GDPR Data Subject Rights – What Rights Do Your European Users Have?
Introduction
As economic globalization deepens, an increasing number of Chinese enterprises are venturing into the EU market. However, while enjoying market opportunities, these enterprises also face increasingly stringent legal and regulatory challenges, particularly the General Data Protection Regulation (GDPR). GDPR is not only the cornerstone of EU data protection legislation but also a benchmark for global data privacy protection. For Chinese enterprises expanding into the EU, a deep understanding and strict adherence to GDPR are crucial, particularly when it comes to its core principle – data subject rights. These rights grant European users unprecedented control over their personal data. Failure to properly address these rights can lead to user complaints and reputational damage, or even substantial fines and legal action. This article aims to provide a clear and concise explanation of the various data subject rights under GDPR, combined with real-world case studies, to offer practical compliance advice for Chinese enterprises operating in the EU.
Overview of GDPR Data Subject Rights
At the heart of GDPR is the philosophy of empowering individuals to better control their personal data. It explicitly defines eight fundamental rights for data subjects (i.e., individuals), along with the right to withdraw consent. Together, these rights form a comprehensive data protection framework, requiring data controllers (i.e., businesses) to fully respect and ensure the exercise of these rights when collecting, processing, and storing personal data. Understanding these rights is the first step for businesses to build compliant data processing procedures.
Detailed Interpretation and Case Studies of Each Right
1. Right to be Informed
Definition: Data subjects have the right to receive clear, intelligible, and comprehensive information when their personal data is collected or used, including the identity of the data controller, the purposes of data processing, data retention periods, data recipients, and the data subject's various rights [1].
Business Obligation: Businesses must disclose their data processing activities comprehensively to users in clear and plain language through privacy policies, terms of service, or immediate notifications. The information must be transparent, easily accessible, and free from vague or misleading content.
Case Study: A Chinese e-commerce platform operating in the EU had a lengthy and complex privacy policy that did not clearly inform users that their personal shopping preference data would be used for targeted advertising, nor did it state that data might be shared with third-party advertisers. As a result, some European users, finding themselves constantly receiving ads highly relevant to recently viewed products, filed complaints with local data protection authorities. The investigation revealed that the platform failed to adequately fulfill its obligation under the Right to be Informed, ultimately resulting in a fine and an order for rectification [2].
2. Right of Access
Definition: Data subjects have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and information regarding the purposes of the processing, the categories of personal data concerned, the recipients, the data retention period, and other relevant information [3].
Business Obligation: Businesses should establish efficient mechanisms for handling data access requests, ensuring that requested data copies are provided free of charge within a reasonable timeframe (usually one month). This requires businesses to possess robust data management and retrieval capabilities.
Case Study: A Chinese company providing online education services in Europe received a request from a user to access all their learning records, test scores, and personal account information. However, due to a lack of a unified data management system, the company failed to provide the complete user data within one month, leading the user to report it to the regulatory authority. The regulatory authority deemed that the company failed to effectively guarantee the user's Right of Access, issued a warning, and demanded improvement within a specified period [4].
3. Right to Rectification
Definition: Data subjects have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them, and have the right to have incomplete personal data completed [5].
Business Obligation: Businesses should provide convenient and easy-to-use channels, allowing users to update or modify their personal information themselves, or promptly make corrections upon user request. This includes ensuring data is synchronized across all relevant systems.
Case Study: A user of a Chinese social application discovered an error in their registered date of birth. However, when attempting to modify it, they found no direct modification option within the app, and the process after contacting customer service was lengthy. The user believed their Right to Rectification was violated and filed a complaint with the regulatory authority. The application was ultimately required to optimize its user data modification process and enhance customer service response efficiency [6].
4. Right to Erasure (Right to be Forgotten)
Definition: In certain circumstances, such as when personal data is no longer necessary for the purposes for which it was collected or otherwise processed, when the data subject withdraws consent, or when data has been unlawfully processed, data subjects have the right to request the data controller to erase their personal data [7].
Business Obligation: Businesses must assess the legality of erasure requests and, under conditions compliant with GDPR, promptly and thoroughly delete the relevant data. This may involve complex system operations and adjustments to data retention policies.
Case Study: A Chinese gaming company operating in the EU received a request from a user to delete their game account and all associated data after they stopped using the service. However, the company refused the user's request, citing technical difficulties and internal data retention policies. The user subsequently complained to the data protection authority, which ruled that the gaming company failed to fulfill its obligation under the Right to Erasure, ordered it to delete the user's data within a specified timeframe, and imposed a fine [8].
5. Right to Restriction of Processing
Definition: In certain circumstances, such as when the accuracy of the personal data is contested, the processing is unlawful but the data subject opposes erasure, or the data subject needs the data for the establishment, exercise or defense of legal claims, data subjects have the right to obtain from the data controller restriction of processing [9].
Business Obligation: Upon receiving a request for restriction of processing, businesses should suspend or limit processing activities on the relevant data, allowing only storage, unless the data subject consents to further processing or the processing is required for legal reasons. This requires businesses to have the capability for granular management of data processing workflows.
