The EU’s General Data Protection Regulation 2016 (GDPR) took effect on 25 May 2018. This is a wide-ranging piece of legislation with global reach. It applies to individuals who are in the EU (not only EU citizens), so any Chinese company processing the personal data of individuals in the EU, offering goods or services to them, or monitoring their behaviour will need to comply, even if it has no establishment in the EU. Chinese subsidiaries of multinational corporations headquartered in the EU will also be affected where they process EU personal data, and we constantly receive inquiries as to how affected Chinese subsidiaries should best cooperate at group level with a GDPR compliance exercise.
While there is a temptation to think that China is too far from Europe for businesses to worry about GDPR compliance, particularly where budgets are constrained, they should remember that penalties for non-compliance can reach the higher of 4% of annual global turnover or EUR 20,000,000, regardless of where a business is based.
The National Information Security Standardization Technical Committee recently published a high-level Guidance on Cyber Security Best Practice for the EU’s GDPR (Guidance), aimed at helping Chinese companies evaluate their practices and bring them in line with GDPR requirements.
The Guidance outlines the key aspects of the GDPR which Chinese businesses should take into account. Irrespective of the tips given in the Guidance, businesses should bear in mind that GDPR compliance is a complicated topic which requires substantial legal as well as practical expertise and experience. If you have a business presence in, or business ties with the EU, you should seek local legal advice. Taylor Wessing has a strong global data protection practice and our team in Europe is well placed to help.
The Guidance – highlights
The Guidance provides a series of top compliance tips.
1. Does the GDPR apply to you?
Article 3 of the GDPR provides that “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”, and “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”, where the processing relates to offering goods or services to those data subjects or to monitoring their behaviour within the EU.
Tip: If you, as an organization, conduct any activity involving overseas business, global operations or business cooperation, especially providing products or services to individuals in the EU or monitoring their behaviour, consider whether you are subject to the GDPR.
2. What data is relevant?
The GDPR applies to personal data (any information relating to an identified or identifiable natural person; an individual is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person). Additional protection is given to special categories of personal data, e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, or data concerning sex life or sexual orientation (sensitive data).
Tip: Before processing any personal data or sensitive data, identify the specific types of data involved in the processing and whether any of them fall within the special categories.
3. Basic principles of data processing
Tip: You should ensure that data processing activities comply with the basic data processing principles. [TW note: regulated under Article 5 of the GDPR].
4. Valid legal grounds for data processing
Tip: Ensure that each processing activity is carried out under one of the lawful bases for processing. [TW note: the legal bases are set out in Article 6 and, for sensitive data, Article 9 of the GDPR.]
5. Special protection of children
Tip: Special protection should be given when processing personal data of children.
6. Data subject rights
Tip: As the GDPR grants data subjects extensive rights to control their data, please ensure you identify the relevant data subject rights according to the characteristics of your business and the legal basis for processing. [TW note: ensure you have mechanisms in place to give effect to the data subject rights set out in Chapter 3 of the GDPR.]
7. Profiling
Tip: If profiling is involved, you need to focus not only on the legal basis for processing but also on the corresponding rights of data subjects. [TW note: especially the right to object to profiling under certain circumstances.]
8. Data processors
Tip: If you are a data processor, you should process personal data only in accordance with specific instructions from the data controller. You will also need to comply with confidentiality obligations and, at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing. In addition, you will have to allow for and contribute to audits conducted by the controller or another auditor mandated by the controller.
9. Data Protection Officers and EU representative
Tip: Consider whether you are required to or should appoint a Data Protection Officer or EU representative.
10. Data Protection Impact Assessment (DPIA)
Tip: You should consider carrying out a DPIA [TW note: under Article 35 of the GDPR].
11. Data protection by design
Tip: It is a requirement under the GDPR that data protection is built into the design of your products and services from the outset, and that the most privacy-friendly settings apply by default. [TW note: data protection by design and by default is regulated under Article 25 of the GDPR.]
12. Notification of a personal data breach
Tip: Data breaches need to be reported to regulators and, under certain circumstances, to affected individuals. [TW note: A controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals (Article 33); affected individuals must be notified where the breach is likely to result in a high risk to them (Article 34). If you are a data processor, you will need to notify the relevant data controller without undue delay. If you suffer a data breach, you need to consider whether you are obliged to report it, to whom, and by when.]
13. Cross-border transmission of data
Tip: If you are receiving EU personal data in China, you need to ensure that an appropriate GDPR-approved transfer mechanism is in place. [TW note: transfers to countries outside the EU are regulated under Chapter 5 of the GDPR; in the absence of an adequacy decision for China, mechanisms such as the European Commission's standard contractual clauses or binding corporate rules will typically be required.]
14. Penalties
Tip: Penalties for breach of the GDPR, including administrative fines, may be imposed even where the breach occurs outside the EU. [TW note: For example, if an international company without an establishment in the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU fails to appoint an EU representative (Article 27 of the GDPR), it could be subject to fines of up to the higher of EUR 10,000,000 or 2% of its annual global turnover for the preceding financial year.] Make sure your officers and employees are aware of the penalties under the GDPR and of what could happen if they do not take GDPR compliance sufficiently seriously.