Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



China simplify international data exchange

PrintMailRate-it

​​​​​​​​​​​​​published on 8 April 2024 | reading time approx. 3 minutes


On March 22, 2024, the Cyberspace Administration of China (CAC) published new regulations on cross-border data flow, which took effect immediately. These regulations further relax the requirements for cross-border data transfers.

The regulations provide six cases where a data processor is exempt from the obligation to conduct a security assessment for cross-border personal data transfer, conclude a standard contract for outbound transfer of personal information, or perform a personal information protection certification. However, a Personal Information Protection Impact Assessment Report (PIPIA) is still required before cross-border transfer of personal information.

In two specific cases, a data processor must undergo a security assessment by the CAC. The security assessment result is valid for three years and can be extended if the data processing circumstances for cross-border data transfer remain unchanged.

Pilot free trade zones may develop their own negative lists for data transfer, setting out the data which are subject to cross-border security assessment, conclusion of standard contract for outbound transfer of personal information, or personal information protection certification.

The regulations also repeat that a data processor shall identify and report “important data” according to the relevant regulations. But if there are no regulations which define certain data as important data, a data processor need not conduct a security assessment for cross-border data transfer.

The regulations will push the relevant departments or regions to accelerate the process for identification and defining of important data.

The updated security assessment guide and standard contract guide stipulate an official online channel for security assessment and standard contract filing.

Overseas entities processing personal information of Chinese domestic natural persons are also regarded as conducting cross-border transfer of personal information. In this case, overseas entities must establish a special agency or designate a representative in China to fulfil the personal information protection compliance requirements under Chinese laws and regulations.

With the implementation of the eased compliance requirements under the regulations, many foreign invested enterprises are released from filing and review formalities with CAC. However, they must continue to observe other relevant obligations when providing personal information or other data to abroad.

To enjoy the eased requirements, foreign invested enterprises should avoid transferring sensitive personal data overseas. The CAC may strengthen the supervision before, during or after the cross-border transfer of data. In case of refusal to correct or in case of severe consequences, the authorities may pursue corresponding legal liabilities for the enterprise concerned or the responsible person(s) based on Chinese laws and regulations.

Companies operating in China should now commence a more detailed data protection related “health check” to identify at an early convenience whether and if yes, which actions are recommendable in their individual case.

 DATA PROTECTION BITES

author

Contact Person Picture

Sebastian Wiendeck

Partner

+86 21 6163 5329

Invia richiesta

 RÖDL & PARTNER CHINA

​​Discover more about our offices in China. Read more »
Deutschland Weltweit Search Menu