Data Transfer Security to China: German GDPR Tactics for Safe Passage
German companies looking to expand into China or carry out cross-border data transfers must observe numerous data protection regulations and develop strategies for compliance. Failure to do so may result in significant penalties. The experts from ECOVIS Rechtsanwaltskanzlei Richard Hoffmann provide an overview of the regulations and strategies for secure data traffic.
In an increasingly connected digital landscape, the need for robust data protection strategies is paramount. Navigating the complicated web of regulations, particularly under the General Data Protection Regulation (GDPR), is both a challenge and an opportunity.
Data regulations in Germany
Under the German legal framework, the safeguarding of an individual’s privacy is of the utmost importance as privacy is considered a fundamental right. This is manifested in the European Union’s General Data Protection Regulation (GDPR) as well as in national legislation. The GDPR is a pivotal piece of legislation and a unified framework for data protection across the EU Member States. Its emphasis is on transparency and accountability and the rights of individuals concerning their personal data.
In Germany, the GDPR is supplemented and supported by the Federal Data Protection Act (BDSG). This contains the specific German regulations detailing the obligations of data controllers and processors, the rights of data subjects and the processing of personal data which ensure compliance with the GDPR.
"We can assist you in developing a legally compliant data protection concept."
Richard Hoffmann, Lawyer, ECOVIS Rechtsanwaltskanzlei Richard Hoffmann, Heidelberg, Germany
What data is affected?
The GDPR only applies to "personal" data, meaning information relating to an identified or identifiable natural person. Anonymous data, from which no conclusions about the identity of an individual can be drawn, is therefore outside the scope of the GDPR. Pseudonymised data, on the other hand, remains personal data and is fully covered: it contains, for example, ID numbers or codes that can be traced back to a specific person once combined with additional information.
Data transfer from the EU to China
There are two requirements to comply with:
1. The data transfer itself must be permissible
According to Art. 6 GDPR, processing of personal data is only permitted if one of the following legal bases applies:
- Consent of the data subject for a specific purpose
- Contractual necessity (the individual is a party to the contract and the processing is required to perform it)
- Compliance with a legal obligation to which the controller is subject
- Protection of the vital interests of the data subject or another person
- Performance of a task carried out in the public interest or in the exercise of official authority
- Legitimate interests of the controller or a third party, provided these are not overridden by the interests or fundamental rights of the data subject
One of these legal bases is sufficient; it is not necessary to combine them in practice.
2. Data transfer to China must be permissible
Data transfer to countries outside the EU (so-called third countries) is strictly regulated by the GDPR. It is only permissible if an adequate level of protection for the personal data is ensured at the recipient, so that the level of protection guaranteed by the GDPR is not undermined. But how can this be achieved? As the Ecovis experts know, there are two routes: an adequacy decision or the implementation of appropriate safeguards.
No additional precautions are needed if an adequacy decision exists for the third country. Such decisions are adopted by the European Commission. Currently, there is no adequacy decision for data transfers from the EU to China. Suitable safeguards must therefore be implemented before any transfer, for example in the form of Binding Corporate Rules (BCRs). These are a form of self-regulation within an international group of companies that governs data transfers internally within the corporate structure. BCRs must be approved by the competent data protection supervisory authority of an EU Member State. This is usually the authority in whose jurisdiction the company introducing the BCRs has its headquarters or where the main data processing takes place.
Standard Contractual Clauses (SCCs), referred to in the GDPR as standard data protection clauses, are another way to legitimise data transfers outside the EEA (European Economic Area). SCCs are adopted by the European Commission, or adopted by a supervisory authority and approved by the Commission, and must be contractually agreed with the data recipient in the third country. They are comparable in concept to the Chinese standard contract for cross-border transfers of personal information. Note that since the CJEU's Schrems II judgment (C-311/18), the data exporter must also assess whether the law and practice of the destination country undermine the protection the clauses provide, and must adopt supplementary measures where they do.
The GDPR also allows data transfers to be legitimised through industry-specific codes of conduct approved by the competent supervisory authority, provided that these contain legally binding and enforceable commitments by the data controller or processor in the third country.
Violations of the GDPR
Under Article 83 of the GDPR, companies can face substantial administrative fines for infringements of the Regulation, including unlawful international transfers. For the most serious infringements, these fines can be as high as EUR 20,000,000 or 4% of a company's total worldwide annual turnover from the preceding financial year, whichever is higher. Such repercussions highlight the serious consequences of GDPR violations for any organisation.
Best practices for German and Chinese companies
Germany's data protection framework, centred on the GDPR and supplemented by domestic law, reflects a long-standing commitment to protecting privacy. Compliance with these rules is essential for businesses, particularly for data transfers to non-EU countries, given the substantial penalties for non-compliance. Within this complex landscape, the Standard Data Protection Model (SDM), a methodology published by the German data protection supervisory authorities, is a valuable tool for translating the legal requirements into concrete technical and organisational measures. Ultimately, Germany's commitment to safeguarding privacy sets a benchmark for fostering trust and prioritising privacy in the digital realm.
For further information please contact:
Richard Hoffmann, Lawyer, ECOVIS Rechtsanwaltskanzlei Richard Hoffmann, Heidelberg, Germany
Email: richard.hoffmann@ecovis.com
Contact us:
Richard Hoffmann
ECOVIS European China desk
Lenaustrasse 12, 69115 Heidelberg
Phone: +49 6221 9985 639
www.ecovis.com/heidelberg