Onecompliance aims to provide concise updates on key regulatory changes in data security, privacy protection, and emerging trends in fintech regulations across major jurisdictions.
Data Protection Officer (DPO) in International Enterprises
Frequently Asked Questions About DPO (Data Protection Officer)
ONECOMPLIANCE Facilitates German Company’s Achievement of Chinese Market Data Compliance
ONECOMPLIANCE has recently unveiled its partnership with a German-owned enterprise to successfully execute a comprehensive data compliance initiative in China. The completion of this project signifies a substantial resolution of compliance challenges within the Chinese market, fostering heightened awareness among employees and establishing a resilient framework for the company’s continual and stable operations, earning commendation from stakeholders.
The main components of China’s data security legal framework include laws such as the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. Addressing cross-border data flow, China has also introduced regulatory documents such as the Measures for Security Assessment of Cross-Border Data Transfer, Provisions on Standard Contracts for Cross-Border Transfer of Personal Information, and relevant guidelines. These collectively establish a regulatory mechanism for overseeing data outbound from China.
Navigating data compliance has perennially posed a significant legal hurdle for foreign-backed businesses operating in China. These challenges have been accentuated in the current intricate international socio-political and economic milieu.

Owing to the distinct landscape of China’s data regulations and oversight, many foreign entities encounter compliance complexities. These include:
- Inability to ascertain compliance with data regulations;
- Lack of understanding regarding the types of data being collected and processed, particularly the concept of “important data”;
- Uncertainty about regulatory agencies, requirements, methods, and standards for data governance;
- Absence of documentation, systems, and procedures for data management;
- Confusion regarding cross-border data processing;
- Uncertainty about how to efficiently and cost-effectively conduct compliance management, particularly for small and medium-sized enterprises.
Prior to engaging our services, the client lacked a foundation in data compliance, impeding their ability to accurately gauge potential risks. Their concerns extended to discerning data categories processed by the company, verifying the presence of critical data, formulating internal data protection frameworks, and ensuring the lawfulness and compliance of ongoing data processing activities.
Upon receiving the client’s commission, ONECOMPLIANCE’s compliance task force swiftly acclimated to the client’s requirements, leveraging internationally recognized data governance methodologies. Key tasks encompassed:
- Comprehensive due diligence to comprehend the company’s operations and requisites
- Systematic data categorization and inventory management, facilitating structured data lists
- Cultivating employee compliance awareness through training sessions and addressing pertinent queries
- Development and implementation of robust data compliance systems and protocols
- Preparation of detailed data compliance reports
- Provision of recommendations for corrective measures and continued guidance
This successful collaboration marks an instrumental stride for ONECOMPLIANCE in the realm of data compliance, solidifying our commitment to deliver comprehensive services and assurances to our esteemed Chinese clientele. This project signifies a commencement rather than a culmination. ONECOMPLIANCE remains dedicated to providing steadfast support. As a response to client demands, we assume the role of a Data Compliance Officer (DPO), offering ongoing compliance services and aiding clients in adapting to the intricate and ever-evolving regulatory landscape.
China’s Evolving Data Governance: Relaxing Controls and Promoting Data Mobility
The Draft of the “Regulations on Regulating and Promoting Cross-border Data Flows”, issued by the Cyberspace Administration of China (the “CAC”) on September 28, 2023, appears to aim to update the existing data export rules and facilitate data circulation in China.
Meeting Mauritius, the fintech hub of Africa

Last week, the Singapore Fintech Association (SFA), together with the Mauritius Economic Development Board, hosted a session to share insights and opportunities in Mauritius. OneCompliance, as the introducer of the Mauritius fintech regulation consultant, joined the session.
The exclusive session brought together high-level executives from the Economic Development Board of Mauritius, including the Deputy CEO, to delve into the promising landscape of fintech in Mauritius. The event aimed to provide insights into the vast opportunities available in the region and shed light on why East Africa is becoming increasingly attractive to fintech companies around the world.

