Assessment Report Regarding Data Compliance

Privileged and Confidential

[To: Company A]

[From: Law Firm F, Shanghai]

Tel: 86-21 xxxx xxxx

Fax: 86-21 xxxx xxxx

[Date: December 7, 2022]

Re: Assessment Report Regarding Data Compliance of Corporate G China

To: Company A

We are a law firm duly qualified and authorized to practice Chinese law
in the People’s Republic of China (the “PRC”). We have been
requested by Company A to provide a legal assessment regarding the data
compliance management of Corporate G China.

For this purpose, we investigated and assessed the data compliance
management of Corporate G China through the following steps, and issue
this report for your reference:

  1. Reviewing various relevant documents, policies, contracts and/or
    templates provided by the four Corporate G entities in the PRC;

  2. Collecting further information through meetings, communications
    and other written exchanges with the relevant teams of the four
    Corporate G entities in the PRC.

This report is produced in accordance with the valid PRC laws,
regulations, applicable circulars and policies, as well as by reference
to the publications on governmental websites and the material provided by the
Company as of the date of this report, and is solely for the above
purpose. Any factual change, change of legislation or other
governmental information thereafter may alter our view and analysis
hereunder. This report shall not be viewed as a guarantee of any
particular outcome.

Executive Summary

Corporate G SE (“Corporate G”) is a professional sensor company
with a long-standing reputation in the global automation industry and a
global sensor supplier with outstanding research capabilities, supplying
high-quality products from inductive sensors to ultrasonic sensors, from
photoelectric sensors to rotary encoders, from identification systems to
fieldbus systems, from liquid level and material level sensors to safety
light screens, from explosion-proof sensors to safety grids, isolation
grids and other sensors. Corporate G SE has invested in and set up a number
of business entities in China, among which the entities that fall within
the scope of this data compliance assessment include: Company A
(“Company A”), Corporate G (Beijing) Process Automation Co., Ltd.
(“Company B”), Corporate G (Shanghai) Automation Engineering Co., Ltd.
(“Company C”), and Company D (“Company D”) (collectively referred to as
the “Assessed Entities” or the “Company”).

Based on the business of the Assessed Entities and the types of data
they processed, as well as other information we learned in the
assessment, we understand that currently, the Company is not a “Critical
Information Infrastructure Operator” under the Cybersecurity Law. In
addition, among the data that the Company has accessed and processed so
far, apart from personal information data, the data processed and
accessed by the Company does not involve “important data” under the
Data Security Law. Therefore, at present, the focus of the Company’s
data compliance management is personal information protection. However,
considering that the Company may access “important data” in its future
business, we also put forward some preliminary suggestions for the
identification and compliance management of important data in the
Company’s business for the Company’s reference in this report. In this
report, we will analyze the Company’s information systems, products and
services, supplier data, internal employee data, data storage and
transfer, data use and sharing, network security and data compliance
management, etc. In this executive summary, we selected and listed some
major compliance risks we identified in the assessment and provided the
corresponding suggestions for improvement and prepare a summary table as
follows. We would like to kindly remind that this summary only lists the
major compliance risks and please refer to the full version of the
assessment report and suggestions for improvement set out in the main
text.

Main Text

  1. Corporate G SE (“Corporate G”) is a well-known company
    specializing in sensor technology in the global automation industry
    which conducts distinguished research and provides high-quality
    products from inductive sensors to ultrasonic sensors, from
    photoelectric sensors to rotary encoders, from identification
    systems to fieldbus systems, from liquid level and material level
    sensors to safety light curtains, from explosion-proof sensors to
    safety barriers, isolation barriers and other sensors. Corporate G
    has invested in and established several business operation entities in the
    PRC, and amongst them, the entities falling within the scope of this
    data compliance assessment include: the three wholly foreign-owned
    limited liability companies (foreign legal person sole proprietorships)
    directly invested in by Corporate G SE, i.e., Company A (“Company A”),
    Corporate G (Beijing) Process Automation Co., Ltd. (“Company B”),
    Corporate G (Shanghai) Automation Engineering Co., Ltd. (“Company C”),
    and an affiliated business entity, i.e., Company D Vision Technology
    (Shanghai) Co., Ltd. (“Company D”) (collectively referred to as the
    “Assessed Entities” or the “Company”). Amongst them:
  1. FA was established in 2006 and is mainly engaged in the research,
    development, design, production, sales, supporting services,
    technical consulting and other business of sensors, encoders,
    identification systems and optical data transfer systems in the
    field of automated components and systems.

  2. PA was established in 2009 and is mainly engaged in the research,
    development, design, production, sales, supporting services,
    technical consulting and other business of explosion-proof
    electrical equipment and lamps, customized terminal boxes, junction
    boxes and cabinets, controlling equipment products and components of
    process automation equipment.

  3. SEC was established in 2015, and is mainly engaged in the
    production, sales, supporting services, technical consulting and
    other business of automation instruments and meters, explosion-proof
    electrical equipment and lamps, terminal boxes, junction boxes and
    cabinets, automation equipment and accessories.

  4. VMT was established in 2014 and is mainly engaged in the research
    and development of technology, design, system integration and sales
    in the field of image technology and automation technology research
    and development of industrial image processing technology and
    supporting software, wholesale, supporting services, technical
    consulting, and other business of image processing equipment and
    supporting facilities.

  1. During this assessment, the management team of the Assessed Entities
    divided the Assessed Entities into two groups based on the relatedness
    of their management teams and businesses, i.e.,
    Company A and Company D are assessed as one group, and Company B and
    Company C are assessed as another group. The two groups separately
    provided responses to the questionnaires on data processing
    activities prepared by us (unless explained otherwise in the
    responses). Therefore, this compliance assessment report will
    analyze the various data processing activities of the Assessed Entities
    in their daily business and assess the related risks based on the
    responses and information provided by the Assessed Entities pursuant
    to the above group allocation.

1. Information System Compliance

  1. According to the information provided by the Assessed Entities, the
    ERP system used by the Assessed Entities is the Sales and Finance
    modules of M3 provided by Infor; the CRM system used by the Assessed
    Entities is the CRM module of Siebel provided by Oracle; the above
    modules are globally purchased and provided by Corporate G. The HR
    system and workflow software used by the Assessed Entities are
    purchased from the PRC domestic software vendors (specifically, the
    Assessed Entities use DigiWin on-leave request and reimbursement
    system, and Company A and Company D also purchased an information
    system for payroll calculation from Cityray). The Assessed Entities
    provided us with two software procurement contracts, including the
    DigiWin Workflow Software V3.1 Maintenance Contract signed with
    Digiwin Software Co., Ltd. and the Sales Contract signed with
    SoftwareOne (Shanghai) Software Trading Co., Ltd. The above two
    software procurement contracts do not contain specific clauses
    related to data protection, and even if the contracts contain
    confidentiality clauses, the purpose of the confidentiality clauses
    is only for the protection of trade secrets.

  2. In terms of the access to information systems, the Assessed Entities
    set general accessing permission primarily based on the employee’s
    position/job role and temporary accessing permission based on the
    direct supervisor’s approval and process owner’s authorization.
    Amongst them, the DigiWin system and the Cityray system cannot be
    accessed by Corporate G’s headquarters or by other offshore
    affiliates of the Assessed Entities. In conclusion, we understand
    that the above practice of the Assessed Entities regarding the
    access permission setting basically complies with the necessity
    principle and minimization principle regarding the use of data.

  3. In addition, the four Assessed Entities have provided us with the
    ZVEI-VDMA Code of Conduct (updated in January 2022), which,
    according to the information provided by the Assessed Entities, is
    applicable to all the subsidiaries of Corporate G including the four
    Assessed Entities and is published on Corporate G’s official
    website2. This document briefly introduces Corporate G’s
    compliance management principles, and Article 3.5 Data Protection
    Clause of this document includes the protection of personal
    information3. It shows that Corporate G attaches great importance
    to data compliance.

Potential Compliance Risks:

  1. The software procurement contracts signed by the Assessed Entities
    and external third parties do not contain special clauses related to
    data protection, and even if they contain confidentiality clauses,
    the purpose is only for the protection of trade secrets. In the
    process of using outsourced software, according to the answers
    provided by the Assessed Entities, in general, the supplier cannot
    access the data stored in the software used by the Assessed
    Entities4, but it does not rule out the possibility that the
    supplier may access some data of the Assessed Entities in the
    process of providing software operation and maintenance services.
    Therefore, the contract with the supplier should include a
    miscellaneous provision on data compliance and personal information
    protection. However, at present, there are no compliance clauses
    regarding data security and personal information protection in the
    contracts signed with software suppliers.

Primary Suggestions:

  1. Software is generally a standardized product, and its procurement
    contract is often a standard contract provided by the software
    supplier. Before signing such standard contracts, it is recommended
    that the Assessed Entities review and revise them. If the Assessed
    Entities find that there is no stipulation on data protection, they
    shall add the stipulation accordingly and require the software
    supplier to comply with it. Under this circumstance, if a data
    security incident or dispute occurs, such stipulation in the
    contract would provide convenience for the Assessed Entities to
    protect their rights. In addition, the Company is recommended to add
    relevant data protection clauses to the contracts with the existing
    software suppliers5.

2. Products and Services-related Data Compliance

  1. Basic Information of Products and Services

  2. According to the information provided by the Assessed Entities, the
    products provided by Company B and Company C to the market include
    explosion-proof interface modules, engineered solutions,
    explosion-proof mobile and communication products, Ethernet-APL and
    fieldbus, wireless solutions, remote I/O, bus products, power supplies
    and software products. In addition, Company B and Company C also
    provide supporting services such as sales, technical training,
    on-site service, repair and returns.

  3. The products provided by Company A and Company D to the market
    mainly include proximity sensors, photoelectric sensors, ultrasonic
    sensors, rotary encoders and system products including RFID, fieldbus
    modules and vision products. For engineering projects, Company A
    and Company D also provide installation, programming and system
    integration services based on Corporate G hardware products. In
    addition to the aforementioned services, VMT’s product line also
    includes customized vision solutions and services such as 2D and 3D
    measurement, positioning and recognition.

    1. **Basic Information of Customers and Customer Information Protection**

  4. According to the information provided by the Assessed Entities, the
    buyers/end-users of the products and services from Company B and
    Company C are typically market participants in the following
    industries: petrochemical, oil & gas, utilities, pharmaceutical,
    biochemistry, offshore and marine, wastewater, power generation,
    food & beverage, and Company B also has certain business dealings
    with customers in the nuclear industry, but the business volume
    involved is relatively limited. We also learned that the market
    roles of buyers purchasing the products and services from Company B
    and Company C include the following categories: DCS companies,
    system integrators, agency/distributors, end users, OEMs, research
    institutes. From the perspective of the ownership type of the
    enterprises, the above-mentioned customers include state-owned
    enterprises and private enterprises. From the perspective of the
    flow of products and services, most of the products and services of
    Company B and Company C are provided to the Chinese customers, and
    only about 1% of the products and services are provided to customers
    located in Southeast Asia.

  5. Buyers/end-users of products and services of Company A and Company D
    are generally the market participants in the following industries:
    automotive, machinery, logistics, gate control, process equipment,
    food packaging industry, electronics, metallurgy, tobacco, new
    energy, robotics and transport. From the perspective of the
    ownership type of the enterprises, FA’s and VMT’s customers include
    state-owned enterprises and private enterprises. In addition,
    colleagues from the Company A team mentioned that Company A and
    Company D have very few customers in the military industry, such as
    the Shanghai Electric Control Research Institute (i.e., 218 Research
    Institute, affiliated to China Ordnance Equipment Group). From the
    perspective of the flow of the products and services, FA’s products
    and services are only sold to domestic customers in China, while
    VMT’s products and services mainly serve the Chinese market and a few
    products and services are sold to foreign customers, mainly
    customers in India, Thailand, and Vietnam.

