China’s public security authority has penalised Dior’s Shanghai subsidiary after finding it sent customers’ personal information to France without the required safeguards, according to official notices and state media.
The authority said the branch transferred data to the company’s headquarters in France illegally, leading to a leak in May, and did so without conducting mandated security assessments. It also said the firm failed to notify users or apply encryption as required. An administrative penalty has been imposed, although details of the sanction were not disclosed.
According to the National Cybersecurity Notification Centre, the administrative investigation revealed that Dior (Shanghai) Co., Ltd. committed several violations of China’s Personal Information Protection Law (PIPL).
The investigation found that Dior Shanghai transferred user personal information to Dior headquarters in France without undergoing a data export security assessment, establishing a standard contract for exporting personal information, or obtaining personal information protection certification. The company also failed to fully inform users about how their data would be processed overseas and did not obtain their separate consent for the transfer, as mandated by law.
Additionally, the investigation found that Dior Shanghai did not implement security measures such as encryption or de-identification for the personal information it collected. These failures resulted in a data breach in May, with users in mainland China receiving official warning text messages from Dior regarding the incident.
These findings highlight Beijing’s tightening enforcement of cross-border data transfer regulations. Under China’s data protection regime, companies handling personal information are required to complete security assessments, adopt standard contractual terms, or obtain certification before exporting data. Authorities have increasingly emphasised the importance of clear user notice, explicit consent, and robust technical protections as baseline obligations.
For multinational consumer brands operating in China, the Dior case underscores the operational and legal risks of centralising customer data outside the country. It also raises questions about incident response and notification processes, as customers were alerted to the breach before enforcement action was taken.