New Standard Contractual Clauses (“SCC” - PR China)
- Author: Ioanna Zacharopoulou, DP-Dock GmbH
- Last updated: May 2023
- Category: General Obligations
On 24 February 2023, the Cyberspace Administration of China (CAC) – released the final form of the Personal Information Export Standard Contract (Standard Contract), along with the Measures on the Standard Contract, which can roughly be described as the Chinese Standard Contractual Clauses (“Chinese SCCs”).
The Chinese SCCs will take effect on 1 June 2023 and concern data transfers to and from mainland China. What we see in these new Chinese SCCs is the fact that the Chinese government strives for a more robust way to safeguard data transfers. More importantly, businesses shall sign the Chinese SCCs for transferring data outside of mainland China, when the following conditions have been met:
- The data exporter is not a critical information infrastructure operator — which is broadly defined to cover business entities in financial, energy, telecom, public utility, health care, transportation, e-government and other sectors that have a concern on national security and public interest of China.
- The data exporter has not processed personal data exceeding 1 million individuals.
- The data exporter has not made aggregated transfers of personal data exceeding 100,000 individuals since January 1 of the preceding year.
- The data exporter has not made aggregated transfers of sensitive personal data exceeding 10,000 individuals since January 1 of the preceding year.
It is crucial to know, that if an international group is transferring personal data from EEA to third countries and from China out of China, Intragroup Agreements shall not suffice: It must sign both the EU SCCs and the Chinese SCCs. The implementation of the Chinese SCCs also involves conducting a transfer impact assessment (PIPIA) and for international entities it may also mean updating the intragroup data transfer agreements. Since companies have an additional six months (until November 30, 2023) to comply with the SCCs’ requirements for the transfer of data outside of mainland China, DP-Dock recommends to its clients to take immediate action to implement those regulatory changes.
