CNIL decides that the French subsidiary of a Chinese parent company is the data controller

On 18 September 2023, the French Data Protection authority (CNIL) imposed an administrative fine of EUR 200,000 against SAF LOGISTICS, a French company that carries out air cargo activity from China. An intriguing aspect of the decision concerns the issue of the status of the relevant actors under the GDPR (controller or processor). More straightforward is CNIL’s analysis of the specific violations of the GDPR on the part of SAF LOGISTICS.

SAF LOGISTICS is owned by the Chinese company Sinotrans Hongfeng Shanghai Limited and mostly employs Chinese nationals residing in France. In 2020, SAF LOGISTICS distributed a form, which it obtained from its Chinese parent company, for its employees to fill out if they wished to apply for positions in China.

On the role of the data controller

When the French subsidiary helps French citizens to obtain a form devised by the Chinese parent company to apply for positions in China, it is not self-evident who in that set-up is the data controller or the data processor. CNIL decided that SAF LOGISTICS, the French subsidiary, is a data controller. CNIL did not expressly decide on the status, if any, of the Chinese parent company under the GDPR.

As defined in Article 4(7) of the GDPR, a controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. In accordance with Article 26 of the GDPR, “where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”.

SAF LOGISTICS’ parent company in China created the form to recruit employees. SAF LOGISTICS stated that it acted as a “mailbox” for the employees to deliver their applications for positions in China.

However, CNIL decided that SAF LOGISTICS, the company based in France, was the data controller because SAF LOGISTICS asked the Chinese parent company to send it the form, rather than the parent company ordering SAF LOGISTICS to furnish the form to employees. SAF LOGISTICS determined the “why” of the processing: identification of employees potentially interested in working in China. It also determined the “how” (the means) of processing, by obtaining the form from the parent company and distributing the form to around twenty people.

In addition, CNIL found that in relation to collecting contact info of the employees’ relatives in case of an emergency, SAF LOGISTICS processed the employees’ data for its own specific purposes.

On data minimisation

The CNIL found that SAF LOGISTICS breached the principle of data minimisation (Article 5(1)(c) of the GDPR) by collecting an excessive range of personal data about the employees’ emergency contacts, as such information was not needed to achieve the purpose of contacting the relatives.

According to Article 5(1)(c), personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

The CNIL argued that it would have been sufficient to provide the name, relationship to the employee, and phone number of employee’s relative. Instead, the form required employees to provide additional categories of personal data, such as their date and place of birth, gender, employer, and marital status.

On the processing of special categories of personal data

Some of the data required in the form, including data revealing racial or ethnic origin, political opinions, and data concerning health, constituted special categories of personal data. CNIL determined that SAF LOGISTICS used such data without a proper legal basis because the consent received from the employees was not freely given.

According to Article 9(1) of the GDPR, the processing of special categories of personal data is prohibited, unless falling under the exceptions provided in Article 9(2) of the GDPR. One of the exceptions from Article 9(2) is the data subject’s explicit consent to the processing of special category data. Pursuant to Article 4(11) of the GDPR, consent must be freely given. SAF LOGISTICS maintained that the form was optional and that the employees who had completed the form had, in doing so, consented to the processing of their personal data.

CNIL concluded that the employees’ consent was not freely given because completing the form was the only way to apply for the positions in China and it was obligatory to complete all fields in the form, including the fields concerning special category data, in order to be able to submit it.

Comment

According to the CNIL, what determined the status of SAF LOGISTICS as the data controller is that the processing of the personal data occurred at the initiative of the company. If SAF LOGISTICS had not requested the form from the Chinese parent company, the processing would not have taken place

It is not entirely clear from CNIL’s decision whether the Chinese company used the form only for local recruitment purposes and SAF LOGISTICS then repurposed the form by making it a tool for applications by French citizens, or whether the Chinese company created the form so that its foreign subsidiaries could use it as a tool for employing foreign-based individuals in China. In the latter scenario, although the parent company did not order SAF LOGISTICS to furnish the form to employees, presumably the very purpose of the form – determined by the parent company – was that it could be used by its subsidiaries abroad. In that case, an argument could be made that the Chinese company is a joint controller with SAF LOGISTICS.