Date: 2021-11-02

Imagine smaller and less attentive organizations. The problem is that many companies don't even have a clear picture of the situation.

The self-analysis of companies

We should do a sort of self-analysis, suggests Laura Formichella, sinologist and lawyer at Nctm.

Here is a slew of mandatory questions. Does this new legislation affect me? Do I sell products or services to persons resident in China through my site? Is the data I collect transferred abroad? Does the foreign party to whom I transfer the data, including for the purpose of processing it, meet the security requirements for data processing? Is there a person responsible for data protection in my company? Are there privacy and consent disclosures for employees, customers and suppliers? Do I have a consent form for the collection, transfer and processing of personal data? Do I have a consent form for the collection, transfer and processing of data abroad? Are my employees who work on the personal data of customers or employees aware of the obligations imposed by the new law? Are my clients under 14 years old?

This is, of course, just the beginning. “Failure to comply, as well as heavy fines, can result in the loss of the license to operate,” confirms Laura Formichella. “Consent is always required for obtaining and processing personal data. Each subject has the right to know and make decisions on the processing of their data, as well as the right to withdraw their consent to their processing at any time. ‘Sensitive information’ (information such as biometric data, religious beliefs, financial information, which, if disclosed, can harm the person, dignity or property of the data subject) requires separate consent. Information concerning minors under the age of 14 requires separate consent from parents or guardians.”

The channel to foreign countries

For the transfer of data to foreign parties, it is necessary to pass a conformity assessment by the Cyberspace Administration of China (CAC). A certification from a specialized personal data protection agency authorized by the CAC is required. A contractual model for the transfer of data, as adopted by the CAC, must be used; a further separate consent is required from the data subject, authorizing the processing of their personal data abroad.