Português
English
Are There Legal Risks in Using DingTalk?
For you, using DingTalk itself to operate a Macau-registered company is not illegal. However, if your employees upload customer data, employee communication records, or meeting recordings—and these files are routed through Alibaba Cloud to servers in Hangzhou or Shenzhen—the issue arises: you would be deemed to have “transferred personal information abroad.”
According to Article 38 of China’s Personal Information Protection Law, if you process personal information involving more than 10,000 individuals or transfer 100,000 records cross-border within a year, you must either file a record or sign a standard contract. Failure to do so could result in a fine of up to 5% of your annual revenue. In 2024, a Zhuhai construction company was required to undertake comprehensive rectification and faced a two-month project delay because an engineering progress schedule containing workers’ ID numbers was synchronized via DingTalk.
Thus, the risk does not stem from the tool itself but rather from “where the data actually ends up.” You may assume that operating within Macau ensures compliance, but it is the system architecture that determines jurisdiction.
How DingTalk’s Data Storage Location Impacts Compliance
DingTalk Enterprise Edition defaults to storing data on nodes in East China 1 (Hangzhou) and South China 1 (Shenzhen). This means that even if your entire team is based in a Macau office, as long as you use standard accounts, all files, chat logs, and call content effectively “land” within mainland China.
This configuration implies that your customers’ contact details, draft contracts, and even internal meeting summaries are all subject to China’s Measures for Security Assessment of Cross-Border Data Transfer. Once sensitive data—such as health records or financial information—is involved, you must obtain individual consent, complete a security assessment, or sign a standard contract approved by the Cyberspace Administration of China.
A solution exists: switch to DingTalk International. Under this version, data is routed to Singapore or Japan, thereby avoiding Chinese jurisdiction. We’ve seen a private bank in Macau reduce its compliance review time from three months to six weeks after adopting DingTalk International, significantly accelerating the launch of projects with mainland partners.
Which Industries Should Be Most Cautious?
The highest risks are associated with finance, healthcare, cross-border e-commerce, and educational institutions. The reason is straightforward: you handle sensitive data such as customer ID cards, bank accounts, and medical records on a daily basis, often collaborating with teams in Zhuhai and Guangzhou.
For example, a dental clinic in Macau used DingTalk to send patient X-rays to a prosthetic lab in Shenzhen for denture fabrication. While seemingly convenient, this practice actually violates both local and mainland regulations. China requires a security assessment before transferring sensitive data abroad, while Macau’s Personal Data Protection Law, Article 12, mandates that the receiving party provide an equivalent level of protection.
The 2024 Asia-Pacific Compliance Cost Report indicates that compensation for healthcare data breaches is, on average, 47% higher than for other types of incidents. High-risk industries can no longer view DingTalk merely as a communication tool; instead, they should regard it as a “data channel,” where every message carries legal weight.
How to Determine Whether You Need to File a Record
Instead of asking, “Do I need to file a record?” it’s better to ask, “Have we crossed the threshold?” You can conduct a self-assessment in three steps:
- Over the past year, have you transmitted data pertaining to more than 10,000 individuals via DingTalk? (e.g., employees, customers, members)
- Has the total volume of personal information you’ve processed exceeded 100,000 records?
- Have you transferred any sensitive data—such as ID cards, bank account numbers, or medical records—to non-local teams?
If the answer to any one of these questions is “yes,” you should initiate compliance procedures. More importantly, map out your “data flow diagram”—which departments are using DingTalk to transmit what, to whom, and how it is encrypted. We once conducted a review for a Macau travel agency and discovered that tour guides routinely uploaded scans of mainland tourists’ ID cards, accumulating over 12,000 records per month—well above the reporting threshold.
Only by understanding the facts can you choose the appropriate course of action: restricting usage, switching platforms, or formally filing a record.
Four Steps to Navigate the Compliance Threshold
Truly savvy companies don’t wait until problems arise to act. We recommend immediately following this four-step approach:
Step 1: Assess the current situation—identify which departments are using DingTalk, what data is being transmitted, and where it is going. Step 2: Switch versions—have high-risk units migrate to DingTalk International to isolate jurisdictional risks. Step 3: Sign a standard contract—if cross-border transmission is unavoidable, follow the framework established by the Cyberspace Administration of China to prepare the necessary documentation. This approach is cost-effective and efficient. Step 4: Conduct regular audits—revisit your data flow patterns every six months to ensure nothing has been overlooked.
A 2024 Deloitte survey reveals that companies that proactively implement compliance measures enjoy a 40% faster market entry and 60% lower compliance costs. Compliance is no longer a burden; it has become a competitive advantage. Customers know you take data protection seriously, making them more willing to collaborate.
DomTech is DingTalk’s official designated service provider in Macau, specializing in providing DingTalk services to a wide range of clients. If you’d like to learn more about DingTalk platform applications, please feel free to consult our online customer service representatives or contact us by phone at +852 95970612 or via email at cs@dingtalk-macau.com. Our skilled development and operations teams bring extensive market experience to deliver professional DingTalk solutions and services!