Measures for the Standard Contract for Outbound Transfer of Personal Information

By Yoni Hao

Last Updated on Mar 16, 2023

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2023-02-22

Effective Date: 2023-06-01

Source: http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm

Original Title: 个人信息出境标准合同办法

Measures for the Standard Contract for Outbound Transfer of Personal Information

Decree No. 13 of the Cyberspace Administration of China

Article 1 For the purposes of protecting personal information rights and interests, and regulating outbound transfer of personal information, the Measures for the Standard Contract for Outbound Transfer of Personal Information (the “Measures”) are enacted in accordance with the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations of the People’s Republic of China.

Article 2 Any personal information handler who enters into a standard contract for the outbound transfer of personal information outside the People’s Republic of China (the “Standard Contract”) with a foreign recipient shall apply the Measures.

Article 3 When conducting any outbound transfer of personal information by means of concluding the Standard Contract, the personal information handler shall adhere to the combination of autonomous contracting with record-filing management and of the protection of interests with security risk prevention, and shall ensure the security and free flow of personal information.

Article 4 Any personal information handler transferring personal information abroad by entering into the Standard Contract shall meet all of the following conditions:

(1) it is not a critical information infrastructure operator;

(2) it processes the personal information of fewer than 1 million individuals;

(3) it has cumulatively transferred abroad the personal information of fewer than 100,000 individuals since January 1 of the previous year; and

(4) it has cumulatively transferred abroad the sensitive personal information of fewer than 10,000 individuals since January 1 of the previous year.

Where there are other relevant provisions in any laws, administrative regulations or rules of the Cyberspace Administration of China, such provisions shall apply.

The personal information handler shall not use methods such as quantity splitting to transfer abroad, by means of the Standard Contract, personal information that is required by law to undergo the outbound security assessment.

Article 5 Prior to the outbound transfer of personal information, the personal information handler shall conduct a personal information protection impact assessment, focusing on the following:

(1) the legality, legitimacy and necessity of the purpose, scope and method of the processing of personal information by the personal information handler and the foreign recipient;

(2) the volume, scope, category, and sensitivity of personal information to be transferred abroad, and the risks to the personal information rights and interests that may be caused by the outbound transfer of personal information;

(3) the obligations that the foreign recipient promises to undertake, and whether the management and technical measures and capabilities of the foreign recipient to perform the obligations can ensure the security of the personal information to be transferred abroad;

(4) the risk of tampering, damage, leakage, loss and abuse after outbound transfer of personal information, and whether the channels for individuals to exercise their personal information rights and interests are accessible and smooth;

(5) the impact of policies and regulations for the protection of personal information on the performance of the Standard Contract in the country or region where the foreign recipient is located; and

(6) other factors that may affect the security of outbound transfer of personal information.

Article 6 The Standard Contract shall be concluded in strict accordance with the Annex of the Measures. The Cyberspace Administration of China may adjust the Annex in light of actual circumstances.

The personal information handler may agree on other terms with the foreign recipient, provided that such terms do not conflict with the Standard Contract.

The outbound transfer of personal information shall not be carried out until the Standard Contract enters into force.

Article 7 The personal information handler shall, within 10 working days after the Standard Contract enters into effect, apply for filing with the cyberspace administration at the provincial level. The following materials shall be submitted for the record-filing:

(1) the Standard Contract; and

(2) the personal information protection impact assessment report.

The personal information handler shall be responsible for the authenticity of the record-filing materials.

Article 8 Where any of the following circumstances occurs during the validity period of the Standard Contract, the personal information handler shall conduct the personal information protection impact assessment again, supplement or re-sign the Standard Contract, and conduct relevant record-filing formalities:

(1) the purpose, scope, category, sensitivity, method and storage location of personal information transferred abroad, or the purpose and method of personal information processing by the foreign recipient have changed, or the retention period of personal information located abroad is extended;

(2) the personal information rights and interests will be affected by the changes in the policies and regulations on personal information protection in the country or region where the foreign recipient is located; or

(3) other circumstances that may affect the personal information rights and interests.

Article 9 The cyberspace administration and its personnel shall keep confidential the personal privacy, personal information, trade secrets, confidential business information, etc. that they have accessed in performing their duties in accordance with the law, and shall not disclose them, illegally provide them to others, or illegally use them.

Article 10 Any organization or individual may report to the cyberspace administration at the provincial level or above if it finds that any personal information handler has engaged in outbound transfer of personal information in violation of the Measures.

Article 11 Where the cyberspace administration at the provincial level or above finds that there are relatively high risks in the outbound transfer of personal information, or that a personal information security incident has occurred, it may interview the personal information handler in accordance with the law. The personal information handler shall make rectifications and eliminate hidden dangers as required.

Article 12 Any violation of the Measures shall be punished in accordance with the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations; where a crime is constituted, criminal responsibility shall be investigated according to the law.

Article 13 The Measures shall enter into force on June 1, 2023. For the outbound transfer of personal information that has already happened before the Measures take effect, if it is found that any such transfer is not in compliance with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures.