China released the first guidelines for the submission of the standard contract to transfer personal information outside the borders of the People’s Republic of China

8 Giugno 2023

In our previous articles, we analyzed the Measures for data export security assessment (available here), the Guidelines for the application of such Measures (available here) and the implementation rules for personal information protection certification (available here).

In this article we will analyze another condition that the personal information controller shall meet in case the company “truly” need to transfer personal information outside the borders of the People’s Republic of China for business or other such requirements: the standard contract.

Specifically, this article introduces the Guidelines for the filing of the standard contract in order to transfer personal information outside the Chinese territory (1st version) (the “Guidelines”, in Chinese “个人信息出境标准合同备案指南, 第一版”)issued by the Cyberspace Administration of China (the “CAC”) the last 30th May 2023, right before the effective date (1st June 2023) of the Measures for Standard Contract of Cross-border Transfer of Personal Information (the “Measures”, in Chinese “个人信息 出境标准合同办法”, available here, only in Chinese).

The Guidelines contains specific indications about the materials to be submitted with the standard contract for cross-border transfer of personal information (the "Chinese SCC”) and on the procedure to be followed by the controller. Moreover, the Guidelines address widely concerned issues such as how to conduct personal information protection impact assessment (the “PIPIA”).

This article aims at helping companies (including European companies) on how use the Chinese SCC for cross-border transfer of personal information and to understand the filing procedure provided by the CAC, in case of entering into a contract, in accordance with the standard contract formulated by the CAC, with the foreign receiving party, stipulating and agreeing the rights and obligations of both parties.

Application Scope

As well as the Measures, the Guidelines specify that the Chinese SCC mechanism can be adopted by the controller of personal information who intends transfer data overseas where the following circumstances shall be met simultaneously:

  • is not designated as a critical information infrastructure operator (“CIIO”);
  • has processed personal information of less than 1 million individuals;
  • has not provided or does not intend to provide abroad personal information of more than 100,000 individuals accumulatively since January 1st of last year; and
  • has not provided or does not intend to provide abroad sensitive personal information of more than 10,000 individuals accumulatively since January 1st of last year.

Controllers cannot split the amount of personal information in order to adopt another mechanism and therefore mislead the requirements provided by the Chinese legislation to transfer personal information (such as pass a cross-border transfer security assessment conducted by the CAC).

Submission procedure

As provided in the Measures, the Chinese SCC and other materials shall be submitted to the cyberspace administration at the provincial level (the “local CA”) within 10 working days after the Chinese SCC enters into effect.

The Guidelines clarifies that the submission shall be done by the delivery of written materials and by sending the electronic versions of the materials. In the future, it seems quite likely that online filing platforms will be opened. This is actually happening, for example, with the security assessment like in Suzhou (Jiangsu Province) where they opened an online channel for notifying security assessment for cross-border transfer of personal information.

Upon receipt of the submitted materials, the local CA will complete the examination of the materials within 15 working days and notify the result of the submission. The scenario will be different:

  • in case of approval, the registration number will be issued to the applicant;
  • in case of refusal, the applicant will receive a notice including the reasons of the rejection;
  • in case of supplement, the local CA require to the applicant to supplement the materials. The supplement and the re-submission of the materials shall be completed within 10 working days.

Materials

On the basis of the Measures, the Guidelines further specifies that the following materials shall be submitted:

  • a photocopy stamped with the official seal of the unified social credit code certificate (i.e., business license);
  • a photocopy stamped with the official seal of the ID card of the legal representative of the company;
  • a photocopy stamped with the official seal of the ID card of the person in charge of application for the submission;
  • an original of the power of attorney for the person in charge of application for the submission;
  • an original of the letter of commitment;
  • an original of the standard contract of cross-border transfer of personal information;
  • an original of the PIPIA report conducted by the CAC.

In addition to the Chinese SCC, the Guidelines also includes templates of the power of attorney for the person in charge, the letter of commitment and the PIPIA report.

Moreover, it is worth mentioning that the PIPIA shall be completed within 3 months prior to the date of the submission and no significantly change must have occurred at the date of the submission.

Regarding the Chinese SCC, it is necessary to bear in mind that, in principle, the terms of the Chinese SCC cannot be modified. The contracting parties can agree to add other clauses, but they cannot be in conflict with the Chinese SCC content.

Controllers are responsible for the authenticity of the materials submitted, and those who submit false materials will be held legally responsible for the corresponding legal responsibilities.

Re-submission procedure

In specific circumstances occurs during the validity period of the contract, the Guidelines provides that a re-submission shall be done. In particular, a new PIPIA shall be conducted, and Chinese SCC shall be supplemented or re-signed and submitted.

Those specific circumstances are:

  • changes in the purpose, scope, type, sensitivity, method, and storage location of the personal information to be exported or in the purpose or method of processing personal information by the overseas recipient, or extension of the storage period of personal information;
  • changes in the legislation and regulations on the protection of personal information in the country or region where the overseas recipient is located, that may affect the rights and interest of the personal information subjects; or
  • any other circumstances that may affect the rights and interests of the personal information subjects.

The local CA shall review the re-submitted materials within 15 working days.

The announcement and the Guidelines are both available here, only in Chinese.

2024 - Morri Rossetti

I contenuti pubblicati nel presente sito sono protetti da diritto di autore, in base alle disposizioni nazionali e delle convenzioni internazionali, e sono di titolarità esclusiva di Morri Rossetti e Associati.
È vietato utilizzare qualsiasi tipo di tecnica di web scraping, estrazione di dati o qualsiasi altro mezzo automatizzato per raccogliere informazioni da questo sito senza il nostro esplicito consenso scritto.
Ogni comunicazione e diffusione al pubblico e ogni riproduzione parziale o integrale, se non effettuata a scopo meramente personale, dei contenuti presenti nel sito richiede la preventiva autorizzazione di Morri Rossetti e Associati.

cross