  6. During the process of providing the above-mentioned products and
    services by the four Assessed Entities of Corporate G, they
    accumulated about 42,000 customers (about 11.7% are Company B
    customers and 88.3% are Company A customers) over a period of about
    15 years and about 100,000 business contact persons (about
    9.35% are business contacts of Company B and the remaining 90.65%
    are those of FA). Customer-related information may be collected,
    including company name, address, department, taxpayer code, company
    bank account information, project information, and personal
    information of the business contacts. Among them, project
    information generally includes the product end-users, devices,
    project name, location, etc., and sometimes the production capacity
    data of the project will also be collected; the personal information
    of the business contacts generally includes the individual’s name,
    title, and mobile phone number (i.e., the personal mobile phone
    number or mobile phone number provided by the company to employees).

  7. Considering that many of the Assessed Entities’ customers are
    state-owned enterprises and other large enterprises, such as
    SINOCHEM GROUP, SEI, Sany Group, etc., based on our experience,
    Assessed Entities may have access to important data when conducting
    business with these companies and more stringent network security
    and data protection measures need to be taken. According to current
    laws, regulations and practices, we understand that the important
    data include but are not limited to the following categories: 1)
    manufacturing data, R&D information, intellectual property rights,
    business operation data, operation and maintenance data, and supply
    chain data of the important network facilities and/or information
    systems in important sectors such as public communication and
    information services, energy, transportation, water conservancy,
    finance, public services, government affairs, national defense
    science and technology and other network facilities and/or
    information systems which may seriously endanger national security,
    the national economy, people’s livelihood and the public interest once
    they are destroyed, lose their functions or suffer data leak incidents; 2) map
    data; 3) navigation data; 4) surveying data; 5) important geographic
    information; 6) security equipment data, security deployment
    data; 7) energy reserve information. Amongst them, after confirming
    with the Company B and Company C teams through questionnaires, their
    responses to the question in item 1.2 of the questionnaire on
    whether the products and services involve processing important data
    were that Company B and Company C “do not access to such data” and “no
    sensitive data is involved”. Although the terminology of “sensitive
    data” mentioned by the Company B and Company C teams and “important
    data” asked in item 1.2 of our questionnaire is different, from the
    questions and responses in item 1.2, it is clear that Company B and
    Company C do not collect important data of the customers. However,
    in the process of the Company B and Company C teams’ filling out and
    providing responses on item 3.1 of the questionnaire, we noticed
    that the colleagues from the Company B and Company C teams mentioned
    that as to the information collected from customers, “some sensitive
    information may be collected from the institutes, including 711
    Institute, 718 Institute (they are the institutes owned by the PRC
    military), etc.”. After further verifying the meaning of “sensitive
    information” mentioned here, we learned from the Company that the
    “sensitive information” mentioned here is “mainly the project name
    and production capacity”. At the same time, as confirmed by Company
    B and SEC, the two companies had business dealings with some
    institutes (including 711 and 718) and/or institutions owned by the
    military five years ago. However, the Company currently has no
    business dealings with these institutes and does not intend to have
    business dealings with them in the future as well. In addition, the
    relevant personnel of Company A and Company D mentioned that they
    may have access to the information of sensitive industries such as
    military industry-related information during the business process,
    but at the same time they also responded in item 1.2 of the
    questionnaire that Company A and Company D would not have access to
    important data.

  8. We further learned that in terms of storage and protection of
    customer information, the customer information including project
    information may be stored in CRM and ERP systems. In addition, the
    teams such as sales and operation teams of the Assessed Entities
    mentioned in the interview that during the process of business
    connection, in practice, they may have access to some “sensitive
    information” through email correspondences, but such information
    will not enter the CRM or ERP system, nor will it be transmitted
    abroad6.

  9. The Assessed Entities will typically enter into confidentiality
    agreements with the customers. In respect of the text of the
    confidentiality agreement, Company B has provided us with the
    Confidentiality Commitment unilaterally issued by Company B to ABB
    Engineering (Shanghai) Ltd. (“ABB”), which stipulates the
    confidential information, purpose of use, confidentiality
    obligation, confidentiality period and liability for breach of
    contract, and in which Company B even promises to entitle ABB
    to inspect and audit PA’s confidentiality system and measures. In
    addition, we have also received the confidentiality agreement signed
    by Company B and Zhejiang SUPCON Technology Co., Ltd., which
    stipulates the data protection obligations of both parties. Based on
    the above-mentioned information, we learned that Company B and
    Company C used different texts/templates when signing
    confidentiality agreements with the customers and some of them are
    the templates provided by the customers, and some of them are the
    unilateral confidentiality commitments signed by Company B or
    Company C rather than the mutual confidentiality agreements.

  10. FA provided us with the Confidentiality Agreement signed with
    HIKROBOT Technology Co., Ltd. (“HIKROBOT Confidentiality Agreement”)
    and the Supplier Confidentiality and Integrity Agreement signed with
    Hainan Jinpan Smart Technology Co., Ltd. (“Jinpan Technology
    Confidentiality Agreement”). These two agreements stipulate the
    confidential information, purpose of use, confidentiality
    obligations, confidentiality period, and liability for breach of
    contract. Amongst them, the Jinpan Technology Confidentiality
    Agreement mainly stipulates that FA, as “Party B”, unilaterally has
    confidentiality obligations to Hainan Jinpan Smart Technology Co.,
    Ltd., and there is no specific provision on personal
    information/data protection. In addition, Company A provided us with
    a sales contract with Suzhou Electrical Apparatus Science Academy
    Co., Ltd. However, this contract does not contain a data protection
    provision, either.

  11. VMT provided us with 3 confidentiality agreements, i.e., the
    confidentiality agreement (WORD version) with Durr Paintshop Systems
    Engineering (Shanghai) Co., Ltd., the confidentiality agreement
    signed with Beijing Hinsong Yicheng Machinery & Electric Engineering
    Co., Ltd. and the confidentiality agreement signed with EBZ SysTec
    (Shenyang) Limited. According to the content of these three
    agreements, the three confidentiality agreements mainly stipulated
    the unilateral confidentiality obligations of Company D to the other
    party under the agreements, and only the confidentiality agreement
    signed with EBZ SysTec (Shenyang) Limited stipulated the unilateral
    data compliance obligations of VMT, and the other two
    confidentiality agreements do not stipulate anything relating to
    personal information/data protection.

Potential Compliance Risks:

  1. The agreements signed with some customers do not include data
    protection clauses, and there is no commitment by customers that the
    information provided by them is collected in compliance with
    relevant laws and regulations. In addition, there is no “firewall”
    clause to protect the Assessed Entities from the risks associated
    with the customer’s unlawful collection of data.

  2. Different colleagues from the Assessed Entities may have
    different views and make different determinations on sensitive data
    and important data. Additionally, the Company does not have any
    written determination criteria, nor has it derived any common
    criteria or measures for identifying sensitive data and important
    data from its practices, which may cause inaccuracy or discrepancies
    in identifying the important data.

  3. There is no fixed template for the confidentiality agreement
    signed or to be signed between the Assessed Entities and the
    customers. Some of the confidentiality agreements signed between the
    Company and the customers are the templates provided by the
    customers, and some of them are even unilateral confidentiality
    commitments by the Assessed Entities rather than a mutual
    confidentiality agreement. Moreover, most confidentiality agreements
    do not contain data protection clauses.

Primary Suggestions:

  1. It is recommended that the data protection clauses be added to
    agreements signed or to be signed with customers, setting up a
    “firewall” to protect the Assessed Entities from any risks caused by
    the customers’ collecting information in violation of the legal
    requirements.

  2. It is recommended to establish important data
    identification guidelines and procedures with reference to the
    Information Security Technology - Important Data Identification
    Guidelines (Draft for Comments) drafted by the National Information
    Security Standardization Technical Committee and published on
    January 13, 2022, and to provide training regarding the important
    data identification guidelines and procedures to all employees who
    may have access to customer information, and to hold relevant
    awareness and implementation activities, so that employees would be
    capable of accurately identifying the important data of customers
    when they have access to such data and protecting such data in
    accordance with the management and technical protection measures
    applicable to important data.

  3. It is recommended that the Company draft, update and amend
    the template for a mutual confidentiality and data protection
    agreement so that such fixed template could first be used and
    signed by the parties when conducting business with customers in
    the future. Such template should stipulate the confidentiality
    obligations of both parties, rather than Corporate G’s unilateral
    confidentiality obligations. If any customer mandatorily requests
    Corporate G to sign a confidentiality agreement or a unilateral
    confidentiality commitment template drafted and provided by the
    customer, such agreement or template should be carefully examined
    as to whether the confidentiality obligations set forth therein are
    practical for the Assessed Entities, e.g., if the customer requests
    to inspect or audit the Assessed Entities’ confidentiality
    measures for protecting customer information, then the Assessed
    Entities should consider whether they are in a position to
    segregate such customer’s data from that of other customers and of
    the Assessed Entities themselves, so that allowing such customer
    to conduct an inspection or audit would not cause the Assessed
    Entities to violate confidentiality obligations to other customers
    and would not result in the leak of information.

3. Supplier-related Data Compliance

  1. Data Compliance of PA’s and SEC’s Suppliers
  1. According to the information provided by the Assessed Entities,
    Company B engaged the following types of the suppliers, i.e., two
    explosion-proof certification institutes, three finished product
    suppliers, five logistics suppliers. Company C has raw material
    suppliers, machining suppliers, technical service providers,
    equipment suppliers, etc., totaling about 600 suppliers. In the
    process of contacting these suppliers, Company B and Company C may
    collect the supplier’s company name, address, email address, company
    bank account information, contact person’s name, contact person’s
    mobile phone number, title of the contact person, etc. Most of the
    information is stored in M3, which is stored on a local server at
    Corporate G headquarters in Mannheim, Germany. Information about the
    suppliers (e.g., information about the certification institutes) may
    be shared by Company B and Company C with Corporate G’s affiliates but
    will not be shared with other third parties.

  2. With respect to the supplier information protection, first, Company
    B and Company C do not have confidentiality agreements or data
    protection agreements with all the suppliers, and there are no
    specific clauses for data protection in the relevant procurement
    contracts or other cooperation agreements, either.

  3. Second, Company B and Company C provided us with the general terms
    and conditions applicable to their procurement process, i.e., the
    Terms and Conditions for Purchase of Goods and/or Services, and
    Article 13 (Confidentiality) of this document is a confidentiality
    clause that requires the suppliers to keep information relating to
    Corporate G’s operations and technology confidential. However, this
    clause does not protect data other than confidential business and
    technical information, such as the personal information of Corporate
    G’s employees whom the suppliers may contact in the course of the
    cooperation, or information that is not confidential but needs
    to be protected. In other words, the Terms and Conditions for
    Purchase of Goods and/or Services does not contain specific data
    protection clauses.

