Provisions on Standard Contracts for the Export of Personal Information (Draft for Solicitation of Comments)

[Source]http://www.cac.gov.cn/2022-06/30/c_1658205969531631.htm

Article 1: These provisions are formulated on the basis of the PRC Personal Information Protection Law so as to regulate activities sending personal information abroad, to protect rights and interests in personal information, and to promote the secure and free flow of personal information across borders.

Article 2: Where personal information handlers conclude contracts with a foreign recipient to provide personal information outside the borders of the PRC on the basis of Article 38(3) of the PRC Personal Information Protection Law, they shall sign a standard contract on the export of personal information (hereinafter "standard contract") in accordance with these Provisions.

Other contracts signed between personal information handlers and foreign recipients related to the export of personal information must not conflict with the standard contract.

Article 3: The carrying out of activities exporting personal information on the basis of the standard contract should persist in combining independent agreements and filing management to prevent security risks to personal information from its export, and safeguard its lawful and orderly free flow.

Article 4: Personal information handlers that concurrently satisfy the following conditions may provide personal information abroad by signing the standard contract:

(1) Are operators of non-critical information infrastructure;

(2) Handle the personal information of less than 1 million people;

(3) Since January 1 of the previous year, the cumulative amount of personal information provided overseas has not reached 100,000 people;

(4) Since January 1 of the previous year, the cumulative amount of sensitive personal information provided overseas has not reached 10,000 people.

Article 5: Before personal information handlers provide personal information abroad, they shall first carry out a personal information protection impact assessment, emphasizing the assessment of the following content:

(1) The legality, propriety, and necessity, of the purposes, scope, and methods of the handling of personal information by the personal information handlers and foreign recipient;

(2) The volume, scope, type, and degree of sensitivity of the personal information exported and the potential risks to the rights and interests in personal information that might be brought;

(3) The responsibilities and obligations that the foreign recipient has pledged to bear, as well as whether the management and technical measures and capacity for the performance of responsibilities and obligations can ensure the security of the exported personal information;

(4) The risk of personal information being leaked, destroyed, altered, abused, and so forth after it is exported, and whether there are clear channels for individuals to preserve rights and interests in personal information, etc.;

(5) The impact of the policies, laws, and regulations of the foreign recipient's nation or region on the performance of a standard contract;

(6) Other matters that might impact the security of exported personal information.

Article 6: Standard contracts are to include the following principle content:

(1) Basic information on the personal information handlers and foreign recipient, including, but not limited to, their name, address, contact persons, and contact information;

(2) The purpose, scope, type, degree of sensitivity, volume, methods, storage period, and storage location for personal information and its exportation;

(3) The responsibilities and obligations of personal information handlers and foreign recipients for protecting personal information, as well as technical and management measures employed to prevent risks that might be brought by the exportation of the personal information, etc.;

(4) The impact of the policies, laws, and regulations of the foreign recipient's nation or region on compliance with the contract provisions;

(5) The rights of the personal information subjects as well as the paths and methods for safeguarding the rights of personal information subjects;

(6) Remedies, contract rescission, liability for breach of contract, dispute resolution, etc.

Article 7: Personal information handlers shall file with the provincial-level internet information department for their area within 10 working days of the standard contract taking effect. The following materials shall be submitted in following:

(1) the standard contract;

(2) The personal information protection impact assessment report.

Personal information handlers are responsible for the veracity of the materials they file. The personal information handlers may carry out activities exporting personal information only after the standard contract takes effect.

Article 8: Where any of the following circumstances occur during the period for which the standard contract is effective, the personal information handlers shall newly sign a standard contract and file:

(1) Where there are changes to the purpose, scope, types, degree of sensitivity, volume, methods, storage period, or storage location of personal information and its provision abroad, or to the foreign recipient's uses and methods, or where the period for storage of personal information abroad is extended;

(2) Where there are changes to the policies, laws, or regulations on the protection of personal information for the foreign recipient's nation or territory that might impact rights and interests in personal information;

(3) Other circumstances that might impact rights and interests in personal information.

Article 9: Entities and individuals participating in standard contracts and filings shall lawfully preserve the confidentiality of personal privacy, personal information, commercial secrets, secret commercial information, and other information that shall be kept confidential in accordance with laws that they learn of in the course of performing their duties, and must not disclose it, illegally provide it to others, or illegally use it.

