Why does this matter to me? 为什么这对我很重要?

From May 25 2018, non-compliance with the new EU General Data Protection Regulation (GDPR) could lead to fines of RMB150 million or 4% of your annual global group turnover, along with significant reputational damage and adverse publicity.

从2018 年5月25日起,不遵守欧盟新的《一般信息保护条例》(“GDPR”)可能会导致人民币1.5亿元人民币或集团全球全年营业额4%的罚款,以及严重的声誉损害和不利的宣传。

GDPR "Contamination Risk" - how does an EU law apply to a Chinese business? GDPR “污染风险”- 欧盟法律如何适用于中国企业?

Even if you are not physically present in Europe, the GDPR is applicable if you:-

  • send your data to Europe - potentially even if it is data about Chinese citizens living in China !!
  • offer or deliver goods or services to consumers in the EU
  • target or monitor the behavior of EU residents
  • provide services to EU businesses and collect or handle their customer data. The "mere processor" argument no longer works


  • 发送您的信息到欧洲 - 甚至有可能是有关在中国居住的中国公民之信息 !!
  • 向欧盟的消费者提供或发送货物或服务
  • 针对或监测欧盟居民的行为
  • 为欧盟企业提供服务,并收集或处理其客户信息。依赖“纯粹处理者”的基础不再奏效

What does this mean for your China business? 这跟您的中国企业有什么关系?

The important compliance and risk management activities you should be doing:-

  • redesigning your data flows and data storage to minimize GDPR contamination risk
  • updating data protection notices and privacy policies
  • putting data transfer agreements in place in your corporate group
  • updating procurement and supply agreements with key vendors and customers
  • considering the suitability of GDPR insurance policies
  • implementing data incident management and data breach notification processes

The detailed GDPR compliance requirements are explained in our General Data Protection Regulation Guide. You can also download our GDPR app (English and Simplified Chinese language versions are available).


  • 重新设计您的信息流程和信息存储方式,务求最大限度地减少GDPR污染的风险
  • 更新信息保护声明和隐私政策
  • 于您公司集团内订立信息传输协议
  • 更新与主要供应商和客户的采购和供应协议
  • 考虑GDPR保险是否适用
  • 实施信息安全事件管理和信息泄露事件通报程序

GDPR的合规要求在我们的《一般信息保护条例 》有详细解释。您也可以下载我们的GDPR应用程序(有英文和简体中文版本)。

Can I align my China data protection and GDPR compliance program? 我可以如何调整中国信息保护合规方案使之与GDPR合规方案一致吗?

There are some key differences between the GDPR and China's data protection and cybersecurity framework which makes it difficult to build and implement a program which achieves compliance with both sets of laws:-

  • China requires data subject consent, GDPR generally does not
  • it is increasing difficult to transfer or retransfer data out of China
  • data retention and data anonymization requirements are not consistent


  • 在中国您需要信息主体的同意但GDPR一般没有这样的要求
  • 现在越来越难以传输或再传输信息到中国境外
  • 信息保留和信息匿名化的要求不一致

How to look at GDPR as an opportunity? 将GDPR作为机会?

GDPR compliance brings a competitive advantage to Chinese companies in European and other markets, as consumers in the EU and elsewhere will recognise and trust companies that seek to protect their personal data in accordance with the high data privacy standards under the GDPR.

The differences in the legal frameworks also means China is now an easier place to develop and operate information based activities such as artificial intelligence, data lakes and data analytics. Seizing on this opportunity, organizations are building dual China-GDPR compliance program which include operational steps such as data segmentation and a risk-based analysis of data collection policies practices.