---
title: "First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing"
author: "DCC Editorial"
published: 2026-07-02T02:00:00.000Z
url: https://datacompliancechina.com/posts/shanghai-data-export-negative-list-first-filing/
description: "On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case."
tags: ["cross-border", "negative-list", "shanghai", "standard-contract", "security-assessment"]
laws_cited: ["cross-border-data-flows-provisions", "personal-info-standard-contract-measures", "data-export-security-assessment-measures", "personal-info-standard-contract-filing-guide"]
domains: ["cross-border", "personal-information"]
account: "data-he-gui"
original_title: "上海负面清单扩大政策首例落地"
original_author: "网信上海 (Cyberspace Administration Shanghai)"
original_publication: "数据何规 WeChat Official Account (reposting 网信上海)"
original_url: "https://mp.weixin.qq.com/s/dYIENxSBmLDgaxeLBu7vvg"
source_language: "zh"
---

> **Source: Data Compliance China** — https://datacompliancechina.com/posts/shanghai-data-export-negative-list-first-filing/ · China data law, translated and annotated for overseas counsel. Cite as: Data Compliance China, "First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing", https://datacompliancechina.com/posts/shanghai-data-export-negative-list-first-filing/
> *Editor's Note — DCC.*
>
> This brief covers a single government press item: **网信上海** (the official
> account of the **Shanghai municipal cyberspace administration**) announced on
> **June 26, 2026** the first filing completed under Shanghai's expanded
> data-export negative-list policy. DCC read it via the **数据何规** repost,
> whose editor added a short gloss and two threshold-table excerpts from the
> underlying negative list; the structural framing below is DCC's.
>
> For the mechanism itself — Article 6 of the 2024 Provisions on Promoting and
> Regulating Cross-border Data Flows and the FTZ negative lists it authorized —
> see DCC's explainer on the
> [17-sector FTZ negative-list landscape](/posts/compliance-talker-ftz-negative-lists-important-data/).

## What happened

On **June 26, 2026**, **ITX Asia Pacific Enterprise Management Co., Ltd.
(爱特思亚太企业管理有限公司)** — the China management entity of **Inditex**, the
world's largest fashion retailer and owner of ZARA and Pull&Bear — passed the
filing review conducted by the **Shanghai CAC** and the **Shanghai Data
Bureau** and received the city's **first data-export negative-list filing
result notice (数据出境负面清单备案结果通知书)** issued since the *Shanghai
Data-Export Negative List Administrative Measures*
(上海市数据出境负面清单管理办法) and its supporting documents took effect.

The filing was prepared under the guidance of the **Jing'an District
Cross-Border Data Service Center (静安区数据跨境服务中心)**, which the press
release credits with policy interpretation, helping the company map its
outbound data items against the negative list, and answering
scope-and-counting questions (whether order information counts as personal
information; how to count outbound volume). District-level initial review was
completed **the same day the materials were submitted**.

The substantive effect, per the press release: ITX Asia Pacific's
**member-information exports** — cross-border order processing, customer
communications, supply-chain coordination — previously required a **Data
Export Security Assessment** declaration. Under the negative-list rules, the
same flows now clear on a
**[Personal Information Standard Contract](/laws/personal-info-standard-contract-measures/) filing**
— one tier down, with what the company describes as substantial savings in
time and compliance cost for cross-border operations and unified global
management.

## The two policy moves the case proves out

The 数据何规 editor's gloss identifies the first move: Shanghai had earlier
**expanded the applicable scope of its data-export negative list citywide** —
an enterprise no longer needs to be registered in Pudong to invoke it. ITX
Asia Pacific filed through **Jing'an**, not Pudong; the first case is itself
the demonstration that the citywide extension is operational.

