On May 30, 2023, the Cyberspace Administration of China issued the Guidelines for  the Filing of the Standard Contract of Cross-border Transfer of Personal Information  (1 st Version) ("Guidelines", 《个人信息出境标准合同备案指南(第一版)》in  Chinese), right before the effective date (June 1, 2023) of the Measures for Standard  Contract of Cross-border Transfer of Personal Information ("Measures", 《个人信息 出境标准合同办法》in Chinese).

The Guidelines setsforth specific requirements on the method, procedures and materials  for the filing of China's standard contract for cross-border transfer of personal  information ("China SCC"), and addresses widely concerned issues like how to  conduct personal information protection impact assessment ("PIPIA") for cross-border  data transfer.

This alert will introduce the Guidelines from a practical perspective for reference by  enterprises, especially multinationals, who will be able to use China SCC for international transfer of personal information.

I. Application Scope

The Guidelines reiterates the application scope of the filing system for China SCC stipulated in the Measures. Specifically, where personal information is provided abroad  by means of concluding China SCC, the following circumstances shall be met  simultaneously by the personal information handler:

(1) NOT a critical information infrastructure operator;

(2) has processed personal information of LESS THAN 1 million people;

(3) has NOT provided abroad personal information of MORE THAN 100,000 people  accumulatively since January 1st of last year; and

(4) has NOT provided abroad sensitive personal information of MORE THAN 10,000  people accumulatively since January 1st of last year.

II. Method of Filing

As provided in the Measures, the filing of China SCC shall be applied for, with the  cyberspace administration at the provincial level, within 10 working days after the China SCC enters into effect.

The Guidelines clarifies that, the submission shall be done by the delivery of written  materials accompanied by electronic versions of the materials. However, hopefully,  online filing platforms will be opened in the future, as Suzhou in Jiangsu Province has opened an online channel for notifying security assessment for cross-border transfer of  personal information.

III. Materials for Filing

On the basis of the Measures, the Guidelines further specifies the following materials  to be submitted for filing:

(1) Unified social credit code certificate (i.e., business license) (photocopy with official  seal);

(2) ID card of legal representative (photocopy with official seal);

(3) ID card of the person in charge of application for filing (photocopy with official  seal);

(4) Power of attorney for the person in charge of application for filing (original);  (5) Statement of commitment (original);

(6) Standard contract of cross-border transfer of personal information (original);

(7) Personal information protection impact assessment report (original).

In addition to the China SCC (i.e., item (6) above), the Guidelines also includes  templates for the materials of (4), (5) and (7).

IV. Filing Procedures

Upon receipt of the filing materials, the provincial cyberspace administration will complete the review of the materials within 15 working days and notify the result of  filing. If it is approved, the registration number will be issued to the applicant. If the  filing is failed, the applicant will receive a notice and reasons for the rejection. If the  applicant is asked to supplement and improve the materials, it shall complete such  supplement and re-submit the materials again within 10 working days. The specific


V. Re-filing

Following the provisions under the Measures, the Guidelines also provides that, if any of the following circumstances occurs during the validity period of the contract, a new  PIPIA shall be conducted, and China SCC shall be supplemented, re-concluded, and re[1]filed:

(1) changes in the purpose, scope, type, sensitivity, manner, and place of storage of  personal information provided abroad or in the use or manner of processing personal information by the overseas recipient, or extension of the storage period  of personal information abroad;

(2) changes in the policies and regulations on the protection of personal information in  the country or region where the overseas recipient is located, etc. that may affect  the personal information related rights and interests; or

(3) any other circumstances that may affect the personal information related rights and  interests.

Download : Data Protection And Cybersecurity Alert: China Released The First Guidelines For Filing Standard  Contract Of Cross-border Transfer Of Personal Information

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.