How to Manage Biometric Employee Data in China: 2026 Guide for Foreign Businesses

Date:

Share post:






How to Manage Biometric Employee Data in China: 2026 Guide for Foreign Businesses


How to Manage Biometric Employee Data in China: 2026 Guide for Foreign Businesses

Compliance Snapshot: Foreign companies in China must navigate the Personal Information Protection Law (PIPL), Cybersecurity Law, and specific data export regulations when collecting and processing employee biometric data. Non-compliance can result in fines of up to 5% of annual revenue or revocation of business licenses. This guide provides a step-by-step framework for compliant biometric data management in the workplace.

China’s regulatory framework for biometric data has matured significantly since the PIPL took effect in 2021. By 2026, enforcement has intensified, and the definition of “sensitive personal information” under Article 28 of the PIPL explicitly includes fingerprints, facial recognition data, iris scans, palm prints, and voiceprints used for employee identification or access control.

The key regulatory instruments governing biometric employee data are:

  • Personal Information Protection Law (PIPL) — The primary data privacy law. Articles 28–32 specifically address sensitive personal information, including biometric data.
  • Cybersecurity Law (CSL) — Sets requirements for network security and data classification when biometric systems are connected to corporate networks.
  • Data Security Law (DSL) — Establishes data classification and protection obligations, particularly for “important data” that may include aggregated biometric datasets.
  • Measures on the Security Assessment of Cross-Border Data Transfers — Governs the transfer of employee biometric data outside China.
  • Regulations on the Management of Facial Recognition in Public Places (2024) — Restricts the use of facial recognition technology in workplace and public settings.
2026 Update: China’s Cyberspace Administration (CAC) has intensified inspections of foreign-invested enterprises (FIEs) using biometric systems. In 2025, over 40 companies were fined for non-compliant biometric data collection in the workplace, with penalties averaging ¥500,000–¥5 million (approximately $70,000–$700,000).

2. Before You Collect: Consent and Notification Requirements

Under Article 29 of the PIPL, biometric data qualifies as “sensitive personal information,” requiring separate, explicit, and informed consent from each employee. This is distinct from the general consent obtained in employment contracts.

2.1 Elements of Valid Consent

  • Separate consent document: Cannot be buried in an employee handbook or general privacy policy. Must be a standalone consent form specifically addressing biometric data collection.
  • Specific purpose: Clearly state why biometric data is collected (e.g., “for time and attendance recording via fingerprint scanning”).
  • Data retention period: Specify how long the data will be kept and the deletion timeline after the employment relationship ends.
  • Third-party sharing: Disclose whether biometric data will be shared with any third parties, including HR software providers, cloud storage vendors, or headquarters abroad.
  • Consequences of refusal: Inform employees that refusing biometric data collection will not result in adverse employment actions, and alternative methods (e.g., PIN code, access card) will be provided.
  • Right to withdraw: Employees must be informed of their right to withdraw consent at any time and the process for doing so.

2.2 Notification Requirements

Before initiating biometric data collection, foreign companies must provide employees with a privacy notice that includes:

  • The name and contact information of the data processor (the company’s legal entity in China)
  • The purposes and methods of biometric data processing
  • The types of biometric data collected and the retention period
  • The procedures for exercising data subject rights under the PIPL
  • The potential risks associated with biometric data processing
Common Pitfall: Many foreign companies use a single consent form covering all types of personal data. Regulators have increasingly flagged this as non-compliant. Biometric consent must be separated from general personal data consent. A 2025 CAC enforcement action against a German automotive supplier in Shanghai specifically cited the lack of separate biometric consent as a primary violation.

3. Processing and Storage Best Practices

Article 6 of the PIPL requires that data collection be limited to the minimum necessary for the stated purpose. For employee biometric data, this means:

3.1 Minimization Principles

  • Purpose limitation: If the purpose is time and attendance, collect only the biometric data needed for that purpose. Do not repurpose data for security surveillance, performance monitoring, or other uses without additional consent.
  • Data minimization: Store biometric templates (mathematical representations derived from the original biometric sample) rather than raw images. Template storage significantly reduces privacy risk and is viewed more favorably by regulators.
  • Access controls: Limit access to biometric data to the minimum number of authorized personnel. HR and IT administrators should not have unfettered access to biometric databases.

3.2 Technical Safeguards

  • Encryption: Encrypt biometric data both at rest (AES-256 or equivalent) and in transit (TLS 1.3 or higher).
  • Local storage: Where possible, store biometric data on local terminals rather than centralized servers. Many attendance systems now offer on-device template matching that never transmits biometric data over the network.
  • Access logging: Maintain detailed logs of who accesses biometric data, when, and for what purpose. Retain logs for at least 6 months for audit purposes.
  • Regular security assessments: Conduct annual (at minimum) security assessments of biometric systems by a qualified third party.

3.3 Vendor Management

When foreign companies procure biometric systems from Chinese vendors (e.g., ZKTeco, Hikvision, Dahua), they must:

  • Include data processing clauses in vendor contracts that comply with PIPL requirements
  • Verify that the vendor has implemented appropriate technical and organizational measures
  • Ensure the vendor does not retain or repurpose biometric data beyond the scope of the service agreement
  • Conduct vendor due diligence on data security practices before deployment

4. Employee Rights and Access Requests

Under the PIPL, employees have the following rights regarding their biometric data:

Right Description Response Timeline
Right to know Be informed about the collection and processing of biometric data Prior to collection
Right to consent Provide explicit, separate consent At the point of collection
Right to withdraw Withdraw consent at any time Immediately upon request
Right to access Request a copy of stored biometric data Within 15 working days
Right to rectification Correct inaccurate biometric data Within 15 working days
Right to deletion Request deletion of biometric data Within 15 working days
Right to portability Transfer biometric data to another processor Within 30 working days
Practical Tip: Establish a dedicated email address (e.g., privacy@company.com.cn) for employee data subject requests. Train HR staff to recognize and escalate biometric data requests within 24 hours. The CAC has noted that delayed responses to data subject requests are a common compliance failure among foreign companies.

