BACKGROUND OF THE GUIDELINES

On 1 September 2022, the Cyberspace Administration of China ("CAC") issued the Guidelines for Outbound Data Transfer Security Assessment Applications ("Guidelines"). The Guidelines were specially formulated to help data processors complete security assessments for outbound data transfers in a standardised and orderly manner. The Guidelines supplement the Measures for the Security Assessment of Outbound Data Transfers ("Measures"), promulgated on 7 July 2022, which created a legal framework for the regulation of outbound data transfers from China that involve:

(1) outbound transfer of important data by a data processor;

(2) outbound transfer of personal information by a critical information infrastructure operator or a personal information processor who has processed the personal information of more than 1,000,000 people;

(3) outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year; or

(4) other circumstances where an application for the security assessment of an outbound data transfer is required...

The Guidelines consist of 4 sections and 4 annexes. The annexes include a list of materials required for applications, a standardised power of attorney, a standard application form, and a template for completing self-assessments.

The 4 annexes are indispensable for entities that want to transfer data out of China. As such, we thought that it might be helpful to our clients and overseas professional colleagues if we prepared a translation for them to enjoy!

数据出境安全评估申报指南(第一版)

GUIDELINES FOR OUTBOUND DATA TRANSFER SECURITY ASSESSMENT APPLICATIONS - (1ST EDITION)

《数据出境安全评估办法》自2022年9月1日起施行。为指导和帮助数据处理者规范、有序申报数据出境安全评估,特制定本指南。

The Measures for the Security Assessment of Outbound Data Transfers will be implemented from 1 September 2022. These guidelines are specially formulated to guide and help data processors complete their security assessments for outbound data transfers in a standardised and orderly manner.

一、 适用范围

SCOPE OF APPLICATION

数据处理者向境外提供数据,有下列情形之一的,应当通过所在地省级网信办向国家网信办申报数据出境安全评估:

In any of the following circumstances, a data processor that transfers data overseas shall apply to the Cyberspace Administration of China for an outbound data transfer security assessment through the provincial-level Cyberspace Administration where it is located:

(一) 数据处理者向境外提供重要数据;
The data processor transfers important data overseas;

(二) 关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息;
A critical information infrastructure operator or a data processor handling the personal information of over 1 million individuals transfers personal information overseas;

(三) 自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息;
A data processor that has cumulatively transferred the personal information of 100,000 individuals or the sensitive personal information of 10,000 individuals overseas since 1 January of the previous year transfers personal information overseas;

(四) 国家网信办规定的其他需要申报数据出境安全评估的情形。
Other circumstances stipulated by the Cyberspace Administration of China that require an outbound data security assessment application.

以下情形属于数据出境行为:

The following circumstances are deemed outbound data transfers:

(一) 数据处理者将在境内运营中收集和产生的数据传输、存储至境外;
A data processor transmits and stores data that was collected and generated during domestic business operations in an overseas location;

(二) 数据处理者收集和产生的数据存储在境内,境外的机构、组织或者个人可以查询、调取、下载、导出;
Data collected and generated by a data processor is stored in China, and overseas institutions, organisations or individuals can access, retrieve, download, or export that data;

(三) 国家网信办规定的其他数据出境行为。
Other outbound data transfer activities stipulated by the Cyberspace Administration of China.

二、 申报方式及流程

APPLICATION METHODS AND PROCEDURES

数据处理者申报数据出境安全评估,应当通过所在地省级网信办申报数据出境安全评估。申报方式为送达书面申报材料并附带材料电子版。

Data processors applying for an outbound data transfer security assessment shall apply through their local provincial-level Cyberspace Administration. Application materials shall be submitted in hard copy, accompanied by an electronic version.

省级网信办收到申报材料后,在5个工作日内完成申报材料的完备性查验。通过完备性查验的,省级网信办将申报材料上报国家网信办;未通过完备性查验的,数据处理者将收到申报退回通知。

After receiving the application materials, the provincial-level Cyberspace Administration checks their completeness within 5 working days. If the materials pass the completeness check, the provincial-level Cyberspace Administration will forward them to the Cyberspace Administration of China. If the materials do not pass the completeness check, the data processor will be notified that its application has been returned.

