Key Takeaways
- This checklist helps collect facts before reviewing China cross-border data transfer pathways.
- It does not select a route, confirm compliance, or determine whether a filing or assessment is required.
- The output should be compared against official Chinese source text and current regulator materials.
This checklist helps organize facts before reviewing a China cross-border data transfer scenario. It is designed for research preparation, not for route selection. A reviewer can use the collected information to compare the scenario against PIPL Article 38, the Security Assessment Measures, the Standard Contract Measures, filing guidance, the 2024 Data Flow Provisions, and other official source text.
China cross-border data transfer analysis depends heavily on facts. The same transfer label can involve different legal questions depending on data category, processing scale, recipient, purpose, access arrangement, and whether important data or CIIO issues may be involved.
This page does not decide whether a security assessment, standard contract filing, certification, or another official condition applies. It helps collect the inputs needed for source-based review.
Official Source Basis
| Official document | Chinese title | Authority | Date | Official source |
|---|---|---|---|---|
| Personal Information Protection Law | 中华人民共和国个人信息保护法 | Standing Committee of the National People’s Congress | Effective 2021-11-01 | https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm |
| Security Assessment Measures | 数据出境安全评估办法 | CAC, Order No. 11 | Effective 2022-09-01 | https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm |
| Standard Contract Measures | 个人信息出境标准合同办法 | CAC, Order No. 13 | Effective 2023-06-01 | https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm |
| Standard Contract Filing Guidelines, First Edition | 个人信息出境标准合同备案指南(第一版) | CAC | Published 2023-05-30 | https://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm |
| 2024 Data Flow Provisions | 促进和规范数据跨境流动规定 | CAC, Order No. 16 | Effective 2024-03-22 | https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm |
Source status: this checklist uses official source anchors. It does not reproduce official forms or determine whether any submission is complete.
1. Transfer Basics
Collect the basic transfer record:
- what data leaves China or is accessed from outside China;
- who sends or makes the data available;
- who receives or accesses the data overseas;
- why the transfer is needed;
- whether the transfer is continuous, repeated, or one-off;
- where the data is stored and how overseas access is technically arranged.
Do not treat these facts as a conclusion. They are the starting point for official-source review.
2. Data Category
Identify whether the dataset includes:
- personal information;
- sensitive personal information;
- important data;
- network data;
- mixed datasets with multiple categories;
- uncertain data categories that require review.
If the classification is uncertain, mark it for review rather than forcing it into a category.
3. Parties and Roles
Collect role information:
- personal information processor or other data handler;
- overseas recipient;
- entrusted processor if relevant;
- joint processing arrangement if relevant;
- CIIO issue if it may be relevant;
- affiliate, vendor, platform, or service-provider relationship.
The role analysis should be checked against the official text and the actual processing arrangement.
4. Volume, Scale, and Threshold-related Facts
Do not invent thresholds or rely on memory. Collect facts that may be relevant under current official rules:
- approximate number of individuals involved where personal information is transferred;
- whether sensitive personal information is involved;
- frequency and continuity of transfer;
- historical and expected transfer volume;
- whether large-scale processing may be relevant;
- whether prior transfer records exist.
These facts help later route review. They do not determine the route by themselves.
5. Individual Rights and Notification / Consent Inputs
Where personal information is provided outside China, collect:
- privacy notification materials;
- overseas recipient name or identity information where relevant;
- transfer purpose, processing method, and personal information category;
- rights request handling channel;
- separate consent records where the official text requires separate consent;
- withdrawal, correction, deletion, or explanation handling procedures.
This checklist does not provide consent wording. It identifies materials that may need review under PIPL Articles 38 and 39.
6. Route Analysis Inputs
Prepare information for each possible route:
| Route topic | Information to collect | Related source area | Review caution |
|---|---|---|---|
| Security assessment | Transfer facts, data category, risk materials, overseas recipient details, and prior assessment history. | Security Assessment Measures; 2024 Data Flow Provisions. | This checklist does not decide whether assessment is required. |
| China standard contract | Contract draft, filing materials, impact assessment records, recipient obligations, and change history. | Standard Contract Measures; Filing Guidelines. | This checklist does not validate filing completeness. |
| Certification | Certification history, certified entity scope, and source materials if available. | PIPL Article 38; certification details require separate review. | Detailed certification scope remains requires review. |
| Other official condition | Any later law, administrative regulation, or CAC rule that may apply. | PIPL Article 38 and related official sources. | Do not rely on unofficial route labels. |
7. Documents to Collect
For a source-based review, collect:
- data map and transfer flow description;
- transfer purpose description;
- overseas recipient description;
- personal information protection impact assessment records if relevant;
- standard contract draft or executed copy if relevant;
- prior filing, assessment, certification, or regulator communication history;
- security measures and access controls;
- retention, access, deletion, and onward-transfer arrangements;
- incident response and individual rights request handling procedures.
8. Source Documents to Read
Start with these official-source pages:
- PIPL Article 38 bilingual reference
- PIPL Article 39 bilingual reference
- PIPL Article 40 bilingual reference
- Security Assessment Measures: https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
- Standard Contract Measures: https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm
- Standard Contract Filing Guidelines: https://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm
- 2024 Data Flow Provisions: https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
- Network Data Security Regulation where relevant: https://www.cac.gov.cn/2024-09/30/c_1729384452307680.htm
Output of This Checklist
The output should be a factual transfer record and source-reading plan. After collecting the information, a reviewer can compare the facts against official source text. This checklist does not decide whether a company should use security assessment, standard contract, certification, or another condition.
Related Pages
- China Cross-border Data Transfer Route Comparison
- Security Assessment vs SCC vs Certification
- PIPL Article 38 Explained
- Standard Contract Measures Overview
- 2024 Data Flow Provisions Overview
- What Is Cross-border Data Transfer?
Source and Review Note
This checklist is an independent editorial reference based on official Chinese source links. It is for general informational purposes only, does not constitute legal advice, and does not determine any company’s route or filing obligations. The official Chinese text prevails.