Anyone operating in China faces a dual compliance burden that many companies underestimate. A practical guide to simultaneously and seamlessly complying with the European GDPR and China’s PIPL.

China is not just another country when it comes to data protection law. It operates an entirely separate regulatory system — one that exists in parallel to, and frequently in direct tension with, European data protection law. For any company with even a minimal footprint in China, understanding both frameworks is not optional — it is a legal obligation.
The Dual Compliance Landscape
When a European company operates in China — whether through a local subsidiary, an employee on assignment, a distribution partnership, or simply by offering goods and services to Chinese users — this typically triggers obligations under two entirely separate legal frameworks simultaneously:

GDPR
Protects the personal data of EU citizens. Applies extraterritorially when a non-EU company offers goods or services to individuals in the EU or monitors their behaviour. A fundamental-rights-oriented, principles-based framework.
PIPL
China’s comprehensive data protection law, in force since November 2021. Governs the processing of personal data within China and extraterritorially where Chinese citizens are specifically targeted. A state-centric, rules-based framework.
Both laws share a common objective — protecting individuals from harm caused by the misuse of their personal data — but they stem from fundamentally different legal philosophies, and the practical compliance requirements diverge in ways that carry significant weight in day-to-day business operations.
Practical reality: A routine, low-risk cross-border transfer of employee data to a payroll service provider — a transaction that would rarely require a formal DPIA under the GDPR — will always trigger a PIPIA and a CAC filing under PIPL. The operational burden under Chinese law is considerably higher.
Understanding PIPL: China’s Data Protection Framework
The Personal Information Protection Law (PIPL) entered into force on 1 November 2021 and is enforced by the Cyberspace Administration of China (CAC) — the country’s competent data protection and internet regulatory authority. It applies to any processing of personal data of individuals located in China, regardless of where the processing entity is established.
What counts as “personal information” under PIPL?
The PIPL concept of personal information is broadly defined: it covers all information recorded electronically or otherwise that relates to an identified or identifiable natural person, excluding anonymised data. This includes names, contact details, employment records, location data, IP addresses, and business contact details of distributor or hospital representatives — categories that many companies handle routinely without any data protection classification. PIPL also defines a category of sensitive personal information (SPI) which is subject to enhanced regulatory requirements and stricter processing conditions. SPI includes biometric data, religious beliefs, health and medical data, financial account data, location tracking data, and personal data of children under the age of 14. Processing SPI requires explicit, separate consent and triggers mandatory impact assessment obligations.
Extraterritorial scope
Like the GDPR, PIPL reaches beyond China’s borders. It applies to entities outside China that offer products or services to individuals in China or that analyse or assess the behaviour of individuals in China. This means: a US or European parent company that receives data from its Chinese subsidiary may itself be subject to PIPL obligations — not merely by virtue of contractual arrangement, but by operation of law.
The absence of an EU adequacy decision for China means: every transfer of personal data from the EEA to China requires an appropriate safeguard under Art. 46 GDPR — and every transfer from China in the opposite direction requires a separate mechanism under PIPL.
Cross-Border Data Transfers: The Central Compliance Challenge
For most companies operating in China, the greatest practical challenge is managing cross-border data flows. The two legal systems impose obligations in opposite directions — and both must be satisfied simultaneously.
Transfers from the EEA to China (GDPR perspective)
The European Commission has not issued an adequacy decision for China. China is therefore treated as an “unsafe third country” under the GDPR, and any transfer of personal data from the EEA to China requires an appropriate safeguard under Art. 46. In practice, this means: EU Standard Contractual Clauses (EU SCCs). The 2021 EU SCCs (adopted in June 2021) must be executed under the module that reflects the actual data processing relationship: most commonly Module 1 for controller-to-controller transfers or Module 4 for processor-to-controller scenarios. The correct module depends on the factual roles and responsibilities of the parties involved.
In addition, a Transfer Impact Assessment (TIA) should be conducted to document whether the legal framework in China provides a level of data protection that is “essentially equivalent” to that guaranteed under the GDPR. This is inherently challenging for China, given the extensive government access rights under the National Intelligence Law and related legislation — a circumstance that must be addressed honestly in the TIA and mitigated through supplementary measures.
