--- title_en: "China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter" title_zh: "中国—新加坡联合数据合规指引:实务手册(中国篇)" abbreviation: "CN-SG Joint Guide" hierarchy: "handbook" issuing_body: "Shenzhen Data Exchange · Asian Business Law Institute (Singapore) · Authority of Qianhai · Shenzhen Bureau of Justice" effective_date: 2025-08-01 status: "effective" domains: ["data-security", "personal-information", "cross-border"] url: https://datacompliancechina.com/laws/cs-joint-data-compliance-guide/ summary: "A 110-page bilingual practitioner handbook on Chinese data compliance, jointly compiled by the Shenzhen Data Exchange and Singapore's Asian Business Law Institute under the guidance of the Qianhai Authority. The China Chapter is structured around the Guide's two-axis compliance model: subject obligations (organizational structure, policy, classification & grading, partners, risk assessment, incident response) crossed with object types (general / important / personal / public / industry-specific data). Includes the regulator map, cross-border path selection trees, and worked examples. Current as of August 2025. This is the single most accessible authoritative reference DCC has identified for overseas counsel approaching the Chinese data regime." --- **Issued by:** Shenzhen Data Exchange (深圳数据交易所) and the Asian Business Law Institute (亚洲商法研究所), Singapore. **Guiding Organizations:** Shenzhen Municipal Service and Data Administration · Shenzhen Municipal Bureau of Justice · Authority of Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone · Shenzhen Law Society. **Supporting Organization:** Network Data Security Compliance Laboratory (Shenzhen Qianhai). **Current as of:** August 2025. > *Editor's Note — DCC.* > > This is the most useful single document DCC has come across for orienting > overseas counsel to the architecture of China's data-compliance regime. > It is not a statute and does not bind anyone — but it is co-authored by > the institution that operates China's national data circulation > infrastructure (Shenzhen Data Exchange) and the most senior China data > bar (Fangda, Han Kun, Zhong Lun, Global Law, KWM, Tianda & Gonghe, > V&T, Simmons & Simmons). Its conceptual contribution — the **two-axis > compliance framework** (subject obligations × object types) — is the > mental model we recommend overseas readers internalize first. > > The Guide explicitly permits non-commercial reproduction with source > attribution. The chapter outline below is reproduced from the Guide's > own Table of Contents; the conceptual summaries are DCC's distillation. > The [DCC Overview page](/overview/) renders the same framework in > visual form for first-time readers. ## Why this matters for overseas teams China's data regime has accumulated more than a decade of statutes, regulations, departmental rules, standards, judicial interpretations, and policy directives. For someone approaching it cold, the volume is the obstacle. The Joint Guide solves this in three ways: - **A single mental model.** The Guide explicitly organizes the regime around a *Subject × Object* grid — what an organization must do (Subject Compliance), crossed with what each type of data requires (Object Compliance). Every detailed obligation in the regime fits into one of the resulting cells. - **A regulator map.** Six categories of regulators with overlapping mandates (CAC, MIIT, MPS, SAMR, industry regulators, and the National Data Security Coordination Mechanism) are mapped in Chapter II with each one's specific authority. - **A path-selection framework for cross-border data.** Chapter V walks through the decision logic that maps a specific data transfer to the right compliance pathway — security assessment, standard contract filing, certification, or exemption. For overseas counsel, the Guide is the closest thing in 2025 to an authoritative single-source orientation to the Chinese data regime. ## Chapter outline The Guide's seven chapters in the China Chapter: ### Chapter I — Overview and User Guide - **I.** Introduction: The Context of China–Singapore Digital Cooperation - *(i) The Practical Basis of China–Singapore Data Cooperation and Enterprise Needs* - *(ii) Evolution and Opening Trends of China's Data Compliance Framework* - **II.** China's Practical Framework and Compliance Logic — the **two-axis model** - *(i) Subject Compliance: Core Obligations of Data Processors* (org structure, policy, classification, partners, risk assessment, incident response) - *(ii) Object Compliance: Special Requirements for Different Types of Data* (general / important / personal / public / industry-specific) - **III.** Guidelines for Use and Practical Tools (content index + usage tips) ### Chapter II — Regulatory System and Departmental Responsibilities - **I.