Take-Away Messages and Trade Secrets Checklist

6. Case Study
Case Study
SME X is a German-based company specialised in dairy products. It is established in China via a WFOE which employs 5
people. The employees’ personal data are shared with the HR department in Berlin. Customer data are also transferred
to Europe for users proling and R&D. Moreover, SME X is involved in an R&D program in China to develop a scientic
study on Chinese consumers’ new health habits. In accordance with the R&D contract signed with its Chinese partner,
the study will require the collection of health data from a panel of Chinese consumers. The contract also provides that
SME X will be the co-owner of the study, including all the data. SME X is planning to use the study for developing new
products in its R&D department in Germany.
This case raises the question of compliance with the CSL provisions relating to the protection of personal data, in this
case personal data of employees and customers, as well as the protection of important data, in this case health-related
data of Chinese consumers.
To assess compliance, it is rst necessary to ask what current data practices are applied in SME X and its Chinese partner
when collecting personal data: did the SME obtain consent for the collection and use of the data? Did it make publicly
available a data privacy notice? Did it adopt proper measures to keep the data condential?
With regards to cross-border transfers of personal data, SME X should check whether it can be qualied as a CII
Operator. As the SME is not active in key industry sectors, it might only be qualied as a Network Operator. As a result,
SME X can transfer the personal data but must address the risks arising from such transfers.
Mitigation measures should include updating employment contracts so that employees agree to the cross-border
transfer of their data, revising consent and privacy notices for customer data, draing a data sharing agreement
between both sending and receiving entities, as well as conducting regular security assessments. SME X might also set
an incident response plan in case of data breach as well as train its employees regarding cybersecurity breaches. Those
measures should allow SME X to comply with the CSL requirements concerning personal data.
Regarding the cross-border transfer of the developed study, including health data, in accordance with the CSL, such data
is considered as “important data” and as a result must be stored within the territory of China. SME X, even as the co-
owner of the study, wont’ be able to transfer it to its headquarters in Germany except if it can prove that cross-border
transfer of such information is truly necessary for business reasons and only aer a security assessment is carried out.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT