Globalization and Privacy Protection Guide

2020 Wolters Kluwer China Law & Reference Compliance Guide Series

Foreword

Based on the needs of China's legal service market and Wolters Kluwer's 180 years of professional service experience, we present the 2020 Wolters Kluwer China Law & Reference Compliance Guide Series to China's legal professionals. The authors of the series are experienced and outstanding teams of lawyers from various practice fields. The 2020 Wolters Kluwer China Law & Reference Compliance Guide Series includes four spotlight topics: Cyber Security, Finance, Anti-Bribery and Labor Law. With ideas drawn from multi-dimensional views, we aim to provide practical legal guidance to empower China's legal community.

About GLO - The First Chinese Law Firm

First law firm in China: The history of Global Law Office (hereinafter "GLO") dates back to the establishment of the Legal Consultant Office of the China Council for the Promotion of International Trade (hereinafter the "CCPIT") in 1979, when it became the first law firm of China to take an international perspective on its business, fully embracing the outside world. After over 40 years of persistent efforts and development, we have become one of the most prominent large comprehensive law firms in China's legal industry.

Among the most prominent large comprehensive law firms in China: GLO has been committed to the mission of serving domestic and foreign clients with a globalized vision, a globalized team and globalized quality since its inception, allowing us to maintain a leading position in the industry in the midst of an ever-changing global economic environment. We are proud to be one of China's most respected and well-connected law firms, recognized as such by both international and domestic league tables and legal institutions for consecutive years, including Chambers and Partners, The Legal 500 and Asian Legal Business.

Professional and excellent lawyer team: All lawyers of GLO are graduates of first-tier domestic and/or international law schools, most of whom hold LLM or higher degrees. Many partners are qualified to practice law in the U.S., UK, Australia, Switzerland, New Zealand and Hong Kong, among others. Our lawyer team has excellent professional backgrounds, and many lawyers have experience working at courts, domestic and foreign first-tier law firms, or leading enterprises and organizations in the industry.

Comprehensive one-stop legal services: We provide comprehensive one-stop legal services for domestic and foreign clients from various sectors and industries. We are committed to a variety of industries, including but not limited to sub-sectors such as banking, finance, insurance, securities, investment, trade, energy, mining, chemical engineering, steel, manufacturing, transportation, infrastructure and public facilities, life science and healthcare, telecommunication, media and high technology, culture, entertainment & sports, real estate, hotel & leisure, catering and large consumption, etc.

Innovative problem-solving abilities: Our lawyers are able to apply practical and constructive comprehensive legal solutions by integrating excellent professional law skills with sophisticated business knowledge so as to solve various complex and fast-changing matters. With leading professional innovative capabilities, we are adept at creatively designing transaction structures as well as details. Over the last three decades, our expertise has helped set the agenda for change through precedents involving many of the country's firsts.

Client-oriented service philosophy: Over the past three decades, with profound legal knowledge, extensive practice experience, high professional dedication and a strong sense of professional ethics, we have demonstrated and proved our values and won trust from domestic and foreign clients. In the future, we will continue to help domestic and foreign clients achieve enduring and long-term success via our unique advantages.

Authors

Maggie Meng is a Partner of Global Law Office (Beijing Office). She mainly practices in cybersecurity, personal information security, internet, e-commerce compliance, and anti-corruption and anti-commercial bribery. She previously worked at Fortune 500 companies like Nokia and at a well-known law firm for more than ten years. She was also the General Counsel and Data Protection Officer (DPO) of Mobvoi. Maggie has served large multinational companies, well-known network enterprises and automobile companies, as well as companies in the IoT, telecommunications, cloud services, AI, finance and medical industries, helping them build domestic/international data compliance schemes or providing professional advice on specific projects. During her practice, Maggie has developed a great deal of feasible, practical methodology which is highly endorsed by clients. Maggie is also the co-chairman of IAPP China and was awarded "Legal 500 - the specially recommended lawyer of 2020 in the TMT industry", together with "the top 1000 expert lawyers for foreign affairs" by the China Lawyers Association. She has translated the data protection laws of the US, Europe, India, Brazil, Russia and other countries, and has authored hundreds of academic articles and books in major magazines, newspapers, and WeChat official accounts, such as the White Paper of SDK Security and Compliance (V1.0 & V2.0) and the Personalised Display Security and Compliance Report.

Koh Kok Shen is a senior consultant of Global Law Office. He has more than 20 years of experience in the commercial and compliance fields of telecommunications, IT and financial services. He is familiar with U.S. compliance law and Justice Department practices and has deep knowledge of cross-cultural legal compliance issues and cooperation. Mr. Koh was formerly the Asia Pacific Compliance Director at Diebold Inc. and China Compliance Director at Nokia, and he also has many years of experience leading commercial negotiations in Asia. He is admitted to both the UK and Singapore Bar. Mr. Koh also practised law in Singapore, where he advised internet companies and start-ups on internet and IT law for many years before relocating to China in 2005.

Wang Cheng is an Associate of Global Law Office. She mainly practices in data compliance, intellectual property and dispute resolution. She previously worked at the legal department of Citibank and practiced in New York State as a litigation attorney. She is qualified to practice law in the State of New York and in the Federal District Court for the Northern District of New York. Ms. Wang graduated from Shanghai International Studies University and the Law School of Emory University, where she received her Bachelor of Laws and Master of Laws degrees respectively.

Chen Ziqian is a Paralegal at Global Law Office. He has rich experience in the cybersecurity, data compliance, and personal information protection areas. He has been responsible for legal research on data compliance, and published many academic articles on data protection law in various countries while interning at Mobvoi. Mr. Chen graduated from Southwest University of Political Science, and is able to work in Chinese and English.

Zhang Shuyi is a Paralegal at Global Law Office. She has rich experience in the field of cybersecurity, data compliance, and personal information protection. She has published many articles analysing data protection laws. Ms. Zhang graduated from China Foreign Affairs University and the University of Edinburgh, and received a Bachelor of Laws degree.

Special thanks to: Liu Shujun, Yin Kun, Shi Xiaowei, Liu Xinyi, Ye Ouyi, and Wang Ruohan.

Everything is connected.

With more than 1,350 lawyers and legal practitioners across a worldwide network of 29 offices, Bird & Bird specialises in delivering expertise across a full range of legal services. Our specialisms include advising on commercial, corporate, EU and competition, intellectual property, dispute resolution, employment, finance and real estate matters. The key to our success is our constantly evolving sector-focused approach. Our clients build their businesses on technology and intangible assets, and operate in regulated markets. To better meet their needs we have developed a deep industry understanding of key sectors, including automotive, aviation & defence, energy & utilities, financial services, life sciences & healthcare, retail & consumer, media, entertainment & sport and tech & comms.

International reach

Bird & Bird has offices in key business centres across the globe. Europe: Amsterdam, Bratislava, Brussels, Budapest, Copenhagen, Düsseldorf, Frankfurt, The Hague, Hamburg, Helsinki, London, Luxembourg, Lyon, Madrid, Milan, Munich, Paris, Prague, Rome, Stockholm and Warsaw. Middle East & Asia: Abu Dhabi, Beijing, Dubai, Hong Kong, Shanghai, Singapore and Sydney. North America: San Francisco.

We were the first truly international firm with a presence in Denmark, Finland and Sweden, ideally positioning us to support companies looking to invest in the Nordic region. Additional focus groups for Africa, India, Japan and Russia, and extensive cooperation agreements with local firms, increase our reach to other key jurisdictions. We have recently opened a representative office in San Francisco to support our US clients with their non-US legal needs.

Excellence in client service

Bird & Bird operates as one truly international partnership: our goals, accounting and profit pool are all shared, as is our commitment to providing our clients with advice from the right lawyers, in the right locations. Our open and flexible business culture allows us to configure ourselves to respond as quickly and effectively as possible to the commercial pressures faced by our clients. Our priority is providing excellent client service, however they themselves define excellence.

Deep industry knowledge: Expertise in the legal and regulatory framework relating to each sector. A more practical, commercial approach, supported by advisors with decades of experience working in the relevant industries.

China contact: Ted Chwu, Greater China Managing Partner.

About Bird & Bird

Bird & Bird is a truly international firm, organised around our clients. We match our passion and practical expertise to your vision to achieve real commercial advantage.

Experts and Counsels: Ruth Boardman (Partner, L); Michelle Chan (Partner, Hong K); Hamish Fraser (Partner, S); Ariane Mole (Partner, F); Dr. Fabian Niemann (Partner, G); Jeremy Tan (Partner, S); Lupe Sampedro (Partner, L); Berend Van Der Eijk (Associate, N); Clarice Yue (Counsel, Hong K); Lisa Vanderwal (Counsel, S); Dr. Lena El-Malak (Associate, UAE); Dr. Natallia Karniyevich (Associate, G); Chester Lim (Associate, S); Willy Mikalef (Associate, F); Tiantian Ke (Associate, S); Ester Vidal (Associate, S).

About Nishimura & Asahi

The merger of several top law firms that evolved into a firm capable of providing a full range of legal services. Nishimura & Asahi evolved into its present form through the integration of several diverse law firms, each offering highly specialized services. By utilizing each other's strengths, experience and knowledge, Nishimura & Asahi has expanded our areas of expertise and enhanced our ability to act swiftly, giving us the capability to handle any unforeseen changes in socio-economic circumstances or legal systems.

