Compliance & Data Privacy in China

5 Minutes

Will China's changes to its legal landscape make investigations and litigation involving information stored in the Country much more difficult?


China is moving forward with its first exhaustive privacy law.

Already in 2016, the People's Republic instituted the Cybersecurity Law (CSL), its main purpose was to protect and regulate the Country's Critical Information Infrastructure. To further address the rising concerns related to the protection of personal information and “important data”, two additional laws were introduced: Data Security Law (DSL) and Personal Information Protection Law (PIPL).

The DSL's main intent was to regulate data processing activities that could have a national security impact, in particular those related to “important data,” while the PIPL was created to protect personal information. Both laws have an important meaning for businesses operating in China that, broadly defined, collect, store, and use data/personal information. On April 29, 2021, the Standing Committee of the National People's Congress of China (NPC) the country's top legislator, released the 2nd draft of the DSL and PIPL for public comment, until May 28, 2021. Once finalized, these three laws, the CSL, DSL, and PIPL, are going to build a convoluted data protection and cybersecurity regulatory framework ruling cross-border transfers of personal and non-personal data.

In particular, the proposed arrangements in the 2nd draft of the DSL and PIPL would add features to already existing laws in several ways.

Here you can find a short overview of the key aspects of the 2nd draft of the DSL and PIPL.


Data Security Law, DSL


1) Data processing activities

The first draft of the DSL points out that this law applies to entities carrying out “data activity” on data that “covers all electronic and non-electronic records of information.” The second draft replaces this term with “data processing activity,” which, according to Article 3 incorporate “the collection, storage, use, refining, transmission, provision, or public disclosure of data”. This revision lines up with the term of “processing” under the PIPL, which is similarly defined as “the collection, storage, use, refining, transmission, provision, or public disclosure of personal information.”

2) Provide the data classification and categorization protection system

The 2nd draft of the DSL demands the central government to implement a “data categorization and classification system”, on national level in order to govern data. Moreover, the central government shall release a catalogue of “important data” and enforce increased protection requirements on “important data”, Article 20.

3) Emphasizing the importance of multi-level protection system

The 2nd draft of the DSL particularly underlines that entities undertaking data processing activities need to implement an internal data security program, which comprehends training personnel and the enforcement of other technical measures, in compliance with the requirements under the Multi-Level Protection Scheme (short “MLPS”), a cybersecurity framework, according to Article 26, under which the government classifies companies' networks physically located in China.

4) Cross-border transfer of important data

Furthermore, the new law prescribes notice and consent for cross-border transfers. Companies must undertake an internal risk assessment prior to transferring data out of China and must also record these transfers. A legitimate transfer mechanism such as a standard transfer agreement, or a security assessment administered by the Cyberspace Administration of China is also mandatory.

5) Request for data by foreign judicial or law enforcement organs

According to Article 35 of the 2nd draft of the DSL, if a foreign judicial or law enforcement organ demands of data that is “stored” within China, such data shall not be provided unless China’s “competent government agency” has authorised such a provision. If treaties or agreements concluded or participated in by China have pertinent provisions about transferring data based on foreign requests, it is permitted to act in line with those provisions. Although, the DSL specifies that it does not apply to state secrets, personal information, or military data, but it applies to all other scenarios in which companies process non-personal data.

6) Penalties for unauthorized provision of data to overseas authorities

Article 46 of the 2nd draft of the DSL states the penalties for the violation regarding Art. 35 of the DSL, starting from a warning to a fine between RMB 100,000 and RMB 1 million for companies and a fine ranging between RMB 20,000 and RMB 200,000 for responsible employees.


Personal Information Protection Law, PIPL


1) Highlighting the principle of minimum necessary

Article 6 of the 2nd draft of the PIPL stress the principle of minimum necessary, by demanding that personal information processing shall be restricted to the minimum scope necessary to fulfil the processing purpose, and shall be performed through a method with the smallest influence on the individual’s rights and interests.

2) A new legal basis for processing personal information

The 2nd draft of the PIPL introduces in its Article 13 a new legal basis for processing personal information, by stating that, when processing previously disclosed personal information within a logical scope, consent is not compulsory. Remarkably, processing personal information on this basis shall also apply to Article 28 of the PIPL, which prescribes the rules for using disclosed personal information.

3) Rules for withdrawing consent

The 1st draft of the PIPL has granted the withdrawal of consent by the data subject. In the 2nd draft, Article 16 of the PIPL prescribes in addiction, that personal information handler (which is alike to the “data controller” under the GDPR) shall allow individuals to withdraw their consent in an easy way. Further, the withdrawal of consent shall not have any repercussions regarding personal information processing activities already begun before the data subject withdraw his or her consent.

4) Cross-border transfer of personal information

The only change established in the 2nd draft of the PIPL regarding cross-border transfer of personal information is that, if a processing entity wants to transfer personal information overseas by signing a transfer agreement, it has to use the “standard contract” published by the Cyberspace Administration of China (short CAC).


