[Company Name] Global Data Governance and Privacy Policy

Document Control

• Effective Date: [Date]
• Version: 1.0
• Policy Owner: Global Chief Data Officer (CDO) / Global Chief Information Security Officer (CISO)
• Applicability: All employees, contractors, third-party vendors, and affiliates of [Company Name] globally.

---

1. Purpose

The purpose of this Data Governance Policy is to establish a unified framework for the management, protection, and compliant use of data across [Company Name]’s global operations. Because the Company operates across multiple jurisdictions—specifically the European Union (EU) and the People’s Republic of China (PRC)—this policy explicitly integrates the rigorous legal requirements of the EU General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL).

2. Scope

This policy applies to all electronic and physical data processed, stored, or transmitted by [Company Name], with a specific focus on Personal Data / Personal Information (PI). It covers the entire data lifecycle: collection, storage, usage, access, cross-border transfer, archiving, and destruction.

3. Key Definitions

• Personal Data (GDPR) / Personal Information (PIPL): Any information relating to an identified or identifiable natural person (Data Subject).
• Sensitive Personal Data/Information: Data requiring elevated protection, including biometric data, religious beliefs, medical health, financial accounts, and data of minors under 14 (PIPL specific).
• Data Controller (GDPR) / Personal Information Handler (PIPL): The entity determining the purposes and means of processing personal data.
• Role-Based Access Control (RBAC): The policy of restricting system access to authorized users based on their role and business requirements.
• CAC: The Cyberspace Administration of China.
• Supervisory Authority (SA): The relevant national privacy regulator in the EU.

---

4. Data Governance Framework and Responsibilities

To ensure accountability, [Company Name] establishes the following governance structure:

1. Global Chief Data Officer (CDO): Holds ultimate responsibility for global data strategy and governance.
2. Data Protection Officer (DPO - EU): Monitors and ensures compliance with the GDPR. Acts as the liaison with EU Supervisory Authorities.
3. Personal Information Protection Officer (PIPO - China): Appointed specifically to oversee PIPL compliance within China, acting as the liaison with the CAC.
4. Data Owners: Senior leaders responsible for classifying and defining access rules for data within their specific business units.
5. Data Custodians: Usually IT administrators who implement and maintain the technical controls (e.g., RBAC, encryption) dictated by Data Owners.

---

5. Data Classification

All data within [Company Name] must be classified into one of four tiers to dictate its handling, encryption, and access controls:

• Tier 1: Public: Freely distributable safely (e.g., marketing materials).
• Tier 2: Internal: Routine business operations data; unauthorized disclosure causes minimal impact.
• Tier 3: Confidential: Standard Personal Data, intellectual property, financial records.
• Tier 4: Restricted / Highly Sensitive: Special category data (GDPR), Sensitive Personal Information (PIPL), highly guarded trade secrets. Unauthorized disclosure causes severe legal/financial damage.

---

6. Role-Based Access Controls (RBAC)

Access to Tier 2, Tier 3, and Tier 4 data is strictly governed by RBAC principles to prevent unauthorized internal and external access.

• Principle of Least Privilege (PoLP): Employees and vendors will only be granted access to the specific data necessary to perform their job functions.
• Separation of Duties (SoD): Critical processes requiring access to sensitive data must be divided among multiple roles to prevent fraud or unilateral data misuse.
• Authentication Requirements: Multi-Factor Authentication (MFA) is mandatory for accessing Tier 3 and Tier 4 systems globally.
• Access Lifecycle: Access rights must be provisioned upon hiring/transfer, immediately revoked upon termination, and rigorously audited by Data Custodians on a quarterly basis.

---

7. Cross-Border Data Transfers

As an MNC, [Company Name] restricts cross-border data transfers to mitigate regulatory risks. No personal data may be transferred across international borders without prior authorization from the Legal/Compliance Department.

7.1. EU to Non-EU Transfers (GDPR Compliance)

Data originating in the European Economic Area (EEA) may only be transferred out of the EEA if one of the following mechanisms is implemented:

• Adequacy Decision: The destination country has been deemed "adequate" by the European Commission.
• Standard Contractual Clauses (SCCs): Execution of the latest EU-approved SCCs between the exporting and importing entities.
• Transfer Impact Assessment (TIA): A TIA must be conducted prior to using SCCs to ensure the destination country’s laws do not undermine GDPR protections.