Article 10: Where any organization or individual discovers that personal information handlers have violated these Provisions, they have the right to make a complaint or report to the provincial-level internet information department.

Article 11: Where internet information departments at the provincial level or above discover that activities exporting personal information through the signing of a standard contract no longer comply with requirements for managing the security of exported personal information, they shall notify the personal information handlers in writing to stope the activities. Personal information handlers shall immediately stop activities exporting personal information after receiving the notice.

Article 12: Where any of the following circumstances occurs in personal information handlers providing personal information through a standard contract signed with a foreign recipient in accordance with these Provisions, an internet information department at the provincial level or higher is to order that corrections be made in a set period of time in accordance with the PRC Personal Information Protection Law; where corrections are refused or rights and interests in personal information are harmed, order that activities exporting personal information are stopped, and give punishment in accordance with law; and where a crime is constituted, pursue criminal responsibility in accordance with law.

(1) where filing procedures were not performed or where false materials were provided in filing;

(2) Where responsibilities and obligations agreed to in standard contracts are not fulfilled, violating rights and interests in personal information and causing harm;

(3) Where other circumstances impacting rights and interests in personal information occur.

Article 13: These regulations shall come into force on XX/XX/XXXX.

Attachments:
Standard Contract for Export of Personal Information

中华人民共和国国家互联网信息办公室年日签署。
The text of this contract is drawn up in accordance with the requirements of the "Provisions on Standard Contracts for the Export of Personal Information", and if there are any other agreements between the two parties, they may be described in Appendix II, and the appendix is to constitute a component of this contract.

Article 1: Definitions

In this contract, except where context provides otherwise:

(1) Personal information handlers or foreign recipients are individually "a party" and collectively "the parties".

(2) Personal information and sensitive personal information have the same meaning as provided in the PRC Personal Information Protection Law.

(3) “Personal information subject” refers to the natural persons identified or associated with personal information.

(4) "Personal information handler" has the same meaning as provided in the PRC Personal Information Protection Law.

(5）"Foreign Recipient" refers to an organization or individual located outside the borders of the People's Republic of China that receives personal information from personal information handlers.

(6) "Regulatory body" refers to internet information departments at the provincial level or higher in the PRC.

（七） “相关法律法规”是指《中华人民共和国民法典》《中华人民共和国网络安全法》《中华人民共和国数据安全法》《中华人民共和国个人信息保护法》《个人信息出境标准合同规定》等中华人民共和国法律法规和部门规章，以及对前述法律法规和部门规章作出修订、修改或补充的法律法规和部门规章，包括取代原法律法规和部门规章的后续法律法规和部门规章。

(8) The meaning of terms not defined in this contract should remain consistent with their meaning in related laws and regulations.

Article 2: Obligations of Personal Information Handlers

The personal information handler hereby represents, guarantees, and pledges as follows:

(1) The collection, use, and other handling of personal information is in conducted in accordance with relevant laws and regulations; the scope of exported information is limited to the minimum necessary to realize the purposes of handling.

（二） 已向个人信息主体告知境外接收方的名称或姓名、联系方式、附录一“个人信息出境说明”中的相关情况，以及行使个人信息主体权利的方式和程序等事项，并已取得个人单独同意，但相关法律法规规定不需要取得个人单独同意的除外。如涉及敏感个人信息，已向个人信息主体告知传输敏感个人信息的必要性及对个人的影响；涉及不满十四周岁未成年人个人信息的，已取得未成年人的父母或者其他监护人的同意；法律、行政法规规定应当取得书面同意的，已取得书面同意，相关法律法规规定无需取得书面同意的除外。

（三） 已向个人信息主体告知其与境外接收方通过本合同约定个人信息主体为第三方受益人，如果个人信息主体未在三十天内明确拒绝，则可以依据该合同享有第三方受益人的权利。

（四） 已尽合理的努力确保境外接收方能够履行本合同规定的义务并采取如下技术和管理措施（综合考虑个人信息的类型、数量、范围及敏感程度、传输的数量和频率、个人信息传输及境外接收方保存的期限、个人信息处理目的等可能带来的个人信息安全风险）：

(such as encryption, anonymization, de-identification, access controls, and other technical and management measures)

(5) As requested by the foreign recipient, copies of relevant laws, regulations, and technical standards are to be provided to the foreign recipient.

