How Long Can Foreign Companies Store Biometric Data in China?
One of the most common questions foreign companies face when deploying biometric systems in China is straightforward but carries complex legal implications: how long can we keep this data? The answer is not a fixed number of days, months, or years. Instead, Chinese law requires that biometric data be retained for only as long as is necessary to fulfill the purpose for which it was collected — and not a day longer. This principle, known as the “minimum storage period” requirement, is enforced through multiple overlapping regulations and carries substantial penalties for non-compliance.
This FAQ provides a comprehensive breakdown of biometric data retention rules, sector-specific variations, mandatory deletion obligations, and practical guidance for foreign businesses.
The Core Legal Principle: Purpose-Limited Storage
Article 6 of China’s Personal Information Protection Law (PIPL) establishes the foundational principle that personal information — including sensitive data like biometrics — “shall be retained for the minimum period necessary to achieve the purpose of processing.” Once the processing purpose has been achieved, the data must be deleted.
This principle applies with extra force to biometric data because it is classified as “sensitive personal information” under Article 28 of the PIPL. The law expects businesses to apply stricter standards to sensitive data, including more aggressive retention limits and more secure deletion protocols.
The Data Security Law (DSL) reinforces this requirement through its data classification and protection system. Biometric data that qualifies as “important data” — typically datasets of a certain scale — is subject to additional retention and destruction reporting obligations.
General Retention Guidelines by Use Case
While Chinese law does not prescribe specific day counts for general biometric retention, regulators have provided guidance on reasonable periods for common use cases. The following table summarizes generally accepted retention periods based on CAC guidance, industry practices, and enforcement trends:
| Biometric Use Case | Recommended Maximum Retention | Rationale |
|---|---|---|
| Employee fingerprint/face attendance | Termination of employment + 1 year (for potential labor disputes) | Labor Law limitation period for claims is 1 year |
| Visitor/contractor access control | End of visit + 30 days | Security audit purposes only; no ongoing need |
| Customer identity verification (KYC) | Duration of business relationship + 5 years | Anti-Money Laundering (AML) regulations require 5-year retention of customer identity records |
| Payment authentication (face/voice/fingerprint) | Duration of account + 3 years after closure | Regulatory requirement for financial records retention |
| Hotel/residential facial recognition check-in | Checkout + 1 month | Public security audit requirements |
| Employee biometric data for HR systems shared globally | Termination of employment + data transfer cessation | Once transferred, retention abroad is subject to contract terms, but original must be deleted when domestic purpose ends |
| Surveillance/security CCTV with facial recognition | 30 days (unless under active investigation) | Standards for Security Technology Prevention (GA/T 646-2016) |
| Biometric training data for ML/AI models | Upon completion of model training | Must not be retained after purpose is served |
Important: These are regulatory expectations, not rigid statutory limits. Companies should document the justification for their chosen retention period in their Personal Information Protection Impact Assessment (PIPIA) and must be prepared to defend their rationale to regulators.
Sector-Specific Retention Rules
Several industries have specific biometric data retention rules that override the general “purpose-limited” principle:
Financial Services
The People’s Bank of China (PBOC) requires financial institutions to retain biometric identity verification records — including facial images and fingerprint data collected for KYC purposes — for at least five years after the termination of the business relationship or completion of the transaction (PBOC Administrative Measures for the Record of Financial Institution Customer Identification, Order No. 2 of 2021). This is a minimum requirement; many banks retain for longer under internal risk management policies.
However, the PBOC also requires that biometric data be stored using encryption that separates the biometric template from the identity information, and that access to biometric data be logged and auditable. Retention beyond the mandatory five-year period requires documented justification.
Human Resources and Employment
For employee biometric data used in attendance and access control systems, Chinese labor law provides the primary reference point. The statute of limitations for labor-related claims is one year from the date the right was infringed (Article 27 of the Labor Dispute Mediation and Arbitration Law). Many legal advisors therefore recommend retaining employee biometric data for no longer than one year after termination of employment, after which the risk of retaining sensitive data outweighs any remaining utility for dispute resolution.
The CAC has also indicated in informal guidance that employers should not retain biometric data of employees who have left the organization beyond the period necessary to finalize payroll and benefits, which is typically 3 to 6 months unless there is an active dispute.
Healthcare and Medical Research
Patient biometric data in China is subject to additional controls under the Basic Healthcare and Health Promotion Law (2020) and the Administrative Measures for Medical Records. Medical records, including biometric diagnostic data (e.g., retinal scans, genetic test results, facial thermography), must be retained for at least 15 years under the Regulation on the Management of Medical Institutions (Order No. 35 of the State Council). Outpatient records must be retained for at least 15 years; inpatient records for at least 30 years. These retention requirements override the general PIPL deletion obligation, but impose strict access control and encryption requirements on the stored data.