Over 600 lawyers, the largest law firm in Japan. Our firm comprises over 600 Japanese and foreign lawyers, with a total number of members exceeding 1,600, including licensed tax counsel, patent attorneys, paralegals, and support staff. Each member of the firm possesses diverse specialized skills and can handle a broad range of legal areas. Their abilities form the collective strength of Nishimura & Asahi.

Building a solid network to meet the challenges and opportunities of globalization. As experts in international law, Nishimura & Asahi has created a network covering many countries in Europe, the United States, and beyond. Since 2010, Nishimura & Asahi has opened offices in various countries, starting with Asia, as Japanese corporations have adopted new overseas expansion strategies. At the same time, Nishimura & Asahi has established close affiliations with major law firms overseas, enabling us to provide legal services tailored to the laws and circumstances of those countries. Nishimura & Asahi has also opened three additional offices in Japan to support our clients from various locations within Japan as they expand overseas. As a consequence, Nishimura & Asahi has a flexible structure to address diverse global business issues.

About Personal Data & Privacy / Big Data Businesses

With the rapid evolution of information technology, companies are increasingly making use of big data. However, such utilization is a cause for concern for many individuals. Accordingly, many countries and jurisdictions, including Japan and the EU, recognize the importance of protecting personal data and privacy, and have implemented legislation restricting the use of data in certain circumstances. Nishimura & Asahi follows the latest developments in this area, analyzes them from a holistic perspective and provides practical advice relating to the utilization of personal data and other data in various contexts, including the financial, medical, IT and other industrial sectors. Nishimura & Asahi also has considerable experience in advising clients in cases of data breach, privacy infringement or other similar incidents, as well as cybersecurity. Where other countries or jurisdictions are involved, Nishimura & Asahi collaborates with local counsel in the respective countries and jurisdictions.

Nishimura & Asahi - Data Privacy Practice Group Contact: Yuko Kawai (partner), y_kawai@jurists.co.jp

Contents

Preface ... 1
Part I. Data Globalization Challenges and Opportunities for Businesses ... 3
  I. Trends and Developments ... 3
  II. Challenges for Businesses ... 4
Part II. Preliminary planning for China's companies going global ... 6
  I. Data Compliance of Cross-Border Commerce for Business ... 6
    1. Clarify the Company's Business Types and Data Collection ... 7
    2. Reasonably Choose the Target Country ... 15
    3. Being familiar with the laws, regulations, judicial precedents, and contract requirements of the target country or region ... 17
  II. Conclusion ... 18
    1. Establish a compliance system ... 18
    2. Continuous compliance: monitor and adjust ... 18
Part III. Global Data Protection and Privacy ... 19
  I. Europe ... 19
    1. GDPR Overview ... 19
    2. United Kingdom ... 28
    3. Germany ... 32
    4. France ... 37
    5. Netherlands ... 41
    6. Spain ... 44
  II. North America ... 48
    1. United States ... 48
    2. Canada ... 60
  III. Asia-Pacific ... 66
    1. Japan ... 66
    2. Hong Kong ... 72
    3. Singapore ... 78
    4. Malaysia ... 86
    5. Thailand ... 94
    6. India ... 102
    7. The United Arab Emirates (UAE) ... 107
    8. Kingdom of Saudi Arabia (KSA) ... 115
  IV. Oceania ... 120
    1. Australia ... 120
    2. New Zealand ... 126
Part IV. Legal Framework for Cross-border Data Flow ... 131
  I. European Union ... 131
  II. Multilateral Framework ... 132
    1. CPTPP Framework ... 132
    2. CBPR for APEC Countries ... 132

Globalization and Privacy Protection Guide

Preface

The "Guidelines for the Protection of Personal Data Privacy and Cross-border Flows" published by the OECD propose to encourage free data flows while promoting trade flows (except in special circumstances). In this way, a balance of interests for all parties may be achieved by establishing a common standard for cross-border data flows to improve the "interactivity" of global privacy regulations. The "Comprehensive Progressive Trans-Pacific Partnership" emphasizes that data shall flow freely along with free trade in goods and services. As a symbol of the current digital society and information age, with the emergence of the "digital economy" and the progress of the "Belt and Road" strategy, network patterns are being created whereby China is more closely associated with the world. Data has been firmly established as a core asset driving future economic growth and efficiencies, and has become an element of new productivity together with "oil, minerals, natural gas, etc." There is an increasing occurrence of cross-border acquisitions, overseas investments, cross-border e-commerce and after-sales support, cross-border payments and logistics, and global versions of applications, all of which rely on data collected from all over the world for analysis, calculation, and decision-making. Large multinational enterprises manage and operate their global business and employees in a unified manner. Services are procured locally or outsourced to overseas third parties. Cross-border data transfer is supported by the deployment of global data centers and the participation of third-country cloud service partners. At the same time, the need for greater privacy and data protection has received increasing recognition. Since the European "General Data Protection Regulation" ("GDPR") came into force, legislation on privacy and data protection in many jurisdictions has been developing rapidly and vigorously.

This "Globalization and Privacy Protection Guide" is divided into four parts. From the perspective of companies in China that plan to expand overseas, this Guide will provide practical compliance guidelines and introduce (1) the current challenges and opportunities under data globalization that are encountered by companies, (2) how to pre-plan for their overseas business (including sorting out the requirements for data exportation and inventorying such data, drafting and assessing contracts, completing special approval procedures and determining target jurisdictions, etc.), (3) interpretation of data and privacy protection laws in key target jurisdictions and regions, and (4) an overview of the cross-border data flow systems among regions.

From this Guide, it can be noted that some laws have been largely inspired by and designed to align with the GDPR, while others take a different approach to serve their specific needs. Except for special categories of data that are subject to data localization, cross-border data transfer is in principle allowed in most jurisdictions, while some prescribe different conditions for cross-border data transfer due to their national conditions: in some jurisdictions, data exportation is basically allowed while special categories of data are prohibited from being exported abroad; in others, data exportation is prohibited in principle and is only permitted in exceptional cases. For domestic companies which plan to go overseas and foreign companies that are expanding into China, we present this Guide as a reference to assist them in learning the privacy protection laws and regulatory policies in various jurisdictions in advance. In this way, these companies may avoid oversights while trying to localize or globalize their operations. Meanwhile, we also expect a comprehensive, high-level, and multilateral cooperation framework in data privacy to be built among different jurisdictions, to explore the compatibility of privacy protection laws and regulations and their implementation. Only with consistency can the digital economy advance in a harmonious, sufficient, and orderly manner. A multilateral win-win situation will then be ensured on the basis of national security. According to Article 12 of the "Personal Information Protection Law (Draft)", China shall actively participate in the formulation of international rules for personal information protection, promote international exchanges and cooperation, and promote mutual recognition with other countries, regions and international organizations regarding rules and standards to protect personal information. It is also one of our motives that this Guide may contribute ideas and information to academia and legislation. It will be our honor to receive comments from peers and friends, and thank you for staying with us all the way!

Maggie Meng
Written in the early morning of November 8, 2020, Tower 1, China Central Place (Email:)

Copyright: Global Law Office reserves all rights to the report. Without the written permission of Global Law Office, no one shall copy or reprint any copyrighted content of this report in any form or by any means.

Disclaimer: This report does not represent the legal opinions of Global Law Office on related issues. Whoever makes action or omission decisions only in accordance with all or part of the report content shall bear the consequences resulting therefrom. If you need legal advice or other expert advice, you should contact us or a qualified professional.

Part I. Data Globalization Challenges and Opportunities for Businesses

I. Trends and Developments

In the digital society and information age, data has been firmly established as a core asset driving future economic growth and efficiencies, along with the increasing recognition of privacy and data protection. The coming into force of the EU General Data Protection Regulation ("GDPR"), the EU's cornerstone data protection law, has not only changed the landscape in Europe but also served as the global reference point for privacy and data protection laws, shaping legislation worldwide. Following the EU stance, a wave of new privacy and data protection legislation in the US, China, India, Southeast Asia, and many other regions has emerged. Some laws have been largely inspired by and designed to align with the GDPR, while others take a different approach that serves the needs of their jurisdictions. As privacy and data protection regimes across the globe have developed, we can see a number of common features, including broader territorial and extraterritorial application, stepped-up enforcement or sanction provisions, stronger protection for data subject rights, and rising awareness of national and cyberspace sovereignty. Privacy and data protection law is expected to continue to be one of the most dynamic and fast-evolving areas of law over the next few years.

II. Challenges for Businesses

As privacy and data protection laws and regulations surge across the globe, nearly all businesses are struggling to effectively address the multi-faceted and broad range of regulatory and operational risks associated with the data lifecycle, including the collection, use, sharing and disclosure, and other processing of data. Some primary challenges for businesses are set out below.

1. No "all-in-one" method for businesses' data protection compliance worldwide. Though most recent updates to privacy and data protection regimes have been inspired by the GDPR to an extent, merely aiming to comply with the GDPR will be insufficient for a global compliance strategy because local variations will need to be taken into account. Even among European countries, the GDPR does not fully harmonise the rules: it allows EU Member States to legislate on certain data protection matters. Meeting such country-specific derogations can be viable, but businesses should get ready to comply with increasingly stringent local requirements.

2. Cross-border data transfer is facing increasing difficulties. Although businesses, consumers, and national economies benefit from the free flow of data across borders, many countries have erected barriers to cross-border data flows, such as data localization requirements that prohibit or restrict certain or all data export. Businesses should be equipped with a good understanding of the applicable data export regulations in the jurisdictions where their businesses operate.

