Isolation or freedom? The access to the data of your Chinese Subsidiary

Since the Cybersecurity Law of the PRC came into force in 2017, China has been gradually building up a regulatory system for data transfer and is constantly updating the corresponding laws and regulations. For many German parent companies, it is often unclear whether and how they can access the data of their Chinese subsidiaries. We also sometimes see Chinese subsidiaries invoke cross-border data regulation to deny the German parent company access to data, in order to keep the parent company's management from becoming aware of certain facts. With this Q&A we aim to answer questions that commonly arise in practice and to give you a clear overview of where the bar is, thereby increasing transparency in the management of your Chinese subsidiaries.

In principle, however, the GDPR applies to the (receiving) EU company. It must ensure processing in accordance with the local principles of the GDPR, including:

  • Lawfulness, fairness and transparency (Art. 5 para. 1 lit. a GDPR), purpose limitation (Art. 5 para. 1 lit. b GDPR), data minimization (Art. 5 para. 1 lit. c GDPR), integrity and confidentiality (Art. 5 para. 1 lit. f GDPR).
  • If the receiving company processes the data on behalf of the transferring company, a data processing agreement must be concluded (Art. 28 GDPR). If there is joint responsibility, a corresponding agreement pursuant to Art. 26 GDPR is required.

 

 

Can data be collected and processed by a Chinese subsidiary and at the end be transferred to the German parent company? Do all transfers have to be approved by the competent Chinese authorities?

Data can be transferred across borders. Manufacturing-related data of Chinese subsidiaries can be transferred freely without authorization from the competent Chinese authorities. Personal data of employees of Chinese subsidiaries may also be freely transferred to the German parent company without any evaluation, declaration or approval, provided that such data have been collected and processed on the basis of rules and regulations, contracts, etc. (e.g. employment contracts), and that the German parent company needs the data to carry out human resources management tasks.

Specifically, there are several possibilities to legalize the cross-border flow of data, depending on the data processor, and the different types of data to be transferred, as follows:

 

Nota bene: Personal data processors shall not split up the quantity of personal data that should be subject to an export security evaluation in order to transfer it to foreign countries by entering into a standard contract instead.

 

Is it a cross-border transfer of data when Chinese subsidiaries send data to their German parent company via email or upload them to a network or database, or when the German parent company accesses the data of its Chinese subsidiaries?

Yes. Cross-border data transfer includes the transfer of data collected and generated by a data processor in the course of its operations within the Chinese territory to a place outside the territory, regardless of the mode of transfer. It also includes data collected and generated by a data processor that are stored within the Chinese territory but queried, accessed, downloaded or exported by entities, organizations or individuals outside the Chinese territory by any other means. Strictly speaking, it will also be regarded as a cross-border transfer if employees of the German parent company fly to China to access the data of the Chinese subsidiary on site.

 

Does the cross-border transfer of data from a Chinese subsidiary to a German parent company trigger the legal restrictions on the transfer of Critical Information Infrastructure (CII) data abroad?

Usually not. Critical information infrastructure refers to important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, electronic government services, national defense, science and technology, and other important network facilities and information systems that may seriously jeopardize national security, the people's livelihood, and the public interest in the event of damage, loss of functionality, or data leakage. The competent Chinese authorities are responsible for organizing the determination of critical information infrastructures in their respective industries and fields in accordance with the recognition rules and will promptly notify the operators of the results of the recognition and inform the public security department of the State Council. If your Chinese subsidiary has not been notified of the above recognition, it is not a critical information infrastructure operator, but a general data processor.

 

Does the cross-border transfer of data from a Chinese subsidiary to a German parent company trigger legal restrictions on the transfer of “important information” abroad?

Usually not. Important data refers to data that may jeopardize China's national security, economic operation, social stability, public health and safety if the data are falsified, damaged, leaked, illegally acquired or illegally utilized. Important data generally does not relate to manufacturing and internal management information, personal information, etc. If the Chinese subsidiary has not been informed by the relevant departments or regions, and it has not been publicly announced, that its data are regarded as important data, the production and management data and personal information of employees transferred to the German parent company will not fall into this category.

