
China Regulatory Compliance | Regulatory Highlights in China

China is putting significant regulatory specifics in place, with a continued emphasis on hardening for National Security, Data Security,
and the protection of Personal Information. SAP continues to be viewed as a thought leader and partner in the industry.
Coverage and sophistication of the cyber regulatory framework are expanding, in particular in the areas of personal information and data
security.

[Figure: Selection of major Laws, Regulations and Specifications during 2020 - 2023. Timeline columns: Before 2021, Before 2023, 2023, Expected in 2024. Categories: Cyber Security; Data Security, Privacy & Protection; Others.]

Laws, regulations and specifications named in the figure:
• Data Security Law
• Personal Information Protection Law
• Standard Contracts for CBDT
• Guide to Data Categorization and Classification
• China Cybersecurity Law
• Cybersecurity Classified Protection Scheme (CCPS)
• Commercial Cryptography Regulation (Revised)
• Amended Cybersecurity Review Measures
• Export Control Law
• Anti-Foreign Sanctions Law
• Interim Measures for the Regulation of Generative AI Services
• Network Data Security Management Regulation
• Personal Information Security Specification
• CBDT Security Review Measures
• The Foreign Relations Law
• Rules on Administration of Network Product Security Vulnerabilities
• The Catalogue of Critical Network Equipment and Exclusive Cybersecurity Products


Market regulations: China Data Protection and Privacy Laws and Regulations Landscape

What does PIPL contain?
It contains provisions relating to personal data protection and relevant cross-border data transfer compliance requirements at a very high level.

What are the Cross-border Data Transfer rules/regulations?
A Personal Data handler (equal to a data controller under GDPR) carrying out cross-border data transfer shall conduct a self-assessment to decide either to conduct CBDT Security Assessment or sign China SCCs with overseas recipients, depending on transferred data type, volume and other conditions defined by Chinese Authorities/relevant laws and regulations.

[Figure: timeline of China data protection and privacy laws and regulations. Dates shown: Jun 2017, Jan 2020, Jun 2021, Nov 2021, Sept 2022, Mar 2023, June 2023. Items shown: CCSL, CL, DSL, PIPL, CBDT Measures, 3rd Party Certification (Voluntary CBDT Cert.), China SCCs Measures (China SCCs). Annotations: Data generated by CIIOs, Important data, Data security, Personal information protection, CAC security assessment.]
• CCSL: China Cybersecurity Law
• CL: Cryptography Law
• DSL: Data Security Law
• PIPL: Personal Information Protection Law
• CBDT: Cross-border Data Transfer
• SCCs: Standard Contract Clauses
• CAC: Cyberspace Administration of China

© 2023 SAP SE or an SAP affiliate company. All rights reserved. | Public 2


Data Export Restrictions: China Cross-border Data Transfer Compliance Mechanisms

The Data Controller shall fulfill one of the first two mandatory CBDT compliance mechanisms below, based on the applicable threshold.

Mechanisms: CAC Security Assessment, China SCCs, 3rd Party Certification

Threshold

CAC Security Assessment:
• Process more than 1 million individuals’ personal data;
• Cumulatively transferred more than 100,000 individuals’ personal data/10,000 sensitive personal data (calculated from January 1 of the preceding year)

China SCCs:
• Non-CIIOs (Critical Information Infrastructures Operator);
• Process less than 1 million individuals’ personal data;
• Cumulatively transferred less than 100,000 individuals’ personal data/10,000 sensitive personal data

3rd Party Certification:
• China-based Data Controllers who are transferring data to overseas subsidiaries or affiliates for internal business operation purposes

SAP as data controller

• CAC Security Assessment: CAC Security Assessment
• China SCCs: Not applicable
• 3rd Party Certification: Not mandatory

SAP as data processor

CAC Security Assessment:
• Provide support to customer’s CAC Security Assessment
• Fulfill data processor's obligations

China SCCs:
• Provide support to customer’s PIA
• Fulfill data processor's obligations

3rd Party Certification: Not mandatory



Required Action: Data Localization and Cross-border Data Transfer Compliance

[Flowchart: Data localization and CBDT Self-assessment. Data categories shown: CIIOs, Important data*, Large volume Personal data, Low volume Personal data. Steps and outcomes shown: Data localization, CBDT Self-assessment, Self-Assessment Report/PIA Report, CAC Security Assessment, China SCCs, Security Measures, CAC Approval. Other labels: Based on business needs; SAP Support: Data inventory/Information Collection.]

• *DSL Article 21
• Important data means any data, the tampering, damage, leakage, or illegal acquisition or
use of which, if it happens, may endanger national security, the operation of the economy,
social stability, public health and security, etc.
• Important Data Identification Guidelines (draft for comments, 2022), e.g. energy reserve
data, inventory/production/resource information, etc.