国家网信办自收到省级网信办上报申报材料之日起7个工作日内,确定是否受理并书面通知数据处理者。

Within 7 working days of receiving the application materials submitted by the provincial-level Cyberspace Administration, the Cyberspace Administration of China decides whether to accept the application and notifies the data processor of its decision in writing.

数据处理者如被告知补充或者更正申报材料,应当及时按照要求补充或者更正材料。无正当理由不补充或者更正申报材料的,安全评估将会终止。情况复杂的,数据处理者将被告知评估预计延长的时间。

If the data processor is notified to supplement or correct the application materials, it must do so as required in a timely manner. If the application materials are not supplemented or corrected and no good reason is given, the security assessment will be terminated. In complicated situations, the data processor will be notified of the expected extension of the assessment period.

评估完成后,数据处理者将收到评估结果通知书。对评估结果无异议的,数据处理者须按照数据出境安全管理相关法律法规和评估结果通知书的有关要求,规范相关数据出境活动;对评估结果有异议的,数据处理者可以在收到评估结果通知书15个工作日内向国家网信办申请复评,复评结果为最终结论。

Upon completion of the security assessment, the data processor will receive an assessment results notice. If it has no objection to the assessment results, the data processor must conduct its outbound data transfer activities in accordance with the laws and regulations on the security management of outbound data transfers and the relevant requirements of the assessment results notice. If it objects to the assessment results, the data processor may apply to the Cyberspace Administration of China for a re-evaluation within 15 working days of receiving the assessment results notice, and the re-evaluation results will be final.

三、 申报材料

APPLICATION MATERIALS

数据处理者申报数据出境安全评估,应当提交如下材料(数据出境安全评估申报材料要求见附件1):

Data processors applying for an outbound data transfer security assessment shall submit the following materials (see Annex 1 for the requirements for outbound data transfer security assessment application materials):

  1. 统一社会信用代码证件影印件
    Photocopy of its unified social credit code certificate;
  2. 法定代表人身份证件影印件
    Photocopy of the legal representative's ID;
  3. 经办人身份证件影印件
    Photocopy of the agent's ID;
  4. 经办人授权委托书(模板见附件2)
    Power of Attorney for the Agent (see Annex 2 for the template);
  5. 数据出境安全评估申报书(模板见附件3)
    Outbound Data Transfer Security Assessment Application Form (see Annex 3 for the template);
  6. 与境外接收方拟订立的数据出境相关合同或者其他具有法律效力的文件影印件
    Photocopy of a contract or other legally effective document related to the data transfer concluded with the overseas recipient;
  7. 数据出境风险自评估报告(模板见附件4)
    Outbound Data Transfer Self-Risk-Assessment Report (see Annex 4 for the template); and
  8. 其他相关证明材料
    Other relevant certification materials.

数据处理者对所提交材料的真实性负责,提交虚假材料的,按照评估不通过处理,并依法追究相应法律责任。

The data processor is responsible for ensuring the application materials' authenticity. If the data processor submits false materials, it will fail the security assessment, and the data processor will be investigated and face legal liability under the law.

四、 申报咨询

APPLICATION CONSULTATION

电子邮箱:sjcj@cac.gov.cn
联系电话:010-55627135
Email: sjcj@cac.gov.cn
Tel: 010-55627135

附件:

ANNEXES:

  1. 数据出境安全评估申报材料要求
    Outbound Data Transfer Security Assessment Application Material Requirements
  2. 经办人授权委托书(模板)
    Power of Attorney for the Agent (Template)
  3. 数据出境安全评估申报书(模板)
    Outbound Data Transfer Security Assessment Application Form (Template)
  4. 数据出境风险自评估报告(模板)
    Outbound Data Transfer Self-Risk-Assessment Report (Template)