7.2. Outbound Transfers from China (PIPL Compliance)

Data originating in mainland China is subject to strict localization and transfer laws. Transfers are strictly prohibited unless the following conditions are met:

• Data Localization: Critical Information Infrastructure Operators (CIIOs) or entities processing PI exceeding volume thresholds set by the CAC must store data locally within China. Cross-border transfer requires passing a formal Security Assessment by the CAC.
• Standard Contract / Certification: For volumes below the CAC threshold, the Company must enter into a standard contract formulated by the CAC with the overseas recipient or obtain a Personal Information Protection Certification.
• Separate Consent: Under PIPL, the Company must obtain separate, explicit consent from the Chinese individual specifically for the cross-border transfer, clearly stating the destination, recipient, purpose, and method of transfer.
• PIPIA: A Personal Information Protection Impact Assessment must be conducted before any outbound transfer from China.

---

8. Distinct Regulatory Compliance Requirements

8.1. Legal Basis & Consent Management

• GDPR: The Company may rely on multiple lawful bases, including Legitimate Interest, Contractual Necessity, or Consent.
• PIPL: Consent is the primary lawful basis. The Company must obtain "Separate Consent" (explicit opt-in) from Chinese individuals for specific actions: cross-border transfers, providing PI to third parties, publicly disclosing PI, or processing Sensitive PI. Legitimate Interest is not formally recognized under PIPL.

8.2. Data Subject Rights

[Company Name] guarantees the rights of individuals under both regimes through a unified Data Subject Request (DSR) portal. Rights include:

• The Right to Know / Receive access to data.
• The Right to Rectification (correction).
• The Right to Erasure / Deletion (Right to be Forgotten).
• The Right to Restrict Processing or object to automated decision-making.
• Response Time: GDPR requests must be fulfilled within 30 days. PIPL requires responses in a "timely manner" (generally interpreted as 15 working days).

---

9. Data Retention and Minimization

• Data will only be collected for specified, explicit, and legitimate purposes.
• Data must not be retained longer than legally necessary or business-justified.
• Once the retention period expires, data must be securely and irreversibly anonymized or destroyed using cryptographic wiping or physical destruction methods.

---

10. Data Breach and Incident Response

In the event of a suspected or confirmed data breach (loss, alteration, unauthorized disclosure, or access), employees must immediately notify the IT Security team.

• GDPR Timelines: The DPO must notify the relevant EU Supervisory Authority within 72 hours of becoming aware of a breach that poses a risk to data subjects.
• PIPL Timelines: The PIPO must notify the CAC and affected individuals immediately (effectively within 24 hours).
• Internal Response: The [Company Name] Global Incident Response Team will be activated to contain, eradicate, and recover from the breach while preserving forensic evidence.

---

11. Third-Party Vendor Management

Any third party processing data on behalf of [Company Name] (Data Processors / Entrusted Parties) must undergo strict security vetting.

• Vendors must sign a Data Processing Agreement (DPA) under GDPR.
• Vendors operating in China must sign an Entrusted Processing Agreement stipulating specific liabilities under PIPL.
• Vendors must prove adherence to RBAC and data encryption standards matching or exceeding this policy.

---

12. Training, Auditing, and Enforcement

• Training: All employees must complete mandatory Data Privacy and Information Security training upon hire and annually thereafter. Specialized training will be provided to HR, IT, and regional teams handling EU or Chinese data.
• Auditing: Internal audits will be conducted bi-annually by the Internal Audit group to verify adherence to RBAC provisioning, cross-border transfer documentation, and data retention schedules.
• Enforcement: Violations of this policy, particularly unauthorized data access or unapproved cross-border transfers, will result in disciplinary action up to and including termination of employment and legal prosecution.

---

Approval Signatures:

---

[Name], Global Chief Data Officer Date: ______________

---

[Name], Global Chief Legal Counsel Date: ______________

Disclaimer: This document serves as a comprehensive template for a Data Governance Policy. It is intended for informational purposes and does not constitute legal advice. Multinational corporations must consult with qualified legal counsel in all relevant jurisdictions (specifically the EU and China) to ensure full compliance with local laws, as regulations such as GDPR and PIPL are subject to regulatory guidance and enforcement nuances.

---

GLOBAL DATA GOVERNANCE AND PRIVACY POLICY

Document Owner	Chief Data Officer (CDO) / General Counsel
Version	1.0
Effective Date	[Date]
Review Cycle	Annual or upon Regulatory Change
Applicability	Global (All Entities, Employees, Contractors, Processors)

---

1. PURPOSE AND OBJECTIVE

The purpose of this Data Governance Policy ("Policy") is to establish the framework for managing, protecting, and utilizing [Company Name] ("the Company") data assets. This Policy ensures the integrity, confidentiality, and availability of data while guaranteeing compliance with applicable global privacy laws, specifically the EU General Data Protection Regulation (GDPR) and the People's Republic of China Personal Information Protection Law (PIPL).