（六） 将答复来自监管机构关于境外接收方的个人信息处理活动的询问，但双方均同意由境外接收方作出答复的除外；在此情况下，若境外接收方在要求答复的期限内未答复，个人信息处理者仍将根据其合理掌握的信息在合理期限内作出答复。

(7) A personal information protection impact assessment has already been conducted for activities providing personal information to foreign recipients in accordance with relevant laws and regulations. The assessment has considered:

1. The legality, propriety, and necessity of the purpose, scope, and methods of the personal information handlers' and foreign recipients' handling of personal information;

2. The volume, scope, type, and degree of sensitivity of exported personal information, and risks that export of personal information might be brought to rights and interests in personal information;

3. The responsibility and obligations pledged and borne by the foreign recipient, as well as whether management and technical measures and capacities for the performance of responsibilities and obligations can ensure security in exporting personal information;

4. Risks of leaking, destruction, alteration, or abuse after the export of personal information, and whether channels for preserving rights and interests in personal information are clear;

5. The impact that local policies and regulations might have on observing the provisions of this contract per the assessment of article 4 of this contract;

6. Other matters that might impact the security of personal information exports.

The period for retaining a personal information protection impact report is to be at least 3 years.

（八） 根据个人信息主体要求向个人信息主体提供本合同的副本。在为保护商业秘密或其他机密信息（例如受保护的知识产权内容等）所必需的范围内，可以在提供副本之前对本合同相关内容进行适当遮蔽，但承诺向个人信息主体提供有效摘要以助其理解合同内容。

(9) Bear the burden of proof in proving that the obligations of this contract have been fulfilled.

(10) Based on the requirements of relevant laws and regulations, the provision of the information described in article 3(10) to the regulatory bodies includes all audit results.

Article 3: Obligations of Foreign Recipients

The overseas recipient hereby represents, guarantees, and pledges as follows:

(1) Handle personal information in accordance with the agreements listed in Appendix 1, "Instructions for the Export of Personal Information", except where the prior consent of the personal information subject is obtained.

(2) Provide a copy of this contract to the personal information subjects at their request. The relevant contents of this contract may be appropriately blacked out before copies are provided within the scope necessary to protect commercial secrets or other confidential information (such as protected intellectual property rights, etc.), but a pledge is to be made to provide effective summaries to the personal information subjects to help them understand the contents of this contract.

(3) The scope of exported personal information is limited to the minimum scope necessary to achieve the purposes of handling.

(4) The period for storing personal information is to be the minimum necessary time period for achieving the goals of the handling; after that period is exceeded, the personal information (including all copies) is to be deleted or anonymized, unless the independent consent of the personal information subject is obtained regarding the period for storage. Where one is entrusted by the information handlers to handle personal information, a related audit report is to be made to the personal information handlers after the deletion or anonymization.

(5) Ensuring the security of personal information handling in accordance with the following measures:

1.采取有效的技术和管理措施，以确保个人信息的安全，包括防止个人信息遭到意外或非法破坏、丢失、篡改、未经授权提供或访问（以下简称“数据泄露”）。为了履行这一义务，采取第二条第（四）款中规定的技术和管理措施。进行定期检查，以确保这些措施持续维持适当的安全水平；

2.确保授权处理个人信息的人员履行保密义务，并建立最小授权的访问控制策略，使前述人员只能访问职责所需的最小必要的个人信息，且仅具备完成职责所需的最少的数据操作权限。

(6) If data leaks occur in the handling of personal information:

1. Promptly take appropriate remedial measures to mitigate the adverse impact on the personal information subject;

2. Immediately notify the personal information handlers and report to the PRC regulatory bodies as required by relevant laws. The notification is to include the following content:

(1) The reason for the leak of personal information;

(2) The type of personal information leaked and the possible resulting harms;

(3) The remedial measures that have been taken;

(4) measures that individuals can take to mitigate the harm;

(5) The contact methods for the person or team in charge with responsibility for handling data leaks.

3. Where relevant laws and regulations require notification of personal information subjects, the content of the notification is to include the content described in item 2 above;

4. Record and retain all matters related to data leaks and their impact, including all remedial measures employed;

5. When entrusted to handle personal information by personal information handlers, the personal information handlers are to bear the obligations in item 3 above on notifying personal in information subjects.

