GDPR and China: what do we need to know? ( 《欧盟—般数据保护条例》与中国：我们应当了解什么？)

The European General Data Protection Regulation (GDPR) is a leading legislation aiming to level up and harmonize personal data protection law across the European Union (EU). Due to GDPR’s exterritorial applicability, the data protection obligations and liabilities will have multiple, in-depth legal and economic impacts on foreign data controllers and processors beyond the EU borders. This includes data controllers and processors who are on the Chinese territory but process personal data of natural persons in the EU.

Chinese transnational corporations with establishments in the EU may have already taken the needed measures for legal compliance. However, many controllers and processors in China - especially small and medium-sized enterprises (SMEs) - may not even be aware of the GDPR, not to mention the specific data protection obligations they should comply with in their processing practices, especially when they process EU residents’ or citizens’ personal data in the context of providing products or services via the Internet. The lack of awareness might be caused by a language barrier, geographic distance or resource shortage. After 25th May 2018 the controllers and processors in China may risk breaching the law and encounter large financial sanctions.

Since no official Chinese version of the GDPR is available, this brochure tries to provide data controllers and processors in China with an overview of the data protection obligations and duties in trans-border processing under the GDPR. We hope this brochure may help controllers and processors in China understand GDPR’s major data processing principles and the level of data protection that is expected from the EU community. We hope they may act accordingly in future processing practices to better protect data subjects, whether they are from the EU or China. This brochure focuses more on controllers and processors in the private sector, rather than those of public bodies. It does not provide legal advice on law compliance, for which controllers and processors shoud consult legal experts in the field.

This brochure is structured as follows. First we briefly introduce the GDPR and the key processing principles. Then we discuss data subject’s rights and the related duties of controllers. We go on to explain in detail some common obligations of controllers and processors, discuss their special duties, and the specific requirements for transferring personal data outside the EU. After that, we also shortly present data protection supervisory authorities and their powers, as well as remedies, liability and penalties in case of GDPR violations.

Dr. Bo Zhao, Magda Brewczyńska and Weiquan Chen created this brochure.