2. SCOPE

This Policy applies to:

1. All Personnel: Employees, contractors, consultants, and third-party processors globally.
2. All Data: Personal Data, Sensitive Personal Data, and Confidential Business Information processed by the Company.
3. All Systems: IT infrastructure, cloud environments, and physical records handling Company data.

3. DEFINITIONS

• Personal Data (GDPR) / Personal Information (PIPL): Any information relating to an identified or identifiable natural person.
• Sensitive Data: Data revealing racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, financial account info, or location tracking (PIPL specifically includes bank accounts and precise location).
• Data Controller: The entity determining the purpose and means of processing.
• Data Processor: The entity processing data on behalf of the Controller.
• Cross-Border Transfer: Transmission of data from the jurisdiction of collection to a server or entity in another country.

4. DATA GOVERNANCE FRAMEWORK

4.1. Data Governance Steering Committee (DGSC)

A global committee comprising the CDO, CISO, General Counsel, and Regional Privacy Heads shall oversee policy enforcement.

4.2. Data Ownership

• Data Owners: Senior business leaders accountable for specific data domains (e.g., HR, Customer, Finance).
• Data Stewards: Operational roles responsible for data quality and classification.

5. DATA CLASSIFICATION AND HANDLING

All data must be classified into one of four categories to determine security controls and transfer eligibility:

Classification	Description	Handling Requirement
Public	Information intended for public release.	No restriction.
Internal	Business-only information.	Access limited to employees.
Confidential	Sensitive business data or PII.	Encryption required; strict access control.
Restricted	High-risk PII, Sensitive PIPL Data, Trade Secrets.	Strict Localization rules apply. Encryption at rest and in transit.

6. ROLE-BASED ACCESS CONTROL (RBAC)

6.1. Principle of Least Privilege

Access to data shall be granted strictly on a "Need-to-Know" and "Need-to-Do" basis. No user shall have administrative access by default.

6.2. Access Provisioning (Joiners, Movers, Leavers)

• Joiners: Access requests must be approved by the Data Owner and IT Security.
• Movers: Access rights must be reviewed and adjusted immediately upon role change.
• Leavers: All access must be revoked within 24 hours of termination.

6.3. Authentication and Segregation

• MFA: Multi-Factor Authentication is mandatory for all systems containing Confidential or Restricted data.
• Segregation of Duties (SoD): Conflicting roles (e.g., requesting payment and approving payment) must be segregated to prevent fraud and unauthorized data manipulation.

6.4. Access Review

Data Owners must conduct quarterly access reviews to certify that user privileges remain appropriate.

7. CROSS-BORDER DATA TRANSFERS

This section addresses the complex requirements of transferring data across national boundaries, prioritizing data localization where mandated.

7.1. General Transfer Principle

Data should be processed and stored within the region of origin whenever possible. Cross-border transfers are permitted only when necessary for business operations and when compliant with Section 7.2 and 7.3.

7.2. European Union (GDPR Compliance)

Transfers of Personal Data from the EEA/UK to third countries (including China and the US) require:

1. Adequacy Decision: Verification if the destination country has an EU adequacy decision.
2. Transfer Mechanisms: If no adequacy exists, the Company must utilize Standard Contractual Clauses (SCCs) approved by the European Commission.
3. Transfer Impact Assessment (TIA): A TIA must be conducted to assess if local laws in the destination country impinge on the rights of data subjects. Supplementary measures (e.g., encryption where the Company holds the keys) must be implemented if risks are identified.

7.3. China (PIPL Compliance)

Transfers of Personal Information (PI) and Sensitive PI from Mainland China to overseas entities require:

1. Data Localization: Critical Information Infrastructure Operators (CIIO) or entities processing large volumes of data (thresholds defined by CAC) must store data within China.
2. Security Assessment: For entities meeting volume thresholds, a security assessment by the Cyberspace Administration of China (CAC) is mandatory before transfer.
3. Standard Contract: For entities below CAC assessment thresholds, the Company must file the PIPL Standard Contract with the CAC.
4. Consent: Separate, explicit consent must be obtained from the data subject for cross-border transfers, informing them of the overseas recipient's name and contact details.
5. PIA: A Personal Information Protection Impact Assessment (PIA) must be completed and stored for at least 3 years prior to transfer.

