Fines up to $HKD190,000,000 or up to 4% of the total worldwide annual turnover and other sanctions. Should you care?
The answer to this question is one you typically get from lawyers: it depends. But keep calm and ‘mou man tai’, for the statutory requirements are not rocket science.
As of May 25th, private or public Chinese companies, including of course the ones established in China or in any of its S.A.R.s, shall be subject to the new European Union (EU) data protection regulation (GDPR) and its penalties, if they process personal data:
– offering of goods or services to such data subjects in the EU, irrespective of whether a payment of the data subject is required; or
– monitoring of the behaviour of data subjects if their behaviour takes place within the EU.
It is important to stress that, for the purposes above, ‘establishment’ must be understood as an economic unit, which engages in commercial/economic activities, regardless of the legal person involved.
For the purposes of the GDPR, ‘personal data’ means any information relating to a natural person who can be identified or identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier such as an IP address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR also applies to pseudonymized data, as it is also considered personal data, as well as to backup and archived data.
Among several other differences and depending on the specific case, the fundamental new aspects established by the new regulation are increased obligations in regards to data security, extended rights of the data subjects, keeping of records related to data processing activities, including by cloud service providers, reporting obligations to the competent supervisory authority and to the affected persons in the event of breaches of data protection, designation of a data protection officer and also data protection impact assessment to estimate risks regarding the protection of personal data.
In principle, data controllers and data processors shall be liable for their own actions. However, the new personal data protection rules explicitly stipulate the data processor’s direct liability to the data subject and that the data controller and data processor are jointly and severally liable for any incidents related with data infringements.
The consent granted by data subjects in connection with ongoing data processing does not need to be re-obtained if the previously given consent conforms to the new requirements. However, this and many other issues related with the GDPR must be evaluated case by case – so you should consider getting legal expert advice in case your ‘establishment’ falls in one of the cases above.