
EDPB Clarifications on transfers to importers subject to GDPR

Time: 2021-12-09 17:25:46




On 18 November 2021, the European Data Protection Board (EDPB) released the Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (the "Guidelines") for public consultation until 31 January 2022.


Under Art. 3(2) of the European General Data Protection Regulation (GDPR), the law still applies to a company outside the territory of the European Union (for instance, one located in China) if it offers goods or services to, or monitors the behavior of, data subjects (e.g., customers) in Europe. In addition, by virtue of Art. 44, the transfer of personal information to a third country (including China) for processing (qualified as a “transfer”) must comply with Chapter V.
In the first three years of the GDPR, it was unclear what rules should be followed by controllers or processors outside the EU that are subject to the GDPR by Art. 3(2) and that process data received from controllers or processors inside the EU. In other words, it was unclear whether such processing would constitute a transfer and require the application of Chapter V even though the recipient should already be GDPR compliant.


In this regard, the Guidelines specify three cumulative criteria that qualify processing as a transfer:
- a controller or a processor (“exporter”) is subject to the GDPR for the given processing;
- this controller or processor transmits or makes personal data available to (a joint) controller, or processor (“importer”);
- the importer is in a third country or is an international organization.

Example: An Italian company provides personal data of its customers to a cloud service provider established in China that is already subject to the GDPR by virtue of Art. 3(2) due to its offering of hosting services to data subjects in the EU. The processing of such data will be considered a transfer to a processor in a third country and is therefore subject to Chapter V of the GDPR, although the processor in China is already subject to the GDPR via Art. 3(2).

As a consequence, the controller or processor in an “international transfer” situation needs to comply with the conditions of Chapter V of the GDPR to protect personal information that would be transferred to a third country or an international organization.


So far, since China has not been recognized by the European Commission as a country providing adequate protection (Art. 45 of the GDPR), controllers and/or processors transferring data to China shall implement appropriate safeguards provided for in Article 46 before the transfer, including:
- Standard Contractual Clauses (SCCs);
- Binding Corporate Rules (BCRs);
- Code of conduct;
- Certification Mechanisms;
- Ad hoc contractual clauses;
- International agreements/administrative arrangements.

In the absence of an adequacy decision under Art. 45 or appropriate safeguards pursuant to Art. 46, a transfer of personal data may take place if:
- the data subject gives explicit consent after being informed of the risks of the transfer;
- the transfer is necessary for the performance of a contract between data subjects and controllers or processors, or for the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract between the controller or the processor and a third party, where the contract is made in the interest of the data subject;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for legal claims;
- the transfer is necessary to protect the vital interests of data subjects or other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.

In addition, the EDPB also clarified that the collection of personal information directly abroad does not constitute an international transfer but is in any case subject to Art. 3(2) of the GDPR if there is an offering of goods or services, or monitoring of behavior. However, if such a foreign recipient transfers the personal information to a processor established in the same country, this will constitute a transfer and follow the Chapter V rules.


Example: A Chinese e-commerce company receives personal data from its customers directly on its server in China and transfers the same data to its processor in China (e.g., for storage purposes). The collection of data will be subject to Art. 3(2) if there is an offering of goods or services to, or monitoring of the behavior of, data subjects in the EU, whereas the transfer to the Chinese processor shall follow Chapter V of the GDPR although the processor and controller are both in the same country.

If these Guidelines are formally adopted by the EDPB as they are, they will have a huge impact on Chinese companies processing or collecting data from Europe. At Wang Jing & GH Law Firm we are always ready to assist our clients regarding new trends and rules that may have a major impact on their business in China and abroad. If you believe you could be subject to the above rules, please don’t hesitate to reach us using the contact information below for a consultation.



Copyright 2020 Wang Jing & GH Law Firm. All Rights Reserved. 粤ICP备13002423号-2 Designed by Wanhu