China: Long-awaited standard contract released and filing requirement added for transfer of personal information out of China

On 24 February 2023, the Cyber Administration of China (“CAC”) issued measures containing a standard contract template for transfers of personal information, detailed guidelines (including for a required impact assessment) and a filing requirement for transfers of personal information from China to other countries.

These measures come into effect on 1 June 2023 and are highly relevant for multinational companies with a presence in China.

1 Processing and cross-border transfer of personal information in China

China’s data privacy law, the Personal Information Protection Law (“PIPL”), entered into force on 1 November 2021 and also regulates cross-border transfers of personal information.

On 24 February 2023, CAC issued the “Circular on the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information” (“Measures”), together with an enclosed standard contract template to be used for cross-border transfers in applicable scenarios.

2 Standard contract as legal basis for transfers

Pursuant to the issued Measures, those personal information processors adhering to all of the following four requirements may use the standard contract:

  1. The personal information processor is not a critical information infrastructure operator (often referred to as “CIIO”);
  2. The personal information processor handles personal information of less than one million individuals;
  3. The personal information processor has transferred personal information of less than 100,000 individuals, in aggregate, to overseas recipients since 1 January of the previous calendar year; and
  4. The personal information processor has transferred sensitive personal information of less than 10,000 individuals, in aggregate, to overseas recipients since 1 January of the previous year.

Personal information processors who do not meet the above requirements must rely on another legal basis for cross-border transfer, such as passing the special security assessment of local CAC, etc.

Pursuant to the template standard contract enclosed with the Measures, a standard contract must include basic information on the personal information processor, the overseas recipient, the purpose, scope, type, sensitivity and quantity of personal information, method, retention period, storage location, and other aspects of the personal information to be transferred.

3 Requirement for personal information protection impact assessment

In addition to the standard contract, the personal information processor transferring personal information out of China must also conduct a “personal information protection impact assessment” (“PIPIA”), cf. the Measures, article 5. A PIPIA must contain the following:

  1. description of the legality, legitimacy, and necessity of the purpose, scope, and method for processing personal information by the personal information processor and the overseas recipient;
  2. listing of the quantity, scope, type, and sensitivity of the personal information to be transferred overseas, and the risk(s) that the cross-border transfer may pose;
  3. the obligations that the overseas recipient undertakes, and whether its management, technical measures and capabilities sufficiently fulfil such obligations ensuring safety of the personal information to be transferred;
  4. after transfer abroad, the risk of disclosure, destruction, or interference of the personal information, and whether there is a channel for individuals to protect their rights and interests in their personal information;
  5. the impact of personal information protection policies and regulations in the country or region of the overseas recipient on the performance stipulated in the standard contract; and
  6. other matters that may affect the security of the personal information to be transferred overseas.

4 Filing requirement

Once a standard contract has been executed and the PIPIA has been completed, the personal information processor in China is required to file both of these documents with the local or higher-level CAC at the place where the personal information processor is located. Such filing must occur within 10 working days from the effective date of the standard contract.

It is worth noting that regardless of whether the personal information processor is a larger group of companies that shares personal information with other group companies or whether the overseas recipient is an external third-party provider outside of China, the personal information processor in China needs to have a separate standard contract and conduct a separate impact assessment for each overseas recipient.

5 Key take-away

With the announcement of the Measures and the standard contract template, all companies transferring personal information from China have a new set of detailed requirements they must adhere to from 1 June 2023. In particular, preparing to enter into the standard contracts and conducting PIPIAs in accordance with the Measures can be challenging.

It is therefore our recommendation that companies initiate these processes as soon as possible so that their cross-border transfers of personal information are not in breach of PIPL. Non-compliance with PIPL may lead to fines up to RMB 100,000 for persons in charge or directly liable for the violation and/or fines up to RMB 50,000,000 or 5% of previous year’s turnover for the company and even withdrawal of the right to conduct business in China.


Content provided by SwedCham Gold Partner: Wikborg Rein

If you have any questions, please contact:

Xiaomin Qu at: xqu@wrco.com.cn

 

Sherry Qiu at: shq@wrco.com.cn
