Cross-border Data Transfer

Cross-border Data Transfer

Covers core mandatory requirements for Sino-EU cross-border data transfer and personal information protection — the core compliance basis for Jiumo's ”Supply Chain Landing“ service when handling China-Netherlands data flows.

 

1. Personal data must be processed according to seven principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, and storage limitation.——GDPR Art.5 Regulation (EU) 2016/679 Effective 25 May 2018‘

2. Processing of personal data requires at least one lawful basis: consent, contractual necessity, legal obligation, legitimate interest, etc.——GDPR Art.6

3. Transfers of personal data outside the EU require one of: adequacy decision, Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), etc.——GDPR Art.44-49

4. GDPR fines: up to €10M or 2% global turnover for general violations; up to €20M or 4% for serious violations.——GDPR Art.83

5. Providing personal information overseas requires one of: passing CAC security assessment, signing the standard contract, or obtaining certification.——PIPL Art.38
Effective 1 Nov 2021

6. Overseas provision of personal information requires informing the data subject of the recipient's name, contact, and processing purpose, and obtaining separate consent.——PIPL Art.39

7. Critical information infrastructure operators providing important data overseas must pass a security assessment by the Cyberspace Administration of China (CAC).——DSL Art.31 Effective 1 Sep 2021

8. Data subjects have the right to access their personal data, request rectification, and request erasure (right to be forgotten).——GDPR Art.15-17

9. Data subjects may withdraw consent at any time; withdrawal does not affect the legality of processing based on consent prior to withdrawal.——GDPR Art.7(3)

10. Websites must disclose in the privacy policy whether cookies are used and their types, and obtain user consent (except for essential cookies).——EU ePrivacy Directive 2002/58/EC+ national Cookie laws

11. Websites must identify the data controller with contact details and DPO (Data Protection Officer) information if applicable.——GDPR Art.13(1)(a) & Art.37

12. Data subjects have the right to lodge a complaint with a supervisory authority; the authority's contact must be provided in the privacy policy.——GDPR Art.13(2)(d)

Back to blog