  4. Additionally, Company B and Company C provided us with the
    Agreement on the Principles of Cooperation applicable to the
    supplier which also contains a confidentiality clause, i.e., Article
    13 “Confidentiality of P+F/Information”. In this clause, the term
    “P+F Information” refers to “all information provided by Corporate G
    or its representatives or subcontractors to supplier in connection
    with the operations, programs, goods and services covered by this
    Contract, including, without limitation, pricing and other terms of
    this Contract, specifications, data, formulas, compositions,
    designs, sketches, photographs, samples, prototypes, test vehicles,
    manufacturing, packaging or shipping methods and processes and
    computer software and programs (including object code and source
    code). P+F information also includes any materials or information
    that contains, or based on, any P+F information, whether prepared by
    Buyer, Supplier or any other person.” This clause is more protective
    than Clause 13 (Confidentiality) in the Terms and Conditions
    for Purchase of Goods and/or Services mentioned above, specifying
    the purpose of use and scope of disclosure of the said data, but
    still lacks other necessary data protection requirements, such as
    return or destruction of data, maximum retention period of data,
    etc.

Potential Compliance Risks:

  1. Company B and Company C have not signed confidentiality or
    data protection agreements with all suppliers, nor are there
    specific provisions for data protection in the procurement contracts
    or other cooperation agreements. There is no template for the
    confidentiality agreements with the suppliers.

  2. The agreement on data protection in the templates of the Terms
    and Conditions for Purchase of Goods and/or Services and the
    Agreement on the Principles of Cooperation provided by Company B
    and Company C is not sufficient.

[Preliminary Suggestions]{.underline}:

  1. (1) It is recommended to update and improve the template for a
    mutual confidentiality and data protection agreement between the
    Company and supplier, so that when dealing with suppliers in the
    future, the parties can first choose to use the fixed template for
    signing. Simultaneously, it is recommended to add the personal
    information protection and data security clauses to the existing
    agreements with the suppliers, and a “firewall” clause that protects
    the Assessed Entities from any risk caused by the supplier’s
    processing of data in violation of the legal requirements.

  2. (2) It is recommended to update and improve the templates of the
    Terms and Conditions for Purchase of Goods and/or Services and the
    Agreement on the Principles of Cooperation. Specifically, in
    addition to the terms and conditions on Confidentiality, add data
    protection terms and conditions specifying the scope of data to be
    protected, the purpose of use, disclosure restrictions, sharing
    restrictions, maximum use period, and return or destruction of data;
    requiring the suppliers to make commitments on the compliance of
    their internal policies and measures for data protection, hardware
    and software conditions for data protection, etc.; and entitling
    Corporate G to monitor, inspect and audit the implementation of the
    above data protection work of suppliers.

    1. FA’s and VMT’s Supplier-related Data Compliance
  3. FA’s and VMT’s suppliers mainly include logistics suppliers
    (including SF-express, EMS, TVS, FedEx, DHL), raw material
    suppliers, machining suppliers, labor subcontracting suppliers,
    human resource service providers, software service providers, event
    service providers, etc. Company A and Company D would collect the
    suppliers’ company name, address, email address, company bank
    account information, contact person’s name, contact person’s mobile
    phone number, contact person’s title, etc. Most of the information
    is stored in the ERP system used by the Finance Department, and the
    contact information is also stored on the mailbox or mailbox server.
    Information on the Assessed Entities’ international business with
    SF-express and EMS will also be reported to Corporate G Singapore
    office at the same time.

  4. In addition to the software purchase agreements mentioned above,
    Company A and Company D also provided us with a copy of the
    Purchase and Sale Contract with Tianjin Dongdian Chuangxin
    Technology Development Co., Ltd; a copy of the Celebration Service
    Agreement with Shenzhen Deshanghui Culture Communication Co., Ltd;
    a copy of the WORD version of the Software Development Cooperation
    Contract for the PV Project; a copy of the WORD version of the
    Ningxia Longji 101 Workshop Short Side Subcontracting Agreement; and
    the Postal Import Commercial Express Service Contract signed with
    the China Post Corporation Shanghai Branch (“EMS”). Among them,
    the Purchase and Sale Contract does not contain confidentiality
    and data protection clauses; the Celebration Activity Service
    Agreement does not contain confidentiality and data protection
    clauses; the two WORD-version contracts only stipulate the
    supplier’s confidentiality obligations to FA, with no stipulation
    on data protection; and the Postal Import Commercial Express
    Service Contract contains confidentiality clauses with some
    stipulations on personal information protection, but the relevant
    content is not sufficient to cover the applicable personal
    information protection obligations. In addition, we also learned
    that Company A and Company D usually use the supplier’s agreement
    templates when concluding agreements with the supplier, and use
    Corporate G's own template only when concluding software
    development contracts.

[Potential Compliance Risks:]{.underline}

  1. Firstly, given that Company A and Company D currently use the
    supplier’s agreement templates when entering into agreements with
    suppliers, except when concluding software development agreements,
    if a supplier’s agreement template does not contain a
    confidentiality and/or data protection clause, the final signed
    agreement will not contain such a clause either. In other words,
    the parties will not be able to clarify their respective data
    compliance obligations, and there will be no “firewall” clause to
    protect FA and Company D from any breach of data handling by the
    other party. Besides, some of the agreements with existing suppliers
    do not contain data protection and data security clauses or a
    “firewall” clause that protects Company A and Company D from any
    unlawful processing of data by the supplier.

[Preliminary Suggestions:]{.underline}

  1. It is recommended to develop, update and amend the template of the
    mutual confidentiality and data protection agreement, so that
    Company A and Company D and their suppliers can first select such
    fixed template for execution when dealing with suppliers in the
    future. Meanwhile, it is also recommended to add to the existing
    supplier agreements clauses on personal information protection and
    data security, as well as a “firewall” clause that protects Company A
    and Company D from any unlawful data processing activities by the
    supplier.

4. Internal Employee-related Data Compliance

  1. Collection of Personal Information of Candidates
<!-- -->
  1. According to the Personal Information Protection Law and other
    relevant laws, personal information processors shall inform
    individuals of the purpose of collection, etc., obtain their consent
    in accordance with the law, and follow the principle of “minimum
    necessity” when processing personal information. Storage of personal
    information shall also follow the principle of necessity: unless
    otherwise provided for by laws and administrative regulations, the
    storage period of personal information shall be the minimum period
    necessary for achieving the purpose of processing.

  2. Based on our review of the Liepintong Service Contract between
    Company C and Tongdao Jingying (Tianjin) Information Technology Co.,
    Ltd., we understand that one of the major recruitment channels of
    Company C and Company B is recruitment on the third-party platform
    and that the third-party platform engaged by Company C and Company B
    is the “Liepin” platform operated by Tongdao Elite (Tianjin)
    Information Technology Co., Ltd (“Liepin”). In this recruitment
    process, Liepin sends candidates’ resumes to the two companies, and
    the two companies will obtain the relevant personal information of
    the candidates after receipt of the candidates’ resumes. In general,
    the personal information contained in the resumes includes but is
    not limited to name, mobile phone number, email address, age,
    education level, working experience and so on. After our review of
    the Liepintong Service Contract between Company C and Liepin, we
    did not find any terms explaining how Liepin delivers such resumes
    to the two Companies or guaranteeing the compliance of such
    practice. The Personal Information Protection Policy of Liepin
    provides that “you acknowledge and agree that Liepin users within
    the scope of users you choose to disclose your resume may pay a fee
    to view your resume in order to obtain information on the resume
    you submit or upload”. However, in practice, we cannot rule out the
    possibility that a Liepin candidate is not specifically aware that
    his/her resume will be sent to Company B and SEC. Therefore, in
    order to prevent such risks, Company B and SEC, as the information
    recipients, may require Liepin to ensure that its collection and
    sharing of such personal information with the two companies comply
    with applicable laws and regulations, so as to avoid being
    implicated due to the non-compliance of third-party recruitment
    platforms during their processing of personal information. In
    addition to recruitment through third-party platforms, Company B and
    Company C also recruit through internal referral^7^. When collecting
    candidates’ CVs through internal referral, the candidate is deemed
    to give his/her consent to the two companies’ processing of the
    personal information provided by the candidate for recruitment
    purposes when the candidate sends the resume to the two companies or
    to an employee of the two companies. In addition, from the relevant
    functional departments’ personnel’s responses to the questionnaire,
    we learned that Company B and Company C do not collect any
    additional information directly from the candidates during the
    interview (e.g., the two companies do not ask the candidates to
    complete an information form during the interview). For unqualified
    candidates, Company B and Company C will delete the candidates’
    resumes within 3 months after the completion of recruitment for the
    corresponding positions.

  3. Regarding the collection of candidates’ information by Company A and
    Company D in the recruitment process, according to the information
    provided by Company A and VMT, the two entities carry out the
    recruitment and collect the candidates’ information through 51job,
    Liepin, Boss Zhipin, headhunter companies, the two companies’ WeChat
    account and internal referral^8^. Currently, Company A and Company
    D have not provided us with any service agreement with 51job,
    Liepin or Boss Zhipin^9^. At the same time, the current user
    agreements and privacy policies of the above-mentioned online
    recruitment platforms mainly describe what types of user
    information will be collected and processed by the platforms, what
    protection measures will be taken, and what channels are available
    for personal information subjects to exercise their relevant
    personal information rights. During the recruitment process, the
    information collected by the two entities includes the candidate’s
    name, mobile phone number, email address, personal work experience,
    etc. After the initial screening of resumes, the companies will
    arrange an interview with the candidate, and the candidate will be
    required to fill out an interview registration form (the “Personal
    Data Sheet”)^10^. In the Personal Data Sheet, personal information
    such as name, ID number, date of birth, mobile phone number, home
    address, marital status, emergency contact name and contact
    information, educational background, work experience, family member
    information, etc. needs to be filled out by the candidate, but the
    form does not contain a provision for the candidate’s written
    authorization to consent to the companies’ processing of personal
    information. Resumes and the Personal Data Sheet provided by the
    unqualified candidates will generally be retained in the HR
    Department for six months to one year, can only be accessed by the
    HR Department and will not be transferred overseas. The reason for
    retaining the information of candidates who were not hired is that
    some of them may still be employed by the companies later. When such
    storage period expires, such candidates’ information will be deleted
    and shredded. However, the two companies do not inform such
    candidates of how the companies will deal with their information.

[Potential Compliance Risks]{.underline}

  1. (1) If the third-party platform Liepin unlawfully sends the
    candidates’ resumes to Company B and Company C without the
    candidates’ knowledge of and consent to the recipient of the
    resume, Company B and SEC may thereby be implicated. The agreement
    with Liepin does not contain Liepin’s commitment to processing data
    in compliance with the laws and regulations.

  2. (2) When Company A and Company D ask candidates to provide
    personal information during interviews, they do not inform the
    candidate of the purpose of processing personal information, etc.
    and do not obtain the relevant individuals’ authorized consent to
    collect their personal information.

  3. (3) The user agreements and privacy policies of the online
    recruitment platforms used by Company A and Company D mainly
    introduce how the platforms process personal information. Company A
    and Company D probably do not enter into exclusive service agreements
    with the online job platforms to define the parties’ rights and
    obligations in respect of data protection and to set up a “firewall”
    to prevent risks arising from unlawful processing of data by
    third-party online recruitment platforms.

[Preliminary Suggestions:]{.underline}

  1. (1) It is recommended that Company C and Company B add a clause in
    the service agreement signed with Liepin (and other third-party
    recruitment platforms or headhunters in the future, if any) requiring
    the other party to undertake that its collection and sharing of
    candidates’ personal information with Company C and Company B is in
    full compliance with the relevant laws and that there is no illegal
    collection, use or processing. (Also applicable if Company A and
    Company D recruit through third-party headhunters.)

  2. (2) Considering that when Company A and Company D recruit through
    the online platforms, they obtain the candidates’ resumes through
    the platforms, if disputes arise between the platforms and
    candidates over the processing of candidates’ information, Company A
    and Company D could also be implicated. Therefore, it is recommended
    that Company A and Company D sign specific service agreements with
    51job, Liepin and Boss Zhipin to clarify the data compliance
    obligations and set up “firewall” clauses to prevent the risks of
    non-compliant data processing by the third-party online recruitment
    platforms.

