Cybersecurity and Data Protection Issues for Enterprises in the Health and Medical Fields

In addition to the general personal information, important data, core data and cybersecurity protection obligations stipulated under the Personal Information Protection Law, the Data Security Law, the Cybersecurity Law and their supporting regulations, health and medical enterprises also face more stringent and targeted regulations affecting medical big data, medical records and human genetic resources. These regulations bring challenges to health and medical enterprises in areas such as data collection, processing, usage, transfer, sharing, cross-border transmission, clinical trials, technology development, and international cooperation. With developments in medical big data, the increasing use of online medical treatment platforms and tools, and the deepening application of medical AI, healthcare enterprises face unique issues and challenges in complying with these new data and cybersecurity regulations.


JunHe provides legal services on data protection and cybersecurity to several life health and medical companies, based on the latest developments in the industry. The breadth and depth of legal services required by health and medical companies continue to expand. This includes the collection and usage of the personal information of patients and clients in daily business, compliance analysis for business cooperation, the drafting and revision of data transfer agreements, and daily staff training. There are also concerns around the use of third-party databases in pharmaceutical economics, the development of medical AI projects, and international cooperation on research and development. We have a wealth of experience in assisting companies with legal issues in daily business, cutting-edge technologies and new business development, and we can assist companies in exploring their legal requirements and propose constructive solutions.

We Provide the Following Services:

Data examination and compliance advice:

  • Providing comprehensive data combing services for health and medical enterprises;

  • On the basis of data combing, assisting health and medical enterprises in implementing comprehensive compliance in the fields of data and cybersecurity.

Compliance advice on the special requirements for health and medical enterprises, and assisting in applying for government approvals, such as:

  • Conducting legal compliance analysis on data collection, data use and data sharing, etc., based on the requirements of population health information and health care big data, medical record management, human genetic resources information management, clinical trial quality management, biomedical research ethics management, etc.;

  • Providing legal advice in the fields of data and cybersecurity for Internet hospital preparation and operation;

  • Drafting relevant informed consent forms for the collection of personal information and medical data in the course of daily business, in order to meet the regulatory requirements for the collection of medical and health data;

  • Providing legal advice on cooperation between Chinese and foreign medical projects and data exportation;

  • Providing advice on compliance and project approval requirements involving human genetic resources and assisting in obtaining government approval.

Draft, review and assist companies in negotiating data-related business agreements, such as:

  • Third-party data transfer agreements;

  • Data cooperation agreements;

  • Purchase agreements with suppliers of technology products or services, etc.

Draft due diligence and transaction documents relating to data for medical, pharmaceutical and health enterprises’ partnerships, investments and mergers and acquisitions:

  • Conduct data due diligence on all aspects including collection, use and ownership of data;

  • Draft transaction documents involved in the process of investments and M&A.

Compliance investigations

  • Provide advice and document reviews on data, cybersecurity and data export compliance for medical and pharmaceutical companies’ compliance investigations.

Compliance training

  • Assist in internal training for company management and employees regarding data protection and network security.

Recent Representative Cases

Multiple data and cybersecurity compliance projects

JunHe has provided services to many renowned pharmaceutical, medical, biotechnology, medical device and Internet hospital companies. These services include drafting and reviewing data transfer agreements and clinical research collaboration agreements, drafting and reviewing individual informed consent documents, compliance analysis for pharmaceutical economics projects, and drafting and reviewing related transaction documents. We have also provided internal training for employees on personal information and cybersecurity protection, Cybersecurity Law (CSL) compliance, and compliance on data exports, cloud services and human genetic resource matters.

Strategic partnership between a renowned biotech company and a medical AI company

JunHe represented and provided legal advice to a prominent international biotechnology company on its technical cooperation with a high-profile domestic Internet company on the application of AI diagnostics. This included an analysis of key issues such as data collection, transmission and storage, personal information protection, use of human genetic resources information and medical devices.

Strategic investment by a well-known medical device group in a strategic medical AI project

JunHe represented a high-profile medical device group in entering into a strategic cooperation with a medical technology company on an AI assistance project, and we provided whole-process legal services including agreement drafting and execution, and advice on key issues related to data collection and personal information protection.

Investment in a medical imaging company by a renowned industrial instrumentation and equipment company

JunHe represented a leading industrial instrumentation and equipment multinational company in investigating a medical imaging company, providing whole-process legal services including due diligence, agreement drafting and execution, and advice on key issues related to data collection and personal information protection.