My codes are:
== #emph[Case Study 3: Global Cloud Migration]
#emph[Scenario:] A multinational retail corporation with headquarters in the #emph[EU] and branches in #emph[Hong Kong and Mainland China] is moving its customer records to a global cloud provider based in the #emph[United States].
- #emph[Discussion Questions:]
- 1\. #emph[EU Data Flows:] Under the GDPR's #emph["Adequacy" model], what must the corporation check before moving data from its Paris branch to the US? If the US is not deemed "adequate," what secondary mechanisms (like #emph[SCCs]) could they use?
- 2\. #emph[China Data Flows:] How does China's #emph["Security Assessment & Permission"] model differ from the EU's approach for this transfer?
- 3\. #emph[ROPA:] The company has 500 employees. Is it legally required to maintain a #emph[Record of Processing Activities (ROPA)] for this migration? What specific "ingredients" must be in that record?
- 4\. #emph[Liability:] If the US cloud provider suffers a data breach, who is held responsible under the PIPL—the retail corporation (the handler) or the cloud provider (the entrusted party)?```
and
```typ
== #emph[Case Study 3: Global Cloud Migration]
- #emph[EU Data Flows:] Under the GDPR, the corporation must first check if the US has #emph["Adequacy" status]. Because the US is generally a "non-adequate" country, the exporter must provide #emph["appropriate safeguards,"] such as #emph[Standard Contractual Clauses (SCCs)] or #emph[Binding Corporate Rules (BCRs)].
- #emph[China Data Flows:] China's model is a #emph["Permission" model] focused on the exporter's profile and data volume. While the EU focuses on whether the destination (the US) is safe, China focuses on whether the exporter is a #emph[Critical Information Infrastructure Operator (CIIO)] or is sending a volume of data that triggers a mandatory #emph[government security assessment].
- #emph[ROPA:] Since the company has 500 employees, it is #emph[legally required] to maintain a #emph[Record of Processing Activities (ROPA)] under the GDPR. The record must include the name of the controller, #emph[purposes of processing], categories of data subjects, #emph[recipients in third countries] (the US Cloud), retention periods, and security measures.
- #emph[Liability:] Under the PIPL, the #emph[data handler] (the retail corporation) remains responsible for how the "entrusted party" (the cloud provider) handles the data. The handler must conduct #emph[legal and technical due diligence] because they can be held liable for breaches by their third-party vendors.```
My preamble is:
```typ
#import "@preview/showybox:2.0.4": showybox
#import "@preview/touying:0.6.1": *
#import themes.metropolis: *
#import "@preview/numbly:0.1.0": numbly
#set quote(block: true, quotes: true)
#set text(
font: ("Libertinus Serif", "STFangsong"), // "SimSun" "STsong" "Songti TC" "Libertinus Serif", "Times New Roman"
// lang: "zh",
// region: "tw",
lang: "en",
region: "uk",
// size: 10pt,
hyphenate: true,
)
#show: metropolis-theme.with(
aspect-ratio: "16-9",
config-info(
title: "name",
subtitle: "name",
author: "John Doe",
date: "2026", //date: datetime.today(),
// institution: "The institution",
// logo: emoji.school,
),
)
#set heading(numbering: numbly("{1}.", default: "1.1"))
#title-slide()
= Outline <touying:hidden>
#outline(title: none, indent: 1em, depth: 1)```
?