For the automotive industry, it should be noted that the following types of data have been defined as important data through “Certain Provisions on Automotive Data Security Management (for Trial Implementation)”:

(i) Data such as geographic information, personnel flow, vehicle flow and other data in important and sensitive areas such as military administrative zones, national defense science and industry units, and party and government organs at or above the county level;
(ii) Data reflecting economic operation such as vehicle flow and logistics;
(iii) Data on the operation of the automobile charging network;
(iv) Out-of-vehicle video and image data containing face information, license plate information, etc.; and
(v) Personal data concerning more than 100,000 persons.

 

Is it possible to transfer the technical development data of the Chinese subsidiary to the German parent company completely free of restriction if it is not part of the important data mentioned above?

No. For technical data, you also need to be aware of its possible inclusion in China's “Catalog of Prohibited and Restricted Technologies for Export”. For example, technologies for personalized information services based on data analysis are export-restricted technologies that require prior approval from China's trade authorities before they can be exported. This also includes personalized user preference learning technologies based on continuous training and optimization of mass data, real-time perception of personalized user preferences, and large-scale distributed real-time computation technologies to support recommendation algorithms.

 

Does the cross-border transfer of data from a Chinese subsidiary to a German parent company trigger any legal restrictions on the transfer of “sensitive personal data” abroad? Does a Chinese subsidiary have to obtain the individual consent of employees for cross-border transfers of their personal data to its German parent company?

Legal restrictions on the transfer of “sensitive personal data” abroad may be triggered. Sensitive personal data refers to personal data that, if leaked or illegally used, could easily lead to the infringement of a natural person's human dignity, or jeopardize the safety of his or her body or property, including information on biometrics, religious beliefs, specific identities, medical and health care, financial accounts, whereabouts and trajectories, as well as the personal data of minors under the age of 14. However, it is not necessary to obtain the consent of the individual if this is required for the conclusion and performance of an employment contract or for the implementation of human resources management in accordance with legal labor regulations and collective agreements.

Labor rules formulated in accordance with the law include employee handbooks and various types of company policies formulated through democratic procedures. It should be noted that such rules should be discussed by the employees' congress or by all employees, with suggestions and opinions put forward and determined in equal consultation with work councils or employee representatives, and it is not sufficient for the Chinese subsidiary as the employer to unilaterally draft and publish the rules. The collective contract, which is a written agreement between the Chinese subsidiary as the employer and the employees through collective bargaining, is usually negotiated by the work council on behalf of the employees and the employer.

We recommend that you update your Chinese subsidiary's employee handbook or relevant company policies to include a clause on the cross-border transfer of employees' personal data to provide legal grounds for subsequent transfers. As the above exemptions only apply to employees who have signed labor contracts with Chinese subsidiaries, if the Chinese subsidiaries have various forms of employment, such as interns, outsourced workers, labor dispatchers, service workers, etc., a consent clause for cross-border transfer of personal data should be added to the template of the corresponding contract.

 

Does the above apply to Chinese subsidiaries in any part of China?

Please note that each Free Trade Zone (FTZ) may issue negative lists for cross-border data transfers. If your Chinese subsidiary's registered address is in an FTZ, you should also be aware of whether the FTZ has issued a negative list. For example, the Beijing FTZ, the Shanghai Lingang FTZ and the Tianjin FTZ have each issued relevant data (negative) lists.

The “China (Beijing) Pilot Free Trade Zone Data Exit Management List (Negative List) (Version 2024)” provides more detailed and specific descriptions of 48 types of data subcategories in five areas, namely, automotive industry, pharmaceutical industry, civil aviation industry, retail and modern service industry, and AI training data, as well as clarifying the outbound regulatory measures for these specific data.

The Administrative Committee of Shanghai FTZ issued the “Measures for Classification and Grading Management of Cross-border Flow of Data in Lingang New Area of China (Shanghai) Pilot Free Trade Zone (for Trial Implementation)”, which classifies cross-border data into 3 levels, from high to low: core data, important data and general data. Core data is prohibited from cross-border movement, important data is compiled into the Important Data Catalog, and general data is compiled into the General Data List. Subsequently, the Lingang Administrative Committee issued General Data Lists for various cross-border data scenarios in three areas, namely Intelligent Networked Vehicles, Biomedicine and Public Funds. Data within a General Data List can flow freely, subject to the relevant management requirements, after registration and filing with the Administrative Committee of the Lingang New Area.

The “China (Tianjin) Pilot Free Trade Zone Data Export Management List (Negative List) (Version 2024)” provides more specific and detailed regulations on the types of data that must be exported through security evaluation, personal data protection certification, or standard contract routes.

Published: January 2025
