Take-Away Messages and Trade Secrets Checklist

• Pages: 9-9

6. Case Study

Case Study

SME X is a German-based company specialised in dairy products. It is established in China via a WFOE which employs 5

people. The employees’ personal data are shared with the HR department in Berlin. Customer data are also transferred

to Europe for users proling and R&D. Moreover, SME X is involved in an R&D program in China to develop a scientic

study on Chinese consumers’ new health habits. In accordance with the R&D contract signed with its Chinese partner,

the study will require the collection of health data from a panel of Chinese consumers. The contract also provides that

SME X will be the co-owner of the study, including all the data. SME X is planning to use the study for developing new

products in its R&D department in Germany.

This case raises the question of compliance with the CSL provisions relating to the protection of personal data, in this

case personal data of employees and customers, as well as the protection of important data, in this case health-related

data of Chinese consumers.

To assess compliance, it is rst necessary to ask what current data practices are applied in SME X and its Chinese partner

when collecting personal data: did the SME obtain consent for the collection and use of the data? Did it make publicly

available a data privacy notice? Did it adopt proper measures to keep the data condential?

With regards to cross-border transfers of personal data, SME X should check whether it can be qualied as a CII

Operator. As the SME is not active in key industry sectors, it might only be qualied as a Network Operator. As a result,

SME X can transfer the personal data but must address the risks arising from such transfers.

Mitigation measures should include updating employment contracts so that employees agree to the cross-border

transfer of their data, revising consent and privacy notices for customer data, draing a data sharing agreement

between both sending and receiving entities, as well as conducting regular security assessments. SME X might also set

an incident response plan in case of data breach as well as train its employees regarding cybersecurity breaches. Those

measures should allow SME X to comply with the CSL requirements concerning personal data.

Regarding the cross-border transfer of the developed study, including health data, in accordance with the CSL, such data

is considered as “important data” and as a result must be stored within the territory of China. SME X, even as the co-

owner of the study, wont’ be able to transfer it to its headquarters in Germany except if it can prove that cross-border

transfer of such information is truly necessary for business reasons and only aer a security assessment is carried out.

9