New Standard Contractual Clauses for the Cross-border Transfer of Personal Information out of Mainland China

  • Hong Kong
  • Privacy, data protection and cybersecurity - ePrivacy
  • Technology, Media and Telecoms - General


On 30 June 2022, in connection with the requirements for cross-border transfer of personal information under the Personal Information Protection Law in the PRC (“PIPL”), the Cyberspace Administration of China (“CAC”) published the Draft Rules on Standard Contracts Regarding Export of Personal Information (个人信息出境标准合同规定(征求意见稿)) (the “Draft Rules”). Public consultation on the Draft Rules has commenced and will conclude on 29 July 2022.

Under Article 38 of the PIPL, the adoption of standard contractual clauses (“Standard Contractual Clauses”) between the personal information processor (which is akin to a “data controller” under the GDPR), who transfers personal information to a location outside the PRC, and the offshore recipient, is one of four compliance methods under the PIPL which lawfully facilitate the offshore transfer of personal information from the PRC. The Draft Rules set out requirements relating to the use and applicability of the Standard Contractual Clauses, along with a template data processing agreement with the Standard Contractual Clauses for reference.

Who may use the Standard Contractual Clauses?

Importantly, a personal information processor may only rely on the Standard Contractual Clauses (as one of the four permitted methods) to facilitate cross-border transfer if it satisfies all of the following conditions:

  1. the personal information processor is not a “critical information infrastructure operator”;

  2. the personal information processor processes personal information of less than one million individuals;

  3. since January 1st of the previous year, the personal information processor has transferred personal information of less than 100,000 individuals on a cumulative basis to outside the PRC; and

  4. since January 1st of the previous year, the personal information processor has transferred sensitive personal information of less than 10,000 individuals on a cumulative basis to outside the PRC.

Personal information processors which do not satisfy the above conditions will be required to pass a CAC-led security assessment before they can transfer personal information to outside the PRC.

Standard Contractual Clauses – is it what we expected?

On the one hand, the Standard Contractual Clauses (in the form of the template data processing agreement) set out terms that are commonly seen in the form of standard contractual clauses (or equivalent) of other jurisdictions. For instance, the Standard Contractual Clauses set out:

  • the details of the personal information being processed, including but not limited to purpose of the transfer, scope, type, level of sensitivity, quantity, method, retention period and storage location;

  • the respective responsibilities and obligations of the personal information processor and the offshore recipient, as well as the technical and organisational measures taken to protect the personal information against security risks; and

  • the rights of the data subjects.

On the other hand, however (and as somewhat expected), the Standard Contractual Clauses also contain provisions which specifically implement principles unique to the PIPL or PRC data privacy regime, such as:

  • unlike the EU Standard Contractual Clauses, which adopt four modules (namely, controller to controller, controller to processor, processor to sub-processor and processor to controller) based on the parties’ data processing roles, there is only one form of Standard Contractual Clauses to be entered into by and between the personal information processor and an offshore recipient (who may act either as the personal information processor or entrusted party (which is akin to “processor” under the GDPR));

  • the personal information processor is expressly required to carry out a data protection impact assessment (“DPIA”) prior to the transfer of personal information, which should be retained for at least 3 years;

  • the offshore recipient is expressly required to keep objective records of the personal information processing activities carried out, and retain such records for at least 3 years; and

  • where the offshore recipient will use personal information in connection with automated decision making, it warrants not to apply unreasonable differential treatment to individuals, such as adopting processes and means which may result in different pricing terms applying to different individuals.

How should the Standard Contractual Clauses be used?

Under the Draft Rules, the Standard Contractual Clauses shall be used in the following manner:

  1. before personal information is transferred to outside the PRC, the personal information processor must enter into the Standard Contractual Clauses with the offshore data recipient;

  2. prior to transferring personal information to outside the PRC, the personal information processor must also conduct a DPIA; and

  3. within 10 working days of the Standard Contractual Clauses coming into effect, a record-filing must be made to the local provincial branch of the CAC. The Standard Contractual Clauses and the DPIA must be submitted.

Following the completion of Steps 1 and 2, personal information may be transferred to outside the PRC.

However, it is important to note that new Standard Contractual Clauses may need to be signed and filed with the CAC (hence, the above steps are then repeated) if one of the following events occurs:

  • there is a change of data processing activities (e.g. purpose of transfer, scope, type, level of sensitivity, method, retention period, storage location, etc.) or extension of retention period of personal information;

  • there is a change of the data privacy laws and regulations of the inbound jurisdiction to which the personal information is transferred, which may impact the rights and interests of individuals; or

  • there are other circumstances which may affect the rights and interests of individuals.

In the event of (i) the personal information processor’s failure to complete record-filing as required, or provision of false materials for record-filing; (ii) the personal information processor’s failure to perform the responsibilities and obligations as agreed in the Standard Contractual Clauses, resulting in an infringement of the rights and interests of the data subjects and causing damage; or (iii) occurrence of other circumstances which affect the rights and interests of the data subjects, the CAC may order the relevant personal information processor to rectify the breach within a specified deadline, failing which the personal information processor may be ordered to suspend the cross-border transfer of personal information, or even be found to have committed a criminal offence.

To read the Draft Rules, please see here (in Chinese language only). To read our previous e-Briefing on obtaining security accreditation for cross-border transfer, which is another compliance method under the PIPL for transfer of personal information outside the PRC, please see here.

For more information on requirements for the cross-border transfers of personal information, please contact us.








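  1. it is not a critical information infrastructure operator;

  2. it processes the personal information of fewer than one million individuals;

  3. since 1 January of the previous year, it has cumulatively provided the personal information of fewer than 100,000 individuals to recipients outside the PRC; and

  4. since 1 January of the previous year, it has cumulatively provided the sensitive personal information of fewer than 10,000 individuals to recipients outside the PRC.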




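  • the specific details of the personal information, including but not limited to the purpose of the transfer, scope, type, level of sensitivity, quantity, retention period and storage location;

  • the respective responsibilities and obligations of the personal information processor and the offshore recipient, as well as the technical and management measures taken to protect the personal information against security risks; and

  • the rights of the personal information subjects, and the channels and means of safeguarding those rights.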


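  • unlike the EU Standard Contractual Clauses, which distinguish four cross-border personal data transfer scenarios according to the parties’ data processing roles (namely, controller to controller, controller to processor, processor to sub-processor, and processor to controller), the personal information processor in China and the offshore recipient (which may act as a personal information processor or as an entrusted party (akin to a “processor” under the EU General Data Protection Regulation)) need only enter into one form of Standard Contractual Clauses;

  • the personal information processor is expressly required to carry out a personal information protection impact assessment before providing personal information to an offshore recipient, and to retain the assessment report for at least 3 years;

  • the offshore recipient is expressly required to keep objective records of the personal information processing activities carried out, and to retain those records for at least 3 years; and

  • where the offshore recipient will use personal information for automated decision-making, it must represent, warrant and undertake not to apply unreasonable differential treatment to individuals in transaction terms such as transaction price (for example, by adopting processes and means that may result in different pricing terms applying to different individuals).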



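  1. before personal information is transferred outside China, the personal information processor must enter into the standard contract with the offshore recipient;

  2. before transferring personal information outside China, the personal information processor must carry out a personal information protection impact assessment; and

  3. within 10 working days of the standard contract taking effect, the personal information processor must make a record-filing with the provincial-level cyberspace administration of the place where it is located. The standard contract and the personal information protection impact assessment report must be submitted for the record-filing.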


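  • a change in the personal information processing activities (for example, the purpose, scope, type, level of sensitivity, quantity, method, retention period or storage location of the personal information provided to the offshore recipient) or an extension of the offshore retention period of the personal information;

  • a change in the personal information protection policies, laws or regulations of the country or region where the offshore recipient is located, or a similar change, which may affect personal information rights and interests; or

  • other circumstances which may affect personal information rights and interests.

If (i) the personal information processor fails to complete the record-filing procedure or submits false materials for record-filing; (ii) the personal information processor fails to perform the responsibilities and obligations agreed in the standard contract, infringing personal information rights and interests and causing damage; or (iii) other circumstances arise which affect personal information rights and interests, the cyberspace administration may order the relevant personal information processor to rectify the breach within a specified time limit. If the personal information processor refuses to rectify, the cyberspace administration may order it to cease its outbound transfers of personal information, and the personal information processor may even be found to have committed a criminal offence.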