1. Conditions to Use Standard Contract

A personal information processor may cross-border transfer personal information through executing a standard contract only when all the following conditions are met:

• It is not a critical information infrastructure operator;
• It processes not more than one million individuals’ personal information;
• It has accumulatively transferred abroad personal information of not more than 100,000 individuals since January 1 of the preceding year; and
• It has accumulatively transferred abroad sensitive personal information of not more than 10,000 individuals since January 1 of the preceding year.

2. Prior Impact Assessment  

The processor should conduct a personal information protection impact assessment prior to cross-border transfer of personal information, focusing on the following:

• whether the purpose, scope and means of personal information processing of the pressor and the overseas recipient are lawful, fair and necessary;
• the quantity, scope, categories and sensitivity of personal information to be transferred abroad, and risks to legitimate rights and interests of individuals;
• responsibilities and obligations that the overseas recipient undertakes to perform; whether managerial and technical measures and capability for performing such responsibilities and obligations can ensure the security of personal information to be transferred abroad;
• risks of personal information falsification, damage, leakage, abuse after cross-border transfer; whether individuals may easily defend their rights and interests with respect to their personal information;
• the impact on the performance of standard contract by the personal information protection policies and laws in the country/region of the overseas recipient; and
• other matters that may affect the security of personal information transferred abroad.

3. Key Terms of Standard Contract

The standard contract shall at least include the following:

• basic information of the personal information processor and the overseas recipient, including but not limited to name, address, name and contact information of contact person, etc.;
• the purpose, scope, categories, sensitivity, quantity, means, storage period, storage place, etc. of personal information to be transferred abroad;
• the responsibilities and obligations that the personal information processor and the overseas recipient undertake to protect personal information, as well as the technical and managerial measures adopted to prevent the possible security risks arising from the cross-border transfer of personal information;
• the impact on the compliance with the terms of the standard contract by the personal information protection polices and laws in the country or region where the overseas recipient is located;
• the rights of personal information subjects, as well as approaches and means to safeguard the rights of personal information subjects;
• remedy, contract termination, liability for breach of contract and dispute resolution, etc.

4. Filing with CAC

The personal information processor should file the standard contract together with the personal information protection impact assessment report with provincial-level cyberspace administration within 10 working days from the date when the standard contract takes effect.

The Draft Provisions clarify that the personal information processor may start to cross-border transfer personal information upon the effectiveness of the standard contract.

The Draft Provisions require the personal information processor to resign a standard contract and make a new filing in the event of any of the following circumstances during the term of the standard contract:

• changes to the purpose, scope, categories, sensitivity, quantity, means, storage period, storage place of the cross-border personal information transfer; changes to use and means of processing of personal information by overseas recipient; or extension of overseas storage period of personal information;
• changes to personal information protection policies and laws in the country or region where overseas recipient is located, which may affect the rights and interests in the personal information;
• other circumstances that might affect the rights and interests in the personal information.