On 1 January 2025, the Network Data Security Management Regulation enters into force. The Regulation implements and further specifies obligations under Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL). Under the Regulation, data may be classified as general data, important data, or core data. In case data processors process the data of more than one million people, the Regulation foresees additional data protection requirements. Furthermore, in order to share or trade important data, as well as to entrust the processing of important data to third parties, governmental authorisation is required. Finally, the data processors must ensure that personal data can be accessed by individuals and transferred to other data processors.
Original source