**Session Recap**
1. **Exploring Investment Opportunities in Mauritius:** The session emphasized Mauritius as a gateway to Africa, comparable to Singapore in ASEAN, highlighting its emergence as a financial center. The Economic Development Board has played a pivotal role in this transformation.
2. **Digital Laws and Regulations:** Mauritius has enacted forward-thinking digital laws and regulations in the realms of digital banking, payment services, and virtual assets. These measures are aimed at positioning Mauritius as the Fintech Hub of the region.
3. **Virtual Asset Licenses:** Attendees gained valuable knowledge about the five classes of Virtual Asset licenses available, including exchange, broker-dealer, wallet services, and more.
4. **Case Study: Coins PH:** The session featured a compelling case study of Coins PH, a successful Asian company that has expanded and established its fintech presence in Mauritius, Thailand and the Philippines. Mr. Zhou, the CEO of Coins, shared his story of business growth in fast-growing markets, propelled by licensing and compliance.
The event offered attendees a comprehensive understanding of Mauritius as a burgeoning fintech hub in East Africa. It highlighted the robust regulatory framework and the wealth of opportunities available to Singapore-based fintech companies. With a dynamic and diverse market, Africa is nurturing a thriving ecosystem of fintech solutions that are reshaping banking, payments, and investments.
The participants were encouraged not to miss out on the tremendous potential that fintech in Mauritius offers. The session concluded on an optimistic note, with the promise of unlocking the vibrant continent’s potential and embracing the future of finance.
For more information and inquiries, please feel free to reach out at grace.chen@1compliance.group
**Think Africa, Choose Mauritius! 🌍🇲🇺**
Manage Cross Border Data Flow Risks Out of China: China Data Cybersecurity Assessment
When doing business in China in times of geopolitical tension and post-COVID, you are required to meet China’s increasing data compliance regulatory challenges while keeping your company and client data secure.
2023: China further raises the bar on data export from China
With the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information taking effect on 1 June 2023, China’s legislation on data export further raises the bar. Together with the 2017 Cybersecurity Law, the 2022 Cross-Border Data Transfer Guidelines, the 2021 Personal Information Protection Law and the 2021 Data Security Law, these Measures constitute the current Chinese data export legislation (the “China Data Export Laws”).
Unlike the GDPR, which applies an adequacy principle adopted between the EU and a country or region, the data export mechanism under the China Data Export Laws relies on the authority, namely the local Cyberspace Administration of China (the “CAC”), conducting a case-by-case cybersecurity assessment or standard contract filing. Whichever approval category your entity is subject to, China’s approach to data export means that the burden of obtaining the respective approval from the CAC is borne by each entity individually.

Under what scenarios will your entity be subject to CAC Cybersecurity Assessment Approval?
According to China Data Export Laws, a CAC security assessment is required for cross-border data transfers in ANY of the following circumstances:
- Cross-border transfers of “important data”
- Cross-border transfers of personal data by critical information infrastructure (CII) operators
- Cross-border transfers by a data exporter processing the personal data of 1 million or more individuals
- Any transfer (in aggregate) of the personal data of more than 100,000 individuals or the sensitive personal data of more than 10,000 individuals that has occurred since 1 January of the preceding year
- Other situations requiring security assessment in accordance with PRC laws and regulations
Under what scenarios will your entity be subject to CAC Standard Contract Filing Approval?
According to China Data Export Laws, if your entity needs to transfer personal information across the border and does not reach the cybersecurity assessment bar, it is required to obtain the standard contract filing approval.
For example:
- Non-CII operator
- Personal information processed annually covers no more than 1 million individuals
- From 1 January last year to date, personal information transferred out of China covers no more than 100,000 individuals
- From 1 January last year to date, sensitive personal information transferred out of China covers no more than 10,000 individuals
The data exporter shall not split up cross-border transfers in order to avoid obtaining the prior standard contract filing approval.
Notably, for this approval the entity is required to carry out a data privacy impact assessment first, as this assessment will be one of the important documents supporting your entity’s application.
