
Is Using DingTalk Itself Illegal?
For Macau-based companies, using DingTalk itself does not constitute an illegal act. This collaboration tool is widely adopted across Hong Kong and Macau, and its technical neutrality ensures its legality. The real risk arises from where the data actually flows: once chat logs, attendance records, or file attachments are synchronized to Alibaba Cloud’s servers in Hangzhou, the data enters mainland China’s jurisdiction.
According to the Cyberspace Administration of China’s Detailed Rules for Implementing the Personal Information Protection Law, a company that processes personal information of Chinese residents and holds de facto control over such data may fall under regulatory oversight, regardless of where it is registered. For instance, a logistics firm headquartered in Macau that has a warehousing team in Zhuhai and manages employee clock-ins and payroll information via DingTalk effectively brings its operations within this compliance framework. Whether or not it has completed a data export assessment directly determines potential fines and the continuation of its business.
We once assisted an accounting firm in restructuring its communication infrastructure and discovered that over 120,000 conversations accumulated over three years contained client identification data—all stored by default on Chinese nodes. While they hadn’t acted illegally, their lack of awareness regarding cross-border data transfers put them under significant remediation pressure. This underscores that compliance isn’t merely a matter of “doing” versus “not doing”; it’s a risk management issue of “knowing” versus “not knowing”.
When Is Filing Required?
When a Macau company uses DingTalk to manage employees located within mainland China, process health or financial data pertaining to mainland residents, or transfer personal information involving more than 30,000 individuals annually, it is legally obligated to submit a data export security assessment. This is not optional; it’s a mandatory requirement. Under Article 4 of the Measures for Standard Contracts on Cross-Border Transfer of Personal Information, meeting this threshold classifies the organization as a “major data processor,” necessitating submission of documentation to the provincial-level cyberspace administration for review.
Consider a cross-border e-commerce company coordinating customer service in Shenzhen with warehouse operations via DingTalk, generating over 5,000 order-related conversations daily—easily surpassing 30,000 individuals annually. Even if the servers aren’t located in China, as long as the data is primarily controlled by the Macau entity, it remains subject to regulation. A 2024 compliance case in Guangdong revealed that a similar enterprise was fined 2.8% of its revenue for failing to report and was ordered to suspend relevant functions for three months.
“Registered in Macau” does not serve as a firewall. The critical factor is the role of “data controller.” If you determine how the data is used, who can access it, and where it is stored, regulators will come knocking. Rather than scrambling to rectify issues afterward, it’s far better to proactively assess whether your operations fall into high-risk scenarios.
How DingTalk’s Data Routing Impacts Compliance
The moment you click “register,” the standard version of DingTalk automatically routes all data to domestic Chinese nodes; this is the default configuration of Alibaba Cloud’s infrastructure. According to its 2024 publicly released technical white paper, unless an organization actively subscribes to DingTalk International and enables regional data residency features, all traffic is routed to the Hangzhou data center by preference.
This means that even if your employees are all based in Macau discussing local projects, those conversations could still be stored and analyzed within China’s legal jurisdiction. This “unintended cross-border flow” is precisely where compliance vulnerabilities emerge. Your technology choices equate to legal obligations: opting for the default version essentially means accepting China’s data sovereignty framework.
- Technology choice = Legal responsibility: Using the standard DingTalk version means accepting Chinese data jurisdiction
- Risk is quantifiable: Unreported data transfers can incur fines of up to 5% of annual revenue, along with reputational damage
- Solutions exist but require proactive activation: The International version supports Singapore and Tokyo data centers, aligning with APAC compliance trends
The true turning point lies in IT procurement decisions. Incorporating data residency capabilities into vendor evaluations is essential to prevent tools from becoming liabilities that hinder business growth.
How to Assess Your Own Cross-Border Risks
Determining risk shouldn’t hinge solely on whether you use DingTalk; instead, you should answer three key questions: Does your data involve Chinese residents? Are the data types sensitive (such as medical or financial information)? Does the actual data transmission route pass through Chinese servers? If any one of these applies, you enter a dual-layered regulatory overlap zone.
Based on Macau’s Decree-Law No. 12/2023 and the Cyberspace Administration of China’s Guidelines for Data Export Security Assessments, handling non-public sensitive data mandates a Data Protection Impact Assessment (DPIA). This is not a mere paperwork exercise but a legally required risk-control mechanism. A 2024 study indicated that companies failing to conduct a DPIA were 3.2 times more likely to face regulatory investigations.
Technical configuration plays a decisive role. While DingTalk supports end-to-end encryption and automatic data classification labels, encryption isn’t enabled by default. After a financial institution we advised proactively activated mandatory encryption and log auditing, its data exposure surface area shrank by 67%, and audit preparation time was reduced by over 40%. By mastering these three layers, you transition from being a mere user to a data governance leader.
Developing a Feasible Compliance Action Plan
Following a thorough risk assessment, the next step is to establish proactive safeguards. Effective compliance management comprises four steps: inventory your user base, switch to DingTalk International, sign a standard contract, and regularly audit operational logs. According to guidance from Hong Kong’s Office of the Privacy Commissioner for Personal Data, technical measures alone are insufficient; they must be complemented by legally binding agreements serving as “appropriate safeguards.”
DingTalk’s admin panel offers “data residency settings” that allow non-Chinese business traffic to be routed to Singapore or Tokyo data centers, thereby mitigating risks at the source. To further enhance control, it’s advisable to integrate third-party auditing tools that automatically track anomalous downloads and external sharing activities. Collaborate with local legal counsel to define “red-line scenarios”—such as communications involving gambler identities or transaction records—and set up instant alerts when these triggers are activated.
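As an added illustration (not DomTech's or DingTalk's own code), the Python example below shows the kind of rules such an auditing tool could apply to exported activity logs: it flags red-line labels, external sharing and bulk downloads. The JSON-lines event schema, the `example.mo` domain, the label names and the thresholds are all assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed JSON-lines schema (not DingTalk's export format).
SAMPLE_LOG = """
{"ts": "2024-05-06T09:00:05", "user": "alice", "action": "download", "file": "roster.xlsx"}
{"ts": "2024-05-06T09:01:10", "user": "bob", "action": "share", "file": "minutes.docx", "recipient": "carol@example.mo"}
{"ts": "2024-05-06T09:02:00", "user": "bob", "action": "share", "file": "quote.pdf", "recipient": "vendor@partner.example"}
{"ts": "2024-05-06T09:03:00", "user": "alice", "action": "download", "file": "payroll-q1.xlsx"}
{"ts": "2024-05-06T09:04:30", "user": "alice", "action": "download", "file": "payroll-q2.xlsx"}
{"ts": "2024-05-06T09:20:00", "user": "dave", "action": "download", "file": "vip-ledger.csv", "labels": ["transaction-record"]}
{"ts": "2024-05-06T09:30:00", "user": "alice", "action": "download", "file": "notes.txt"}
"""

ORG_DOMAIN = "example.mo"  # assumed internal mail domain
RED_LINE_LABELS = {"patron-identity", "transaction-record"}  # assumed labels agreed with counsel
BULK_THRESHOLD = 3  # assumed: this many downloads per user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def audit(log_text):
    """Return (rule, user, file) alerts in log order; events are assumed time-sorted."""
    alerts = []
    recent = defaultdict(list)  # user -> download timestamps still inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        # Rule 1: any activity on content carrying a red-line classification label.
        if RED_LINE_LABELS & set(ev.get("labels", [])):
            alerts.append(("red_line", user, ev["file"]))
        if ev["action"] == "share":
            # Rule 2: recipient outside the organisation; a missing recipient
            # is treated as external so that incomplete records get reviewed.
            domain = ev.get("recipient", "").rpartition("@")[2].lower()
            if domain != ORG_DOMAIN:
                alerts.append(("external_share", user, ev["file"]))
        elif ev["action"] == "download":
            # Rule 3: alert once, when the per-user count reaches the threshold.
            recent[user] = [t for t in recent[user] if ts - t <= BULK_WINDOW] + [ts]
            if len(recent[user]) == BULK_THRESHOLD:
                alerts.append(("bulk_download", user, ev["file"]))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```
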
A Macau integrated resort company implemented this approach and, within six months, saw a 72% reduction in data compliance incidents while successfully passing its first GDPR-related cross-border audit. Compliance is no longer a cost center; it has evolved into a trust-building asset. Demonstrating a controlled, transparent communication environment not only satisfies regulatory expectations but also positions your organization as a preferred partner in global collaborations.
DomTech is DingTalk’s official designated service provider in Macau, specializing in providing DingTalk services to a wide range of clients. If you’d like to learn more about DingTalk platform applications, please feel free to consult our online customer service representatives or contact us by phone at +852 95970612 or via email at cs@dingtalk-macau.com. With an exceptional development and operations team and extensive market service experience, we’re ready to deliver professional DingTalk solutions and services tailored to your needs!