Article 38 – Cross-Border Transfers

A personal information handler that truly needs to provide personal information for a party outside the territory of the People’s Republic of China for business sake or other reasons, shall meet one of the following requirements:

  1. passing the security assessment organized by the national cyberspace department in accordance with Article 40 of this Law;
  2. obtaining personal information protection certification from the relevant specialized institution according to the provisions issued by the national cyberspace department;
  3. concluding a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with the standard contract formulated by the national cyberspace department; and
  4. meeting other conditions set forth by laws and administrative regulations and by the national cyberspace department.

Where an international treaty or agreement that the People’s Republic of China has concluded or acceded to stipulates conditions for providing personal information for a party outside the territory of the People’s Republic of China, such stipulations may be followed.

The personal information handler shall take necessary measures to ensure that the personal information handling activities of the overseas recipient meet the personal information protection standards set forth in this Law.

Related provisions:

Relevant PIPL Compliance Documents
(Subscription Services Required)

For detailed information on XL Law Subscription content, click here or email