How GDPR affects Companies in China


Table of Contents

This article intends to provide an overall insight into the GDPR compliance for companies operating in China. The Regulation aims at strengthening laws on data protection, thereby giving European Union (EU) citizens control over their personal data while protecting fundamental rights and freedoms, security, and equality within the EU.

Although the GDPR is European legislation, it is also relevant to the rest of the world. Therefore, it is directly applicable to companies that operate in China, consequently granting the regulation an extraterritorial effect. This means that a controller or processor in China that processes data related to the offering of goods and services to data subjects in the European Union (EU), must comply with GDPR.

Overview of GDPR

The GDPR is a European Union (EU) data regulation Law that protects the personal data of EU citizens and directly influences the internal operations of companies. The GDPR obligates data processors and data controllers located in the EU, companies with workers in the EU, and/or companies that supply goods and services to individuals in the EU to comply with this Regulation. Compliance includes managing and transferring encrypted digital data with the highest levels of security. Controllers and processors must consider appropriate security measures such as encryption and evaluate the effectiveness of the measures in place.

This new regulatory framework that controls how data is managed and shared, provides a comprehensive framework of how to be compliant. It addresses issues around ‘what constitutes important data and cross-border data flows. For example, the GDPR specifies that companies should implement appropriate technical and organizational measures such as data minimization and encryption to ensure a level of security appropriate to risks. This further protects the right of data subjects and gives Chinese companies an indication of what protective measures consist of.

To ensure the implementation of the GDPR, different entities have been created within the European Union.

1. The user

The user owns all the data that he/she produces. The user can ask any of the entities below for information about data and processes.

2. European Board

The European Data Protection Board is composed of the head of the supervisory authority from each Member State and of the European Data Protection Supervisor.

3. Supervisory Authority

A public authority must be established in each Member State. The supervisory authority is responsible for monitoring the application of the Regulation, to protect the fundamental rights and freedom of users in relation to processing.

4. Processor

Any individual, company, or organisation that handles personal data

5. Controller

Controller- The controller is any company or organization in charge of ensuring and documenting that the users’ data is processed in accordance with the Regulation.

‘Controllers’ are entities that determine the purposes and means of processing personal data in comparison to ‘processors’ who carry out the processing on behalf of the controllers. In this, Chinese companies that have no direct business operation in any of the 28-member states of the European union but have a web presence, will also have to implement GDPR into their privacy policies. This is because personal data or behavioural information is being collected and if those individuals are EU residents, then the company is subject to the requirements of GDPR.

What counts as Personal Data

The definition of personal data has been expanded under the GDPR to reflect the type of data that is being collected by organisations. Under the GDPR, ‘personal data’ is defined as any information or type of data that can directly or indirectly identify a natural person’s identity. These include but are not limited to IP addresses, cookies, economic, cultural and mental health information. Processing special categories of data such as race, religion, sexual orientation, political opinions are prohibited unless explicit consent has been obtained.


The regulation specifies that consent must be freely given by the data subjects. Therefore, consent must be requested in language that is clear, precise and not ambiguous. In addition, consent must be distinguishable and accessible. The data subjects have the right to withdraw consent at any time, withdrawal must be as simple as it was to give consent.

Right to Access/ Right to rectify

GDPR gives EU Citizens the right to access the data in which an organisation holds on them and query why and how the data is being processed. The controllers and processors have a month to comply with the requests. Further requests may include how long the information is stored for and who has access to it.

The GDPR also requires that companies use plain and simply language to convey things clearly such as the terms and conditions. In addition, the data subject has the right to modify any personal data retained about them. Companies are expected to provide a secure process in which individuals can have direct access to their data.

Right to Erasure

EU citizens can now ask companies to erase their personal data from the company’s servers. Companies have a right to keep a record of data for a period should in case a legal claim arises. In compliance with GDPR requirements, personal data must be destroyed securely after the time has elapsed. In addition, technical and organizational measures to ensure data is disposed securely.

Right to Lodge Complaint for non-Compliance

The regulation aims to protect EU citizens when companies infringe their rights. An individual has the right to lodge a complaint to the supervisory authority if they are dissatisfied with the controller. The supervisory authority is then obligated to investigate accordingly. If a company fails to deal with a complaint within three months, The EU citizen has the right to take the case to court in their country.

The data subject also has the right to compensation, and free legal advice. Failure to comply with the regulation may result in big financial penalties. The supervisory authority can fine controllers and processors up to 4% of their annual turnover of the preceding year, for non- compliance. There is a greater emphasis on being able to demonstrate compliance to a regulator.  For organisations in China, this means a privacy compliance plan that can be inspected. The enhanced data subject rights (right to access, modify and erasure) must be respected by organisation as to avoid being reported to the relevant supervisory authority.

Data Breach

In the event of a security breach that may result in a high risk, the controller must inform both the supervisory authority and the data subjects affected, within 72 hours.  The description of the data breach must be clear and accurate. Furthermore, companies must consider improvements to the security measures to avoid further data breach.


In conclusion, there are significant fines for non-compliance of the GDPR. Companies can be fined for violating data subjects’ rights and not reporting a breach to a regulator within 72 hours. Failure to comply possess a significantly high financial cost therefore, Chinese companies need to carefully evaluate if their business presence falls under GDPR.

Scroll to Top