What Privacy Impact Assessments Are Required for Foreign Companies Using Biometrics in China?

Date:

Share post:






What Privacy Impact Assessments Are Required for Foreign Companies Using Biometrics in China?


What Privacy Impact Assessments Are Required for Foreign Companies Using Biometrics in China?

Foreign companies deploying biometric systems in China — whether for employee attendance tracking, customer identity verification, access control, surveillance, or payment authentication — must complete a formal Personal Information Protection Impact Assessment (PIPIA) before processing can begin. This requirement is not merely a best-practice recommendation; it is a legal obligation under the Personal Information Protection Law (PIPL) of China, which came into full effect on November 1, 2021.

This FAQ explains exactly what a PIPIA entails, when it is required specifically for biometric data processing, what the assessment must cover, how to conduct one, and what foreign companies commonly get wrong.

What Is a Personal Information Protection Impact Assessment (PIPIA)?

A PIPIA is a systematic process — analogous to a Data Protection Impact Assessment (DPIA) under the EU’s GDPR — designed to identify, evaluate, and mitigate privacy risks associated with personal information processing activities. Under Article 55 of the PIPL, a PIPIA is mandatory in the following scenarios:

  • Processing of sensitive personal information (including biometric data)
  • Automated decision-making that may significantly affect individual rights
  • Entrusting processing of personal information to a third party
  • Transferring personal information to a third party
  • Disclosing personal information to the public
  • Transferring personal information outside of China
  • Other processing activities that may significantly affect the rights and interests of individuals

For foreign companies using biometric technologies in China, nearly every biometric use case triggers at least two — and often three or more — of these conditions simultaneously. A PIPIA is therefore mandatory in virtually every scenario.

When Exactly Is a PIPIA Required for Biometrics?

The following biometric processing activities by foreign companies in China definitely require a PIPIA:

Biometric Use Case PIPL Trigger(s) PIPIA Required?
Employee fingerprint/face attendance tracking Sensitive PI processing (Art. 28, 55) Yes — always
Customer face recognition for payments Sensitive PI + automated decision-making Yes — always
Visitor biometric access control Sensitive PI processing Yes — always
Voiceprint authentication for call centers Sensitive PI + entrustment Yes — always
Cross-border transfer of biometric HR data Sensitive PI + cross-border transfer Yes — always (dual trigger)
Biometric data used for statistical analysis (anonymized) May not trigger if truly anonymized Usually no, but proof of anonymization is required
Biometric data stored only on local device, no network transmission Sensitive PI processing still triggered Yes — processing itself is the trigger

The key point is that the threshold for triggering a PIPIA under PIPL is lower than under GDPR. Under GDPR, a DPIA is required only when processing is “likely to result in high risk.” Under PIPL, processing any category of sensitive personal information — including biometric data — creates a mandatory obligation to conduct a PIPIA, regardless of the risk level.

What Must a PIPIA Cover?

Article 56 of the PIPL specifies the minimum content of a PIPIA. For biometric processing activities, the assessment must include:

1. Necessity and Proportionality of the Processing

The assessor must demonstrate that the collection and processing of biometric data is necessary for the stated purpose and proportionate to the objective. For example: if an attendance system uses fingerprint scanning, the business must explain why a less invasive method (badge swiping, PIN entry) would not be sufficient. Chinese regulators increasingly expect foreign companies to adopt the principle of “data minimization” — collect the least amount of biometric data needed for the purpose.

2. Impact on Individual Rights and Interests

The assessment must evaluate how the biometric processing affects the data subjects. This includes not only privacy risks but also risks of identity theft, discrimination, social sorting, exclusion from services, and reputational harm. For foreign companies, this section should also consider the heightened concerns of Chinese citizens regarding foreign entities processing their biometric data.

3. Security Measures Implemented

The business must document the technical and organizational security measures in place to protect biometric data, including:

  • Encryption standards for biometric data at rest and in transit (minimum: AES-256 for storage, TLS 1.3 for transmission)
  • Access control mechanisms and role-based permissions
  • Pseudonymization or anonymization techniques applied
  • Incident response and breach notification procedures
  • Data retention and secure deletion protocols
  • Physical security for on-premises biometric databases

4. Cross-Border Transfer Conditions (if applicable)

If biometric data will be transferred outside China, the PIPIA must include an assessment of whether the overseas recipient provides adequate data protection. This requires a detailed analysis of the recipient country’s legal framework, the contractual protections in place, and any risks specific to biometric data leakage or misuse abroad.

5. Records of the Assessment

The PIPL requires that the PIPIA report be kept on file for at least three years from the completion of the processing activity. The report must be made available to the CAC or other regulatory authorities upon request. Failure to produce a PIPIA upon inspection carries the same penalties as failure to conduct one.

How Should Foreign Companies Conduct a PIPIA for Biometrics?

While there is no single mandated format for a PIPIA under Chinese law, the national standard GB/T 39335-2020 (“Personal Information Security Impact Assessment Specification”) provides a detailed methodology. Here is a step-by-step approach recommended for foreign companies:

Step 1: Define the Processing Scope

Document precisely what biometric data is being collected (fingerprint templates, facial recognition vectors, iris scans, voiceprints, gait patterns), for what purpose, by whom, through what means, and where it is stored.

