China’s Cross-Border Data Transfer: Key Insights from Official Q&A (III)

Written by Qian Zhou

China’s cross-border data transfer Q&A III provides the latest official insights for foreign investors navigating compliance in China and further clarifies exemptions, obligations, and certification standards.


China’s regulatory framework for cross-border data transfers has become a cornerstone of its digital governance strategy. The Cyberspace Administration of China (CAC) continues to refine rules to ensure data security while supporting international business operations. For foreign investors, compliance with these regulations is critical to avoid operational disruptions and legal risks.

In October 2025, CAC released another official Q&A addressing common questions from businesses regarding the implementation of the Provisions on Promoting and Regulating Cross-Border Data Flow (the Provisions) and related measures. This guidance clarifies exemptions, obligations, and procedural requirements, helping enterprises navigate complex compliance scenarios.

Official Q&A

Q1. The Provisions list exemption scenarios such as “cross-border shopping, cross-border delivery, …, examination services, etc.” How should “etc.” be understood?

Answer: Article 5(1)(a) of the Provisions states: “For concluding or performing a contract where the individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel booking, visa processing, examination services, etc., if it is necessary to provide personal information abroad, security assessment, standard contract, or certification may be exempted.” The term “etc.” means other similar scenarios can be included, not limited to those listed.

Exemption scenarios must meet two conditions:

  • It is for concluding or performing a contract where the individual is a party; and
  • It is necessary to provide personal information abroad. The minimum necessary scope should be judged based on laws, regulations, standards, and actual outbound scenarios.

Also, under Article 10, when providing personal information abroad, processors must inform individuals, obtain separate consent, and conduct a personal information protection impact assessment (PIPIA).

Q2. Do the data of domestic individuals booking domestic hotels qualify for exemption?

Answer: No. Outbound personal information in this case does not meet the condition of “necessary for concluding or performing a contract where the individual is a party and providing personal information abroad.” It still needs to go through a security assessment, standard contract, or certification.

Q3. Does providing employees’ ID, passport, and bank account information abroad fall under the HR management exemption?

Answer: Article 5(1)(b) provides that “For implementing cross-border human resources management under lawfully formulated labor rules and lawfully signed collective contracts, if it is necessary to provide employees’ personal information abroad,” security assessment, standard contract, or certification may be exempted. Only information necessary for HR management should be processed, following principles of necessity, clear purpose, and minimization. Whether ID, passport, and bank account details are “necessary” should be judged accordingly.

Q4. After being notified of holding ‘important data,’ can companies have more time beyond two months to apply for a security assessment?

Answer: No. If a processor has been notified, or its data has been publicly identified as important, and the outbound transfer continues, the processor must apply within two months via the provincial CAC. For complex scenarios, companies should prepare materials during the identification process to avoid delays.

Q5. In the Guide for Security Assessment Application (Version 3), what does “overseas” mean in the phrase ‘overseas entities can query, retrieve, download, export data stored in China’?

Answer: “Overseas” refers to where the data access occurs. If the staff of an overseas entity accesses data while physically in China without transferring it abroad, it is not considered a cross-border data transfer.

Q6. If outbound data scenarios and recipients remain unchanged but systems are upgraded or replaced, is re-assessment required?

Answer: Under Article 14 of the Measures for Security Assessment of Outbound Data, re-assessment is required if changes affect data security (purpose, method, scope, type, recipient’s use, or control). If system upgrades do not involve such changes, re-assessment is not needed.

Q7. For continuous outbound transfers of personal information, must standard contracts be filed multiple times?

Answer: If transfers involve the same recipient and annual volumes meet standard contract conditions, filing once based on reasonable forecasts is sufficient. If, starting from January 1 of the current year, cumulative volumes reach security assessment thresholds, the processor must submit the security assessment application to the national CAC through the provincial CAC where it is located.

Q8. After filing a standard contract, when must it be re-executed? What if new outbound scenarios arise?

Answer: Article 8 of the Measures for Standard Contracts specifies that during the validity period of a standard contract, if any of the following situations occur, the personal information processor must re-conduct a PIPIA, supplement or re-execute the standard contract, and complete the corresponding filing procedures:

  1. Changes in the purpose, scope, type, sensitivity level, method, storage location of outbound personal information, or changes in the overseas recipient’s purpose or method of processing personal information, or extension of the retention period of personal information abroad.
  2. Changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located that may impact the recipient’s personal information rights.
  3. Other circumstances that may affect personal information rights.

After completing the initial filing, if new outbound personal information scenarios arise due to business development and these scenarios fall under any of the above conditions, the processor must re-conduct the PIPIA, supplement or re-execute the standard contract, and fulfill the filing obligations accordingly.

Q9. Can the overseas recipient share personal information transferred under the standard contract with overseas third parties?

Answer: If the overseas recipient needs to provide the personal information (originally transferred under the standard contract) to any overseas third party, this must be clearly specified in Appendix 1 of the standard contract template under section “(6) Overseas recipient only provides personal information to the following overseas third parties (if applicable).” Both parties should ensure this disclosure is accurate and complete before signing.

Q10. After the Measures for Certification of Personal Information Outbound Transfers take effect, what standards apply?

Answer: Certification agencies and enterprises should follow the 2022 Announcement on Implementing Personal Information Protection Certification and the national standard GB/T 46068-2025. Additionally, the CAC will publish a list of qualified certification agencies in accordance with the procedures outlined in the Measures. Businesses should monitor official updates on the CAC website for the latest information.

Key takeaways for foreign investors

China’s cross-border data transfer regime is designed to strike a balance between safeguarding data security and enabling global business operations. For foreign investors, understanding these nuances is critical:

  1. Leverage exemptions carefully: Exemptions can simplify compliance, but they are not blanket permissions. Ensure both conditions are met: the transfer must be necessary for fulfilling a contract where the individual is a party, and only the minimum required personal information should be shared. Misinterpreting these rules can lead to compliance risks.
  2. Compliance obligations remain mandatory: Even when exemptions apply, obligations such as informing individuals, obtaining explicit consent, and conducting PIPIA do not disappear. These steps are essential for demonstrating accountability and avoiding penalties.
  3. Plan ahead for HR and operational data: Cross-border HR management often involves sensitive personal information. Review labor agreements and internal policies to ensure they align with legal requirements. Adopt the principle of data minimization – only process what is strictly necessary for HR purposes.
  4. Prepare for important data scenarios early: If your business handles data that could be classified as “important,” start preparing documentation and assessment materials before official notification. The two-month deadline for security assessment applications leaves little room for delay.
  5. Monitor changes proactively: System upgrades, changes in overseas recipients, or shifts in foreign data protection laws can trigger reassessment obligations. Establish a monitoring mechanism to track regulatory updates and operational changes so you can respond quickly.

China’s approach reflects a pragmatic balance between security and business facilitation. Foreign investors should adopt proactive compliance strategies, integrate data governance into daily operations, and maintain open communication with local CAC authorities. Staying informed and prepared will help ensure smooth, compliant cross-border data activities while minimizing business disruption.

With support from our in-house legal, HR, finance, and IT specialists, Dezan Shira & Associates helps clients strengthen defenses, prepare for audits, and build privacy programs that transform data compliance from a risk into a competitive advantage. Get in touch with our local experts to schedule a consultation: China@dezshira.com.

About Us

China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.