Data Protected - People's Republic of China

Last updated October 2022

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws

Personal Information Protection Law

The Personal Information Protection Law of the People’s Republic of China (the “PIPL”) is the primary personal data protection legislation in the People’s Republic of China (the “PRC” or “China”).

This summary mainly focuses on requirements under the PIPL, rather than other sector-specific laws and regulations.

Other sector-specific laws and regulations relating to data protection

The PRC Cybersecurity Law (the “CSL”) regulates cybersecurity in China. Despite its focus on cybersecurity, the CSL also contains general provisions relating to personal data protection. Most of these provisions are repeated in or supplemented by the PIPL.

The PRC Data Security Law (the “DSL”) regulates data processing activities, seeking in particular to enhance the security of data and to facilitate the development and utilisation of data. While the DSL applies to data generally, it focuses on protection of “important data” and “core data” that are relevant to the PRC’s national security, national economy, and public interest. The majority of important data and core data is non-personal data.

In addition, there are principles and rules relating to data protection that can be found in other laws, regulations and local provisions, including: (i) general principles and provisions relating to privacy in the Chinese Constitution, the Civil Code, the Tort Liability Law and the Criminal Law; (ii) sector-specific provisions, such as laws and regulations relating to the credit reference, internet, financial, telecommunications, automotive, e-commerce and consumer protection sectors; (iii) legislation in connection with personal data protection at the local level, such as the Shenzhen Special Economic Zone Data Regulations and the Shanghai Municipal Data Regulations; and (iv) various implementing rules under the CSL, DSL and PIPL (together, the “Personal Data Protection Regulations”).

There are also national and local guidelines on protection of personal data, such as the guidelines on protection of personal data jointly issued by the General Administration of Quality Supervision, Inspection and Quarantine and the State Standardisation Administration (the “TC260”) in 2017 and amended in 2020 (the “Personal Data Protection Guidelines”). Although the Personal Data Protection Guidelines do not have force of law, they are considered by market participants to set out the best practice that is likely to be expected by Chinese regulators.

Finally, in January 2019, the Ministry of Industry and Information Technology (the “MIIT”), the Cyberspace Administration of China (the “CAC”), the Ministry of Public Security (the “MPS”) and the State Administration of Market Supervision (the “SAMR”) jointly announced a rectification programme targeting the misuse of personal data by operators of mobile internet applications in China (the “App Rectification Announcement”). Following release of the App Rectification Announcement, various implementing rules have been issued and apps generally remain under scrutiny by the relevant Chinese authorities.

References to China or the PRC in this summary are references to the People’s Republic of China excluding Taiwan and the Hong Kong and Macau Special Administrative Regions.

Entry into force

The PIPL came into force on 1 November 2021.

The CSL came into force on 1 June 2017.

The Personal Data Protection Guidelines came into effect on 1 October 2020.

The DSL came into force on 1 September 2021.

The Personal Data Protection Regulations have varying dates on which they entered into force.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

There is no independent data protection authority.

However, the CAC is responsible for the overall planning and co-ordination of personal data protection work and related supervision and administration, so is generally regarded as the leading data protection authority.

In addition, there are also competent authorities in some industries monitoring the enforcement of the Personal Data Protection Regulations in their respective areas. In practice, these authorities typically include the MIIT, the MPS, the SAMR and their respective local branches.

Notification or registration scheme and timing

There is currently no general notification or registration obligation triggered by the collection of personal data.

However, there are some reporting requirements under the PIPL that may be applicable to certain organisations’ data processing activities in the PRC. For example, certain organisations are required to report to their supervisory authority information relating to their appointed local representative and/or data protection officers.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PIPL applies to the processing of personal data within the PRC.

It also applies on an extraterritorial basis to processing activities outside the PRC: (i) for the purpose of providing products or services to natural persons located within the PRC; (ii) to analyse or assess behaviour of natural persons within the PRC; or (iii) under any other circumstance as provided by any law or administrative regulation.