3. Enforcement under data privacy law is making headlines. Non-compliance with privacy and data protection laws may result in a range of damaging consequences for an organization, including large monetary fines, reputational damage, loss of customer trust, and consumer or employee group and individual actions, etc. In addition, a crippling data breach could greatly affect the successful and continuous operation of a business.

4. Emerging technology and innovation may encounter legal challenges from privacy and data protection laws. There is a tension between new technology and privacy and data protection law when the precise impact of the technology is hard to anticipate with certainty. It can be challenging for businesses to find a way to develop and adopt such new technology in a data-privacy-compliant manner.

To help businesses navigate the various privacy and data protection requirements among different jurisdictions, we are pleased to present this Guide of Data Globalization and Privacy Protection. In the following sections, this Guide will introduce the privacy and data protection regimes in a number of jurisdictions, including:

- Europe (including the U.K., Germany, France, the Netherlands, and Spain)
- North America (including the U.S. and Canada)
- Asia (including Japan, China, Hong Kong (China), Macao (China), Taiwan (China), Singapore, Malaysia, Thailand, India, the United Arab Emirates and Saudi Arabia)
- Oceania (Australia and New Zealand)

For each jurisdiction, we summarize typical questions that have been frequently asked by companies about privacy and data protection laws, i.e.: How does the legal system of data protection work in a certain jurisdiction? Who is responsible for supervision and enforcement of the law? How does the law apply to my company? What are the data protection principles? What legal basis can my company rely on? How is personal data defined? When is my company a controller or a processor? What rights does a data subject have? What information should be provided in a privacy notice? What direct marketing regulations should my company be aware of? What are the requirements for data sharing and processing? Is there any special protection for children's data? What measures should my company adopt to ensure accountability? Is there a requirement for data breach notification? What are the cross-border data transfer rules? How is data privacy law enforced in a jurisdiction?

Part II. Preliminary planning for China's companies going global

I. Data Compliance of Cross-Border Commerce for Business

As the core of the cybersecurity legal system at this stage, the Cyber Security Law of China only restricts the cross-border transfer of personal information and important data collected and generated by Critical Information Infrastructure Operators within the territory of China. At the same time, the restrictions for "general" network operators are not explicit, and other current laws and regulations restrict cross-border data transfer in certain industries. China has imposed stricter restrictions on cross-border data transfer in the drafts for comments of various regulations or national standards. Through clear and reasonable regulations, data can be transferred in an orderly and safe manner without infringing cyberspace sovereignty, national security, data security, or corporate and individual rights. The recently issued Data Security Law (Draft) also bears this out. Articles 1 and 2 of the draft clarify the promotion of data mining and utilization, but if data activities carried out by overseas organizations or individuals harm national security, public interests, or the rights and interests of citizens or organizations, they will be held liable in accordance with the law. This provision shows the legislative purpose of not only encouraging data circulation but also safeguarding national security and data sovereignty, which endows the Data Security Law (Draft) with necessary extraterritorial effects. The second paragraph of Article 3 of the Personal Information Protection Law (Draft) issued in October 2020 also clearly stipulates that this law shall apply to the processing of domestic personal information outside China when providing products or services to domestic individuals, or to the analysis and evaluation of the behavior of domestic individuals. Therefore, cross-border data transfer is not strictly prohibited or difficult to achieve under the current Chinese legal system compared with other countries. Businesses can export data after fulfilling the corresponding compliance obligations. Businesses should pay attention to the following points before planning cross-border data transfer.

1. Clarify the Company's Business Types and Data Collection

1.1 Data Localization

According to Article 37 of the Cyber Security Law, personal information and important data collected and produced by critical information infrastructure operators during their operations within China's territory shall be stored within China. Only when necessary for business requirements can the data be transferred cross-border, after being evaluated by the relevant regulatory authorities. Article 40 of the Personal Information Protection Law (Draft) on critical information infrastructure operators is basically consistent with Article 37 of the Cyber Security Law. However, the data localization threshold has been raised; that is, where the personal information obtained reaches a certain amount, the personal information shall be stored in China. The cyberspace authority may issue specific requirements on this in the future. If the company meets the criteria of a Critical Information Infrastructure Operator, and after the evaluation it is confirmed that the cross-border data transfer is "indeed required", the self-assessment must be kept for two years and reported to the relevant administrative department. Therefore, businesses should make advance preparations and evaluate their business in a timely manner. They should clarify whether they will be deemed a Critical Information Infrastructure Operator and pay attention to the amount of personal information they process to ensure the compliance of their cross-border data transfer. According to documents such as the draft for comments issued recently, general network operators should also conduct self-assessment in advance. However, unlike critical information infrastructure operators, network operators only need to be evaluated by the regulatory authority when they meet particular conditions. In other cases, they can complete the evaluation by themselves. Although such regulations have not yet come into effect and have no binding force, they represent the legislature's attitude on cross-border data transfer. These draft regulations will likely come into effect in the near future. Therefore, businesses should develop an evaluation system for cross-border data transfer as soon as possible.

1.2 Data Type

According to the Law of the People's Republic of China on Guarding State Secrets and relevant laws, regulations, and national standards, not all data can be transferred cross-border. There are specific restrictions on the cross-border transfer of certain data. To complete cross-border commerce, businesses should fully consider business scenarios, types of data, and data restrictions in their planning before conducting cross-border data transfer, to avoid obstacles and violations of relevant laws and regulations and reduce unnecessary losses.

1.2.1 Types of restricted data for cross-border transfer

| Laws and Regulations | Data Type | Restriction for Data Cross-border Transfer |
|---|---|---|
| 1. Law of the People's Republic of China on Guarding State Secrets | State secret data | Prohibits cross-border transfer. |
| 2. Regulation on Map Management | Map data | Requires servers to be located in China. |
| 3. Regulation on the Administration of Credit Investigation Industry | Data collected by credit agencies in China | Information collected by credit agencies in China should be sorted, stored, and processed in China. |
| 4. Notice by the People's Bank of China Regarding the Effective Protection of Personal Financial Information by Banking Institutions | Personal financial data | The personal financial data collected in China should be stored, processed, and analyzed in China. Except as otherwise specified by laws and regulations and the People's Bank of China, banking financial institutions shall not conduct cross-border transfers of domestic personal financial data. |
| 5. Interim Measures for the Administration of Online Taxi Booking Business Operations and Services (2019 Amendment) | Personal data and business-generated data | Personal data and business-generated data should be stored and used in mainland China for no less than two years. Unless otherwise provided by laws and regulations, the data mentioned above shall not be transferred abroad. |
| 7. Measures for the Administration of Population Health Information | Population health information | Entities in charge must not store population health information in any server outside China and may not host or lease any server outside China. |
| 8. Interim Measures for the Management of Human Genetic Resources | Human genetic resources | Without permission, no entity or individual is allowed to gather, collect, trade, export, supply cross-border or by other means important genetic pedigrees and genetic resources of specific regions. |
| 9. Measures for the Administration of National Health and Medical Big Data Standards, Security and Service (Trial) | Health and medical big data | Health and medical big data shall be stored on a secure server in China. If data needs to be transferred cross-border due to business needs, a security assessment review shall be conducted in accordance with relevant laws, regulations, and requirements. |
| 10. Measures for the Administration of the Real-Name Receipt and Delivery of Mails and Express Mails | User information and important data collected and generated during sending and receiving activity using real names | User information and important data collected and generated by a delivery enterprise during the real-name receipt and delivery activities in China shall be stored in the territory of China. |
| 11. Measures for the Administration of Information Technology Management of Securities Fund Trading Institutions; Measures for the Administration of Foreign-Funded Futures Companies; Measures for the Administration of Private Investment Fund Service Business (Trial); Regulation on Strengthening the Confidentiality and File Management Related to the Issuance and Listing of Securities Overseas | Clients informa-t | |
113、ion and business dataWork papers and other files created in China by secu-rities companies and securities service institu-tions that provide relevant securities servicesUnless it is otherwise pre-scribed by any law or regu-lation or the provision of the CSRC,the securities fund trading institution s
114、hall not allow or cooperate with any other institution or individual to intercept and retain the clients information and shall not provide the clients infor-mation to any other institution or individual in any form.The core servers of informa-tion systems such as trans-action,settlement,and risk con
115、trol,and data equipment for recording and storing client information of a foreign-fund-ed futures company shall be set up in China.In the process of overseas securities issuance and listing,Work papers and other files created in China by securities companies and securities ser-vice institutions that
provide relevant securities services shall be stored in China.

1.2.2 Personal Information Cross-Border Transfer

1.2.2.1 Authorization and consent of the subject of personal information

The basic principle for data cross-border transfer is to obtain consent from the personal information subject. According to the Cybersecurity Law of China, network operators shall obtain approval from the relevant right subject of personal information before they “use” personal information, and the term “use” is defined to include “cross-border transmission.” Therefore, no personal information can be exported without the authorization of the personal information subject.

The provisions in the Measures for the Security Evaluation of the Export of Personal Information and Important Data (Draft for Comment) are more specific. According to this document, the network operators shall inform the personal information subject of the purpose of data cross-border transfer, the scope and content of personal information, and the recipient and its nationality or location. Operators cannot export personal information without the consent of the right subject. In addition, before the cross-border transfer of personal information of minors, operators must obtain their guardians' consent.