These two new drafts leave many questions open, among others, what non-China agencies may define as “judicial and enforcement agencies”. Also the planned restrictions in the DSL and PIPL make even more difficult for multinational companies to decide, in case of a government request or judicial order to produce data or documents stored in China, if they must comply with the request and confront potential penalties and hardship for infringing Chinese law, wait for approval from the Chinese government, or recline to comply with the request and face negative consequences under the laws of the requesting country. In this regard, companies must keep in mind several factors when they deal with a request from a judicial or enforcement agency to produce data stored in China. These two laws are by the way, expected to be enacted within 2021 and will enter into effect in 2022, although companies operating in China ought to get prepared for them without delay.

Privacy Settings


Paramètres de confidentialité

Configuración de privacidad

Configurações de privacidade

Impostazioni sulla privacy

Ustawienia prywatności

Nastavení ochrany osobních údajů

Nastavenia ochrany osobných údajov

On our website we use cookies that are necessary for technical reasons, for example to save your cookie settings and, after you have provided your consent, also marketing cookies, which help us to improve our web presence and implement advertising campaigns.

In this regard, we also use technology by third-party providers (Google, LinkedIn, Microsoft), with which data processing in the USA, where there is no adequate level of data protection, cannot be excluded. IP address data is anonymised by abbreviation.

Your consent is provided on a voluntary basis and may be revoked at any time. Please note that this information applies only to our company website. In order to guarantee absolute confidentiality, we still do not use third-party provider cookies or other marketing technologies in the BKMS® Compliance System.

You can find more information in the data protection policy.

Auf unserer Webseite verwenden wir technisch notwendige Cookies, etwa zur Speicherung Ihrer Cookie-Einstellungen und, nach Ihrer Einwilligung, auch Marketing Cookies, die uns helfen, unseren Internetauftritt zu verbessern sowie Werbekampagnen durchzuführen.

Dabei nutzen wir auch Technologien von Drittanbietern (Google, LinkedIn, Microsoft), bei denen eine Datenverarbeitung in den USA, wo kein angemessenes Datenschutzniveau gewährleistet ist, nicht ausgeschlossen werden kann. IP-Adressdaten werden durch Kürzung anonymisiert.

Ihre Einwilligung ist freiwillig und jeder Zeit widerrufbar. Bitte beachten Sie, dass dieser Hinweis nur für unsere Unternehmenswebseite gilt. Zur Gewährleistung absoluter Vertraulichkeit verwenden wir im BKMS® Compliance System weiterhin weder Drittanbieter-Cookies noch sonstige Marketing Technologien.

Weitere Informationen finden Sie im Datenschutzhinweis.

Sur notre site web, nous utilisons des cookies techniquement nécessaires par exemple pour enregistrer vos réglages en matière de cookies et, après avoir reçu votre consentement, également des cookies de marketing qui nous aident à améliorer notre présence sur Internet et à réaliser des campagnes publicitaires.

Nous utilisons aussi des technologies de fournisseurs tiers (Google, LinkedIn, Microsoft) au cours de l’emploi desquelles ne peut être exclu un traitement des données aux États-Unis, pays où aucun niveau raisonnable de protection des données n’est garanti. Les données d’adresse IP sont tronquées pour les anonymiser.

Votre consentement est facultatif et révocable à tout moment. Veuillez noter que cette remarque ne vaut que pour notre site web d’entreprise. Pour garantir une confidentialité absolue et comme par le passé, nous n’utilisons dans le BKMS® Compliance System ni cookies de tiers ni technologies de marketing diverses.

Vous trouverez d’autres informations dans l’avis relatif à la protection des données.

En nuestra página web utilizamos cookies técnicamente necesarias, como las que se usan para almacenar sus ajustes de cookies, y, tras recabar su consentimiento, utilizamos también cookies de marketing que nos ayudan a mejorar nuestro sitio web y a llevar a cabo campañas publicitarias.

Para ello, hacemos uso también de tecnologías de terceros (Google, LinkedIn, Microsoft), en cuyo caso no se puede descartar que el tratamiento de datos se lleve a cabo en los EE. UU., donde no se garantiza un nivel adecuado de protección de datos. Los datos de las direcciones IP se anonimizan mediante acortamiento.

Su consentimiento es voluntario y puede ser revocado en cualquier momento. Tenga en cuenta que este aviso solo es de aplicación para la página web de nuestra empresa. Para garantizar una confidencialidad absoluta, en el BKMS® Compliance System no utilizamos cookies de terceros ni otras tecnologías de marketing.

Puede encontrar más información en el aviso de protección de datos.

Na nossa página de internet, utilizamos cookies necessários do ponto de vista técnico, por exemplo, para o armazenamento das suas definições de cookies e, após a sua autorização, também cookies de marketing que nos ajudam a melhorar a nossa presença na internet , bem como a realizar campanhas publicitárias.

No processo utilizamos também tecnologias de outros fornecedores (Google, LinkedIn, Microsoft), nos quais não é possível excluir um tratamento de dados nos EUA, onde não é garantido um nível de proteção de dados adequado. Os dados do endereço IP são anonimizados através de redução.