Is there a concept of a controller and a processor?

Yes. The PIPL uses the terms “personal information processor” (similar to a controller) and “entrusted party” (similar to a processor).

A “personal information processor” (a “PI Processor”) refers to an organisation or individual that independently decides on the processing purposes and processing methods during personal data processing activities.

An “entrusted party” is not specifically defined in the PIPL but generally refers to a party that processes personal data on the PI Processor’s behalf, and must process personal data in line with the purpose, period and means as agreed upon with the PI Processor. Certain PIPL obligations also apply to an entrusted party.

Are both manual and electronic records subject to data protection legislation?

Yes.

Are there any national derogations?

Yes. In general, disclosure obligations under Chinese law override personal data protection laws. Disclosure of data may be required by government authorities and courts under different circumstances.

Some key disclosure situations include: (i) entities and individuals are under an obligation to disclose information to regulators in regulatory investigations; (ii) the courts, public security organs and procuratorates may request entities and individuals involved in legal proceedings to give access to documents and information relating to such proceedings; (iii) the disclosure of government-held information where non-disclosure would have a material adverse impact on the public interest; and (iv) the disclosure of the identity of dishonest debtors in court enforcement proceedings.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data (or more specifically, to use the term in the PIPL, “personal information”) refers to all kinds of information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymised information.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

Processing of personal data must comply with the general data protection principles under the PIPL: (i) Lawfulness, legitimacy, necessity and good faith principle: personal data must be processed under the principles of lawfulness, legitimacy, necessity and good faith and shall not be processed in a deceptive and misleading manner; (ii) Purpose limitation and data minimisation: personal data must be processed with clear and reasonable purposes and directly relevant to the processing purpose; (iii) Transparency: PI Processors must be open and transparent in personal data processing and rules on personal data processing; (iv) Accuracy: personal data to be processed must be accurate and updated in a timely manner; (v) Accountability and security: PI Processors must be responsible for their data processing activities and take necessary measures to protect the security of personal data being processed; and (vi) Storage limitation: personal data should only be retained for the minimum period necessary to fulfil the purpose of data processing, unless applicable laws provide otherwise.

The processing of personal data must also satisfy at least one condition for processing personal data. These conditions are that the processing is: (i) necessary for the conclusion or performance of a contract; (ii) necessary for human resources management in accordance with the law; (iii) necessary for the performance of statutory duties or obligations; (iv) necessary for the response to public health or other emergencies; (v) within a reasonable scope for news reporting, media supervision, and other activities conducted in the public interest; (vi) related to publicly available personal information and within a reasonable scope (yet to be defined) in accordance with the PIPL; and (vii) other circumstances as provided by laws or administrative regulations.

Are there any formalities to obtain consent to process personal data?

Yes. Consent must be voluntarily and explicitly given by the data subject on a fully informed basis.

As a general principle, to obtain consent, PI Processors must truthfully, accurately, and completely notify data subjects in a conspicuous way and in clear and easily understood language. In some cases, such as the processing of sensitive personal data, “separate consent” must be obtained, i.e. the consent cannot be bundled with the general consent to other processing activities.

Consent can be withdrawn by the data subject.

Are there any special rules when processing personal data about children?

Yes. Under the PIPL, a child is someone of 13 years of age or less. Consent from a child in relation to processing of his or her personal data will only be valid if authorised by a parent or other guardian.

The personal data of children is treated under the PIPL as sensitive personal data so the additional obligations applicable to sensitive personal data would apply to the processing of personal data of children under the age of 14. There are also special rules protecting the criminal records of juveniles under the age of 18 (see below).

Are there any special rules when processing personal data about employees?

Apart from the legal basis under the PIPL of processing personal data as is necessary for human resources management in accordance with the law (see above), there are no specific rules regulating the processing of personal data about employees.

