Assessment Report Regarding Data Compliance

Privileged and Confidential

[To: Company A]

[From: Law Firm F, Shanghai]

Tel: 86-21 xxxx xxxx

Fax: 86-21 xxxx xxxx

[Date: December 7, 2022]

Re: Assessment Report Regarding Data Compliance of Corporate G China

To: Company A

We are a law firm duly qualified and authorized to practice Chinese law
in the People’s Republic of China (the “PRC”). We have been
requested by Company A to provide a legal assessment regarding the data
compliance management of Corporate G China.

For this purpose, we investigated and assessed the data compliance
management of Corporate G China through the following steps, and issue
this report for your reference:

  1. Reviewing the relevant documents, policies, contracts and/or templates provided by the four Corporate G entities in the PRC;
  2. Collecting further information through meetings, communications and other written exchanges with the relevant teams of the four Corporate G entities in the PRC.

This report is produced in accordance with the valid PRC laws,
regulations, applicable circulars, and policies, as well as by reference
to the publication on governmental websites and material provided by the
company as of the date of this report and is solely for the above
purpose. Any factual change or changes of legislation or otherwise
governmental information thereafter may alter our view and analysis
hereunder. This report shall not be viewed as a guarantee of any
particular outcome.

Executive Summary

Corporate G SE (“Corporate G”) is a professional sensor company with a
long-standing reputation in the global automation industry and a global
sensor supplier with outstanding research, supplying high-quality
products ranging from inductive sensors to ultrasonic sensors, from
photoelectric sensors to rotary encoders, from identification systems to
fieldbus systems, from liquid level and material level sensors to safety
light screens, and from explosion-proof sensors to safety grids,
isolation grids and other sensors. Corporate G SE has invested in and
set up a number of business entities in China, among which the entities
that fall within the scope of this data compliance assessment include:
Company A (“Company A”), Corporate G (Beijing) Process Automation Co.,
Ltd. (“Company B”), Corporate G (Shanghai) Automation Engineering Co.,
Ltd. (“Company C”) and Company D (“Company D”) (collectively referred to
as the “Assessed Entities” or the “Company”).

Based on the business of the Assessed Entities and the types of data
they processed, as well as other information we learned in the
assessment, we understand that currently, the Company is not a “Critical
Information Infrastructure Operator” under the Cybersecurity Law. In
addition, among the data that the Company has accessed and processed so
far, apart from personal information data, the data processed and
accessed by the Company does not involve “important data” under the
Data Security Law. Therefore, at present, the focus of the Company’s
data compliance management is personal information protection. However,
considering that the Company may access “important data” in its future
business, we also put forward some preliminary suggestions for the
identification and compliance management of important data in the
Company’s business for the Company’s reference in this report. In this
report, we will analyze the Company’s information systems, products and
services, supplier data, internal employee data, data storage and
transfer, data use and sharing, network security and data compliance
management, etc. In this executive summary, we selected and listed some
major compliance risks identified in the assessment, provided the
corresponding suggestions for improvement, and prepared a summary table
as follows. We would like to kindly remind you that this summary only
lists the major compliance risks; please refer to the full version of
the assessment report and the suggestions for improvement set out in the
main text.

Main Text

  1. Corporate G SE (“Corporate G”) is a well-known company specializing in sensor technology in the global automation industry, which conducts distinguished research and provides high-quality products ranging from inductive sensors to ultrasonic sensors, from photoelectric sensors to rotary encoders, from identification systems to fieldbus systems, from liquid level and material level sensors to safety light curtains, and from explosion-proof sensors to safety barriers, isolation barriers and other sensors. Corporate G has invested in and established a number of business operation entities in the PRC, and amongst them, the entities falling within the scope of this data compliance assessment include the three foreign legal person sole proprietorship limited liability companies directly invested by Corporate G SE, i.e., Company A (“Company A”), Corporate G (Beijing) Process Automation Co., Ltd. (“Company B”) and Corporate G (Shanghai) Automation Engineering Co., Ltd. (“Company C”), and an affiliated business entity, i.e., Company D Vision Technology (Shanghai) Co., Ltd. (“Company D”) (collectively referred to as the “Assessed Entities” or the “Company”). Amongst them:

  2. FA was established in 2006 and is mainly engaged in the research, development, design, production, sales, supporting services, technical consulting and other business of sensors, encoders, identification systems and optical data transfer systems in the field of automated components and systems.

  3. PA was established in 2009 and is mainly engaged in the research, development, design, production, sales, supporting services, technical consulting and other business of explosion-proof electrical equipment and lamps, customized terminal boxes, junction boxes and cabinets, controlling equipment products and components of process automation equipment.

  4. SEC was established in 2015, and is mainly engaged in the production, sales, supporting services, technical consulting and other business of automation instruments and meters, explosion-proof electrical equipment and lamps, terminal boxes, junction boxes and cabinets, automation equipment and accessories.

  5. VMT was established in 2014 and is mainly engaged in technology research and development, design, system integration and sales in the field of image technology and automation technology, the research and development of industrial image processing technology and supporting software, and the wholesale, supporting services, technical consulting and other business of image processing equipment and supporting facilities.

  6. During this assessment, the management team of the Assessed Entities divided the Assessed Entities into two groups based on relevancy of management team and business among the Assessed Entities, i.e., Company A and Company D are assessed as one group, and Company B and Company C are assessed as another group. The two groups separately provided responses to the questionnaires on the data processing activities prepared by us (unless explained otherwise in the responses). Therefore, this compliance assessment report will analyze the various data process activities of the Assessed Entities in their daily business and assess the risks of any based on the responses and information provided by the Assessed Entities pursuant to the above group allocation.

1. Information System Compliance

  1. According to the information provided by the Assessed Entities, the ERP system used by the Assessed Entities consists of the Sales and Finance modules of M3 provided by Infor; the CRM system used by the Assessed Entities is the CRM module of Siebel provided by Oracle; the above modules are globally purchased and provided by Corporate G. The HR system and workflow software used by the Assessed Entities are purchased from PRC domestic software vendors (specifically, the Assessed Entities use the DigiWin on-leave request and reimbursement system, and Company A and Company D also purchased an information system for payroll calculation from Cityray). The Assessed Entities provided us with two software procurement contracts, namely the DigiWin Workflow Software V3.1 Maintenance Contract signed with Digiwin Software Co., Ltd. and the Sales Contract signed with SoftwareOne (Shanghai) Software Trading Co., Ltd. Neither of these two software procurement contracts contains specific clauses related to data protection, and where the contracts do contain confidentiality clauses, the purpose of those clauses is only the protection of trade secrets.
  2. In terms of access to information systems, the Assessed Entities set general access permissions primarily based on the employee’s position/job role, and temporary access permissions based on the direct supervisor’s approval and the process owner’s authorization. Amongst them, the DigiWin system and the Cityray system cannot be accessed by Corporate G’s headquarters or by other offshore affiliates of the Assessed Entities. In conclusion, we understand that the above practice of the Assessed Entities regarding access permission settings basically complies with the necessity principle and the minimization principle regarding the use of data.
  3. In addition, the four Assessed Entities have provided us with the ZVEI-VDMA Code of Conduct (updated in January 2022), which, according to the information provided by the Assessed Entities, is applicable to all subsidiaries of Corporate G including the four Assessed Entities and is published on Corporate G’s official website. This document briefly introduces Corporate G’s compliance management principles, and Article 3.5 (Data Protection Clause) of this document covers the protection of personal information. It shows that Corporate G attaches great importance to data compliance.

Potential Compliance Risks:

  1. The software procurement contracts signed between the Assessed Entities and external third parties do not contain special clauses related to data protection, and where they contain confidentiality clauses, the purpose of those clauses is only the protection of trade secrets. According to the answers provided by the Assessed Entities, in the course of using outsourced software the supplier generally cannot access the data stored in the software used by the Assessed Entities, but this does not rule out the possibility that the supplier may access some data of the Assessed Entities while providing software operation and maintenance services. Therefore, the contract with the supplier should include a provision on data compliance and personal information protection. At present, however, there are no compliance clauses regarding data security and personal information protection in the contracts signed with software suppliers.

Primary Suggestions:

  1. Software is generally a standardized product, and its procurement contract is often a standard contract provided by the software supplier. Before signing such standard contracts, it is recommended that the Assessed Entities review and revise them. If the Assessed Entities find that there is no stipulation on data protection, they should add such a stipulation and require the software supplier to comply with it. Under this circumstance, if a data security incident or dispute occurs, such a stipulation in the contract would make it easier for the Assessed Entities to protect their rights. In addition, the Company is recommended to add relevant data protection clauses to the contracts with its existing software suppliers.

2. Products and Services-related Data Compliance

  1. Basic Information of Products and Services
  2. According to the information provided by the Assessed Entities, the products provided by Company B and Company C to the market include explosion-proof interface modules, engineered solutions, explosion-proof mobile & communication, Ethernet-APL & fieldbus, wireless solutions, remote I/O, bus, power supply and software products. In addition, Company B and Company C also provide supporting services such as sales, technical training, on-site service, repair and return.
  3. The products provided by Company A and Company D to the market mainly include proximity sensors, photoelectric sensors, ultrasonic sensors, rotary encoders and system products including RFID, fieldbus modules and vision products. For engineering projects, Company A and Company D also provide installation, programming and system integration services based on Corporate G hardware products. In addition to the aforementioned services, VMT’s product line also includes customized vision solutions and services such as 2D and 3D measurement, positioning and recognition.

