On May 30, 2023, the Cyberspace Administration of China issued the Guidelines for the Filing of the Standard Contract of Cross-border Transfer of Personal Information (1 st Version) ("Guidelines", 《个人信息出境标准合同备案指南(第一版)》in Chinese), right before the effective date (June 1, 2023) of the Measures for Standard Contract of Cross-border Transfer of Personal Information ("Measures", 《个人信息 出境标准合同办法》in Chinese).
The Guidelines setsforth specific requirements on the method, procedures and materials for the filing of China's standard contract for cross-border transfer of personal information ("China SCC"), and addresses widely concerned issues like how to conduct personal information protection impact assessment ("PIPIA") for cross-border data transfer.
This alert will introduce the Guidelines from a practical perspective for reference by enterprises, especially multinationals, who will be able to use China SCC for international transfer of personal information.
I. Application Scope
The Guidelines reiterates the application scope of the filing system for China SCC stipulated in the Measures. Specifically, where personal information is provided abroad by means of concluding China SCC, the following circumstances shall be met simultaneously by the personal information handler:
(1) NOT a critical information infrastructure operator;
(2) has processed personal information of LESS THAN 1 million people;
(3) has NOT provided abroad personal information of MORE THAN 100,000 people accumulatively since January 1st of last year; and
(4) has NOT provided abroad sensitive personal information of MORE THAN 10,000 people accumulatively since January 1st of last year.
II. Method of Filing
As provided in the Measures, the filing of China SCC shall be applied for, with the cyberspace administration at the provincial level, within 10 working days after the China SCC enters into effect.
The Guidelines clarifies that, the submission shall be done by the delivery of written materials accompanied by electronic versions of the materials. However, hopefully, online filing platforms will be opened in the future, as Suzhou in Jiangsu Province has opened an online channel for notifying security assessment for cross-border transfer of personal information.
III. Materials for Filing
On the basis of the Measures, the Guidelines further specifies the following materials to be submitted for filing:
(1) Unified social credit code certificate (i.e., business license) (photocopy with official seal);
(2) ID card of legal representative (photocopy with official seal);
(3) ID card of the person in charge of application for filing (photocopy with official seal);
(4) Power of attorney for the person in charge of application for filing (original); (5) Statement of commitment (original);
(6) Standard contract of cross-border transfer of personal information (original);
(7) Personal information protection impact assessment report (original).
In addition to the China SCC (i.e., item (6) above), the Guidelines also includes templates for the materials of (4), (5) and (7).
IV. Filing Procedures
Upon receipt of the filing materials, the provincial cyberspace administration will complete the review of the materials within 15 working days and notify the result of filing. If it is approved, the registration number will be issued to the applicant. If the filing is failed, the applicant will receive a notice and reasons for the rejection. If the applicant is asked to supplement and improve the materials, it shall complete such supplement and re-submit the materials again within 10 working days. The specific
V. Re-filing
Following the provisions under the Measures, the Guidelines also provides that, if any of the following circumstances occurs during the validity period of the contract, a new PIPIA shall be conducted, and China SCC shall be supplemented, re-concluded, and re[1]filed:
(1) changes in the purpose, scope, type, sensitivity, manner, and place of storage of personal information provided abroad or in the use or manner of processing personal information by the overseas recipient, or extension of the storage period of personal information abroad;
(2) changes in the policies and regulations on the protection of personal information in the country or region where the overseas recipient is located, etc. that may affect the personal information related rights and interests; or
(3) any other circumstances that may affect the personal information related rights and interests.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
