GDPR Compliance Roadmap: An Action Checklist for Chinese Enterprises Expanding into the EU
Introduction
As global economic integration deepens, an increasing number of Chinese enterprises are setting their sights on the vast European Union market. However, while embracing market opportunities, these companies also face challenges posed by the EU’s stringent data protection regulation – the General Data Protection Regulation (GDPR). Since its effective date on May 25, 2018, GDPR, with its broad territorial scope and severe penalty mechanisms, has profoundly impacted enterprises worldwide that process personal data of EU citizens. For Chinese enterprises expanding into the EU, understanding and complying with GDPR is not merely a legal obligation but also crucial for maintaining corporate reputation, winning consumer trust, and achieving sustainable development. The cost of non-compliance is substantial, with fines reaching up to 4% of annual global turnover or €20 million (whichever is higher), which is enough to deter any enterprise. Therefore, developing a clear GDPR compliance roadmap has become an urgent priority for Chinese enterprises to successfully enter the EU market.
I. Self-Assessment of GDPR Applicability: Are You Within the Scope of Compliance?
One of GDPR’s most prominent features is its extraterritorial applicability. Even if a Chinese enterprise does not have a physical establishment in the EU, it may still be subject to GDPR if it meets any of the following conditions:
- Processing personal data of EU citizens: Regardless of where data processing occurs, if it involves the personal data of data subjects within the EU, GDPR may apply.
- Offering goods or services to EU citizens: If an enterprise explicitly or implicitly offers goods or services (whether paid or free) to individuals within the EU, it must comply with GDPR.
- Monitoring the behavior of EU citizens: If an enterprise monitors the behavior of individuals within the EU, for example, by tracking user behavior through website cookies, GDPR also applies.
- Having an establishment within the EU: Any form of establishment in the EU is directly subject to GDPR for its data processing activities.
Case Study: Many Chinese e-commerce platforms and social media applications, such as TikTok, SHEIN, and Temu, although headquartered in China, have users across the EU and provide services to them. These enterprises undoubtedly fall within the scope of GDPR. Therefore, Chinese enterprises must first conduct a thorough self-assessment to determine whether their business activities cross the red line of GDPR applicability.
II. Fundamental Principles of Data Processing: The Cornerstone of Compliance
GDPR establishes seven core data processing principles, which serve as guiding principles for all enterprise data processing activities:
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization: Personal data processed should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the principles.
III. Lawful Bases for Data Processing: Key to Risk Mitigation
When processing the personal data of EU citizens, enterprises must ensure that their data processing activities have a lawful basis as stipulated by GDPR. Common lawful bases include:
- Consent of the data subject: This is one of the most common lawful bases, but consent must be freely given, specific, informed, and unambiguous. For example, a user checking a box to agree to a privacy policy during registration.
- Performance of a contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. For example, an e-commerce platform processing user order information to complete product delivery.
- Compliance with a legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject under EU or Member State law. For example, tax compliance requirements.
- Protection of vital interests: Processing is necessary to protect the vital interests of the data subject or of another natural person, for example in an emergency where life is at risk.
- Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. For example, fraud prevention, cybersecurity, etc.
Enterprises should carefully evaluate the lawful basis for each data processing activity and document it for review by regulatory authorities.
IV. Safeguarding Data Subject Rights: Respecting Individual Data Control
GDPR grants data subjects extensive rights, and enterprises must establish corresponding mechanisms to respond to these rights requests:
- Right to be informed: Data subjects have the right to know how their personal data is being processed.
- Right of access: Data subjects have the right to obtain a copy of their personal data.
- Right to rectification: Data subjects have the right to request the correction of inaccurate personal data.
- Right to erasure (right to be forgotten): Under certain conditions, data subjects have the right to request the deletion of their personal data.
- Right to restriction of processing: Under certain conditions, data subjects have the right to request the restriction of processing of their personal data.
- Right to data portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller.
- Right to object: Data subjects have the right to object to processing based on legitimate interests or public interest, and to processing for direct marketing purposes.
- Right not to be subject to automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
V. Key Compliance Measures: Building a Solid Defense
In addition to the principles and rights mentioned above, Chinese enterprises also need to implement a series of key compliance measures:
- Data Protection Officer (DPO) and EU Representative: If an enterprise’s data processing activities involve large-scale, systematic monitoring of data subjects, or processing special categories of personal data, it may need to appoint a DPO. For enterprises without a physical establishment in the EU but subject to GDPR, an EU representative is usually required to act as a contact point for data subjects and supervisory authorities.
- Data Protection Impact Assessment (DPIA): When data processing activities are likely to result in a high risk to the rights and freedoms of data subjects, enterprises must conduct a DPIA. For example, using new technologies for large-scale profiling or video surveillance in public places.