  1. Basic Information of Customers and Customer Information Protection
  4. According to the information provided by the Assessed Entities, the buyers/end-users of the products and services from Company B and Company C are typically market participants in the following industries: petrochemical, oil & gas, utilities, pharmaceutical, biochemistry, offshore and marine, wastewater, power generation, food & beverage, and Company B also has certain business dealings with customers in the nuclear industry, but the business volume involved is relatively limited. We also learned that the market roles of buyers purchasing the products and services from Company B and Company C include the following categories: DCS companies, system integrators, agency/distributors, end users, OEMs, research institutes. From the perspective of the ownership type of the enterprises, the above-mentioned customers include state-owned enterprises and private enterprises. From the perspective of the flow of products and services, most of the products and services of Company B and Company C are provided to the Chinese customers, and only about 1% of the products and services are provided to customers located in Southeast Asia.
  5. Buyers/end-users of the products and services of Company A and Company D are generally market participants in the following industries: automotive, machinery, logistics, gate control, process equipment, food packaging, electronics, metallurgy, tobacco, new energy, robotics and transport. From the perspective of the ownership type of the enterprises, FA’s and VMT’s customers include state-owned enterprises and private enterprises. In addition, colleagues from the Company A team mentioned that Company A and Company D have very few customers in the military industry, such as the Shanghai Electric Control Research Institute (i.e., 218 Research Institute, affiliated to China Ordnance Equipment Group). From the perspective of the flow of products and services, FA’s products and services are only sold to domestic customers in China, while VMT’s products and services are mainly provided in China, with a few products and services sold to foreign customers, mainly customers in India, Thailand and Vietnam.
  6. In the course of providing the above-mentioned products and services, the four Assessed Entities of Corporate G accumulated about 42,000 customers (about 11.7% are Company B customers and 88.3% are Company A customers) over a period of about 15 years and have about 100,000 business contact persons (about 9.35% are business contacts of Company B and the remaining 90.65% are customers of FA). Customer-related information that may be collected includes the company name, address, department, taxpayer code, company bank account information, project information, and the personal information of the business contacts. Among them, project information generally includes the product end-users, devices, project name, location, etc., and sometimes the production capacity data of the project is also collected; the personal information of the business contacts generally includes the individual’s name, title and mobile phone number (i.e., the personal mobile phone number or the mobile phone number provided by the company to employees).
  7. Considering that many of the Assessed Entities’ customers are state-owned enterprises and other large enterprises, such as SINOCHEM GROUP, SEI, Sany Group, etc., based on our experience, Assessed Entities may have access to important data when conducting business with these companies and more stringent network security and data protection measures need to be taken. According to current laws, regulations and practices, we understand that the important data include but are not limited to the following categories: 1) manufacturing data, R&D information, intellectual property rights, business operation data, operation and maintenance data, and supply chain data of the important network facilities and/or information systems in important sectors such as public communication and information services, energy, transportation, water conservancy, finance, public services, government affairs, national defense science and technology and other network facilities and/or information systems which may seriously endanger national security, national economy and people’s livelihood, and public interests once destroyed, lose functions or encounter data leaks incidents; 2) map data; 3) navigation data; 4) surveying data; 5) important geographic information; 6) security equipment data, security deployment data; 7) energy reserve information. Amongst them, after confirming with the Company B and Company C teams through questionnaires, their responses to the question in item 1.2 of the questionnaire on whether the products and services involve processing important data is that Company B and Company C “do not access to such data”, “no sensitive data is involved”. Although the terminology of “sensitive data” mentioned by the Company B and Company C teams and “important data” asked in item 1.2 of our questionnaire is different, from the questions and responses in item 1.2, it is clear that Company B and Company C do not collect important data of the customers. 
     However, in the process of the Company B and Company C teams’ filling out and providing responses on item 3.1 of the questionnaire, we noticed that the colleagues from the Company B and Company C teams mentioned that, as to the information collected from customers, “some sensitive information may be collected from the institutes, including 711 Institute, 718 Institute (they are the institutes owned by the PRC military), etc.”. After further verifying the meaning of “sensitive information” mentioned here, we learned from the Company that the “sensitive information” mentioned here is “mainly the project name and production capacity”. At the same time, as confirmed by Company B and SEC, the two companies had business dealings with some institutes (including 711 and 718) and/or institutions owned by the military five years ago. However, the Company currently has no business dealings with these institutes and does not intend to have business dealings with them in the future either. In addition, the relevant personnel of Company A and Company D mentioned that they may have access to the information of sensitive industries such as military industry-related information during the business process, but at the same time they also responded in item 1.2 of the questionnaire that Company A and Company D would not have access to important data.
  8. We further learned that in terms of storage and protection of customer information, the customer information including project information may be stored in CRM and ERP systems. In addition, the teams such as sales and operation teams of the Assessed Entities mentioned in the interview that during the process of business connection, in practice, they may have access to some “sensitive information” through email correspondences, but such information will not enter the CRM or ERP system, nor will it be transmitted abroad.
  9. The Assessed Entities will typically enter into confidentiality agreements with their customers. As to the text of the confidentiality agreement, Company B has provided us with the Confidentiality Commitment unilaterally issued by Company B to ABB Engineering (Shanghai) Ltd. (“ABB”), which stipulates the confidential information, purpose of use, confidentiality obligation, confidentiality period and liability for breach of contract, and in which Company B even undertakes to entitle ABB to inspect and audit PA’s confidentiality system and measures. In addition, we have also received the confidentiality agreement signed between Company B and Zhejiang SUPCON Technology Co., Ltd., which stipulates the data protection obligations of both parties. Based on the above information, we learned that Company B and Company C used different texts/templates when signing confidentiality agreements with customers: some of them are templates provided by the customers, and some of them are unilateral confidentiality commitments signed by Company B or Company C rather than mutual confidentiality agreements.
  10. FA provided us with the Confidentiality Agreement signed with HIKROBOT Technology Co., Ltd. (“HIKROBOT Confidentiality Agreement”) and the Supplier Confidentiality and Integrity Agreement signed with Hainan Jinpan Smart Technology Co., Ltd. (“Jinpan Technology Confidentiality Agreement”). These two agreements stipulate the confidential information, purpose of use, confidentiality obligations, confidentiality period and liability for breach of contract. Amongst them, the Jinpan Technology Confidentiality Agreement mainly stipulates that FA, as “Party B”, unilaterally owes confidentiality obligations to Hainan Jinpan Smart Technology Co., Ltd., and there is no specific provision on personal information/data protection. In addition, Company A provided us with a sales contract with Suzhou Electrical Apparatus Science Academy Co., Ltd. However, this contract does not contain any data protection provision either.
  11. VMT provided us with three confidentiality agreements, i.e., the confidentiality agreement (WORD version) with Durr Paintshop Systems Engineering (Shanghai) Co., Ltd., the confidentiality agreement signed with Beijing Hinsong Yicheng Machinery & Electric Engineering Co., Ltd. and the confidentiality agreement signed with EBZ SysTec (Shenyang) Limited. According to their content, these three confidentiality agreements mainly stipulate the unilateral confidentiality obligations of Company D to the other party, and only the confidentiality agreement signed with EBZ SysTec (Shenyang) Limited stipulates unilateral data compliance obligations of VMT; the other two confidentiality agreements do not stipulate anything relating to personal information/data protection.

Potential Compliance Risks:

  1. The agreements signed with some customers do not include data protection clauses, and there is no commitment by the customers that the information provided by them was collected in compliance with the relevant laws and regulations. In addition, there is no “firewall” clause to protect the Assessed Entities from the risks associated with a customer’s unlawful collection of data.
  2. Different colleagues of the Assessed Entities may hold different views and make different determinations on sensitive data and important data. Additionally, the Company does not have any written determination criteria, nor has it developed any common criteria or measures from its practices for identifying sensitive data and important data, which may cause inaccuracies or discrepancies in identifying important data.
  3. There is no fixed template for the confidentiality agreements signed or to be signed between the Assessed Entities and their customers. Some of the confidentiality agreements signed between the Company and its customers are templates provided by the customers, and some of them are even unilateral confidentiality commitments by the Assessed Entities rather than mutual confidentiality agreements. Moreover, most confidentiality agreements do not contain data protection clauses.

Primary Suggestions:

  1. It is recommended that data protection clauses be added to the agreements signed or to be signed with customers, setting up a “firewall” to protect the Assessed Entities from any risks caused by customers collecting information in violation of legal requirements.
  2. It is recommended to establish important data identification guidelines and procedures with reference to the Information Security Technology - Important Data Identification Guidelines (Draft for Comments) drafted by the National Information Security Standardization Technical Committee and published on January 13, 2022, and to provide training on these guidelines and procedures to all employees who may have access to customer information, together with the related awareness and implementation activities, so that employees are capable of accurately identifying the important data of customers when they have access to such data and of protecting it in accordance with the management and technical protection measures applicable to important data.
  3. It is recommended that the Company draft, update and amend a template for a mutual confidentiality and data protection agreement, so that this fixed template is used and signed by the parties in the first instance when conducting business with customers in the future. Such a template should stipulate the confidentiality obligations of both parties, rather than Corporate G’s unilateral confidentiality obligations. If any customer insists that Corporate G sign a confidentiality agreement or a unilateral confidentiality commitment on a template drafted and provided by the customer, such agreement or template should be carefully examined as to whether the confidentiality obligations set forth therein are practicable for the Assessed Entities. For example, if the customer requests to inspect or audit the Assessed Entities’ confidentiality measures for protecting customer information, the Assessed Entities should consider whether they are in a position to separate that customer’s data from the data of other customers and of the Assessed Entities themselves, so that allowing the inspection or audit would not cause the Assessed Entities to violate their confidentiality obligations to other customers and would not result in the leak of information.

