Published at: 2025-10-30
Compliance Settings Overview
What is GDPR
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union (EU) regulation on the protection of natural persons with regard to the processing of their personal data and on the free movement of such data, including the rights of individuals (children among them). It replaced the earlier Data Protection Directive (Directive 95/46/EC) and has applied directly across the entire EU since 25 May 2018. GDPR gives individuals in the EU direct control over how their personal data is processed and safeguards their privacy.
When Chinese Enterprises Need to Comply with GDPR
Scope of GDPR
GDPR applies to any organization established in the EU that collects, stores, transmits, or analyzes personal data, and also to organizations established outside the EU (Chinese enterprises included) that offer goods or services to individuals in the EU or monitor their behavior. Whether the processing itself takes place in the EU is irrelevant.
Penalties
Less severe violations may result in fines of up to €10 million (approximately RMB 75 million) or 2% of the company's worldwide annual turnover for the preceding financial year, whichever is higher. Severe violations (for example, breaching the basic processing principles, the conditions for consent, or data subjects' rights) may incur fines of up to €20 million (approximately RMB 150 million) or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.
Key Requirements of GDPR (Summary)
- Data subjects' right to be informed, and consent. Where processing relies on consent, consent must be obtained before the data is used, and it must be specific, informed, unambiguous, and freely given through a clear affirmative action (a pre-ticked box or silence does not count). If the scope of processing expands, for example by sharing data with third parties or using it in an external service, the new purpose needs its own consent. Data subjects may withdraw consent at any time, and withdrawing must be as easy as giving it.
- Purpose limitation and data minimization. Businesses must collect only the data that is necessary for the stated purpose, must not use it for incompatible purposes, and are obligated to protect it. Data controllers must tell data subjects how their personal data is collected and processed, including the categories of recipients, the retention period or the criteria used to set it, and the justification for that period.
- Right to erasure ("right to be forgotten") and data portability. On a valid erasure request the business must locate and delete the data subject's personal data; if the data has been disclosed to third parties, the business must take reasonable steps to inform them so they delete it as well. Data portability allows data subjects to receive the data they provided in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
- Automated decision-making and profiling. Where personal data is processed by automated means, including profiling, the controller must provide meaningful information about the logic involved and the significance and envisaged consequences for the data subject. For decisions based solely on automated processing that have legal or similarly significant effects, data subjects have the right to obtain human intervention, express their point of view, and contest the decision.
- Data breach notification. A personal data breach must be reported to the competent supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. A processor that discovers a breach must notify the controller without undue delay.
Fundamental Principles for Processing Personal Data
Personal data must be processed lawfully, fairly, and transparently. GDPR (Article 6) defines six lawful bases for processing, none of which is inherently superior; choose the one that fits the processing purpose and business need, document the choice, and do not switch bases after the fact.
| Lawful Basis | Description | Example |
|---|---|---|
| Consent | The data subject has given consent to the processing before it begins. Consent must be a clear affirmative action that is specific, informed, and freely given. | Collecting and processing personal data for marketing or sending newsletters. |
| Contract | Processing is necessary to perform a contract with the individual, or to take steps at their request before entering into one. | A customer emails to ask for more information, and the organization processes their contact details to respond. |
| Legal Obligation | Processing is necessary to comply with a legal obligation to which the controller is subject. | Reporting employee salary details to a tax authority, or producing records required by a legally mandated investigation. |
| Vital Interests | Processing is necessary to protect someone's life or physical safety. | Sharing a person's medical details with emergency services during an accident or fire. |
| Public Task | Processing is necessary for a task carried out in the public interest or in the exercise of official authority (typically by public authorities or bodies entrusted with such authority). | Authorities processing data for public health studies, official statistics, or surveys. |
| Legitimate Interests | The organization has a genuine and lawful interest in the processing, and that interest is not overridden by the data subject's rights and freedoms (a documented balancing test is expected). | A company processes a client's data to collect unpaid invoices, or an organization processes employee data for internal administration. |
The Three Parties in Data Processing
Data Controller: The entity or individual that determines the purposes and means of processing personal data. A controller may engage external service providers or other organizations to process data on its behalf, but it remains responsible for the lawfulness of the processing and for the compliance of the processors it uses.
Data Processor: An organization that processes personal data on behalf of the data controller. The processor has no authority to decide how the data is used and cannot change the purpose of collection; it performs only the processing tasks set out in the controller's documented instructions, under a written contract that covers security, confidentiality, sub-processors, and assistance with data subject requests.
Data Subject: The identified or identifiable natural person to whom the personal data relates. In a business context, data subjects are typically customers or employees, whose information (e.g., name, address, phone number, email) is collected for processing and business interactions.
These roles are central to data protection law. The data controller ensures that processing is lawful and protects data subjects' privacy rights. The data processor follows the controller's instructions while safeguarding the security and confidentiality of the data. Data subjects have the right to understand and control how their data is used and to exercise their data protection rights.
Note: As a Data Processor, ShareCRM must employ secure systems, tools, and methods to collect and store personal data on behalf of its customers (the controllers). The ShareCRM system helps customers protect data subjects' information by providing options that meet GDPR's security and privacy requirements.