The EU General Data Protection Regulation (“GDPR”) affects a broad range of people outside the EU. Certain Chinese businesses are very likely to be bound by GDPR. This article briefly discusses how GDPR affects Chinese businesses and what Chinese businesses should do to comply with GDPR.

1. The Application of GDPR to Chinese Businesses

This is a matter of applicability. GDPR applies to the following people.

(a) People established in the EU who control or process data and process personal data while doing business regardless of where these data are processed.  

As stated therein GDPR applies to people who control or process data and process personal data through an “establishment” within the EU. The “establishment” means effective activities carried out through stable arrangements. The legal form of these stable arrangements and the subsidiary or branch company through which these stable arrangements are made are not decisive factors.        

(b) People established outside the EU who control or process data and process personal data of a natural person in the EU while supplying goods or services (whether paid or not) to such person or monitoring such person’s activities in the EU

(c) People established outside the EU who control data in a place where laws of a EU country apply according to public international law.

In addition, in certain circumstances GDPR also applies to Chinese businesses which are planning to do/doing business worldwide (especially in the EU) and Chinese branches of multinational groups with their headquarters in the EU are regulated by GDPR. The following businesses may be bound and/or affected by GDPR.

(a) EU branches of Chinese businesses collecting and processing personal data in the EU while doing business are bound by GDPR regardless of whether such personal data are processed in the EU or not. Most of these businesses are in the traditional finance industry such as banks and insurance companies and in the tourism industry such as airlines and travel agencies and also include EU branches in other industries.

In addition, GDPR also governs decisions and/or actions taken in the EU by Chinese businesses which have no legal branches in the EU to collect or process personal data in the EU.

(b) GDPR applies to Chinese businesses which have no EU branches, provide services or goods to natural people in the EU (whether paid or not) and collect and process personal data of natural people in the EU. Most of these businesses do business through the internet, serving natural people in the EU or collecting and processing data of natural people in the EU.

(c) Chinese businesses which have no EU branches and monitor EU natural people’s activities in the EU (especially using software). Most of these businesses are internet businesses collecting and processing personal data of natural people in the EU for a particular purpose including not limited to analyzing big data/marketing or business data.

(d) Foreign funded businesses in China working together with their headquarters or other affiliate in the EU to process personal data of people including natural people within the EU.

(e) GDPR also applies to (domestic or foreign) businesses in China which provide data processing services to businesses in the EU. Businesses within or outside the EU bound by GDPR that have made a data processing service contract with another business in China are obligated to require the business in China comply with data protection requirements under GDPR, which must be included in the data processing service contract mentioned above.

Local businesses that may be bound by GDPR need to study GDPR rules and requirements and take compliance measures to meet GDPR requirements and avoid punishment from relevant authorities.

2. Countermeasures Available to Chinese Businesses Affected by GDPR

Due to the effect of GDPR in the extended territories, Some of the Chinese businesses are bound by both GDPR and Chinese data protection laws, especially the Cyber Security Law of the People’s Republic of China (“Cyber Security Law”). Based on this, these Chinese businesses should generally ensure that their data collection and processing policies comply with GDPR and relevant Chinese laws and regulations.  

Personal data protection principles under GDPR and the Cyber Security Law are partially different. The affected Chinese businesses should comply with both “common and different requirements” under them. On one hand, the common requirements must be included in data protection/privacy policies and clauses known by people whose information is collected. On the other hand, all the different requirements should be met and implemented.  

This article will discuss what the affected Chinese business should do to meet GDPR requirements in the following areas without comparing GDPR with the Cyber Security Law.

(1) Labor/human resources

Foreign funded or wholly Chinese funded businesses, including international headhunters, with a global human resource (talent) management database need to study and take compliance measures according to GDPR requirements. Please note that:

(a) Chinese businesses collecting/processing employees’ information, especially personal data of people from the EU or non-EU countries or areas where GDPR applies should inform them of the bounds and purpose of the personal data collection for their definite consent.

(b) Only information needed for the informed purpose can be collected. Legal and reasonable action should be taken to ensure the safety of employees’ personal data. The personal data collected can only be used and processed for the original purpose informed. The personal data collected cannot be used for any non-informed purpose unless they are suitable for the non-informed purpose or can be used subject to a new definite consent.

(c) Personal data collected of employees who are not employed or have left the company should be removed immediately unless otherwise required by law or to the extent permitted by GDPR.

(d) In order to share or enable Chinese businesses to visit and process human resource information (including employees’ personal data) of large multinational groups, definite consent for transfer and visit of such information from people within the EU should be obtained. In addition, technology and rules should be developed to protect foreign people’s data transferred to or accessible in China.    

(e) Nothing (including devices such as cellphones given by the company to its employees that can locate, monitor or track them) can be used to monitor employees’ behavior without prior written consent of the employees, and such data cannot be collected unless they are needed for the running and administration of the business and not harmful for the employees’ privacy.

(f) Chinese businesses providing employees’ personal data to external parties such as human resource agencies should cause the external parties to protect the personal data, and above all, the external parties should have technology, reliability and resources needed to protect the data and be bound by contract and verified to have internal data protection rules.

(2) Business operation

This part is about what internet companies and businesses providing products or services to individuals within the EU should pay attention to when monitoring EU individuals’ activities within the EU through website, software, etc. or collecting personal data of EU individuals while doing business. (In other cases that are not mentioned in this article, businesses should meet GDPR requirements when considering qualities of their business activities and industry)   

(a) In broad terms, Chinese businesses should be acquainted with GDPR requirements, develop a data protection system/policy, include a notice in the website or app and use data protection technology to ensure data security.

(b) In this case Chinese businesses should inform EU people whose personal data are collected and obtain their definite consent in the same way as mentioned in the above paragraph (1). Websites or software (including cellphone apps) collecting these people’s information should contain a clear, accessible and definite notice in a language accessible to EU people with proof of these people’s consent maintained by technical means. Definite consent of EU people is also required for cross-border transfer of personal data.  

(c) Businesses that need to process personal data of people outside the EU for business purpose should have technology and rules (including a data protection officer (DPO) as required by GDPR) needed to protect the data security. If the data are processed by a third party (including affiliate outside the EU), it is necessary to verify the third party’s technology and reliability and include data protection requirements in the third-party contract.  

Legal opinions connected with GDPR, a foreign rule that applies to some of Chinese businesses within the extended territories should be issued or confirmed by a foreign lawyer practising in this area. Chinese businesses bound by the Cyber Security Law of China, data protection laws and regulations and GDPR need to follow a Chinese lawyer’s advice on making and improving their privacy policies, internal procedures, business arrangements, etc. in compliance with relevant Chinese laws and regulations, regulatory requirements and GDPR in order to minimize data compliance risks.