Ireland’s Data Protection Commission (DPC) has opened an investigation into Chinese online retailer Shein over the transfer of European users’ personal data to China.

The inquiry, launched under Section 110 of the Data Protection Act 2018, concerns Infinite Styles Services (Shein Ireland), the company’s Europe, Middle East and Africa (EMEA) headquarters in Dublin.

According to the DPC, the investigation will examine whether Shein Ireland complied with obligations under the EU’s General Data Protection Regulation (GDPR) when transferring personal data of users in the European Union (EU) and the European Economic Area (EEA) to China.

DPC deputy commissioner Graham Doyle said: “When an individual’s personal data is transferred to a country outside the EU, the GDPR requires that this personal data is afforded essentially the same protections as it would within the EU.

“Recent regulatory action by the DPC, together with complaints to other European supervisory authorities, has brought data transfers to China, in particular, into focus. The inquiry is an important strategic priority for the DPC, and we intend to cooperate closely with our peer European Supervisory Authorities as part of the investigation.”

The regulator said the probe will review compliance with GDPR principles under Article 5 relating to the processing of personal data, as well as transparency obligations outlined in Article 13.

The DPC stated that GDPR is designed to maintain a high level of personal data protection across the European Economic Area (EEA).

It added that transfers outside the bloc could reduce those protections if the conditions set out under Chapter V of the regulation are not met.

Under Article 45(1) of the GDPR, transfers of personal data outside the EU may proceed where the European Commission (EC) has adopted an “Adequacy Decision” confirming that a country ensures an adequate level of data protection.

The EC has issued adequacy decisions for countries including Japan, the UK, the US and Switzerland. No such decision has been granted for China.

The DPC said that where no adequacy decision exists, organisations transferring personal data outside the EU or EEA must rely on alternative GDPR safeguards.

These include the use of Standard Contractual Clauses and demonstrating that the destination country provides protections broadly equivalent to those available within the EU.

The investigation could lead to enforcement measures or financial penalties if breaches of GDPR obligations are identified.