
The investigation was launched after a data breach in May 2025 that affected the personal data of Dior's customers: names, gender, phone numbers, emails, addresses, purchases and shopping preferences.
In September 2025, Dior's Shanghai subsidiary was penalized for PIPL violations:
- unauthorized cross-border data transfers
- inadequate user consent practices
- insufficient technical security measures
PIPL cross-border data transfer (CBDT):
- Privacy Impact Assessments (PIAs)
- Standard Contractual Clauses (SCCs) with the CAC
- "Sufficient Notice" and "Separate Consent", such as employee privacy notices and consent letters
- Data Processing Agreements (DPAs) for B2B data-sharing arrangements
- Outward-facing privacy policies for B2C scenarios
Other reference:
- https://www.china-briefing.com/news/diors-pipl-violations-china-key-lessons/