Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 21
Asia-Pacific Data Privacy and Cybersecurity Guide 2025
Administration (NFRA), stipulate that the
NFRA will develop a catalogue of important
data for the banking and insurance sectors
based on national data classification and
grading requirements. The NFRA will also
propose a core data catalog and supervise
and guide banking and insurance institutions
in data classification, grading management,
and data protection. The Measures for Data
Security Management in the Field of Natural
Resources, issued on March 22, 2024, further
defines important data in the natural resources
sectors and proposes systematic compliance
requirements for important data.
Localisation
Further to the CSL, DSL’s localisation
requirements mandate that certain types of
data, particularly important and critical data,
must be stored and processed within China.
This includes:
· CIIO (already included in the CSL): CIIO
must store personal data and important
data collected and generated within China
domestically. If there is a need to transfer
such data abroad, it must undergo a
security assessment.
· Important Data: The cross-border transfer
of important data collected and generated
within China by organisations other
than CIIO shall comply with relevant
requirements (which were specified in 2022
and relaxed afterwards in 2024 in the CBDT
Provisions), with an aim to enhance data
security and protect national interests by
preventing unauthorised access to China’s
important data and potential risks associated
with cross-border transfers of such data.
Personal Information Protection Law
The PIPL is China’s first comprehensive data
protection law, taking effect November 1, 2021.
Drawing on the principles of GDPR, PIPL
21
