
Third‑party Funding in Swiss Arbitration: What Insurers and Reinsurers Must Know After the 2026 Reforms

By Global Law Experts
– posted 1 day ago

Dear Client,

 

In light of recent developments in China’s cybersecurity and data protection regulatory environment, we would like to bring to your attention a significant enforcement case concerning Dior (Shanghai) Co., Ltd. Given the relevance of this case to foreign-invested companies operating in China—especially those engaged in cross-border data transfer—we have summarized below the key facts, regulatory implications, and practical recommendations. We hope this alert can assist your team in proactively assessing and enhancing your internal compliance practices.

 

On September 11, 2025, the National Cybersecurity Notification Center of China officially confirmed that Dior (Shanghai) Co., Ltd. has been subject to administrative penalties for violations of the Personal Information Protection Law (“PIPL”). The violations concern several core compliance obligations, including cross-border data transfers (“CBDT”), user notification and consent mechanisms, and technical security safeguards. This case represents one of the most notable enforcement actions against a foreign-invested enterprise in recent years.

Please find below a summary of the key facts of this case and its compliance implications for foreign-invested enterprises operating in China.

 

I. Case Overview

As stated in the official notice, several media reports in May 2025 indicated that the French luxury brand Dior had experienced a data breach incident, with customers in mainland China receiving warning messages from Dior on May 7. Dior identified that unauthorized third parties had accessed certain customer data relating to Chinese customers. The leaked data comprised names, gender, mobile numbers, email addresses, mailing addresses, purchase amounts and preferences, and other customer-related information. Dior confirmed that no financial information had been affected.

Following the incident, local public security organs and cybersecurity authorities conducted an administrative investigation into Dior (Shanghai) and identified the following three legal violations:

• Unlawful cross-border transfer of personal information: Dior (Shanghai) transferred customers’ personal information to its French headquarters without completing any of the legally required procedures—namely, a security assessment declaration, SCC filing, or personal information protection certification.

• Failure to obtain separate consent: Prior to transferring personal information to its overseas headquarters, Dior failed to adequately inform customers about how the overseas recipient would process their data and did not obtain their separate consent.

• Failure to implement necessary technical safeguards: Dior did not apply encryption, de-identification, or other necessary technical measures to protect personal information.

The local public security bureau has imposed an administrative penalty pursuant to the PIPL, though the specific amount of the fine has not yet been made public.

 

II. Regulatory Outlooks and Compliance Implications

The Dior case serves as a representative example of enforcement action against a foreign-invested enterprise for violations of CBDT and the obligation of protecting personal information. While the penalties stem from Dior’s own compliance deficiencies, the case reflects the heightened regulatory sensitivity toward foreign-invested companies transferring personal information from China to overseas recipients.

Against this backdrop, enforcement action is expected to become more stringent for companies whose operations involve centralized processing of Chinese customer/user personal information by overseas headquarters, particularly in sectors such as consumer goods, internet services, and SaaS platforms, which typically handle large volumes of personal information, as well as industries under closer regulatory scrutiny, such as healthcare and finance. Foreign-invested enterprises in these sectors are advised to proactively review their internal compliance and rectify any gaps related to CBDT and personal information protection obligations.

 

III. GLO Recommendations

Given current enforcement trends, foreign-invested enterprises in China are advised to undertake internal compliance self-assessments and remedial actions such as:

• Conducting data mapping on cross-border data transfer scenarios: Reviewing all internal systems and data flows to identify whether data collected or generated in China is synchronized or transferred to overseas headquarters or third-country service providers (e.g., HR management platforms, cloud-based office systems, CRM systems, membership platforms, cloud services), as such transfers constitute regulated CBDT.

• Implementing the appropriate CBDT mechanism: For any identified CBDT scenarios, companies must implement a legally compliant mechanism, such as a security assessment declaration, SCC filing, or personal information protection certification, based on the nature, scale, and sensitivity of the data being transferred.

• Verifying the security assessment’s validity: For companies that have already completed a security assessment, it is critical to confirm whether the three-year validity period has expired. If so, enterprises should prepare and submit an extension request in accordance with the latest “Guidelines for Security Assessment Filing for Data Cross-Border Transfers (Third Edition)”.

• Reviewing data subject consent and notification mechanisms: Prior to transferring personal information overseas, companies must ensure that valid separate consent has been obtained and that data subjects have been fully informed of the overseas recipient’s name, contact details, purpose and method of processing, data fields involved, and the means by which data subjects can exercise their rights with the overseas recipient.

• Strengthening technical safeguards: Companies should classify and grade personal information based on sensitivity, and implement appropriate technical measures, including encryption, de-identification, access controls and management, audit logging, and internal access traceability. It is essential that these measures are fully implemented in live systems and not merely documented on paper.

 

If you need support reviewing your CBDT mechanisms, drafting and filing standard contracts, optimizing data subject consent flows, or implementing technical and governance measures and safeguards, our team is ready to assist. We would be delighted to support your organization in meeting all your data compliance and digitization needs.

Please contact us (mengjie@glo.com.cn) if you require further information or assistance.

 

Cybersecurity & Data Compliance Team

Global Law Office
