
Public Security Cybersecurity Department Penalizes Dior (Shanghai) Company

Plastmatch 2025-09-09 15:02:19

Zhuan Su Shi Jie has learned that on September 9, the National Cybersecurity Notification Center issued a notice stating that the public security and cybersecurity departments have lawfully investigated and dealt with the case of Dior (Shanghai) Company for failing to fulfill its personal information protection obligations according to the law.

In May of this year, multiple media outlets reported a data breach involving the French fashion consumer brand Dior, and users in mainland China also received official warning messages from Dior. In response, the public security cybersecurity departments opened an administrative investigation into Dior (Shanghai) Company in accordance with the law.

The investigation found that Dior (Shanghai) Company had committed three violations. First, without conducting a data export security assessment, signing a standard contract for the export of personal information, or obtaining personal information protection certification, the company illegally transmitted users’ personal information to Dior’s headquarters in France. Second, before providing users’ personal information to Dior’s headquarters in France, the company failed to fully inform users of how their personal information would be handled by the overseas recipient and failed to obtain users’ “separate consent.” Third, the company did not apply technical security measures such as encryption or de-identification to the personal information it collected. The local public security authorities have imposed administrative penalties on Dior (Shanghai) Company in accordance with the Personal Information Protection Law.

Safety Notice: Citizens' personal information is protected by law. Personal information handlers should take this case as a lesson, adhere to the principles of legality, legitimacy, necessity, and good faith, implement the relevant provisions of the Personal Information Protection Law regarding personal information processing and cross-border provision, standardize the entire lifecycle of personal information activities including collection, storage, use, processing, transmission, provision, disclosure, and deletion, and effectively protect users' personal information security.

Previous reports—

On May 12th, Dior, a core brand under luxury giant LVMH, experienced a customer data breach in the Chinese market. Starting from the evening of May 12th, multiple Dior customers in China gradually received official warning messages informing them that their personal data might have been compromised.

According to the information disclosed by Dior in a text message, on May 7, 2025, the brand detected that unauthorized external individuals had successfully accessed and obtained some of the customer data held by Dior. The scope of the leaked data is extensive, covering customers’ names, genders, mobile phone numbers, email addresses, mailing addresses, as well as highly sensitive information such as purchase amounts, consumption preferences, and other user information collected by the brand.