According to the Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comment), explicit consent in the data cross-border transfer process means that the personal information subject should either proactively make a paper or electronic statement by using, for example, written or verbal means, or take an affirmative action autonomously to authorize operators to perform specific processing of their personal information. The Guidelines also list the situations that can be considered valid consent in practice, including making international and roaming calls, sending international e-mails, and conducting global instant messaging.

The Personal Information Protection Law (Draft) stipulates that when companies transfer personal information to the territory outside China, they should inform individuals of the recipient's identity, contact information, processing purpose, processing method, and types of personal information, and the way for individuals to exercise their rights with respect to overseas recipients. The businesses shall obtain individuals' separate consent, that is, the personal information subject should voluntarily and clearly express intention with full knowledge. Strong reminders are required so that personal information subjects are fully aware of the risks, together with careful consideration and affirmative action such as ticking or signing, to ensure that the subject has made
a sufficient expression of intention. This process cannot be replaced by general authorization.

The operator may conduct cross-border transfer of personal information without the personal information subject's consent under certain situations, such as emergencies endangering citizens' life and property. However, this situation hardly occurs during daily operations. Therefore, businesses are recommended to obtain the consent of the subject of personal information when they transfer personal information cross-border. Businesses should also note that for cross-border transfer of personal information, they should obtain the personal information subject's consent and may also need the competent authority's approval. For details, please refer to section 1.2.2.3 below.

1.2.2.2 Complete and Comprehensive Contract

In addition to consent, signing a cooperation agreement with the data recipient is the second core element for smooth cross-border personal information transfer. Businesses should stipulate the data recipient's rights and obligations in contracts to keep personal information safe and safeguard the legitimate rights and interests of personal information subjects and the enterprise itself.

Firstly, the business should pay attention to its own role and the recipient's role when cooperating under the contract; the roles not only determine the distribution of responsibilities in the event of data security incidents but also affect such important aspects as the business's internal policies and protection measures. The relationship between the business and the data recipient may be one between a data controller and an entrusted processor, or one between joint data controllers. This needs to be analyzed according to the specific data collection and processing scenarios specified in the contract. According to Article 3.4 of the Information Security Technology Personal Information Security Specification, a personal information controller is an “organization or individual capable of determining the purpose and method of processing personal information.” Therefore, the core point in judging the roles of the enterprise and the data recipient is to confirm whether the data recipient has autonomy in the purpose and method of data use. When the two parties are “joint controllers,” the data receiver is able to determine by itself the collection and use of the data. The data receiver is not required to destroy or return the data according to the enterprise's instructions after the data receiver obtains the data. Some data receivers will request to become “joint data controllers” for subsequent development and data realization. Companies should consider their business needs and evaluate the specific type of data involved.

After determining the two parties' roles, the business should focus on the provisions of the Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment). It requires companies to clarify the basic situation in the contract, such as the purpose and data type of the cross-border data transfer. It also provides specific and clear regulations on the relief measures of personal information subjects, the responsibilities and obligations of the recipient and the provider, and whether the target country's legal environment is appropriate. It is recommended that when a company intends to sign a contract with an overseas data recipient, it should pay attention to the contract clauses mentioned above. If required by the subject of personal information, the company should provide a copy of the contract. The contract is an essential reference document for the regulatory authority to conduct security assessments. It is therefore recommended that companies pay attention to such agreements and improve the contract terms.

1.2.2.3 Provincial Cyberspace Administrations to Conduct Security Assessments for Personal Information

According to the Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment), network operators should report to the local provincial cyberspace administrations for a cross-border transfer security assessment of personal information before cross-border transfer of the data. The assessment conducted by the provincial cyberspace administrations is a required procedure for personal information cross-border transfer. Only upon the evaluation and consent of the provincial cyberspace administrations can cross-border data transfer be allowed. Therefore, it is recommended that companies conduct a self-assessment before proceeding with personal information cross-border transfer to find potential risks and rectify them in time, and consequently improve the assessment approval rate by the competent authority. Consent of the personal information subject is needed for the security assessment. Therefore, businesses can conduct the assessment after confirming the personal information subject's consent. A company should focus on evaluating the following items:

- Whether it has developed a plan for data cross-border transfer.
- Whether it complies with national laws, regulations, and policies.
- Whether the contract terms can fully protect the legal rights and interests of the personal information subject.
- Whether the contract can be effectively executed.
- Whether the company or the recipient has a history of infringing the rights and interests of information subjects, and whether the company or the recipient has experienced major network security incidents.
- Whether the company has obtained the personal information legally and properly.

If personal information
is allowed to leave the country, the enterprise shall establish a cross-border personal information transfer record and keep it for at least 5 years. At the same time, the enterprise shall report the current year's cross-border personal information transfer situation and contract performance to the local provincial network and information department before December 31 of each year.

It should be noted that the Personal Information Protection Law (Draft) draws on the relevant regulations on SCC and certification in the GDPR to avoid a one-size-fits-all approach. This law stipulates three situations, namely evaluation by the Office of the Cyberspace Administration of China; personal information protection certification conducted by professional institutions; and signing of contracts with overseas recipients. If a business needs to transfer personal information to the territory outside China due to business needs, it shall meet at least one of the above conditions. This change promotes data circulation and provides more choices for companies to transfer personal information cross-border in normal commercial trade. The Personal Information Protection Law (Draft) marks China's progress in the protection of personal information. Although the draft is currently in the request-for-comments stage, it still reflects China's trend towards protecting personal information. At the same time, in view of the high costs of non-compliance imposed by the Personal Information Protection Law (Draft), it is recommended that companies conduct self-inspection as soon as possible. Companies should focus on security impact assessments, formulating internal management systems, implementing security measures such as classification and encrypted storage of personal information, determining internal operating rights, recording processing activities, formulating emergency plans, and regularly conducting audits and training drills, to develop a comprehensive and sustainable cross-border data transfer compliance system.

1.2.3 Cross-border important data transfer

1.2.3.1 Identify data

Based on the Measures for the Administration of Data Security (Draft for comments), the term “important data” means data whose divulgation may directly affect national security, economic security, social stability, public health and security, such as undisclosed government information and extensive population, genetic health, geographical, and mineral resources. Important data shall generally not cover information on the production, operation, and internal management of an enterprise, or personal information. The types of important data are listed in Appendix A of the Guidelines for Data Cross-border Transfer Security Assessment, which should be the main reference for businesses to determine what is important data.

1.2.3.2 Self-assessment

The security impact assessment for important data before cross-border transfer is different from that for personal information. Businesses should conduct self-assessments before personal information cross-border transfer and be responsible for the results of the assessment. During the assessment process, a company should pay attention to the following points:

- The legality, legitimacy, and necessity of data cross-border transfer.
- Basic statistics for personal information, including the
amount, scope, type, and sensitivity of personal information, whether the subjects of personal information have consented to the cross-border transfer of their personal information, etc.
- Basic statistics for important data, including the quantity, scope, type, and sensitivity of important data.
- The security protection measures, capabilities, and level of the data recipient, and the network security environment of the target country and region.
- Risks of data being leaked, damaged, tampered with, abused, etc., after being cross-border transferred and re-transferred.
- Risks of data cross-border transfer and data aggregation to national security, public interests, and individuals' legitimate interests.

After completing the self-assessment, the business shall retain the self-assessment report for at least two years, conduct at least one self-assessment every year, and report the assessment to the industry supervisor or regulatory authority promptly.

Important data cross-border transfer differs from personal information cross-border transfer in that it does not in itself have to be assessed by the administrative and regulatory department. However, according to Article 28 of the Measures for the Administration of Data Security (Draft for comments), the network operator shall, before releasing, sharing, trading, or exporting important data, assess possible security risks resulting therefrom and report to the regulatory authority having jurisdiction over the industry for approval, or in the absence of such regulatory authority, to the provincial cyberspace authority. Therefore, China has increased the control of the authority in data cross-border transfer and holds to the principle of transferring data by legal and orderly means.

1.2.3.3 Submission for Competent Authority Assessment

Under particular circumstances, such as where a large volume of data is involved, sensitive data types, and other situations that may endanger national security and public interests, conducting self-assessments is insufficient to meet reasonable security expectations. In this case, the network operator should submit a request to the competent authority for an assessment. The Cyberspace Administration of China and the competent authority determine the assessment's scope, formulate an assessment plan, establish an assessment working group, and make a competent authority assessment report. The expert committee will review the competent authority assessment report and the self-assessment report and give recommendations on whether to approve data cross-border transfer. Finally, the Cyberspace Administration of China and the competent department will make decisions based on these recommendations. In this case, the business should conduct a comprehensive self-assessment in advance and make rectifications based on the self-assessment results. To increase the probability of passing the assessment, we recommend that the enterprise ensure that it has adequately addressed the assessment indicators before submitting to the competent authority assessment.

2. Reasonably Choose the Target Country

A business should make careful considerations and analysis before choosing the target country for data cross-border transfer. Many factors need to be evaluated, such as customer groups' needs, the cost of data cross-border transfer, and the convenience of the company's operations. In addition to commercial considerations, the provisions of Chinese laws, regulations, and national standards for data cross-border transfer should not be ignored, especially the requirements, rules, and restrictions on target countries that are contained in these provisions. The Information Security Technology Guidelines for Data Cross-border Transfer Security Assessment (Draft for Comment) (the Guidelines for Data Cross-border Transfer Security Assessment) have detailed the requirements for cross-border data transfer security, which provides more
specific guidelines for businesses and institutions. Article 5.2.6 stipulates that for the target country, the critical points of the cross-border data transfer security assessment should include “the political and legal system of the country or region where the data recipient is located.” After assessing, reviewing, and confirming that the data cross-border transfer requirements are met, companies should focus on the laws, regulations, judicial precedents, and contract requirements of personal information and privacy protection in the target country or region to ensure that data storage, processing, sharing, and transfer in the target country or region comply with local rules.