Legal Consequences if NOT Complying with Data Export Laws
Before we move to the legal consequences relating to either the cybersecurity assessment approval or the standard contract filing approval, two points should be made clear.
- The approvals regulate not only foreign-invested companies in China but also local Chinese business owners that have overseas data flow requirements; and
- The CAC has the right to reject your application for approval until your entity meets the CAC requirements, case by case.
To date, we have seen no more than 10 approval cases for either approval category.
However, your entity will face severe legal consequences if it does not comply with the Data Export Laws of China.
For example:
- A ban on the use of your system/app
- A fine of no more than 5% of your entity’s annual revenue or no more than 50 million RMB
- A ban on your entity’s operation or deregistration of your entity from business registration
Actions Required Even If You Are NOT Required to Get Approvals
Even if your entity is not required to obtain the approvals from the CAC, you are still required to meet the basic requirements of the Data Export Laws of China when you need cross-border flows of financial or HR information to manage your business in China.
Some basics you need to know when planning to export data out of China:
- Data Inventory Check
  The purpose is to establish, from the current data inventory, whether there is “important data” in the business operation or whether the volume of cross-border data flow reaches the approval bar.
- Building up Internal Data Processing Guidelines
  The purpose of doing this is to draw the “red line” for your Chinese employees when handling financial or HR data flows. These are the specific procedures that your Chinese employees must follow when dealing with cross-border transfers of HR data or business data.
- Adding a China chapter to the privacy policy or cookie policy for your website or system
  Although there are some similarities between the Data Export Laws of China and the GDPR, there are significant differences between the two legislative systems.
  To avoid any conflict, we suggest that your website or app have a dedicated section governing data exported from mainland China.
- IT Risk Assessments for the WeChat platform or Your Chinese website
  If your entity uses the WeChat platform or a Chinese website to promote its business, we suggest you carry out regular IT risk assessments to keep your client data and your company data secure.
- Considering Outsourcing Data Protection Officer Services
  Hiring a local data expert to deal with daily China data utilization issues will save time and cost, given that China is strengthening data export control.
- Considering a Data Localization and Chinese System/Platform Segregation Strategy
  We understand that deploying a separate system, server or Chinese version of your platform will be a burden and costly to your entity.
  However, in the long run, if your entity has a vision of treating its Chinese subsidiary as an isolated external entity system-wise, this may ultimately benefit the data you collect within the territory of mainland China.
  We can assist clients in deploying a data localization and system segregation strategy to prepare for and balance the challenges of cross-border data transfer.
Our Team
Our team delivers only the best professional services in data security and privacy protection.
- We are experts in regulatory understanding and built-in regulatory requirements for your products and services.
- We are familiar with major technical security tools and apply the technology tools to multiple data compliance frameworks.
- We are cross-border experts that have both legal and technical backgrounds and understand technical terminology and product design logic.
- We have multinational knowledge and certifications that cover ASEAN, Europe, India, and North America. We are qualified and certified compliance professionals with CEPE L CIPP/E, CIPP/A, HITRUST CCSFP, CDPSE and CISO.
- Our team has an ongoing interest and passion for dedicating our time and resources to researching and following up on the newest developments in data security and privacy protection regulatory changes. In addition, all our professionals have cross-disciplinary knowledge and practice backgrounds.
If you have further inquiries, please contact grace.chen@1compliance.group
Licensed vs Permissionless: Web3 Platform Businesses in Africa
On 30 Jun 2023, Onecompliance was pleased to invite Mr. Jean Claude Tsang and Mr. Rajiv to join as our panellists and discuss the regulatory landscape in Mauritius, Africa, for virtual asset investors and business owners.
PET + Sandbox may be a possible solution to your cross-border data transfer pain points
On 9 June 2023, Onecompliance was honoured to invite data professionals and host a webinar on Rethinking Cross Border Transfer Compliance.
Meta Data Transfer Case Exposes Divergences and Challenges in Cross-Border Data Mechanisms
In a recent decision by the Irish Data Protection Commission, the Meta data transfer case has garnered significant attention and sparked profound reflection.