
For foreign employers with China-based staff, employee data protection under PIPL is now strictly enforced in 2026. The Personal Information Protection Law (PIPL) imposes comprehensive requirements on how employers collect, process, store, transfer, and delete personal information of China-based employees. From privacy notices that must be provided to staff, to cross-border transfer justifications when HR data leaves China, foreign employers face significant legal exposure for non-compliance. Penalties can reach 50 million RMB or 5% of annual revenue, plus personal liability for HR directors. This compliance checklist provides practical, step-by-step guidance to ensure HR data processing for China-based staff meets all PIPL requirements.
1. Legal Bases and Employee Privacy Notices
Legal bases for HR data under PIPL: Consent (for sensitive data), contract necessity (payroll/social insurance), legal obligation (tax/labor law), legitimate interests (limited applicability).
Privacy notice requirements: Must be provided in Chinese + English. Must disclose: employer/DPO contact, data categories, purposes, retention periods, third-party recipients, cross-border transfers, employee rights, consent withdrawal procedures. Employee acknowledgment required (written or digital).
Action items: Conduct HR data inventory. Draft PIPL-compliant privacy notice. Distribute to all China-based employees. Obtain acknowledgments. Review annually.
2. Employee Consent Requirements
When consent is required: Processing sensitive personal information (biometric, health, financial, location) – always requires explicit consent. Cross-border transfers (unless other legal pathway used). Processing beyond employment contract necessity.
Valid consent must be: Freely given (not coerced), specific (separate for each purpose), informed, explicit (written/digital, no pre-checked boxes), revocable (as easy as giving consent).
Action items: Identify consent-triggering activities. Draft separate consent forms per purpose. Implement consent tracking system. Establish withdrawal mechanism (HR portal or email to DPO).
3. Cross-Border Transfer Justifications for HR Data
Permissible transfer mechanisms:
- CAC Security Assessment: Required for sensitive PI or 100K+ individuals. Process: 45-90 working days. NO transfer while pending. Valid 2 years.
- Standard Contractual Clauses (SCCs): For non-sensitive PI. Sign CAC-published template. File with local CAC within 30 days. Conduct DPIA before transfer. Recommended for most foreign employers.
- Certification: Corporate groups only. Valid 3 years. Annual audits required.
- Employee consent: Conditional only – not recommended alone due to power imbalance concerns.
Action items: Map all HR data flows leaving China. Determine applicable mechanism. For SCC pathway: draft DPIA, sign SCCs with global HR provider, file with local CAC within 30 days. Document all transfers.
4. Data Protection Impact Assessments (DPIAs)
When DPIAs are required: Before any cross-border transfer of employee data. Before processing sensitive PI (biometric, health, financial, location). Before automated decision-making affecting employees (AI performance evaluation).
DPIA content requirements: Description of processing activities. Necessity and proportionality assessment. Risk assessment to employee rights. Safeguards and mitigation measures. Conclusion and residual risk level.
Action items: Develop DPIA template. Conduct DPIA for cross-border transfers and sensitive data processing. Review annually. Retain for 3+ years for CAC inspection.
5. Data Subject Rights Response Mechanisms
Employee rights under PIPL (15-day response deadline): Right to access (copy of data), rectification (correct inaccuracies), deletion (when purpose achieved or consent withdrawn), restrict processing, data portability, withdraw consent, reject automated decisions.
Action items: Designate point of contact (HR Director or DPO). Implement request tracking system. Verify requester identity. Coordinate with IT/global HR systems for data retrieval. Train HR team on rights response obligations.
6. Data Security and Breach Notification
Security requirements: Encryption for HR data in transit (TLS 1.2+) and at rest (AES-256). Role-based access controls with least privilege. Multi-factor authentication for HR system admins. Data processing agreements (DPAs) with all HR vendors.
Breach notification (within 48 hours of detection): Notify CAC. Notify affected employees. Notify local PSB for serious breaches. Retain breach records for 3+ years.
Action items: Audit security measures. Execute DPAs with all HR vendors. Develop breach response plan. Train HR/IT staff. Conduct annual tabletop exercise.
7. Practical Roadmap – 4-Month PIPL HR Compliance
- Month 1: HR data inventory + gap assessment.
- Month 2: Privacy notice (Chinese/English) + SCCs + DPIA + employee consents + DPAs with vendors.
- Month 3: Rights response mechanism + security audit + breach response plan.
- Month 4: Annual review setup + ongoing monitoring.
8. Frequently Asked Questions
Q: Does PIPL apply if we have no China entity but hire contractors in China?
A: Yes. PIPL's extraterritorial reach applies. You must designate a representative in China.
Q: Can we use our global HR system (Workday, SAP SuccessFactors) hosted outside China?
A: Yes, with SCC pathway. Sign SCCs, complete DPIA, file with local CAC within 30 days.
Q: Do we need a Data Protection Officer (DPO)?
A: Yes if processing sensitive data at scale, data of 1M+ individuals, or engaging in cross-border transfers. For most foreign employers with 500+ China employees, DPO required.
Q: What are the penalties for non-compliance?
A: Up to 50M RMB or 5% of annual revenue. Individuals face 100k-1M RMB fines and potential industry bans.
Summary: Employee data protection under PIPL requires foreign employers with China-based staff to follow a compliance checklist covering privacy notices, employee consent, cross-border transfer justifications (SCC pathway recommended), DPIAs, rights response mechanisms (15-day deadline), and breach notification (48 hours). Penalties reach 50M RMB or 5% of annual revenue plus individual liability. Practical roadmap: 4 months from data inventory to annual review setup.