG-11: Data Portability (PDPA Amendment)
Medium
Implement data portability allowing individuals to request data transmission.
Legal Reference: PDPA Sections 26F-26H
Provide personal data in structured, commonly used, machine-readable format. Enable direct transmission to another organization where feasible.
| Check | Description |
|---|---|
| PDPA-SG-11-C1 | Data portability request mechanism implemented |
| PDPA-SG-11-C2 | Machine-readable export format available |
### PDPA-SG-12: Do Not Call Registry
Medium
Comply with DNC registry requirements for telemarketing.
Legal Reference: PDPA Part IXA; DNC Registry Rules
Check DNC registry before marketing messages to Singapore numbers (voice, text, fax). Maintain clear, written consent. Honor DNC entries and opt-outs. Appoint DNC compliance officer.
| Check | Description |
|---|---|
| PDPA-SG-12-C1 | DNC registry checked before each telemarketing campaign |
| PDPA-SG-12-C2 | Clear, written telemarketing consent maintained |
| PDPA-SG-12-C3 | Opt-out requests honored within 21 days |
## Philippines — Data Privacy Act of 2012
Pack ID: ph-dpa | Framework: DPA-PH | Regulator: NPC
Controls: 10 (4 critical, 5 high, 1 medium)
### DPA-PH-01: PIC and PIP Designation
Critical
Designate Personal Information Controller (PIC) and Personal Information Processor (PIP) roles.
Legal Reference: DPA Section 3; IRR Article 4
PIC determines purposes and means. PIP processes on behalf of PIC. PIC is accountable. Ensure PIC-PIP contracts define obligations. Document accountability chain.
| Check | Description |
|---|---|
| DPA-PH-01-C1 | PIC and PIP roles documented for each processing |
| DPA-PH-01-C2 | PIC-PIP contracts executed with DPA obligations |
### DPA-PH-02: Data Protection Officer (Philippines)
High
Designate a DPO and register with the NPC.
Legal Reference: DPA Section 11; IRR Article 7; NPC Circular 17-01
DPO ensures compliance, advises on PIAs, cooperates with NPC, serves as contact. Register with NPC. Should have sufficient DPA knowledge.
| Check | Description |
|---|---|
| DPA-PH-02-C1 | DPO designated and registered with NPC |
| DPA-PH-02-C2 | DPO responsibilities documented |
### DPA-PH-03: NPC Registration
High
Register personal data processing systems with NPC if processing 1,000+ records.
Legal Reference: NPC Circular 17-01; DPA IRR Article 7
Submit registration forms: PIC details, DPO information, processing system descriptions, data categories. Renew annually. Update within 30 days of material changes.
| Check | Description |
|---|---|
| DPA-PH-03-C1 | NPC registration completed if applicable |
| DPA-PH-03-C2 | Annual renewal process established |
### DPA-PH-04: Criteria for Lawful Processing
Critical
Document the lawful criteria for processing personal data and sensitive personal information.
Legal Reference: DPA Sections 12-13
For personal data: consent, contract, legal obligation, vital interests, public interest, legitimate interests. For sensitive PI (race, marital status, age, color, religious/philosophical/political affiliations, health, education, genetics, sexual life, SSN, licenses): specific, affirmed consent.
| Check | Description |
|---|---|
| DPA-PH-04-C1 | Lawful criteria documented per processing |
| DPA-PH-04-C2 | Specific consent for sensitive personal information |
### DPA-PH-05: Data Subject Rights (Philippines)
High
Implement DPA data subject rights including bequeathal rights for deceased persons.
Legal Reference: DPA Sections 16-18
Rights: information, objection, access, rectification, erasure/blocking, portability, damages. Honor bequeathal rights (rights of heirs of deceased). Respond within reasonable time. Provide complaint mechanisms.
| Check | Description |
|---|---|
| DPA-PH-05-C1 | All DPA rights implemented with request mechanisms |
| DPA-PH-05-C2 | Bequeathal rights procedure documented |
| DPA-PH-05-C3 | Complaint filing mechanism available |
### DPA-PH-06: Security Measures (NPC Circular 16-03)
Critical
Implement physical, organizational, and technical security measures.
Legal Reference: NPC Circular 16-03 Parts 3-5
Organizational: policies, access control, data mapping. Physical: facility access, environmental controls. Technical: authentication, encryption, network security, logging. Appoint Information Security Officer. Annual reviews.
| Check | Description |
|---|---|
| DPA-PH-06-C1 | Organizational security measures documented |
| DPA-PH-06-C2 | Physical security measures implemented |
| DPA-PH-06-C3 | Technical security measures implemented |
| DPA-PH-06-C4 | Annual security review conducted |
### DPA-PH-07: Privacy Impact Assessment
High
Conduct Privacy Impact Assessments (PIAs) for processing systems and new projects.
Legal Reference: DPA IRR Article 8; NPC PIA Guidelines
Required for: new processing systems, significant changes, automated processing/profiling, sensitive PI, large-scale processing. Document: processing description, necessity, risks, mitigation. Submit to NPC if requested.
| Check | Description |
|---|---|
| DPA-PH-07-C1 | PIA criteria established for new/changed processing |
| DPA-PH-07-C2 | PIAs documented with risk assessments |
### DPA-PH-08: NPC Breach Notification
Critical
Report personal data breaches to the NPC within 72 hours and notify affected individuals.
Legal Reference: NPC Circular 16-03 Section 9; DPA IRR Article 9
Notify NPC within 72 hours for breaches involving sensitive PI or affecting 100+ individuals. Include: breach nature, data, date/time, circumstances, mitigation. Notify individuals within reasonable time. Document all breaches.
| Check | Description |
|---|---|
| DPA-PH-08-C1 | NPC 72-hour breach notification procedure |
| DPA-PH-08-C2 | Individual notification procedures |
| DPA-PH-08-C3 | Breach register maintained |
### DPA-PH-09: Data Sharing and Outsourcing
High
Ensure lawful data sharing and outsourcing of personal data processing.
Legal Reference: DPA Sections 20, 32-36; IRR Articles 21, 28
Execute data sharing agreements with PICs (purpose, data categories, security, rights, termination). For outsourcing to PIPs: processing scope, security obligations, sub-processor controls, data return/deletion.
| Check | Description |
|---|---|
| DPA-PH-09-C1 | Data sharing agreements with PICs executed |
| DPA-PH-09-C2 | Outsourcing contracts with PIPs executed |
### DPA-PH-10: Cross-Border Transfers (Philippines)
High
Ensure appropriate safeguards for international transfers.
Legal Reference: DPA Section 21; IRR Article 27
Overseas recipients must provide protection comparable to DPA. Use contractual safeguards. Inform data subjects of cross-border transfers. Conduct transfer risk assessments.
| Check | Description |
|---|---|
| DPA-PH-10-C1 | Cross-border transfer safeguards documented |
| DPA-PH-10-C2 | Comparable protection ensured |
## Japan — APPI (2022 Amendment)
Pack ID: jp-appi | Framework: APPI | Regulator: PPC
Controls: 10 (3 critical, 5 high, 2 medium)
### APPI-01: Purpose of Use Specification
Critical
Specify the purpose of use for personal information and publicly announce or notify it.
Legal Reference: APPI Article 17
Specify the purpose as specifically as possible, and do not use personal information in a manner improperly associated with the individual. Publish the purpose on the website or notify the individual directly. Obtain consent before changing the purpose beyond a reasonably related scope.
| Check | Description |
|---|---|
| APPI-01-C1 | Purpose of use specified for each data category |
| APPI-01-C2 | Purposes published or notified to data subjects |
| APPI-01-C3 | Purpose change consent obtained |
### APPI-02: Proper Acquisition
High
Acquire personal information by lawful and fair means, not deceptive means.
Legal Reference: APPI Articles 18-19
For sensitive PI (race, creed, social status, medical history, criminal record, crime victim): obtain consent unless exception applies. Notify or publish purpose when acquiring sensitive data.
| Check | Description |
|---|---|
| APPI-02-C1 | Data acquisition methods reviewed for lawfulness |
| APPI-02-C2 | Consent obtained for sensitive personal information |
### APPI-03: Security Control Measures
Critical
Implement security control measures to prevent leakage, loss, or damage.
Legal Reference: APPI Article 23; PPC Guidelines
Organizational (policies, training), personnel (agreements, access control), physical (facility, equipment), technical (access control, encryption, IDS). Follow PPC Basic Policy. Conduct regular audits.
| Check | Description |
|---|---|
| APPI-03-C1 | Organizational and personnel security measures implemented |
| APPI-03-C2 | Physical and technical security measures implemented |
| APPI-03-C3 | Regular security audits conducted |
### APPI-04: Outsourcing Supervision
High
Exercise necessary and appropriate supervision over outsourced personal data processing.
Legal Reference: APPI Article 22
Select qualified contractors. Execute contracts specifying purpose, security measures, sub-contractor restrictions, data handling. Conduct regular compliance assessments.
| Check | Description |
|---|---|
| APPI-04-C1 | Outsourcing contracts executed with required clauses |
| APPI-04-C2 | Regular contractor compliance assessments |
### APPI-05: Third-Party Provision Restriction
High
Obtain consent before providing personal data to third parties.
Legal Reference: APPI Articles 27-28
Prior consent unless exception applies. Record: recipient, data items, date. Verify acquisition circumstances when receiving. Maintain opt-out mechanism with PPC notification.
| Check | Description |
|---|---|
| APPI-05-C1 | Consent obtained before third-party provision |
| APPI-05-C2 | Provision records maintained |
| APPI-05-C3 | Opt-out mechanism with PPC notification |
### APPI-06: Cross-Border Transfer Requirements
Critical
Obtain prior consent for providing personal data to third parties in foreign countries.
Legal Reference: APPI Article 28
Obtain prior consent for transfers to countries without equivalent protection. Inform data subjects of: destination country, recipient information, data categories. Transfers to countries with equivalent protection (currently none recognized by PPC) or under an exception do not require consent.
| Check | Description |
|---|---|
| APPI-06-C1 | Prior consent obtained for cross-border transfers |
| APPI-06-C2 | Transfer information provided to data subjects |
### APPI-07: Individual Rights (Disclosure, Correction, Suspension)
High
Implement rights to disclosure, correction, and suspension of use.
Legal Reference: APPI Articles 32-37
Right to request disclosure, correction/addition/deletion (with proof), suspension of use/third-party provision. Disclosure: prompt response. Correction: within 2 weeks. Document refusal reasons.
| Check | Description |
|---|---|
| APPI-07-C1 | Disclosure request mechanism implemented |
| APPI-07-C2 | Correction/addition/deletion request mechanism |
| APPI-07-C3 | Suspension of use/provision request mechanism |
### APPI-08: Personal Data Breach Notification (PPC)
Critical
Notify PPC and affected individuals of breaches meeting threshold.
Legal Reference: APPI Article 26; PPC Breach Reporting Guidelines
Report to PPC promptly when the breach involves sensitive information, potential financial damage, or 1,000+ individuals; aim to report within 3-5 days. Include: incident facts, data items, cause, damage, countermeasures. Notify individuals for harmful breaches.
| Check | Description |
|---|---|
| APPI-08-C1 | PPC breach notification procedure for threshold breaches |
| APPI-08-C2 | Individual notification for harmful breaches |
| APPI-08-C3 | Breach records maintained |
### APPI-09: Personal Information Protection Officer
High
Designate a Protection Officer and establish internal structures.
Legal Reference: APPI Article 25; PPC Management Guidelines
Designate person responsible. Establish contact point for requests/complaints. Maintain processing description. Train employees handling personal data.
| Check | Description |
|---|---|
| APPI-09-C1 | Protection officer designated and documented |
| APPI-09-C2 | Internal request/complaint handling structure |
### APPI-10: Anonymously Processed Information
Medium
Comply with requirements when creating and providing anonymously processed information.
Legal Reference: APPI Articles 36-38
Delete or alter identifying descriptions. Prevent re-identification. Document anonymisation methods. Conduct checks before providing. Avoid combining with other data.
| Check | Description |
|---|---|
| APPI-10-C1 | Anonymisation procedures documented |
| APPI-10-C2 | Re-identification risk assessed |
## South Korea — PIPA (2023 Amendment)
Pack ID: kr-pipa | Framework: PIPA | Regulator: PIPC
Controls: 10 (4 critical, 5 high, 1 medium)
### PIPA-01: Personal Information Processing Policy
Critical
Draft, publish, and maintain a personal information processing policy in Korean.
Legal Reference: PIPA Article 17
Include: items collected, purpose, retention/use period, third-party provision, outsourcing, cross-border transfer, data subject rights, DPO contact. Publish on homepage. Plain Korean. Review annually.
| Check | Description |
|---|---|
| PIPA-01-C1 | Privacy policy published in Korean on homepage |
| PIPA-01-C2 | All PIPA-required items included |
| PIPA-01-C3 | Annual review documented |
### PIPA-02: Separate Consent Requirements
Critical
Obtain separate consent for each purpose, sensitive data, third-party provision, and cross-border transfers.
Legal Reference: PIPA Articles 17, 23, 24, 28
Separate consent for: each purpose, sensitive information (ideology, creed, union, political, health, sexual life, biometric, criminal records), unique identifiers (RRN, passport), third-party provision, cross-border transfers. Non-pre-checked boxes. Opt-out mechanisms.
| Check | Description |
|---|---|
| PIPA-02-C1 | Separate consent per purpose, sensitive data, third-party, and transfer |
| PIPA-02-C2 | Non-pre-checked boxes used |
| PIPA-02-C3 | Consent withdrawal mechanisms available |
### PIPA-03: Privacy Impact Assessment
High
Conduct PIAs for processing likely to infringe on privacy rights.
Legal Reference: PIPA Article 33; Enforcement Decree Article 25
For: public agencies, large-scale processing, sensitive information, new technologies (AI, IoT), systematic profiling. Submit to PIPC if public sector. Implement mitigation. Review periodically.
| Check | Description |
|---|---|
| PIPA-03-C1 | PIA criteria established |
| PIPA-03-C2 | PIAs conducted and documented |
### PIPA-04: Data Protection Officer (Korea)
High
Designate a Chief Privacy Officer (CPO) if required by scale thresholds.
Legal Reference: PIPA Article 30
CPO required if: 10,000+ data subjects (public), 10,000+ (private with 50+ employees), or 1,000+ sensitive information. CPO establishes policies, conducts audits, handles complaints, liaises with PIPC. Register with PIPC.
| Check | Description |
|---|---|
| PIPA-04-C1 | CPO designated if threshold met |
| PIPA-04-C2 | CPO registered with PIPC |
### PIPA-05: Security Measures (Technical, Physical, Administrative)
Critical
Implement three-tier security measures for personal information.
Legal Reference: PIPA Article 29; Enforcement Rule Article 14
Technical: access control, encryption, security programs. Physical: facility access, document security. Administrative: internal policies, training, access privilege management, regular audits. Special measures for RRN.
| Check | Description |
|---|---|
| PIPA-05-C1 | Technical security measures implemented and documented |
| PIPA-05-C2 | Physical security measures implemented |
| PIPA-05-C3 | Administrative security measures implemented |
| PIPA-05-C4 | Special RRN protection measures |
### PIPA-06: KISA/PIPC Breach Notification
Critical
Notify PIPC/KISA and affected individuals of breaches without delay.
Legal Reference: PIPA Article 34
Notify PIPC when breach involves: 1,000+ subjects, sensitive information, or RRN. Notify individuals when likely to cause harm. Include: items leaked, time/place, countermeasures, damage mitigation. Written report within 5 days.
| Check | Description |
|---|---|
| PIPA-06-C1 | PIPC notification procedure for threshold breaches |
| PIPA-06-C2 | Individual notification for harmful breaches |
| PIPA-06-C3 | Written report within 5 days |
### PIPA-07: Data Subject Rights (Korea)
High
Implement PIPA data subject rights including reading and suspension requests.
Legal Reference: PIPA Articles 35-38
Rights: access, suspension of processing, correction/deletion, deletion of consented data. Respond within 10-15 days. Provide reasons for refusal. Digital request mechanisms. Ensure portability.
| Check | Description |
|---|---|
| PIPA-07-C1 | All PIPA rights implemented |
| PIPA-07-C2 | Response within 10-15 days |
| PIPA-07-C3 | Suspension of processing mechanism available |
### PIPA-08: Resident Registration Number (RRN) Protection
Critical
Implement special protections for Resident Registration Numbers and unique identifiers.
Legal Reference: PIPA Article 24; Enforcement Decree Article 19
Do not collect RRN unless legally permitted. Store encrypted with strong key management. Limit access to authorized personnel. Audit log all RRN access. Never use beyond legally permitted purposes. Delete when purpose fulfilled.
| Check | Description |
|---|---|
| PIPA-08-C1 | RRN collection limited to legally permitted purposes |
| PIPA-08-C2 | RRN encrypted with strong key management |
| PIPA-08-C3 | RRN access audit logging implemented |
### PIPA-09: Cross-Border Transfer (Korea)
High
Obtain separate consent and document safeguards for cross-border transfers.
Legal Reference: PIPA Article 28
Separate consent specifying: destination country, recipient, purpose, data items, retention. Implement safeguards (contracts, equivalent protection). Allow withdrawal. Maintain transfer register.
| Check | Description |
|---|---|
| PIPA-09-C1 | Separate consent for cross-border transfers |
| PIPA-09-C2 | Transfer register maintained |
### PIPA-10: Outsourcing Management
High
Execute contracts with outsourced processors and maintain an outsourcing register.
Legal Reference: PIPA Article 27
Contracts specifying: processing scope, security measures, sub-contractor restrictions, data handling. Maintain outsourcing register published on website. Conduct periodic assessments. Notify data subjects.
| Check | Description |
|---|---|
| PIPA-10-C1 | Outsourcing contracts executed |
| PIPA-10-C2 | Outsourcing register published |
## China — PIPL (2021)
Pack ID: cn-pipl | Framework: PIPL | Regulator: CAC
Controls: 11 (5 critical, 4 high, 2 medium)
### PIPL-01: Legal Basis and Consent
Critical
Identify legal basis and obtain valid consent for personal information processing.
Legal Reference: PIPL Articles 13-14
Consent: freely given, informed, voluntary, clear. Alternatively: contract performance, legal obligations, public health, news reporting, legally permitted circumstances. Specific purposes, affirmative action. No bundled consent.
| Check | Description |
|---|---|
| PIPL-01-C1 | Legal basis documented per processing activity |
| PIPL-01-C2 | Consent is freely given, informed, voluntary, clear |
| PIPL-01-C3 | No bundled consent for multiple purposes |
### PIPL-02: Privacy Policy (Chinese Language)
Critical
Publish a comprehensive privacy policy in clear, plain Chinese.
Legal Reference: PIPL Article 17
Include: handler identity, contact person, processing purposes/methods, data categories, retention, data subject rights, mechanisms. Clear, plain Chinese. Prominent display. Accessible, easy to read, convenient to save.
| Check | Description |
|---|---|
| PIPL-02-C1 | Privacy policy published in Chinese with all required items |
| PIPL-02-C2 | Policy displayed prominently and accessible |
### PIPL-03: Sensitive Personal Information Controls
Critical
Obtain separate consent and implement stricter controls for sensitive PI.
Legal Reference: PIPL Articles 28-32
Sensitive PI: biometrics, religious beliefs, specific identity, medical health, financial accounts, location tracking, minors under 14. Separate consent with necessity explanation. Stricter access controls and encryption. Conduct PIPIA. Minimize collection.
| Check | Description |
|---|---|
| PIPL-03-C1 | Sensitive PI identified and classified |
| PIPL-03-C2 | Separate consent with necessity explanation |
| PIPL-03-C3 | Stricter security controls for sensitive PI |
| PIPL-03-C4 | PIPIA conducted for sensitive data processing |
### PIPL-04: Data Localization
Critical
Store personal information of Chinese residents within mainland China when required.
Legal Reference: PIPL Article 40; Data Export Security Assessment Measures
Required for: Critical Information Infrastructure Operators (CIIO), handlers processing the PI of 1,000,000+ individuals, or handlers transferring abroad the non-sensitive PI of 100,000+ individuals or the sensitive PI of 10,000+ individuals. Implement technical controls that enforce China data residency.
| Check | Description |
|---|---|
| PIPL-04-C1 | Data localization thresholds assessed |
| PIPL-04-C2 | Technical controls enforce China data residency |
### PIPL-05: CAC Cross-Border Transfer Assessment
Critical
Complete required CAC assessments before transferring personal information abroad.
Legal Reference: PIPL Articles 38-39; CAC Standard Contract Measures
Complete: CAC Security Assessment for large-scale, CAC Standard Contract filing, or CAC certification. Obtain separate informed consent. Inform: purpose, recipient, data items, retention, rights. Conduct PIPIA before transfer.
| Check | Description |
|---|---|
| PIPL-05-C1 | Appropriate CAC mechanism completed |
| PIPL-05-C2 | Separate consent from individuals obtained |
| PIPL-05-C3 | PIPIA conducted before transfer |
### PIPL-06: PIPL Individual Rights
High
Implement all PIPL data subject rights including right to refuse profiling.
Legal Reference: PIPL Articles 44-49
Rights: know/access, copy, correct, delete, restrict, portability, explain/refuse automated decisions, withdraw consent, delete deceased user's data. Respond within 15 working days. Clear mechanisms. Do not refuse on technical grounds.
| Check | Description |
|---|---|
| PIPL-06-C1 | All PIPL rights implemented |
| PIPL-06-C2 | Automated decision explanation and refusal |
| PIPL-06-C3 | Responses within 15 working days |
### PIPL-07: Personal Information Protection Impact Assessment (PIPIA)
High
Conduct PIPIA before high-risk processing activities.
Legal Reference: PIPL Articles 55-56
Required for: sensitive PI, automated decision-making/profiling, entrusting/outsourcing, public disclosure, cross-border transfers. Document: purpose, necessity, impact assessment, mitigation. Records kept at least 3 years.
| Check | Description |
|---|---|
| PIPL-07-C1 | PIPIA criteria established for triggering activities |
| PIPL-07-C2 | PIPIA records maintained for 3+ years |
### PIPL-08: Automated Decision-Making Controls
High
Implement safeguards for automated decisions, profiling, and algorithmic recommendations.
Legal Reference: PIPL Article 24; Algorithm Recommendation Management Provisions
Transparency about automated decisions. No unreasonable differential treatment. Opt-out and explanation mechanisms. Non-discrimination based on personal characteristics.
| Check | Description |
|---|---|
| PIPL-08-C1 | Automated decision transparency implemented |
| PIPL-08-C2 | Opt-out and explanation available |
| PIPL-08-C3 | Non-discrimination safeguards in place |
### PIPL-09: Personal Information Handler Representative
Medium
Designate a person in charge of personal information protection.
Legal Reference: PIPL Article 52
Designate responsible person. Publicize name and contact information. Establish dedicated department or designate personnel for large-scale processing.
| Check | Description |
|---|---|
| PIPL-09-C1 | Protection representative designated |
| PIPL-09-C2 | Contact information publicized |
### PIPL-10: Children's Personal Information (Under 14)
High
Implement special protections for minors under 14 as sensitive PI.
Legal Reference: PIPL Article 31; Children's PI Network Protection Provisions
Treat children's PI as sensitive. Obtain guardian consent. Establish dedicated handling rules for minors' PI. Appoint a person responsible. Minimize collection. No profiling or behavioral advertising targeting children.
| Check | Description |
|---|---|
| PIPL-10-C1 | Guardian consent obtained for minors under 14 |
| PIPL-10-C2 | Dedicated children's PI handling rules established |
| PIPL-10-C3 | No behavioral advertising targeting minors |
### PIPL-11: Breach Notification (PIPL)
Critical
Notify authorities and affected individuals of personal information security incidents.
Legal Reference: PIPL Article 57
Immediately take remedial measures. Notify authorities and affected individuals when leak/tampering/loss occurs or may cause harm. Include: type of data, cause, harm. Maintain documentation. Report to CAC if required.
| Check | Description |
|---|---|
| PIPL-11-C1 | Incident response and remedial procedures |
| PIPL-11-C2 | Authority notification for harmful incidents |
| PIPL-11-C3 | Individual notification with required details |
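The breach-notification controls above (PDPA-SG-10, DPA-PH-08, APPI-08, PIPA-06 and PIPL-11) each combine a notifiability threshold with a clock. The following is an added example, not code from the original page or from any compliance tool, that encodes those thresholds and deadlines exactly as this page states them so that a triage decision and its deadline can be computed from the incident facts. The names `BreachFacts`, `Triage`, `triage()` and `is_overdue()` are this example's own, and the 5-day figure used for Japan is the outer end of the page's "3-5 days" window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class BreachFacts:
    """Facts established by the notifiability assessment (example's own type)."""
    pack_id: str                    # "sg-pdpa", "ph-dpa", "jp-appi", "kr-pipa", "cn-pipl"
    individuals: int                # number of affected data subjects
    sensitive: bool = False         # sensitive personal information involved
    likely_harm: bool = False       # significant harm / financial damage likely
    rrn: bool = False               # Korean Resident Registration Numbers involved
    discovered_at: datetime = field(
        default_factory=lambda: datetime.now(timezone.utc))


@dataclass(frozen=True)
class Triage:
    regulator: str
    notify_regulator: bool
    regulator_deadline: Optional[datetime]   # None when no regulator notice is due
    notify_individuals: bool
    reasons: Tuple[str, ...]


def triage(f: BreachFacts) -> Triage:
    """Apply the per-pack thresholds from this page and start the clock."""
    t0 = f.discovered_at
    reasons = []
    if f.pack_id == "sg-pdpa":
        # PDPA-SG-10: 500+ individuals or significant harm; PDPC within 3 calendar
        # days; individuals are notified only when significant harm is likely.
        if f.individuals >= 500:
            reasons.append("500+ individuals affected")
        if f.likely_harm:
            reasons.append("significant harm likely")
        due = bool(reasons)
        return Triage("PDPC", due, t0 + timedelta(days=3) if due else None,
                      f.likely_harm, tuple(reasons))
    if f.pack_id == "ph-dpa":
        # DPA-PH-08: sensitive PI or 100+ individuals; NPC within 72 hours;
        # affected individuals notified within a reasonable time.
        if f.sensitive:
            reasons.append("sensitive personal information involved")
        if f.individuals >= 100:
            reasons.append("100+ individuals affected")
        due = bool(reasons)
        return Triage("NPC", due, t0 + timedelta(hours=72) if due else None,
                      due, tuple(reasons))
    if f.pack_id == "jp-appi":
        # APPI-08: sensitive information, potential financial damage or 1,000+
        # individuals; the page's 3-5 day target is encoded as its 5-day outer bound.
        if f.sensitive:
            reasons.append("sensitive information involved")
        if f.likely_harm:
            reasons.append("potential financial damage")
        if f.individuals >= 1000:
            reasons.append("1,000+ individuals affected")
        due = bool(reasons)
        return Triage("PPC", due, t0 + timedelta(days=5) if due else None,
                      f.likely_harm, tuple(reasons))
    if f.pack_id == "kr-pipa":
        # PIPA-06: 1,000+ subjects, sensitive information or RRN; notify without
        # delay with a written report within 5 days; individuals when harm is likely.
        if f.individuals >= 1000:
            reasons.append("1,000+ data subjects affected")
        if f.sensitive:
            reasons.append("sensitive information involved")
        if f.rrn:
            reasons.append("Resident Registration Numbers involved")
        due = bool(reasons)
        return Triage("PIPC/KISA", due, t0 + timedelta(days=5) if due else None,
                      f.likely_harm, tuple(reasons))
    if f.pack_id == "cn-pipl":
        # PIPL-11: any leak, tampering or loss is notified immediately to the
        # authorities and to affected individuals, so the deadline is discovery time.
        reasons.append("leak/tampering/loss of personal information")
        return Triage("CAC", True, t0, True, tuple(reasons))
    raise ValueError(f"no breach-notification rule encoded for pack {f.pack_id!r}")


def is_overdue(t: Triage, now: datetime) -> bool:
    """True when a regulator notice is due and its deadline has already passed."""
    return (t.notify_regulator and t.regulator_deadline is not None
            and now > t.regulator_deadline)


if __name__ == "__main__":
    # Constructed incident: 600 Singapore customers' order histories exposed, no
    # significant harm assessed -> PDPC notice due, no individual notice required.
    facts = BreachFacts("sg-pdpa", individuals=600)
    print(triage(facts))
```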
## India — DPDPA (2023)
Pack ID: in-dpdpa | Framework: DPDPA | Regulator: Data Protection Board of India
Controls: 8 (3 critical, 3 high, 2 medium)
### DPDPA-01: Consent Manager Framework
Critical
Implement interoperable consent management through DPDP-approved Consent Manager platforms.
Legal Reference: DPDPA Sections 5-6
Integrate with interoperable Consent Managers registered with the Data Protection Board. Consent: free, specific, informed, unconditional, unambiguous, clear affirmative action. Withdrawal via same Consent Manager. Verifiable records.
| Check | Description |
|---|---|
| DPDPA-01-C1 | Consent Manager integration implemented |
| DPDPA-01-C2 | Consent withdrawal via Consent Manager |
| DPDPA-01-C3 | Verifiable consent records maintained |
### DPDPA-02: Notice Requirements
High
Provide clear notice in plain language describing personal data processing.
Legal Reference: DPDPA Section 7
Notice must describe: personal data items, processing purpose, Data Fiduciary identity, Data Principal rights, grievance redressal mechanism. In plain language (English or any language in 8th Schedule of Constitution). Available in accessible formats.
| Check | Description |
|---|---|
| DPDPA-02-C1 | Notice provided with all required items before processing |
| DPDPA-02-C2 | Notice in plain, accessible language |
### DPDPA-03: Data Principal Rights
High
Implement DPDPA rights: access, correction, erasure, grievance, nomination.
Legal Reference: DPDPA Sections 11-14
Rights: access to processed data, correction/erasure, grievance redressal, nomination (in case of death/incapacity). Provide mechanisms through Consent Manager or directly. Respond within prescribed timeframes.
| Check | Description |
|---|---|
| DPDPA-03-C1 | All DPDPA rights implemented and accessible |
| DPDPA-03-C2 | Nomination mechanism for death/incapacity |
| DPDPA-03-C3 | Grievance redressal officer designated |
DPDPA-04: Data Fiduciary Obligations¶
Critical
Comply with Data Fiduciary obligations: accuracy, security, breach notification.
Legal Reference: DPDPA Sections 8-10
Ensure completeness, accuracy and consistency of data that is used for decisions affecting the Data Principal or disclosed to another Data Fiduciary. Implement reasonable security safeguards. Notify the Data Protection Board and each affected Data Principal of a breach in the form and manner prescribed by rules under the Act. Engage a Data Processor only under a valid contract; the Act has no processor registration scheme. Erase personal data when consent is withdrawn or the purpose is no longer served, unless retention is required by law. Comply with additional obligations if notified as a Significant Data Fiduciary.
| Check | Description |
|---|---|
| DPDPA-04-C1 | Security safeguards implemented and documented |
| DPDPA-04-C2 | Breach notification procedure established |
| DPDPA-04-C3 | Processor due diligence and contracts |
DPDPA-05: Significant Data Fiduciary Requirements¶
Medium
Comply with additional obligations if the Central Government notifies the organisation as a Significant Data Fiduciary.
Legal Reference: DPDPA Section 10
SDF status is assigned by Central Government notification, based on factors such as the volume and sensitivity of personal data processed, risk to Data Principals' rights, and potential impact on sovereignty, security, public order and electoral democracy. An SDF must appoint a Data Protection Officer based in India who represents it under the Act and is answerable to its board, appoint an Independent Data Auditor, conduct periodic Data Protection Impact Assessments and periodic audits, and carry out any other measures prescribed by the Central Government.
| Check | Description |
|---|---|
| DPDPA-05-C1 | SDF status assessment conducted |
| DPDPA-05-C2 | DPO and Independent Data Auditor appointed if SDF |
DPDPA-06: Children's Data Protection¶
High
Implement special protections for children's data (under 18).
Legal Reference: DPDPA Section 9
Obtain verifiable consent from parent/lawful guardian. Do not process in a manner likely to cause detriment to child's well-being. Do not undertake tracking, behavioral monitoring, or targeted advertising directed at children.
| Check | Description |
|---|---|
| DPDPA-06-C1 | Verifiable parental consent mechanism implemented |
| DPDPA-06-C2 | No behavioral monitoring/targeted advertising for children |
DPDPA-07: Cross-Border Transfers (India)¶
Critical
Comply with cross-border transfer restrictions based on "blacklist" approach.
Legal Reference: DPDPA Section 16
Transfer personal data outside India only to countries not on the restricted list notified by the Central Government; there is no adequacy or transfer-instrument requirement for other destinations. Monitor the restricted countries list. Implement technical controls preventing transfers to restricted countries. Document transfer decisions. Sector-specific rules imposing stricter localisation continue to apply, since Section 16(2) preserves any Indian law that provides a higher degree of protection.
| Check | Description |
|---|---|
| DPDPA-07-C1 | Restricted countries list monitored |
| DPDPA-07-C2 | Technical controls prevent restricted transfers |
DPDPA-08: Exemptions and Legitimate Uses¶
Medium
Understand and apply DPDPA exemptions for legitimate uses.
Legal Reference: DPDPA Section 7, 17
Section 7 "legitimate uses" allow processing without consent for: data voluntarily provided by the Data Principal for a specified purpose, provision of State subsidies, benefits and services, employment-related purposes, medical emergencies, epidemics and public health, and disasters. Section 17 exemptions cover, among others, enforcement of legal rights or claims, judicial and regulatory functions, and prevention, detection or investigation of offences. Document which legitimate use or exemption is relied on for each processing activity.
| Check | Description |
|---|---|
| DPDPA-08-C1 | Legitimate use assessments documented |
| DPDPA-08-C2 | Exemption criteria reviewed and updated |
Exercise: Compare Breach Notification Across APAC
| Country | Regulator | Deadline | Threshold |
|---|---|---|---|
| Singapore | PDPC | ? | ? |
| Philippines | NPC | ? | ? |
| Japan | PPC | ? | ? |
| South Korea | PIPC | ? | ? |
| China | CAC | ? | ? |
| India | DPB | ? | ? |
Answers
- Singapore: 3 calendar days after assessing that the breach is notifiable / significant harm (prescribed data classes) or significant scale (500 or more individuals)
- Philippines: 72 hours / sensitive PI or 100+ individuals
- Japan: preliminary report promptly (3-5 days per PPC guidance), final report within 30 days (60 days where the cause was access for improper purposes) / sensitive info, risk of financial damage, improper-purpose leak, or 1,000+ individuals
- South Korea: within 72 hours to the PIPC and to affected data subjects since the September 2023 amendment (previously "without delay", with a written report within 5 days) / 1,000+ subjects, sensitive info or unique identifiers such as the RRN, or leakage caused by external intrusion
- China: immediately / when leak, tampering or loss has occurred or may cause harm
- India: in the form and manner prescribed by rules under the Act / every breach, notified to the Board and each affected Data Principal
Exercise: China Data Localization Decision Tree
Your company processes personal data of Chinese users. Answer these questions (volume thresholds are counted cumulatively from 1 January of the current year, per the 2024 CAC Provisions on Promoting and Regulating Cross-Border Data Flows):
- Are you a Critical Information Infrastructure Operator (CIIO)?
- Do you process PI of 1,000,000 or more individuals?
- Do you transfer non-sensitive PI of more than 100,000 individuals abroad?
- Do you transfer sensitive PI of more than 10,000 individuals abroad?
Map the answers to the obligation:
- Yes to question 1 or 2: store the personal data collected or generated in China within mainland China (PIPL Article 40) and pass a CAC Security Assessment before any transfer abroad.
- Yes to question 4: CAC Security Assessment for the transfer.
- Yes to question 3 only (non-sensitive PI of 100,000 to 1,000,000 individuals, sensitive PI of fewer than 10,000): Standard Contract filing with the provincial CAC, or certification by an accredited body.
- No to all, and no important data involved: no transfer mechanism is required, but the PIPL obligations below still apply.
- For every transfer that proceeds: obtain separate consent from the individuals, conduct a PIPIA before the transfer, and inform individuals of the overseas recipient, purpose, method and how to exercise their rights.
Exercise: South Korea RRN Compliance
South Korea's Resident Registration Number (RRN) has the strictest protections in APAC.
- Can you require RRN for user registration? (Answer: only if specifically permitted by law)
- How must RRN be stored? (Answer: encrypted with strong key management)
- Who can access RRN? (Answer: authorized personnel only, with audit logging)
- When must RRN be deleted? (Answer: when the collection purpose is fulfilled)
Audit your application:
- [ ] Verify RRN is not collected unless legally required
- [ ] Verify RRN field is encrypted in database (not just hashed)
- [ ] Verify access is restricted to a whitelist of roles
- [ ] Verify all RRN access is logged with user ID and timestamp
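The checklist above maps onto a small amount of application code. The following Go program is an added example, not code from the original page or from any vendor's pack: it shows one way an RRN column can satisfy all four items at once. `RRNVault`, the role names, the `"hypothetical statute ref"` legal-basis string and the sample number `900101-1234567` (a placeholder in RRN format, not a real person's number) are all constructed for the example. It assumes the 32-byte AES-256 key is supplied from outside the database (a KMS or HSM in a real deployment), uses AES-GCM so the stored value is authenticated as well as confidential, binds each ciphertext to its row by using the user ID as additional authenticated data, gates decryption on an allow-list of roles, and appends an audit entry with actor, role and timestamp for every attempt, including denied ones.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AuditEvent is one RRN access-log entry; denied and failed attempts are logged too.
type AuditEvent struct {
	When                                  time.Time
	Actor, Role, Action, Subject, Outcome string // Action: store/read/delete; Outcome: ok/denied/missing
}

// RRNVault is a hypothetical RRN store. The database column holds only nonce||AES-256-GCM
// ciphertext; the key is injected at construction and in a real deployment comes from a KMS/HSM.
type RRNVault struct {
	aead    cipher.AEAD
	records map[string][]byte // userID -> nonce||ciphertext, i.e. the column value
	allowed map[string]bool   // roles permitted to decrypt
	Audit   []AuditEvent
}

// NewRRNVault takes a 32-byte key (AES-256) and the allow-list of roles that may read RRNs.
func NewRRNVault(key []byte, allowedRoles []string) (*RRNVault, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	v := &RRNVault{aead: aead, records: map[string][]byte{}, allowed: map[string]bool{}}
	for _, r := range allowedRoles {
		v.allowed[r] = true
	}
	return v, nil
}

func (v *RRNVault) log(actor, role, action, subject, outcome string) {
	v.Audit = append(v.Audit, AuditEvent{time.Now(), actor, role, action, subject, outcome})
}

// Store refuses to collect an RRN unless the caller records the statutory basis permitting
// collection (PIPA art. 24-2); the basis is whatever citation the operator's legal review produced.
func (v *RRNVault) Store(actor, role, userID, rrn, legalBasis string) error {
	if legalBasis == "" {
		v.log(actor, role, "store", userID, "denied")
		return errors.New("no statutory basis recorded for RRN collection")
	}
	nonce := make([]byte, v.aead.NonceSize())
	rand.Read(nonce) // crypto/rand; a fresh nonce per record
	// userID as additional authenticated data binds the blob to its row: a copied ciphertext fails to decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(rrn), []byte(userID))
	v.records[userID] = append(nonce, ct...)
	v.log(actor, role, "store", userID, "ok")
	return nil
}

// Read decrypts only for an allow-listed role and logs every attempt with actor and time.
func (v *RRNVault) Read(actor, role, userID string) (string, error) {
	if !v.allowed[role] {
		v.log(actor, role, "read", userID, "denied")
		return "", errors.New("role not permitted to read RRN")
	}
	blob, ok := v.records[userID]
	if !ok {
		v.log(actor, role, "read", userID, "missing")
		return "", errors.New("no RRN on file")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(userID))
	if err != nil {
		v.log(actor, role, "read", userID, "denied")
		return "", err
	}
	v.log(actor, role, "read", userID, "ok")
	return string(pt), nil
}

// Delete removes the ciphertext once the collection purpose is fulfilled.
func (v *RRNVault) Delete(actor, role, userID string) {
	delete(v.records, userID)
	v.log(actor, role, "delete", userID, "ok")
}

// StoredBlob returns the raw column value so a check can confirm there is no plaintext at rest.
func (v *RRNVault) StoredBlob(userID string) ([]byte, bool) { b, ok := v.records[userID]; return b, ok }

func main() {
	key := make([]byte, 32) // demo key only; a real deployment fetches it from a KMS
	rand.Read(key)
	v, _ := NewRRNVault(key, []string{"kyc-officer"})
	_ = v.Store("alice", "kyc-officer", "u1", "900101-1234567", "hypothetical statute ref") // constructed RRN
	_, denied := v.Read("bob", "support", "u1")
	fmt.Println("support read denied:", denied != nil, "| audit entries:", len(v.Audit))
}
```

The audit slice stands in for an append-only log sink; in production it should go to a store the application's own database role cannot modify, since a log the data owner can edit does not satisfy the "all RRN access is logged" check. Hashing is deliberately not used: the Korean safeguard standard treats one-way hashing as suitable for passwords, while an RRN must remain recoverable for the statutory purpose, so it is encrypted with a managed key.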