There are, however, restrictions relating to collection of personal data of employees. Under the Employment Contract Law, an employer is entitled to assess the basic situation of an employee related to his or her employment contract, and the employee must provide information as requested accordingly. While there is no guidance on the meaning of “the basic situation of an employee related to an employee’s employment contract”, in practice an employer may not collect an employee’s personal data which bears no relationship to his or her employment, such as his or her religious belief, details of personal property, etc. In addition, if the processing involves sensitive personal data, which is common in an employment context, additional obligations applicable to sensitive personal data would apply to such processing (see below).

In addition, in February 2019 nine central governmental authorities issued a circular promoting the employment of females and putting an express ban on gender discrimination during recruitment. Under this circular, during a job interview, an employer is not permitted to ask a female candidate about her marital status or her circumstances relating to childbirth or children. Similarly, pregnancy tests are now prohibited as part of any pre-employment medical check.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data refers to the personal data that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and information of minors under the age of 14.

This is different to the standard types of sensitive personal data (though there are some similarities).

Are there additional rules for processing sensitive personal data?

Yes. Processing of sensitive personal data can only be conducted as necessary for specific purposes and under strict protection. Additional notification should be provided to data subjects about the necessity of the processing and the impact on their rights and interests except where notification is not necessary in accordance with law. Where PI Processors rely on consent, they must obtain data subjects’ separate consent or, if required by relevant laws, written consent.

Finally, a PIPIA (as defined below) must be conducted before the processing of sensitive personal data.

Are there additional rules for processing information about criminal offences?

 

Information about criminal offences is likely to be treated as sensitive personal data and is thus subject to the additional rules for processing sensitive personal data (see above). There are no other specific rules regulating the processing of information about criminal offences.

However, there are special rules relating to criminal records of juveniles under 18 years old who commit a criminal offence and are sentenced to imprisonment for 5 years or less or receive lighter penalties. These records must be kept strictly confidential and may not be provided to any entity or individual unless such provision is required according to applicable law.

In addition, any individual who has received a criminal penalty must actively report such information when enlisted or employed. Juveniles under 18 years old who commit a criminal offence, and are sentenced to imprisonment for 5 years or less or receive lighter penalties, are exempted from such reporting obligations.

 

Are there any formalities to obtain consent to process sensitive personal data?

Yes. Where personal data is processed on the basis of consent, a “separate consent” must be obtained, i.e. consent to the processing of personal information should not be bundled with consent to other processing activities.

Furthermore, where laws or administrative regulations other than the PIPL provide that written consent must be obtained for the processing of sensitive personal data, those provisions will prevail. 

_____________________________________________________________________

Data Protection Officers 

When must a data protection officer be appointed?

When a PI Processor processes personal data reaching or exceeding a certain volume (to be specified by the CAC), it must appoint a person in charge of personal data protection, commonly referred to as a data protection officer (a “DPO”).

The DPO’s contact details must be made public, and his or her name and contact details must be provided to the authority.

However, further details relating to the qualifications of any DPO remain to be released in implementation rules under the PIPL.

Although it is only best practice guidance, the Personal Data Protection Guidelines suggest that a data protection officer should be appointed to supervise personal data protection processes where a controller either: (i) has a principal business that involves processing of personal data and an aggregate number of employees in excess of 200; or (ii) processes personal data of more than 1,000,000 data subjects or expects to process personal data of more than 1,000,000 data subjects within 12 months, or processes the sensitive personal data of more than 100,000 data subjects.

What are the duties of a data protection officer?

A DPO is in charge of an organisation’s personal data protection, responsible for overseeing personal data processing activities as well as the protection measures taken.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Yes. The PIPL introduced accountability obligations, stating that PI Processors must be responsible for their data processing activities and take necessary measures to protect the security of personal data being processed.

Following this principle, organisations are mandated to formulate internal management systems and operational procedures, implement classified management of personal information, adopt corresponding security technical measures, conduct regular safety education and training for practitioners, etc.

