































• 如果需要向境外提供100万人以上个人信息的,应当申报数据出境安全评估

• 如果预计一年内向境外提供不满1万人个人信息,无需申报数据出境安全评估即可出境

• 如果预计一年内向境外提供1万人以上、不满100万人个人信息,可以不申报数据出境安全评估,但需要与境外接收方订立个人信息出境标准合同并向省级网信部门备案或者通过个人信息保护认证

• 如果是为订立、履行个人作为一方当事人的合同所必需,如跨境购物、跨境汇款、机票酒店预订、签证办理等,必须向境外提供个人信息的,无需申报数据出境安全评估即可出境

• 如果是按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理,必须向境外提供内部员工个人信息的,无需申报数据出境安全评估即可出境

• 如果是紧急情况下为保护自然人的生命健康和财产安全等,必须向境外提供个人信息的,无需申报数据出境安全评估即可出境



• 如果预计一年内向境外提供不满1万人个人信息,无需订立个人信息出境标准合同或通过个人信息保护认证即可出境

• 如果是为订立、履行个人作为一方当事人的合同所必需,如跨境购物、跨境汇款、机票酒店预订、签证办理等,必须向境外提供个人信息的,无需订立个人信息出境标准合同或通过个人信息保护认证即可出境

• 如果是按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理,必须向境外提供内部员工个人信息的,无需订立个人信息出境标准合同或通过个人信息保护认证即可出境

• 如果是紧急情况下为保护自然人的生命健康和财产安全等,必须向境外提供个人信息的,无需订立个人信息出境标准合同或通过个人信息保护认证即可出境









• 确认自身是否属于自贸试验区以及自身跨境提供的数据是否在该自贸试验区制定的负面清单范围之外

• 持续关注自身所在相关行业部门、地区制定和发布的有关重要数据的目录、清单和文件

• 核查需要进行跨境提供的数据的数量并与《规定》中最新的数量要求进行对比

• 核查需要进行跨境提供的数据的内容,属于涉密敏感类数据的仍按照原本的法律要求执行,涉及到订立和履行个人作为一方当事人的合同、依据劳动规章或集体合同实施人力资源管理以及紧急情况下为保护自然人的生命健康和财产安全等情形的,可能适用《规定》中的简化要求。



Information of seeking public advice — ‘The Regulation for Standardizing and Promoting Cross-border Data Flow (Draft for Comments)’

Publisher: National Internet Information Office

Publish Date: September 28, 2023


To ensure national data security, protect personal information rights, and further regulate and promote data to flow freely in accordance with law and order, the office made following provisions, according to relevant laws and implementation of regulations on data export, such as “Assessment Methods of Data Export Security” and “Standard Contract Methods of Personal Information Export”:

1. Data generated from international trade, academic cooperation, cross-border production, and marketing activities that do not involve personal information or important data, are not required to report for assessment of data export security, establishment of standard contracts for personal information export and verification of personal information protection.

2. Data handlers are not required to report for assessment of data export security if they are not informed or publicly disclosed by relevant departments or regions as handling important data.
3. Providing foreign entities with personal information that was not collected within the borders is not required to report for assessment of data export security, establishment of standard contracts for personal information export and verification of personal information protection.
4. The following circumstances are not required to report for assessment of data export security, establishment of standard contracts for personal information export and verification of personal information protection:
(a) Providing foreign entities with personal information is required, for the necessity of conclusion or performance of a contract which the individual is one of the parties, such as cross-border shopping, remittances, plane tickets and hotel reservations, visa applications;
(b) Providing foreign entities with internal employee personal information is required, for the implementation of human resources management in accordance with legally formulated labor regulations and collective contracts;
(c) Providing foreign entities with personal information is required, for the protection of natural person’s life, health, and property security in emergency.
5. If it is predicted that foreign entities will be provided with less than 10,000 individuals’ personal information in a year, it is not required to report for assessment of data export security, establishment of standard contracts for personal information export and verification of personal information protection. However, if foreign entities are provided with personal information according to consent, it is required to receive the consent of the individual whose personal information is provided.
6. If it is predicted that foreign entities will be provided with more than 10,000 but less than one million individuals’ personal information in a year, but standard contracts for personal information export will be established with foreign recipients and provincial-level cyberspace administration will be filed, or personal information protection will be verified, it is not required to report for assessment of data export security. However, if foreign entities are provided with personal information according to consent, it is required to receive the consent of the individual whose personal information is provided.
7. Pilot free trade zones may independently formulate the data list (below referred to as the “negative list”) that is required to be included in the management of assessment of data export security, establishment of standard contracts for personal information export and verification of personal information protection. The negative list is required to be approved by the provincial-level cyberspace administration and filed to the national cyberspace administration.
Data export beyond the negative list is not required to report for assessment of data export security, establishment of standard contracts for personal information export and verification of personal information protection.
8. Providing foreign entities with personal information and important data, state organs and operators of key information infrastructure shall comply with relevant laws, administrative rules, and departmental regulations.

Providing foreign entities with sensitive information involving the Party, the government and the armed forces, sensitive information involving secret-related institutions and sensitive personal information, state organs and operators of key information infrastructure shall comply with relevant laws, administrative rules, and departmental regulations.

9. Providing foreign entities with important data and personal information, data handlers shall comply with laws and administrative rules, fulfill the obligations of data security protection and guarantee data export security. In occurrence of data export security incident or increased risk of data export security, data handlers shall take remedy measures and report to the cyberspace administration in time.
10. Local cyberspace administrations shall strengthen the guidance and supervision over data handlers’ data export activities, enhance regulation before, during, and after the data export activities and require data handlers to rectify and eliminate hidden risks in cases where significant risks are found in data export activities. If a data handler refuses to correct mistakes or the activities cause serious consequences, the data handler shall be required to stop data export activities in accordance with the law to ensure data security.
11. In case of any inconsistency between this regulation and relevant regulations, such as the “Methods for Data Export Security Assessment” and the “Methods for Standard Contracts of Personal Information Export,” this regulation shall prevail.

NOTE: Unofficial translation for reference only

QR Code 手机访问 微信分享