3. Supplier-related Data Compliance

  1. Data Compliance of PA’s and SEC’s Suppliers
  1. According to the information provided by the Assessed Entities, Company B engages the following types of suppliers: two explosion-proof certification institutes, three finished product suppliers and five logistics suppliers. Company C has raw material suppliers, machining suppliers, technical service providers, equipment suppliers, etc., totaling about 600 suppliers. In the course of dealing with these suppliers, Company B and Company C may collect the supplier’s company name, address, email address, company bank account information, contact person’s name, contact person’s mobile phone number, contact person’s title, etc. Most of this information is stored in M3, which runs on a local server at Corporate G’s headquarters in Mannheim, Germany. Information about the suppliers (e.g., information about the certification institutes) may be shared by Company B and Company C with Corporate G’s affiliates but is not shared with other third parties.
  2. With respect to the protection of supplier information, first, Company B and Company C do not have confidentiality agreements or data protection agreements with all of their suppliers, and there are no specific data protection clauses in the relevant procurement contracts or other cooperation agreements either.
  3. Second, Company B and Company C provided us with the general terms and conditions applicable to their procurement process, i.e., the Terms and Conditions for Purchase of Goods and/or Services. Article 13 (Confidentiality) of this document is a confidentiality clause that requires suppliers to keep information relating to Corporate G’s operations and technology confidential. However, this clause does not protect data other than confidential business and technical information, such as the personal information of Corporate G’s employees whom the suppliers may contact in the course of the cooperation, or information that is not confidential but still needs to be protected. In other words, the Terms and Conditions for Purchase of Goods and/or Services do not contain specific data protection clauses.
  4. Additionally, Company B and Company C provided us with the Agreement on the Principles of Cooperation applicable to suppliers, which also contains a confidentiality clause, i.e., Article 13 “Confidentiality of P+F/Information”. In this clause, the term “P+F Information” refers to “all information provided by Corporate G or its representatives or subcontractors to supplier in connection with the operations, programs, goods and services covered by this Contract, including, without limitation, pricing and other terms of this Contract, specifications, data, formulas, compositions, designs, sketches, photographs, samples, prototypes, test vehicles, manufacturing, packaging or shipping methods and processes and computer software and programs (including object code and source code). P+F information also includes any materials or information that contains, or based on, any P+F information, whether prepared by Buyer, Supplier or any other person.” This clause is more protective than Clause 13 (Confidentiality) of the Terms and Conditions for Purchase of Goods and/or Services mentioned above, as it specifies the purpose of use and the scope of disclosure of the said data, but it still lacks other necessary data protection requirements, such as the return or destruction of data and the maximum retention period of data.

Potential Compliance Risks:

  1. Company B and Company C have not signed confidentiality or data protection agreements with all suppliers, nor are there specific data protection provisions in the procurement contracts or other cooperation agreements. There is no template for confidentiality agreements with suppliers.
  2. The provisions on data protection in the templates of the Terms and Conditions for Purchase of Goods and/or Services and the Agreement on the Principles of Cooperation provided by Company B and Company C are not sufficient.

Preliminary Suggestions:

  1. It is recommended to update and improve the template for a mutual confidentiality and data protection agreement between the Company and its suppliers, so that when dealing with suppliers in the future, the parties can first choose to sign the fixed template. At the same time, it is recommended to add personal information protection and data security clauses to the existing agreements with suppliers, together with a “firewall” clause that protects the Assessed Entities from any risk caused by a supplier’s processing of data in violation of legal requirements.
  2. It is recommended to update and improve the templates of the Terms and Conditions for Purchase of Goods and/or Services and the Agreement on the Principles of Cooperation. Specifically, in addition to the confidentiality terms and conditions, add data protection terms and conditions specifying the scope of data to be protected, the purpose of use, disclosure restrictions, sharing restrictions, maximum use period, and return or destruction of data; require suppliers to make commitments on the compliance of their internal data protection policies and measures and on their hardware and software conditions for data protection; and entitle Corporate G to monitor, inspect and audit suppliers’ implementation of the above data protection work.

  1. FA’s and VMT’s Supplier-related Data Compliance

  1. FA’s and VMT’s suppliers mainly include logistics suppliers (including SF-express, EMS, TVS, FedEx, DHL), raw material suppliers, machining suppliers, labor subcontracting suppliers, human resource service providers, software service providers, event service providers, etc. Company A and Company D collect the suppliers’ company name, address, email address, company bank account information, contact person’s name, contact person’s mobile phone number, contact person’s title, etc. Most of this information is stored in the ERP system used by the Finance Department, and the contact information is also stored in the mailbox or on the mailbox server. Information on the Assessed Entities’ international business with SF-express and EMS is also reported to the Corporate G Singapore office at the same time.
  2. In addition to the software purchase agreements mentioned above, Company A and Company D also provided us with a copy of the Purchase and Sale Contract with Tianjin Dongdian Chuangxin Technology Development Co., Ltd; a copy of the Celebration Service Agreement with Shenzhen Deshanghui Culture Communication Co., Ltd; a copy of the WORD version of the Software Development Cooperation Contract for the PV Project; a copy of the WORD version of the Ningxia Longji 101 Workshop Short Side Subcontracting Agreement; and the Postal Import Commercial Express Service Contract signed with the China Post Corporation Shanghai Branch (“EMS”). Among them, the Purchase and Sale Contract does not contain confidentiality and data protection clauses; the Celebration Activity Service Agreement does not contain confidentiality and data protection clauses; the two WORD-version contracts only stipulate the supplier’s confidentiality obligations to FA, with no stipulation on data protection; and the Postal Import Commercial Express Service Contract contains confidentiality clauses with some stipulations on personal information protection, but the relevant content is not sufficient to cover the relevant personal information protection obligations. In addition, we also learned that Company A and Company D usually use the supplier’s agreement templates when concluding agreements with suppliers, and use Corporate G’s own template only when concluding software development contracts.

[Potential Compliance Risks:]{.underline}

  1. Firstly, given that Company A and Company D currently use the supplier’s agreement templates when entering into agreements with suppliers (except for software development agreements), if a supplier’s agreement template does not contain a confidentiality and/or data protection clause, the final signed agreement will not contain such a clause either. In other words, the parties will not be able to clarify their respective data compliance obligations, and there will be no “firewall” clause to protect FA and Company D from any breach of data handling by the other party. Besides, some of the agreements with existing suppliers do not contain personal information protection and data security clauses or a “firewall” clause that protects Company A and Company D from any unlawful processing of data by the supplier.

[Preliminary Suggestions:]{.underline}

  1. It is recommended to develop, update and amend the template of the mutual confidentiality and data protection agreement, so that Company A and Company D and their suppliers can first select such fixed template for execution when dealing with suppliers in the future. Meanwhile, it is also recommended to add clauses on personal information protection and data security, as well as a “firewall” clause that protects Company A and Company D from any unlawful data processing activities by the supplier, to the existing supplier agreements.

4. Internal Employee-related Data Compliance

  1. Collection of Personal Information of Candidates
  1. According to the Personal Information Protection Law and other relevant laws, personal information processors shall inform individuals of the purpose of collection, etc., obtain their consent in accordance with the law, and follow the principle of “minimum necessity” when processing personal information. Storage of personal information shall also follow the principle of necessity: unless otherwise provided for by laws and administrative regulations, the storage period of personal information shall be the minimum period necessary for achieving the purpose of processing.
  2. Based on our review of the Liepintong Service Contract between Company C and Tongdao Jingying (Tianjin) Information Technology Co., Ltd., we understand that one of the major recruitment channels of Company C and Company B is recruitment on a third-party platform, and that the third-party platform engaged by Company C and Company B is the “Liepin” platform operated by Tongdao Elite (Tianjin) Information Technology Co., Ltd (“Liepin”). In this recruitment process, Liepin sends candidates’ resumes to the two companies, and the two companies obtain the relevant personal information of the candidates upon receipt of the resumes. In general, the personal information contained in the resumes includes, but is not limited to, name, mobile phone number, email address, age, education level, working experience and so on. After our review of the Liepintong Service Contract between Company C and Liepin, we did not find any terms that explain how Liepin delivers such resumes to the two companies or that guarantee the compliance of such practice. The Personal Information Protection Policy of Liepin provides that “you acknowledge and agree that Liepin users within the scope of users you choose to disclose your resume may pay a fee to view your resume in order to obtain information on the resume you submit or upload”. However, in practice, we cannot rule out the possibility that a Liepin candidate is not specifically aware that his/her resume will be sent to Company B and SEC. Therefore, in order to prevent such risks, Company B and SEC, as the information recipients, may require Liepin to ensure that its collection of such personal information and its sharing of it with the two companies comply with applicable laws and regulations, so as to avoid being implicated by the non-compliance of third-party recruitment platforms in their processing of personal information.
     In addition to recruitment through third-party platforms, Company B and Company C also recruit through internal referral. When collecting candidates’ CVs through internal referral, the candidate is deemed to consent to the two companies’ processing of the personal information provided for recruitment purposes when the candidate sends the resume to the two companies or to an employee of the two companies. In addition, from the relevant functional departments’ personnel’s responses to the questionnaire, we learned that Company B and Company C do not collect any additional information directly from candidates during the interview (e.g., the two companies do not ask candidates to complete an information form during the interview). For unqualified candidates, Company B and Company C delete the candidates’ resumes within 3 months after the completion of recruitment for the corresponding positions.
  3. Regarding the collection of candidates’ information by Company A and Company D in the recruitment process, according to the information provided by Company A and VMT, the two entities carry out recruitment and collect candidates’ information through 51job, Liepin, Boss Zhipin, headhunter companies, the two companies’ WeChat account and internal referral. Currently, Company A and Company D have not provided us with any service agreement with 51job, Liepin or Boss Zhipin. At the same time, the current user agreements and privacy policies of the above-mentioned online recruitment platforms mainly describe what types of user information will be collected and processed by the platforms, what protection measures will be taken, and what channels are available for personal information subjects to exercise their relevant personal information rights. During the recruitment process, the information collected by the two entities includes the candidate’s name, mobile phone number, email address, personal work experience, etc. After the initial screening of resumes, the companies arrange an interview with the candidate, and the candidate is required to fill out an interview registration form (the “Personal Data Sheet”). In the Personal Data Sheet, personal information such as name, ID number, date of birth, mobile phone number, home address, marital status, emergency contact name and contact information, educational background, work experience, family member information, etc. must be filled out by the candidate, but the form does not contain a provision for the candidate’s written authorization and consent to the companies’ processing of personal information. Resumes and Personal Data Sheets provided by unqualified candidates are generally retained in the HR Department for six months to one year, can only be accessed by the HR Department, and are not transferred overseas.
     The reason for retaining the information of candidates who were not hired is that some of them may still be employed by the companies later. Once the storage period expires, such candidates’ information is deleted and shredded. However, the two companies do not inform such candidates of how the companies will handle their information.