** Cyberspace Administration of China (CAC) - **II.** Ministry of Industry and Information Technology (MIIT) - **III.** Public Security Authorities - **IV.** Market Regulation Authorities - **V.** Industry Regulators and Other Authorities (PBoC, NFRA, NHC, MNR, MoE, MoT, etc.) - **VI.** National Data Security Coordination Mechanism ### Chapter III — Compliance Requirements for Data Processing Entities (the Subject Axis) - **I.** Organizational Structure (PIPO appointments, internal committees, reporting lines) - **II.** Policy Development and Personnel Management (internal rules, training, access controls) - **III.** Data Classification and Grading (per GB/T 43697-2024 and sector-specific catalogues) - **IV.** Management of External Partners (entrusted processing, joint processing, third-party sharing) - **V.** Risk Assessment Mechanisms (PIA, important-data risk assessment, network-data activity assessment) - **VI.** Security Incident Response and Handling ### Chapter IV — Compliance Standards for Data Objects (the Object Axis) - **I.** General Data — common requirements (definition, types, key compliance requirements) - **II.** Important Data — identification, assessment, management obligations (per DSL + Network Data Security Regulation) - **III.** Personal Information — PIPL implementation requirements (lawful bases, individual rights, separate consent, cross-border) - **IV.** Public Data — definition, identification, sharing and opening (per Data 20 Articles + NDA registration regime) - **V.** Special Industry Data - *(i) Surveying, Mapping and Geographic Information Data* - *(ii) Health and Medical Data* - *(iii) Financial Credit Reference Data* - *(iv) Automotive Data* - *(v) Other industry-specific verticals* ### Chapter V — Compliance Paths for Cross-Border Data Flow - **I.** Path Selection for Outbound Data Flow - *(i) Security assessment declarations / standard contract filings / PI protection certifications under the applicable compliance paths* - **II.** Requirements for Data Processors in Outbound Data Flow - **III.** Localization Data Storage Requirements - **IV.** Important Data Cross-Border Transfer (compliance requirements + security assessment for important data export) ### Chapter VI — Good Compliance Practice Guidelines Worked examples, scenario-based recommendations, and benchmark practices observed in foreign-invested-enterprise compliance work. ### Chapter VII — Frequently Asked Questions Practical Q&A clarifying common edge cases (small-volume processors, group structures, vendor cascades, etc.). ## The conceptual contribution: Subject × Object The Guide's most useful idea is also its simplest. Every concrete compliance question can be located on a 2D grid: | | **Org structure** | **Policy** | **Classification** | **Partners** | **Risk assess** | **Incident response** | |------------------------------|:----:|:----:|:----:|:----:|:----:|:----:| | **General data** | · | · | · | · | · | · | | **Important data** | · | · | · | · | · | · | | **Personal information** | · | · | · | · | · | · | | **Public data** | · | · | · | · | · | · | | **Industry-specific data** | · | · | · | · | · | · | The grid's value: every detailed obligation in CSL, DSL, PIPL, NDR, the cross-border provisions, the PI audit measures, the GenAI rules, and the sector-specific regulations slots into one of the cells. Once a compliance team has internalized the grid, the corpus stops feeling like a chaos of rules and starts behaving like a structured matrix. See the [DCC Overview page](/overview/) for the rendered grid with each cell anchored to the underlying laws. ## Editorial choices in DCC's coverage of the Guide - **No full text reproduction.** The Guide is 110+ pages. DCC treats it as a primary reference and links overseas readers to the official PDF for the full text. - **Concept distillation.** DCC's [Overview page](/overview/) renders the Guide's framework visually so first-time readers get the model in five minutes. - **Derivative briefs.** Each of Chapters II–V will be the subject of standalone DCC briefs (1500–2500 words each), credited to the Guide. ## Source Original document: *China–Singapore Joint Data Compliance Guide: Practical Handbook* (中国—新加坡联合数据合规指引:实务手册), China Chapter. Jointly compiled by the Shenzhen Data Exchange (深圳数据交易所) and the Asian Business Law Institute (Singapore), under the guidance of the Authority of Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone. Released August 2025. Official PDF (hosted by Qianhai Authority): [qh.sz.gov.cn/attachment/1/1661/1661659/12551073.pdf](https://qh.sz.gov.cn/attachment/1/1661/1661659/12551073.pdf) The Guide is non-commercial and explicitly permits reproduction with source attribution.