(7) Do not provide personal information to third parties either within the PRC or abroad, except where the following requirements are all met:

1. There is a true operational need to provide the personal information;

2.已告知个人信息主体该第三方身份、联系方式、处理目的、处理方式、个人信息种类以及行使个人信息主体权利的方式和程序等事项，并已取得个人单独同意，相关法律法规规定无需取得个人单独同意的除外；涉及敏感个人信息的，向个人信息主体告知传输敏感个人信息的必要性及对个人的影响；涉及不满十四周岁未成年人个人信息的，取得未成年人的父母或者其他监护人的同意；法律、行政法规规定应当取得书面同意的，取得书面同意，相关法律法规规定无需取得书面同意的除外。在难以告知或者难以取得个人信息主体单独同意时，及时告知个人信息处理者，并请求个人信息处理者协助其告知个人信息主体或者取得个人信息主体单独同意；

3.与第三方达成书面协议，以保障第三方对个人信息的保护水平不低于中华人民共和国相关法律法规规定的个人信息保护标准，并承担因再提供而可能导致对个人信息主体造成损害的连带责任；

4. A copy of this agreement is provided to the personal information handler.

（八） 受个人信息处理者委托处理个人信息，转委托第三方处理时，事先征得个人信息处理者同意；确保转委托的第三方不超出本合同附录一“个人信息出境说明”中约定的处理目的、处理方式等处理个人信息，并对该第三方的个人信息处理活动进行监督。

（九） 利用个人信息进行自动化决策，保证决策的透明度和结果公平、公正，不对个人在交易价格等交易条件上实行不合理的差别待遇。通过自动化决策方式向个人进行信息推送、商业营销，同时提供不针对其个人特征的选项，或者提供便捷的拒绝方式。

（十） 承诺向个人信息处理者提供所有必要的信息，用以证明遵守本合同中规定的义务，允许个人信息处理者对数据文件和文档进行查阅，或对本合同涵盖的处理活动进行审计。在决定进行查阅或审计时，为个人信息处理者自行开展或者委托第三方开展的审计提供便利，并按个人信息处理者的要求向其提供所持有的个人信息保护方面的资质认证情况。

（十一） 对开展的个人信息处理活动进行客观记录，保存记录至少年；按相关法律法规要求直接或通过个人信息处理者向监管机构提供相关记录文件。

（十二） 同意在监督本合同实施的相关程序中接受监管机构的监督管理，包括但不限于答复监管机构询问，配合监管机构检查，服从监管机构采取的措施或作出的决定，并提供已采取必要行动的书面证明。

Article 4: The Impact of Local Policies, Laws, and Regulations for the Protection of Personal Information on Compliance with the Provisions of this Contract

（一） 双方在此保证，经过合理努力仍不知晓境外接收方所在国家或者地区的个人信息保护政策法规（包括任何提供个人信息的要求或授权公共机关访问个人信息的规定）,会阻止境外接收方履行本合同规定的义务。

（二） 双方在此声明，在提供第四条第（一）款中的保证时，已经考虑了以下要素：

1.出境的具体情况，包括涉及传输的个人信息的类型、数量、范围及敏感程度、传输的规模和频率、个人信息传输及境外接收方保存的期限、个人信息处理目的、境外接收方此前类似的个人信息跨境传输和处理相关经验、境外接收方是否曾发生数据安全相关事件及是否进行了及时有效地处置、境外接收方是否曾收到其所在国家或者地区公共机关要求其提供个人信息请求及境外接收方应对的情况；

2.境外接收方所在国家或者地区的个人信息保护政策法规，包括以下要素：

（1） 该国家或地区现行的个人信息保护法律法规及普遍适用的标准情况；

（2） 该国家或地区加入的区域或全球性的个人信息保护方面的组织，以及所做出的具有约束力的国际承诺；

（3） 该国家或地区落实个人信息保护的机制，如是否具备个人信息保护的监督执法机构和相关司法机构等。

3.境外接收方安全管理制度和技术手段保障能力。

（三）境外接收方保证，在根据第四条第（二）款进行评估时，已尽最大努力为个人信息处理者提供了必要的相关信息。（四）双方应记录根据第四条第（二）款进行的评估过程和结果。

