Interpretation of the Standard Contract Measures and Filing Guidelines for the Exit of Personal Information
The "Standard Contract Measures for the Exit of Personal Information" (hereinafter referred to as the "Measures") officially came into effect on June 1, 2023. On May 30, 2023, the National Cyberspace Administration issued the "Guidelines for the Filing of Personal Information Exit Standard Contracts (First Edition)" (hereinafter referred to as the "Guidelines"). The Measures and Guidelines provide clear guidance for personal information processors to provide personal information overseas by signing standard contracts.
At present, there are three ways for personal information processors to provide personal information overseas: (1) passing a security assessment organized by the national network information department; (2) obtaining personal information protection certification from a professional organization; (3) signing a contract with the overseas recipient in accordance with the standard contract formulated by the national network information department. The three exit routes have different conditions of application. Providing personal information overseas by signing a standard contract must meet the "subject + quantity" conditions: the personal information processor is not an operator of key information infrastructure; it has handled the personal information of fewer than 1 million people; it has cumulatively provided the personal information of fewer than 100,000 people overseas since January 1 of last year; and it has cumulatively provided the sensitive personal information of fewer than 10,000 people overseas since January 1 of last year. At the same time, it should be noted that measures such as quantity splitting must not be used to provide overseas, by concluding a standard contract, personal information that by law should go through the exit security assessment.
According to the provisions of the "Measures" and "Guidelines", a personal information processor that provides personal information overseas by signing a standard contract should proceed as follows. First, determine whether this exit route is applicable based on the "subject + quantity" conditions. Second, conduct a personal information protection impact assessment, which includes identifying risk sources and assessing the likelihood of security incidents, analyzing the impact on personal rights and interests and determining the degree of that impact, and conducting a comprehensive assessment of personal information protection risks; then draw conclusions on the impact assessment of the outbound activities and form a personal information protection impact assessment report. Third, sign the contract with the overseas recipient in strict accordance with the standard contract formulated by the network information department. Finally, within 10 days from the effective date of the standard contract, submit the standard contract and the personal information protection impact assessment report to the network information department for filing. After the filing is approved, personal information exit activities shall be implemented.