Since 25 May 2018, the General Data Protection Regulation (GDPR — EU Regulation 2016/679) has been in force throughout the European Union. For any organisation — Italian, foreign, or based outside the EU — that collects, processes or stores personal data of individuals residing in Europe, GDPR compliance is mandatory. Non-compliance exposes the organisation to fines of up to €20 million or 4% of global annual turnover, whichever is higher.
Who must comply with the GDPR
The GDPR applies to any organisation that processes personal data of individuals residing in the EU, regardless of where the organisation is established. This means that a Chinese company selling products to Italian customers online, managing employees in Italy, or collecting data through a website accessible in Europe is subject to the GDPR.
Key obligations for companies
— Privacy notice: every collection of personal data must be accompanied by a clear and complete notice explaining the purposes, legal basis, retention periods, and data subject rights.
— Legal basis for processing: all data processing must rest on a valid legal basis: consent, contract, legal obligation, vital interest, public interest, or legitimate interest.
— Record of processing activities: companies with more than 250 employees, or those processing sensitive data or doing so systematically, are required to maintain an internal register of processing activities.
— Data Protection Officer (DPO): certain categories of organisations are required to appoint a DPO. Even when not mandatory, it is advisable for companies handling large volumes of data.
— Breach notification: in the event of a data breach, the organisation must notify the supervisory authority within 72 hours of becoming aware of it.
— Data transfers to third countries: transferring personal data to China requires specific additional safeguards, as China is not recognised by the EU as providing an adequate level of data protection.
The critical issue for Chinese companies: transfers to China
Many Chinese companies operating in Europe regularly transfer data (of employees, customers, suppliers) to the parent company’s IT systems in China. This transfer is subject to specific GDPR restrictions. The most common solutions include the Standard Contractual Clauses (SCCs) approved by the European Commission, or Binding Corporate Rules (BCRs) for multinational groups.
Rxconsult, working with its legal partners, supports Chinese companies in assessing their GDPR position, drafting the required documentation, and implementing processes that comply with European regulations.