PI Processors are also required to keep records of certain processing activities, similar to the record keeping obligations in the GDPR.

Are privacy impact assessments mandatory?

Yes. The PIPL requires a PI Processor to conduct a personal information protection impact assessment (“PIPIA”) where it: (i) processes sensitive personal data; (ii) uses personal data to conduct automated decision-making; (iii) entrusts personal data processing, provides personal data to other PI Processors, or discloses personal data to the public; (iv) provides personal data to an overseas recipient; or (v) conducts other personal data processing activities which have major impacts on data subjects' rights and interests.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Before processing personal data, a PI Processor must truthfully, accurately, and completely notify data subjects of the processing in a conspicuous way and in clear and easily understood language (with limited exceptions and qualifications).

The matters to be notified to data subjects include: (i) the name and contact information of the PI Processor; (ii) purposes and methods of processing of personal data, categories of personal data to be processed, and the retention periods; (iii) methods and procedures for data subjects to exercise the rights provided in the PIPL; and (iv) other matters that should be notified as provided by laws and administrative regulations. Where any matter as set forth in (i) to (iv) changes, the PI Processor must notify the data subject of the change.

In addition, in March 2019, in connection with the App Rectification Announcement, a special working group commissioned by the CAC, MIIT, MPS and SAMR published more detailed guidance on privacy notices as part of their guidelines for self-assessment of the illegal collection and use of personal data by mobile application operators (the “App Self-Assessment Guidelines”).

In May 2022, TC260 released a draft national standard named Information Security Technology — Requirements of Privacy Policy of Internet Platforms, Products and Services for public consultation which, once implemented, will provide more detailed guidance on drafting privacy notices.

Rights to access information

Data subjects have the right to access, and be given a copy of, their personal data from PI Processors, except under limited circumstances where the laws or administrative regulations provide that the processing must be kept confidential.

Where data subjects request access to or a copy of their personal data, PI Processors must provide such data in a timely manner.

Rights to data portability

Where specific conditions are met (to be specified by the CAC) data subjects can ask a PI Processor to transfer their personal data to another PI Processor.

Right to be forgotten

A data subject has the right to request the PI Processor to delete his or her personal data if: (i) the processing purpose has been achieved or cannot be achieved, or it is no longer necessary to achieve the processing purpose; (ii) the PI Processor ceases the provision of products or services, or the retention period has expired; (iii) the data subject withdraws consent; (iv) the PI Processor processes personal data in violation of any law or administrative regulation or the agreement; or (v) other circumstances as provided by laws and administrative regulations.

Objection to direct marketing

There is no general right to object to direct marketing under the PIPL. However, data subjects have the right to withdraw consent to the processing of their personal data that relies on their consent. As, in general, the processing of personal data for direct marketing purposes can only be conducted with data subjects’ consent, the right to withdraw consent would entail the right to object to direct marketing.

In addition, for marketing conducted by means of automated decision-making, PI Processors must simultaneously provide data subjects with options not targeting individuals' characteristics or convenient ways to object to such processing.

Other rights

The PIPL also provides other types of rights to data subjects (with limited exceptions and qualifications), including: (i) the right to correct or supplement when personal data is found incorrect or incomplete; (ii) the right to request PI Processors to explain their rules for the processing of personal data; (iii) the right to object to decisions made by the PI Processor solely through automated decision-making; and (iv) the right of a deceased person’s close relative to exercise certain rights.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The PIPL contains a general obligation to take necessary measures to protect the security of personal data being processed (see above). Organisations must take measures to prevent unauthorised access to, or breach, tampering or loss of any personal data. As part of this they must formulate an internal management system and operational procedures, implement classified management of personal data and adopt technical measures such as encryption and de-identification.

