EN 中文EnglishItalianoFrançais

Approved Standard Contract Clause for Export of Personal Data

Time:2023-03-07 17:25:47Browse:



The Cyberspace Administration of China (CAC) has announced the Standard Contract Measures for the Cross-Border Transfer of Personal Information (SCC Measures), which will take effect on June 1, 2023. These measures were first introduced in draft form in June 2022 for public comments, but have now been finalized and officially promulgated. With the introduction of the SCC Measures, the regulatory framework for all three channels to transfer personal information under the Personal Information Protection Law (PIPL) is almost complete. This means that the CAC now has the legal authority to take enforcement actions against any violations.

The SCC Measures were introduced by the CAC to uphold the PIPL provisions and safeguard the rights and interests of PI subjects. They also aim to regulate the export of personal information. These measures allow PI processors to establish standard contracts with overseas recipients for outbound PI transfer. To use the SCC template, Chinese PI processors must meet certain eligibility criteria such as:

  • processing (Personal Information) PI of less than 1 million people and 

  • having provided overseas PI to less than 100,000 people or 

  • Sensitive PI to less than 10,000 people since the previous year. 

Once a standard contract is in effect, the PI processor must file it with their provincial-level CAC within 10 days. Circumventing this assessment by subdividing the volume of PI exported is prohibited.

According to the SCC Measures, PI processors must conduct a self-assessment of the impact of PI protection before transferring it overseas. Furthermore, they need to file a report of this self-assessment with the provincial-level CAC along with the standard contracts.

If there is a significant change to the key information subject to the standard contract, such as a change in the purpose, scope, type of data, sensitivity level, data storage location, uses of the data by overseas recipients, or changes in the laws and regulations of the recipient's home country that could affect the protection of the PI, then PI processors must re-assess the impact of PI protection, supplement or enter into new standard contracts, and repeat the CAC filing.

The SCC Measures also provide a template SCC attachment that specifies Chinese law as the governing law of the contract and requires foreign data recipients to accept Chinese law jurisdiction. 

PI processors in China have a 6-month grace period, from June 1, 2023, through December 1, 2023, to comply with the requirements of the SCC Measures for outbound data transfer activities, as is the case with the Security Assessment Measures.

For further information, please contact our expert Eloisa Hu at: eloisahu@wjngh.cn 



声明

本文仅为交流探讨之目的,不代表广悦律师事务所或其律师出具的任何形式之法律意见或建议。如需转载或引用本文的任何内容,请与本所沟通授权事宜,并于转载或引用时注明出处。如您有意就相关议题进一步交流或探讨,欢迎与本所联系。


本文作者


图片

律师

Eloísa Hu

胡亮兼

涉外法律服务部

证书:

注册信息隐私专家(GDPR合规)

注册隐私信息管理人


邮箱/Email:eloisahu@wjngh.cn


Follow:

  • Disclaimer
  • Privacy Policy
  • Site Map

Copyright 2020 Wang Jing & GH Law Firm. All Rights Reserved. 粤ICP备13002423号-2 Designed by Wanhu