  3. (3) A clause for obtaining an individual’s authorization and
    consent shall be added to the registration form to be filled out by
    the candidate as required by Company A and VMT. This clause shall
    inform the candidate of the type, method, purpose and storage period
    of the information to be processed and obtain his/her consent in
    accordance with the Personal Information Protection Law.

  4. (4) If the Assessed Entities recruit through the Corporate G
    website, i.e., the candidate fills out the information and uploads
    the CV on the website, the Assessed Entities shall have a privacy
    policy on the website and require the candidate to read the policy
    and tick the checkbox “I acknowledge the company’s policy and
    consent to the company’s processing of my personal information in
    accordance with the privacy policy”. In addition, the privacy policy
    shall explain how the company will process the personal information
    for recruitment purposes and provide a channel for the individual
    to exercise his/her personal information rights in accordance with
    the laws and regulations of the PRC.

<!-- -->
  1. Background Check on the Proposed Employee before Employment
<!-- -->
  1. Based on the responses to the questionnaire from the relevant
    functional staff, we understand that Company B and Company C will
    engage a third-party service provider, i.e., FSG (Shanghai Foreign
    Service (Group) Co., Ltd.), to conduct a background check on the
    proposed employees before onboarding. The background check is
    conducted without the consent of the proposed employee. According to
    general experience, the content of the background check may include
    all the information on the resume of the proposed employee, such as
    identity information and education information. We have reviewed the
    service agreement signed by Company A and FSG provided by FA, which
    according to the Company is also applicable to Company B and
    Company C, and found that this service agreement is primarily an
    agreement for the provision of payroll services by FSG to the
    Assessed Entities; it does not include the provision of background
    checks, nor does it include clauses on personal information
    protection and/or data compliance. For Company A and VMT,
    background checks are currently performed by HR itself and no third
    party is engaged.

[Potential Compliance Risks:]{.underline}

  1. According to the Personal Information Protection Law, a personal
    information processor shall inform the individuals and obtain their
    consent when providing the personal information collected from such
    individuals to a third party. Therefore, if the Assessed Entities do
    not inform the proposed employees of the background check to be
    conducted and obtain their consent, the Company’s providing of the
    proposed employee’s personal information to the background check
    company may constitute providing personal information to a third
    party without the consent of the subject of the personal
    information, in violation of the relevant provisions of the
    Personal Information Protection Law.

[Preliminary Suggestions]{.underline}

  1. (1) Company B and Company C shall first obtain the proposed
    employee’s authorization and consent for the processing of such
    personal information before requiring FSG to conduct a background
    check on the proposed employee. If the Assessed Entities provide any
    sensitive personal information of the proposed employee to FSG, a
    separate consent should be obtained from the proposed employee. In
    addition, the service agreement with FSG should clearly stipulate
    the rights, obligations and responsibilities of both parties on the
    protection of personal information and contain a “firewall” clause
    to prevent the risk associated with unlawful processing of personal
    information by FSG. In addition, in order to reduce the
    uncontrollable risks, a clause prohibiting the subcontracting of
    background check services should be added to the service agreement
    with FSG. If Company A and Company D intend to engage a third party
    to conduct the background check on the proposed employee in the
    future, Company A and Company D may adopt the suggestions here if
    appropriate.

  2. (2) The Company shall establish a personal information protection
    policy and set out compliance requirements for the HR and other
    employees when processing personal information.

<!-- -->
  1. Collection of Personal Information of Officially Hired Employees
<!-- -->
  1. Based on the responses to the questionnaire from the relevant
    functional staff, after deciding to formally hire the candidate, the
    Assessed Entities will ask such employee to fill out the Employee
    Information Form (for Company B and SEC) or the Personal Data
    Sheet^11^ (for Company A and VMT), which require the employee to
    provide his/her personal information such as name, ID number,
    contact information, address, bank card number, marital status,
    children’s status, family members’ information including contact
    phone numbers, education, etc.; sign the Employment Contract with
    the employee; and require such employee to acknowledge and sign for
    the Employee Handbook. In the daily work, if the employee asks for
    leave, the Assessed Entities could also collect the employee’s
    information such as the sick leave statement. In addition, if
    Company A and Company D intend to organize the employee’s onboarding
    health check and the annual health check, they could also collect
    the employee’s name and ID number and review the employee’s health
    check report. According to the Personal Information Protection Law
    and other laws, when collecting personal information, the Company
    shall inform the individual of the purpose of collection and obtain
    his/her consent, and the collection shall comply with the “minimum
    necessity” principle. In particular, the Employee Information Form
    of Company B and Company C contains the statement that “this form is
    for archival purposes and must be filled out truthfully and
    carefully by each employee”; the Personal Data Sheet of Company A
    and Company D contains the statement that “I declare that the above
    information provided by me is factually correct”. The Employee
    Handbook of the 4 Assessed Entities provides that “if false
    information is provided, the company has the right to terminate the
    employment contract” but does not contain a clause explaining the
    specific use of the information collected, or a clause on the
    employee’s consent to the collection of personal information by the
    Assessed Entities. In addition, the employment contract templates
    provided by the four Assessed Entities do not contain provisions on
    the protection of personal information.

  2. Regarding the data related to the employee attendance check, we
    learned that SEC, Company A and Company D use fingerprint checking
    for employee attendance on a daily basis. The fingerprint data of
    the employees of Company C is stored in the attendance checking
    machine and is not stored on local servers or other devices located
    in mainland China, nor is it provided to the Corporate G
    headquarters in Germany, other affiliated companies outside of
    China, or other third parties. The fingerprint data of Company A and
    Company D employees is stored in the attendance checking machine and
    on local servers located in mainland China and is not provided to
    Corporate G headquarters or affiliated companies outside of China.
    Currently, only relevant personnel from the HR and IT departments of
    SEC, Company A and Company D respectively have access to such
    fingerprint data. However, PA, Company A and Company D did not
    obtain the consent of the employees before collecting their
    fingerprint data.

  3. In addition, Company B and Company C installed cameras in their
    plants and posted warning signs at the entrance of the plants, but
    the monitoring act was not mentioned in the two companies’ Employee
    Handbook or Employment Contract. Security cameras were also
    installed in the offices of Company A and VMT, but there were no
    warning signs notifying individuals that they will be in the
    monitoring area, and such monitoring act was not mentioned in the
    two companies’ Employee Handbook or Employment Contract.

[Potential Compliance Risks:]{.underline}

  1. The four Assessed Entities do not obtain written consent from the
    employees for the collection of personal information, including the
    sensitive personal information such as ID numbers, mobile phone
    numbers, bank card numbers, and fingerprint characteristics (SEC,
    FA, and Company D collect employees’ fingerprints for attendance
    purposes) which shall be collected upon the individuals’ separate
    consent; there are no provisions regarding the protection of
    personal information in the Employee Handbook or Employment
    Contracts. In addition, the Company may not have reviewed the forms
    that require employees to fill out information to assess whether the
    types and the scope of information currently collected from the
    employees are consistent with the “minimum necessity” principle.
    Company A and Company D do not place notification signs in the areas
    where cameras are installed to indicate that the individuals are
    entering the monitoring areas.

[Preliminary Suggestions:]{.underline}

  1. (1) Prepare a separate notification of consent for the processing
    of personal information of employees, as well as a notification of
    consent for the processing of sensitive personal information^12^
    (and a notification of processing of personal information of minors
    under 14 years of age if necessary), specifying the types of data
    that may be collected, the purposes of collection, other data
    processing activities that may be involved (please refer to the
    below analysis for details), the retention period of the data, the
    rights that individuals have with respect to their personal
    information and the channels for exercising such rights and ask
    employees to sign them.

  2. (2) Add provisions on the protection of personal information to
    the existing Employment Contract and Employee Handbook.

  3. (3) Review the information collection forms that need to be
    completed by employees to ensure that the information to be
    collected from employees is necessary based on the day-to-day
    operations and management of the Company, and, if necessary, add
    representations regarding the authorization of consent for the
    processing of personal information to the relevant forms.

  4. (4) Company A and Company D shall set up warning signs notifying
    the individuals that they are in the monitoring area at conspicuous
    places in the monitoring area.

<!-- -->
  1. Other Processing Activities of Employees’ Personal Information
<!-- -->
  1. Based on the responses to the questions in the questionnaire from
    the relevant functional staff and the review of the relevant
    documents, we learned that the Assessed Entities’ other processing
    activities regarding the employees’ personal information are as
    follows:

  2. (1) Personal information (name, mobile phone number, etc.) of the
    employees is provided to counterparties in the course of daily
    business. But there is no statement on the protection of personal
    information in the relevant agreements.

  3. (2) Storage activities, i.e., i) providing employees’ personal
    information to the German headquarters. To be specific, because the
    employee data (not including sensitive personal information) of the
    four Assessed Entities is currently stored in the ERP system, and
    all data in the ERP system is stored on the local servers of the
    Corporate G German headquarters, such data storage conduct could be
    deemed a cross-border transfer of personal information. However,
    as mentioned above, such processing is not stipulated in the
    relevant employee information forms, Employment Contract,
    Employee Handbook, etc., and is not consented to by the employees.
    Meanwhile, pursuant to the Personal Information Protection Law,
    one of the following conditions must be satisfied prior to a
    cross-border transfer of personal information, namely: passing the
    security assessment organized by the Cyberspace Administration of
    China (“CAC”); or being certified by a specialized agency on the
    protection of personal information; or entering into cross-border
    data transfer agreements with the overseas recipient in accordance
    with the standard contract formulated by the CAC. Among them,
    according to the Security Assessment Measures for Outbound Data
    Transfers, 1) a data processor processing the personal information
    of more than one million people, 2) a data processor that has
    provided personal information of 100,000 people or sensitive
    personal information of 10,000 people in total overseas since
    January 1 of the previous year, or 3) a CIIO shall, if it transfers
    personal information overseas, apply for a security assessment on
    cross-border data transfer to be conducted by the CAC. In addition,
    if a data processor transfers critical data overseas, it shall also
    apply for a security assessment on cross-border data transfer to be
    conducted by the CAC. According to the information provided by the
    Assessed Entities, none of the Assessed Entities is currently
    recognized by any national regulatory authority as a CIIO, nor do
    the Assessed Entities process any critical data. At the same time,
    according to the information provided by the Assessed Entities,
    from 1 January 2021 to 25 November 2022, the total number of
    employees of the Assessed Entities in China is 344^13^. Some of the
    personal information of the aforementioned employees (excluding
    sensitive personal information) is stored on a local server in
    Germany; the total number of contacts of business partners,
    including customers, distributors and suppliers of the Assessed
    Entities, stored in the information system of the Assessed Entities
    is approximately 18,528^14^, and the aforementioned contact
    information is stored on a local server located in Germany. In
    conclusion, there are 18,872 PRC-located individuals in total whose
    personal information is stored on the local server in Germany,
    i.e., the Assessed Entities have transferred the personal
    information of around 18,872 PRC-located individuals overseas. In
    addition, the total number of individuals whose personal information
    was accessed by the Assessed Entities from 1 January 2021 to 21
    November 2022 through websites, e-commerce platforms and other
    channels in the course of conducting their online sales business is
    4,100^15^, and if these data are also transferred overseas, the
    total number of PRC-based individuals whose personal information is
    transferred abroad is approximately 22,972^16^, which is less than
    the 100,000 specified in the Security Assessment Measures for
    Outbound Data Transfers. Therefore, based on the above data
    provided by the Assessed Entities and the aforementioned
    calculations, as of the date of this report, the cross-border data
    transfer activities of the Assessed Entities are not in a situation
    where a security assessment on cross-border data transfer is
    required for the time being. However, as of the date of this report,
    the Assessed Entities’ transfer activities have not been certified
    by a specialized institution on the protection of personal
    information as required by the Personal Information Protection Law,
    nor have the Assessed Entities signed the relevant cross-border data
    transfer agreement with the German headquarters entity (and other
    affiliated parties abroad)^17^; ii) the Company’s HR systems store
    the employees’ information, including the information of the
    employees’ relatives and the employees’ sick leave statements^18^.
    The laptops of the HR personnel store the employees’ personal
    information as well. In addition, the HR department also retains the
    employees’ personal profiles in hardcopy.