The second move is inside the list: the thresholds. The baseline regime that
the press release recites is the familiar one under the
[Provisions on Promoting and Regulating Cross-border Data Flows](/laws/cross-border-data-flows-provisions/) —
cumulative outbound personal information of **100,000+ individuals** in a
calendar year requires a Standard Contract filing with the provincial
cyberspace administration; **1,000,000+** pushes the handler up into the
[Data Export Security Assessment](/laws/data-export-security-assessment-measures/).
The negative list re-draws those bands for listed scenarios. The excerpt
tables attached to the repost — from the retail/catering/accommodation
sector list, **member-management scenario (会员管理场景)** — show the
standard-contract/certification tier reaching much higher:

- **Non-sensitive member personal information of 1,000,000 to under
  10,000,000 individuals** (cumulative from January 1 of the current year)
  sits in the **Standard Contract filing / Personal Information Protection
  Certification tier** — volumes that under the baseline rules would have
  required a security assessment. The listed data items are the standard
  membership-CRM inventory: name, nickname, contact details, member account
  and user ID, membership level, birthday, order numbers, product
  preferences, and purchase records that do not directly reveal personal
  asset positions.
- Narrow bands of **sensitive personal information** tied to the same
  scenario (member login credentials; card information limited to last four
  digits plus validity) get their own raised band, and residual personal
  information outside those items follows a band tracking the baseline
  (100,000 to under 1,000,000 non-sensitive, or under 10,000 sensitive).
- Counting is **deduplicated by natural person**, and flows falling within
  the exemption articles of the 2024 Provisions (Articles 3, 4, and 5(1)(i)
  through (iii)) are **not counted toward the volumes**.

That is the mechanics of "首例落地": the company's member-data volume put it
in assessment territory under the baseline bands, and the negative list's
scenario-specific bands moved the same flows down to a filing.

## Why the case matters beyond one retailer

- **The archetype is the foreign retail membership program.** The first
  negative-list beneficiary is not a Chinese platform but a foreign
  multinational's China entity exporting **member/CRM data** for global
  operations. That is precisely the fact pattern the retail-sector list's
  member-management scenario was written for, and it is the fact pattern
  shared by most overseas consumer-brand groups operating in China.
- **The district service center is the operational interface.** The filing
  ran through a **district** cross-border data service center — policy
  briefings (Jing'an has held four, covering 100+ enterprises), item-mapping
  guidance, same-day district initial review — before the municipal-level
  review by the Shanghai CAC and the Shanghai Data Bureau. Enterprises
  planning a filing should expect and use that front door.
- **Citywide eligibility is confirmed in practice.** The negative list began
  as an FTZ instrument under Article 6 of the 2024 Provisions. Shanghai has
  now shown a non-Pudong-registered enterprise completing the process
  end-to-end. The press release closes with the Shanghai CAC instructing
  districts to keep promoting negative-list adoption — this is a policy the
  city wants used.

## What overseas compliance teams should do with it

1. **Re-run the tier analysis for Shanghai entities.** If a Shanghai-registered
   entity (any district) exports scenario-listed data — retail membership
   data being the proven example — check whether the negative list's bands
   move a planned or completed security-assessment posture down to a
   Standard Contract filing, or a filing posture down to exemption.
2. **Mind the counting rules.** Volumes are counted cumulatively from
   January 1, deduplicated by natural person, and exclude flows already
   exempt under the 2024 Provisions — the arithmetic that decides the tier
   is itself defined by the list.
3. **The filing still gets reviewed.** This is a 备案 (filing) with a result
   notice issued after joint review by the Shanghai CAC and the Shanghai Data
   Bureau — lighter than an assessment, but not a self-declaration. Item
   mapping against the list (which data items, which scenario, which band)
   is the substance of the review.

---

— *网信上海 (Cyberspace Administration Shanghai), 上海负面清单扩大政策首例落地
(First Case Lands Under Shanghai's Expanded Negative-List Policy), June 26,
2026, read via the 数据何规 WeChat Official Account repost.
[Repost with editor's gloss (Chinese).](https://mp.weixin.qq.com/s/dYIENxSBmLDgaxeLBu7vvg)*

*Not legal advice. Threshold descriptions above are transcribed from excerpt
images attached to the repost and may be partial; the published Shanghai
negative list and its supporting documents are authoritative.*
