Obligations for personal information protection appointments

By Sharon Shi and Wu Pengfei, AllBright Law Offices

Companies are increasingly concerned about if they are obliged to establish appointments such as cybersecurity officer, personal information protection officer and data security officer, pursuant to updated cybersecurity, personal information protection and data security laws.

They also enquire about the requirements and legal liabilities of these positions, and several foreign-invested enterprises have also engaged law firms or lawyers to the positions, as with requirements for an external data protection officer (DPO) under the General Data Protection Regulation (GDPR), which are optional. This article compares these positions under the law, and a DPO under the GDPR, from the perspectives of responsibilities, mandatory positions or not, requirements and potential legal liabilities. The table on the right indicates the main characteristics of these key positions under relevant laws.

Sharon Shi, AllBright Law Offices
Sharon Shi
Senior Partner
AllBright Law Offices

Most enterprises, as the network operator, are obliged to appoint a cybersecurity officer. The definition of network operator is broad, including network owners, managers and network service providers. Only enterprises that meet certain conditions are obliged to appoint a head of cybersecurity management, personal information protection officer or data security officer. A critical information infrastructure operator should appoint a person in charge and set up a dedicated security management body. National standards stipulate that enterprises processing personal information of more than a million persons, or sensitive personal information of more than 100,000 persons, shall designate a person in charge of personal information protection. Processors of important data shall identify the person and management body responsible for data security.

Enterprises failing to set up relevant positions may face penalties such as warnings and fines. The authors have observed cases of enterprises sanctioned for not appointing a cybersecurity officer. The Personal Information Protection Law does not directly stipulate legal consequences for failing to set up a personal information protection officer, but the enterprise may be deemed as failing to fulfill personal information protection obligations, and may assume the liabilities. The Data Security Law stipulates severe penalties for important data processors who fail to appoint the person and management body responsible for data security.


Wu Pengfei, AllBright Law Offices
Wu Pengfei
AllBright Law Offices

These positions have specific requirements, and external engagement may not be feasible. Relevant laws stipulate that candidates for these positions should have professional knowledge and relevant work experience. Although not directly specified, the authors regard these positions as not open to external recruitment, unlike the DPO.

If enterprises violate relevant laws, their officers holding these positions may assume personal legal liabilities. Relevant laws stipulate that the offending company bears administrative liabilities, while the head and other main officers in those positions shall face administrative penalties such as fines.


Enterprises meeting certain conditions should set up relevant positions according to the laws to meet compliance requirements. Enterprises should carefully select competent candidates, considering the requirements for these positions and corresponding personal legal liabilities. For individuals holding these positions, the best way to avoid personal liabilities is to perform their duties correctly pursuant to relevant laws and regulations.

Sharon Shi is a senior partner and Wu Pengfei is a counsel at AllBright Law Offices

Allbright Logo

AllBright Law Offices
11/F and 12/F, Shanghai Tower
No. 501 Yincheng Middle Road
Pudong New Area, Shanghai 200120, China
Contact details:
Tel: +86 21 2051 1000
Fax: +86 21 2051 1999