Data protection in the People’s Republic of China.

An overview of the rules for cross-border data transfers from China.

Despite the challenges, economic relations between Germany and China remain positive. However, data protection is an important topic, especially in this context.

German-Chinese relations

Data protection is an important issue not only in Germany but also in international business transactions. The EU GDPR and the Federal Data Protection Act both regulate the collection and processing of personal data in Germany.

China has also introduced important data protection and data security legislation.

The Personal Information Protection Law in China: PIPL

The Personal Information Protection Law 个人信息保护法 (PIPL) came into force on November 1, 2021. It protects the rights and interests of data subjects in terms of their personal data, regulates the processing of this data and promotes the proper use thereof.

The PIPL applies to the processing of personal data of natural persons in China. Article 3 (2) of the PIPL states that it also applies to foreign companies which process the data of Chinese citizens. This corresponds to Art. 3 (2) of the GDPR.

If foreign companies intend to provide products or services to Chinese citizens or analyze their data, Article 53 of the PIPL stipulates that they must appoint a representative in China and notify the local data protection authorities.

Processing principles according to PIPL

According to Article 5 of the PIPL, personal data must be handled in accordance with the principles of lawfulness, permissibility, necessity and good faith and must not be collected by misleading, fraudulent or coercive means.

According to Article 6 of the PIPL, the processing of personal data must have a clear and appropriate purpose and be directly related to the purpose of the collection.

The collection of personal data must be limited to the minimum necessary to achieve the purpose of the processing.

Furthermore, processing must also be carried out in accordance with the principles of openness and transparency pursuant to Article 7 of the PIPL. To ensure that the data processing complies with the legal regulations, the rules for handling personal data must be disclosed and the purpose, method and scope must be clearly stated.

Cross-border data transfer

There are three permissible options for cross-border data transfer:

  • Standard contractual clauses
    In the following cases, data may be transferred abroad on the basis of standard contractual clauses:

    • Operators of non-critical information infrastructure transmit data.
    • Personal data belonging to fewer than 1 million persons is processed.
    • The cumulative transfer of personal data outside the country since January 1 of the previous year concerns fewer than 100,000 persons.
    • The cumulative transfer of sensitive personal data outside the country since January 1 of the previous year concerns fewer than 10,000 persons.
  • Authentication of personal data
    Processors of personal data abroad can apply to have the processing authenticated by a specialized agency or its representatives in China pursuant to Article 3 (2) of the PIPL. The foreign data processor performs a data protection impact assessment (comparable to Article 35 of the GDPR) and prepares a report that must be retained for at least three years.
  • Security assessment
    Cross-border data transfer requires a security assessment in the following cases:

    • Processors of important data,
    • Operators of critical information infrastructure and data processors which process personal data belonging to more than 1 million people,
    • Data processors which have transferred personal data belonging to 100,000 persons or sensitive personal data belonging to a total of 10,000 persons abroad since January 1 of the previous year.

Summary of the key facts:

  • The PIPL also applies extraterritorially.
  • The principles of data processing in China are legality, necessity, good faith, minimization, and transparency.
  • There are three options for cross-border data transfer: standard contractual clauses, authentication, and a security assessment.