II. Practical Points and Tips from the Guidelines

The Guidelines provides certain specific guidance for multinational enterprises and other entities which urgently need to transfer personal information out of China by using the Standard Contract route, such as further clarification on what situations would be regarded as cross-border transfer of personal information, the filing methods and processes, the filing material requirements. Most of all, the Guidelines also provides a template personal information protection impact assessment report (“PIA Report”) which is a mandatory and crucial report to be filed pursuant to the Measures.

The content of the Guidelines is relatively similar to the guidelines issued by the CAC for the applications under the Security Assessment of Outbound Data Transfers which came into effect on September 1 2022 (hereinafter referred to as “Guidelines for Data Transfer”) . 

The following technical tips are summarized from our experience and shared for your attention:

Who Should Do the Filing

It is important to note that the entity to file the Standard Contract, the PIA Report and other supporting materials should be the personal information processors, i.e. the individuals or companies which provide personal information to overseas recipients. For multinational enterprises, it should be the domestic entities, not the overseas headquarters or companies, to do the filings.

The Result of the Filing

Unlike the Guidelines for Data Transfer, the Guidelines for personal information transfer specifies that the local provincial CAC will complete the examination within 15 working days after receiving the materials and notify the personal information processor of the filing result of PASS or FAIL. If FAIL, the personal information processor is required to submit additional materials within 10 working days.

Generally speaking, the local CAC’s review is kind of prima facie review. Nevertheless, it does not exclude the possibility that the local CAC may conduct an extensive investigation and review of the substance of the materials. Given the period for submitting supplementary materials is relatively short, the filing party is suggested to be well-prepared for the initial filing.

About the PIA Report

According to the template undertaking in Annex 3 of the Guidelines, the PIA Report should be completed within 3 months prior to the date of filing on the condition that no significant changes have occurred up to the date of filing.

The template PIA Report provided by CAC is basically the same as the template report provided in the Guidelines for Data Transfer, which seems to indicate that CAC does not lower the standard of the PIA simple because the entities are taking the easier mechanism, i.e the Standard Contract route, for cross-border transfer. According to the CAC’s Q&As on the Guidelines for Data Transfer, such template reports should be strictly applied.  Therefore, the filing party is recommended to fully sort out all the relevant information based on this template. If it is difficult to clarify certain issues (such as legality, legitimacy and necessity) or technical aspects of data security (such as technical capacity of personal information security, etc.), you may consult with lawyers or other data security professionals.

Template Standard Contract

Unlike the SCCs under GDPR, the template Standard Contract provided in the Measures does not allow any adjustment to the main body of the contract, and additional content that does not conflict with the main body can be provided as an appendix to the Standard Contract.

III. Grace Period

Thanks to our intern Ms Shuyu Wang for her contribution to the translation of the Guidelines.