A sua autorização é voluntária e revogável em qualquer altura. Por favor, tenha em consideração que esta mensagem só é válida para a página de internet da nossa empresa. Para garantir absoluta confidencialidade, continuaremos a não utilizar no BKMS® Compliance System nem cookies de outros fornecedores nem outras tecnologias de marketing.

Encontrará mais informações no aviso relativo à proteção de dados

Sul nostro sito web utilizziamo cookie necessari dal punto di vista tecnico, ad esempio per salvare le impostazioni dei cookie e, se l'utente ha fornito il suo consenso, utilizziamo anche cookie di marketing che ci aiutano a migliorare il nostro sito web e realizzare campagne pubblicitarie.

A tale scopo, utilizziamo anche tecnologie di terze parti (Google, LinkedIn, Microsoft) per le quali non è possibile escludere il trattamento dei dati negli Stati Uniti, dove non è garantito un livello adeguato di protezione dei dati. I dati dell'indirizzo IP vengono resi anonimi mediante abbreviazione.

Il consenso dell'utente è volontario e revocabile in qualsiasi momento. Questo avviso si applica solo al nostro sito web aziendale. Per garantire la massima riservatezza, non utilizziamo nel BKMS® Compliance System né cookie di terze parti né altre tecnologie di marketing.

Maggiori informazioni sono disponibili nell'informativa sulla protezione dei dati.

Na naszej stronie wykorzystujemy niezbędne technicznie pliki cookie, np. do zapisywania ustawień cookie, oraz – po wyrażeniu zgody, również cookie marketingowe pomagające nam ulepszać naszą witrynę internetową oraz prowadzić kampanie reklamowe.

Wykorzystujemy przy tym również technologie od dostawców zewnętrznych (Google, LinkedIn, Microsoft), w przypadku których nie można wykluczyć przetwarzania danych na terenie USA, gdzie nie jest zapewniony dostatecznie wysoki poziom ochrony danych. Adresy IP są anonimizowane poprzez skrócenie.

Udzielana zgoda jest dobrowolna i można ją odwołać w dowolnym momencie. Prosimy pamiętać, że ta informacja dotyczy całej naszej strony. Dla zapewnienia pełnej poufności w BKMS® Compliance System nadal nie stosujemy plików cookie dostawców zewnętrznych ani innych technologii marketingowych.

Więcej informacji można znaleźć w informacji o ochronie danych.

Na našich webových stránkách používáme technicky nezbytné soubory cookie, například k uložení vašeho nastavení souborů cookie, a s vaším souhlasem také marketingové soubory cookie, které nám pomáhají vylepšovat naše webové stránky a provádět reklamní kampaně.

Při tom používáme technologie třetích stran (Google, LinkedIn, Microsoft), u nichž nelze vyloučit zpracování dat v USA, kde není zaručena adekvátní úroveň ochrany dat. Data IP adresy jsou anonymizována zkrácením.

Váš souhlas je dobrovolný a můžete jej kdykoli odvolat s účinkem do budoucna. Vezměte prosím na vědomí, že toto upozornění se vztahuje pouze na webové stránky naší firmy. Abychom zajistili absolutní důvěrnost, v systému BKMS® Compliance System nadále nepoužíváme žádné soubory cookie třetích stran ani jiné marketingové technologie.

Další informace naleznete v informacích k ochraně dat.

Používame technicky potrebné súbory cookies, napríklad na úschovu vašich nastavení cookie, a s vašim súhlasom tiež marketingové súbory cookies, ktoré nám pomáhajú zlepšovať našu webovú stránku a uskutočňovať reklamné kampane.

Používame tiež technológie od tretích strán (Google, LinkedIn, Microsoft), pre ktoré nemožno vylúčiť spracovanie údajov v USA, kde nie je zaručená primeraná úroveň ochrany údajov. Údaje IP adresy sú anonymizované skrátením.

Váš súhlas je dobrovoľný a je možné ho kedykoľvek odvolať. Upozorňujeme, že toto oznámenie sa týka iba webových stránok našej spoločnosti. Aby sme zaistili absolútnu dôvernosť, v BKMS® Compliance System naďalej nepoužívame súbory cookies tretích strán ani iné marketingové technológie.

Ďalšie informácie nájdete v oznámení o ochrane osobných údajov.

Show detailed settings Ausführliche Einstellungen anzeigen Montrer des paramètres détaillés Mostrar configuración detallada Apresentar configurações detalhadas Mostra le impostazioni dettagliate Pokaż szczegółowe ustawienia Zobrazit podrobná nastavení Zobraziť podrobné nastavenia Hide detailed settings Detaileinstellungen ausblenden Cacher les paramètres détaillés Ocultar los ajustes detallados Apresentar configurações detalhadas Nascondi le impostazioni dettagliate Ukryj szczegółowe ustawienia Ukryj szczegółowe ustawienia Ukryj szczegółowe ustawienia