Legal Netlink Alliance Resources
Gain insights into new or unfamiliar markets.
.png)
Legal Netlink Alliance Resources
Gain insights into new or unfamiliar markets.
AnJie Broad Law Firm's Quick Guide to Chinese SCCs
1. When can the Chinese SCCs be used?
A company can only choose to sign the Chinese SCCs, if:
• It is not a critical information infrastructure operator (“CIIO”);
• It processes the personal information of less than one million individuals;
• It has provided personal information of less than 100,000 individuals in aggregate to overseas recipients since 1 January of the previous year; and
• It has provided sensitive personal information of less than 10,000 individuals in aggregate to any overseas recipients since 1 January of the previous year.
If any of the above conditions are not met, a company must apply to the Cyberspace Administration of China (“CAC”) for data export security assessment, and it cannot choose to sign the Chinese SCCs.
For those who can sign Chinese SCCs to legitimize their outbound data transfers, the following steps are necessary:
Outbound Data Personal Information Finalizing the SCCs between the personal Filing the signed SCCs and the
Transfer Mapping Protection Impact Assessment (“PIPIA”) information processor and the overseas recipient PIPIA report with the government
Step 1: Outbound Data Transfer Mapping.
This is a necessary step to understand the purpose, scope, type, quantity, sensitivity, scale and method of personal information processing by the personal information processor and the overseas recipient.
Step 2: Personal Information Protection Impact Assessment (“PIPIA”).
A PIPIA is required before the personal information processor transfers personal information to any overseas recipient. A PIPIA report also needs to be filed with the government.
Step 3: Finalizing the SCCs between the personal information processor and the overseas recipient.
The parties cannot change the terms of the Chinese SCCs. However, the parties will need to fill in certain information concerning intended outbound data transfers, such as: the purpose and method of processing, the scale of personal information involved, types of personal information and sensitive personal information, overseas storage period and storage location.
Step 4: Filing the signed SCCs and the PIPIA report with the government.
The signed SCCs and a completed PIPIA report need to be filed with the provincial Cyberspace Administration of China within ten (10) working days after the signed SCCs take effect.
2. When do companies need to complete the above steps?
The regulations governing the use of Chinese SCCs will come into force on 1 June 2023. It provides a
6-month grace period for past and current outbound data transfers. This means that companies will need to complete the above steps by 30 November 2023.
