September 2021
1. Preface
The General Data Protection Regulation (GDPR) of the European Union, Regulation (EU) 2016/679, entered into force on May 24, 2016 and has applied since May 25, 2018, replacing the national laws that implemented Directive 95/46/EC and harmonizing the data protection law of all Member States. The GDPR sets out rules on the protection of natural persons with regard to the processing of personal data and rules on the free movement of personal data.
1.1. Guidelines
The European Data Protection Board (EDPB) has adopted, or endorsed from its predecessor, the Article 29 Working Party, the following guidelines (dates are the adoption dates of the version referred to):
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (June 18, 2021);
Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications (March 9, 2021);
Guidelines 09/2020 on relevant and reasoned objection under Regulation (EU) 2016/679 (March 9, 2021);
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR (December 15, 2020);
Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation (EU) 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (December 15, 2020);
Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (November 10, 2020);
Guidelines 05/2020 on consent under Regulation (EU) 2016/679 (May 4, 2020);
Guidelines 3/2019 on processing of personal data through video devices (January 29, 2020);
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (November 12, 2019);
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (November 13, 2019);
Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects;
Guidelines 2/2018 on derogations of Article 49 under Regulation (EU) 2016/679 (May 30, 2018);
Guidelines on personal data breach notification under Regulation (EU) 2016/679 (August 8, 2018);
Guidelines on the right to data portability;
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is 'likely to result in a high risk' for the purposes of Regulation (EU) 2016/679;
Guidelines on Data Protection Officers;
Guidelines 07/2020 on the concepts of controller and processor in the GDPR (version 2.0, July 7, 2021);
Guidelines 5/2019 on the criteria of the right to be forgotten in the search engines cases under the GDPR (part 1) (July 7, 2020); and
Guidelines on automated individual decision-making and profiling for the purposes of Regulation (EU) 2016/679 (February 13, 2018).
1.2. Case Law
Decisions and case law under the GDPR can be found on the websites of the EDPB (which keeps a register of decisions taken by national supervisory authorities) and of the European Data Protection Supervisor ('EDPS').
2. Scope of Application
2.1. Scope of Individuals
The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
It does not cover the processing of personal data which concerns legal persons, in particular undertakings established as legal persons, including the name, legal form and contact details of the legal person (Recital 14).
2.2. Scope of Territory
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.
It also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
Offering goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required; or
Monitoring their behavior, as far as that behavior takes place within the EU.
2.3. Scope of Material
The GDPR applies to the processing of personal data wholly or partly by automated means, and to processing other than by automated means of personal data which form part of a filing system or are intended to form part of one.
The GDPR does not apply to the processing of personal data:
In the course of an activity which falls outside the scope of EU law;
By the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (the common foreign and security policy);
By a natural person in the course of a purely personal or household activity;
By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (this processing is governed instead by Directive (EU) 2016/680, the Law Enforcement Directive).
3. Data Protection Regulatory Authorities
3.1. Main Regulatory Authority for Data Protection
EDPB
The EDPB is an independent European body, composed of the heads of the national supervisory authorities and the EDPS, which promotes the consistent application of data protection rules throughout the EU and cooperation between the EU's data protection authorities.
National data protection authorities
Each Member State designates one or more independent supervisory authorities that monitor and enforce GDPR compliance within their jurisdiction. They are not subordinate to the EDPB; the EDPB coordinates them through the cooperation and consistency mechanisms of Chapter VII of the GDPR.
3.2. Main Powers, Responsibilities and Liabilities
EDPB
The main powers and responsibilities of the EDPB include:
Providing general guidance (guidelines, recommendations and best practices) to clarify the law and promote a common understanding;
Advising the European Commission, by means of opinions, on any issue related to the protection of personal data in the EU, including proposed legislation;
Ensuring consistency in the activities of national supervisory authorities in cross-border matters, by issuing opinions on their draft decisions;
Adopting binding decisions to resolve disputes between national supervisory authorities in the enforcement of the GDPR, so that it is applied correctly and consistently in individual cases;
Promoting and supporting cooperation between national supervisory authorities.
National data protection authorities
Chapter VI of the GDPR sets out the competence, tasks and powers of the supervisory authorities. Their tasks include:
Monitoring and enforcing the application of the GDPR;
Cooperating with other supervisory authorities to ensure the consistent application and enforcement of the GDPR;
Establishing and maintaining lists of the kinds of processing operations that are subject to the requirement of a data protection impact assessment ('DPIA');
Periodically reviewing certifications issued;
Authorizing contractual clauses under Article 46(3) of the GDPR;
Approving binding corporate rules under Article 47 of the GDPR.
Investigative powers
Under Article 58(1) each supervisory authority may order the controller or processor to provide any information it requires, carry out investigations in the form of data protection audits, review certifications, notify the controller or processor of an alleged infringement, obtain access to all personal data and information necessary for its tasks, and obtain access to premises and data processing equipment.
Corrective powers
Under Article 58(2) each supervisory authority may, among other things:
Issue a warning to a controller or processor that intended processing operations are likely to infringe the GDPR;
Issue a reprimand where processing operations have infringed the GDPR;
Order the controller to communicate a personal data breach to the data subject;
Impose a temporary or definitive limitation, including a ban on processing;
Withdraw a certification or order the certification body to withdraw a certification it has issued;
Impose an administrative fine, in addition to or instead of the other measures;
Order the suspension of data flows to a recipient in a third country or to an international organization.
4. Key Definitions
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive data: the GDPR does not use the term 'sensitive data'. It instead defines 'special categories of personal data' (Article 9): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. Personal data relating to criminal convictions and offenses are subject to separate conditions under Article 10.
Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data.
Pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the data are not attributed to an identified or identifiable natural person. Pseudonymized data that could be attributed to a natural person by the use of that additional information remain personal data (Recital 26); pseudonymization is a risk-reducing safeguard, not anonymization.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
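The definition of pseudonymization is abstract, so the following Python example, added here and not part of the original page, shows one concrete technique that satisfies it (keyed hashing with HMAC-SHA256, the key being the "additional information" kept separately) and why the common shortcut of an unkeyed hash does not: an attacker who knows the identifier format can enumerate it. The customer records, the identifier format and the key handling are constructed for the example; in a real deployment the key would be held in a separate key management system or HSM under the technical and organizational measures the definition requires.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records (no real people). The direct identifiers are
# the fields that must not survive in the pseudonymized dataset.
RECORDS = [
    {"customer_id": "C-000123", "email": "alice@example.com", "order_total": 42.0},
    {"customer_id": "C-000456", "email": "bob@example.com", "order_total": 13.5},
    {"customer_id": "C-000123", "email": "alice@example.com", "order_total": 7.0},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    The key is the 'additional information' of the GDPR definition: whoever
    holds it can confirm which identifier a pseudonym belongs to (relink),
    but without it the pseudonym cannot be attributed to a data subject.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: Iterable[dict], key: bytes) -> list[dict]:
    """Return copies of the records with direct identifiers replaced by pseudonyms.

    The pseudonym is deterministic for a given key, so records of the same
    person stay linkable for analytics without revealing who that person is.
    """
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            copy[field] = pseudonym(rec[field], key)
        out.append(copy)
    return out


def relink(pseudo: str, candidate: str, key: bytes) -> bool:
    """Key holder's re-identification check: does candidate map to pseudo?"""
    return hmac.compare_digest(pseudonym(candidate, key), pseudo)


def unkeyed_hash(value: str) -> str:
    """The common mistake: plain SHA-256 of the identifier, with no secret."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_by_enumeration(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker without the key: hash every plausible identifier and compare.

    Succeeds against unkeyed hashes of low-entropy identifiers (customer
    numbers, phone numbers, national ID numbers); fails against keyed pseudonyms.
    """
    for cand in candidates:
        if hmac.compare_digest(unkeyed_hash(cand), target):
            return cand
    return None


def customer_id_space(n: int = 1000) -> Iterable[str]:
    """The identifier format is guessable, so the whole space can be enumerated."""
    return (f"C-{i:06d}" for i in range(n))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # must be stored separately from the dataset
    pseudo_records = pseudonymize(RECORDS, key)
    print(pseudo_records)
    # Same customer -> same pseudonym (linkable); different customers differ.
    assert pseudo_records[0]["customer_id"] == pseudo_records[2]["customer_id"]
    # An unkeyed hash of a guessable identifier is reversible by enumeration ...
    print(reverse_by_enumeration(unkeyed_hash("C-000123"), customer_id_space()))
    # ... the keyed pseudonym is not, unless you hold the key.
    print(reverse_by_enumeration(pseudo_records[0]["customer_id"], customer_id_space()))
    print(relink(pseudo_records[0]["customer_id"], "C-000123", key))
```

Two caveats follow from the definition. First, the pseudonymized records still carry quasi-identifiers (here the order totals; in practice timestamps, locations, free text), so the dataset remains personal data and a breach of it is still a personal data breach. Second, the protection is exactly as good as the key separation: if the key is stored next to the dataset, or the same key is shared with every analyst, the "additional information" is not kept separately and the measure is cosmetic. Rotating the key changes every pseudonym, which breaks linkability across rotations but is the standard way to revoke a compromised key.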
5. Legal basis
5.1. Consent
Processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Silence, pre-ticked boxes or inactivity do not constitute consent (Recital 32).
Conditions for consent
The controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. When assessing whether consent is freely given, account must be taken of whether the performance of a contract is made conditional on consent to processing that is not necessary for that contract (Article 7(4)).
Withdrawal of consent
The data subject has the right to withdraw consent at any time, must be informed of this right before giving consent, and it must be as easy to withdraw consent as to give it.
Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
5.2. Contract with the data subject
Processing is lawful if it is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. Necessity is assessed objectively against the purpose of the contract, not by what the controller writes into its terms.
5.3. Legal obligation
Processing is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. The obligation must be laid down by Union or Member State law; a contractual obligation is not enough.
5.4. Vital interests
Processing is lawful if it is necessary in order to protect the vital interests of the data subject or of another natural person. This basis is reserved for situations where life or physical integrity is at stake and the processing cannot manifestly be based on another legal basis (Recital 46).
5.5. Public interest
Processing is lawful if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, where that task or authority is laid down by Union or Member State law.
5.6. Legitimate interests of the data controller
Processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This basis is not available to public authorities in the performance of their tasks, and the controller should document the balancing test it performed.
6. Principles
According to the GDPR, the principles of personal data processing include:
Lawful, fair and transparent;
Purpose limitation;
Data minimization;
Accuracy;
Storage limitation;
Integrity and Confidentiality; and
Accountability.
Lawful, fair, and transparent
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimization
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
Storage limitation
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed.
Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Accountability
The controller is responsible for, and must be able to demonstrate, compliance with the principles in Article 5(1) of the GDPR.
7. Obligations of Controller and Processor
7.1. Data Cross-border Transmission
Any transfer of personal data to a third country or to an international organization, including onward transfers from that third country or international organization to another, may take place only under one of the following conditions:
Adequacy decision
Personal data may be transferred to a third country or international organization where the European Commission has decided that it ensures an adequate level of protection.
Appropriate safeguards
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if it has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies are available. Appropriate safeguards include:
A legally binding and enforceable instrument between public authorities or bodies;
Binding corporate rules ('BCR') approved under Article 47;
Standard data protection clauses adopted by the Commission, or adopted by a supervisory authority and approved by the Commission;
An approved code of conduct or an approved certification mechanism, together with binding and enforceable commitments of the recipient.
Following the Court of Justice's Schrems II judgment (Case C-311/18), the exporter must also assess whether the law and practice of the third country undermine the safeguard in practice and, if so, adopt supplementary measures (see Recommendations 01/2020 in section 1.1).
Derogations
Where neither an adequacy decision nor appropriate safeguards are in place, a transfer may still take place under one of the derogations of Article 49, for example where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks. Explicit consent is a derogation, not a safeguard; derogations are interpreted restrictively and are intended for occasional transfers, not for systematic data flows.
7.2. Data Processing Record
Controller
The controller (and, where applicable, its representative) must maintain a record of processing activities under its responsibility, in writing, including in electronic form, and make it available to the supervisory authority on request. The record must contain:
The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer ('DPO');
The purposes of the processing;
A description of the categories of data subjects and of the categories of personal data;
The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
Where applicable, transfers of personal data to a third country or an international organization, including its identification and, for transfers under the second subparagraph of Article 49(1), the documentation of suitable safeguards;
Where possible, the envisaged time limits for erasure of the different categories of data;
Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Processor
The processor (and, where applicable, its representative) must maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
The name and contact details of the processor and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or processor's representative and the DPO;
The categories of processing carried out on behalf of each controller;
Where applicable, transfers of personal data to a third country or an international organization, including its identification and, for transfers under the second subparagraph of Article 49(1), the documentation of suitable safeguards;
Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
The obligation does not apply to an enterprise or organization employing fewer than 250 persons, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offenses (Article 30(5)). Because routine processing such as payroll or customer management is "not occasional", most organizations must keep the record regardless of size.
7.3. Data Protection Impact Assessment
Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A DPIA is required in particular in the case of:
A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offenses;
A systematic monitoring of a publicly accessible area on a large scale.
National supervisory authorities publish lists of further processing operations that require a DPIA (Article 35(4)), and the WP29 DPIA guidelines listed in section 1.1 set out nine criteria; as a rule of thumb, processing that meets two of them requires a DPIA.
Prior consultation
Where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk, the controller must consult the supervisory authority before processing (Article 36). Where the supervisory authority is of the opinion that the intended processing would infringe the GDPR, it must, within eight weeks of receipt of the request for consultation (extendable by a further six weeks for complex processing), provide written advice to the controller and may use any of its investigative and corrective powers.
7.4. Appointment of data protection officer
The controller and the processor must designate a data protection officer (DPO) where: the processing is carried out by a public authority or body (except courts acting in their judicial capacity); their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or their core activities consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions and offenses (Article 37). Member State law may require a DPO in further cases. The DPO's contact details must be published and communicated to the supervisory authority.
7.5. Data breach notification
In the case of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay, and the information may be provided in phases. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the data subjects without undue delay. Every breach, notified or not, must be documented internally (the facts, its effects and the remedial action taken) so that the supervisory authority can verify compliance.
The processor must notify the controller without undue delay after becoming aware of a personal data breach.
Notification to the supervisory authority
The notification to the supervisory authority must at least:
a) Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) Describe the likely consequences of the personal data breach;
d) Describe the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Communication to the data subject is not required if any of the following conditions is met:
The controller had implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the data unintelligible to any person not authorized to access them, such as encryption (encryption only helps where the key was not also compromised);
The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
It would involve disproportionate effort; in that case a public communication or similar measure must be used to inform the data subjects in an equally effective manner.
7.6. Children's data
Where consent is relied on for the offer of information society services directly to a child, the processing is lawful only if the child is at least 16 years old; below that age it is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child, and the controller must make reasonable efforts to verify this, taking available technology into account.
Member States may provide by law for a lower age, provided that it is not below 13 years.
7.7. Personal data of special categories
Processing of special categories of personal data is prohibited unless one of the conditions of Article 9(2) applies, including:
The data subject has given explicit consent to the processing for one or more specified purposes, unless Union or Member State law provides that the prohibition cannot be lifted by the data subject;
Processing is necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorized by law or a collective agreement;
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
Processing relates to personal data which are manifestly made public by the data subject;
Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
Processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, or the provision of health or social care or treatment, subject to professional secrecy;
Processing is necessary for reasons of substantial public interest, for public health, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, on the basis of Union or Member State law.
'Explicit' consent here is a higher bar than consent under Article 6: a clear affirmative action is not enough, the data subject must give an express statement of consent, for example a written or signed statement or a dedicated confirmation step.
7.8. Contract between the controller and the processor
Processing by a processor must be governed by a contract or other legal act under Union or Member State law that is binding on the processor and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller (Article 28(3)).
The contract or other legal act must stipulate in particular that the processor:
Processes the personal data only on documented instructions from the controller, including with regard to transfers to a third country or international organization, unless required to do so by Union or Member State law;
Ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
Takes all measures required pursuant to Article 32 of the GDPR (security of processing);
Does not engage another processor without the prior specific or general written authorization of the controller, and imposes the same obligations on any sub-processor by contract;
Assists the controller, by appropriate technical and organizational measures, in responding to requests for exercising the data subject's rights, and in meeting the controller's obligations on security, breach notification, DPIAs and prior consultation;
At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services, and deletes existing copies unless Union or Member State law requires their storage;
Makes available to the controller all information necessary to demonstrate compliance with these obligations and allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller.
The processor must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. A processor that determines the purposes and means of processing itself is treated as a controller in respect of that processing (Article 28(10)).
8. Rights of the Data Subject
The controller must provide information on action taken on a data subject's request without undue delay and in any event within one month of receipt; that period may be extended by two further months where necessary, taking into account the complexity and number of the requests, provided the data subject is informed of the extension and its reasons within the first month. The information must be provided free of charge; where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee or refuse to act, and bears the burden of demonstrating that character. Where the controller has reasonable doubts about the identity of the requester, it may request additional information necessary to confirm identity, but must not collect more data than needed for that purpose.
8.1. Right to Be Informed
Personal data obtained directly from the data subject
Where personal data are collected from the data subject, the controller must, at the time the data are obtained, provide the following information:
The identity and contact details of the controller and, where applicable, of the controller's representative;
The contact details of the DPO (where applicable);
The purposes of the processing and its legal basis, and, where the processing is based on legitimate interests, the legitimate interests pursued;
The recipients or categories of recipients of the personal data (if any);
Where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and:
the existence or absence of an adequacy decision by the Commission; or
a reference to the appropriate or suitable safeguards relied on and the means by which to obtain a copy of them;
The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
The existence of the rights to request access to, rectification or erasure of personal data, restriction of processing, objection to processing, and data portability;
Where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
The right to lodge a complaint with a supervisory authority;
Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the data, and the possible consequences of failing to provide them;
The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Personal data obtained from third parties
Where personal data have not been obtained from the data subject, the same information must be provided, with the following differences:
The controller is not required to state whether the provision of personal data is a statutory or contractual requirement;
The controller must in addition inform the data subject of:
The categories of personal data concerned; and
The source from which the personal data originate and, if applicable, whether they came from publicly accessible sources.
This information must be provided within a reasonable period after obtaining the data, at the latest within one month, or at the time of the first communication with the data subject or of the first disclosure to another recipient, if earlier. It may be omitted where the data subject already has it, where provision proves impossible or would involve a disproportionate effort, or where the data are subject to an obligation of professional secrecy (Article 14(5)).
8.2. Right of Access
The data subject has the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed and, where that is the case, access to the personal data and to information including the purposes, the categories of data, the recipients, the retention period, the source, and the existence of automated decision-making. The controller must provide a copy of the personal data undergoing processing; where the request is made by electronic means, the information must be provided in a commonly used electronic form unless the data subject requests otherwise. The controller should have a process for handling such requests that verifies the requester's identity before any data are disclosed, since an access response sent to the wrong person is itself a personal data breach.
8.3. Right to Rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of providing a supplementary statement. The controller must communicate the rectification to each recipient to whom the data were disclosed, unless this proves impossible or involves disproportionate effort (Article 19).
8.4. Right to Erasure
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase the data without undue delay, where:
The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
The data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
The data subject objects to the processing and there are no overriding legitimate grounds, or objects to processing for direct marketing;
The personal data have been unlawfully processed;
The personal data have to be erased for compliance with a legal obligation under Union or Member State law;
The personal data were collected in relation to the offer of information society services to a child as referred to in Article 8(1) of the GDPR.
Where the controller has made the data public, it must take reasonable steps to inform other controllers processing the data that erasure of any links to, or copies of, the data has been requested.
Exceptions
This right does not apply in the following cases:
Exercising the right to freedom of expression and information;
Processing for compliance with a legal obligation which requires processing by the controller under Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
Processing for reasons of public interest in the field of public health;
Archiving for purposes of public interest, scientific or historical research, or statistical purposes;
For establishing, exercising, or defending legal claims.
8.5. Right to Object/Right to Opt-Out
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing based on the public interest or official authority (Article 6(1)(e)) or on the legitimate interests of the controller or a third party (Article 6(1)(f)), including profiling based on those provisions. The controller must then stop the processing unless it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defense of legal claims. Where processing is based on consent, the data subject instead withdraws consent (section 5.1).
Direct Marketing
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing for such marketing, including profiling to the extent that it is related to such direct marketing. This objection is absolute: the data must no longer be processed for that purpose, with no balancing test. The right must be explicitly brought to the data subject's attention at the latest at the time of the first communication, presented clearly and separately from any other information.
8.6. Right to Data Portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the data were provided, where both of the following conditions are met:
The processing is based on consent or on a contract; and
The processing is carried out by automated means.
Where technically feasible, the data subject may also have the data transmitted directly from one controller to another. The right covers data "provided by" the data subject, which the WP29 guidelines read as including data observed from the data subject's use of the service (for example activity logs), but not data inferred or derived by the controller.
8.7. Right Not to Be Subject to Automated Decision-Making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Exemptions
This right does not apply if the decision:
Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
Is authorized by Union or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or
Is based on the data subject's explicit consent.
In the first and third cases the controller must implement suitable safeguards, at least the right to obtain human intervention, to express his or her point of view and to contest the decision. Such decisions may not be based on special categories of data unless Article 9(2)(a) or (g) applies and suitable safeguards are in place.
8.8. Right to Limit Processing
The data subject has the right to obtain restriction of processing (rather than erasure) where: the accuracy of the data is contested by the data subject, for a period enabling the controller to verify it; the processing is unlawful and the data subject opposes erasure and requests restriction instead; the controller no longer needs the data for the purposes of the processing but the data subject requires them for legal claims; or the data subject has objected to the processing, pending verification of whether the controller's legitimate grounds override those of the data subject. Restricted data may, apart from storage, only be processed with the data subject's consent, for legal claims, to protect the rights of another person, or for reasons of important public interest, and the data subject must be informed before the restriction is lifted.
9. Penalties
Administrative fines of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, apply to infringements of, among others, the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43 (including processing which does not require identification, data protection by design, records of processing, security of processing, breach notification, DPIAs and the designation of a DPO) and the obligations of certification and monitoring bodies.
Administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher, apply to infringements of the basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9), the data subjects' rights (Articles 12 to 22), transfers to third countries or international organizations (Articles 44 to 49), and non-compliance with an order of a supervisory authority. Fines are imposed in addition to, or instead of, the other corrective measures in section 3.2, and data subjects may separately claim compensation for material or non-material damage (Article 82).