  4. (3) Some employees of one Assessed Entity can view the information
    about the employees of another Assessed Entity based on their
    management authority. To be specific, we learned that the Assessed
    Entities may share the same functional teams. For example, the IT
    head of the four Assessed Entities is currently the same person, and
    although he has legally established the employment relationship
    (i.e., signed the employment contract) with only one of the four
    Assessed Entities, he is able in practice to view the data of all
    four Assessed Entities based on his management authority as the IT
    head of Corporate G China. In such cases, although all four
    Assessed Entities are the business entities of Corporate G China in
    terms of the corporate management structure, from a legal
    perspective all four Assessed Entities are legal entities
    independent of each other. Therefore, from a legal perspective, the
    fact that employees of Company A can view the internal data of
    Company B, Company C and Company D could be deemed as these three
    companies providing their internal data to Company A, and according
    to the Personal Information Protection Law, the provision of
    personal information to external entities shall be notified to the
    individual and the individual’s consent shall be obtained. A written
    agreement shall also be signed with the external entity to clarify
    the respective rights and obligations. Currently, we learned that no
    personal information transfer and sharing agreements have been
    signed among the four Assessed Entities.

  5. (4) Sharing the employee’s personal information to third-party
    organizations, such as:

  6. (a) Providing the employees’ personal information such as the
    name, ID Card number, contact information and other sensitive
    personal information to third-party service providers, i.e.,
    Ctrip (applicable for Company B and SEC) and Spring Tour (applicable
    for Company A and VMT), for the purpose of assisting the employees
    to book air tickets, hotel bookings and other itineraries for their
    business trips. Such information sharing is not stipulated in
    documents such as the Employee Information Form, the Employment
    Contract or the Employee Handbook, nor consented to by the
    employees; the service agreements with Ctrip and Spring Airlines
    contain no provisions regarding personal information protection and
    data compliance, either. (b) Providing the employees’ name, gender,
    age and contact information to third-party medical check companies
    based on the Company’s employee medical examination benefit policy;
    such information sharing is not specified in documents such as the
    Employee Information Form, the Employment Contract or the Employee
    Handbook, and is not consented to by the employees in writing in
    advance. (c) Providing the employees’ personal information such as
    ID numbers and dates of birth to third-party insurance agencies,
    AIG (applicable for Company B and SEC) and Sun Life Everbright Life
    Insurance Co., Ltd (applicable for Company A and VMT), based on the
    Company’s benefit policy regarding purchasing accident insurance;
    such data sharing is not specified in documents such as the
    Employee Information Form, the Employment Contract or the Employee
    Handbook, nor consented to by the employees, and the agreements
    respectively signed with AIG and Sun Life Everbright Life Insurance
    Co., Ltd do not contain data protection provisions related to the
    use of the aforementioned personal information or confidentiality
    requirements. (d) Entrusting a third party (i.e., China
    International Intellectech (Shanghai) Co., Ltd. (“CIIC”, applicable
    for FA)) to provide services related to the employees’ endowment
    insurance, medical insurance, unemployment insurance, employment
    injury insurance, maternity insurance and housing provident fund,
    personnel file management, work documents for entering Shanghai for
    work, the evaluation of professional and technical titles, and the
    registration of the collective Hukou, for which the Company may
    need to provide the employees’ personal information to CIIC. Such
    data sharing is not stipulated in documents such as the Employee
    Information Form, the Employment Contract or the Employee Handbook,
    and is not consented to by the employees in writing in advance.

  7. (5) According to the Personal Information Protection Law, the
    personal information processor shall delete the personal information
    if any of the following circumstances occurs: (i) where the purpose
    of processing has been achieved, it is impossible to achieve such
    purpose, or it is no longer necessary to achieve such purpose; (ii)
    where the personal information processor ceases to provide products
    or services, or the storage period has expired; (iii) where the
    individual withdraws his/her consent; (iv) where the personal
    information processor processes personal information in violation of
    laws, administrative regulations or the agreement; or (v) other
    circumstances stipulated by laws and administrative regulations.
    Therefore, in principle, according to the requirements of the
    Personal Information Protection Law, if a candidate is not employed
    or an employee resigns, the Company should delete his or her
    personal information as soon as possible. Of course, in practice,
    based on other legal provisions and the necessary management needs
    of the Company (for example, to prevent post-employment labor
    disputes, the Company may retain the information of ex-employees
    for a period of time), assuming that the Company has reasonably
    determined the storage period applicable to the Company’s practice
    and has informed the individual and obtained his consent, the
    Company may retain the information of the corresponding individual
    within the storage period determined by the Company. However, it
    should be noted that if an individual requests the Company to delete
    his or her personal information within the storage period, the
    Company should delete it in accordance with the provisions of the
    Personal Information Protection Law. With regard to the processing
    of the information of employees after the termination of their
    employment, according to the information provided by the HR of
    Company B and SEC, Company B and Company C generally store the
    personal information of the employees for a certain period of time
    following the termination of their employment. The retention period
    of the hardcopy of the personal information is usually 5 years and
    above, while that of the softcopy of the personal information is
    three years. The regulations and practices of Company A and VMT on
    the storage and deletion of employee information are to be
    confirmed. It is important to note that, according to the
    information provided by the IT department of the Company, the
    Company has not set up a unified deletion period for the moment;
    i.e., based on the current practice, even if the HR department has
    its own internal regulations on the storage and deletion of data,
    these may not be known to the IT and other departments, so it is
    possible that employee data would in practice be stored in the
    Company’s internal information systems for a longer period of time.

[Potential Compliance Risks:]{.underline}

  1. According to the provisions of the Personal Information Protection
    Law, the Company should notify the individual of the aforementioned
    data processing activities and obtain the consent of the individual
    and should comply with the principle of “minimum necessity”.
    Therefore, the following risks may exist in the current practice of
    the aforementioned data processing activities by the Assessed
    Entities:

  2. (1) There are no provisions for the protection of personal
    information in the agreements with the customers and the
    distributors.

  3. (2) Providing employee personal information (which may include
    sensitive personal information) to other Corporate G China entities
    without the employees’ consent.

  4. (3) Not being certified by a specialized institution on the
    protection of personal information in accordance with the Personal
    Information Protection Law, nor having signed the relevant
    cross-border information transfer agreements with the German
    headquarters (as well as other overseas affiliates, if any).

  5. (4) Provide the employees’ personal information to an external
    third-party institution without the consent of employees, and the
    service agreement with the external third-party institution does not
    include a data protection clause.

  6. (5) The departments vary in the practice on the setting of storage
    method and the period of storage of employees’ personal information.
    In addition, in practice, the former employees’ personal information
    may be stored for a longer period than “the minimum period necessary
    for the purpose of processing”.

[Preliminary Suggestions:]{.underline}

  1. (1) As mentioned above, prepare a separate notification consent
    form for the processing of personal information as well as a
    notification consent form for the processing of sensitive personal
    information, and add the provisions of personal information
    protection to the existing Employment Contract and Employee
    Handbook.

  2. (2) Add the personal information protection clauses to the
    agreements with the relevant suppliers and customers, as mentioned
    above.

  3. (3) Arrange for the execution of the data sharing agreements among
    the four Assessed Entities.

  4. (4) Sign a cross-border data transfer agreement with the Corporate G
    German headquarters (and/or other offshore entities that need the
    Assessed Entities to share their employees’ personal information).
    At the same time, regularly calculate the quantity of personal
    information transferred overseas in terms of the number of
    individuals (including the quantity of personal information stored
    on overseas servers, and the quantity of personal information
    provided to overseas affiliated entities via email, etc.), and
    prepare and apply for the security assessment on cross-border data
    transfer when the data transferred overseas meets the circumstances
    under which a security assessment is required.19 It should be noted
    that the Personal Information Protection Law stipulates that for the
    cross-border transfer of personal information, one of the following
    three conditions needs to be met: 1) completion of a security
    assessment, or 2) certification on personal information protection,
    or 3) drafting and signing of a cross-border data transfer agreement
    with the overseas recipient in accordance with the contract template
    issued by the CAC. Among the three requirements, as mentioned
    above, the Assessed Entities are not currently in a situation where
    a security assessment on cross-border data transfers is required,
    but the Assessed Entities are required to regularly calculate the
    quantity of personal information transferred overseas in terms of
    the number of individuals and ensure that the security assessment
    is reported to the CAC in a timely manner once the security
    assessment for outbound data transfers is triggered. With regard to
    the other two requirements, some of the practical guidelines for the
    certification on personal information protection are to be further
    clarified20, and with regard to the third method, i.e., signing
    cross-border data transfer agreements, the CAC has only released a
    Draft of Standard Contracts for Cross-border Transfers of Personal
    Information, which has not been finalized and promulgated yet21.
    Given that the Company is not currently defined by the regulator as
    a Critical Information Infrastructure Operator and currently does
    not process important data, based on the nature of the Company and
    the type of data processed by the Company, we consider that before
    further refined practical guidelines for cross-border data transfer
    are issued, the Company may adopt the approach of signing data
    transfer agreements with overseas recipients. Although no template
    or model agreement has officially come into force, if the
    cross-border data transfer agreements between the Company and
    overseas recipients are drafted in accordance with the draft
    standard contract issued by the CAC and comply with the requirements
    for data security and information protection under the Personal
    Information Protection Law and other relevant laws, the risks
    associated with the cross-border transfer of personal information
    could be relatively manageable. We will continue to monitor the
    issuance of the relevant regulations and rules, keep the Company
    posted in a timely manner, and take appropriate measures to ensure
    that the Company’s cross-border data transfer practices are in
    compliance with the effective legal requirements.

  5. (5) If the Company’s information systems store the personal
    information of employees, as well as the personal information of
    employees’ relatives, strict access management shall be adopted
    when storing such information. If sensitive personal information
    is stored in the information systems (such as bank accounts, ID
    numbers, mobile phone numbers, sick leave statements, medical check
    reports, etc.), it is recommended that stricter protection measures,
    such as encrypted storage, be taken to further reduce the risk of
    such information being leaked. At the same time, it is suggested
    that the Company establish a unified personal information
    protection policy (which should include provisions on personal
    information storage and access requirements).

  6. (6) Sign the data sharing and transfer agreements with relevant
    external third parties.

  7. (7) Regarding the storage period of the personal information of
    resigned employees, it is recommended to consider factors such as
    the period agreed in the non-competition agreement, the limitation
    period for litigation, and the necessity of the Company’s daily
    management in order to reasonably determine the length and scope of
    such storage period, so as to form a unified information retention
    policy. At the same time, the Company should inform the individuals
    and obtain their consent, and take the same protective measures as
    for current employees. After the storage period expires, the
    personal information should be deleted or anonymized. If resigned
    employees request the Company to delete their personal information
    within the retention period, the Company should delete it as
    requested.

