Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRM
Email: zhu.yingying@mdlaw.cn
Date: November 18, 2025
Introduction
One of our clients wrote to me recently and asked: “Hi Yingying, we need to transfer our customers’ data to some of our overseas suppliers for processing and have done all the notification work and obtained the consent, but one of the suppliers was reluctant to sign the agreement that you suggested for us, the one with the China standard contractual clauses, and insisted that they would rather use their own template of agreement. What should we do? Are there any other mechanisms for cross-border personal data transfer available to us? You know we felt like passing a security assessment might not be a suitable choice for us.”
The good news for the client is that the Measures for Certification of Cross-border Personal Data Transfer (hereinafter the “Measures”) were promulgated by the Cyberspace Administration of China (hereinafter the “CAC”) on October 14, 2025, and will come into effect on January 1, 2026[1].
As advised in one of our previous articles on a similar topic[2], obtaining a Personal Information (hereinafter the “PI”) protection certification issued by a professional institution is one of the mechanisms provided under Article 38 of the Personal Information Protection Law of the People’s Republic of China (hereinafter the “PIPL”)[3] for PI Handlers[4] to transfer PI outside of China. The other mechanisms available are passing a security assessment administered by the CAC and concluding an agreement with the overseas recipient of PI based on the China Standard Contractual Clauses (hereinafter the “China SCCs”) for the PI transfers.
The release of the Measures provides a practical and time-efficient mechanism for PI Handlers to transfer PI outside of China. It would be a friendlier choice for those who frequently transfer PI across the border and would rather not sign multiple agreements based on the China SCCs with multiple overseas recipients, or who, like the client that I mentioned at the beginning of this article, are confronted with certain suppliers unwilling to sign an agreement based on the China SCCs for some unknown reasons or concerns.
Highlights
I. Threshold & Criteria
If a PI Handler would like to transfer PI across the border by obtaining a certification, the following conditions must all be satisfied at the same time:
1) The PI Handler is not a critical information infrastructure[5] operator;
2) Since January 1 of the current year, the PI Handler has cumulatively provided more than 100,000 but less than 1 million pieces of PI (excluding sensitive PI[6]) to overseas entities, or less than 10,000 pieces of sensitive PI. The amount should not be intentionally split up to avoid a security assessment;
3) The PI for cross-border transfer does not include important data[7].
It is worth noting that the above conditions are consistent with the criteria for the applicability of transferring PI by an agreement signed based on the China SCCs[8]. Therefore, PI Handlers can choose whichever of these two tools they deem suitable, depending on the specific circumstances.
II. Obligations before certification
PI Handlers should fulfill obligations such as providing notification, obtaining data subjects’ consent, and conducting an impact assessment on PI protection in accordance with the provisions of the relevant laws and administrative regulations.
The key points of the PI protection impact assessment include the following:
1) the legality, legitimacy, and necessity of the purposes, scope, and methods of processing PI by the PI Handler and the overseas recipient;
2) the scale, scope, type, and sensitivity of the PI being transferred, as well as the risks that the transfer of PI may bring to national security, public interests, and rights of the data subject;
3) the obligations undertaken by the overseas recipient, and whether the management and technical measures, as well as the capabilities, to fulfill these obligations can ensure the security of the transferred PI;
4) the risks of PI being tampered with, damaged, leaked, lost, or illegally utilized after it is transferred, and whether the channels for protecting data subject’s rights are readily accessible;
5) the impact of the PI protection policies and regulations of the country or region where the overseas recipient is located on the security of the transferred PI and the protection of data subject’s rights;
6) other matters that may affect the security of the transfer of PI.
III. Validity period
The validity period of the certificate for the PI transfer certification is three years after its issuance date. If the same certificate needs to be used after its expiration, a new certification application must be submitted six months before its expiration date.
The long validity period of the certificate makes the PI transfer certification a time-efficient choice for PI Handlers whose business requires frequent cross-border PI transfers over a long period of time.
IV. Overseas PI Handlers
The Measures specifically stipulate that PI Handlers located outside of China that apply for the certification of PI transfer should have their dedicated institutions or designated representatives in China assist in the application process.
This means an on-the-spot contact is required for all overseas applicants who would like to apply for the certification of PI transfer.
V. Professional Institutions
The Measures set the following requirements for professional institutions that provide the certification services:
1) They should conduct cross-border PI transfer certification activities in accordance with the basic norms of certification and the rules for PI protection certification. If the certification requirements are met, they should promptly issue the certification certificate.
2) Within 5 working days after issuing the certification certificate or when the status of the certification certificate changes, they should submit relevant information of the certification to the national certification and accreditation information public service platform, including the certificate number, the name of the certified PI Handler, the certification scope, and information on the change of the certificate status, etc.
3) If it is found that the certified PI Handler’s PI transfers are inconsistent with the certification scope, or that other circumstances exist in which the certification requirements are no longer met, they should suspend the use of the certificate or have it revoked.
4) If it is found that PI transfer activities violate laws, administrative regulations and relevant national provisions, they should promptly report to the CAC and relevant departments.
5) They should complete the filing procedures with the CAC within 10 working days after obtaining the qualification for PI protection certification from the national market supervision department, and be responsible for the authenticity of the filed materials.
6) They should, in accordance with the law, keep confidential the personal privacy, PI, business secrets and confidential business information that they acquire in the course of performing their duties.
Conclusion
The Measures specify how a certification mechanism can be utilized as an appropriate safeguard for cross-border PI transfer, what criteria it must meet, what the obligations of the involved parties are, and how its implementation is to be supervised.
Around the globe, certification mechanisms are considered helpful tools for bridging the gap between national privacy security requirements and international trading and communication needs. The GDPR framework also includes certification as a data transfer tool and provides the relevant guidelines[9].
With the Measures in place, PI Handlers would have an additional practical and time-efficient choice to safeguard the PI whenever cross-border PI transfer becomes a necessity.
[1]See https://www.cac.gov.cn/2025-10/17/c_1762449728720008.htm.
[2]See http://en.mdlaw.cn/news_view.aspx?TypeId=5&Id=428&Fid=t2:5:2.
[3]On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), became effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing obtain consent from users or have another legitimate basis in order to collect/process the users’ PI.
[4]PI Handlers determine the purpose and the method of processing of PI and operate in a way similar to “data controllers” under other privacy and data protection laws (e.g., the European Union’s General Data Protection Regulation (2016/679) (“GDPR”)).
[5]“Critical information infrastructure” (normally referred to as “CII”) means any of the network facilities and information systems in important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry for national defense.
[6]“Sensitive personal information” (the “SPI”) is defined as “the kind of ‘personal information’ (the “PI”) that the leakage or illegal use of which could easily lead to the violation of personal dignity of data subject or harm to the data subject’s personal or property safety, including, but not limited to, information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, etc., and the PI of minors under the age of fourteen.” Only PI handlers with a specific purpose and sufficient necessity may process SPI, and strict protection measures should be taken to safeguard the SPI.
[7]As defined under the Data Export Security Assessment Measures, effective from September 1, 2022, important data refers to data that, once tampered with, damaged, leaked, illegally obtained, or illegally utilized, may pose risks to national security, economic operation, social stability, public health and safety, etc.
[8]See https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm.
[9]See https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-072022-certification-tool-transfers_en.