The European Data Protection Board (EDPB) recently published the minutes of the 54th Plenary Meeting held in September 2021, which shed light on how the EDPB may address the issue of data transfers from Europe to third countries (including China). In the past, direct collection of personal data from European consumers were not considered as data “transfer” under the General Data Protection Regulation (GDPR). However, the EDPB new minutes indicates that companies that have no physical presence in Europe (therefore including Chinese companies) but need to collect data from European consumers are indeed subject to the GDPR by virtue of Art. 3(2)“Territorial Scope”, and therefore shall abide by Chapter V of data transfer mechanisms and related requirements. The minutes suggests that the EDPB is likely to adopt guidelines requiring Chapter V data transfer mechanisms to be put in place in this direct data collection scenario.
欧洲数据保护委员会(EDPB)最近公布了2021年9月举行的第54次全体会议纪要,其中阐明了欧洲数据委员会将如何规制从欧洲传输数据至第三方国家(包括中国)的问题。过去,从欧洲消费者直接收集个人数据并不被视为欧盟《一般数据保护条例》(“条例“)含义下的数据"传输"。然而,根据这份新会议纪要,即使是在欧洲没有实体业务但需要从欧洲消费者收集数据的中国企业,会根据《条例》第3条第2款“地域适用范围”而可能受到《条例》第五章关于数据传输机制及相关要求的约束。该会议纪要表明,欧洲数据保护委员会可将会会制定新的准则,细化《条例》第五章数据传输应用于前述直接收集数据行为的规则。
It remains to be seen how the soon-to-be issued guidelines will regulate direct data collection. However, Chinese companies offering products or services to European consumers shall bear in mind that, if the GDPR Chapter V becomes applicable to them, it raises higher data compliance requirements. Administrative fines up to 20,000,000 EUR or upon to 4% of the total worldwide annal turnover (whichever is higher) will be imposed on companies for infringement of Chapter V of the GDPR.
这些即将发布的准则将规范直接数据收集行为,但其对企业的应用及影响仍待观察。但是,向欧洲消费者提供产品或服务的中国企业应了解到,如果《条例》第五章适用于他们,则会提高数据合规性要求。违反《条例》第五章的企业将被处以最高2000万欧元或等同于前一财务年度全球年营业总额4%的行政罚款(以较高者为准)。
EDPB Clarifications on transfers to importers subject to GDPR
作者:广悦律师事务所来源:广悦律师事务所

The European Data Protection Board (EDPB) recently published the minutes of the 54th Plenary Meeting