In our previous articles, we analyzed the Measures for data export security assessment (available here), the Guidelines for the application of such Measures (available here) and the implementation rules for personal information protection certification (available here). In this article we will analyze another condition that the personal information controller shall meet in case the company “truly” need to transfer personal information outside the borders of the People’s Republic of China for business or other such requirements: the standard contract. Specifically, this article introduces the Guidelines for the filing of the standard contract in order to transfer personal information outside the Chinese territory (1st version) (the “Guidelines”, in Chinese “个人信息出境标准合同备案指南, 第一版”)issued by the Cyberspace Administration of China (the “CAC”) the last 30th May 2023, right before the effective date (1st June 2023) of the Measures for Standard Contract of Cross-border Transfer of Personal Information (the “Measures”, in Chinese “个人信息 出境标准合同办法”, available here, only in Chinese). The Guidelines contains specific indications about the materials to be submitted with the standard contract for cross-border transfer of personal information (the "Chinese SCC”) and on the procedure to be followed by the controller. Moreover, the Guidelines address widely concerned issues such as how to conduct personal information protection impact assessment (the “PIPIA”). This article aims at helping companies (including European companies) on how use the Chinese SCC for cross-border transfer of personal information and to understand the filing procedure provided by the CAC, in case of entering into a contract, in accordance with the standard contract formulated by the CAC, with the foreign receiving party, stipulating and agreeing the rights and obligations of both parties. Application Scope As well as the Measures, the Guidelines specify that the Chinese SCC mechanism can be adopted by the controller of personal information who intends transfer data overseas where the following circumstances shall be met simultaneously: Controllers cannot split the amount of personal information in order to adopt another mechanism and therefore mislead the requirements provided by the Chinese legislation to transfer personal information (such as pass a cross-border transfer security assessment conducted by the CAC). Submission procedure As provided in the Measures, the Chinese SCC and other materials shall be submitted to the cyberspace administration at the provincial level (the “local CA”) within 10 working days after the Chinese SCC enters into effect. The Guidelines clarifies that the submission shall be done by the delivery of written materials and by sending the electronic versions of the materials. In the future, it seems quite likely that online filing platforms will be opened. This is actually happening, for example, with the security assessment like in Suzhou (Jiangsu Province) where they opened an online channel for notifying security assessment for cross-border transfer of personal information. Upon receipt of the submitted materials, the local CA will complete the examination of the materials within 15 working days and notify the result of the submission. The scenario will be different: Materials On the basis of the Measures, the Guidelines further specifies that the following materials shall be submitted: In addition to the Chinese SCC, the Guidelines also includes templates of the power of attorney for the person in charge, the letter of commitment and the PIPIA report. Moreover, it is worth mentioning that the PIPIA shall be completed within 3 months prior to the date of the submission and no significantly change must have occurred at the date of the submission. Regarding the Chinese SCC, it is necessary to bear in mind that, in principle, the terms of the Chinese SCC cannot be modified. The contracting parties can agree to add other clauses, but they cannot be in conflict with the Chinese SCC content. Controllers are responsible for the authenticity of the materials submitted, and those who submit false materials will be held legally responsible for the corresponding legal responsibilities. Re-submission procedure In specific circumstances occurs during the validity period of the contract, the Guidelines provides that a re-submission shall be done. In particular, a new PIPIA shall be conducted, and Chinese SCC shall be supplemented or re-signed and submitted. Those specific circumstances are: The local CA shall review the re-submitted materials within 15 working days. The announcement and the Guidelines are both available here, only in Chinese.
