A Q&A discussing obligations for private-sector data controllers in China to notify, register with, or obtain authorisation from the data protection authority under China's comprehensive data protection law before processing personal data. It also discusses any requirements for data controllers to appoint a data protection officer (DPO) and any applicable notification or registration obligations relating to DPO appointments. This Q&A does not cover notification, registration, or authorisation requirements for data processors or arising under sectoral laws. For an overview of the data protection law in China, see Practice note, Data privacy in China: overview.