Effective Date: January 1, 2000
Document ID: COMP-PRIV--001
Sundayou Guqin (hereinafter referred to as "the Company") solemnly commits to strictly comply with all applicable privacy and data protection laws and regulations when conducting business globally. We are committed to:
- Legal Compliance: Ensuring all data processing activities comply with legal requirements in operating locations
- Transparent Operations: Clearly explaining data processing practices to users
- Responsibility: Establishing a comprehensive privacy governance system
- Continuous Improvement: Regularly reviewing and updating compliance measures
- General Data Protection Regulation (GDPR) - EU Regulation 2016/679
- California Consumer Privacy Act (CCPA/CPRA) - California Civil Code Sections 1798.100-1798.199
- Personal Information Protection Law (PIPL) - Presidential Order No. 91 of China
- Data Protection Act 2018 - United Kingdom
- Act on the Protection of Personal Information (APPI) - Japan
- Federal Data Protection Act (BDSG) - Germany
- Payment Card Industry Data Security Standard (PCI DSS) - For processing payment information
- ISO/IEC 27001:2022 - Information Security Management System
- Children's Online Privacy Protection Act (COPPA) - United States
- Health Insurance Portability and Accountability Act (HIPAA) - Applicable only to the processing of related health information
- EU-U.S. Data Privacy Framework
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
```
Data Protection Board
├── Data Protection Officer (DPO)
│   ├── Compliance Team
│   ├── Legal Team
│   └── IT Security Team
└── Department Privacy Leaders
```
Data Protection Officer (DPO):
- Overseeing GDPR compliance
- Handling data subject requests
- Conducting privacy impact assessments
- Contacting supervisory authorities

Compliance Team:
- Monitoring regulatory changes
- Implementing compliance measures
- Employee training
- Auditing and reporting
- Data Processing Activity Register: Recording all data processing activities
- Data Flow Analysis: Identifying cross-border data transfer paths
- Third-Party Vendor List: Recording all data processors
Determining legal basis according to processing purposes:
| Processing Purpose | Legal Basis | Applicable Regulation |
|---|---|---|
| Contract Performance | Contract Necessity | GDPR Article 6(1)(b) |
| Legal Obligation | Legal Requirement | GDPR Article 6(1)(c) |
| Legitimate Interests | Legitimate Interest | GDPR Article 6(1)(f) |
| Marketing Communications | Explicit Consent | CCPA/CPRA |
| Sensitive Data Processing | Explicit Consent | PIPL Article 13 |
- Explicit Consent: Obtained through clear and unambiguous means
- Consent Records: Storing consent time, content, and method
- Withdrawal Mechanism: Providing easy consent withdrawal methods
- Age Verification: Ensuring parental consent for processing children's data
We have established the following rights response mechanisms:
| Right Type | Response Time | Processing Procedure |
|---|---|---|
| Right of Access | 30 days | Identity Verification → Data Retrieval → Providing Report |
| Right to Rectification | 30 days | Accuracy Verification → Data Update → Notifying Third Parties |
| Right to Erasure | 30 days | Eligibility Assessment → Secure Deletion → Completion Confirmation |
| Right to Data Portability | 30 days | Preparing Structured Data → Secure Transfer |
| Right to Object | 30 days | Basis Assessment → Stopping Processing → Notifying Result |
Technical Measures:
- End-to-End Encryption (AES-256)
- Multi-Factor Authentication
- Intrusion Detection and Prevention Systems
- Regular Vulnerability Scanning
- Data Backup and Recovery

Organizational Measures:
- Employee Background Checks
- Privacy and Security Training
- Access Control
- Incident Response Plan
- Vendor Due Diligence
- EU Data Transfers: Using European Commission-approved Standard Contractual Clauses
- US Data Transfers: Participating in the EU-U.S. Data Privacy Framework
- China Data Transfers: Complying with PIPL Chapter 3 requirements
- Other Regions: Based on adequacy decisions or appropriate safeguards

- Mainland China: Storing personal information within China
- Russia: Complying with Federal Law No. 242-FZ localization requirements
- India: Following draft Personal Data Protection Bill requirements
| Regulation | Reporting Time | Reporting To |
|---|---|---|
| GDPR | Within 72 hours | Supervisory Authority + Data Subjects |
| PIPL | Immediately | Supervisory Authority |
| CCPA | Within 72 hours | California Attorney General + Affected Individuals |
| HIPAA | Within 60 days | Department of Health and Human Services |
1. Detection and Confirmation
2. Containment and Assessment
3. Notification and Reporting
4. Recovery and Repair
5. Review and Improvement
- Introduction of new systems or processes
- Large-scale data processing
- Sensitive data processing
- Systematic monitoring
- Use of new technologies
- Data processing clauses in contracts
- Security compliance certification
- Regular audits
- Breach handling mechanisms
All data processing agreements must include:
- Purpose limitation of data processing
- Security obligations
- Breach notification requirements
- Audit rights
- Contract termination clauses
| Record Type | Retention Period | Regulatory Basis |
|---|---|---|
| Consent Records | 5 years | GDPR Article 7(1) |
| Processing Activity Records | Continuously updated | GDPR Article 30 |
| Data Breach Records | 3 years | GDPR Article 33(5) |
| Employee Training Records | 3 years | Compliance Requirements |
- Privacy policies and notices
- Data processing agreements
- Privacy impact assessment reports
- Training materials and records
- Audit reports
- New Employee Training: Completing basic privacy training upon hiring
- Annual Update Training: All employees receive updated training annually
- Role-Specific Training: Additional training for data handlers
- Awareness Activities: Regular privacy awareness enhancement activities

- Basic principles of data protection
- Data subject rights
- Security best practices
- Incident reporting procedures
- Specific job responsibilities
- Frequency: At least once per year
- Scope: Covering all data processing activities
- Reporting: Submitted to management and the DPO
- Follow-up: Corrective action tracking
- ISO 27001 Certification: Information security management
- SOC 2 Type II Report: Service organization controls
- Regular Legal Review: Compliance status assessment
- European Union: Relevant national data protection authorities
- United States: Federal Trade Commission (FTC)
- China: Cyberspace Administration of China
- United Kingdom: Information Commissioner's Office (ICO)
- California: California Privacy Protection Agency (CPPA)
- Promptly respond to regulatory inquiries
- Provide required documents and information
- Implement regulatory recommendations
- Participate in regulatory consultations
| Regulation | Maximum Penalty |
|---|---|
| GDPR | €20 million or 4% of global turnover |
| PIPL | ¥50 million or 5% of turnover |
| CCPA/CPRA | $7,500 per violation |
| BDSG | €300,000 |
- Cyber Liability Insurance: $5 million
- Data Breach Response Insurance
- Regulatory Investigation Insurance
Data Protection Officer
Email: dpo@sundayou.com
EU Representative
Email: eu-representative@sundayou.com
- Annual Review: Conducted in the fourth quarter of each year
- Incident-Triggered Review: Immediate review after significant incidents
- Regulatory Change Review: Within 60 days after relevant regulatory changes
1. Regulatory change analysis
2. Impact assessment
3. Draft development
4. Internal review
5. Legal review
6. Approval and release
7. Employee communication
8. Public notification
This Legal Compliance Statement does not constitute legal advice. Specific compliance requirements may vary depending on jurisdiction, business nature, and data processing activities. It is recommended to consult professional legal counsel to ensure full compliance.
Document Control Information
Version: 1.0
Approved By: Data Protection Board
Next Review Date: October 1, 2025
Distribution Scope: All employees, relevant third parties
Confidentiality Level: Public
© Sundayou Guqin. All rights reserved.