5. Storage and Transfer of Data

  1. As we have analyzed the storage and transfer of personal information
    of the employees in Part 4, in this part we will discuss the storage
    and transfer of the data other than that of personal information of
    the employees.

  2. Regarding the transfer and sharing of data among the four Assessed
    Entities, as stated in previous paragraphs, the entities share some
    members of management and functional departments. Although the four
    Assessed Entities in China are all subsidiaries of Corporate G in
    terms of business management, they are all separate legal entities
    in law. Therefore, when the employees of Company A have access to
    the data of Company B, Company C and Company D, it is deemed as the
    three companies providing data to Company A, so a data transfer and
    sharing agreement shall be signed and the consent of the information
    subjects must be obtained. For the collection of personal
    information of the employees of customers or suppliers, as it is
    based on business necessity and the performance of the related
    personnel’s duties, the four Assessed Entities need not obtain
    consent from them but should inform them that the data collected
    (including the contact person’s personal information) might be
    shared among the four entities of Corporate G China. We learned
    that no data transfer and sharing agreement has been signed among
    the four entities, nor have the four entities made efforts to
    inform customers and suppliers of the data transfer in the relevant
    agreements with customers and suppliers.

  3. Besides, according to the responses from the relevant functional
    departments to our questionnaire, we learned that except for the
    Digiwin on-leave and reimbursement system and the Cityray HR system,
    whose data are stored within the PRC, all the other data in the
    systems, including ERP and CRM, are stored in Mannheim, Germany.
    Therefore, when data generated during day-to-day business is
    uploaded to the ERP and CRM systems by the Assessed Entities, as the
    servers are located overseas, the data is in fact transferred
    overseas automatically, which may constitute a cross-border transfer
    of personal information if such data includes personal
    information22. On the other hand, as the Assessed Entities and
    their German headquarters are separate legal entities, such transfer
    also constitutes “providing personal information to third parties”
    under the Personal Information Protection Law. According to the
    information provided by the Assessed Entities, none of the four
    entities has taken the measures prescribed by the Personal
    Information Protection Law for cross-border transfer, such as a
    security assessment, certification on personal information
    protection or signing a cross-border transfer agreement, nor have
    they informed customers and suppliers that their personal
    information might be transferred abroad.

  4. For the protection of data, the Assessed Entities have adopted a
    series of measures in the storage management process, including
    using SSL encryption channels during transfer, setting access
    permissions according to the principle of employee access
    necessity, using IAM to manage file server permissions, encrypting
    laptop hard disks, backing up mail servers and file servers while
    using disks and tapes for multiple types of backup copies,
    conducting backups on a regular weekly basis, and adopting a
    collocated backup method (using full backups and incremental
    backups). However, the entities have not set a deletion period for
    the data, nor have they formed a data protection policy that covers
    access management, data source labeling, data encryption and
    storage, data transfer security, data anonymization, and a data
    classification and hierarchical protection system, etc.

  5. The Personal Information Protection Law requires that the storage
    of personal information follow the principle of necessity, i.e.,
    unless otherwise provided by laws and administrative regulations,
    the retention period of personal information shall be the shortest
    period necessary to achieve the purpose of processing. According to
    the information provided by the Assessed Entities, the Assessed
    Entities have not set a deletion period for the stored data, which
    leads to compliance risks; for instance, the personal information
    of some customer contacts which is no longer valid is still
    retained, or some customers have changed their contact persons but
    the personal information of the former contact is still retained.

  6. In addition, according to the information provided by the Assessed
    Entities, the employees of the Assessed Entities have their working
    email set up by the IT team of Corporate G China, and the email
    correspondences are stored on local servers located in the PRC.

[Potential Compliance Risks:]{.underline}

  1. (1) Employees of one of the Assessed Entities may have access to
    data of another Assessed Entity based on management authority, but
    no data sharing agreement has been signed by the relevant entities.

  2. (2) The Assessed Entities do not notify the customers before
    transfer of data, nor have they been certified on personal
    information protection or signed cross-border transfer agreement
    with the German headquarters (or other affiliated overseas entities)
    as required by the Personal Information Protection Law.

  3. (3) The Assessed Entities did not set a deletion period for some of
    the stored electronic data.

[Preliminary Suggestions:]{.underline}

  1. (1) As mentioned above, it is recommended that data sharing
    agreements be signed among the Assessed Entities.

  2. (2) As mentioned above, it is recommended that cross-border data
    transfer agreements be signed between the Assessed Entities and the
    German headquarters (or other overseas affiliated entities). At the
    same time, regularly calculate the quantity of personal information
    to be provided abroad in terms of the number of individuals
    (including the quantity of personal information stored on overseas
    servers, and the quantity of personal information transferred to
    overseas affiliates via email, etc.), and prepare and apply for the
    security assessment on cross-border data transfer when the data to
    be provided abroad meets the circumstances under which the security
    assessment is required.

  3. (3) Review and check on the customers’ contact information, delete
    the personal information of the invalid contacts, add statements to
    obtain consent for the customers’ personal information such as
    contact information to be transmitted across borders and stored in
    overseas servers in the agreements or emails with customers and
    inform the customers of the method to submit their requests of
    deletion.

  4. (4) Form a unified data storage policy based on the Company’s
    practical needs.

6. Processing, Use and Sharing of Data

  1. As Part 4 of this report has analyzed the processing, use and
    sharing of employees’ personal information, this part will mainly
    discuss the processing, use and sharing of other data including the
    personal information of the contacts of the suppliers and customers.

  2. According to the response of relevant functional departments to our
    questionnaires, the purpose of collection of customers’ or
    suppliers’ information (including contact person’s name, mobile
    number, email address, product needs and financial account of the
    company) is to set up the customer or supplier file in the internal
    system, process order, issue invoice, conduct production and sales
    prediction23, conduct product marketing activities, organize
    customer activities and conduct internal and external trainings.
    Regarding the promotional information sent to customers, the
    Assessed Entities would send them through the Universal Messenger
    software operated by the German headquarters with the server at
    Germany or through the email sender at Germany. The emails contain
    methods for the customers to unsubscribe, but it is unclear whether
    consent is obtained beforehand24.

  3. Regarding the sales activities of the Assessed Entities, the main
    sales modes include online sales and offline sales.

  4. Regarding online sales, the Assessed Entities would use the DCP
    platform operated by Corporate G Germany (applicable to Company A
    and VMT) and some third-party platforms (i.e., Company B and Company
    C use EPEC, Company A uses JD, VIPMRO and 1688) for sales business,
    including receiving orders, order settlement, aftersales service,
    etc. To be specific:

  5. (1) Regarding the DCP website operated by the Corporate G
    headquarters in Germany, customers can register on this website to
    make purchases by providing a contact name, contact number, shipping
    address and invoice requirements at the time of registration. The
    state-owned enterprise or state-owned research institute customers
    of Company A and Company D do not currently have DCP accounts.
    Corporate G can view all DCP customer data, including basic
    customer information, customer order details and shipping
    addresses. In addition, for the Chinese distributors or authorized
    agents who currently use DCP more frequently, Company A has signed
    Online Order Agreements with them (FA provided a template agreement
    for our reference). According to Article 9 “Security and
    Confidentiality Obligations” of this agreement, each party agrees
    to treat the other party’s network programs, account numbers and
    passwords, computers, telephone numbers or similar information as
    “confidential” or “proprietary information”. New users who apply
    for an account only need to tick the “Terms and Conditions of
    Sale”. At the same time, the DCP website has a privacy policy to
    inform users of how the personal information provided by users will
    be processed. It should be noted that since the DCP website is
    operated by the German headquarters, we understand that in this
    case, if a Chinese distributor registers as a user on the DCP
    website, the German headquarters will collect the personal
    information of the contact person directly through the DCP website.
    According to the Personal Information Protection Law, overseas
    individuals and entities that process personal information from the
    territory of the PRC for the purpose of providing products or
    services to individuals in the PRC shall comply with the provisions
    of this law. Therefore, the DCP website’s processing of such
    personal information shall comply with the provisions of the
    Personal Information Protection Law. At present, the privacy
    policy on the DCP website is mainly based on the EU GDPR and needs
    to be further revised in accordance with the laws of the PRC. In
    addition, the existing Online Order Agreement, although containing
    provisions on privacy protection, is not sufficient to cover the
    rights and obligations of both parties with respect to data
    protection.

  6. (2) With regard to the business of Company B and Company C on the
    EPEC platform, in accordance with the service agreement provided by
    the Assessed Entities and the information we found on the EPEC
    platform, after registering as members, Company B and Company C
    employees can receive personal information such as real names,
    company phone numbers, mobile phone numbers, email addresses,
    company addresses and other personal information of the contact
    persons of the platform’s suppliers and purchasers; they may then
    contact the relevant individuals and process online transactions.
    At the same time, according to the agreement and policy of the EPEC
    platform, a platform member shall not download personal information
    to the platform member’s local server. Therefore, Company B and
    Company C may receive personal information of the purchaser contact
    persons on the platform but are not allowed to download such
    personal information to PA’s and SEC’s local servers. Apart from
    personal information, the types of data involved in PA’s and SEC’s
    interaction with suppliers and partners do not include other
    “important data” under the Data Security Law, based on the
    responses of personnel from the relevant functional departments to
    the questionnaires and our review of the relevant documents. The
    cooperation/service agreement between Company B and Company C and
    the third-party platform does not contain data protection clauses
    clarifying the rights and obligations between the two parties. In
    addition, we understand that Company B and Company C currently do
    not have policies regarding the processing of personal information.

  7. (3) Regarding FA’s sales business on JD, according to the
    information provided by FA, there are currently two Corporate G
    stores on JD. One is called the “Corporate G JD Self-operated
    Flagship Store”, which is not directly operated by FA but by FA’s
    online authorized distributor “Suzhou VIPMRO”. Company A cannot
    directly view or download consumer or store membership data for this
    store. After reviewing the Online Distribution Agreement signed by
    Company A with Suzhou VIPMRO Information Technology Co., Ltd., we
    found that it does not contain provisions on data compliance and
    personal information protection, nor does it require the
    distributor to process data in accordance with legal regulations.
    The other store, the “Corporate G Official Flagship Store”, is
    directly operated by FA. All e-commerce team members responsible
    for operating the “Corporate G Official Flagship Store” can view
    and download the order information of the store through the store’s
    backend system. The order information contains the ID number of the
    person who placed the order, the customer name, customer address
    and contact number. If the customer chooses to be invoiced, they
    can also see the invoicing information filled out by the customer
    (such as the name of the party the invoice is issued to, tax
    number, company address, the bank of deposit and account number).
    The e-commerce team employees currently have the authority to send
    messages to the consumers of the store, which is currently handled
    by the store managers and customer service representatives. The
    messages contain an option to unsubscribe, but according to the
    information provided by the Company at present, it is uncertain
    whether the consumers are informed in writing before such messages
    are sent. Besides, at present, Company A does not have a privacy
    policy applicable to its self-operated store. It should be noted
    that whether Company A directly views and downloads the store order
    information when operating a store, or obtains the consumers’
    personal information from the third-party agent or the online
    platform when entrusting a third party to operate a store on its
    behalf, it shall perform the corresponding personal information
    protection obligations and process the relevant personal
    information in accordance with the provisions of the Personal
    Information Protection Law. In addition, when entrusting VIPMRO to
    operate the store, it should require VIPMRO to process the consumer
    data in accordance with the relevant laws and regulations and the
    provisions of the JD platform. At present, Company A does not have
    a corresponding policy for the protection of personal information.