Specific rules governing processing by third party agents (processors)

Under the PIPL, a PI Processor entrusting the processing of personal data to an entrusted party must oversee the entrusted processing, putting in place an agreement with the entrusted party on a number of matters relating to the processing and rights and obligations between both parties. An entrusted party can only process personal data as agreed and instructed.

Notice of breach laws

The PIPL requires PI Processors to notify the competent authorities and affected data subjects immediately where there is an actual or potential breach, tampering, or loss of personal data.

An exception applies to notifying affected data subjects where measures have been taken to effectively avoid the harm created by the breach. However, the authorities may still require affected data subjects to be notified if they believe the breach may create harm to the data subjects.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Data localisation: Under the PIPL, personal data collected and generated in the PRC by a critical information infrastructure operator or a PI Processor processing personal data reaching a certain threshold amount must store such data domestically, and export of such personal data is subject to certain restrictions (see below).

Data export mechanisms: Under the PIPL, PI Processors must satisfy at least one of the following conditions to transfer personal data outside the PRC: (i) passing a security assessment organised by the CAC, to the extent the data localisation requirements above apply; (ii) obtaining a personal data protection certification issued by a specialised institution; (iii) concluding a contract with the overseas recipient incorporating the “standard contract” to be formulated by the CAC; or (iv) fulfilling other conditions provided in law and regulations.

Additional requirements: Apart from the above, the PIPL further prescribes additional requirements applicable to a personal data export, such as to obtain separate consent (where applicable), provide additional notification and conduct a PIPIA.

Specific data export rules remain to be implemented. In June 2022, TC260 released guidance on the personal data protection certification regime, and the CAC released the draft of the Personal Information Export Standard Contract (“Standard Contract”) and corresponding draft Standard Contract Provisions. In July 2022, the CAC released the Measures on Data Export Security Assessment, which will take effect from 1 September 2022. This set of measures specifies the scope of data processing that would be subject to a data export security assessment and the procedures for conducting such a security assessment with the CAC.

Notification and approval of national regulator (including notification of use of Model Contracts)

As set out above, a PI Processor will require approval in some cases, e.g. where it needs to pass a security assessment organised by the CAC.

Currently there is no obligation under applicable law to obtain approval for the use of the standard contract to be released by the CAC. Nevertheless, the draft Standard Contract Provisions require PI Processors to file their Standard Contracts and respective PIPIA reports with local branches of the CAC within 10 days from the effective date of the Standard Contracts.  

Use of binding corporate rules

There are no rules relating to the use of binding corporate rules, albeit a data export certification regime (to be implemented) may introduce similarities in this respect.

_____________________________________________________________________

Enforcement

Fines

The regulators have a range of powers under the PIPL, including directing an organisation to pay a financial penalty of up to RMB 50 million (circa USD 7.5 million) or up to 5% of the previous year’s turnover.

In addition, the directly responsible persons (e.g., directors, senior managers, DPOs or other persons who are in charge of data processing within the organisation) can be subject to a fine of up to RMB 1 million (circa USD 150,000) and prohibited from assuming managerial and DPO roles for a certain period.

Imprisonment

Under the Chinese Criminal Law, any individual may be imprisoned for up to seven years for: (i) illegally selling or providing to others personal data; or (ii) stealing or otherwise illegally accessing personal data, if in either case the relevant circumstances are severe.

Compensation

When the personal data processing infringes upon rights and interests relating to personal data and causes damage, and the organisation cannot prove that it is not at fault, the organisation may have civil liability for damage and other tort liability.

Other powers

Sanctions for contravention of the PIPL will depend on the legal obligation that has been contravened and the nature of that contravention. Sanctions may include administrative sanctions, such as a warning, fines, confiscation of profit arising from the violation, suspension or revocation of operating licences and website or application shutdown.

Practice

App enforcement: Based on publicly disclosed sanctions among enforcement actions in 2021 following the App Rectification Announcement, 1,549 mobile apps across various industries were publicly named for data non-compliance, and 514 apps that failed to rectify issues were removed from app stores and penalised with various sanctions including suspension of services and monetary fines.