（五）因境外接收方所在国家或地区的个人信息保护政策法规发生变化（包括境外接收方所在国家或地区更改法律，或者采取强制性措施）导致境外接收方无法履行本合同的，境外接收方应在知道前述变化后立即通知个人信息处理者。

Article 5: The Rights of Personal Information Subjects

双方承认，按照相关法律法规赋予个人信息主体作为第三方受益人执行本合同中双方关于个人信息保护义务的权利。

（一） 个人信息主体依据相关法律法规，拥有知情权、决定权、限制或拒绝他人对其个人信息进行处理的权利、查阅权、复制权、更正与补充的权利、删除权，以及要求对其个人信息处理规则进行解释说明的权利。

（二） 当个人信息主体要求对已经出境的个人信息行使上述权利时，个人信息主体可以请求个人信息处理者采取适当措施实现，或直接向境外接收方提出请求。个人信息处理者无法实现的，应当通知并要求境外接收方协助实现。

（三） 境外接收方应当按照个人信息处理者的通知，或根据个人信息主体的请求，在合理时限内实现个人信息主体依照相关法律法规行使的权利。

境外接收方应当以显著方式、清晰易懂的语言真实、准确、完整地告知个人信息主体相关信息。

（四） 如个人信息主体提出过多或不合理要求，尤其是具有重复性的要求，境外接收方可在考虑到要求获准的执行和操作成本后，可以收取合理的费用，或拒绝按其要求行事。

（五） 如境外接收方拟拒绝个人信息主体的请求，应告知个人信息主体其拒绝的原因，以及个人信息主体向相关监管机构提出投诉、寻求司法救济的途径。

（六） 个人信息主体作为本合同第三方受益人有权向个人信息处理者和境外接收方任何一方主张并要求履行本合同项下与个人信息主体权利相关的下列条款：

1.第二条，但第二条第（四）款、第（五）款、第（六）款、第（十）款除外；

2.第三条，但第三条第（六）款第项和第项、第（八）款、第（十）款、第（十一）款、第（十二）款除外；

3. Article 4;

4. Article 6;

5. Article 7;

6. Paragraphs (3), (4) and (6) of Article 8;

7. Paragraphs (4) and (6) of Article 9.

Article 6: Remedies

（一） 境外接收方应在组织内部确定一个联系人，授权其答复有关个人信息处理的询问或投诉，并应及时处理个人信息主体的任何询问或投诉。境外接收方应将联系人信息告知个人信息处理者，并以简单易懂的方式，通过单独通知或在其网站公告，告知个人信息主体该联系人信息，具体为：

联系人及联系方式（办公电话或电子邮箱）

（二） 双方同意，如个人信息主体与其中一方在遵守本合同方面发生争议，应互相通知对方有关情况，并合作以及时解决争议。

（三） 如争议未能友好解决，而个人信息主体根据第六条第（二）款规定行使第三方受益人的权利，境外接收方接受个人信息主体的下列维权主张：

1.向监管机构提出投诉；

2.向第九条第（四）款中规定的法院提起诉讼。

（四） 境外接收方同意有关个人信息主体就本合同争议的解决依据为中华人民共和国相关法律法规。

（五） 境外接收方同意个人信息主体所作的维权选择不会减损个人信息主体根据其他法律法规寻求救济的实体性或程序性权利。

Article 7: Recision of Contract

（一） 如果境外接收方违反本合同规定的义务，则个人信息处理者可以暂停向境外接收方传输个人信息，直到违约行为被更正或合同被解除。

(2) In any of the following circumstances, personal information handlers have the right to rescind this contract, and notify the regulatory bodies when necessary;

1.个人信息处理者根据第七条第（一）款的规定暂停向境外接收方传输个人信息的时间超过一个月；

2.境外接收方遵守本合同将违反其所在国家的法律规定；

3. The foreign recipient seriously or continuously violates obligations provided for in this contract;

4.根据境外接收方的主管法院或监管机构作出的不能上诉的终局性决定，境外接收方或个人信息处理者违反了本合同的规定；

5.境外接收方破产、解散或清算：无论是以个人还是组织名义提出的有关境外接收方依法解散的请求未在法定期限内被驳回；境外接收方作出解散决定；境外接收方被指定破产管理人；境外接收方自行开展破产、解散或清算程序；境外接收方在其国家或地区出现类似情况；在前述第或项的情况下，境外接收方也可以解除本合同。（三）如果监管机构按照相关法律法规作出个人信息出境相关的决定，例如个人信息出境安全评估等导致本合同无法执行的，则任何一方均可解除本合同。

