How should we, as a company doing business with foreign countries, enter into and conduct registration for a standard contract for personal information?

Answer: Currently, signing and filing a personal information standard contract should be the personal information outbound compliance channel that the vast majority of companies, both domestic and foreign-funded, must follow.

 

The signing and filing process of personal information standard contracts is governed by the “Measures for Personal Information Outbound Standard Contract.” Generally, we recommend that companies allocate at least three to four months for preparation to adequately arrange and complete the following tasks:  

 

  1. Preliminary Assessment: Before providing personal information to overseas entities, the data processor should conduct a personal information protection impact assessment. The assessment report is a necessary document for filing with the cyberspace administration.

 

  2. Autonomous Contracting: Data processors can autonomously enter into personal information outbound contracts based on the standard contract templates provided by the Cyberspace Administration.

 

  3. Post-filing: Data processors should file with the provincial-level cyberspace administration within 10 working days from the effective date of the standard contract. The filing should include the signed standard contract and the personal information protection impact assessment report.

 

Re-assessment, Contracting, and Filing: In cases where re-assessment is required during the validity period of the standard contract, the data processor should conduct a new personal information protection impact assessment, supplement or renegotiate the standard contract, and complete the necessary filing procedures.

 

The “Personal Information Outbound Standard Contract” is a contract signed between the data processor (such as a foreign-funded enterprise in China) and the overseas recipient of personal information (such as the parent company), regulating the outbound transfer of personal information from China. This contract stipulates that personal information should only be transferred with the consent of the data subject, and the overseas recipient should fulfil corresponding obligations (such as not exceeding the agreed-upon scope of use of the personal information and cooperating with inquiries and investigations by the Chinese network information security management department). Both parties should provide a copy of the contract to the data subject, outlining their rights (including the right to complain or file a lawsuit), and the parties can agree to resolve disputes related to the contract through Chinese courts or international arbitration institutions. Additional clauses can be added to the contract, provided they do not conflict with the standard contract. The data processor should register the contract with the provincial-level cyberspace administration within ten days after signing.  

 

It’s important to note that according to Article 13 of the “Measures for Personal Information Outbound Standard Contract,” the compliance transition period for signing standard contracts for the outbound transfer of personal information should be completed before December 31, 2023. This means that if, after January 1, 2024, you share an employee’s performance data with your overseas headquarters without having signed a personal information standard contract, it would be considered a violation of the regulations on the outbound transfer of personal information.