2.1 The Assessment Requirements of the Target Country

The Guidelines for Data Cross-border Transfer Security Assessment further distinguish the assessment requirements of the target country. For personal information cross-border transfer, businesses should evaluate the following aspects of the target country:

- Differences between the current personal information protection laws, regulations, or standards of the target country or region and those of China.
- The regional or global personal information protection mechanisms joined by the target country or region, and the binding commitments made by it.
- The implementation of personal information protection mechanisms in the target country or region, for example, whether there are specific law enforcement or supervision agencies, an industry self-discipline system, administrative or judicial relief measures for data subjects, etc.

When the exported data is the important data specified in Appendix A of the Guidelines for Data Cross-border Transfer Security Assessment[1], in addition to the above three aspects, government agencies also should evaluate the following aspects of the target country or region:

- Current laws, regulations, and standards on data security in the target country or region.
- The implementation of the data security mechanism in the target country or region, such as competent departments, judicial mechanisms, and industry-level self-regulation in cybersecurity or data security.
- The country's or region's bilateral or multilateral agreements on data transfer and sharing.

2.2 Evaluation results

According to Article B.3.3 in Appendix B of the Guidelines for Data Cross-border Transfer Security Assessment, the laws of the target country or region are classified into three levels of protection capability (high, medium, and low) according to specific conditions, and are regarded as the basis for assessing the overall security risk level of the target country or region. The overall security risk level of a target country or region may also significantly impact the process of data cross-border transfer. Therefore, before selecting a target country or region, businesses should analyze their business returns and the cybersecurity legal systems of the target country to ensure that the data security risks of the country are controllable, so that the data can be transferred smoothly. If the risk is uncontrollable, it means that the protection measures for the target country's or region's data security are insufficient. If the business still decides to transfer data to the target country, it may suffer losses caused by data security incidents and may even be punished by relevant government departments.

[1] That is, data, excluding state secrets, collected and generated by relevant organizations, institutions and individuals within the territory and closely related to national security, economic development, and public interests (including raw data and derivative data). Once the data is disclosed, lost, abused, tampered with, destroyed, aggregated, integrated, or analyzed without authorization, which may cause the following consequences, the data should be deemed important data:
a) Endangering national security and national defense interests, and disrupting international relations.
b) Damage to national property, public interest, and individual rights.
c) Influencing the country's ability to prevent and combat economic and military espionage, political infiltration, organized crime, etc.
d) Influencing administrative agencies in investigating and handling illegal acts, dereliction of duty, or suspected illegal acts or dereliction of duty according to law.
e) Interfering with administrative activities such as supervision, management, inspection, and auditing carried out by government departments in accordance with the law, and hindering government departments from performing their duties.
f) Compromising the system security of critical infrastructure, critical information infrastructure, and government information systems.
g) Affecting or endangering national economic order and financial security.
h) State secrets or sensitive information can be analyzed from the data.
i) Affecting or endangering other national security issues such as national politics, territory, military, economy, culture, society, science and technology, information, ecology, resources, nuclear facilities, etc.

3. Being familiar with the laws, regulations, judicial precedents, and contract requirements of the target country or region

After assessing, reviewing, and confirming that the data cross-border transfer requirements are met, companies should focus on the laws, regulations, judicial precedents, and contract requirements of personal information and privacy protection in the target country or region to ensure that data storage, processing, sharing, and transfer in the target country or region comply with local rules. With the rapid development of the digital economy and big data, countries are actively exploring regulatory systems to realize the commercial value of data without harming personal information subjects' rights. The major target countries or regions for domestic businesses are the European Union, the United States, and the Asia-Pacific region. These jurisdictions have already issued laws for data protection. For example, the EU's General Data Protection Regulation (GDPR) and the opinions and guidelines issued by the EDPB have established a new legal system for data protection in the EU with unified protection standards; the United States has not made a unified data protection law at the federal level, but it has adopted specific regulations for certain types of data in various industries in different regulations, such as COPPA for child protection, HIPAA for the medical field, etc. Laws for personal information protection and privacy are being implemented at the state level, such as the California Consumer Privacy Act (CCPA), which regulates the collection and processing of personal information from the perspective of consumer protection, clarifying data protection rules and obligations to subjects. Countries in the Asia-Pacific region also generally attach importance to personal information protection and privacy security issues and have issued laws, such as South Korea's Personal Information Protection Act (PIPA) and India's Personal Data Protection Bill (PDPB). Companies that violate the laws mentioned above will bear relatively severe liabilities and consequences. It is recommended that companies pay attention to the personal information protection laws, regulations, and policies of the target country in advance and complete the follow-up processing procedures legally and compliantly after the data goes abroad to prevent or reduce unnecessary losses. For details, please refer to the analysis of the personal information protection laws and regulations of different countries and regions in this Guide's remaining chapters.

II. Conclusion

1. Establish a compliance system

To sum up, operators must carry out a series of considerations and evaluations before conducting data cross-border transfer. Firstly, operators should analyze the business and data involved in overseas trade and determine the target country. Secondly, operators should evaluate the purpose of the data cross-border transfer and confirm the legality, legitimacy, and necessity of the transfer. Thirdly, operators should complete data cross-border transfer plans and carry out a data security self-assessment. If necessary, operators should obtain the approval of the national cyberspace administration and the competent authority. Even if the compliance system has satisfied all legal requirements, operators should identify their role during data collection and processing and take adequate measures to protect user data. Also, the compliance work of the target country cannot be ignored. For operators, ensuring data security can reduce unnecessary penalties for violations. Therefore, operators should establish a standardized compliance system with complete procedures and documents for data cross-border transfer, including but not limited to online agreements, self-assessment process templates, internal security protection systems, and cooperation agreement templates for cross-border data transfer. Operators should also complete regular self-assessments and fulfill reporting obligations to ensure that the process of data cross-border transfer is safe, controllable, and legally compliant.

2. Continuous compliance: monitor and adjust

It should be noted that data cross-border transfer compliance is a continuous and dynamic process. Operators should establish a data cross-border transfer compliance system and monitor updates of related laws and regulations, and changes in the data types, purposes, and recipients of data cross-border transfer. A long-term monitoring system is crucial for operators, which includes self-assessments of security protection capabilities, assessments of the data security protection capabilities of the data recipient, and the monitoring of laws, regulations, and the political environment of the target country. Operators should promptly adjust the data cross-border transfer compliance system according to the requirements of relevant laws and regulations after any change of
monitored elements. Continuous compliance is the key for operators to keep the risk of data cross-border transfer within a controllable range.

Part III Global Data Protection and Privacy

I. Europe

1. GDPR Overview

1.1 Overview

1.1.1 Legal System

The EU General Data Protection Regulation (“GDPR”)[2] replaced the EU Data Protection Directive[3] and all data protection laws of member states when it became applicable from 25 May 2018. It is a law with the nature of a “regulation.” As a Regulation, the GDPR is directly, uniformly, and primarily effective in Member States without the need for implementing legislation. However, on numerous occasions (compliance with a legal obligation, performance of a public task, employee data processing), the GDPR allows or requires Member States to legislate on data protection matters. In addition to the GDPR, other legislation is also of importance for organisations under the EU regime, including, for example, i) the e-Privacy Directive[4] as amended, which applies to the processing of personal data in the electronic communications sector, and ii) the Law Enforcement Directive[5], which applies to personal data processing by criminal law enforcement authorities for law enforcement purposes.

[2] Regulation (EU) 2016/679
[3] Directive 95/46/EC
[4] Directive 2002/58/EC
[5] Directive (EU) 2016/680

1.1.2 Supervisory Authorities

Local data protection authorities (“DPAs”) in each EU member state continue to exist and to enforce data protection law. These are referred to in the GDPR as supervisory authorities. The European Data Protection Board (“EDPB”) is an independent EU body responsible for issuing guidelines and providing advice on matters relating to the GDPR. The EDPB also has a role in ensuring consistency between its member DPAs; it has to issue opinions on certain activities undertaken by the DPAs and, in the event of disputes between DPAs, it has a dispute resolution role. The DPAs of all EU member states participate in full in the EDPB. The DPAs of European Economic Area states (Norway, Iceland, and Liechtenstein) participate in a more limited way. The European Data Protection Supervisor (“EDPS”) is also a member of the EDPB. The EDPS is responsible for monitoring the application of data protection rules within European institutions.

1.1.3 Material and Territorial Scope

a) Material Scope

The GDPR applies to the processing of personal data i) wholly or partly by automated means, or ii) other than by automated means where the data form part of or are intended to form part of a filing system, except processing that is:

- outside the scope of EU law (e.g. activities concerning national security);
- in relation to the EU's common foreign and security policy;
- carried out by competent authorities for criminal law enforcement purposes (where a separate Directive applies);
- carried out by EU institutions (where a separate Regulation applies);
- carried out by a natural person as part of a “purely personal or household activity”. (Art. 2, GDPR)

b) Territorial Scope

The GDPR can apply to an organization in two ways:

- Establishment Criterion: the GDPR applies to an organization which has an EEA “establishment”, where personal data are processed “in the context of the activities” of such an establishment. (Art. 3(1), GDPR)
- Targeting or Monitoring Criterion: non-EEA established organizations will be subject to the GDPR where they process personal data about individuals in the EEA in connection with the “offering of goods or services” (payment is not required), or “monitoring” their behavior within the EEA. (Art. 3(2), GDPR)

The EDPB clarifies that i) it should be apparent that organizations intend to offer goods or services (e.g. using an EEA language or EEA currency on its website), and ii) monitoring suggests that the controller is doing this to achieve a purpose (e.g. behavioral advertising and geo-localization of content, online tracking through cookies and device fingerprinting). The monitoring criterion applies whether or not the organization intends to monitor someone in the EEA.

