China Releases First Guidelines for Cross-Border Data Transfer Application
China’s cybersecurity authorities have released new guidelines for companies to apply for permission to transfer personal information and important data outside of China. The guidelines offer a comprehensive explanation of the procedures and documents required to apply for cross-border data transfer in compliance with China’s personal information and data protection laws. We provide an overview of the new China data export application guidelines, including English translations of key instructions and templates.
The Cybersecurity Administration of China (CAC), China’s top cybersecurity authority, has released a set of guidelines for the application of cross-border data transfer. The guidelines, titled the Guidelines for Data Exit Security Assessment and Declaration (First Edition), explain the procedures and processes for companies to apply for permission to export data out of China and include complete lists of required documents, templates for documents such as security assessment declarations, and application forms.
The new guidelines follow the release of the finalized version of the Measures for Data Export Security Assessment (the “Security Assessment Measures”), which came into effect on September 1, 2022. These measures detail specific requirements for security reviews for cross-border data transfer, as required under Article 38 of the Personal Information Protection Law (PIPL).
Under this provision, companies that wish to export over a certain volume of personal information (PI) or “important” data collected from subjects in China are required to take certain steps to get approval. This may include a security review by the CAC, PI protection certification by a professional institution, signing a contract with the foreign recipient of the PI, or meeting other unspecified requirements.
The new guidelines provide information on how to declare a security assessment in order to transfer a certain volume of PI or “important” data overseas. For information on who is required to submit a security assessment to engage in cross-border data transfer and the specific requirements for the assessment, see our article here.
Below we provide the step-by-step procedures for submitting a security assessment as outlined in the guidelines and offer an English translation of the template forms and letters.
Application method and procedures
Companies are required to apply for the data security assessment to the central CAC through the provincial CAC branch in the jurisdiction in which they are located.
The application must be submitted by sending the hard copy of the application materials and attaching the electronic version in the form of a CD-ROM.
The provincial CAC department will check whether the materials provided are complete within five working days of receiving them. If the materials are complete, the provincial CAC will then submit the materials to the top national-level CAC. If they are not complete, the applicant will receive a notice of the return of the application.
The central CAC will then determine whether to accept the application within seven days of receiving the materials from the provincial CAC and notify the applicant in writing. The applicant must supplement or correct any materials or information at the earliest time possible if told to do so by the CAC. The security assessment will be terminated if the applicant fails to provide or amend the materials as required with a justifiable reason. If the situation is deemed complex, the applicant may be told that the assessment period has been extended.
Once the security assessment has been completed, the applicant will receive a notice of the result of the assessment. If there are no objections to the results of the assessment, the company must then proceed with the cross-border data transfer activities in compliance with relevant laws and regulations and requirements laid out in the notice on the assessment result.
If the applicant has objections to the result of the assessment, then they can apply for a re-assessment to the central CAC within 15 days of receiving the result. The results of the re-assessment will however be final.
Below are the materials that companies must submit in the application for the security assessment. The corresponding electronic documents must be submitted on a CD-ROM along with the hard copies.
The company is responsible for the authenticity of the submitted materials and can be held legally liable should any of the materials be false or fabricated.
|China Data Export Security Assessment Application Material Requirements|
|1||Photocopy of the Unified Social Credit Code (unique 18-digit code issued by the Standardization Administration of China to all entities and businesses in China)||Photocopy with official seal|
|2||Photocopy of legal representative’s ID card||Photocopy with official seal|
|3||Photocopy of ID card of person in charge||Photocopy with official seal|
|4||Delegation of authority to the person in charge of data export (see template below)||Original copy|
|5||Data export security assessment declaration form (found on Pages 8 and 9 of the Guidelines)|
|5.1||Letter of commitment (see template below)||Original copy|
|5.2||Data export security assessment application form (found on Page 8 of the Guidelines) (see instructions below)||Original copy|
|6||Photocopies of data export-related contracts or other legally binding documents to be concluded with overseas recipients||Photocopy with official seal||Highlight, underline, or otherwise point out agreed terms related to data export. The Chinese version of legal documents must prevail. If there is only a non-Chinese version of the document, an accurate Chinese translation must be submitted along with the original version|
|7||Data export risk self-assessment report (see instructions below [insert anchor link])||Original copy|
|8||Other relevant certification materials||Original copy or photocopy with official seal||The Chinese version of any relevant certification materials must prevail. If there are only non-Chinese versions, accurate Chinese translations must be submitted along with the original versions.|
|Disclaimer: Above translation of required documents has been provided by China Briefing for reference only. For technical information and legal understanding, please reach out to our experts at firstname.lastname@example.org.|
Completing a data export risk self-assessment report
Companies are required to submit a self-assessment report when applying for cross-border data transfer. The company is responsible for the authenticity of the self-assessment and any supplementary materials. The self-assessment must be completed within three months of the application being submitted. If a third party is involved in the self-assessment, then the applicant must explain the circumstances around the third party’s involvement in the self-assessment report and affix the third-party organization’s official seal on any relevant content pages.
The contents of the self-assessment report must follow the format below.
Summary of the data export risk self-assessment work
Details on the circumstances of the self-assessment process, including the start and end time of the self-assessment, organization, implementation process, and implementation methods.
Description of the overall situation of outbound activities
A detailed explanation of the basic situation of the company, the business and information systems involved in the data export, the situation of the outbound data, the company’s security assurance capabilities, the situation of the overseas recipient, and legal agreements stipulated in legal documents. This includes (but is not limited to):
- Basic company information:
- Basic information of the organization and individuals involved in the data export;
- Shareholding structure and information on the organization or individual holding the controlling stake;
- Information on the organizational structure;
- Information on the data security management agency;
- Overall business and data situation; and
- Domestic and foreign investment.
