ILN Data Privacy Paper

China

Conduct a personal data impact assessment (PIA) to evaluate risks associated with the transfer, and implement appropriate safeguards—such as data transfer agreements or equivalent contracts—based on the assessment results to protect the data subjects;

Keep accurate records of the sharing, disclosure, or transfer, including the date, scope, purpose, and basic information of the recipient;

Transfer personal data only when necessary for processing purposes, and avoid sharing or transferring personal biometric data or other particularly sensitive information if prohibited by relevant laws or regulations; and

Establish contractual terms that require entrusted data processors to comply with data protection obligations or assist the Personal Data Processor in fulfilling these obligations.

5.6. Cross-border transfer of data

5.6.1. Legitimate mechanisms

Before transferring personal data overseas, Personal Data Processors must implement one of the three lawful mechanisms provided by the PIPL—unless an exemption applies.

(1) CAC Security Assessment

A Personal Data Processor must undergo a security assessment conducted by the CAC if it transfers important data overseas, is classified as a Critical Information Infrastructure Operator (CIIO), or has processed personal data above certain thresholds (where an entity exports personal information of more than one million people, or sensitive personal information of more than ten thousand people since January 1 of a given year). Before submission, the Processor must complete a self-assessment to evaluate risks posed by data transfer to national security, public interest, and individual rights. The report is submitted to both provincial and national CAC offices. If approved, the CAC will issue a decision valid for three years, renewable for another three if no major changes occur in the transfer.

(2) Standard Contractual Clauses (SCCs)

If the Personal Data Processor does not meet the CAC’s security assessment thresholds, it may adopt the Standard Contractual Clauses (SCCs) mechanism. This applies to cross-border transfers involving personal data within certain thresholds (where an entity exports personal information of over 100,000 people, or any sensitive personal information, since January 1 of a given year). Under this approach, the Processor must sign an SCC with the overseas recipient and, within 10 working days

www.llinkslaw.com
