PIPIA - Personal Information Protection Impact Assessment

PIPIA RoPA 封面页

Record of Processing Activities 记录数据处理活动

PIPIA Reference No. / PIPIA参考编号

Data Controller / 数据处理者

The Company

本公司

Other

其他

Date of Assessment / 评估日期

Responsible Business Function / 负责的业务部门

Project Name / 项目名称

Information Protection Classification / 信息保护等级

Secret 机密 Strictly Confidential 严格保密 Confidential 保密 Non-public 非公开 Public 公开

Author & Reviewer 填写人与审阅人

Author from Business & DPO/Legal review

Author from Business / 业务部分填写人

DPO/Legal Reviewer / 数据合规审阅人

Assessment Type / 评估类型

Prior PIPIA and content scope

Any PIPIA has been conducted for this case? / 以前是否就该事项做过PIPIA？

No 否 Yes 是

Content of PIPIA / PIPIA的内容

Full version PIPIA 完整版本 Specific module review 仅就部分模块

Step 1. Data Collection 数据收集

Data creation, ingestion, or capture / 数据创造、吸收、获取

ℹ️ Select all relevant data fields from the multi-select dropdown below. Fields are auto-classified based on GB/T 35273 as personal information or sensitive personal information, with the corresponding security level assigned automatically. You only need to specify one shared processing purpose for all selected fields.
从下方多选下拉菜单中选择所有相关数据字段。每个字段根据GB/T 35273自动分类。所有选中字段共享一个处理目的。

Select Data Fields / 选择数据字段 Click to open dropdown, select multiple fields 点击打开下拉菜单，可多选

-- Click to select data fields 点击选择数据字段 --

Shared Processing Purpose for All Selected Fields / 所有选中字段的共同处理目的 Since these fields are collected for the same purpose, specify it once here 这些字段基于同一目的收集，在此统一填写

Data Details 数据详情

Data Quantities / 数据数量 Volume, frequency of collection, or amount of users involved

Business Dependency / 业务对数据处理的依赖性

High 高 Medium 中 Low 低

Network Type / 网络类型

Intranet 内部网络 External Internet 外部互联网

User Interface / 与用户的交互界面

Feature Description / 功能描述

Data Using Department / 数据使用部门

Step II. Processing 数据处理

Storage and processing details

Storage System / 存储系统

Location/Mode of Storage / 存储位置/方式

Offline Processing / 线下处理

Data will be processed offline

数据将通过线下方式处理 → Module 5 Required

Online system NOT reviewed by IT security

非经IT安全评估的线上系统处理 → Module 5 Required

Online system reviewed and approved by IT security

经IT安全评估通过的线上系统处理 → N/A

Responsible Dept & Personnel / 负责部门和负责人

Backup & Restore Capability / 备份恢复能力

Yes 是 No 否

Data Flow Diagram 数据流向图

Visually map how data flows through your systems 可视化数据在系统中的流向

ℹ️ Click a node type in the toolbar, then click on the canvas to place it. Drag nodes to reposition. Click the dot at the bottom of a node, then click another node to draw an arrow. Double-click a node to edit its label.
点击工具栏中的节点类型，然后在画布上点击放置。拖拽节点可移动位置。点击节点底部圆点再点击另一个节点可画箭头。双击节点可编辑标签。

Step III & IV. Archiving & Deletion 备份与销毁

Data Disposal Method / 数据处置方式

Physical destroy

物理销毁

Anonymization

匿名化处理

Not further processed, stored

不再进一步处理，存储

Retention Period & Reason / 存储期限及原因

Retention in Privacy Policy / 隐私政策中的表述

Clearly stated with specific period

已明确表述，有明确期限

Mentioned without specific period

有表述但没有明确期限

Not mentioned

未提及

Module Trigger Analysis 模块触发分析

Based on your inputs, the following modules are triggered / 基于您的输入，以下模块被触发

The system has automatically determined which PIPIA modules are required based on your answers in the RoPA. Module 1 + Module 8 are always required.
系统已根据封面页的回答自动判断需要完成的PIPIA模块。模块1+模块8始终必须完成。

Third Party Processing / 第三方处理数据

Only processed by Data Processor itself, no outsourcing/sharing/cross-border

仅被数据处理者处理 → Module 5

Also processed by third parties

第三方也会处理数据 → See below

Special Circumstances / 特殊情况

Data merging

数据融合 → Module 7

Algorithms or automated decision-making

算法或自动化决策 → Module 6

Triggered Modules Summary 触发模块总览

Module Assessment 模块评估

Complete the triggered modules below / 请完成以下被触发的模块

DPO Evaluation 数据保护官评估

To be filled out by DPO/Legal / 由数据合规审阅人填写

Overall Assessment 整体评估

Double check the following items / 再次检查以下事项：

The proposal regarding retention period is reasonable

数据存储期限是合理的

Understanding is consistent with law requirements

理解与法律要求相符

Recommend consent into current privacy policy

建议当前隐私政策中增加同意

Recommend separate consent

建议单独同意

Recommended Changes / 推荐变更

Follow-up Date / 追踪审核日期

If separate consent is needed / 如需要单独同意：

Separate Consent installed into interface systems

单独同意已添加至相关界面系统

Systems to differentiate refusing data subjects are ready

已准备系统以区分拒绝同意的数据主体

Cross-border Transfer Requirements / 跨境传输要求

Pass government security assessment review

通过网信部门安全评估审查

Personal information protection accreditation

个人信息保护认证

Sign standard contract formulated by CAC

签订网信部门制定的标准合同

Other Comments / 其他评价

Assessment Summary 评估总结

Review and export your PIPIA assessment

Data Fields & Classification 数据字段与分类

Triggered Modules 触发模块

Security Measures Required 所需安全措施

⚡ Action Items 行动项目

PIPIA Assessment Tool

Overall Assessment 整体评估