- Information on the business and information systems involved in the data export:
- The basic situation of the business involved in the export of data;
- Data assets of the business involved in the data export;
- Information system of the business involved in the export of data;
- Data centers (including cloud services) involved in data export;
- Information about data outbound links.
- Circumstances surrounding the planned outbound data
- Explanation of the purpose, scope, and processing method, as well as the legitimacy, justifiability, and necessity of the data export and overseas recipient’s processing of the data;
- Explanation of the scale, scope, type, and sensitivity of the data for export;
- Circumstances surrounding the system platform and data center that is planned to be used to store the data in China, and the system platform, data center, or other system planned to be used for storage of the data overseas;
- Circumstances surrounding the provision of the data to other recipients overseas after it has been exported
- The situation of the data security guarantee capabilities of the company
- The data security management capabilities, including the management organization system and system construction, systems for guaranteeing whole-process management, classification, emergency response, risk assessment, and personal information rights protection, as well as the circumstances surrounding their implementation;
- Data security technical capabilities, including security technical measures taken throughout the entire process of data collection, storage, use, processing, transmission, provision, disclosure, and deletion, among others.
- Proof of the effectiveness of the data security protection measures, such as data security risk assessments, capability certification, inspection and evaluations, compliance audits, and network security level protection evaluation, among others;
- Circumstances surrounding compliance with laws and regulations related to data and network security.
- Information on the overseas recipient
- Basic information of the overseas recipients
- The purpose and method of data processing by the overseas recipients;
- The data security guarantee capabilities of the overseas recipient
- The data security protection policies and regulations and network security environment of the country or region where the overseas recipient is located;
- A description of the entire process of data processing by overseas recipients.
- Information on legally binding agreements on data security protection responsibilities and obligations
- The purpose, method, and scope of data export, and the purpose and method of data processing by overseas recipients;
- The location and duration of data storage overseas, and the processing measures for outbound data after the agreed storage duration has elapsed, the agreed purpose for data processing is completed, or the legal documents have terminated;
- Binding requirements for overseas recipients to transfer outbound data to other organizations and individuals;
- Security measures that will be taken when the control rights or business scope of the overseas recipient changes substantially, or in the event of a change in the data security protection policies and regulations and/or cybersecurity environment of the country or region where the recipient is located, and other force majeure circumstances that could make it difficult to ensure data security.
- Remedial measures, liability for breach of contract, and dispute resolution mechanisms for breach of the data security protection obligations agreed upon in the legal documents;
- The requirements for proper emergency response and methods to protect the rights and interests of individuals in safeguarding their PI in the event that the outbound data is at risk of being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used.
- Any other situations that the company thinks may need explanation.
Risk assessment of planned outbound activities
The company must provide an explanation of the risks associated with each of the following items, focusing on the problems and hidden dangers found in the assessment, as well as the corresponding measures taken to correct these situations and the outcomes of the corrective actions.
- The legitimacy, justifiability, and necessity of the purpose for processing the data, the scope of data being processed, and the processing method for the data export and the overseas recipients
- The scale, scope, type, and sensitivity of the data for export, and the risks that the data export may pose to national security, public interests, and the legitimate rights and interests of individuals or organizations;
- The responsibilities and obligations undertaken by that the overseas recipient, and whether the management and technical measures and capabilities for fulfilling the responsibilities and obligations can ensure the security of outbound data;
- Risks of the data being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used during or after exiting the country, and whether there are unobstructed channels for safeguarding PI rights and interests;
- Whether the data export-related contract or other legally binding documents concluded with the overseas recipient fully stipulates the recipient’s responsibilities and obligations to data security protection;
- Other matters that may affect the security of the data for export.
Conclusion of the data export risk self-assessment report
Draw an objective risk self-assessment conclusion for the data export activities that will be declared based on the risk assessment and corresponding corrective measures described above, and fully explain the reasons and arguments for this conclusion.
Templates of the application materials
Below we have provided an English translation of the template application materials provided in the guidelines. The translation is for reference only. The Chinese versions can be found on pages 5 to 7 of the guidelines.
Delegation of authority to the person in charge of data export
I, name (ID number: xxx) the legal representative of company name, hereby delegate authority to name (ID number: xxx) to be the person in charge for the data export security assessment and declaration. All actions of the person in charge in the process of data export security assessment and declaration on behalf of our company, including the signed and uploaded materials, are recognized by our company and will bear the corresponding legal responsibility.
Authorization period: Year / Month / Day to Year / Month / Day
Company name (company seal):
Legal Representative (signature):
Person in charge (signature):
Year / Month / Day
Letter of Commitment
The company hereby promises:
- That the collection and use of the data declared for export is in compliance with relevant laws and regulations of the People’s Republic of China;
- That all contents of the declaration materials are true, complete, accurate, and valid;
- To cooperate and provide the necessary support for the data export security assessment organized and implemented by the Cyberspace Administration of China;
- That the self-assessment work has been completed within three months of the date of declaration, and no major changes have occurred up until the date of declaration.
This company knows and fully understands the content of the above commitments. If the commitments are false or violate the commitments, we are willing to bear the corresponding legal responsibilities.
Legal representative (signature):
Year / Month / Day
For assistance with cross-border data transfer procedures, including determining which responsibilities and requirements apply to your company or export activity, please contact email@example.com.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
- Previous Article China’s SaaS Market is Booming: Why Foreign Investors Should Pay Attention (Updated)
- Next Article How Did The Previous Communist Party Congress Proceed With China’s Economy, Policy, and Regulatory Developments?