What is GDPR? Why Must Chinese Enterprises Take It Seriously?
Introduction
Since the European Union's General Data Protection Regulation (GDPR) took effect in May 2018, it has had a profound impact on enterprises worldwide, especially Chinese enterprises "going abroad" into the EU market. This article explains the core tenets of GDPR and, through real-world cases, clarifies why Chinese enterprises must attach great importance to GDPR and actively address its compliance challenges.
Core Tenets of GDPR
GDPR aims to strengthen the protection of EU citizens' personal data. It sets strict standards for the collection, processing, storage and transfer of personal data and grants data subjects greater control over their personal data. Its core philosophy is "Privacy by Design" and "Privacy by Default."
Core Principles and Data Subject Rights
GDPR stipulates seven core principles for data processing [1]: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Data subjects enjoy a series of important rights, including the right to be informed, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, the right to data portability, the right to object and the right to object to automated decision-making [1].
Data Controllers and Data Processors
GDPR distinguishes between data controllers (who determine the purposes and means of processing) and data processors (who process data on behalf of a data controller). Both bear compliance responsibilities, including maintaining records, implementing security measures, notifying data breaches and, in some cases, appointing a Data Protection Officer (DPO) [1].
Why Must Chinese Enterprises Take GDPR Seriously?
GDPR's distinctive feature is its extraterritorial applicability: even if an enterprise is not located within the EU, it may be subject to GDPR as long as its business activities involve the personal data of EU residents [2].
Extraterritoriality Clause
According to Article 3(2) of the GDPR, a non-EU enterprise must comply with GDPR if it meets either of the following conditions [2]:
- Offering goods or services to data subjects in the EU: for example, a Chinese e-commerce platform selling goods to EU consumers, or a Chinese online game company providing services to EU players.
- Monitoring the behaviour of data subjects in the EU: for example, a Chinese internet company tracking cookies, IP addresses, user behaviour data and the like to profile users in the EU, serve them targeted advertising or conduct market research on them.
This means that many Chinese internet companies, e-commerce platforms, software service providers, SaaS enterprises and others that target global markets and have EU users may fall within the scope of GDPR.
Severe Penalties for Non-Compliance
GDPR sets extremely severe fines for violations, intended to deter enterprises. Fines fall into two tiers [1]:
- Tier 1: up to €10 million or 2% of the enterprise's global annual turnover, whichever is higher.
- Tier 2: up to €20 million or 4% of the enterprise's global annual turnover, whichever is higher.
Beyond hefty fines, non-compliant enterprises may also face claims for damages from data subjects, reputational damage, business disruption and other serious consequences.
Analysis of Real-World Cases
In recent years, several GDPR compliance cases involving Chinese enterprises have sounded the alarm.
Case 1: Noyb's Complaints Against Chinese Tech Giants
In January 2025, the Austrian privacy advocacy organisation Noyb filed GDPR complaints against six Chinese tech companies, including TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi. Noyb accused these companies of unlawfully transferring EU users' personal data to China without user consent and of exploiting legal loopholes to circumvent GDPR's strict requirements [3].
Case 2: TikTok Fined over Privacy Statement Issues
In 2021, the Dutch Data Protection Authority fined TikTok €750,000 because TikTok's privacy statement was available only in English and was not provided to Dutch users in Dutch, violating GDPR's transparency principle [4].
Case 3: Meta Heavily Fined for Data Transfers (Reference Case)
In 2023, Meta (Facebook's parent company) was fined €1.2 billion by the Irish Data Protection Commission for unlawfully transferring EU user data to the United States and was ordered to stop such transfers [5]. This case warns Chinese enterprises that, when handling EU user data, they must ensure the legality and security of their data transfer mechanisms.
How Should Chinese Enterprises Respond?
Facing GDPR's strict requirements and potential risks, Chinese enterprises should adopt a proactive strategy and build a sound data compliance system:
- Comprehensive assessment and risk identification: map every stage of operations that involves the personal data of EU residents and identify potential compliance risks.
- Establish a compliance management system: appoint a Data Protection Officer (DPO) and set up internal data protection policies and procedures.
- Strengthen data security measures: adopt technical measures such as encryption and anonymisation, together with organisational measures such as strict access control.
