AstraIA Gear

Ad Astra Per Aspera 

China: Standard Contractual Clauses 

Trang Anh

China Standard Contractual Clauses

On Friday February 24, 2023, the Cyberspace Administration of China (the CAC) and the Office of the Central Cyberspace Affairs Commission published their official Standard Contractual Clauses for Personal Information cross-border transfers from Mainland China.  

Image by evening_tao on Freepik

Public consultation in 2022 

Last year, on June 30, the CAC issued a consultation paper on these clauses. The companies (data controllers) and the overseas recipients may use them to govern the rights and liabilities of the companies, the overseas recipients and individuals when the companies transfer the personal data of the individuals to the overseas recipients. 

Conditions to uses the Chinese SCCs*

Only companies fulfilling all of the following conditions may lean on these Chinese SCCs to transfer personal data from the Mainland China (article 4): 

  1. They are not a critical information infrastructure operator; 
  2. They process personal data of less than one million individuals; 
  3. They have cumulatively provided abroad the personal information of less than 100,000 individual since January 1 of the preceding year; and 
  4. They have cumulatively provided overseas sensitive personal information of less than 10,000 individuals since January 1 of the previous year. 

The sensitive personal data refers to the personal information of which the leak or illegal use can easily lead to the infringement of personal dignity of natural persons or the harm on personal and property safety. The sensitive personal information may be inclusive of biometrics, religious beliefs, specific identities, medical health, financial accounts, behaviour tracking, and other information, as well as the personal information of minors under the age of fourteen (14).

Rights of the data subjects*

The SCCs grant the data subjects, considered as a third-party beneficiary of the SCCs, may enjoy the following rights: 

  1. They have the right to know, decide, restrict or refuse others to process their personal information; 
  2. They retain the right to request for accessing, correcting, supplementing, deleting their personal information; 
  3. They can also request an explanation of personal data processing. 

In case the overseas recipient refuses the data subjects’ request, the recipient must inform the personal data subject of the reasons, recours to lodge their complaint to the competent authority, seek judicial relief or bring the lawsuit before the People’s court. 

Disclaimer

*We analyse the SCCs based on the translation of the models by Google. We highly recommend you seek professional advice to integrate these SCCs into your contract. We are not liable for any kind of use of the information in this post. 

Source: http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm 

For more personal data protection news on AstraIA Gear: https://www.astraiagear.com/2023/02/23/update-on-data-protection-in-the-eu-this-week/    

For more short news, connect with us on LinkedIn

LinkedIn Page

To have further discussion with me

Follow me on LinkedIn

Posted

in

,

by

Trang Anh

Tags:

, ,