Last review date: 13 January 2025
Yes
a) data localization/data residency laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may be also be stored outside of the jurisdiction):
As set out in the previous section, a CIIO is required to store personal information in the PRC that it collects and generates in the course of operations conducted in the PRC. Transfer of personal information overseas is subject to a security review assessment. In addition, a controller processing personal information above the statutory thresholds is also required under the PIPL to store and process personal information within the PRC.
b) other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:
- national security laws
- anti-investigatory/blocking statutes that restrict any activity on local territory that aids a foreign government investigation
- export control laws
National security laws: If the personal information is regarded as or forms part of a state secret, such personal information must not be transmitted abroad unless prior approval from the relevant government authorities is obtained.
Banking laws: Banking and financial institutions must store, process and analyze the personal information of financial customers collected and generated domestically within the territory of China.
Vehicle data security rules: Vehicle companies must store and process vehicle data (broadly defined to include personal information and other data) within the PRC.
Healthcare big data rules: Companies that process healthcare big data (broadly defined to include healthcare-related data generated in the course of disease prevention, health management and other activities) should store such big data in secured servers located within China and should complete the security review in accordance with the relevant laws and regulations if there is a genuine business need to transfer the data out of China.
Last review date: 13 January 2025
- Obligation for public sector organizations to share or make accessible non-personal data
- Obligation for private organizations to share or make accessible data generated by connected or "IoT" devices
- Obligation for private organizations to share or make accessible non-personal health data
- Obligation for private organizations to share or make accessible non-personal financial data
- Obligation for private organizations to share or make accessible other non-personal data
If so, please provide brief details of the relevant law or regulation.
If a data processor processes data deemed by the relevant departments or local government as important data, or if it is publicly announced as such, the data processor may be subject to the industry-specific data localization requirement.
For example, according to the Several Provisions for the Administration of Security of Vehicle Data (for trial implementation) ("Vehicle Data Provisions"), a vehicle data processor must store important data defined under the Vehicle Data Provisions in China and complete the security assessment before exporting any of such important data.