1.1.4 Data Processing Principles

The GDPR sets out seven data processing principles, i.e. i) lawfulness, fairness, and transparency, ii) purpose limitation, iii) data minimization, iv) accuracy, v) storage limitation, vi) integrity and confidentiality, and vii) accountability. The accountability principle is a newly added one which requires organizations to be responsible for, and be able to demonstrate, data compliance. (Art. 5 GDPR) Please refer to Section viii “Acc
218、ountability”below for further analysis on the accountability principle.1.1.5 Lawful basis for processingIn order for processing of personal data to be allowed under the GDPR,data controllers must have a legal basis for each purpose of processing:Consent of the data subject.Consent must be specified,
219、informed,distinguishable,revocable,granular,and otherwise freely given in other words,the data subject must not experience a detriment if she or he does not give,or revokes,consent.Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract.Proce
220、ssing must be necessary for the entry into or performance of a contract with the data subject.Necessary for compliance with a legal obligation under Member State or EU law.A legal obligation need not be statutory,but it should be clear and precise with foreseeable application.Globalization and Priva
221、cy Protection Guide22 Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent,e.g.emergency treatment,disaster response.Necessary for the performance of a task carried out in the public interest or in the exercise of official
222、 authority vested in the controller.Necessary for the purposes of legitimate interests.This can be the most flexible legal basis for data controllers,e.g.processing for direct marketing purposes or preventing fraud.Data controllers have to identify what“interest”that they are pursuing;ensure this is
223、 legitimate;and balance this against the impact of the processing on individuals.This legitimate interest assessment should be documented.(Art.6,GDPR).1.2 Key Definitions1.2.1 Personal Data and Special Categories of Personal DataPersonal data is defined as“any information relating to an identified o
224、r identifiable natural person”;a person may be identified in a wide variety of ways such as a name,an identification number,location data,an online identifier etc.(Art.4(1),GDPR)Special Categories of Personal Data include:racial or ethnic origin,political opinions,religious or philosophical beliefs,
225、trade union membership,data concerning health or sex life and sexual orientation,genetic data,and biometric data where processed to uniquely identify a person.(Art.9(1),GDPR)In addition,processing data relating to criminal convictions and offences are restricted similarly to special categories of da
226、ta.GDPR only permits the processing of special categories of personal data if certain specifically listed exceptions apply,e.g.explicit consent,employment and social security and social protection under EU or Member State law,etc.1.2.2 Controller and ProcessorA controller is a“natural or legal perso
227、n,public authority,agency or other body which,alone or jointly with others,determines the purposes and means of the processing of personal data”.(Art.4(7),GDPR).Processors are those who process“personal data on behalf of the controller”.Employees are not processors.(Art.4(8),GDPR).Please refer to Se
228、ction vi“Data Sharing and Processing”below for more discussion on the relationship between controllers and processors.1.3 Data Subject Rights Globalization and Privacy Protection Guide23GDPR substantially extends data subject rights with respect to their personal data including:Rights to information
229、 and access(i.e.to obtain a copy);Right to rectification of inaccuracies in personal data;Right to erasure of personal data where the processing fails to satisfy the GDPR requirements(e.g.processing is no longer necessary;the individual withdraws consents;unlawful processing,etc.);Right to data port
230、ability,i.e.to receive the personal data concerning him or her,which he or she has provided to the controllers,in a structured commonly used and machine readable form,and to transmit those data to another controller without hindrance or to have the data transmitted directly from one controller to an
231、other(where technically feasible),where the processing i)is carried out by automatic means,ii)is based on consent or to perform a contract;Right to restriction when the processing is challenged(e.g.data accuracy is disputed,or an individual has objected to the processing,etc.);Right to object to spe
232、cific types of processing,including direct marketing(absolute right),processing based on legitimate interests or public tasks and research or statistical purposes.When it comes to solely automated decision making,including profiling,with legal effects or similarly significant,on the data subjects,th
233、e data subjects have additional rights not to be subject to such decision.The right to lodge a complaint with the competent DPA.The controller must comply“without undue delay”and“at the latest within one month”,although there are some possibilities to extend this and,requests to exercise data subjec
234、t rights could be limited in certain circumstances(e.g.right to access should not adversely affect others,including the protection of intellectual property rights and trade secrets etc.;right to erasure does not apply if processing is necessary for the exercise of the right of freedom of expression
235、or compliance with legal obligation etc.).Additionally,data subject requests should be responded to free of charge.1.4 Privacy NoticeA Privacy Notice(often also referred to as a Privacy Policy)is an information notice that should be given to data subjects,to meet their right to information and to en
236、sure Globalization and Privacy Protection Guide24transparency of processing.The GDPR requires extensive information to be provided to data subjects“in a concise,transparent,intelligible and easily accessible form,using clear and plain language,in particular for any information addressed specifically
237、 to a child”,including for example:Identity and contact details of the controller;Purposes of processing and legal basis for processing;Where special categories of data are processed,the lawful basis should be specified;Recipients or categories of recipients;Details of data transfers outside the EU;
238、The data retention period(or if not possible,the criteria used to set this);Data subject rights;Whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data;If there will be any automated decision taking,information about the logic involv
239、ed and the significance and consequences of the processing for the individual;and In case of indirect data collection,the categories of information and sources of information.(Articles 13 and 14 of the GDPR).1.5 Direct Marketing Legal basis:Consent and legitimate interests are the legal bases most l
240、ikely to be relied on under the GDPR to justify direct marketing.For direct marketing by email,the EU e-Privacy Directive mandates opt-in consent for almost all kinds of electronic direct marketing.However,in the context of the sale of a product or a service marketing email may be sent with the opt-
241、out mechanism subject to more limited conditions for the direct marketing.Where direct marketing is based on cookies,or other techniques which involve the storage of information on,or the retrieval of information from,a device which is being used on a public electronic communications service,then co
242、nsent is also required for this.As a result,consent is needed for online behavioral advertising.Globalization and Privacy Protection Guide25Right to object:Under the GDPR,data subjects have the absolute right to object to processing for purposes of direct marketing,or profiling for purposes of direc
243、t marketing,which must be“explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.1.6 Data Sharing and ProcessingGDPR imposes a high duty of care on controllers in engaging data processors.Processing by a processor shall be go
244、verned by a written contract that sets out a range of information(e.g.the data processed and the duration for processing)and obligations(e.g.assistance where a personal data breach occurs,appropriate technical and organizational measures taken and audit assistance obligations).This also applies wher
245、e a processor further engages a sub-processor.(Art.28,GDPR).The controller must also check the ability of the processor to meet its obligations.GDPR also sets out requirements for joint-controllership,i.e.two or more controllers who jointly determine the purpose and means of processing.Joint-control
246、lers are required to arrange between themselves their respective responsibilities for compliance with the GDPR,particularly the exercise of data subject rights and provision of transparency information to individuals.The arrangement must set out the parties roles and responsibilities with respect to
247、 data subjects,and the essence of the arrangement must be made available to data subjects.(Art.26,GDPR)1.7 Childrens Privacy ProtectionGDPR sets out a number of child-specific provisions.For example,if an organization offers information society services directly to a child(broadly,online services)an
248、d if the lawful basis for processing the childs data is consent,then the organization has to obtain parental consent.In this context,a child is someone under the age of 16(while Member State may provide by law for an age as low as 13);information notices addressed to children must be child-friendly;
249、processing child data may trigger the need for the Data Protection Impact Assessments,etc.In these latter cases,the child means anyone under 18.1.8 Accountability 1.8.1 Data Protection by Design&DefaultControllers are required to put in place appropriate technical and organizational measures(e.g.pse
250、udonymization)which are designed to implement data protection principles,and to integrate safeguards for the protection of data subjects right(“Privacy by Design”);and ensure that,by default,only personal data necessary for the specific purpose of the processing are processed(“Privacy by Default”).(
251、Art.25,GDPR).Globalization and Privacy Protection Guide261.8.2 Data Protection Impact Assessment(DPIA)A DPIA is an assessment through which organizations identify and mitigate risks to individuals arising out of a data processing activity.The GDPR requires organizations to carry out a DPIA before co
252、mmencing any“high risk”processing activity,e.g.systematic and extensive processing activities(e.g.profiling)and where decisions have legal/significant effects on individuals large scale,systematic monitoring of public areas through CCTV.If such risks cannot be mitigated and remain high,the controlle
253、r should consult the DPA prior to the processing.(Art.35-36,GDPR).DPAs have issued their own lists of activities requiring DPIAs in each member state.1.8.3 Record of Processing Activities Controllers are required to maintain a record of processing activities which includes mandatory information,e.g.
254、type of data processed,purposes,etc.Processors are also required to keep a record of all categories of processing activities carried out on behalf of the controllers.Whilst the GDPR stipulates that organizations with less than 250 employees could be exempted,such exemption would not be applied if th
255、e data processing involves criminal convictions or special categories of personal data.(Art.30,GDPR).1.8.4 Data Protection Officer(“DPO”)and GDPR RepresentativeThe GDPR requires organizations to appoint a DPO if their core activities consist of large-scale processing of special categories of persona
256、l data or of data relating to criminal offences or regular and systematic monitoring of individuals on a large scale.A DPO must have sufficient expertise,be independent,and have adequate support and resources.If the DPO fulfils other tasks,she or he must be free from conflicts of interest.The DPO ap
257、pointment must be publicized generally and to the DPA.The role of the DPO is to inform/advise,monitor compliance and be a single contact point with the organization.(Art.37-39,GDPR).Additionally,organizations that are based outside the EEA but are subject to the GDPR pursuant to the targeting/monito
258、ring criterion are required to appoint an EEA-based“GDPR Representative”.The GDPR Representative acts as a point of contact in the EEA,handling requests from the data subjects and DPAs as well as helping maintain the record of data processing.(Art.27,30,GDPR).1.9 Security and Data Breach Notificatio
259、nThe GDPR defines a personal data breach as“a breach of security leading to the accidental or unlawful destruction,loss,alteration,unauthorized disclosure of,or access to,personal data transmitted,stored or otherwise processed”.In case of a personal data breach,the controller shall without undue del
260、ay(where feasible,not later than 72 hours)after having Globalization and Privacy Protection Guide27become aware of it,notify the personal data breach to the competent DPA,unless the breach is“unlikely”to pose a risk to data subjects;where the breach is likely to result in a high risk to the rights a
261、nd freedoms of data subjects,the controller must notify them.The processor must report to the controller without undue delay after becoming aware of a personal data breach.Moreover,GDPR requires that data controllers must maintain an internal breach register.(Art.33-34,GDPR)1.10 Cross-border Data Tr
262、ansferPlease refer to the Part IV-Legal Framework for Cross-border Data flow,the EU section.1.11 EnforcementThe GDPR established a two-tier administrative fines system.For certain violations,organizations can be fined by competent DPA up to 10 million or 2%of their global annual turnover,whichever i
263、s higher;for the most significant infringements of the GDPR,regulators can impose fines of up to 20 million or 4%of an organizations global annual turnover,whichever is higher.In some member states,breaches of data protection legislation can also lead to criminal sanctions.In addition,individuals ha