Step 2: Identify the Legal Basis

Determine which legal ground under PIPL supports the processing. For biometric data, typical legal bases include separate consent (Article 13(1)), human resources management necessity (Article 13(2)), or contract performance necessity (Article 13(2)). Document the basis clearly.

Step 3: Map the Data Flow

Create a complete data flow diagram showing how biometric data moves from collection through storage, processing, sharing, transfer, and deletion. Identify all third parties (cloud providers, software vendors, payroll processors) with access to biometric data.

Step 4: Identify and Assess Risks

For each processing activity, identify privacy risks specific to biometric data. Common risks include:

  • Reidentification risk: Even anonymized biometric templates can potentially be matched back to individuals through cross-referencing with other databases
  • Function creep: Biometric data collected for one purpose (e.g., access control) being reused for another (e.g., employee monitoring)
  • Breach exposure: Unlike passwords, compromised biometric data cannot be replaced — the risk is permanent
  • Discrimination risk: Biometric systems may have differing accuracy rates across demographic groups

Step 5: Identify Mitigation Measures

For each identified risk, document the specific measures taken to reduce or eliminate it. This may include technical controls (encryption, on-device processing, template protection techniques), organizational controls (policies, training, audits), and contractual controls (data processing agreements, cross-border transfer safeguards).

Step 6: Document and Approve

Formalize the PIPIA report, obtain sign-off from the company’s data protection officer (or equivalent) and senior management, and store the report in accordance with the three-year retention requirement. The report should be reviewed and updated whenever there is a material change to the processing activity.

Common Mistakes Foreign Companies Make

Foreign businesses conducting PIPIAs for biometric processing in China frequently fall into these traps:

  • Treating PIPIA as a one-time exercise: The PIPL requires that PIPIAs be conducted before processing begins, but also that they be updated when circumstances change — such as adding a new biometric modality, expanding the number of data subjects, or introducing a new overseas data processor
  • Copying GDPR DPIAs: While the methodology is similar, PIPL requirements differ in key areas. For example, PIPL places greater emphasis on the “necessity” analysis and expects more detailed documentation of security measures. A GDPR DPIA is not a substitute for a PIPL-compliant PIPIA
  • Overlooking third-party processors: Many foreign companies use third-party biometric systems (e.g., cloud-based facial recognition APIs from Chinese or international vendors). The PIPIA must cover the entire processing chain, including the security measures of each third party
  • Failing to involve local counsel: PIPL enforcement is still evolving in China. Assessments that would be acceptable in one jurisdiction may fail inspection in another. Local Chinese data privacy counsel should review every PIPIA before biometric processing begins
  • Inadequate consent records: The PIPIA should cross-reference the consent management system to demonstrate that separate, specific consent was obtained for biometric processing as required under Article 28

What Are the Consequences of Not Conducting a PIPIA?

Failure to conduct a mandatory PIPIA before processing biometric data in China exposes foreign companies to the full range of PIPL penalties:

  • Corrective orders: Regulators can order the immediate cessation of biometric processing and deletion of all collected data (Article 66)
  • Fines of up to RMB 50 million or 5% of annual revenue: For serious violations involving sensitive personal information
  • Suspension of business operations: In the most severe cases, Chinese authorities can order the suspension of the company’s China operations
  • Personal liability for management: Fines of RMB 100,000 to RMB 1 million for responsible individuals, plus potential prohibition from holding data-related positions
  • Civil damages: Individuals are entitled to claim compensation for PIPL violations, and class-action mechanisms are increasingly being used in China

Key Takeaway

Bottom line: Foreign companies using biometrics in China are legally obligated to conduct a Personal Information Protection Impact Assessment before processing begins. The PIPIA must be comprehensive — covering necessity, proportionality, individual impact, security measures, and cross-border transfer conditions — and must be updated whenever processing changes. It is not a GDPR-style “high risk” trigger requirement; it applies to all biometric data processing, regardless of scale or risk level. The report must be retained for three years and produced upon regulatory demand. Engaging specialized Chinese data privacy counsel to oversee the PIPIA process is strongly recommended, as the regulatory landscape continues to develop.

Related Resources

  • PIPL Articles 55–56: Mandatory PIPIA requirements and content specifications
  • GB/T 39335-2020: National standard for Personal Information Security Impact Assessment methodology
  • GB/T 35273-2020: National standard for Personal Information Security — the primary security specification
  • Cybersecurity Administration of China (CAC): Regulatory guidance on impact assessments for sensitive data processing
© 2026 China Gateway 360 — CG360-BIOMETRICS-FAQ-016


Related articles

Incineration vs Landfill: Which Waste Treatment Approach for Industrial Waste in China?

Incineration vs Landfill: Which Waste Treatment Approach for Industrial Waste in China? China's industrial sector generates over 3.5 billion metric to

In-House ESG Reporting vs Third-Party Auditing: Which Sustainability Approach in China?

In-House ESG Reporting vs Third-Party Auditing: Which Sustainability Approach in China? Last updated: July 2026 | Category: Environmental Compliance |

China National ETS vs Voluntary Carbon Market: Which Carbon Trading Approach for Foreign Firms?

China National ETS vs Voluntary Carbon Market: Which Carbon Trading Approach for Foreign Firms? Last updated: July 2026 | Category: Environmental Comp

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreign Firms

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreig