Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information


Order of the Cyberspace Administration of China No. 13

February 22, 2023

The Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information, adopted at the 2nd office meeting of the Cyberspace Administration of China in 2023 on February 3, 2023, are hereby issued and shall come into force on June 1, 2023.

Zhuang Rongwen, Director of the Cyberspace Administration of China

Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information

Article 1 The Measures are formulated in accordance with the Personal Information Protection Law of the People's Republic of China and other laws and regulations to protect personal information rights and interests and regulate the outbound cross-border transfer of personal information.

Article 2 The Measures apply to the provision of personal information to any recipient outside of the territory of the People’s Republic of China by a personal information processor under a standard contract for outbound cross-border transfer of personal information executed with such overseas recipient (hereinafter referred to as the “Standard Contract”).

Article 3 Where personal information is transferred overseas under a Standard Contract, a practice of independent contracting combined with compliance with the record-filing requirement, and protection of rights combined with prevention of risks shall be maintained to ensure a secure and free flow of personal information across borders.

Article 4 To provide personal information to an overseas recipient by executing a Standard Contract, a personal information processor shall meet the following criteria:
(1) not being a critical information infrastructure operator;
(2) handling personal information of fewer than one million individuals;
(3) having provided personal information of fewer than 100,000 individuals in aggregate to overseas recipients since January 1 of the previous year; and
(4) having provided sensitive personal information of fewer than 10,000 individuals in aggregate to any overseas recipients since January 1 of the previous year.
Where it is otherwise provided in any law or administrative regulations, or by the national cyberspace authority, those provisions shall prevail.
A personal information processor must not split up the amount of personal information to be transferred overseas or otherwise act in order to provide personal information, the outbound cross-border transfer of which should be subject to a security assessment according to the law, to an overseas recipient through a Standard Contract.

Article 5 Before providing any personal information to an overseas recipient, a personal information processor shall conduct a personal information protection impact assessment focused on the following matters:
(1) the legality, legitimacy, and necessity of the purpose, scope, and method of the personal information processing by the personal information processor and the overseas recipient;
(2) the quantity, scope, type, and sensitivity of personal information to be transferred overseas, and the risk that the outbound cross-border transfer may pose to personal information rights and interests;
(3) the responsibilities and obligations that the overseas recipient undertakes to assume, and whether the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations are sufficient to ensure the security of personal information to be transferred;
(4) the risk of the personal information being tampered with, sabotaged, disclosed, lost, or illegally used after it is transferred overseas, and whether there is a smooth channel for protecting the rights and interests in the personal information;
(5) the impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the performance of the Standard Contract; and
(6) other matters that may affect the security of personal information to be transferred overseas.

Article 6 A Standard Contract shall be executed in strict accordance with the content of the annex of the Measures.
  ......