264、ve the rights to lodge a complaint with competent DPAs,to seek effective judicial remedy,and to receive compensation from a relevant controller or processor for material or immaterial damage resulting from infringement of the GDPR.Globalization and Privacy Protection Guide282.United Kingdom2.1 Overv
265、iew2.1.1 Legal SystemAt the date of writing,the GDPR is directly applicable in the UK,as though it were still an EU member state.In the UK,the Data Protection Act 2018(“DPA 2018”)has been introduced to replace the Data Protection Act 1998 and to supplement the GDPR with UK specific provisions for ex
266、ample,relating to the processing of special category data and to introduce exemptions for matters such as freedom of expression.In addition,the DPA 2018 contains additional provisions to implement the Law Enforcement Directive;covers processing of personal data by intelligence services;and covers pr
267、ocessing of personal data which is out of scope of EU law.Brexit Note:Although the UK left the EU on 31 January 2020,the GDPR continues to apply directly in the UK until the end of the transition period(31 December 2020).After the transition period,the European Union(Withdrawal)Act 2018 provides tha
268、t GDPR will be written into UK law and known as the“UK GDPR”.Certain consequential amendments will be made to the GDPR and to the DPA 2018 for example to remove references to the European Commission.a)Supervisory AuthoritiesThe Information Commissioner is the independent supervisory body for data pr
269、otection.The Information Commissioner has an Office to support her(the Information Commissioners Office(“ICO”).Unusually,the ICO has a requirement that controllers,which are established in the United Kingdom,must pay an annual fee to register that they are processing personal data.There are some exe
270、mptions to this requirement.More detail is available here.b)Material and Territorial ScopeThe UK GDPR takes a similar approach to territorial scope as the GDPR:it has an establishment criterion and a targeting or monitoring criterion.The targeting/monitoring criterion applies to organizations which
271、do not have an establishment in the United Kingdom.c)Data Processing PrinciplesN/A.Globalization and Privacy Protection Guide29d)Lawful Basis for ProcessingAdditional derogations that allow for the processing of special categories of personal data and criminal conviction data were introduced in the
272、DPA 2018.There are 16 pages of derogations,which allow processing of special category data for purposes such as research,prevention,and detection of fraud,and for employment law purposes.In order to rely on most of the derogations,the controller must adopt a supplemental“appropriate policy document”
273、which sets out how the controller will comply with principles of the GDPR and retention and erasure.Additional information about the processing of special category data must also be included in the record of processing activities.2.2 Key DefinitionsN/A.2.3 Data Subject RightsThe DPA 2018 maintains s
274、pecial provisions for credit reference agencies,requiring them to provide access to credit files.It also introduces derogations from individual rights(for example,if fulfilling an access request would tip someone off about an investigation,so prejudicing the prevention and detection of crime)and int
275、roduces special procedures for access requests involving health social work and education records.2.4 Privacy NoticeN/A.2.5 Direct MarketingThe Privacy and Electronic Communications(EC Directive)Regulations 2003(“PECR”)(as amended)is the UK implementation of the EU e-Privacy Directive.The ICO issued
276、 the draft direct marketing code of practice in January 2020.There can be personal liability for company management if the direct marketing rules under the PECR are breached due to the consent,connivance,or neglect of management.2.6 Data Sharing and ProcessingN/A.2.7 Childrens Privacy ProtectionIn t
277、he UK,the protections for information society services offered to children,on the basis of consent,apply to children who are under the age of 13.Globalization and Privacy Protection Guide30In January 2020,the ICO published a draft code of practice on standards of age-appropriate design for informati
278、on society services likely to be accessed by children.The code is currently subject to the Parliamentary approval.This has a wide scope and applies to online services likely to be accessed by children under 18.2.8 Accountabilitya)Data Protection by Design&DefaultN/A.b)Data Protection Impact Assessme
279、nt(DPIA)N/A.c)Record of Processing ActivitiesIf special category data is processed in reliance on a derogation in the DPA 2018,there is usually a requirement to include additional information about this in the record of processing activities.See Section 1.8.3 above.d)Data Protection Officer(“DPO”)an
280、d GDPR RepresentativeBrexit Note on the GDPR Representative:After Brexit,organizations which are subject to the UK GDPR on the basis of the targeting/monitoring criterion,but which are established outside the UK,must appoint a UK representative.2.9 Security and Data Breach NotificationN/A.2.10 Cross
281、-border Data TransferBrexit Note:Unless the EU Commission grants an adequacy decision,the UK will become a third country at the end of the Brexit transition period which will require alternative safeguards such as SCCs to be put in place to address data transfers from the EEA to the UK.In terms of t
282、ransfers from the UK at the end of the Brexit transition period,the UK has adopted secondary legislation which confirms that transfers to the EEA will be regarded as made with adequate protection.This is on a provisional basis,so it could be changed.This legislation also confirms that UK based estab
283、lishments can continue to rely on the SCCs and can continue to transfer personal data to countries determined by the EU to be adequate.Again,this is expressed to be on a provisional basis,so could be changed if the UK decides to Globalization and Privacy Protection Guide31take a different approach t
284、o data transfers in future.2.11 EnforcementThe DPA 2018 also creates certain criminal offences(i.e.deleting personal data in order to avoid providing it in response to an access or portability request,to knowingly or recklessly obtaining or disclosing personal data without the consent of the control
285、ler,obstructing the exercise of a warrant by the ICO,etc.)and the responsible directors liability for an offence committed by an organization.Globalization and Privacy Protection Guide323.Germany3.1 Overview3.1.1 Legal SystemThe German Data Protection Amendment Act which implemented the new German F
286、ederal Data Protection Act(“FDPA”)was passed on 5 July 2017 and entered into force on 25 May 2018.In this Act,the German legislator has made extensive use of the opening clauses set out in the GDPR and introduced a number of provisions to supplement it for example,relating to the processing of speci
287、al categories of data and rules relevant in connection with a designation of a data protection officer.In addition,the FDPA contains provisions to implement the Law Enforcement Directive.At the federal level,the Second German Data Protection Amendment and Implementation Act dated 20 November 2019 ad
288、apted more than 150 federal laws(including i.e.the Freedom of Information Act,eGovernment Act,BSI-Act,Social Security Codes,etc.)to the GDPR requirements.The Federal States have also updated their laws.3.1.2 Supervisory AuthoritiesThe federal system of Germany(federation of 16 states)affects the sup
289、ervision of data protection.Data protection supervision comes under the responsibility of the states.However,there is one exception:the telecommunications and postal services companies.Those companies are monitored by the federal government which has assigned that task to the Federal Data Protection
290、 Commissioner.In most states,the supervision is exercised by the Data Protection Commissioners.A company is supervised by the authority that has jurisdiction over the district where the company has its headquarters.3.1.3 Material and Territorial ScopeThe FDPA applies to private bodies if i.the contr
291、oller or processor processes personal data in Germany,ii.personal data is processed in the context of the activities of an establishment of the controller or processor in Germany,or if,iii.although the controller or processor has no establishment in the EU or another contracting state of the EEA,it
292、does fall within the scope of the GDPR,i.e.offers goods or services to individuals in Germany or monitors the behavior of individuals in Germany.Globalization and Privacy Protection Guide333.1.4 Data Processing PrinciplesN/A.3.1.5 Lawful basis for processingThe German legislator has made extensive u
293、se of opening clauses and introduced a number of provisions that allow for the processing of special categories of personal data and employee data,including inter alia:The processing of employee data is generally allowed if necessary for establishing or carrying out the employment relationship.The F
294、DPA also provides clarification on consent in an employer-employment relationship.The FDPA further permits the processing of sensitive data if the processing is necessary for the purpose of,for example,preventive medicine,for the assessment of the working capacity of the employee,medical diagnosis,t
295、he provision of health or social care or treatment or the management of health or social care systems and services or pursuant to the data subjects contract with a health professional and if these data is processed by health professionals or other persons subject to the obligation of professional se
296、crecy or under their supervision.These further justifications play an important role in practice for companies that are active in the healthcare sector.However,such processing is only possible if safeguards are taken to protect such data.The FDPA also permits processing of sensitive data without con
297、sent for scientific or historical research and for statistical purposes,if the processing is necessary for these purposes and the data controllers interest to process that data significantly outweighs the data subjects interest in not processing the data.To safeguard the interests of the data subjec
298、t,the data controller must apply“appropriate and specific measures”.In addition,the FDPA contains provisions on scoring,credit checks and consumer loans-these provisions form a basis of the German credit system.3.2 Key DefinitionsN/A.3.3 Data Subject Rights The FDPA introduces derogations from indiv
299、idual rights,including in particular:The obligation to provide information to the individual:in certain limited cases,where Globalization and Privacy Protection Guide34the controller intends to further process the personal data for a purpose other than that for which the personal data was collected,
300、the FDPA exempts the controller from its obligation to inform the individual of their rights.This is,for example,the case if providing information about the planned further use would interfere with the establishment,exercise,or defense of legal claims(provided that there is no overriding interest of
301、 the individual in the provision of the information).The right to access data:in the context of scientific research,there is an exception in relation to the right of access if the data is necessary for purposes of scientific research and the provision of information would involve disproportionate ef
302、fort.In addition,the FDPA contains certain exemptions from the data subjects right to access data if,for example,such data was recorded only because they may not be erased due to legal or statutory provisions on retention,or only serve purposes of monitoring data protection or safeguarding data,and
303、providing information would require a disproportionate effort,and appropriate technical and organizational measures make processing for other purposes impossible.The right to erasure:the FDPA exempts the controller from its obligation to erase personal data where the erasure,in case of non-automatic
304、 data processing,would be impossible,or would involve a disproportionately high effort due to the specific mode of storage and the data subject has a minor interest for erasure.In this case,restriction of processing applies,however,in place of erasure.3.4 Privacy PolicyN/A.3.5 Direct Marketing The d
305、irect marketing rules set out in the Act against Unfair Competition(Gesetz gegen den unlauteren Wettbewerb,UWG)is the German implementation of the EU e-Privacy Directive.These rules contain specific restrictions the companies need to comply with when conducting certain kinds of direct marketing(in p
306、articular promotional electronic communications).These rules apply even if no personal data is involved(e.g.if sending out marketing communications to generic email accounts like ).These rules will be replaced by the proposed Regulation on Privacy and Electronic Communications in due course.3.6 Data
307、 Sharing and ProcessingN/A.Globalization and Privacy Protection Guide353.7 Childrens Privacy ProtectionGermany has not made use of an opening clause providing for the possibility to deviate from the age of 16 as an age limit with respect to the processing of a childs personal data in relation to inf
308、ormation society services.3.8 Accountability a)Data Protection by Design&DefaultN/A.b)Data Protection Impact Assessment(DPIA)N/A.c)Record of Processing Activities N/A.d)Data Protection Officer(DPO)and GDPR RepresentativeThe threshold for the appointment of a DPO is much lower in Germany than compare
d to that of the GDPR. In addition to the GDPR requirements, the controller and processor must designate a DPO when (i) they constantly employ as a rule at least 20 persons dealing with the automated processing of personal data; or, regardless of the number of persons involved in the processing of personal data, (ii) whenever a DPIA has to be carried out; or (iii) whenever personal data is processed to be transferred for commercial reasons, transferred anonymously or for purposes of market research and opinion polls.

