This is an interesting case, and not only for the reasons mentioned in the press. It doesn’t give us much to work with but…
What strikes me, which is often overlooked by organisations are that employees and ex-employees -as is the case here- have rights under GDPR. Every employee is a data subject…. although of course you knew that 😉
What seems to be common with dissatisfied customers applies to unhappy ex-employees (in this case) they exercise their rights under GDPR. This guy wanted to be forgotten and access (on what couldn’t be deleted one can assume). This means that even if your organisation is a role of processor in the delivery of services to your customers, who are the controller, you are still regardless the controller to your employees.
What was used for the transfer of employee data over to China is contractual clauses. However, the award of the fine, a meagre €5k was for not responding to the ex-employee as per his rights, not on the use of contractual clauses…. would be interesting to know more on this.