Countdown to the new Personal Data Protection Regulation in Europe

Fines up to $HKD190,000,000 or up to 4% of the total worldwide annual turnover and other sanctions. Should you care?

May 21, 2018

by: João Gonçalves de Assunção

The answer to this question is one you typically get from lawyers: it depends. But keep calm and ‘mou man tai’, for the statutory requirements are not rocket science.

As of May 25th, private or public Chinese companies, including of course the ones established in China or in any of its S.A.R.s, shall be subject to the new European Union (EU) data protection regulation (GDPR) and its penalties, if they process personal data:

  • within the context of the activities of an establishment located in the EU, even if the processing of the data takes place in another country or region;
  • belonging to data subjects within the EU, despite the establishment being located outside the EU, if the processing activities are related to:
      – the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required; or
      – the monitoring of the behaviour of data subjects, if their behaviour takes place within the EU.

It is important to stress that, for the purposes above, ‘establishment’ must be understood as an economic unit, which engages in commercial/economic activities, regardless of the legal person involved.

For the purposes of the GDPR, ‘personal data’ means any information relating to a natural person who is identified or identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier such as an IP address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR also applies to pseudonymized data, as it is also considered personal data, as well as to backup and archived data.

Among several other differences, and depending on the specific case, the fundamental new aspects established by the new regulation are: increased obligations with regard to data security; extended rights of the data subjects; the keeping of records related to data processing activities, including by cloud service providers; reporting obligations to the competent supervisory authority and to the affected persons in the event of breaches of data protection; the designation of a data protection officer; and data protection impact assessments to estimate risks regarding the protection of personal data.

In principle, data controllers and data processors shall be liable for their own actions. However, the new personal data protection rules explicitly stipulate the data processor’s direct liability to the data subject and that the data controller and data processor are jointly and severally liable for any incidents related to data infringements.

The consent granted by data subjects in connection with ongoing data processing does not need to be re-obtained if the previously given consent conforms to the new requirements. However, this and many other issues related to the GDPR must be evaluated case by case, so you should consider getting expert legal advice if your ‘establishment’ falls into one of the cases above.
