China’s cybersecurity authorities have released new guidelines for companies to apply for permission to transfer personal information and important data outside of China. The guidelines offer a comprehensive explanation of the procedures and documents required to apply for cross-border data transfer in compliance with China’s personal information and data protection laws. We provide an overview of the new China data export application guidelines, including English translations of key instructions and templates.
The Cybersecurity Administration of China (CAC), China’s top cybersecurity authority, has released a set of guidelines for the application of cross-border data transfer. The guidelines, titled the Guidelines for Data Exit Security Assessment and Declaration (First Edition), explain the procedures and processes for companies to apply for permission to export data out of China and include complete lists of required documents, templates for documents such as security assessment declarations, and application forms.
The new guidelines follow the release of the finalized version of the Measures for Data Export Security Assessment (the “Security Assessment Measures”), which came into effect on September 1, 2022. These measures detail specific requirements for security reviews for cross-border data transfer, as required under Article 38 of the Personal Information Protection Law (PIPL).
Under this provision, companies that wish to export over a certain volume of personal information (PI) or “important” data collected from subjects in China are required to take certain steps to get approval. This may include a security review by the CAC, PI protection certification by a professional institution, signing a contract with the foreign recipient of the PI, or meeting other unspecified requirements.
The new guidelines provide information on how to declare a security assessment in order to transfer a certain volume of PI or “important” data overseas. For information on who is required to submit a security assessment to engage in cross-border data transfer and the specific requirements for the assessment, see our article here.
Below we provide the step-by-step procedures for submitting a security assessment as outlined in the guidelines and offer an English translation of the template forms and letters.
Companies are required to apply for the data security assessment to the central CAC through the provincial CAC branch in the jurisdiction in which they are located.
The application must be submitted by sending the hard copy of the application materials and attaching the electronic version in the form of a CD-ROM.
The provincial CAC department will check whether the materials provided are complete within five working days of receiving them. If the materials are complete, the provincial CAC will then submit the materials to the top national-level CAC. If they are not complete, the applicant will receive a notice of the return of the application.
The central CAC will then determine whether to accept the application within seven days of receiving the materials from the provincial CAC and notify the applicant in writing. The applicant must supplement or correct any materials or information at the earliest time possible if told to do so by the CAC. The security assessment will be terminated if the applicant fails to provide or amend the materials as required with a justifiable reason. If the situation is deemed complex, the applicant may be told that the assessment period has been extended.
Once the security assessment has been completed, the applicant will receive a notice of the result of the assessment. If there are no objections to the results of the assessment, the company must then proceed with the cross-border data transfer activities in compliance with relevant laws and regulations and requirements laid out in the notice on the assessment result.
If the applicant has objections to the result of the assessment, then they can apply for a re-assessment to the central CAC within 15 days of receiving the result. The results of the re-assessment will however be final.
Below are the materials that companies must submit in the application for the security assessment. The corresponding electronic documents must be submitted on a CD-ROM along with the hard copies.
The company is responsible for the authenticity of the submitted materials and can be held legally liable should any of the materials be false or fabricated.
Companies are required to submit a self-assessment report when applying for cross-border data transfer. The company is responsible for the authenticity of the self-assessment and any supplementary materials. The self-assessment must be completed within three months of the application being submitted. If a third party is involved in the self-assessment, then the applicant must explain the circumstances around the third party’s involvement in the self-assessment report and affix the third-party organization’s official seal on any relevant content pages.
The contents of the self-assessment report must follow the format below.
Summary of the data export risk self-assessment work
Details on the circumstances of the self-assessment process, including the start and end time of the self-assessment, organization, implementation process, and implementation methods.
Description of the overall situation of outbound activities
A detailed explanation of the basic situation of the company, the business and information systems involved in the data export, the situation of the outbound data, the company’s security assurance capabilities, the situation of the overseas recipient, and legal agreements stipulated in legal documents. This includes (but is not limited to):
Risk assessment of planned outbound activities
The company must provide an explanation of the risks associated with each of the following items, focusing on the problems and hidden dangers found in the assessment, as well as the corresponding measures taken to correct these situations and the outcomes of the corrective actions.
Conclusion of the data export risk self-assessment report
Draw an objective risk self-assessment conclusion for the data export activities that will be declared based on the risk assessment and corresponding corrective measures described above, and fully explain the reasons and arguments for this conclusion.
Below we have provided an English translation of the template application materials provided in the guidelines. The translation is for reference only. The Chinese versions can be found on pages 5 to 7 of the guidelines.
I, name (ID number: xxx) the legal representative of company name, hereby delegate authority to name (ID number: xxx) to be the person in charge for the data export security assessment and declaration. All actions of the person in charge in the process of data export security assessment and declaration on behalf of our company, including the signed and uploaded materials, are recognized by our company and will bear the corresponding legal responsibility.
Authorization period: Year / Month / Day to Year / Month / Day
Company name (company seal):
Legal Representative (signature):
Person in charge (signature):
Year / Month / Day
The company hereby promises:
This company knows and fully understands the content of the above commitments. If the commitments are false or violate the commitments, we are willing to bear the corresponding legal responsibilities.
Legal representative (signature):
For assistance with cross-border data transfer procedures, including determining which responsibilities and requirements apply to your company or export activity, please contact firstname.lastname@example.org.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
Previous Article « China’s SaaS Market is Booming: Why Foreign Investors Should Pay Attention (Updated)
Next Article How Did The Previous Communist Party Congress Proceed With China’s Economy, Policy, and Regulatory Developments? »
Dezan Shira & Associates´ brochure offers a comprehensive overview of the services provided by the firm. With...
A firm understanding of China’s laws and regulations related to human resources and payroll management is ab...
Doing Business in China 2022 is designed to introduce the fundamentals of investing in China. Compiled by the ...
With the scope and penalties of China’s social credit system being further clarified in 2021, legal and regu...
As a legitimate tool for reasonable tax planning and cost saving, tax incentives play an important role. Compa...
Over the last few months, China has been quickly expanding the pilot program on electronic special value-added...
Dezan Shira & Associates helps
businesses establish, maintain,
and grow their operations.
Stay Ahead of the curve in Emerging Asia. Our subscription service offers regular regulatory updates,
including the most recent legal, tax and accounting changes that affect your business.