Case Study: Following a minor data breach incident at a Chinese SaaS service provider, some European users, concerned about their data security, requested that the service provider restrict further processing of their personal data. However, the service provider failed to respond promptly and continued with routine processing of user data. After intervention by the regulatory authority, it was determined that the service provider had failed to respect the users' Right to Restriction of Processing, and it was ordered to immediately cease the relevant processing activities [10].
6. Right to Data Portability
Definition: Data subjects have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided [11].
Business Obligation: Businesses should provide convenient data export functionalities, ensuring users can easily obtain their data and supporting direct transmission of data to third-party service providers. This is crucial for fostering market competition and user freedom of choice.
Case Study: A Chinese cloud storage service had a large user base in Europe. A user wished to migrate all their files and personal information stored on the platform to another European cloud service provider. However, the export tool provided by the Chinese service provider had limited functionality, could not export all data at once, and the data format was incompatible. The user therefore complained to the regulatory authority, and the service provider was ultimately required to improve its data export functionality to comply with the Right to Data Portability [12].
7. Right to Object
Definition: Data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them for specific purposes (such as direct marketing, processing based on legitimate interests, or tasks carried out in the public interest) [13].
Business Obligation: When a data subject exercises their Right to Object, the business must cease the relevant data processing, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. For direct marketing, the Right to Object is absolute.
Case Study: A Chinese news aggregation application operating in the EU pushed personalized advertisements to users. One user explicitly objected to receiving such ads, but the ad pushes did not stop. After multiple unsuccessful attempts to raise the issue with the application, the user complained to the data protection authority. The authority ruled that the application failed to respect the user's Right to Object, ordered it to immediately stop pushing targeted ads to that user, and imposed a penalty [14].
8. Rights in relation to Automated Decision-Making and Profiling
Definition: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them [15].
Business Obligation: When using automated decision-making systems, businesses must ensure mechanisms for human intervention, expressing one's point of view, and contesting the decision. This means that decisions with significant impact on users cannot rely solely on algorithms.
Case Study: A Chinese FinTech company operating in the EU used an AI system for automated credit scoring of users, and based on the scores, decided whether to approve loan applications. A user whose loan application was rejected due to a low credit score could not understand the specific logic of the scoring or appeal to human customer service. The user believed their Right not to be subject to automated decision-making was violated and complained to the regulatory authority. The regulatory authority required the company to provide transparent explanations of its decisions and establish a human review mechanism [16].
Compliance Strategies for Chinese Enterprises in the EU
Facing the strict requirements of GDPR regarding data subject rights, Chinese enterprises expanding into the EU should adopt proactive and effective compliance strategies:
- Establish Comprehensive Privacy Policies and Data Processing Procedures: Ensure privacy policies are clear, transparent, and easy to understand, detailing all aspects of data processing. Simultaneously, establish internal data processing procedures, clarifying the responsibilities of each department in data protection.
- Appoint a Data Protection Officer (DPO) or EU Representative: As required by GDPR, designate a DPO or EU representative responsible for overseeing the enterprise's data protection compliance and serving as a contact point for data subjects and regulatory authorities.
- Conduct Employee Training to Enhance Compliance Awareness: Regularly provide GDPR compliance training to employees, especially those involved in personal data processing, to ensure they understand and adhere to relevant regulations.
- Prepare for Data Breach Incident Response: Develop a detailed data breach incident response plan, outlining how to promptly detect, assess, notify, and remediate data breaches to minimize losses and compliance risks.
- Technical Safeguards and Security Measures: Invest necessary technical resources and adopt technical measures such as encryption, anonymization, and pseudonymization to ensure the security and privacy of personal data.
- Regular Compliance Audits: Conduct regular internal or external audits of data processing activities to assess compliance status and promptly identify and correct potential issues.
Conclusion
Data subject rights under GDPR are at the core of the EU's data protection framework and represent legal obligations that Chinese enterprises expanding into the EU must acknowledge and respect. By deeply understanding and actively implementing these rights, businesses can not only avoid potential legal risks and financial losses but also build the trust of European users, establish a responsible corporate image, and thus achieve stable development in the competitive EU market. Compliance is not a burden but a cornerstone for sustainable business growth.
Disclaimer
This article is for discussion purposes only and does not represent any form of legal opinion or advice issued by 廣悅律師事務所 (Guangyue Law Firm) or its lawyers. If you wish to reprint or cite any content of this article, please contact the firm regarding authorization and indicate the source when reprinting or citing. If you would like to discuss related matters further or require professional legal support, you are welcome to contact the firm.
Contact: Ms. Ye Wen (葉文)
We look forward to further exchanges with you!
About 廣悅律師事務所 (Guangyue Law Firm)
Founded in 2008, 廣悅律師事務所 is a full-service law firm with a foreign-related practice, based in the Greater Bay Area and operating under integrated management. To date, the firm has built a professional team of over a hundred lawyers and other legal service personnel and a diversified practice system, enabling it to provide clients with high-quality, comprehensive, one-stop legal services. Following its development strategy of "rooted in the Bay Area, coordinating with Hong Kong and Macau, facing the world", the firm now has eight offices in Guangzhou, Hong Kong, Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), with clients across many countries and regions in China and abroad.
Contributed by | 廣悅 Milan Office
Editor | 餘皚琳 (Yu Ailin)
Reviewed by | 黃曉俊 (Huang Xiaojun)
Approved by | Brand Promotion and Market Development Committee