Measures on Standard Contracts for the Export

of Personal Information
BY CHINA LAW TRANSLATE ON 2023/02/24
Post Views: 1,201
Promulgation Date: 2023-2-22
Title: Measures on Standard Contracts for the Export of Personal
Information
Document Number:CAC Order No. 13
Expiration date:
Promulgating Entities:Cybersecurity Administration
Source of text:
http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm

Article 1: These Measures are translated on the basis of the Personal Information
Protection Law of the PRC and other laws and regulations, so as to protect the rights
and interests in personal information and regulate activities that export personal
information.

Article 2: These Measures apply to personal information handlers’ provision of

personal information outside the mainland territory of the People's Republic of China
by concluding standard contracts for the export of personal information (hereinafter
standard contracts) with overseas recipients.

Article 3: The export of personal information through the conclusion of standard

contracts shall persist in combining independent contracting with filing and
management, and combining rights protections with risk prevention, to ensure the
cross-border security and free flow of personal information.

Article 4: Where personal information handlers provide personal information outside

the mainland by concluding standard contracts, they shall concurrently satisfy the
following conditions:

(1) Are operators of non-critical information infrastructure;

(2) Handle the personal information of less than 1 million people;

(3) Have cumulatively provided the personal information of fewer than 100,000
persons overseas since January 1, of the previous year;
(4) Have cumulatively provided the sensitive personal information of fewer than
10,000 persons overseas since January 1, of the preceding year;

Where laws, administrative regulations, or the state Internet information department

provide otherwise, follow those provisions.

Personal information handlers must not use the tactic of dividing volumes into groups,
to provide personal information that requires an export security assessment overseas
by concluding standard contracts in accordance with law.

Article 5: Before personal information handlers provide personal information abroad,

they shall carry out a personal information protection impact assessment, emphasizing
the assessment of the following content:

(1) The legality, propriety, and necessity, of the purposes, scope, and methods of the
handling of personal information by the personal information handlers and foreign
recipient;

(2) The scale, scope, types, and degree of sensitivity of the personal information
exported and the potential risks to the rights and interests in personal information that
might be brought;

(3) The obligations that the foreign recipient has pledged to bear, as well as whether
the management and technical measures and capacity for the performance of
obligations can ensure the security of the exported personal information;

(4) Risks such as of data being altered, destroyed, leaked, lost, or transferred after
being exported, or of it being illegally obtained or used; and whether the channels for
preserving rights and interests in personal information are clear, etc.;

(5) The impact of the personal information protection policies and regulations of the
foreign recipient's nation or region on the performance of the standard contract;

(6) Other matters that might impact the security of exported personal information.

Article 6: Standard contracts shall be concluded in strict accordance with the

attachment to these Measures. The state internet information department may adjust
the attachment based on actual conditions.

Personal information handlers may make agreements on other clauses with the foreign
recipient, but they must not conflict with the standard contract.
Activities exporting personal information may only be carried out after the standard
contract takes effect.

Article 7: Personal information handlers shall file with the provincial-level internet
information department for their area within 10 working days of the standard contract
taking effect. The following materials shall be submitted in following:

(1) the standard contract;

(2) The personal information protection impact assessment report.

Personal information handlers shall be responsible for the veracity of the materials
they file.

Article 8: Where any of the following situations occurs during the period for which
the contract is effective, the personal information handlers shall conduct a new
personal information protection impact assessment, supplement or newly conclude the
standard contract, and perform the corresponding filings;

(1) Where there are changes to the purpose, scope, types, degree of sensitivity,
methods, or storage location of personal information, or to the foreign recipient's uses
and methods of handling the personal information, or where the period for storage of
personal information abroad is extended;

(2) Where there are changes to the policies, laws, or regulations on the protection of
personal information for the foreign recipient's nation or territory that might impact
rights and interests in personal information;

(3) Other situations that might impact rights and interests in personal information.

Article 9: Internet information departments and their staffs shall lawfully preserve the
confidentiality of personal privacy, personal information, commercial secrets, secret
commercial information, and other information that must be kept confidential in
accordance with laws, that they learn of in the course of performing their duties, and
must not disclose it, illegally provide it to others, or illegally use it.

Article 10: Where any organization or individual discovers that personal information
handlers have provided personal information abroad in violation of these Measures,
they may make a report to an internet information department at the provincial level
or above.
Article 11: Where internet information departments at the provincial level or above
discover that there are major risks in activities exporting personal information or that
personal information security incidents have occurred, they may conduct a meeting
with the personal information handlers in accordance with law. The personal
information handlers shall make corrections as required and eliminate risks.

Article 12: Where the provisions of these Measures are violated, it is to be handled in
accordance with laws and regulations such as the Personal Information Protection
Law of the PRC, and where a crime is constituted, criminal responsibility is pursued
in accordance with law.

Article 13: These measures take effect on June 1, 2023. Where personal information
export activities carried out before these Measures take do not comply with the
provisions of these measures, corrections shall be completed within 6 months from
the date on which these Measures take effect.