[Potential Compliance Risks]{.underline}

  1. If the third-party platform Liepin unlawfully sends candidates’ resumes to Company B and Company C without the candidates’ knowledge of and consent to the recipient of the resume, Company B and SEC may be implicated. The agreement with Liepin does not contain Liepin’s commitment to process data in compliance with laws and regulations.
  2. When Company A and Company D ask candidates to provide personal information during interviews, they do not inform the candidate of the purpose of processing the personal information, etc., and do not obtain the relevant individuals’ authorized consent to collect their personal information.
  3. The user agreements and privacy policies of the online recruitment platforms used by Company A and Company D mainly describe how the platforms process personal information. Company A and Company D probably have not entered into exclusive service agreements with the online job platforms to define the parties’ rights and obligations in respect of data protection and to set up a “firewall” against risks arising from unlawful processing of data by third-party online recruitment platforms.

[Preliminary Suggestions:]{.underline}

  1. It is recommended that Company C and Company B add a clause to the service agreement signed with Liepin (and with other third-party recruitment platforms or headhunters in the future, if any) requiring the other party to undertake that its collection of candidates’ personal information and its sharing of such information with Company C and Company B is in full compliance with the relevant laws, and that there is no illegal collection, use or processing. (Also applicable if Company A and Company D recruit through third-party headhunters.)
  2. Considering that Company A and Company D obtain candidates’ resumes through the online platforms when recruiting through them, if disputes arise between the platforms and candidates over the processing of candidates’ information, Company A and Company D could also be implicated. Therefore, it is recommended that Company A and Company D sign specific service agreements with 51job, Liepin and Boss Zhipin to clarify the data compliance obligations and set up “firewall” clauses to prevent the risks of non-compliant data processing by the third-party online recruitment platforms.
  3. A clause for obtaining the individual’s authorization and consent shall be added to the registration form that candidates are required to fill out by Company A and VMT. This clause shall inform the candidate of the type, method, purpose and storage period of the information to be processed and obtain his/her consent in accordance with the Personal Information Protection Law.
  4. If the Assessed Entities recruit through the Corporate G website, i.e., the candidate fills out the information and uploads the CV on the website, the Assessed Entities shall have a privacy policy on the website and require the candidate to read the policy and tick the checkbox “I acknowledge the company’s policy and consent to the company’s processing of my personal information in accordance with the privacy policy”. In addition, the privacy policy shall explain how the company will process personal information for recruitment purposes and provide a channel for the individual to exercise his/her personal information rights in accordance with the laws and regulations of the PRC.

  2. Background Check on the Proposed Employee before Employment

  1. Based on the responses to the questionnaire from the relevant functional staff, we understand that Company B and Company C engage a third-party service provider, i.e., FSG (Shanghai Foreign Service (Group) Co., Ltd.), to conduct a background check on proposed employees before onboarding. The background check is conducted without the consent of the proposed employee. According to general experience, the content of the background check may include all the information on the proposed employee’s resume, such as identity information and education information. We have reviewed the service agreement between Company A and FSG provided by FA, which according to the Company is also applicable to Company B and Company C, and found that this service agreement is primarily an agreement for the provision of payroll services by FSG to the Assessed Entities; it does not cover the provision of background checks, nor does it include clauses on personal information protection and/or data compliance. For Company A and VMT, background checks are currently performed by HR itself and no third party is engaged.

[Potential Compliance Risks:]{.underline}

  1. According to the Personal Information Protection Law, a personal information processor shall inform the individuals and obtain their consent when providing the personal information collected from such individuals to a third party. Therefore, if the Assessed Entities do not inform the proposed employees of the background check to be conducted and obtain their consent, the Company’s provision of the proposed employee’s personal information to the background check company may constitute providing personal information to a third party without the consent of the personal information subject, in violation of the relevant provisions of the Personal Information Protection Law.

[Preliminary Suggestions]{.underline}

  1. Company B and Company C shall first obtain the proposed employee’s authorization and consent for the processing of such personal information before requiring FSG to conduct a background check on the proposed employee. If the Assessed Entities provide any sensitive personal information of the proposed employee to FSG, a separate consent should be obtained from the proposed employee. In addition, the service agreement with FSG should clearly stipulate the rights, obligations and responsibilities of both parties regarding the protection of personal information and contain a “firewall” clause to prevent the risk associated with unlawful processing of personal information by FSG. Further, in order to reduce uncontrollable risks, a clause prohibiting the subcontracting of background check services should be added to the service agreement with FSG. If Company A and Company D intend to engage a third party to conduct background checks on proposed employees in the future, Company A and Company D may adopt the suggestions here if appropriate.
  2. The Company shall establish a personal information protection policy and set out compliance requirements for HR and other employees when processing personal information.

  3. Collection of Personal Information of Officially Hired Employees

  1. Based on the responses to the questionnaire from the relevant functional staff, after deciding to formally hire a candidate, the Assessed Entities ask the employee to fill out the Employee Information Form (for Company B and SEC) or the Personal Data Sheet (for Company A and VMT), which require the employee to provide personal information such as name, ID number, contact information, address, bank card number, marital status, children’s status, family members’ information including contact phone numbers, education, etc.; sign the Employment Contract with the employee; and require the employee to acknowledge and sign for the Employee Handbook. In daily work, if an employee asks for leave, the Assessed Entities may also collect the employee’s information such as the sick leave statement. In addition, when Company A and Company D organize the employees’ onboarding health check and annual health check, they may also collect the employee’s name and ID number and review the employee’s health check report. According to the Personal Information Protection Law and other laws, when collecting personal information, the Company shall inform the individual of the purpose of collection and obtain his/her consent, and the collection shall comply with the “minimum necessity” principle. In particular, the Employee Information Form of Company B and Company C contains the statement that “this form is for archival purposes and must be filled out truthfully and carefully by each employee”; the Personal Data Sheet of Company A and Company D contains the statement that “I declare that the above information provided by me is factually correct”.
     The Employee Handbook of the four Assessed Entities provides that “if false information is provided, the company has the right to terminate the employment contract” but does not contain a clause explaining the specific use of the information collected, or a clause on the employee’s consent to the collection of personal information by the Assessed Entities. In addition, the employment contract templates provided by the four Assessed Entities do not contain provisions on the protection of personal information.
  2. Regarding the data related to employee attendance checks, we learned that SEC, Company A and Company D use fingerprint checking for daily employee attendance. The fingerprint data of Company C’s employees is stored in the attendance checking machine and is not stored on local servers or other devices located in mainland China, nor is it provided to the Corporate G headquarters in Germany, other affiliated companies outside of China, or other third parties. The fingerprint data of Company A and Company D employees is stored in the attendance checking machine and on local servers located in mainland China, and is not provided to the Corporate G headquarters or affiliated companies outside of China. Currently, only relevant personnel from the HR and IT departments of SEC, Company A and Company D respectively have access to such fingerprint data. However, PA, Company A and Company D did not obtain the consent of the employees before collecting their fingerprint data.
  3. In addition, Company B and Company C have installed cameras in their plants and posted warning signs at the entrances of the plants, but the monitoring is not mentioned in the two companies’ Employee Handbook or Employment Contract. Security cameras are also installed in the offices of Company A and VMT, but there are no warning signs notifying individuals that they are in a monitored area, and the monitoring is not mentioned in the two companies’ Employee Handbook or Employment Contract.

[Potential Compliance Risks:]{.underline}

  1. The four Assessed Entities do not obtain written consent from the employees for the collection of personal information, including the sensitive personal information such as ID numbers, mobile phone numbers, bank card numbers, and fingerprint characteristics (SEC, FA, and Company D collect employees’ fingerprints for attendance purposes) which shall be collected upon the individuals’ separate consent; there are no provisions regarding the protection of personal information in the Employee Handbook or Employment Contracts. In addition, the Company may not have reviewed the forms that require employees to fill out information to assess whether the types and the scope of information currently collected from the employees are consistent with the “minimum necessity” principle. Company A and Company D do not place notification signs in the areas where cameras are installed to indicate that the individuals are entering the monitoring areas.