7.4. Conflict of Law

In the event of a conflict between GDPR and PIPL regarding data transfers:

• Localization Priority: PIPL localization requirements take precedence for data originating in China.
• Protection Standard: The higher standard of protection applies. If GDPR requires deletion but PIPL requires retention (e.g., for labor laws), data shall be retained but access restricted to the minimum necessary.

8. DATA SUBJECT RIGHTS (DSR)

The Company shall establish a global ticketing system to manage Data Subject Requests.

Right	GDPR Requirement	PIPL Requirement	Company Standard
Access/Inquiry	Respond within 30 days.	Respond within 15 working days.	15 Working Days (Global Standard)
Correction	Without undue delay.	Promptly.	Within 15 Working Days.
Deletion (Erasure)	"Right to be Forgotten" upon request/withdrawal.	Right to delete if purpose fulfilled or consent withdrawn.	Executed unless legal retention obligation exists.
Portability	Structured, machine-readable format.	Right to request transfer to a designated third party.	Provided in CSV/JSON format.
Withdrawal of Consent	Must be as easy as giving consent.	Right to withdraw consent; cannot refuse service based solely on withdrawal (unless necessary).	Mechanism provided in all privacy notices.

9. DATA SECURITY AND BREACH NOTIFICATION

9.1. Security Controls

• Encryption: All Restricted data must be encrypted at rest (AES-256) and in transit (TLS 1.2+).
• Anonymization: Data used for testing or analytics must be anonymized or pseudonymized wherever possible.

9.2. Breach Notification

• Internal: All suspected breaches must be reported to the CISO and DPO within 24 hours of discovery.
• GDPR: Regulatory authorities must be notified within 72 hours if risk exists. Data subjects notified if high risk.
• PIPL: Notification must be sent to Chinese authorities and affected individuals immediately upon discovery of a leak.
• Response Plan: The Incident Response Plan (IRP) shall be tested annually via tabletop exercises.

10. ROLES AND RESPONSIBILITIES

10.1. European Data Protection Officer (EU DPO)

• Appointed for EU operations.
• Acts as the contact point for Supervisory Authorities and Data Subjects in the EEA.
• Monitors GDPR compliance.

10.2. Person In Charge (PIC) - China

• Appointed for China operations (mandatory under PIPL for specified volumes).
• Responsible for supervising PIPL compliance and filing reports with the CAC.
• Acts as the local representative for Chinese authorities.

10.3. Third-Party Risk Management

• All vendors processing data must sign a Data Processing Agreement (DPA).
• DPAs must incorporate GDPR SCCs and PIPL Standard Contract clauses where applicable.
• Vendor audits shall be conducted annually for high-risk processors.

11. TRAINING AND AWARENESS

• Mandatory Training: All employees must complete Data Privacy and Security training upon hire and annually thereafter.
• Role-Specific Training: HR, Marketing, and IT staff must undergo advanced training on GDPR and PIPL specific requirements.
• Record Keeping: Training completion records shall be maintained by the LMS and audited by Compliance.

12. ENFORCEMENT AND VIOLATIONS

Violation of this Policy may result in disciplinary action, up to and including termination of employment or contract.

• Negligent Violation: Retraining and written warning.
• Willful Violation: Termination and potential legal action.
• Regulatory Fines: Business units responsible for compliance failures leading to fines may face budgetary penalties.

13. POLICY REVIEW AND AUDIT

• Audit: Internal Audit shall conduct a Data Governance Audit annually.
• Review: This Policy shall be reviewed annually by the DGSC or upon significant regulatory changes (e.g., new CAC guidelines or EU case law).

---

Approval

Chief Data Officer	Chief Legal Officer	Chief Executive Officer
Signature: __________________	Signature: __________________	Signature: __________________
Date: ______________________	Date: ______________________	Date: ______________________

---

Appendix A: Cross-Border Transfer Checklist (Internal Use)

Before initiating any data transfer from EU or China, the Data Owner must complete the following:

1. Is data localization required (PIPL Critical Data)?
2. Has a Personal Information Protection Impact Assessment (PIA/TIA) been completed?
3. Is the legal mechanism (SCC / CAC Contract / Security Assessment) in place?
4. Has "Separate Consent" been obtained (PIPL) or Privacy Notice updated (GDPR)?
5. Is encryption applied such that the recipient cannot decrypt without authorization (if required by TIA)?