Ways

Authority

Implementation rules

Passing the security assessment in accordance with Article 40 of the PIPL.

Cyberspace Administration of China ('CAC') or its local counterparts.

Mandatory for significant data controllers/processors, in draft form.

Obtaining certification.

Certification institutions approved by the CAC.

Voluntary.

Concluding a contract stipulating both parties' rights and obligations with the overseas recipient in accordance with the standard contract formulated by the CAC.

Data controllers/processors, under the supervision of the CAC.

Pending, likely voluntary.

Passing the security assessment required by industry regulators.

Industry regulators.

Mandatory for the relevant industries, such as intelligent connected vehicles, healthcare, and finance.

International treaties, if any.

Relevant authorities.

None.

Scenario

Applicant

Party responsible for legal consequences

Single Entity Scenario

Data controller/processor located within China.

Domestic or foreign data controllers/processors involved.

PIPL Article 3 Scenario

Established or designated representative located within China.

Representative, and domestic or foreign data controllers/processors involved.

Basic principles

• lawfulness, legitimacy, necessity, and integrity;
• publicity and transparency;
• accuracy and integrity of the personal information processed;
• same level of protection;
• accountability; and
• voluntary certification.

Basic requirements

• executing binding and enforceable instruments to ensure data subject rights, including the types and scope of personal information, warranties on compliance, warranties of being subject to the supervision of certifying institutions and designated organisations, and taking legal responsibility;
• designating a responsible person (e.g. a data protection officer) and establishing an organisation in charge of personal information protection;
• complying with uniform rules on how to process personal information across borders, including but not limited to retention periods, data security measures, and emergency plan; and
• conducting prior Data Protection Impact Assessments.

Data subject rights

• how data subjects' rights can be guaranteed, including:
  • the data subject being the beneficiary party of a relevant legal instrument and entitled to request a copy of the relevant sections regarding its rights;
  • the right to know, decide, restrict, and/or refuse its personal information to be processed by a certain data processor;
  • the right to review, copy, correct, supplement, and delete its personal information;
  • the right to request explanations on relevant processing rules;
  • the right to refuse automatic decision as the only available decision-making mechanism;
  • the right to complain and report to competent PRC authorities; and
  • the right to sue at the venue of its residence.

• how a participating data controller/processor's responsibility can be fulfilled, including:
  • notifying the data subject of the identity of the data processors and obtaining the data subject's separate consent;
  • complying with the executed legal instruments;
  • providing ways for data subject to exercise its rights to check, copy, correct, supplement, or delete its personal information;
  • terminating processing activities in events of uncertainties to ensure the security of personal information;
  • taking measures in events of potential or actual personal information security incidents and notifying competent authorities as well as data subjects;
  • providing, at the data subject's request, a copy of the relevant sections of the legal instrument;
  • cooperating and complying with inspections and other enforcements by the certifying institution; and
  • complying with relevant laws and regulations and being subject to the jurisdiction of PRC courts.