[Preliminary Suggestions:]{.underline}

  1. Prepare a separate notification of consent for the processing of personal information of employees, as well as a notification of consent for the processing of sensitive personal information (and a notification of processing of personal information of minors under 14 years of age if necessary), specifying the types of data that may be collected, the purposes of collection, other data processing activities that may be involved (please refer to the analysis below for details), the retention period of the data, the rights that individuals have with respect to their personal information and the channels for exercising such rights, and ask employees to sign them.
  2. Add provisions on the protection of personal information to the existing Employment Contract and Employee Handbook.
  3. Review the information collection forms that need to be completed by employees to ensure that the information collected from employees is necessary for the day-to-day operations and management of the Company, and, if necessary, add representations regarding the authorization and consent for the processing of personal information to the relevant forms.
  4. Company A and Company D shall set up warning signs at conspicuous places in the monitored areas notifying individuals that they are in a monitored area.

  4. Other Processing Activities of Employees’ Personal Information

  1. Based on the responses to the questions in the questionnaire from the relevant functional staff and the review of the relevant documents, we learned that the Assessed Entities’ other processing activities regarding the employees’ personal information are as follows:
  2. (1) Personal information (name, mobile phone number, etc.) of the employees is provided to counterparties in the course of daily business. But there is no statement on the protection of personal information in the relevant agreements.
  3. (2) Storage activities, i.e., i) providing employees’ personal information to the German headquarters. To be specific, because the employee data (not including sensitive personal information) of the four Assessed Entities is currently stored in the ERP system, and all data in the ERP system is stored in the local servers of Corporate G German headquarters, such data storage conduct could be deemed as cross-border transfers of personal information. However, as mentioned above, such processing is not stipulated in the relevant employee information forms, Employment Contract,Employee Handbook, etc., and is not consented to by the employees. Meanwhile, pursuant to the Personal Information Protection Law, any of the following conditions must be satisfied prior to cross-border transfer of personal information, namely: passing the security assessment organized by the Cyberspace Administration of China (“CAC”); or being certified by a specialized agency on the protection of personal information; or entering into cross-border data transfer agreements with the overseas recipient in accordance with the standard contract formulated by the CAC. Amongst them, according to the Security Assessment Measures for Outbound Data Transfers, for 1) a data processor processing the personal information of more than one million people, or 2) a data processor has provided personal information of 100,000 people or sensitive personal information of 10,000 people in total to overseas since January 1 of the previous year, or 3) a CIIO, if any of them transfers personal information to overseas, they shall apply for security assessment on cross-border data transfer to be conducted by CAC. In addition, if a data processor transfers critical data to overseas, it shall also apply for security assessment on cross-border data transfer to be conducted by CAC. 
According to the information provided by the Assessed Entities, none of the Assessed Entities is currently recognized by any national regulatory authority as a CIIO, nor do the Assessed Entities process any critical data. At the same time, according to the information provided by the Assessed Entities, from 1 January 2021 to 25 November 2022, the total number of employees of the Assessed Entities in China is 344. Some of the personal information of the aforementioned employees (excluding sensitive personal information) is stored on a local server in Germany; the total number of contacts of business partners including customers, distributors and suppliers of the Assessed Entities stored in the information system of the Assessed Entities is approximately 18,528, the aforementioned contact information is stored on a local server located in Germany. In conclusion, there are 18,872 PRC-located individuals in total whose personal information is stored on the local server in Germany, i.e., the Assessed Entities have transferred the personal information of around 18,872 PRC-located individuals to overseas. In addition, the total number of personal information accessed by the Assessed Entities from 1 January 2021 to 21 November 2022 through websites, e-commerce platforms and other channels in the course of conducting their online sales business is 4,100, and if these data are also transferred to overseas, the total number of the PRC-based individual whose personal information is transferred abroad is approximately 22,972, which is less than the 100,000 as specified in the Security Assessment Measures for Outbound Data Transfers. Therefore, based on the above data provided by the Assessed Entities and the aforementioned calculations, as of the date of this report, the cross-border data transfer activities by the Assessed Entities are not in a situation where a security assessment on cross-border data transfer is required for the time being. 
However, as of the date of this report the Assessed Entities transfer activities has not been certified by a specialized institution on the protection of personal information as required by the Personal Information Protection Law, nor did it sign the relevant cross-border data transfer agreement with the German headquarter entity (and other affiliated parties abroad); ii) the Company’s HR systems store the employee’s information including the information of the employee’s relatives and the employee’s sick leave statement. The laptops of the HR personnel store the employees’ personal information as well. In addition, the HR department also retain the employee’s personal profile in hardcopy.
  4. (3) Some employees of one Assessed Entity can view the information about the employees of another Assessed Entity based on their management authority. To be specific, we learned that the Assessed Entities may share the same functional teams. For example, the IT head of the four Assessed Entities is currently the same person, and although his legally established the employment relationship (i.e., sign the employment contract) with one of the four Assessed entities, he is able to view the data of all the four Assessed Entities in practice based on his or her management authority as the IT head of Corporate G China. In such cases, although all the four Assessed Entities are the business entities of Corporate G China in terms of the corporate management structure, but from legal perspective, all the four Assessed Entities are legal entities independent of each other. Therefore, from legal perspective, if the employees of company A can view the internal data of company B, company C and company D could be deemed as these three companies’ providing their internal data to Company A, and according to thePersonal Information Protection Law, the conduct of providing personal information to external entities shall be notified to the individual and the individual’s consent shall be obtained. A written agreement shall also be signed with the external entity to clarify the respective rights and obligations. Currently, we learned that no personal information transfer and sharing agreements have been signed among the four Assessed Entities.
  5. (4) Sharing the employee’s personal information to third-party organizations, such as:
  6. (a) Providing the employee’s personal information such as the name, ID Card number, contact information and other sensitive personal information to the third-party services provider, i.e., Ctrip (applicable for Company B and SEC) and Spring Tour (applicable for Company A and VMT) for the purpose of assisting the employees to book air tickets, hotel tickets and other itineraries for their business trips. Such information sharing behavior is not stipulated in the documents such as the Employee Information Form, theEmployment Contract or the Employee Handbook, etc. or consented to by the employees; the service agreements with Ctrip and Spring Airlines contain no provisions regarding personal information protection and data compliance, either. (b) Providing the employee’s name, gender, age and contact information of employees to third-party medical check companies based on the Company’s employee medical examination benefit policy, and such information sharing behavior is not specified in the documents such as the Employee Information Form, the Employment Contract, the Employee Handbook, etc., and is not consented to by the employees in writing in advance. © The employees’ personal information such as ID numbers and dates of birth is provided to third-party insurance agencies, AIG (applicable for Company B and SEC) and Sun Life Everbright Life Insurance Co., Ltd (applicable for Company A and VMT) based on the Company’s benefit policy regarding purchasing accident insurance, such data sharing conduct is not specified in the documents such as the Employee Information Form, theEmployment Contract, the Employee Handbook, or is consented to by the employees, and the agreements respectively signed with AIG and Sun Life Everbright Life Insurance Co., Ltd do not contain data protection provisions related to the use of the aforementioned personal information and confidentiality requirements. (d) Entrusting a third party (i.e. 
China International Intellectech (Shanghai) Co., Ltd. (“CIIC”, applicable for FA) to provide services related to the employees’ endowment insurance, medical insurance, unemployment insurance, employment injury insurance and maternity insurance, and housing provident fund, personnel file management and work documents for entering Shanghai for work, handle the evaluation on the professional and technical title, and the handling of the registration of the collective Hukou, in which the Company may need to provide the employees’ personal information to CIIC. Such data sharing conduct is not stipulated in documents such as Employee Information Form, the Employment Contract, theEmployee Handbook, and is not consented to by the employees in writing in advance.
  7. (5) According to the Personal Information Protection Law, the personal information processor shall delete the personal information if any of the following circumstances occurs: (i) where the purpose of processing has been achieved, it is impossible to achieve such purpose, or it is no longer necessary to achieve such purpose; (ii) where the personal information processor ceases to provide products or services, or the storage period has expired; (iii) where the individual withdraws his/her consent; (iv) where the personal information processor processes personal information in violation of laws, administrative regulations or the agreement; or (v) other circumstances stipulated by laws and administrative regulations. Therefore, in principle, according to the requirements of the Personal Information Protection Law, if the candidate is not employed or the employee resigns, the Company should delete his or her personal information as soon as possible. Of course, in practice, based on other legal provisions and necessary management needs of the Company (for example, to prevent post-employment labor disputes, the company may retain the information of the ex-employees for a period of time), assuming that the Company has reasonably determined the storage period applicable to the Company’s practice and has informed the individual and obtained his or her consent, the Company may retain the information of the corresponding individual within the storage period determined by the Company. However, it should be noted that if an individual requests the Company to delete his or her personal information within the storage period, the Company should delete it in accordance with the provisions of the Personal Information Protection Law.
With regard to processing of the information of employees after the termination of their employment, according to information provided by Company B and SEC’s HR, Company B and Company C generally store the personal information of the employees for a certain period of time following their termination of employment. The retention period of the hardcopy of the personal information is usually 5 years and above, while that of the softcopy of the personal information is three years. Company A and VMT’s regulations and practices on storage and deletion of the employee information are to be confirmed. It is important to note that, according to the information provided by the IT department of the Company, the Company has not set up a unified deletion period for the moment, i.e., based on the current practice, even if the HR department has its own internal regulations on the storage and deletion of data, these may not be known to the IT and other departments, so it is possible that employee data would in practice be stored in the Company’s internal information systems for a longer period of time.

