Today, according to a post from the WeChat account of China’s National Cybersecurity Notification Center, multiple media outlets reported in May that French fashion and consumer brand Dior experienced a data breach. Users in mainland China subsequently received official warning text messages from Dior. In response, the public security cyber departments launched an administrative investigation into Dior (Shanghai) Co., Ltd.
The investigation found three violations by Dior (Shanghai):
The company unlawfully transferred users’ personal information to Dior’s headquarters in France without conducting a data export security assessment, signing a standard contract for cross-border personal information transfers, or obtaining personal information protection certification.
Before providing users’ personal information to Dior headquarters in France, the company failed to fully inform users about how their data would be handled by the overseas recipient and did not obtain their “separate consent.”
The company did not adopt security measures such as encryption or de-identification for the personal information collected.
The local public security authorities, in accordance with the Personal Information Protection Law, imposed an administrative penalty on Dior (Shanghai).
According to the latest financial report, Dior’s parent company LVMH Group recorded revenue of €39.8 billion in the first half of 2025, down 4% year-on-year. Its perfumes and cosmetics division generated €4.08 billion in revenue during the same period, a 1% decline year-on-year.