  8. (4) Regarding the sales business of Company A on the VIPMRO
    platform, according to the information provided by FA, the VIPMRO
    platform belongs to FA’s online authorized distributor “Suzhou
    VIPMRO”. Company A has no stores on VIPMRO; it only provides
    Corporate G products on the platform and does not directly operate
    the online transactions. Therefore, Company A cannot directly view
    or download order and consumer data. After reviewing the Online
    Distribution Agreement signed by Company A with Suzhou VIPMRO
    Information Technology Co., Ltd., we found that it does not contain
    provisions on data compliance and personal information protection,
    nor does it require distributors to process data in accordance with
    legal regulations. In addition, it should be noted that if Company A
    obtains consumers’ personal information from the VIPMRO platform for
    necessary purposes such as post-sales services, it shall perform the
    corresponding personal information protection obligations and
    process the relevant personal information in accordance with the
    provisions of the Personal Information Protection Law. As mentioned
    above, Company A does not currently have a policy in place regarding
    the protection of personal information.

  9. (5) Regarding FA’s sales business on the 1688 platform, there are
    two Corporate G officially authorized stores on the 1688 platform,
    operated by two authorized distributors of Corporate G. Corporate G
    e-commerce team members have backend sub-accounts for the two
    stores, so they can view the stores’ orders and the buyers’
    information stated in the orders (i.e., the ID placing the order,
    the recipient, delivery address and contact number), but cannot
    directly download such data. If they need to download the data, the
    distributor’s designated person in charge of store operations will
    do so and send it to the Company A employees. The person in charge
    of store operations designated by the distributor can send messages
    to the consumers of the stores, and there is an option to
    unsubscribe. After reviewing the Cooperation Agreement on
    Authorizing Shanghai Baice Self-Control Technology Co., Ltd. to Open
    a Corporate G Store and the Cooperation Agreement on Authorizing
    Shanghai Wudie Trading Co., Ltd. to Open a Corporate G Store
    provided by FA, we found that the distributor has a confidentiality
    obligation regarding customer data, sales records, document vouchers
    and other information provided by FA, and that when Corporate G so
    requests or the agreements are terminated, all such information
    shall be returned to Corporate G or destroyed in accordance with
    Corporate G’s instructions. However, the two agreements do not
    contain provisions on personal information and data compliance, nor
    do they require the distributors to process data in accordance with
    the laws. In addition, it should be noted that when viewing or
    obtaining consumer information, Company A employees shall perform
    the corresponding personal information protection obligations and
    process the relevant personal information in accordance with the
    provisions of the Personal Information Protection Law. Besides, as
    mentioned above, Company A does not currently have a policy in place
    regarding the protection of personal information.

  10. In addition, the Company sells products and services by signing
    distribution agreements with offline distributors. According to the
    Distributor Agreement it signed with Beijing Hot Innovation
    Control System Co., Ltd. and the Distributor Agreement it signed
    with Chongqing Xikaiang Technology Co., Ltd., Company A may request
    the distributor in writing to provide information such as the
    destination of the distributed products, which means that in
    practice Company A may obtain end-users’ information (which may also
    include the personal information of the contact person) from the
    distributor. The two distributor agreements do not contain
    provisions on personal information protection and data compliance,
    nor do they contain “firewall” clauses to prevent distributors from
    implicating Company A through their processing of data in violation
    of regulations.

[Potential Compliance Risks:]{.underline}

  1. (1) The German headquarters possibly sends emails containing
    commercial advertisements to the personal email addresses of the
    customers’ contact persons without the individuals’ consent.
    Besides, the persons operating the online stores possibly send
    promotional messages to the VIP members of the online stores without
    the relevant individuals’ consent.

  2. (2) The privacy policy on the DCP website needs to be reviewed
    and revised in accordance with the relevant laws and regulations of
    the PRC, and the Online Order Agreement signed with some
    distributors which use DCP more frequently is not comprehensive on
    the provisions regarding the protection of personal information.

  3. (3) There are no provisions on personal information protection
    and data compliance in the agreements with online, offline
    distributors and third-party online platforms. There are no
    “firewall” clauses to prevent the Company from being implicated by
    third parties due to the third parties’ unlawful processing of
    personal information, either.

  4. (4) For FA’s self-operated store, the Company has not signed a
    specific service agreement with JD to clarify the rights and
    obligations of both parties in addition to a standard user
    agreement, and the self-operated store has not formulated
    corresponding privacy policies, nor has it informed the consumers
    of how the store will process their personal information collected.

  5. (5) The Assessed Entities have not established policies for the
    protection of personal information to regulate employees’ use of
    personal information obtained from third parties.

[Preliminary Suggestions:]{.underline}

  1. (1) It is recommended to add the stipulation in the
    correspondence or cooperation agreements with the customers to
    obtain the customer’s consent to receiving promotional emails. The
    Company should also notify the customer that it may entrust third
    parties to send such promotional emails and obtain the customer’s
    consent. If the processing of the sensitive personal information is
    involved, the relevant part should be highlighted, and separate
    consent should be obtained. When sending the messages to the
    consumers of the online stores, the consumers should be informed in
    writing and consent should be obtained.

  2. (2) Review the privacy policy of the DCP website and the Online
    Order Agreement signed with some distributors who use DCP more
    frequently based on the current PRC laws and regulations and make
    necessary amendments.

  3. (3) Add the provisions on personal information protection and
    data compliance in the agreements with online distributors and
    offline distributors and the EPEC platform, as well as “firewall”
    clauses to prevent the Company from being implicated in the
    unlawful processing of personal information by third parties.

  4. (4) For FA’s self-operated store, if feasible, sign a specific
    service agreement with JD to clarify the rights and obligations of
    both parties. At the same time, formulate a privacy policy for the
    self-operated store and inform the consumers of how the stores will
    process the personal information.

  5. (5) Establish policies for the protection of personal
    information.

7. Cybersecurity and Data Compliance Management

  1. By reviewing the documents provided by the Company and interviews
    with the relevant business departments of the Assessed Entities, we
    understand that the Company has certain practical requirements for
    cybersecurity, data security and personal information protection in
    its daily operations, such as setting up a dedicated
    cybersecurity/data compliance officer, setting access permissions
    for some data, requiring the overseas parent company or affiliates
    to comply with certain management processes to obtain permission to
    view such data, using an SSL encrypted channel for transfer, etc.
    However, the requirements in these practices are not sufficient to
    cover the obligations the Company should fulfill in terms of network
    security, data security and personal information protection as a
    network operator and data processor. Such obligations may include
    formulating a data classification policy, network security
    management policies, a network security incident emergency response
    policy, an information security incident management policy, and a
    network and information security internal audit management policy
    and operating procedures.

  2. In addition, by reviewing the documents provided by the Company and
    interviews with the relevant business departments of the Assessed
    Entities, we understand that the Assessed Entities are not
    classified as a “Critical Information Infrastructure Operator”
    under the Cybersecurity Law and that the data accessed and
    processed by the Company includes personal information and other
    business data which do not fall under the “important data” as
    defined under the Data Security Law. This means the data that the
    Company processes do not involve important data which may
    endanger national security and public safety once tampered with,
    destroyed, or illegally acquired or exploited. At present, the
    Assessed Entities have not formulated corresponding management
    policies and operating procedures under the Personal Information
    Protection Law, such as personal information collection rules,
    personal information use rules, sensitive personal information
    processing rules, personal information storage and protection
    policies, rules for the sharing, provision, transfer and entrusted
    processing of personal information, personal information
    cross-border transfer rules, etc.

[Potential Compliance Risks:]{.underline}

  1. As a network operator under the Cybersecurity Law and a personal
    information processor under the Personal Information Protection
    Law, the Assessed Entities have not conducted relevant assessments
    in accordance with the relevant provisions of the Cybersecurity
    Law and the Personal Information Protection Law, nor have they
    formulated internal management policies and operating procedures
    related to network security protection and personal information
    protection.

[Preliminary Suggestions:]{.underline}

  1. (1) According to the current practice of law enforcement, the
    law enforcement departments may have a certain degree of tolerance
    if a company is not involved in network security or personal
    information security incidents, but considering that the Assessed
    Entities conduct a large amount of domestic and overseas
    information interaction, it is suggested that the establishment of
    the relevant internal policies and procedures for network security,
    data security and personal information protection be started as
    soon as possible. Meanwhile, it is recommended that the Assessed
    Entities consider completing the grading, filing and evaluation of
    network security classified protection, which will generally
    include the following steps: (a) Determine the protection grade of
    the system in accordance with the relevant laws and
    regulations25. To be specific, the information system operator
    should determine the security grade of the information system, use
    information technology products that meet the corresponding
    requirements, carry out security construction and reconstruction
    work, and formulate and implement the security management system
    required by the corresponding security protection grade. (b) On the
    condition that the grading is accurate and filing is needed26,
    the operator should go to the public security organ at or above the
    municipal level in the local area to handle the filing
    formalities27. (c) Obtain a filing certificate. After the
    submitted filing materials are reviewed and approved, the public
    security organ at the municipal level or above in the local area
    will issue the “Information System Security Grade Protection
    Filing Certificate”. (d) Carry out graded security assessments.
    Information system operators should regularly carry out
    security assessments. The frequency of the security assessment on a
    Level I system is at least once a year. The frequency for a Level
    IV system is at least once every six months. A Level V
    information system needs to be evaluated according to special
    security needs. The system operator should promptly submit the
    assessment report of the information system to the public security
    organs. If rectification is needed, the rectification
    report should be submitted to the public security organs for the
    record after the completion of rectification. At the same time, the
    public security organs will also inspect Level III and Level IV
    information systems at the same frequency as the assessment. Level
    V information systems are subject to inspection by special
    departments designated by the state. It should be noted that the
    first step, i.e., system grading, is particularly critical: the
    public security organs will require the operator to make
    rectification if the grading is inaccurate and may also recommend
    that the operator organize experts for a re-grading review.
    Therefore, in order to ensure compliance from grading to
    evaluation, many companies choose to engage a third-party
    institution with relevant qualifications and experience to assist
    them in handling the matters from the beginning of system grading
    through the following stages. We also recommend that the Assessed
    Entities, if feasible, consider engaging a third-party institution
    with relevant qualifications and experience to assist in the
    grading, filing and evaluation of network security classified
    protection28.

  2. (2) In addition, in the practice of data compliance management
    involving external entities (in particular third parties providing
    data processing services to the Company), if the signatory party to
    the agreement is one of the Corporate G entities but the agreement
    in fact covers all the Corporate G entities, then, assuming that the
    data of the other Corporate G entities is leaked due to a data
    security incident at the third party and causes losses to those
    entities, it may be more difficult for them to claim damages because
    they are not the signing parties. Therefore, it is recommended to
    sort out whether this situation exists (after our preliminary
    sorting and feedback from the Company, this situation does exist,
    for example in an agreement signed with FSG). If so, it is
    recommended either to sign a supplementary agreement with the other
    party to the contract clarifying that the content of the agreement
    covers all the relevant Corporate G entities, or to clarify, through
    an internal agreement among the relevant Corporate G entities, that
    the Corporate G entity that signed the agreement with the external
    party is entitled to make claims on behalf of the other entities in
    the event of a dispute.

8. Compliance Tips for Using a Corporate VPN29

  1. According to the information provided by the Company by email on
    May 20, 2022, the four Assessed Entities currently use a
    “self-built” corporate VPN set up by their headquarters in Germany,
    and Checkpoint provides these corporate VPN-related services for
    Corporate G. To be specific, Checkpoint signed the services
    agreement with Corporate G headquarters to provide the corporate
    VPN services to Corporate G globally.

