Joint answer given by Mr Reynders on behalf of the European Commission
21.1.2021
The Commission is aware of media reports related to the collection, by Zhenhua Data Company, of personal information about a large number of individuals, but has no additional information as to whether the Chinese government might be using this database for surveillance.
In case General Data Protection Regulation (GDPR)[1] rules apply, the company must in principle appoint a representative in the EU to act on its behalf with respect to its GDPR obligations, cooperate with the supervisory authorities and ensure the exercise of data subjects’ rights.
This includes the possibility for supervisory authorities to address corrective measures or administrative fines imposed on the company to the representative.
The Commission stressed in the GDPR evaluation report[2] of 24 June 2020 that ‘[w]here [such foreign] operators fail to meet their obligation to appoint a representative, supervisory authorities should make use of the full enforcement toolbox in Article 58 of the GDPR (e.g. public warnings, temporary or definitive bans on processing in the EU, enforcement against joint controllers established in the EU).’
While Member States’ national authorities are responsible for monitoring GDPR application, the Commission insists on the importance of appropriately handling European citizens’ data in line with the GDPR.
- [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1.
- [2] COM(2020) 264 final — Communication from the Commission to the European Parliament and the Council, ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition — two years of application of the General Data Protection Regulation’, 24.6.2020.