- Privacy by Design: GDPR emphasizes integrating privacy protection throughout the entire lifecycle of products and services, considering data protection from the initial design stage rather than as an afterthought.
- Data Breach Notification: In the event of a personal data breach, enterprises must notify the relevant supervisory authority within 72 hours, and notify affected data subjects in high-risk situations.
Case Study: In January 2025, the European privacy advocacy organization noyb filed GDPR complaints against Chinese tech giants such as TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, accusing them of illegally transferring European user data to China. These complaints highlight the importance of cross-border data transfer compliance and the shortcomings of enterprises in terms of privacy policy transparency and responsiveness to data subject rights. In May 2025, TikTok was fined €530 million by the Irish Data Protection Commission for failing to demonstrate proper handling of EU users’ personal data, once again sounding the alarm and reminding Chinese enterprises that GDPR compliance is not to be taken lightly.
VI. Cross-Border Data Transfer: A Bridge to Secure Compliance
Transferring personal data of EU citizens to countries outside the EU (including China) is a key and challenging aspect of GDPR compliance. Enterprises must ensure that data transfers comply with GDPR provisions, typically relying on the following mechanisms:
- Adequacy Decision: The European Commission recognizes that certain countries or regions provide an adequate level of data protection comparable to that in the EU, allowing data to be freely transferred. Currently, China has not been granted an adequacy decision.
- Standard Contractual Clauses (SCCs): This is the most commonly used mechanism for cross-border data transfers. By signing contractual clauses approved by the European Commission between the data exporter and importer, it ensures that data receives the same level of GDPR protection after transfer.
- Binding Corporate Rules (BCRs): Applicable to cross-border data transfers within multinational corporate groups, requiring approval from supervisory authorities.
- Codes of Conduct and Certification Mechanisms: Codes of conduct or certification mechanisms approved by the European Commission can also serve as a basis for data transfers.
Chinese enterprises must select an appropriate transfer mechanism when conducting cross-border data transfers and ensure it remains effective, for example by regularly reviewing the applicability of SCCs and taking supplementary measures as needed.
VII. Compliance Action Checklist: Implementation
To effectively address GDPR challenges, Chinese enterprises should develop and implement a comprehensive compliance action checklist:
- Establish an internal GDPR compliance team: Clearly define responsibilities and form a cross-departmental team to ensure that compliance work has clear ownership and is actively driven forward.
- Conduct data asset inventory and risk assessment: Identify all types of personal data processed, data sources, processing purposes, storage locations, transfer paths, etc., and assess potential compliance risks.
- Develop and improve data processing policies and procedures: Establish clear privacy policies, data retention policies, data breach response plans, data subject rights response processes, etc.
- Strengthen employee training: Regularly provide employees with GDPR knowledge and compliance operation training to enhance data protection awareness across the board.
- Regularly conduct compliance audits and evaluations: Continuously monitor compliance status, identify and correct issues in a timely manner, and ensure the effective operation of the compliance system.
Conclusion
GDPR compliance is a long-term and complex systemic project for Chinese enterprises expanding into the EU. It is not merely about adhering to legal provisions but also reflects corporate culture and values. By establishing a sound compliance system, Chinese enterprises can not only avoid hefty fines and reputational risks but also build a responsible and trustworthy brand image in the global market, laying a solid foundation for their international development. Actively embracing GDPR and viewing it as an opportunity to enhance corporate competitiveness, Chinese enterprises are bound to achieve steady and long-term success in the EU market.
Disclaimer
This article is intended solely for discussion and exchange and does not constitute a legal opinion or advice of any form issued by 廣悅律師事務所 or its lawyers. To reproduce or quote any content of this article, please contact the firm regarding authorization and credit the source when reproducing or quoting. If you wish to discuss related matters further or require professional legal support, you are welcome to contact the firm.
Contact: Ms. 葉文
We look forward to further exchanges with you!
About 廣悅律師事務所
廣悅律師事務所 was founded in 2008 and is a comprehensive, foreign-related law firm rooted in the Greater Bay Area and committed to integrated management. To date, 廣悅 has built a professional team of over one hundred lawyers and other legal service staff and a diversified practice system, enabling it to provide clients with high-quality, full-service, one-stop legal services. Following its development strategy of "rooted in the Bay Area, collaborating with Hong Kong and Macau, facing the world", 廣悅 now has eight offices in Guangzhou, Hong Kong (China), Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), serving clients in many countries and regions at home and abroad.
Contributed by | 廣悅 Milan Office
Editor | 吳寶渲
Reviewed by | 黎麗娜
Approved by | Brand Promotion and Market Development Committee