Countdown to the new Personal Data Protection Regulation in Europe

Fines of up to HKD 190,000,000 or up to 4% of the total worldwide annual turnover, and other sanctions. Should you care?

May 21, 2018

by: João Gonçalves de Assunção

The answer to this question is one you typically get from lawyers: it depends. But keep calm and ‘mou man tai’, for the statutory requirements are not rocket science.

As of May 25th, private or public Chinese companies, including of course the ones established in China or in any of its S.A.R.s, shall be subject to the new European Union (EU) data protection regulation (GDPR) and its penalties, if they process personal data:

  • within the context of the activities of an establishment located in the EU, even if the processing of the data takes place in another country or region;
  • belonging to data subjects within the EU, despite the establishment being located outside the EU, if the processing activities are related to:
      – offering of goods or services to such data subjects in the EU, irrespective of whether a payment of the data subject is required; or
      – monitoring of the behaviour of data subjects if their behaviour takes place within the EU.

It is important to stress that, for the purposes above, ‘establishment’ must be understood as an economic unit, which engages in commercial/economic activities, regardless of the legal person involved.

For the purposes of the GDPR, ‘personal data’ means any information relating to a natural person who is identified or identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier such as an IP address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR also applies to pseudonymized data, as it is also considered personal data, as well as to backup and archived data.

Among several other differences, and depending on the specific case, the fundamental new aspects established by the new regulation are: increased obligations with regard to data security; extended rights of data subjects; the keeping of records of data processing activities, including by cloud service providers; reporting obligations to the competent supervisory authority and to the affected persons in the event of data protection breaches; the designation of a data protection officer; and data protection impact assessments to estimate risks to the protection of personal data.

In principle, data controllers and data processors shall be liable for their own actions. However, the new personal data protection rules explicitly stipulate the data processor’s direct liability to the data subject and that the data controller and data processor are jointly and severally liable for any incidents related to data infringements.

The consent granted by data subjects in connection with ongoing data processing does not need to be re-obtained if the previously given consent conforms to the new requirements. However, this and many other issues related to the GDPR must be evaluated case by case, so you should consider getting expert legal advice if your ‘establishment’ falls into one of the cases above.