  2. In 2017, the Ministry of Industry and Information Technology issued
    the Notice on Clearing and Regulating the Internet Network Access
    Service Market, which further clarifies that, without the approval
    of the competent telecommunications authorities, it is not allowed
    to establish or rent specific channels (including virtual private
    networks, VPNs) to carry out cross-border business activities30.
    An international special channel leased by a basic
    telecommunications enterprise to a user shall be recorded in a
    collective user file, and the user shall be notified that the
    channel may only be used for internal office work and shall
    not be used to connect domestic or overseas data centers or
    business platforms to carry out telecommunications business
    activities. This means that when foreign trade enterprises and
    multinational enterprises need cross-border networking through a
    special channel for reasons such as internal office use,
    they can rent special channel services from telecommunications
    business operators who lawfully operate international
    communication entrance and exit channel business.

  3. Based on the above provisions of the Ministry of Industry and
    Information Technology and current market practice, a company can
    currently use a corporate VPN by the following two methods. One
    method is to use the services provided by the basic telecom
    operators (i.e., China Telecom, China Mobile, China Unicom) that
    hold a VPN business license. Companies with such needs can
    communicate their needs to such operators (or through agents who
    have cooperative relationships with such operators), and the
    operators will provide a corresponding service plan according to the
    needs of the company and implement the plan accordingly. The
    other method is to establish an entirely independent
    self-established corporate VPN (i.e., not using the VPN service of
    Chinese mainland basic telecom operators), which generally requires
    first going through the approval/filing process of the Ministry of
    Industry and Information Technology and other regulatory
    authorities before setting up the channel and configuring
    facilities in both the domestic office and the overseas office of the
    company. Relatively few companies currently use this
    method because it needs to be reported to the regulatory
    authorities and is time-consuming.

  4. Through public search and telephone consultations, we found that
    Checkpoint, the corporate VPN service provider for Corporate G, has a
    representative office in Beijing, China (i.e., Israel Checkpoint
    Security Software Technology Co., Ltd., Beijing Representative
    Office). According to the information displayed on its official
    website in China31, Checkpoint has offices in Beijing, Shanghai
    and Guangzhou in Chinese mainland, but it does not hold a VPN
    business license according to our inquiry. After telephone
    consultation, we found that Checkpoint acts only as an agent when
    conducting VPN business, serving mainly as a
    communication channel between the customers and the operators, for
    example by exchanging requirements and confirming program details.
    The specific program design and implementation work is still carried
    out by the basic telecom operators. In summary, we understand that if
    Checkpoint provides corporate VPN services for the Assessed
    Entities in this way, the corporate VPN service of Checkpoint
    currently used by the Assessed Entities is actually provided by a
    basic telecom operator holding the VPN business license.32 In
    addition, according to our telephone communication with the head of
    the Company’s IT department on July 5, 2022, the Company also
    purchases hardware equipment for the corporate VPN from an agent of
    Checkpoint.

[Potential Compliance Risks:]{.underline}

  1. It should be noted that if the agreements respectively signed with
    Checkpoint and the hardware equipment supplier do not require that
    the corporate VPN services or products provided by them should
    comply with the relevant laws and regulations of the PRC, it may
    cause losses to Corporate G if they are in breach of law.

[Preliminary Suggestions:]{.underline}

  1. It is recommended that Corporate G include a “firewall” clause that
    requires Checkpoint and the hardware equipment supplier to provide
    VPN services or products in compliance with relevant Chinese laws
    and regulations in the service agreements respectively signed with
    Checkpoint and the hardware equipment supplier so as to prevent
    Corporate G from being implicated by their violations of laws and
    regulations.

  1. In this report, the assessment and analysis on cross-border
    transmission of data was drafted based on the Assessed Entities’
    responses to the relevant questions on 25 November 2022, and the
    assessment and analysis on the remaining data processing activities
    is drafted based on the information provided by the Assessed
    Entities as of 6 July 2022. ↩︎

  2. https://files.Corporate G.com/webcat/navi/productInfo/doct/tdoct5900c_eng.pdf?v=20220428132148 ↩︎

  3. This document mentioned that Corporate G will process personal
    information in accordance with the applicable laws and regulations
    and only when appropriate technical and organizational measures are
    used to protect personal information from loss, modification and
    unauthorized use or disclosure. ↩︎

  4. Based on the Company’s response, the DigiWay on-leave system and
    the Cityrays payroll system use a SQL Server database, and the
    software vendors do not have DBA authority over the database and
    therefore cannot access the database. ↩︎

  5. For information systems used due to Corporate G’s global
    procurement, we also recommend adding a data protection clause under
    the laws of the PRC to the software procurement agreement, if
    feasible. The detailed practices can be further discussed after
    understanding the Company’s existing operations. ↩︎

  6. Based on the information provided by the Company, the working
    mailboxes of all the four Assessed Entities are opened by IT in
    China, and the email correspondences are also stored on local
    servers located within mainland China. Please inform us if the
    Company later discovers during operation that there is any
    possibility of such data being transferred to overseas. ↩︎

  7. The internal referral is conducted mainly via email and WeChat
    group announcements. ↩︎

  8. Where resumes of candidates are collected via the two companies’
    official WeChat accounts or through internal referral, when the
    candidate sends his/her CV to the company or to an employee of the
    company, the candidate shall be deemed to have agreed that the
    company may process the personal information provided by the
    candidate for recruitment purposes. ↩︎

  9. We have received a Services Agreement between Company B and
    Liepin from PA. Please let us know if this is also applicable to FA
    and VMT. ↩︎

  10. According to the Assessed Entities, FA and VMT employees are not
    required to complete a separate registration form at the time of
    onboarding. ↩︎

  11. According to FA and VMT’s responses, the Personal Data Sheet
    will be completed during the interview and will be integrated into
    the employee’s profile after official recruitment and the employee
    is not required to complete the form separately when onboarding. ↩︎

  12. If Company B and Company C view the health information such as
    the employee’s pre-employment medical check report and annual
    medical check report, such information is also sensitive personal
    information. ↩︎

  13. Amongst which 249 are employees of FA, 47 are employees of PA, 33
    are employees of Company C and 15 are employees of VMT. ↩︎

  14. Amongst which 16,690 contacts of business partners for FA, 1,238
    business partner contacts for PA, 500 business partner contacts for
    Company C, and the number of business contacts for VMT shall be no
    more than 100, according to the responses from the Assessed Entities. ↩︎

  15. We understand that such personal information mainly includes the
    recipient’s name, contact phone number and address, and does not
    involve sensitive personal information. Please let us know if our
    understanding is wrong. ↩︎

  16. Even if the personal information (not including sensitive
    personal information) of the relatives of the employees provided is
    stored on the local server in Germany, the number of relatives of
    employees whose personal information is stored on local servers in
    Germany is estimated at 344*5=1,720, based on an average of five
    relatives per employee. Adding this number to the total number of
    the PRC-based personal information stored in the overseas server,
    the number of people whose personal information is stored overseas
    is 22,972 + 1,720 = 24,692, which is less than the 100,000
    individuals as specified in the Security Assessment Measures for
    Outbound Data Transfers. ↩︎

  17. According to the responses provided by the Assessed Entities on
    25 November 2022, the Assessed Entities are expected to sign
    cross-border data transfer agreements with the relevant offshore
    entities in December 2022. ↩︎

  18. As mentioned above, such sensitive personal information is stored
    on the local server within mainland China. ↩︎

  19. Based on the information currently provided by the Assessed
    Entities, the Assessed Entities are not critical information
    infrastructure operators (“CIIO”) and do not handle critical data.
    Therefore, the Assessed Entities shall pay attention to: whether the
    number of individuals whose personal information is processed has
    reached 1 million; whether the cumulative number of individuals whose
    sensitive personal information has been transferred abroad since
    1 January of the previous year has reached 10,000; or whether the
    cumulative number of individuals whose personal information has been
    transferred abroad since 1 January of the previous year has reached
    100,000. If, in the follow-up business of the Assessed Entities, any
    critical data is transferred abroad or the Assessed Entities are
    listed as CIIOs, the Assessed Entities shall conduct the relevant
    work and apply for the security assessment on cross-border data
    transfers in a timely manner. ↩︎

  20. According to the announcement issued by the State Administration
    for Market Regulation and the CAC on November 4, 2022, certification
    institutions engaged in personal information protection
    certification shall carry out certification activities only after
    being approved and shall implement certification in accordance with
    the Rules for the Implementation of Personal Information Protection
    Certification. We understand that, in view of the fact that the
    announcement has only been officially released recently, it remains
    to be further clarified what approval the certification
    institutions need to obtain and which organizations have already
    been approved, etc. ↩︎

  21. The CAC issued the Provisions on Standard Contracts for
    Cross-border Transfers of Personal Information (Draft for Comments)
    on 30 June 2022, but it has not yet come into force officially. ↩︎

  22. Based on the information provided by Corporate G for us, the data
    processed does not contain important data at the moment. If
    important data is involved in the future, the relevant regulations
    regarding critical data would apply. ↩︎

  23. If the Company would hire a third party in the process of sales
    prediction and analysis, please inform us. ↩︎

  24. We understand that the data of customers in the Universal
    Messenger come from the ERP system of the Company, the data of which
    are stored in the servers of the German headquarters in Germany and
    are inaccessible to the personnel of Universal Messenger. Besides,
    if the email senders are set up by the German IT, all records of the
    emails are also stored in the servers in Germany. Please inform us
    if our understanding is inaccurate. ↩︎

  25. According to the Guidelines for grading information system for
    the classified protection of information security, it is currently
    mainly divided into five levels. At the first level, when an
    information system is damaged, it will cause damage to the
    legitimate rights and interests of citizens, legal persons and other
    organizations, but will not harm national security, social order and
    the public interest. At the second level, when an information system
    is damaged, it will cause serious damage to the legitimate rights
    and interests of citizens, legal persons and other organizations, or
    cause damage to social order and the public interest, but not to
    national security. At the third level, when information systems are
    damaged, they can cause serious damage to social order and the
    public interest, or damage to national security. At the fourth
    level, when information systems are damaged, they can cause
    particularly serious damage to social order and the public interest,
    or serious damage to national security. At the fifth level, when
    information systems are damaged, they can cause particularly serious
    damage to national security. ↩︎

  26. According to relevant laws and regulations, information systems
    of Level II or above that have been put into operation shall go
    through the filing formalities at the public security organ at the
    districted municipal level or above where they are located. ↩︎

  27. Specific material requirements can be seen at the official
    website of the Ministry of Public Security
    https://zwfw.mps.gov.cn/work.html. ↩︎

  28. We can also recommend third-party organizations with relevant
    experience depending on the needs of Corporate G. ↩︎

  29. “VPN” here specifically refers to the VPN in the context of
    cross-border networking. ↩︎

  30. In 2019, a foreign trade enterprise in Zhejiang Province used
    “circumvention software” to access overseas blocked websites,
    and its behavior constituted unauthorized establishment and use
    of non-statutory channels for international networking. The Haiting
    police gave the company an administrative penalty ordering it to
    stop using the “circumvention software” and issued a warning in
    accordance with the relevant provisions of the Interim Provisions
    of the People’s Republic of China on the Management of
    International Networking of Computer Information Networks. ↩︎

  31. https://www.checkpoint.com.cn/about-us/contact-us/ ↩︎

  32. After a telephone consultation with Checkpoint, we learned that
    Checkpoint provides services through this method. If the Company and
    Checkpoint’s cooperation method is different from what we currently
    know, please inform us. ↩︎

Origin blog.csdn.net/hinker/article/details/129098869