China Desk Newsletter - Privacy and Data Protection Reform – GDPR

2016年4月14日, 欧盟通过了全面的隐私和数据保护改革, 此改革将对大多数在欧洲有业务的公司有所影响。

On April 14 2016 EU adopted a comprehensive privacy and data protection reform with impact on most companies doing business in Europe.

Chinese version (PDF)

Introduction

On April 14 2016 EU adopted a comprehensive privacy and data protection reform with impact on most companies doing business in Europe. The EU General Data Protection Regulation (GDPR) has many new elements and significant enhancements compared to the current regime. The regulation will apply in Norway from May 2018.

The GDPR relates to companies' electronic processing of personal data – in most cases customer data and employee data. In essence, the GDPR entails that companies doing business in Norway will have to do some things differently than today. This will also impact Chinese companies with operations in Norway.

The GDPR will impose stricter requirements regarding processing of information about individuals, and introduces larger fines for any non-compliance. The GDPR also places greater emphasis on the documentation that companies must keep to demonstrate compliance.

For Chinese businesses planning to set up a local office in Norway, and for Chinese businesses which intend to process information about Norwegian individuals in connection with goods and services offered to such persons, understanding the GDPR is an important part of the process. It will be required to know what types of personal data that are processed, where it is stored and for how long the business must retain the information comprised by the GDPR.

Main regulations

What is new?

  • Companies must have routines for handling individual's rights such as access requests and deletion of personal data that cannot be stored, and procedures for data portability.
  • Companies must have policies, contracts and other arrangements on personal data. Employment agreements need to have privacy clauses.
  • Some companies are required to appoint a data protection officer.
  • Companies must have routines for data breaches. Security incidents must be reported to the Norwegian Data Protection Authority within 72 hours.
  • International groups must have intragroup data processing agreements and risk assessments for cross-border data transfers.
  • Companies will be exposed for significantly heavier fines. Today, Norwegian authorities may impose fines up to EUR 100,000. According to GDPR, for very serious breaches, the authorities may impose fines up to EUR 20 million or 4% of corporate global revenue.

Who does the new regulation apply to?

The GDPR will apply to any company that processes information or assessments that can be directly or indirectly linked to individuals, i.e. physical persons. This means that companies doing business in Norway which have stored customer data or employee data on servers, or have outsourced its data management, will be covered by the GDPR.

The GDPR applies to any company dealing with EU residents' or citizen's data. As such, Chinese companies handling data about Norwegian individuals will be subject to GDPR, regardless of having established a legal entity in Norway or not.

What will the new regulation mean to Chinese investors

The stricter requirements and possibility of large fines upon breach entails a significant risk when either i) establishing a local office in Norway, or ii) handling data about Norwegian citizens in connection with goods and services offered to such persons. Compliance is the key factor of mitigating the risk.

Chinese investors should decide if the intended business model will include either establishing a local office in Norway, or if the intended business model will include handling Norwegian citizen's information. The risks can be mitigated through mapping data flows, reviewing contracts and establishing adequate routines for compliance with the GDPR. The risks can also be mitigated through a legal due diligence by vetting the target's compliance with the GDPR.

Schjødt has extensive experience with advising international clients on matters related to privacy and data protection requirements. Our expert team is accomplished at advising international businesses on regulatory compliance and preparing for the GDPR.

Related practice areas

Primary Contacts

Erling Christiansen
Elise Chen
Jeppe Songe-Møller
Mathias M. Teir
Henrik Aadnesen
Andreas F. Busch
Nancy Liu

Published

Thursday, November 16, 2017