[Potential Compliance Risks:]{.underline}

  1. According to the provisions of the Personal Information Protection Law, the Company should notify the individual of the aforementioned data processing activities and obtain the consent of the individual and should comply with the principle of “minimum necessity”. Therefore, the following risks may exist in the current practice of the aforementioned data processing activities by the Assessed Entities:
  2. (1) There are no provisions for the protection of personal information in the agreements with the customers and the distributors.
  3. (2) Providing employee personal information (which may include sensitive personal information) to other Corporate G China entities without the employees’ consent.
  4. (3) Not being certified by a specialized institution on the protection of personal information in accordance with the Personal Information Protection Law, or signing the relevant cross-border information transfer agreements with the German headquarters (as well as other overseas affiliates, if any).
  5. (4) Providing the employees’ personal information to an external third-party institution without the consent of employees, while the service agreement with the external third-party institution does not include a data protection clause.
  6. (5) The departments vary in the practice on the setting of storage method and the period of storage of employees’ personal information. In addition, in practice, the former employees’ personal information may be stored for a longer period than “the minimum period necessary for the purpose of processing”.

[Preliminary Suggestions:]{.underline}

  1. (1) As mentioned above, prepare a separate notification consent form for the processing of personal information as well as a notification consent form for the processing of sensitive personal information, and add the provisions of personal information protection to the existing Employment Contract and Employee Handbook.
  2. (2) Add the personal information protection clauses to the agreements with the relevant suppliers and customers, as mentioned above.
  3. (3) Arrange for the execution of the data sharing agreements among the four Assessed Entities.
  4. (4) Sign a cross-border data transfer agreement with Corporate G German headquarters (and/or other offshore entities that need the Assessed Entities to share their employees’ personal information). At the same time, regularly calculate the quantity of personal information transferred overseas in terms of the number of individuals (including the quantity of personal information stored in overseas servers, and the quantity of personal information provided to overseas affiliated entities via email, etc.), and prepare for and apply for a security assessment on cross-border data transfer when the data transferred overseas meets the circumstances under which a security assessment is required. It should be noted that the Personal Information Protection Law stipulates that for cross-border transfer of personal information, one of the following three conditions needs to be met: 1) completion of a security assessment, or 2) certification on personal information protection, or 3) drafting and signing of a cross-border data transfer agreement with the overseas recipient in accordance with the contract template issued by the CAC. Among the three requirements, as mentioned above, the Assessed Entities are not currently in a situation where a security assessment on cross-border data transfers is required, but the Assessed Entities are required to regularly calculate the quantity of personal information transferred overseas in terms of the number of individuals and ensure that the security assessment is reported to the CAC in a timely manner when the security assessment for outbound data transfers is triggered.
With regard to the other two requirements, some of the practical guidelines for the certification on personal information protection are to be further clarified, and with regard to the third method, i.e., signing cross-border data transfer agreements, the CAC has only released a Draft of Standard Contracts for Cross-border Transfers of Personal Information, which has not been finalized and promulgated yet. Given that the Company is not currently defined by the regulator as a Critical Information Infrastructure Operator and currently does not process important data, based on the nature of the Company and the type of data processed by the Company, we consider that before the further refined practical guidelines for cross-border data transfer are issued, the Company may adopt the approach of signing data transfer agreements with overseas recipients. Although no template or model agreement has officially come into force, if the cross-border data transfer agreements between the Company and overseas recipients are drafted in accordance with the draft standard contract issued by the CAC and comply with the requirements for data security and information protection under the Personal Information Protection Law and other relevant laws, the risks associated with cross-border transfer of personal information could be relatively manageable. We will continue to monitor the issuance of the relevant regulations and rules, keep the Company posted in a timely manner, and take appropriate measures to ensure that the Company’s cross-border data transfer practices are in compliance with the effective legal requirements.
  5. (5) If the Company’s information systems store the personal information of employees, as well as the personal information of employees’ relatives, strict access management shall be adopted when storing such information. If sensitive personal information is stored in the information systems (such as bank accounts, ID numbers, mobile phone numbers, sick leave statements, medical check reports, etc.), it is recommended that stricter protection measures, such as encrypted storage, be taken to further reduce the risk of such information being leaked. At the same time, it is suggested that the Company establish a unified personal information protection policy (which should include provisions on personal information storage and access requirements).
  6. (6) Sign the data sharing and transfer agreements with relevant external third parties.
  7. (7) Regarding the storage period of the personal information of resigned employees, it is recommended to consider the factors such as the period agreed in the non-competition agreement, limitation of litigation, and the necessity of the company’s daily management to reasonably determine the length of such storage period and the scope, so as to form a unified information retention policy. At the same time, the Company should inform the individuals and obtain their consent and take the same protective measures as that of the current employees. After the storage period expires, the personal information should be deleted or anonymized. If the resigned employees request the Company to delete their personal information within the retention period, the company should delete it as requested.

5. Storage and Transfer of Data

  1. As we have analyzed the storage and transfer of personal information of the employees in Part 4, in this part we will discuss the storage and transfer of the data other than that of personal information of the employees.
  2. Regarding the transfer and sharing of data among the four Assessed Entities, as stated in previous paragraphs, the entities share some members of management and functional departments. Although the four Assessed Entities in China are all subsidiaries of Corporate G in terms of business management, they are all separate legal entities in law. Therefore, when the employees of Company A have access to data of Company B, Company C and Company D, it is deemed as the three companies providing data to Company A, so a data transfer and sharing agreement shall be signed and the consent of the information subjects must be obtained. For the collection of personal information of the employees of customers or suppliers, as it is based on the necessity of business and the performance of the related personnel’s duties, the four Assessed Entities need not obtain consent from them but should inform them that the data collected (including the contact person’s personal information) might be shared among the four entities of Corporate G China. We learned that no data transfer and sharing agreement has been signed among the four entities, and that no effort has been made by the four entities to inform customers and suppliers of the data transfer in the relevant agreements with them.
  3. Besides, according to the responses from relevant functional departments to our questionnaire, we learned that except for the Digiwin on-leave and reimbursement system and the Cityray HR system, whose data are stored within the PRC, all the other data in the systems, including ERP and CRM, are stored in Mannheim, Germany. Therefore, when data generated during day-to-day business is uploaded to the ERP and CRM systems by the Assessed Entities, as the servers are located overseas, the data is in fact transferred overseas automatically, which may constitute cross-border transfer of personal information if such data includes personal information. On the other hand, as the Assessed Entities and their German headquarters are separate legal entities, such transfer also constitutes “providing personal information to third parties” under the Personal Information Protection Law. According to the information provided by the Assessed Entities, none of the four entities have taken the measures prescribed by the Personal Information Protection Law for cross-border transfer, such as a security assessment, certification on personal information protection or signing a cross-border transfer agreement, nor have they informed the customers and suppliers that the personal information might be transferred abroad.
  4. For the protection of data, the Assessed Entities have adopted a series of measures in the storage management process, including using SSL encrypted channels during transfer, setting access permissions according to the principle of employee access necessity, using IAM to manage file server permissions, encrypting laptop hard disks, backing up mail servers and file servers while using disks and tapes for multiple types of backup copies, conducting backups on a regular weekly basis, adopting a combined backup method (using full backups and incremental backups), etc. But the entities have not set a deletion period for the data, nor have they formed a data protection policy that covers access management, data source labeling, data encryption and storage, data transfer security, data anonymization, and a data classification and hierarchical protection system, etc.
  5. The Personal Information Protection Law requires that the storage of personal information follow the principle of necessity, i.e., unless otherwise provided by laws and administrative regulations, the retention period of personal information shall be the shortest period necessary to achieve the purpose of processing. According to the information provided by the Assessed Entities, the Assessed Entities have not set a deletion period for the stored data, which leads to compliance risks; for instance, the personal information of some customer contacts which is no longer valid is still retained, or some customers have changed their contact person, but the personal information of the contact that is no longer valid is still retained.
  6. In addition, according to the information provided by the Assessed Entities, the employees of the Assessed Entities have their working email set up by the IT team of Corporate G China, and the email correspondences are stored on local servers located in the PRC.

[Potential Compliance Risks:]{.underline}

  1. (1) Employees of one of the Assessed Entities may have access to data of another Assessed Entity based on management authority, but no data sharing agreement has been signed by the relevant entities.
  2. (2) The Assessed Entities do not notify the customers before transfer of data, nor have they been certified on personal information protection or signed cross-border transfer agreement with the German headquarters (or other affiliated overseas entities) as required by the Personal Information Protection Law.
  3. (3) The Assessed Entities did not set a deletion period for some of the stored electronic data.

[Preliminary Suggestions:]{.underline}

  1. (1) As mentioned above, it is recommended that data sharing agreements be signed among the Assessed Entities.
  2. (2) As mentioned above, it is recommended that cross-border data transfer agreements be signed between the Assessed Entities and the German headquarters (or other overseas affiliated entities). At the same time, regularly calculate the quantity of personal information to be provided abroad in terms of the number of individuals (including the quantity of personal information stored in overseas servers, and the quantity of personal information transferred to overseas affiliates via email, etc.), and prepare for and apply for the security assessment on cross-border data transfer when the data to be provided abroad meets the circumstances under which the security assessment is required.
  3. (3) Review and check on the customers’ contact information, delete the personal information of the invalid contacts, add statements to obtain consent for the customers’ personal information such as contact information to be transmitted across borders and stored in overseas servers in the agreements or emails with customers and inform the customers of the method to submit their requests of deletion.
  4. (4) Form a unified data storage policy based on the Company’s practical needs.

