On 22 March 2024, the Cyberspace Administration of China (CAC) adopted the Guidelines for the Submission of Standard Contracts for the Transmission of Personal Data. The guidelines provide a structured process for organisations to standardise and file contracts for transferring personal data abroad. Furthermore, it mandates registration for processors meeting specific criteria, prohibits circumvention of security assessments, and outlines a detailed filing procedure. This includes material submission, inspection, feedback, and the necessity for supplements or re-filing in case of changes. In particular, processors must register with local regulatory authorities if they are not critical information infrastructure operators (CIIOs) and if, since 1 January of the given year, they have provided overseas personal information to more than 10’000 but less than one million individuals (excluding sensitive personal information), or if, since 1 January 2024, they have provided less than 10’000 individuals' personal information overseas. Failure to comply with the measures may result in authorities cancelling the registration and imposing potential legal consequences.
Original source