3.9 Security and Data Breach Notification
N/A.

3.10 Cross-border Data Transfer
N/A.

3.11 Enforcement
The FDPA creates certain criminal offences which foresee imprisonment or a fine for:
- deliberate and not authorized transfer/making accessible of non-publicly available personal data of a large number of individuals for commercial purposes;
- not authorized processing of non-publicly available personal data in return for payment or for personal or third-party enrichment purposes or with the intention of harming another person;
- fraudulent obtainment of non-publicly available personal data in return for payment or for personal or third-party enrichment purposes or with the intention of harming another person.

In addition, in connection with consumer loans, the FDPA sets out administrative fines for failure to handle a data subject access request appropriately, or to inform a consumer, or to inform them fully and correctly within the prescribed time limits.

4. France

4.1 Overview

4.1.1 Legal System
In addition to the GDPR, which is directly effective in France, the French legal framework on data protection is set out by the "Loi Informatique et Libertés" (the French Data Protection Act) no. 78-17 of 6 January 1978 and its implementing decree. The French Data Protection Act was last amended by the law of 20 June 2018 in order to:
- ensure proper articulation between France-specific provisions and GDPR provisions, and
- transpose Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

The main provisions of the law of 20 June 2018 retroactively entered into force on 25 May 2018, which was the date of entry into force of the GDPR. Decree no. 2005-1309 of 20 October 2005 implementing the French Data Protection Act was also amended by a decree of 1 August 2018 (the "Decree").

4.1.2 Supervisory Authorities
The Commission Nationale de l'Informatique et des Libertés ("CNIL") is the independent supervisory authority for data protection in France. The authority was created by the 1978 law. In France, there is no requirement for controllers to pay an annual fee to register that they are processing personal data. The 2018 law abolished the prior declaration and authorization regimes. Prior authorization requirements have been maintained to a very limited extent in the case of processing of health data (Chapter IX, article 54, III).

4.1.3 Material and Territorial Scope
The territorial scope of the French Data Protection Act slightly differs from the GDPR. It applies to the processing of personal data where the controller or the processor is established on French territory (regardless of whether the processing is carried out in France or not). In addition, the provisions of the French Data Protection Act which concern the areas where the GDPR allows Member States to legislate apply as soon as the data subject is a French resident (even if the controller is not established in France).

4.1.4 Data Processing Principles
N/A.

4.1.5 Lawful basis for processing
Additional derogations that allow for the processing of special categories of personal data were introduced in the French Data Protection Act. These derogations notably cover:
- processing carried out by employers or administrations relating to biometric data strictly necessary for controlling access to the workplace as well as to devices and applications;
- processing relating to the reuse of public information appearing in judgments and decisions, provided that such processing has neither the purpose nor the effect of allowing the re-identification of the persons concerned;
- processing necessary for public research after a reasoned and published opinion from the CNIL.

4.2 Key Definitions
N/A.

4.3 Data Subject Rights
The French Data Protection Act provides additional data protection rights. It gives data subjects a right to set down instructions for the management of their personal data post mortem. It also provides minors with a specific right of erasure, as further detailed below. Data controllers are required to inform data subjects about the existence of these rights.

4.4 Privacy Policy
N/A.

4.5 Direct Marketing
The French rules on direct marketing by way of electronic communications are derived from European Directive 2002/58/EC on privacy and electronic communications ("ePrivacy Directive"). They were introduced into the French Post and Electronic Communications Code ("PECC") by the 2004 French Act on Confidence in the Digital Economy ("LCEN"). Pursuant to article L.34-5 of the PECC, "is prohibited the use of automated electronic communication systems, facsimile machines (fax) or email using the contact details of an individual, subscriber or user, who has not given its prior consent to receive direct marketing through this mean". The notion of "direct marketing" is very broad and covers any message intended to promote, directly or indirectly, the goods, the services or the image of a person selling goods or services.

4.6 Data Sharing and Processing
N/A.

4.7 Children's Privacy Protection
In France, the protections for information society services offered to children on the basis of consent apply to children under the age of 15. The French Data Protection Act provides minors with a specific right to be forgotten. Upon data subject request, data controllers are required to erase as soon as possible personal data collected, via the provision of information society services, when the data subject was a minor. If the data controller has communicated the personal data to a third-party controller, it shall take reasonable measures to inform this third party that the person concerned has asked for the erasure of all links towards this data as well as any copy or reproduction. In the event of refusal to respond, or of absence of response from the data controller to the person within one month of the request, the person may take the matter to the CNIL, which shall rule on the matter within 3 weeks.

4.8 Accountability
a) Data Protection by Design & Default
N/A.
b) Data Protection Impact Assessment (DPIA)
N/A.
c) Record of Processing Activities
N/A.
d) Data Protection Officer (DPO) and GDPR Representative
N/A.

4.9 Security and Data Breach Notification
N/A.

4.10 Cross-border Data Transfer
N/A.

4.11 Enforcement
Breaches of certain provisions of the French Data Protection Act and the GDPR are also subject to criminal penalties in France. Examples of breaches are violations of the security requirement, unlawful collection of personal data, breach of the limited retention principle, etc.

5. Netherlands

5.1 Overview

5.1.1 Legal System
At the date of writing, the GDPR is directly applicable in the Netherlands. In addition to that, the Dutch Implementing Act GDPR (Uitvoeringswe