Public Security and Law Enforcement
Biometric data collected for public security purposes — for example, hotel guest facial recognition required by the Ministry of Public Security, or border control biometrics — is governed by separate regulations. Data collected under legal obligation for public security purposes is generally not subject to the same deletion requirements, but access is strictly limited to authorized law enforcement personnel. Foreign companies operating hotels, transportation hubs, or other venues that collect biometrics for public security purposes should keep their retention to the minimum necessary to comply with local public security bureau requirements and delete the data promptly after the applicable audit period expires.
When Must Biometric Data Be Deleted Immediately?
Beyond the general “purpose fulfilled” trigger, Chinese law requires immediate deletion of biometric data in the following specific circumstances:
- Consent withdrawal: If a data subject withdraws consent and there is no other legal basis for continued processing, the biometric data must be deleted immediately (Article 15(3), PIPL)
- Processing purpose achieved: When the original purpose for collection is fulfilled and no other legal justification exists (Article 47(1), PIPL)
- Collection unlawfully obtained: If biometric data was collected without proper consent or through deceptive means, it must be deleted immediately upon discovery (Article 47(2), PIPL)
- Retention period expired: Upon expiration of the documented retention period (Article 47(3), PIPL)
- Cessation of business operations: If the foreign company ceases its China operations or the specific business unit that processes biometrics, all biometric data must be deleted (Article 47(4), PIPL)
- Regulatory order: If the CAC or a sector regulator orders deletion following a compliance investigation
What About Anonymized or De-Identified Biometric Data?
A common misconception is that biometric data can be retained indefinitely once it has been “anonymized.” Under Article 4 of the PIPL, data that has been irreversibly anonymized is no longer considered personal information and is therefore not subject to retention limits. However, Chinese regulators take a strict view of what constitutes effective anonymization.
For biometric data — especially facial recognition templates and fingerprint minutiae — true anonymization is extremely difficult. Researchers have repeatedly demonstrated that biometric data can be reidentified if the anonymization algorithm or parameters are known. The CAC and the TC260 (National Information Security Standardization Technical Committee) have indicated that for biometric data, pseudonymization (reversible de-identification) is NOT sufficient to exempt data from retention limits. Only irreversible anonymization — where reidentification is computationally and practically infeasible — satisfies the threshold.
Practical implication: Foreign companies should assume that biometric data can never be meaningfully anonymized for retention purposes. Plan for deletion within the applicable retention period rather than hoping to indefinitely retain “anonymized” biometric templates.
Secure Deletion Requirements
When biometric data reaches the end of its retention period, deletion is not simply a matter of clicking “delete” in a software interface. Chinese law requires that deletion be irreversible and verifiable. The national standard GB/T 35273-2020 requires that:
- Biometric data be overwritten using secure deletion algorithms (e.g., multiple-pass overwriting or cryptographic erasure)
- Backup copies, archives, cold storage copies, and disaster recovery snapshots containing biometric data also be deleted or overwritten
- A deletion record be maintained, documenting what was deleted, when, by whom, and the method used
- Third parties who received copies of the biometric data be contractually obligated to delete their copies when the retention period expires
How to Set and Enforce Retention Policies
Practical steps for foreign businesses to manage biometric data retention in China:
- Document retention periods in advance: Include retention periods for each biometric use case in the PIPIA and in privacy notices provided to data subjects
- Implement automated deletion: Configure biometric systems (attendance terminals, access control servers, facial recognition databases) to automatically purge data upon expiration of the retention period
- Audit regularly: Conduct quarterly audits of biometric data stores to ensure deletion policies are being followed and no data is being retained longer than permitted
- Separate biometric from identity data: Store biometric templates in a separate database from identity information (name, ID number, contact details) to reduce the risk profile
- Contract with third parties: Ensure that any third-party biometric system vendors have contractual obligations to delete data at the end of the retention period and provide deletion certificates
- Train staff: Ensure that HR, IT, security, and compliance teams understand retention obligations and deletion procedures for biometric data
Key Takeaway
Related Resources
- PIPL Articles 6, 28, 47: Purpose limitation, sensitive data classification, and deletion obligations
- GB/T 35273-2020: Personal Information Security Specification — detailed guidance on storage, deletion, and anonymization
- PBOC Order No. 2 of 2021: Administrative Measures for Financial Institution Customer Identification Records
- GA/T 646-2016: Standards for Security Technology Prevention — CCTV and surveillance data retention