6. Processing, Use and Share of Data

  1. As Part 4 of this report has analyzed the processing, use and sharing of employees’ personal information, this part will mainly discuss the processing, use and sharing of other data including the personal information of the contacts of the suppliers and customers.
  2. According to the responses of relevant functional departments to our questionnaires, the purpose of collecting customers’ or suppliers’ information (including the contact person’s name, mobile number, email address, product needs and the company’s financial account) is to set up the customer or supplier file in the internal system, process orders, issue invoices, conduct production and sales forecasting, conduct product marketing activities, organize customer activities and conduct internal and external trainings. Regarding the promotional information sent to customers, the Assessed Entities send it through the Universal Messenger software operated by the German headquarters, with the server in Germany, or through the email sender in Germany. The emails contain methods for the customers to unsubscribe, but it is unclear whether consent is obtained beforehand.
  3. Regarding the sales activities of the Assessed Entities, the main sales modes include online sales and offline sales.
  4. Regarding online sales, the Assessed Entities would use the DCP platform operated by Corporate G Germany (applicable to Company A and VMT) and some third-party platforms (i.e., Company B and Company C use EPEC, Company A uses JD, VIPMRO and 1688) for sales business, including receiving orders, order settlement, aftersales service, etc. To be specific:
  5. (1) Regarding the DCP website operated by Corporate G headquarters in Germany, customers can register on this website to make purchases by providing a contact name, contact number, shipping address and invoice requirements at the time of registration. The state-owned enterprise or state-owned research institute customers of Company A and Company D do not currently have DCP accounts. Corporate G can view all DCP customer data, including basic customer information, customer order details and shipping addresses. In addition, for the Chinese distributors or authorized agents who currently use DCP more frequently, Company A has signed Online Order Agreements with them (FA provided a template agreement for our reference). According to Article 9 “Security and Confidentiality Obligations” of this agreement, the parties agree that each party shall treat the other party’s network programs, account numbers and passwords, computers, telephone numbers or similar information as “confidential” or “proprietary information”. Unfamiliar users who apply for an account only need to click the “Terms and Conditions of Sale”. At the same time, the DCP website has a privacy policy to inform users of how their personal information will be processed. It should be noted that since the DCP website is operated by the German headquarters, we understand that in this case, if a Chinese distributor registers as a user on the DCP website, the German headquarters will collect the personal information of the contact person directly through the DCP website. According to the Personal Information Protection Law, overseas individuals and entities that process personal information from the territory of the PRC for the purpose of providing products or services to individuals in the PRC shall comply with the provisions of this law.
Therefore, the DCP website’s processing of such personal information shall comply with the provisions of the Personal Information Protection Law. At present, the privacy policy on the DCP website is mainly based on the EU GDPR and needs to be further revised in accordance with the laws of the PRC. In addition, the existing Online Order Agreement, although containing provisions on privacy protection, is not sufficient to cover the rights and obligations of both parties with respect to data protection.
  6. (2) With regard to the business of Company B and Company C on the EPEC platform, in accordance with the service agreement provided by the Assessed Entities and the information we found on the EPEC platform, Company B and Company C employees can receive personal information such as real names, company phone numbers, mobile phone numbers, email addresses, company addresses and other personal information of the contact persons of the platform’s suppliers and purchasers after registering as members; they may then contact the relevant individuals and process online transactions. At the same time, according to the agreement and policy of the EPEC platform, a platform member shall not download personal information to the platform member’s local server. Therefore, Company B and Company C may receive personal information of the purchaser contact persons on the platform but are not allowed to download such personal information to PA’s and SEC’s local servers. Apart from personal information, the types of data involved in PA’s and SEC’s interaction with suppliers and partners do not include other “important data” under the Data Security Law, based on the responses of personnel from relevant functional departments to the questionnaires and our review of relevant documents. The cooperation/service agreement between Company B and Company C and the third-party platform does not contain data protection clauses clarifying the rights and obligations between the two parties. In addition, we understand that Company B and Company C currently do not have policies regarding the processing of personal information.
  7. (3) Regarding FA’s sales business on JD, according to the information provided by FA, there are currently two Corporate G stores on JD. One is called the “Corporate G JD Self-operated Flagship Store”, which is not directly operated by FA but by FA’s online authorized distributor “Suzhou VIPMRO”. Company A cannot directly view or download consumer or store membership data for this store. After reviewing the Online Distribution Agreement signed by Company A with Suzhou VIPMRO Information Technology Co., Ltd., we found that it does not contain relevant provisions on data compliance and personal information protection or requiring the distributor to process data in accordance with legal regulations. The other store, the “Corporate G Official Flagship Store”, is directly operated by FA. All e-commerce team members responsible for operating the “Corporate G Official Flagship Store” can view and download the order information of the store through the store’s backend system. The order information contains the ID of the user who placed the order, the customer name, customer address and contact number. If the customer requests an invoice, they can also see the invoicing information filled out by the customer (such as the name of the party the invoice is issued to, tax number, company address, bank of deposit and account number). The e-commerce team employees currently have the authority to send messages to the consumers of the store, which is currently handled by the store managers and customer service representatives. The messages contain an option to unsubscribe, but according to the information provided by the Company at present, it is uncertain whether the consumers are informed in writing before such messages are sent. Besides, at present, Company A does not have a privacy policy applicable to its self-operated store.
It should be noted that whether Company A directly views and downloads the store order information when operating a store itself, or obtains the consumers’ personal information from the third-party agent or the online platform when entrusting a third party to operate a store on its behalf, it shall perform the corresponding personal information protection obligations and process relevant personal information in accordance with the provisions of the Personal Information Protection Law. In addition, when entrusting VIPMRO to operate the store, it should require VIPMRO to process the consumer data in accordance with relevant laws and regulations and the provisions of the JD platform. At present, Company A does not have a corresponding policy for the protection of personal information.
  8. (4) Regarding the sales business of Company A on the VIPMRO platform, according to the information provided by FA, the VIPMRO platform belongs to FA’s online authorized distributor “Suzhou VIPMRO”. Company A has no stores on VIPMRO, only provides Corporate G products on the platform, and does not directly operate the online transactions. Therefore, Company A cannot directly view or download order and consumer data. After reviewing the Online Distribution Agreement signed by Company A with Suzhou VIPMRO Information Technology Co., Ltd., we found that it does not contain relevant provisions on data compliance and personal information protection or require distributors to process data in accordance with legal regulations. In addition, it should be noted that if Company A obtains consumers’ personal information from the VIPMRO platform for necessary purposes such as post-sales services, it shall perform the corresponding personal information protection obligations and process relevant personal information in accordance with the provisions of the Personal Information Protection Law. As mentioned above, Company A does not currently have a policy in place regarding the protection of personal information.
  9. (5) Regarding FA’s sales business on the 1688 platform, there are two Corporate G officially authorized stores on the 1688 platform operated by two authorized distributors of Corporate G. Corporate G e-commerce team members have backend sub-accounts for the two stores, so they can view the stores’ orders and the buyers’ information stated in the orders (i.e., the ID placing the order, the recipient, delivery address and contact number), but cannot directly download such data. If they need to download the data, the distributor’s designated person in charge of store operation will do so and send it to the Company A employees. The person in charge of store operations designated by the distributor can send messages to the consumers of the stores, and there is an option to unsubscribe. After reviewing the Cooperation Agreement on Authorizing Shanghai Baice Self-Control Technology Co., Ltd. to Open a Corporate G Store and the Cooperation Agreement on Authorizing Shanghai Wudie Trading Co., Ltd. to Open a Corporate G Store provided by FA, we found that the distributor has a confidentiality obligation regarding customer data, sales records, document vouchers and other information provided by FA, and that when Corporate G so requests or the agreements are terminated, all such information shall be returned to Corporate G or destroyed in accordance with Corporate G’s instructions. However, the two agreements do not contain provisions on personal information and data compliance or requiring the distributors to process data in accordance with the laws. In addition, it should be noted that when viewing or obtaining consumer information, Company A employees shall perform the corresponding personal information protection obligations and process relevant personal information in accordance with the provisions of the Personal Information Protection Law. Besides, as mentioned above, Company A does not currently have a policy in place regarding the protection of personal information.
  10. In addition, the Company sells products and services by signing distribution agreements with offline distributors. According to the Distributor Agreement it signed with Beijing Hot Innovation Control System Co., Ltd. and the Distributor Agreement it signed with Chongqing Xikaiang Technology Co., Ltd., Company A may request the distributor in writing to provide information such as the destination of the distributed products, which means that in practice it is possible for Company A to obtain end-users’ information (which may also include the personal information of the contact person) from the distributor. The two distributor agreements do not contain provisions on personal information protection and data compliance, nor do they contain “firewall” clauses to prevent distributors from implicating Company A through their processing of data in violation of regulations.

[Potential Compliance Risks:]{.underline}

  1. (1) The Germany headquarters possibly sends emails containing commercial advertisements to the personal email address of the customers’ contact without the individual’s consent. Besides, the persons operating the online stores possibly send the promotional messages to the VIP members of the online stores without the relevant individuals’ consent.
  2. (2) The privacy policy on the DCP website needs to be reviewed and revised in accordance with the relevant laws and regulations of the PRC, and the Online Order Agreement signed with some distributors which use DCP more frequently is not comprehensive on the provisions regarding the protection of personal information.
  3. (3) There are no provisions on personal information protection and data compliance in the agreements with online, offline distributors and third-party online platforms. There are no “firewall” clauses to prevent the Company from being implicated by third parties due to the third parties’ unlawful processing of personal information, either.
  4. (4) For FA’s self-operated store, the Company has not signed a specific service agreement with JD to clarify the rights and obligations of both parties in addition to a standard user agreement, and the self-operated store has not formulated corresponding privacy policies, nor has it informed the consumers of how the store will process their personal information collected.
  5. (5) The Assessed Entities have not established policies for the protection of personal information to regulate employees’ use of personal information obtained from third parties.