- Make data processing transparent: inform users about data processing in clear, concise language and ensure the privacy policy is available in multiple languages.
- Legitimise cross-border data transfers: ensure that lawful transfer mechanisms, such as Standard Contractual Clauses (SCCs), are used.
- Respond to data subject requests: set up efficient mechanisms to respond promptly to requests from data subjects exercising their rights.
- Regular audits and training: audit data processing activities regularly and train employees on GDPR.
Conclusion
GDPR is not only a legal challenge but also an opportunity for Chinese enterprises to raise their data governance standards and win the trust of the EU market. Ignoring GDPR may lead to hefty fines, reputational damage and even restricted market access. Chinese enterprises expanding into the EU must therefore treat GDPR compliance as a strategic task, invest the necessary resources and build a sound compliance system, so that they can advance steadily amid fierce international competition and achieve sustainable development.
What is GDPR? Why Must Chinese Enterprises Take It Seriously?
Introduction
With the vigorous development of the global digital economy, data has become a core asset for business operations. The European Union’s General Data Protection Regulation (GDPR), effective since May 25, 2018, has profoundly impacted enterprises worldwide, especially Chinese enterprises expanding into the EU market, due to its strict regulations and broad extraterritorial applicability. This article aims to explain the core tenets of GDPR in an accessible manner and, through real-world case studies, clarify why Chinese enterprises must attach great importance to and actively address GDPR compliance challenges.
What is GDPR?
GDPR is a legal framework designed to strengthen the protection of personal data for EU citizens. It sets strict standards for the collection, processing, storage, and transfer of personal data, granting data subjects greater control over their personal data. Its core philosophy is “Privacy by Design” and “Privacy by Default.”
Core Principles
GDPR stipulates seven core principles for data processing [1]:
- Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and transparent.
- Purpose Limitation: Data should be collected and processed only for specified, explicit, and legitimate purposes.
- Data Minimization: The data collected should be limited to what is necessary for the purposes for which they are processed.
- Accuracy: Personal data must be accurate and kept up to date.
- Storage Limitation: Data should not be stored for longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality (Security): Ensure the security of personal data, including protection against unauthorized access, disclosure, or destruction.
- Accountability: The data controller is responsible for demonstrating compliance with the above principles.
Personal Data and Data Subject Rights
GDPR defines “personal data” broadly, including any information directly or indirectly identifying a natural person, such as names, IP addresses, and cookie identifiers [1]. Data subjects enjoy a series of important rights, including the right to be informed, right of access, right to rectification, right to erasure (right to be forgotten), right to restriction of processing, right to data portability, right to object, and right to object to automated decision-making [1].
Data Controllers and Data Processors
GDPR distinguishes between data controllers (entities that determine the purposes and means of processing personal data) and data processors (entities that process data on behalf of the data controller). Both bear compliance responsibilities, including maintaining records, implementing security measures, data breach notification, and in some cases, appointing a Data Protection Officer (DPO) [1].
Why Must Chinese Enterprises Take GDPR Seriously?
GDPR’s uniqueness lies in its extra-territorial applicability, meaning that even if an enterprise is not located within the EU, it may still be subject to GDPR if its business activities involve the personal data of EU residents [2].
Extra-territoriality Clause
According to Article 3(2) of the GDPR, a non-EU enterprise must comply with GDPR if it meets either of the following conditions [2]:
- Offering goods or services to data subjects in the EU: For example, by supporting EU languages on its website or offering Euro payment options.
- Monitoring the behavior of data subjects within the EU: For example, by tracking cookies or IP addresses for user profiling or targeted advertising.
This implies that many Chinese internet companies, e-commerce platforms, software service providers, and others targeting global markets with EU users may fall within the scope of GDPR.
Severe Penalties for Non-Compliance
GDPR imposes extremely severe fines for violations, aiming to deter enterprises. Fines are categorized into two tiers [1]:
- Tier 1: Up to €10 million or 2% of the enterprise’s global annual turnover, whichever is higher.
- Tier 2: Up to €20 million or 4% of the enterprise’s global annual turnover, whichever is higher.
In addition to hefty fines, non-compliant enterprises may also face claims for damages from data subjects, reputational damage, business disruption, and other serious consequences.
