I. Introduction
The EU remains firmly committed to upholding the fundamental rights and freedoms of natural persons in relation to the processing of personal data, in particular their right to personal data protection. At the same time, it fully safeguards the free flow of personal data within the EU and resolutely opposes any unreasonable restrictions or prohibitions. This Privacy Policy is formulated in strict accordance with the EU General Data Protection Regulation (GDPR) and related EU regulations. Its core purpose is to clarify the lawful boundaries of personal data processing and the rights and obligations of all parties involved, to provide comprehensive protection for the rights and interests of data subjects, and to standardize the operational procedures of controllers and processors.
II. Scope of Application
(I) Processing Methods Applicable
This Policy covers all processing activities related to personal data, including:
Processing of personal data conducted wholly or partly by automated means (such as algorithmic analysis and cloud storage);
Non-automated processing that forms part of a "structured collection of personal data" (such as customer information in a paper-based record management system).
Regardless of the technical means used for processing activities, all operations involving the collection, use, and storage of personal data are subject to this Policy.
(II) Exclusions
This clause does not apply to the following:
Processing of personal data outside the jurisdiction of EU law (e.g., processing activities carried out independently in non-EU countries and not linked to the EU);
Processing of personal data by Member States under Book V, Chapter 2 of the Treaty on European Union (Common Foreign and Security Policy);
Processing by natural persons in purely personal/family settings (e.g., managing private address books, storing family photos);
Processing of data by competent authorities for the prevention/investigation of criminal offences, the execution of criminal penalties, or the protection of public security (subject to EU specific criminal justice regulations).
(III) Supplementary
Processing of personal data by EU institutions, the Commission, and other official entities must also comply with the EU Data Protection Regulation (Regulation (EU) 2018/1725) and must not conflict with the core principles of this clause.
Online service providers (e.g., e-commerce platforms, social media platforms) must also comply with the supplementary requirements on data retention and user information rights in the E-Commerce Directive (2000/31/EC).
III. Territorial Effect
(I) EU Entities
If a controller/processor has an establishment in any EU member state, this clause applies regardless of whether its data processing actually occurs within the EU or outside the EU (e.g., storing data on servers in non-EU countries). For example, if an EU company establishes a data center in Singapore, its processing of EU user data is still subject to this clause.
(II) "Long-Arm Jurisdiction" for Foreign Entities
This clause also applies to controllers/processors outside the EU if they meet the following conditions:
Providing goods/services (whether or not charged) to EU data subjects, such as a Chinese e-commerce platform selling goods to German consumers and collecting delivery information;
Monitoring the behavior of EU data subjects (e.g., tracking EU users' web browsing history through cookies).
(III) Special Jurisdiction Exceptions
If the processing activities of a foreign controller are solely related to activities outside the EU and do not affect the interests of EU data subjects, this clause does not apply (sufficient evidence must be provided to demonstrate that there is no connection to the EU).
IV. Core Definitions (Supplementary and Improved)
(I) Sensitive Personal Data
Refers to personal data requiring additional stringent protection, including:
Racial/ethnic origin, political opinions, religious/philosophical beliefs, and trade union membership;
Genetic data, biometric data (for unique identification);
Health data, and data related to sex life or sexual orientation.
The processing of such data requires a stricter lawful basis (such as the data subject's explicit written consent or legally mandated requirements).
(II) Data Protection Impact Assessment (DPIA)
This refers to a systematic assessment of the lawfulness, necessity, and potential risks of processing activities (such as large-scale surveillance and automated decision-making) conducted by a controller before engaging in high-risk processing activities, including risk mitigation measures and subsequent monitoring plans.
(III) Data Protection Officer (DPO)
This refers to a professional appointed by a controller/processor to oversee data protection compliance. They must have knowledge of data protection laws and perform their duties independently (without interference from other departments). The appointment of a DPO is mandatory in the following circumstances:
Core business involves large-scale processing of sensitive data;
Conducting systematic, large-scale surveillance activities (such as facial recognition in public areas).
V. Data Subject Rights (Supplementary and Improved)
(I) Right not to be subject to automated decision-making (continued)
Data subjects have the right to object to decisions based solely on automated processing (such as algorithmic scoring) that have legal consequences for them (such as loan rejections, employment discrimination) or significantly impact their interests (such as insurance premium adjustments). If such decisions are necessary, the controller must ensure that:
The decision is necessary for the conclusion or performance of a contract and that a manual review mechanism is provided (such as allowing data subjects to request manual review);
The decision logic, data sources, and channels for appeal are disclosed to data subjects;
Automated decisions based on sensitive data must not be made (unless otherwise required by law).
