Data Localization/Residency
Are there data localization / data residency or other types of laws that may require the retention and storage of personal data in the local jurisdiction?

Last review date: 1 January 2024

Yes.

a) data localization/data residency laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may also be stored outside of the jurisdiction):

As set out above, a CIIO is required to store in the PRC the personal information that it collects and generates in the course of operations conducted in the PRC. Transfer of personal information overseas is subject to a security review assessment. In addition, a controller processing personal information above the statutory thresholds is also required under the PIPL to store and process personal information within the PRC.

☒ b) other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:

☒ national security laws
☒ anti-investigatory/blocking statutes that restrict any activity on local territory that aids a foreign government investigation
☐ tax or financial record laws
☐ employment laws
☐ export control laws
☐ other

National security laws: If the personal information is regarded as or forms part of a state secret, such personal information must not be transmitted abroad unless prior approval from the relevant government authorities is obtained.

Banking laws: Banking/financial institutions need to store, process and analyze, within the territory of China, the personal information of financial customers that is collected and generated domestically.

Vehicle data security rules: Vehicle companies must store and process vehicle data (broadly defined to include personal information and other data) within the PRC.

Healthcare big data rules: Companies that process big healthcare data (which is broadly defined to include healthcare-related data generated in the course of disease prevention, health management and other activities) should store such big data on secured servers located within China and should complete the security review in accordance with the relevant laws and regulations if there is a genuine business need to transfer the data out of China.