Analysis of Real-World Cases
In recent years, several GDPR compliance cases involving Chinese enterprises have served as a wake-up call.
Case 1: Noyb’s Complaints Against Chinese Tech Giants
In January 2025, the Austrian privacy advocacy organization Noyb filed GDPR complaints against six Chinese tech companies, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. Noyb accused these companies of unlawfully transferring personal data of EU users to China without their consent and exploiting legal loopholes to circumvent strict GDPR requirements [3]. This series of complaints highlights the complexity and compliance challenges of cross-border data transfers.
Case 2: TikTok Fined for Privacy Statement Issues
In 2021, the Dutch Data Protection Authority fined TikTok €750,000. The reason was that TikTok’s privacy statement was only available in English and not in Dutch for Dutch users, violating the GDPR’s transparency principle [4]. This case reminds Chinese enterprises that even seemingly minor details can lead to GDPR violations.
Case 3: Meta Heavily Fined for Data Transfer (Reference Case)
Although not a Chinese enterprise, Meta (Facebook’s parent company) was fined a staggering €1.2 billion by the Irish Data Protection Commission in 2023 for unlawfully transferring EU user data to the United States and was ordered to cease such data transfers [5]. This case fully demonstrates the GDPR enforcement agencies’ zero-tolerance attitude towards cross-border data transfer violations and their powerful punitive measures. For Chinese enterprises, this is a strong signal that when handling EU user data, the legality and security of data transfer mechanisms must be ensured.
How Should Chinese Enterprises Respond?
Facing the strict requirements and potential risks of GDPR, Chinese enterprises should adopt proactive strategies to build a sound data compliance system:
- Comprehensive Assessment and Risk Identification: Review all aspects of existing business operations involving personal data of EU residents to identify potential compliance risks.
- Establish a Compliance Management System: Appoint a Data Protection Officer (DPO) and establish internal data protection policies and procedures.
- Strengthen Data Security Measures: Implement technical measures such as encryption, anonymization, and strict access controls.
- Transparent Data Processing: Inform users in clear, concise language about data processing information, ensuring multi-language privacy policies.
- Legitimize Cross-Border Data Transfers: Ensure the use of legitimate transfer mechanisms, such as Standard Contractual Clauses (SCCs).
- Respond to Data Subject Requests: Establish efficient mechanisms to promptly respond to data subjects’ requests to exercise their rights.
- Regular Audits and Training: Regularly audit data processing activities and provide GDPR-related training to employees.
Conclusion
GDPR is not only a legal challenge but also an opportunity for Chinese enterprises to enhance their data governance capabilities and gain trust in the EU market. Ignoring GDPR can lead to hefty fines, reputational damage, and even restricted market access. Therefore, Chinese enterprises expanding into the EU must treat GDPR compliance as a strategic task, invest necessary resources, and establish a sound compliance system to achieve steady and sustainable development in fierce international competition.
Disclaimer
This article is intended solely for the purpose of exchange and discussion and does not constitute any form of legal opinion or advice issued by 廣悅律師事務所 (Guangyue Law Firm) or its lawyers. If you wish to reproduce or quote any part of this article, please contact the firm to arrange authorisation and cite the source when doing so. If you would like to discuss related matters further or need professional legal support, you are welcome to contact the firm.

Contact: Ms. Ye Wen (葉文)
We look forward to further exchanges with you!
About 廣悅律師事務所 (Guangyue Law Firm)
廣悅律師事務所 was founded in 2008 and is a comprehensive, internationally oriented law firm rooted in the Greater Bay Area and committed to integrated management. It has since built a professional team of over a hundred lawyers and other legal service staff and a diversified practice system, enabling it to provide clients with high-quality, comprehensive, one-stop legal services. Following its development strategy of "rooted in the Bay Area, collaborating with Hong Kong and Macau, facing the world", the firm now has eight offices, in Guangzhou, Hong Kong (China), Shenzhen, Bangkok (Thailand), Los Angeles (United States), Sydney (Australia), Tokyo (Japan) and Milan (Italy), and serves clients in many countries and regions at home and abroad.
Contributed by: 廣悅 Milan Office
Editor: 餘皚琳
Reviewed by: 黎麗娜
Approved by: Brand Promotion and Market Development Committee