[Preliminary Suggestions:]{.underline}

  1. It is recommended to add a stipulation to the correspondence or cooperation agreements with customers to obtain the customer’s consent to receiving promotional emails. The Company should also notify the customer that it may entrust third parties to send such promotional emails and obtain the customer’s consent to this. If the processing of sensitive personal information is involved, the relevant part should be highlighted and separate consent obtained. When sending messages to consumers of the online stores, the consumers should be informed in writing and their consent obtained.
  2. Review the privacy policy of the DCP website and the Online Order Agreement signed with some distributors who use DCP more frequently against the current PRC laws and regulations, and make the necessary amendments.
  3. Add provisions on personal information protection and data compliance to the agreements with online distributors, offline distributors and the EPEC platform, as well as “firewall” clauses to prevent the Company from being implicated in the unlawful processing of personal information by third parties.
  4. For FA’s self-operated store, if feasible, sign a specific service agreement with JD to clarify the rights and obligations of both parties. At the same time, formulate a privacy policy for the self-operated store and inform consumers of how the store will process their personal information.
  5. Establish policies for the protection of personal information.

7. Cybersecurity and Data Compliance Management

  1. By reviewing the documents provided by the Company and interviewing the relevant business departments of the Assessed Entities, we understand that the Company does apply certain practical requirements for cybersecurity, data security and personal information protection in its daily operations, such as appointing a dedicated cybersecurity/data compliance officer, restricting access permissions to some data, requiring the overseas parent company or affiliates to follow certain management processes to obtain permission to view such data, and using SSL-encrypted channels for transfer. However, these practices are not sufficient to cover the obligations the Company should fulfil in terms of network security, data security and personal information protection as a network operator and data processor. Such obligations may include formulating a data classification policy, network security management policies, a network security incident emergency response policy, an information security incident management policy, and a network and information security internal audit management policy with operating procedures.
  2. In addition, by reviewing the documents provided by the Company and interviewing the relevant business departments of the Assessed Entities, we understand that the Assessed Entities are not classified as “Critical Information Infrastructure Operators” under the Cybersecurity Law, and that the data accessed and processed by the Company consists of personal information and other business data which do not fall under “important data” as defined under the Data Security Law. This means the data that the Company processes does not involve important data which may endanger national security or public safety once tampered with, destroyed, or illegally acquired or exploited. At present, the Assessed Entities have not formulated the corresponding management policies and operating procedures under the Personal Information Protection Law, such as personal information collection rules, personal information use rules, sensitive personal information processing rules, personal information storage and protection policies, rules for sharing, providing, transferring and entrusting the processing of personal information, and personal information cross-border transfer rules.

[Potential Compliance Risks:]{.underline}

  1. As a network operator under the Cybersecurity Law and a personal information processor under the Personal Information Protection Law, the Assessed Entities have not conducted relevant assessments in accordance with the relevant provisions of the Cybersecurity Law and the Personal Information Protection Law, nor have they formulated internal management policies and operating procedures related to network security protection and personal information protection.

[Preliminary Suggestions:]{.underline}

  1. According to the current practice of law enforcement, the enforcement authorities may show a certain degree of tolerance if a company has not been involved in a network security or personal information security incident, but considering that the Assessed Entities conduct a large amount of domestic and overseas information exchange, it is suggested that the establishment of the relevant internal policies and procedures for network security, data security and personal information protection be started as soon as possible. Meanwhile, it is recommended that the Assessed Entities consider completing the grading, filing and evaluation of network security classified protection, which generally includes the following steps: (a) Determine the protection grade of the system in accordance with the relevant laws and regulations. To be specific, the information system operator should determine the security grade of the information system, use information technology products that meet the corresponding requirements, carry out security construction and reconstruction work, and formulate and implement the security management system required by the corresponding security protection grade. (b) Provided that the grading is accurate and filing is needed, the operator should go to the public security organ at or above the municipal level in the local area to handle the filing formalities. (c) Obtain a filing certificate. After the submitted filing materials are reviewed and approved, the public security organ at the municipal level or above in the local area will issue the “Information System Security Grade Protection Filing Certificate”. (d) Carry out graded security assessments. Information system operators should regularly carry out security assessments. The frequency of the security assessment of a Level I system is at least once a year, and that of a Level IV system is at least once every six months. A Level V information system is evaluated according to special security needs. The system operator should promptly submit the assessment report of the information system to the public security organs. If rectification is needed, the rectification report should be submitted to the public security organs for the record after the rectification is completed. At the same time, the public security organs will also inspect Level III and Level IV information systems at the same frequency as the assessments, and Level V information systems are subject to inspection by special departments designated by the state. It should be noted that the first step, i.e., system grading, is particularly critical: the public security organs will require the operator to make rectification if the grading is inaccurate and may also recommend that the operator organize experts for a re-grading review. Therefore, to ensure compliance from grading to evaluation, many companies choose to engage a third-party institution with relevant qualifications and experience to assist them from the system grading stage through the following stages. We also recommend that the Assessed Entities, if feasible, consider engaging such a third-party institution to assist in the grading, filing and evaluation of network security grade protection.
  2. In addition, in data compliance management involving external entities (in particular third parties providing data processing services to the Company), where the signatory to an agreement is one Corporate G entity but the agreement in fact covers all the Corporate G entities, it may be difficult for the other Corporate G entities to claim damages if their data is leaked in a data security incident on the third party’s side, because they are not signing parties. It is therefore recommended to sort out whether this situation exists (after our preliminary sorting and feedback from the Company, it does exist, for example in an agreement signed with FSG). If so, it is recommended either to sign a supplementary agreement with the other party to the contract clarifying that the agreement covers all the relevant Corporate G entities, or to clarify through an internal agreement among the relevant Corporate G entities that the entity which signed the agreement with the external party is entitled to make claims on behalf of the other entities in the event of a dispute.

8. Compliance Tips for Using a Corporate VPN

  1. According to the information provided by the Company by email on May 20, 2022, the four Assessed Entities currently use a “self-built” corporate VPN operated by their headquarters in Germany, and Checkpoint provides the related corporate VPN services to Corporate G. To be specific, Checkpoint signed a services agreement with Corporate G headquarters to provide corporate VPN services to Corporate G globally.
  2. In 2017, the Ministry of Industry and Information Technology issued the Notice on Clearing and Regulating the Internet Network Access Service Market, which further clarifies that, without the approval of the competent telecommunications authorities, it is not allowed to establish or rent specific channels (including virtual private networks, VPNs) to carry out cross-border business activities. An international dedicated channel leased by a basic telecommunications enterprise to a user shall be recorded in a collective user file, and the user shall be notified that the channel may only be used for internal office work and shall not be used to connect domestic or overseas data centers or business platforms to carry out telecommunications business activities. This means that when foreign trade enterprises and multinational enterprises need cross-border networking through a dedicated channel for reasons such as internal office use, they may rent dedicated channel services from telecommunications business operators who lawfully operate international communication entrance and exit channel businesses.
  3. Based on the above provisions of the Ministry of Industry and Information Technology and current market practice, a company can currently use a corporate VPN by one of two methods. One method is to use the services provided by the basic telecom operators (i.e., China Telecom, China Mobile, China Unicom) that hold a VPN business license. Companies with such needs can communicate them to these operators (or through agents who have cooperative relationships with these operators), and the operators will provide a corresponding service plan according to the needs of the company and implement it accordingly. The other method is to establish an entirely independent, self-built corporate VPN (i.e., not using the VPN service of a Chinese mainland basic telecom operator), which generally requires first going through the approval/filing process of the Ministry of Industry and Information Technology and other regulatory authorities before setting up the channel and configuring facilities in both the domestic office and the overseas office of the company. Relatively few companies currently use this method because it needs to be reported to the regulatory authorities and is time-consuming.
  4. Through public searches and telephone consultations, we found that Checkpoint, the corporate VPN service provider for Corporate G, has a representative office in Beijing, China (i.e., Israel Checkpoint Security Software Technology Co., Ltd., Beijing Representative Office). According to the information displayed on its official website in China, Checkpoint has offices in Beijing, Shanghai and Guangzhou in Chinese mainland, but according to our inquiry it does not hold a VPN business license. After telephone consultation, we found that Checkpoint acts only as an agent when conducting VPN business, serving mainly as a communication channel between the customers and the operators (exchanging needs, confirming program details, etc.); the specific program design and implementation work are still carried out by the basic telecom operators. In summary, we understand that if Checkpoint provides corporate VPN services to the Assessed Entities in this way, the Checkpoint corporate VPN service currently used by the Assessed Entities is in fact provided by a basic telecom operator holding a VPN business license. In addition, according to our telephone communication with the head of the Company’s IT department on July 5, 2022, the Company also purchases hardware equipment for the corporate VPN from an agent of Checkpoint.

[Potential Compliance Risks:]{.underline}

  1. It should be noted that if the agreements respectively signed with Checkpoint and the hardware equipment supplier do not require that the corporate VPN services or products provided by them should comply with the relevant laws and regulations of the PRC, it may cause losses to Corporate G if they are in breach of law.

[Preliminary Suggestions:]{.underline}

  1. It is recommended that Corporate G include a “firewall” clause that requires Checkpoint and the hardware equipment supplier to provide VPN services or products in compliance with relevant Chinese laws and regulations in the service agreements respectively signed with Checkpoint and the hardware equipment supplier so as to prevent Corporate G from being implicated by their violations of laws and regulations.

Tags: database, security

This article is reposted from: https://blog.csdn.net/hinker/article/details/129098869
Copyright belongs to the original author Hinker Liu; in case of infringement, please contact us for removal.