Transfers from China to third countries (PIPL perspective)
Under Art. 38 PIPL, any transfer of personal information from mainland China requires one of three recognised mechanisms. For most companies with a limited China presence, the appropriate route is the PIPL Standard Contract:
Step 1 — Conduct a PIPIA (Personal Information Protection Impact Assessment)
This must be completed before the Standard Contract is executed. It is a structured assessment of the lawfulness, necessity, and proportionality of the transfer, as well as an evaluation of risks to data subjects and the adequacy of protective measures.
Step 2 — Execute the PIPL Standard Contract
The CAC has published a binding standard form (in force since 1 June 2023) that must be used without substantive amendment. It is a single contract type that applies regardless of the roles of the parties. Additional clauses are permitted, provided they do not contradict the standard terms.
Unlike EU SCCs, which require no submission to any authority, the PIPL Standard Contract must be filed — together with the PIPIA report — with the competent CAC branch at provincial level at the seat of the Chinese entity. The CAC reviews the submission and may request amendments or reject the filing. All documentation must be submitted in Chinese.
Important: The CAC filing is not a mere formality. It establishes an ongoing compliance relationship with a Chinese regulatory authority. The overseas recipient (e.g. the parent company in the US or EU) must expressly consent in the Standard Contract to CAC supervision — including the obligation to respond to enquiries, cooperate with inspections, and report data breaches. This is a commitment that the parent company’s legal team must fully understand before signing.
For larger operations, different thresholds apply: companies transferring personal data of more than 100,000 individuals (or sensitive data of more than 10,000 individuals) must undergo a mandatory CAC security assessment instead of the Standard Contract route.
A Common Scenario: The International Assignment
One of the most frequently overlooked compliance scenarios in China operations is the internationally assigned employee — for example, a German or US national working in China under a local employment arrangement. This single individual creates a web of obligations in both directions:
| Data Flow | GDPR Requirement | PIPL Requirement |
|---|---|---|
| Home country HQ → China (HR, payroll, and assignment data) | EU SCCs + TIA required (EEA-to-China transfer, no adequacy decision) | Not applicable — PIPL governs outbound, not inbound transfers |
| China → Home country HQ (timesheets, tax, visa data) | Receiving entity must ensure lawful basis | PIPL Standard Contract + PIPIA + CAC filing required |
The key takeaway: a single assignment triggers obligations under both frameworks — EU SCCs in one direction, a PIPL Standard Contract in the other. For the vast majority of companies operating in China, neither mechanism is in place.
The Distributor Gap: An Underestimated Risk
Companies operating in China exclusively through a master distributor often believe their data protection exposure is limited. In our experience, this assumption is almost always wrong. What a typical distribution partnership actually involves:
Lead & contact data
Marketing leads, contact form submissions, and business contact data processed in global CRM systems (e.g. HubSpot) are routinely forwarded to local distributors for follow-up. The distributor receives personal data of Chinese individuals from the company’s global systems.
Adverse event & complaint data
In regulated industries (particularly medical devices), distributors monitor government platforms for adverse events and forward reports — including hospital names and case details — to the global complaints management team. This constitutes a cross-border transfer from China within the meaning of PIPL.
In both scenarios, the distributor is processing personal data either as a data processor acting on the company’s instructions or as a joint controller. Under both GDPR (Art. 28) and PIPL, a formal data processing agreement (DPA) — with a clear allocation of roles, obligations, and liability — is required. In practice, most distributor contracts in China contain no data protection provisions whatsoever.
Note on the allocation of responsibility: Under PIPL, the question of whether data protection obligations fall primarily on the Chinese entity or on the distributor is a contractual matter. However, the entity that determines the purposes of processing remains liable under PIPL, regardless of how the distributor contract is structured. A contractual allocation of responsibility reduces practical risk; it does not eliminate statutory liability.
Impact Assessments: DPIA vs. PIPIA
Both GDPR and PIPL require documented risk assessments for certain types of processing — but the triggers and operational consequences differ fundamentally.
| Processing Activity | GDPR DPIA | PIPL PIPIA |
|---|---|---|
| Processing sensitive personal data | Only at large scale or in combination with other risk factors | Always required, regardless of scale |
| Use of a third-party vendor / data processor | Only if the overall processing presents a high risk | Always required when entrusting processing to a third party |
| Cross-border data transfers | Only if the transfer is part of a high-risk processing activity | Always required for any transfer outside mainland China |
| Automated decision-making | Only where legally significant or similarly significant effects arise | Always required when using personal data for automated decisions |
| Sharing data with another controller | Not a standalone trigger | Always required |
The practical consequence: under PIPL, the PIPIA is not a strategic exercise reserved for high-risk initiatives. It is a routine transactional requirement that must be embedded as a standard step in procurement, HR, IT, and legal processes. Every vendor contract involving personal data, every cross-border transfer, every HR benefits process involving sensitive employee data — each requires a documented PIPIA. PIPIA reports must be retained for a minimum of three years — a hard, auditable requirement under Art. 56 PIPL. The GDPR imposes no equivalent minimum retention period, although the accountability principle implies similar discipline.