(II) Right to Complain
If a data subject believes that the processing of their personal data violates these Terms, they have the right to:
Lodge a complaint with the data protection supervisory authority of the EU Member State where the processing occurs;
Lodge a complaint in any EU Member State (supervisory authorities must collaborate across regions);
If the supervisory authority fails to adequately address the complaint within three months, the data subject may bring proceedings before the courts of that Member State.
(III) Right to Claim Damages
If a data subject suffers damages due to a breach of these Terms by a controller/processor, the data subject has the right to seek compensation for damages, including direct damages (such as financial loss) and indirect damages (such as damage to reputation). If the processor is at fault, it shall be jointly and severally liable with the controller.
VI. Obligations of Controllers and Processors
(I) Core Obligations of Controllers
Lawful Basis Retention: The lawful basis for each type of data processing (e.g., consent, contractual necessity, legitimate interests) must be documented and retained for at least five years.
Privacy by Design and Default: Incorporate data protection measures into product/service design (e.g., turning off non-essential data collection by default) to ensure a "shift left" approach to data protection.
Cross-border Data Transfer Compliance: When transferring data to non-EU countries, compliance must be ensured through one of the following methods:
Transferring data to an "adequacy country" designated by the European Commission (e.g., Canada, Japan);
Entering into EU Standard Contractual Clauses (SCCs);
Adopting approved Binding Corporate Rules (BCRs).
(II) Core Obligations of Processors
Processing Strictly as Entrusted: Data processing must be carried out only within the scope of the controller's authorization, and the purpose or method of processing must not be changed without authorization.
Subcontracting Restrictions: If data processing is to be outsourced to another organization (subcontractor), the controller's written consent must be obtained in advance, and the subcontractor must meet the same data protection standards.
Data Breach Notification: Upon discovery of a data breach, the controller must be notified within 72 hours, providing details of the breach (such as the scope of impact and potential risks) and response measures.
VII. Lawful Basis for Data Processing
Controllers must satisfy at least one of the following lawful bases for processing personal data, which must be documented in writing:
Consent of the data subject: Consent must be clear and specific (not contained in general terms and conditions) and can be withdrawn at any time by the data subject (withdrawal must be no more difficult than consent);
Necessary for entering into/performing a contract: e.g., collecting shipping addresses to fulfill an order or collecting identity information for hiring employees;
Legal obligation: e.g., tax authorities collecting employee salary data to fulfill tax supervision responsibilities;
Protecting the vital interests of the data subject: e.g., medical institutions collecting patient health data for emergency treatment;
Performing a public task: e.g., government departments collecting resident information for the census;
Legitimate interests of the controller: This must satisfy the principle that the controller's "interests outweigh the interests of the data subject" (e.g., a company collecting transaction data to prevent fraud), and the data subject must be informed of their right to object in advance.
VIII. Data Retention and Destruction
Retention Period Principle: Personal data may only be retained for the minimum period necessary to achieve the purpose for which it is processed. For example, order data may be retained after a transaction is completed until the end of the after-sales warranty period, and customer inquiry records may be retained until disputes are resolved.
Destruction Requirements: After the expiration of the data retention period, data must be securely destroyed (such as permanently deleting electronic data or shredding paper documents), and the time, method, and responsible party must be recorded.
Anonymization Exception: If data is anonymized so that the data subject cannot be identified (and cannot be restored using additional information), it is no longer considered personal data and is not subject to retention period restrictions (such as anonymized user behavior data used for statistical analysis).
IX. Penalties for Violations
EU member state data protection regulators have the authority to impose fines for violations, which are categorized into two tiers:
General violations (e.g., failure to fulfill data subjects' right to information, failure to maintain data processing records): fines capped at €20 million or 4% of the company's global annual turnover (whichever is higher);
Serious violations (e.g., unlawful processing of sensitive data, denial of data subjects' access rights, cross-border data transfer violations): fines capped at €10 million or 2% of the company's global annual turnover (whichever is higher).
In addition, regulators may impose interim measures (e.g., suspension of data processing activities) and mandatory rectification requirements.
X. Supplementary Provisions
Matters not covered by this clause are subject to the EU General Data Protection Regulation (GDPR) and the data protection implementing regulations of each member state.
In the event of a conflict between this clause and subsequent EU legislation, the latter shall prevail.
Data subjects may consult the official website of the European Data Protection Board (EDPB) for contact information and the latest compliance guidance for each member state's regulators.