5. Cross-Border Data Transfer Rules

One of the most complex aspects of managing employee biometric data for foreign companies is the restriction on cross-border transfers. Under China’s data export regime, biometric data — as sensitive personal information — faces the strictest transfer requirements.

5.1 Transfer Routes

Foreign companies that need to transfer employee biometric data to their overseas headquarters must use one of three legally recognized transfer mechanisms:

  1. Security Assessment (via the CAC) — Required when the data processor processes the personal information of more than 1 million individuals, or when sensitive personal information of more than 10,000 individuals is transferred abroad. Most FIEs with more than 10,000 employees will fall into this category.
  2. Standard Contract for Cross-Border Transfers (SCC) — For companies below the Security Assessment thresholds. Requires filing with provincial CAC authorities and conducting a personal information protection impact assessment (PIPIA).
  3. Certification by a professional institution — Under Article 38 of the PIPL, companies can obtain third-party certification as an alternative transfer mechanism. However, this route is less commonly used for biometric data due to the stringent certification criteria.

5.2 Practical Considerations

Most foreign companies with operations in China find that the most practical approach is to store employee biometric data locally within China and only transmit de-identified or aggregated data overseas. This significantly reduces the regulatory burden while still allowing headquarters to maintain oversight.

Critical Note: Simply storing biometric data on a cloud server hosted outside China (e.g., AWS Singapore, Azure East Asia) constitutes a cross-border data transfer and triggers the full security assessment or SCC filing requirements, regardless of whether the data is actively accessed from abroad.

6. Audit and Compliance Checklist

Foreign companies should conduct a quarterly self-audit of their biometric data management practices against the following checklist:

  1. ☐ Separate consent forms — Are biometric consent forms distinct from general employment consents?
  2. ☐ Purpose documentation — Is the specific purpose of each biometric system documented and communicated?
  3. ☐ Retention schedules — Are biometric data retention periods defined and enforced?
  4. ☐ Deletion protocols — Are departing employees’ biometric data promptly deleted?
  5. ☐ Alternative methods — Are non-biometric alternatives available for all employees who refuse consent?
  6. ☐ Encryption status — Are all biometric databases encrypted at rest and in transit?
  7. ☐ Access controls — Is access to biometric data limited to authorized personnel only?
  8. ☐ Vendor agreements — Do biometric system vendor contracts include PIPL-compliant data processing clauses?
  9. ☐ Cross-border transfers — Has a PIPIA been conducted for any cross-border transfers of biometric data?
  10. ☐ Data subject rights — Is there a documented process for handling employee data subject requests?
  11. ☐ Incident response — Is there a breach notification protocol specifically for biometric data incidents?
  12. ☐ Training records — Have relevant employees (HR, IT, legal) received training on biometric data compliance?

7. Penalties and Enforcement Trends

Enforcement of biometric data regulations has accelerated significantly in 2025–2026. Foreign companies face particular scrutiny because of the cross-border data transfer dimension.

7.1 Penalty Framework Under the PIPL

  • Administrative fines: Up to ¥50 million ($7 million) or 5% of the preceding year’s annual revenue for serious violations
  • Confiscation of illegal gains: Profits derived from non-compliant data processing can be confiscated
  • Suspension of business: Companies may be ordered to suspend relevant business activities
  • Revocation of permits: In severe cases, business licenses may be revoked
  • Personal liability: Directly responsible managers and officers can face personal fines of ¥100,000–¥1 million

7.2 Recent Enforcement Actions (2025–2026)

  • Hangzhou manufacturing JV (2025): Fined ¥2.3 million for using facial recognition for attendance without separate consent. The company also failed to provide alternative check-in methods for employees who objected.
  • Shanghai retail chain (2025): Fined ¥1.8 million for storing raw facial images (rather than templates) on a cloud server accessible from overseas headquarters without completing the cross-border security assessment.
  • Guangdong logistics company (2026): Ordered to cease all biometric data collection for three months after failing to respond to employees’ data deletion requests within the statutory timeline.
Key Takeaway: Proactive compliance is not just about avoiding penalties. A growing number of foreign companies in China are using transparent biometric data practices as a competitive advantage in talent recruitment and retention. Employees increasingly expect their privacy rights to be respected, and companies with strong compliance records report higher trust scores in internal surveys.

Conclusion

Managing biometric employee data in China requires a systematic approach that integrates legal compliance, technical safeguards, and operational practices. Foreign businesses must treat biometric data as the high-risk category it is under Chinese law — distinct from ordinary personal data and subject to heightened protections.

The key pillars of a compliant biometric data management program are: (1) obtaining separate, explicit consent from each employee, (2) implementing data minimization and encryption, (3) establishing clear retention and deletion schedules, (4) navigating cross-border transfer restrictions carefully, and (5) maintaining a robust audit trail to demonstrate compliance to regulators.

As CAC enforcement continues to intensify in 2026, foreign companies that invest in compliant biometric systems — including on-device processing, local data storage, and transparent consent processes — will be best positioned to avoid penalties and maintain employee trust.

This guide was updated in July 2026. Regulatory requirements may change. Consult with qualified legal counsel for advice specific to your company’s circumstances.


Related articles

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreign Firms

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreig

China’s 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance

China's 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance China's 2025 amendments to the Environmental Protect

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study By 2023, Unilever had reduced its total waste generation across i

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-se