Internal Governance: Who Bears Responsibility in China?
Under PIPL, every organisation processing personal data in China must establish an internal data protection function. This goes beyond the mere designation of a named individual — it requires genuine compliance infrastructure.
Is a formal data protection officer required?
A formal Personal Information Protection Officer (PIPO) is mandatory only for organisations that process personal data of more than one million individuals. For most foreign companies with a limited China presence, this threshold is not reached, and a formal PIPO appointment is not legally required.
Nevertheless, PIPL requires every organisation — regardless of size — to maintain an internal data protection function with clear accountability. This “directly responsible person” must be embedded within the Chinese entity and cannot fulfil this function remotely from the European parent company. They must possess genuine data protection expertise and the authority to ensure compliance.
The local representative requirement
For foreign companies that fall within PIPL’s extraterritorial scope — i.e. those processing personal data of individuals in China from outside China, without a local legal entity — PIPL requires the designation of a local representative in China who is responsible for compliance matters and reachable by Chinese regulatory authorities.
Where a local legal entity already exists, it fulfils this function directly and a separate representative appointment is not required.
Personal liability:
PIPL’s enforcement model provides for direct personal liability for “directly responsible persons” in serious cases. Fines of RMB 100,000 to RMB 1 million may be imposed on individuals — including senior executives. Additionally, they may be prohibited from holding key positions for a specified period. This represents a significant departure from the GDPR, under which liability rests with the organisation rather than with individuals.
Practical Compliance Checklist for Companies Operating in China
- Map your data flows: Identify every category of personal data moving between China and other countries — in both directions. This includes employee data, business contact data, marketing leads, and complaint and adverse event data. The data flow map is the foundation for everything else.
- Execute a data processing agreement with your Chinese distributor: If your distributor receives leads, processes contact data, or forwards complaint information on your behalf, a DPA is required under both GDPR Art. 28 and PIPL. This is the most commonly missing document in China operations.
- Implement the PIPL Standard Contract for outbound transfers from China: First conduct a PIPIA, then execute the CAC standard form contract between the Chinese entity and the overseas recipient. File both documents with the competent provincial CAC within 10 business days of execution.
- Put EU SCCs + TIA in place for EEA-to-China transfers: Where data flows from an EU Member State to China (including data sent to employees on assignment), EU SCCs in the appropriate module are required, supplemented by a Transfer Impact Assessment addressing government access rights under Chinese law.
- Add a China entry to your Record of Processing Activities (RoPA): Your processing register must reflect China operations, even if minimal. Document data subject categories, data categories, purposes, legal bases, and transfer mechanisms for each identified data flow.
- Establish internal accountability in China: Designate an individual within your Chinese entity as responsible for data protection compliance. Ensure they possess genuine expertise and the necessary authority to act. For companies above the one million threshold, a formal PIPO must be appointed.
- Embed PIPIA into standard operating procedures: PIPIA is not a one-off project. It must be triggered automatically whenever the company onboards a new vendor handling personal data, establishes a new cross-border data access, or changes the scope of an existing transfer. Integrate it into procurement, IT, and HR workflows.
Conclusion: Compliance is a Process, Not a Project
The most important insight for companies approaching GDPR and PIPL compliance in China is that neither framework is satisfied by a one-time documentation exercise. Both impose ongoing obligations that must be firmly embedded in the operational fabric of the business.
What distinguishes companies that manage this well from those that do not is typically not the size of their China operations — it is the quality of their data flow mapping and the robustness of their contractual framework with local partners. A company with a single employee and a small distribution partnership can achieve full compliance with comparatively modest effort, provided the right foundations are in place. A company with a larger footprint but no transparency over its data flows is exposed to risks that regulatory action — or a due diligence review by the parent company — will quickly bring to light.
The dual nature of China compliance is genuine complexity — but it is manageable. The starting point is always the same: know what data you hold, know where it goes, and build the right legal architecture around it.
This article is for informational purposes only and does not constitute legal advice. The law in this area is evolving rapidly. Please consult qualified legal counsel before taking any compliance action.