How to transfer personal data outside of China compared to the German regulations
Data protection is a term everyone has heard over and over again nowadays. How do I store personal data securely, to whom am I allowed to pass my data on, and what do I need to consider when handing my personal data to a third party? These and similar questions come up constantly, in personal as well as in work matters. Keeping an overview of the local data protection rules can already be a hurdle, but what about data transfers to other countries, outside the EU? Let’s pick China as an example: the newly implemented PIPL (Personal Information Protection Law) comes with many new regulations and has certain similarities to the German data protection system (the DSGVO, “Datenschutzgrundverordnung”). Focusing on data transfer outside the EU (between Germany and China), the following paragraphs outline the legal framework of this process for companies.
China
For comparison, let’s have a look at the basic legal framework of data protection in China. This is also quite a hot topic at the moment.
In 2021, the “Personal Information Protection Law” (个人信息保护法) came into force. It introduced a series of provisions on transferring personal information abroad: if personal information crosses borders, one of the following prerequisites must be met:
- Security assessment by the National Cyber Information Department
- Certification of personal information protection by a professional body
- Conclusion of standard contract with the recipient abroad
Two years later, on 24th February 2023, the CAC (“Cyberspace Administration of China” or 国家互联网信息办公室) published the “Provisions on the Standard Contract for Exports of Personal Information” (个人信息出境标准合同办法), taking effect on 1st June 2023. The Provisions clarify the requirements for concluding and filing standard contracts for transferring personal data outside of China. Their legal basis is the “Personal Information Protection Law” of 2021.
A few questions to our lawyer
What does cross-border compliance of personal data mean in Chinese law?
The “Personal Information Protection Law” stipulates the following: “If an individual (since 1st January of the previous year) has provided personal information to less than 100,000 people or to less than 10,000 people with sensitive personal information”, the individual needs a standard contract in order to export personal data.
In practice it basically means the following: a company providing personal information to a parent company overseas (or, for example, to an international HR company) is obliged to sign a contract with the company abroad, provided that the employee has given his or her consent in accordance with the standard contract attached to the above-mentioned act.
Are there requirements for personal information to leave the Chinese borders? If so, what are they?
Yes, there are. Personal information needs to meet one of the following prerequisites before leaving the country:
- Passing of security assessment by the CAC
- Certification by a professional authority for personal information protection
- Concluding a contract with the overseas recipient in accordance with the standard contract established by the CAC
- Other conditions stipulated by laws, administrative regulations or the CAC regarding export of personal data
How is “personal and sensitive data” defined?
All sorts of personal information that, if leaked or used illegally, could easily lead to the infringement of a natural person’s human dignity or endanger the safety of his or her person or property. Additionally, the types of personal information concerned are the following:
- biometric,
- religious beliefs,
- specific identity,
- medical and health,
- financial accounts,
- whereabouts, etc.,
- as well as personal information of minors under 14 years of age.
For businesses, we always remind our clients to pay particular attention to passports and, e.g., financial accounts (these are confidential as well).
What actually are the guidelines of a standard contract?
Article 61 of the “Personal Information Protection Law” states the following: “Standard contracts shall be concluded in strict accordance with the Annexes to these Measures. The CAC may make adjustments to the Annexes in accordance with the actual situation.”
From this we can understand that the terms of the Standard Contract should not be modified, but non-conflicting terms may be added to the Standard Contract.
The “Provisions on the Standard Contract for Exports of Personal Information” undoubtedly put more pressure on companies exporting personal information, in the interest of greater security.
Germany
Countries outside of Europe are generally considered not to offer the level of data protection required by the German data protection regulation. Hence, international data transfer is restricted by the DSGVO. Transfer of personal data is allowed when the receiving country offers an adequate level of protection. What exactly is personal data under German data protection law?
How is personal (or individual) data defined?
Personal data is all information which can be traced back to a natural person. This includes not only external features or character traits, but also digital data from, e.g., online services (cybersecurity!). Names, all kinds of IDs and locations are examples, as are the physical, psychological, economic, cultural or social features of a person. The law distinguishes between personal data and sensitive personal data. The latter covers information about ethnicity, political orientation, biometric data for the unique identification of a person, health information or the sexual orientation of an individual.
How to transfer data abroad?
The DSGVO provides different instruments governing data transfer from the EU to third countries. Generally, the European Commission can determine by decision whether a third country offers the adequate level of protection needed. If this is the case, companies can transfer data to that third country and the data-exporting party does not have to fulfil any additional requirements.
Otherwise, if this is not the case, certain guarantees are needed.
What about giving personal data to a third person, not a third country?
If I have to send someone else’s data to a third party, I may do so only with the active consent of the person to whom the data belongs. This is the basic principle of transferring personal information to a third party under the German DSGVO.
Passing on personal data to third parties requires the consent of the affected person; otherwise it is not permitted. In exceptional cases, the information can be encrypted or separated. In this way, illegal tapping of the data can be prevented and not too much information about a person is disclosed all at once.
Data has to be deleted once it is obsolete and no longer needed for the specific purpose for which it was entrusted.
ECOVIS Heidelberg and Shanghai Ruide advise companies to take the legal provisions on this matter very seriously from the very beginning, in the interest of the continued and stable development of their business. This avoids situations in which companies are required to terminate data exports due to failure to meet regulatory requirements, or even incur corresponding legal liability as a result.
Do you have any further questions or need a consultation? Please do not hesitate to contact us and leave a message here. Ecovis Richard Hoffmann also has experience serving as a supervisor in China. Through years of experience and specific knowledge of the German, international and Chinese business environment, Richard Hoffmann has successfully supported several hundred companies in navigating the complexity of legal, tax and compliance issues in China.