China: Measures for the standard contract for outbound transfer of personal information – part two

Managing IP is part of Legal Benchmarking Limited, 4 Bouverie Street, London, EC4Y 8AX

Copyright © Legal Benchmarking Limited and its affiliated companies 2025

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement

China: Measures for the standard contract for outbound transfer of personal information – part two

Sponsored by

Tahota logo.JPG
network-4478146.jpg

In the second of a two-part series, Charles Feng, Lian Xue and Yifan Lu of Tahota delve deeper into China’s new measures for the cross-border sharing of personal information

Transferring via Standard Contract

According to Article 4 of the Measures for the Standard Contract for Outbound Transfer of Personal Information (the Measures), any personal information processor transferring personal information overseas by entering into the Standard Contract shall meet all of the following conditions: 

  • It is not a critical information infrastructure operator;

  • It processes the personal information of less than one million individuals;

  • It has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year; and

  • It has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year.

In contrast to the Security Assessment Measures for Outbound Data Transfer, the Cyberspace Administration of China (CAC) has clearly delineated the application of the two mechanisms. This is in terms of the specific identity of the data processor and the level of personal information processed. This provides a clear reference for enterprises to determine the path they need to follow based on their own identity and the specific circumstances of their cross-border data transfer.

The Standard Contract may apply more to small scaled personal information processors, rather than operators of critical information facilities that have a much larger impact on public interest. For personal information processors that may fall under the Security Assessment Measures for Outbound Data Transfers, they should submit the security assessment application to the cyberspace administration in accordance with the law. They are not allowed to take the approach of the Standard Contract, and split the amount of information and transfer them in multiple times.

The Measures will apply to the transfer of personal information of employees between the headquarters and branches of multinational companies inside and outside China, as well as the transfer via third party Chinese service providers.

Establishing a Standard Contract

If the cross-border personal information transfer of an enterprise falls within the scope of the Standard Contract under the Measures, the general process to enter a Standard Contract is as follows:

  • Conduct a personal information protection impact assessment;

  • Conclude the contract in accordance with the Standard Contract;

  • File a recordal to the provincial cyberspace administration;

  • Submit materials including Standard Contract and result of personal information protection impact assessment; and

  • Receive feedback from the cyberspace administration on possible supplementation or re-establishment of Standard Contracts or completion of recordals.

Impact assessment for Personal Information Protection

The Measure requires that the operator conducts an Assessment of Impact against Personal Information Protection before conducting the cross-border transfer. The factors that shall be evaluated include the following:

  • The legality and necessity of the purpose, scope and method of the personal information processing by the personal information processor and the overseas recipient;

  • The volume, scope, category, and sensitivity of personal information to be transferred abroad, and the risks to the personal information rights and interests that may be caused by the cross-border transfer;

  • Obligations that the overseas recipient promises to undertake, and whether the management, technical measures and capabilities of the overseas recipient to perform the obligations can ensure the security of the personal information to be transferred;

  • The risk of tampering, damage, leakage, loss and abuse of personal information after its transfer, and whether the channels for individuals to exercise their personal information rights and interests are accessible;

  • The impact of policies and regulations for the protection of personal information and performance of the Standard Contract in the jurisdiction where the overseas recipient is located; and

  • Other factors that may affect the security of cross-border personal information transfer.

Application of the Standard Contract

Enterprises shall enter into the contracts for cross-border personal information transfer strictly in accordance with the Standard Contract provided in the annex to the Measures. This stipulates that the personal information processor may agree with other terms with the overseas recipient, provided they do not conflict with the Standard Contract.

Besides, if the Standard Contract conflicts with other legal documents agreed by the parties, the terms of the Standard Contract shall prevail. Therefore, data processors need to pay attention to the relevant overseas legislations and regulations as well as the contracts previously agreed with overseas recipients for any conflicts.

If the circumstances specified in Article 8 of the Measures change during the performance of the Standard Contract, the processor is required to re-conduct the assessment of impact of personal information protection. They may then supplement or re-conclude the Standard Contract and re-file the recordal to the cyberspace administration.

Important time points

Within 10 working days from the effective date of the Standard Contract, processors shall file a recordal with the cyberspace administration where they are located.

Final thoughts

The Measures are widely regarded as an important regulation for cross-border personal information transfer, which significantly strengthen the protection of personal information. The Standard Contract system will also be helpful to unify the application of national standards with different administrative organs.

During the preparatory period from now on, processors of cross-border personal information transfers may want to develop corresponding compliance systems. They may also want to complete the assessment and rectification, as well as the recordation, to ensure that their business continues to run smoothly and prevent risks and avoid information security incidents.

Tahota would like to thank Jing-mei Luo for their contribution to the article.

more from across site and SHARED ros bottom lb

More from across our site

The court, which has handed down one of the highest ever IP damages awards in India, held Amazon liable for infringing the 'Beverly Hills Polo Club' trademark
In BSH v Electrolux, the CJEU said that courts can rule on patent infringement in other member states even where validity is raised as a defence
Exclusive data and analysis reveal the interplay between costs transparency and other factors in helping South African counsel pick their external advisers
A settlement between SharkNinja and Dyson, a costs dispute involving a pornography company, and people moves at Clifford Chance and Casalonga were among the top talking points
The treatment of USPTO employees has been haphazard and shows a misunderstanding of how the IP office works and the challenges it faces
Jeff Kuester discusses why IP is the perfect party conversation and why excitement and stress are two of a kind
IP counsel Anna Bien and global marketing manager Lesia Tarasenko explain how the brewery secured an EUTM and the lessons they learned
Federal employees, including at the USPTO, have been ordered to justify their roles by outlining what they accomplished in the last week
Philips wins more than $2m in damages as Delhi High Court comes down hard on Indian DVD makers for wasting the court’s time
Public documents in a long-running feud between Brainchild and CPA Global provide more information about how CPA manages patent renewal costs
Gift this article