Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
China: CAC requests comments on Standard Contract Provisions for the Exit of Personal Information
The Cyberspace Administration of China ('CAC') requested, on 30 June 2022, public comments on its draft of the Standard Contract Provisions for the Exit of Personal Information. In particular, if adopted, the draft provisions would apply to personal information processors who enter into contracts with overseas recipients to provide personal information outside the People's Republic of China ('PRC'), particularly emphasising that other contracts made between personal information processors and overseas recipients must not conflict with the provisions. More specifically, the draft provisions outline that personal information processors may sign a standard contract if they meet the following requirements:
- they are operators of non-critical information infrastructure;
- they handle personal information of less than one million people;
- since 1 January of the previous year, the cumulative amount of personal information provided overseas has not reached 100,000; and
- since 1 of the previous year, the accumulatively provided overseas sensitive personal information is less than 10,000.
In addition, the draft provisions detail the requirement to conduct a Data Protection Impact Assessment ('DPIA') in advance of providing information overseas. Likewise, the draft provisions state a standard contract must include, among other things, basic information on each party, the responsibilities and obligations, and the impact of domestic laws and regulations on personal information processing. Furthermore, the draft provisions note circumstances which require the recording of changes to and re-signing of such contracts, including changes to, among others, purpose, scope, storage period, storage location, and the regulations of the third country.
Equally, the draft provisions stipulate that personal information processors must, within 10 working days of the effective date of the standard contract, file the contract and the DPIA report with the local provincial cybersecurity and informatisation department.
Public comments can be submitted to [email protected] until 29 July 2022.
You can read the draft provisions, only available in Chinese, here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