（四） 经双方当事人同意解除合同，但本合同的解除并不免除其在个人信息处理过程中的个人信息保护义务。

（五） 合同解除时，境外接收方应及时返还、销毁或匿名化处理其根据本合同所接收到的个人信息，并提供已经销毁或者匿名化处理的审计报告。

Article 8: Liability for Breach of Contract

(1) Both parties shall be liable to the other party for any damages caused to the other party due to their breach of this contract.

(2) The liability between the two parties is limited to the losses suffered by the non-defaulting party.

（三） 每一方因违反本合同而侵害个人信息主体作为第三方受益人而享有的权利，应当对个人信息主体承担责任；个人信息主体有权获得赔偿。这不影响个人信息处理者在相关法律法规项下应承担的责任。

（四） 个人信息处理者和境外接收方对因违反本合同而共同对个人信息主体造成的任何物质或非物质损害负责的，个人信息处理者和境外接收方应对个人信息主体承担连带责任。

(5) Both parties agree that if one party (“indemnifying party”)

对违反本合同的行为对个人信息主体承担连带责任且赔偿方承担的连带责任超过其应承担的责任份额，则赔偿方有权向被追偿方追偿。

（六） 尽管有第八条第（三）款和第八条第（四）款的规定，个人信息处理者应就境外接收方因违反本合同而对个人信息主体造成的任何物质和非物质损失向个人信息主体负责，个人信息主体有权向其主张损害赔偿责任。

（七） 双方同意，个人信息处理者根据第八条第（六）款因境外接收方造成的损害承担责任的，有权向境外接收方追偿。

Article 9: Other

(1) If this contract conflicts with any other agreements that exist at the time it is reached or signed, priority is given to the application of the provisions of this contract.

(2) This contract is applicable to the relevant laws and regulations of the People's Republic of China.

（三） 由一方向其它方发出的所有通知以电子邮件、电报、电传、传真（以航空信件寄送确认副本）或航空挂号信迅速发往或寄往（具体地址）天视为收讫，如用电子邮件、电报、电传或传真发出，则应在发出以后的种方式加以解决（如选择仲裁，请勾选仲裁机构）：

1. Arbitration. Submit the dispute to

□ China International Economic and Trade Arbitration Commission

□China Maritime Arbitration Commission

□Beijing Arbitration Commission (Beijing International Arbitration Center)

□ Other arbitration institutions that are members of the "Convention on the Recognition and Enforcement of Foreign Arbitral Awards" ____ to conduct arbitration in _____ (arbitration location) according to their then-effective arbitration rules;

2. Litigation. Lawsuits are to be filed in a people's court with jurisdiction in China in accordance with the law.

（四） 本合同应按照相关法律法规的规定进行解释，不得以与相关法律法规规定的权利、义务相抵触的方式解释本合同。

(5) This contract is made in duplicate having the same legal efficacy

(6) This contract is established and takes effect immediately after being formally signed by both parties.

本合同由个人信息处理者和境外接收方在签订。

Personal information processor: (seal)

法定代表人/委托代理人： 年日 （签字或盖章）

Foreign Recipient: (seal)

Legal representative/authorized agent: (signature or seal)

Date:

Appendix I

Explanation on the Export of Personal Information

根据本合同向境外提供个人信息的详情约定如下：

（一） 传输的个人信息属于下列类别的个人信息主体：

（二） 传输是为了以下目的：

（三） 传输个人信息的数量：

（四） 出境个人信息类别（参考35273《信息安全技术个人信息安全规范》和相关标准）：

（五） 出境敏感个人信息类别（如适用，参考35273《信息安全技术个人信息安全规范》和相关标准）：

（六） 境外接收方传输的个人信息只向以下接收方提供：

（七） 传输方式：

（八） 出境后存储时间：

（九） 出境后存储地点：

（十） 其他事项（视情况填写）：

附录二双方约定的其他条款（如需要）