A personal information handler that truly needs to provide personal information for a party outside the territory of the People’s Republic of China for business sake or other reasons, shall meet one of the following requirements:
- passing the security assessment organized by the national cyberspace department in accordance with Article 40 of this Law;
- obtaining personal information protection certification from the relevant specialized institution according to the provisions issued by the national cyberspace department;
- concluding a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with the standard contract formulated by the national cyberspace department; and
- meeting other conditions set forth by laws and administrative regulations and by the national cyberspace department.
Where an international treaty or agreement that the People’s Republic of China has concluded or acceded to stipulates conditions for providing personal information for a party outside the territory of the People’s Republic of China, such stipulations may be followed.
The personal information handler shall take necessary measures to ensure that the personal information handling activities of the overseas recipient meet the personal information protection standards set forth in this Law.
- Certain transfers requiring security assessment
- Approval needed for transfers to foreign authorities
- List of restricted overseas recipients
- Consent for cross-border transfers
- Impact assessment required for cross-border transfers
Relevant PIPL Compliance Documents
(Subscription Services Required)
- 2021 Outbound Data Transfer Security Assessment Measures
- 2022 Guidelines for Application of Data Exit Security Evaluation (First Edition)
- 2017 IT Guidelines for Cross-border Data Transfer