Data privacy and cybersecurity in a transactional context | China | Global Data and Cyber Handbook | Baker McKenzie Resource Hub

Start Comparison

Data privacy and cybersecurity in a transactional context

Jump to

Data privacy and cybersecurity in a transactional context Start Comparison

Has the data privacy authority issued any guidance on data privacy compliance in the context of transactional activity (including, but not limited to, share sales, asset sales, reorganizations or spinouts)?

Last review date: 13 January 2025

Yes

If yes, please provide a link

The PIPL generally provides that a controller who needs to transfer personal information of any individual due to a merger, division, dissolution, declaration of bankruptcy or any other reason shall inform the individual of the organizational or personal name and contact information of the receiving party. The receiving party shall continue to perform obligations as a personal information processor. For any change of the original purpose or method of processing, the receiving party shall obtain consent from the individual anew in accordance with the PIPL.

In the context of an asset sale (the sale of a separate business unit as a going concern), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the assets that are the subject of the asset sale)?

Last review date: 13 January 2025

It depends (for example, on the way the asset sale is structured, and/or the assets being acquired)

If so, how would any regulatory fines be calculated?

Last review date: 13 January 2025

Unclear

In the context of a share sale (where the acquiring entity acquires 100% of the shares of a target company), does the acquiring entity inherit liability for pre-acquisition data privacy or cybersecurity breaches (connected with the target company)?

Last review date: 13 January 2025

Yes

If so, how would any regulatory fines be calculated?

Last review date: 13 January 2025

Unclear