Early enforcement under the PIPL: Since the PIPL came into effect on 1 November 2021, several enforcement cases have been heard relating to the PIPL. For example, the Shenzhen public security bureau issued a warning to a Shenzhen technology company that was found to have violated the PIPL through the illegal processing of personal information by its mobile application, and ordered it to take effective measures for rectification. PIPL enforcement is expected to increase over the next few years.

Other enforcement action: The number of administrative and criminal cases relating to the violation of the Personal Data Protection Regulations has increased in recent years. There have been some cases of individuals being imprisoned for selling personal data in violation of the Chinese Criminal Law provision outlined above. In addition, there have been some data protection and privacy related civil lawsuits brought by individuals and public interest litigations launched by local procuratorates and consumer associations.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The principal regulation on ePrivacy is the Resolution of the Standing Committee of the National People’s Congress relating to Strengthening the Protection of Information on the internet which was issued at the end of 2012. This is the first general law relating to ePrivacy. Some of the other Personal Data Protection Regulations issued by China’s other competent regulatory authorities (such as the MIIT) also include provisions that relate to electronic privacy. For example, the Measures for the Administration of Internet E-mail Services (promulgated in early 2006) include rules relating to marketing by e-mail, as does the Consumer Protection Law (collectively, the “Electronic Privacy Regulations”).

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific requirements or conditions relating to the use of cookies under the Electronic Privacy Regulations.

Regulatory guidance on the use of cookies

The App Self-Assessment Guidelines provide that, where cookies (and other similar techniques) are used for collecting personal data, app users should be explicitly informed about the purpose and method of collection and the scope of personal data to be collected.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Electronic Privacy Regulations stipulate that an individual or institution may only send commercial electronic information by e-mail where: (i) it has obtained prior consent from the receiver or the e-mail is at the receiver’s request; (ii) the receiver has not explicitly refused to receive such information; and (iii) the subject heading of the e-mail includes the words “advertisement” or “AD” (or the equivalent in Chinese as prescribed by the regulations).

Furthermore, when sending commercial advertisements by e-mail, a sender must provide recipients with its contact information to allow recipients the ability to ‘opt out’ or ‘unsubscribe’.

Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.

Conditions for direct marketing by e-mail to corporate subscribers

Although not entirely clear on the face of the Electronic Privacy Regulations, the MIIT seems to take the position that the regulations in respect of direct marketing by e-mail generally apply to corporate subscribers as well as individuals (since individuals similarly operate corporate e-mail accounts).

Exemptions and other issues

The Electronic Privacy Regulations do not include more detailed rules or exemptions except for the general requirements set out above.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The Electronic Privacy Regulations stipulate that an individual or institution may only send commercial electronic information through fixed line telephones or mobile phones where: (i) it has obtained the prior consent of the receiver or the call is at the receiver’s request; and (ii) the receiver has not explicitly refused to receive such information.

In addition, it is illegal to operate advertising text message services without obtaining a licence from the MIIT.

Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The Electronic Privacy Regulations, in respect of direct marketing by telephone, only apply to individuals and not corporate subscribers.

Exemptions and other issues

The effective Electronic Privacy Regulations do not include more detailed rules or exemptions except for the general requirements set out above.

On 31 August 2020, the MIIT promulgated the Draft Administrative Provisions on Communication SMS and Voice Call Services for public consultation, seeking to tighten telephone marketing regulation. In particular, the draft rules prohibit organisations from sending commercial SMS or making commercial calls without a user’s consent or request, or if the user expressly refuses. In addition, if a user does not explicitly agree, this will be deemed as a rejection, and if the user expressly refuses to accept after giving consent, the organisation must stop its activity. However, these draft rules are yet to be implemented.

_____________________________________________________________________