Promulgation Date: 2023-2-22 Title: Measures on Standard Contracts for the Export of Personal Information Document Number:CAC Order No. 13 Expiration date: Promulgating Entities: Cybersecurity Administration Source of text: http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm
Article 1: These Measures are translated on the basis of the Personal Information Protection Law of the PRC and other laws and regulations, so as to protect the rights and interests in personal information and regulate activities that export personal information.
Article 2: These Measures apply to personal information handlers’ provision of personal information outside the mainland territory of the People's Republic of China by concluding standard contracts for the export of personal information (hereinafter standard contracts) with overseas recipients.
Article 3: The export of personal information through the conclusion of standard contracts shall persist in combining independent contracting with filing and management, and combining rights protections with risk prevention, to ensure the cross-border security and free flow of personal information.
Article 4: Where personal information handlers provide personal information outside the mainland by concluding standard contracts, they shall concurrently satisfy the following conditions:
(1) Are operators of non-critical information infrastructure;
(2) Handle the personal information of less than 1 million people;
(3) Have cumulatively provided the personal information of fewer than 100,000 persons overseas since January 1, of the previous year;
(4) Have cumulatively provided the sensitive personal information of fewer than 10,000 persons overseas since January 1, of the preceding year;
Where laws, administrative regulations, or the state Internet information department provide otherwise, follow those provisions.
Personal information handlers must not use the tactic of dividing volumes into groups, to provide personal information that requires an export security assessment overseas by concluding standard contracts in accordance with law.
Article 5: Before personal information handlers provide personal information abroad, they shall carry out a personal information protection impact assessment, emphasizing the assessment of the following content:
(1) The legality, propriety, and necessity, of the purposes, scope, and methods of the handling of personal information by the personal information handlers and foreign recipient;
(2) The scale, scope, types, and degree of sensitivity of the personal information exported and the potential risks to the rights and interests in personal information that might be brought;
(3) The obligations that the foreign recipient has pledged to bear, as well as whether the management and technical measures and capacity for the performance of obligations can ensure the security of the exported personal information;
(4) Risks such as of data being altered, destroyed, leaked, lost, or transferred after being exported, or of it being illegally obtained or used; and whether the channels for preserving rights and interests in personal information are clear, etc.;
(5) The impact of the personal information protection policies and regulations of the foreign recipient's nation or region on the performance of the standard contract;
(6) Other matters that might impact the security of exported personal information.
Article 6: Standard contracts shall be concluded in strict accordance with the attachment to these Measures. The state internet information department may adjust the attachment based on actual conditions.
Personal information handlers may make agreements on other clauses with the foreign recipient, but they must not conflict with the standard contract.
Activities exporting personal information may only be carried out after the standard contract takes effect.
Article 7: Personal information handlers shall file with the provincial-level internet information department for their area within 10 working days of the standard contract taking effect. The following materials shall be submitted in following:
(1) the standard contract;
(2) The personal information protection impact assessment report.
Personal information handlers shall be responsible for the veracity of the materials they file.
Article 8: Where any of the following situations occurs during the period for which the contract is effective, the personal information handlers shall conduct a new personal information protection impact assessment, supplement or newly conclude the standard contract, and perform the corresponding filings;
(1) Where there are changes to the purpose, scope, types, degree of sensitivity, methods, or storage location of personal information, or to the foreign recipient's uses and methods of handling the personal information, or where the period for storage of personal information abroad is extended;
(2) Where there are changes to the policies, laws, or regulations on the protection of personal information for the foreign recipient's nation or territory that might impact rights and interests in personal information;
(3) Other situations that might impact rights and interests in personal information.
Article 9: Internet information departments and their staffs shall lawfully preserve the confidentiality of personal privacy, personal information, commercial secrets, secret commercial information, and other information that must be kept confidential in accordance with laws, that they learn of in the course of performing their duties, and must not disclose it, illegally provide it to others, or illegally use it.
Article 10: Where any organization or individual discovers that personal information handlers have provided personal information abroad in violation of these Measures, they may make a report to an internet information department at the provincial level or above.
Article 11: Where internet information departments at the provincial level or above discover that there are major risks in activities exporting personal information or that personal information security incidents have occurred, they may conduct a meeting with the personal information handlers in accordance with law. The personal information handlers shall make corrections as required and eliminate risks.
Article 12: Where the provisions of these Measures are violated, it is to be handled in accordance with laws and regulations such as the Personal Information Protection Law of the PRC, and where a crime is constituted, criminal responsibility is pursued in accordance with law.
Article 13: These measures take effect on June 1, 2023. Where personal information export activities carried out before these Measures take do not comply with the provisions of these measures, corrections shall be completed within 6 months from the date on which these Measures take effect.
Attachment (Standard Personal Information Contract) Chinese
Be First to Comment