Notice of the Cybersecurity Administration of China on Seeking Public Comments on the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Exposure Draft)

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2022-06-30

Effective Date: TBC

Source: http://www.cac.gov.cn/2022-06/30/c_1658205969531631.htm

Original Title: 国家互联网信息办公室关于《个人信息出境标准合同规定（征求意见稿）》公开征求意见的通知

Notice of the Cybersecurity Administration of China on Seeking Public Comments on the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Exposure Draft)

In order to regulate the cross-border transfer of personal information, protect the rights and interests of personal information, and promote the security and free flow of personal information across the border, we have drafted the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Exposure Draft) in accordance with the Law of the People’s Republic of China on the Protection of Personal Information, which are hereby promulgated for public comments. The public may give feedback through any of the following channels and ways:

1. Log in the China Government Legislative Information Network of the Ministry of Justice of the People’s Republic of China (www.moj.gov.cn, www.chinalaw.gov.cn) and click the column of “Soliciting Comments on Legislation” on the main menu on the homepage to give your comments;

2. Send comments by e-mail to: shujuju@cac.gov.cn; and

3. Send comments by correspondence to: No.15 Fucheng Road, Haidian District, Beijing, Cyberdata Administration under the Cyberspace Administration of China, postal code: 100048, and indicate “Comments Sought on the Provisions on Standard Contracts for Cross-border Transfers of Personal Information” on the envelope.

The period for feedback will end on July 29, 2022.

Annex: Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Exposure Draft)

Cybersecurity Administration of China

June 30, 2022

Provisions on Standard Contracts for Cross-border Transfers of Personal Information

(Draft for Comment)

Article 1 In order to regulate the cross-border transfer of personal information, protect the rights and interests of personal information, and promote the security and free flow of personal information across the border, the present Provisions are enacted in accordance with the Law of the People’s Republic of China on the Protection of Personal Information.

Article 2 Any personal information processor who enters into a contract with an overseas recipient in accordance with Item (3), Paragraph 1 of Article 38 of the Law of the People’s Republic of China on the Protection of Personal Information to provide personal information outside the territory of the People’s Republic of China shall conclude a standard contract for the cross-border transfer of personal information (hereinafter referred to as the “standard contract”) in accordance with the present Provisions.Any other contract related to the cross-border transfer of personal information concluded by and between the personal information processor and the overseas recipient shall not conflict with the standard contract.

Article 3 In carrying out the cross-border transfer of personal information under a standard contract, it is imperative to combine independent contracting and record- filing management to prevent the security risk of cross-border transfer of personal information and ensure the orderly and free flow of personal information in accordance with the law.

Article 4 Any personal information processor meeting all of the following circumstances may provide personal information abroad by concluding a standard contract:

(I) where it is not a key information infrastructure operator;

(II) where it processes not more than one million persons’ personal information;

(III) where it has provided the personal information of not more than 100,000 persons accumulatively overseas since January 1 of the previous year; and

(IV) where it has provided sensitive personal information of not more than 10,000 persons accumulatively overseas since January 1 of the previous year.

Article 5 Prior to the provision of personal information to overseas parties, any personal information processor shall assess the impact on the protection of personal information, with focus on the following contents:

(I) the lawfulness, legitimacy and necessity of, among others, the purposes, scopes and methods for the personal information processor and the oversea recipient concerned to process personal information;

(II) the quantity, scope, type and sensitivity of outbound personal information, and the risks to personal information rights and interests that are likely to be caused by the cross-border transfer of personal information;

(III) the responsibilities and obligations to be undertaken by the overseas recipient as promised, and whether the management and technical measures and capabilities of the overseas recipient for performing its responsibilities and obligations can guarantee the safety of the transmitted personal information;

(IV) risks of, among others, leakage, damage, falsification and misuse of personal information after it is transferred overseas, and whether the channels for individuals to safeguard their rights and interests in personal information are smooth;

(V) the impacts of personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the standard contract; and

(VI) other matters that may affect the security of cross-border transfer of personal information.

Article 6 A standard contract shall include the following main particulars:

(I) basic information on the personal information processor and the overseas receiver, including but not limited to the name, address, name and contact information of the contact person, etc.;

(II) the purpose, scope, type, sensitivity, quantity, method, storage period, storage place, etc. of outbound personal information;

(III) the responsibilities and obligations of the personal information processor and overseas recipient to protect personal information, as well as the technical and management measures adopted to prevent the possible security risks arising from cross-border transfer of personal information;

(IV) the impacts of the policies and regulations on personal information protection of the country or region where the overseas recipient is located on the compliance with the terms of the contract;

(V) the rights of the subjects of personal information, as well as the channels and methods for protection of the rights of the subjects of personal information; and

(VI) remedy, contract rescission, liability for breach of contract and dispute resolution, etc.

Article 7 The personal information processor shall, within ten working days after the effective date of the standard contract, file the standard contract with the cyberspace administration at the provincial level of the place where it is located for the record. The following materials shall be submitted for the filing:

(I) the standard contract; and

(II) an assessment report on the impacts on personal information protection.The personal information processor shall be responsible for the authenticity of the filed materials. The personal information processor may carry out the activity of cross-border transfer of personal information upon the standard contract enters into force.

Article 8 Where any of the following circumstances occurs during the validity period of the standard contract, the personal information processor shall re-sign and file the standard contract for record:

(I) the purpose, scope, type, sensitivity, quantity, method, storage period and storage place of the personal information transferred overseas, or the purpose and method of the overseas recipient to process personal information have changed, or the storage period of personal information overseas is extended;

(II) the rights and interests of personal information may be affected by the changes in the policies and regulations on personal information protection of the country or region where the overseas recipient is located; and

(III) other circumstances that may affect the rights and interests of personal information.

Article 9 The organizations and personnel participating in the filing of a standard contract shall keep confidential the personal privacy, personal information, trade secrets, confidential business information, etc. that they have accessed in performing their duties in accordance with the law, and shall not disclose them or illegally provide them to others or illegally use them.

Article 10 Any organization or individual may complain or report to a cyberspace administration at the provincial level or above if it finds that any personal information processor violates the present Provisions.

Article 11 Where a cyberspace administration at the provincial level or above finds that the activities of cross-border transfer of personal information by concluding a standard contract no longer meet the requirements for safety administration of cross-border transfer of personal information in the actual process of handling, it shall notify the personal information processor concerned in writing to terminate the activities of cross-border transfer of personal information. The personal information processor shall, upon receipt of the notice, forthwith terminate the activities of cross-border transfer of personal information.

Article 12 With regard to a personal information processor who enters into a standard contract with an overseas recipient in accordance with the present Provisions to provide personal information to the overseas party, where any of the following circumstances occurs, the cyberspace administration at the provincial level or above shall order it to make corrections within a prescribed time limit in accordance with the Law of the People’s Republic of China on the Protection of Personal Information; in case that the processor refuses to make corrections or damages the rights and interests of personal information, it shall be ordered to stop the activities of cross-border transfer of personal information and be punished in accordance with the law; and the criminal liability shall be investigated in accordance with the law if a crime is constituted:

(I) failure to perform the record-filing procedure or submit false materials for record-filing;

(II) failure to perform the responsibilities and obligations agreed upon in the standard contract and infringing upon the rights and interests of personal information, causing damage; and

(III) other circumstances affecting the rights and interests of personal information.

Article 13 The present Provisions shall come into force on dd/mm/yy. Standard Contract for Cross-border Transfer of Personal Information (Only Title Translated)