    JAVY Insight | GDPR for cross-border data compliance (I)

    Release Time:2022-07-27



    01. Background


    Before introducing the GDPR, we should first give a preliminary introduction to the EU's legislative mechanism. As a supranational governmental organization with 27 member states, the EU's legislative machinery is mainly composed of three key bodies, namely the European Commission, the European Parliament and the European Council. The European Commission has the power to draft legislation and is also the actual executive body for the legislation. The European Parliament is a parliament composed of elected representatives, similar to the House of Commons, which has the right to make legislative recommendations to the European Commission. The European Council is composed of officials appointed by the governments of member states. Similar to the House of Lords, it also has the right to make legislative recommendations to the European Commission. After the European Commission drafts a piece of legislation, the draft is submitted to the European Council and the European Parliament for deliberation and amendment. If the European Council and the European Parliament adopt the draft, it enters into force as formal law. Under this mechanism, the laws adopted by the European Union fall into three categories: "regulations", which must be enforced by every member state; "directives", which member states may apply flexibly according to their own circumstances; and "decisions", which only target specific events or parties. The full name of the GDPR we are going to discuss is the General Data Protection Regulation. As the name suggests, it is a "regulation" that must be enforced in all EU member states, with the highest legislative status and binding effect.


    In 1995, the European Union adopted Directive 95/46/EC to regulate the protection of personal information. The GDPR, which took effect in 2018, completely replaced Directive 95/46/EC and has become the personal data protection instrument with the most extensive and detailed provisions and the most sophisticated legislative technique in the world. The GDPR has great influence not only in Europe but all over the world, not only because its advanced legislative technique is being used as a reference by other countries and regions, but also because its strong extraterritorial effect forces most commercial and non-commercial entities involved in the European market to face up to the existence of this legislation and abide by it.


    02. Scope of application of GDPR


    Traditionally, data protection laws have applied primarily to organizations geographically located in the European Union. However, the GDPR has wider applicability than previous legislation. Article 3 of the regulation stipulates that the law applies to any activity in the EU (including the countries of the European Economic Area (EEA)) that has data protection consequences for individuals. Under this provision, its scope of application can be understood in four ways:

    ❐ 1. The data processing activities of personal data controllers and personal data processors that have an establishment in the EU, regardless of whether the processing itself takes place in the EU;

    ❐ 2. The processing of personal data of individuals who are in the EU, whether or not the personal data controller and personal data processor are in the EU;

    ❐ 3. The offering of goods or services to individuals in the EU, whether or not those goods or services are paid for;

    ❐ 4. The monitoring and tracking of the behaviour of individuals in the EU, including advertising recommendations based on user behaviour.

    In addition, it should be noted that "within the EU" in the above four understandings includes not only the actual territory of the EU but also territory legally belonging to the EU, which brings the embassies of member states located outside EU territory within the scope of "within the EU" under the GDPR. Therefore, data processing in embassies and consulates must also comply with the provisions of the GDPR.




    03. Understanding of some terms of GDPR


    ❐ (1) personal data

    Under the GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is "one who can be identified, directly or indirectly, in particular by reference to an identifier". Under this definition, if a natural person is likely to be identified, then even information that cannot directly identify that person on its own still constitutes personal data. For example, a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person can all constitute personal data, and so can location information, personal profiles and web cookies. The scope of personal data is therefore very wide indeed.


    ❐ (2) data processing

    Article 4 of the GDPR stipulates that "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction" constitutes data processing. This definition of processing is very broad. Essentially, almost everything an organization can do with data over its life cycle, from initial acquisition to final destruction, including the storage in between and any use of the information, amounts to processing and falls within the data protection legal regime. It is worth noting that this definition extends to computer hard disk drives, servers, CD-ROMs, or any portable storage device that merely stores information, including USB flash drives. It also covers activities such as data matching, data sharing, data mining and data warehousing.


    ❐ (3) manual (paper) records

    Just as it applies to personal data suitable for electronic processing, the GDPR applies to information contained in certain manual (paper) records. Such paper-based records must usually form part of a "filing system".


    ❐ (4) data controller

    GDPR Article 4(7) stipulates that a "data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". Generally speaking, all sole traders, self-employed persons, partnerships and companies will be controllers, including all online or offline entities such as banks, insurance companies, law firms, supermarkets, betting shops, opticians, dentists, medical practices, Internet search engines, pharmaceutical companies, telecommunications enterprises (including Internet service providers ('ISPs')) and construction companies. In addition, unincorporated associations will also be controllers, as will schools, local authorities, police forces, fire departments, hospitals, government departments and so on. It should be noted that the data controller must be distinguished from the data processor, which is an entity that processes personal data on behalf of the controller.


    ❐ (5) data processor

    GDPR Article 4(8) stipulates that a "data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller." Data controllers often use third-party companies to process their data, because this saves time and cost. As long as the third party only carries out the controller's instructions and does not determine the purposes or means of the processing, it is a data processor. Otherwise, the third party may itself be classified as a data controller.


    ❐ (6) special category personal data

    Special categories of personal data are generally sensitive data. According to Article 9(1) of the GDPR, the data controller may not process special categories of data unless one of the conditions in Article 9(2) of the GDPR is met. The special categories of personal data are: 1. racial or ethnic origin; 2. political opinions; 3. religious or philosophical beliefs; 4. trade union membership; 5. genetic data (used to uniquely identify a person); 6. biometric data (used to uniquely identify a person); 7. data concerning health; 8. data concerning a natural person's sex life or sexual orientation.


    ❐ (7) main business location

    For organizations with more than one establishment in the EU, the GDPR introduces the concept of the "main establishment" (Article 4(16)). The location of the main establishment determines which national data protection regulator will supervise the organization. Generally speaking, the location of the headquarters is an organization's main business location, unless its decisions are mainly taken at another business location. If the controller or processor is located outside the EU, it must designate a representative (not required in certain exceptional cases) in the EU member state where the data subjects concerned (those to whom goods or services are offered, or whose behaviour is monitored) are located, to act on behalf of the controller or processor in dealings with the regulatory authorities and with those data subjects.


    ❐ (8) Pseudonymization

    Pseudonymization refers to the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and subject to technical and organizational measures that ensure the individual is not identified or identifiable. However, it should be noted that, unlike anonymous data, pseudonymized personal data is still personal data, although pseudonymized data is subject to slightly lighter constraints than ordinary personal data.
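    The following is an added illustration of the distinction drawn above, not part of the original article: a keyed token replaces the direct identifier, the key and lookup table (the "additional information") live in a separate vault, and an anonymized copy is shown for contrast. The sample records and field names are constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed sample dataset; "email" is the direct identifier.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "order_total": 42.0},
    {"email": "bob@example.com", "order_total": 17.5},
    {"email": "alice@example.com", "order_total": 9.9},
]


class ReidentificationVault:
    """Holds the 'additional information': the HMAC key and token->identifier map.
    It is stored and access-controlled separately from the pseudonymized data."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self.lookup: dict = {}  # token -> original identifier

    def token_for(self, identifier: str) -> str:
        # Keyed hash: without the key, the token cannot be recomputed from a guess.
        tok = hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[tok] = identifier
        return tok

    def reidentify(self, token: str) -> Optional[str]:
        return self.lookup.get(token)


def pseudonymize(records, vault: ReidentificationVault, field: str = "email"):
    """Replace the identifier with a consistent token; the same subject keeps the
    same token, so records stay linkable and the data remains personal data."""
    out = []
    for rec in records:
        new = dict(rec)
        new["subject_token"] = vault.token_for(new.pop(field))
        out.append(new)
    return out


def anonymize(records, field: str = "email"):
    """Contrast: drop the identifier outright; no vault can restore the subject."""
    return [{k: v for k, v in rec.items() if k != field} for rec in records]
```

    A holder of only the pseudonymized records cannot name the subjects, but the controller holding the vault can, which is exactly why the GDPR still treats such data as personal data.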

