top of page

Foreign companies must follow guidelines for Cross-Border Data Transfer Application

International companies operating in China should pay close attention to the new edition of guidelines issued by the Cyberspace Administration of China (CAC) regarding the transfer of personal information and important data outside of China. These guidelines as well as the Measures for Security Assessment of Cross-border Data Transfer (Measures) came into effect on September 1.

Consistent with the measures, the guidelines confirm that the CAC-led security assessment applies to cross-border data transfers from China under the following circumstances:

Transfer of important data (any data that, once tampered with, sabotaged, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety).

Transfer of personal information by a critical information infrastructure (CII) operator.

Transfer of personal information by a data exporter processing 1 million or more individuals.

Accumulative transfers of personal information exceeding 100,000 individuals since Jan. 1 of the preceding year.

Accumulative transfers of sensitive personal information exceeding 10,000 individuals since Jan. 1 of the preceding year.

Other situations where relevant Chinese laws and regulations require security assessments.

Accounting and Tax Services

The guidelines explain the procedures and processes for companies to apply for permission to export data out of China and include complete lists of required documents, templates for documents such as security assessment declarations, and application forms.

Companies must provide a copy of cross-border data transfer agreements to be signed with the data recipient(s) outside of China, a self-assessment report on cross-border data transfer risks, as well as some basic documentation on the China-based data exporter (e.g., its business license).

In addition to a general description of data transfer flows (such as an overview of transfer scenarios, transfer purposes, data to be transferred and information on data importers outside of China), certain technical details about cross-border data transmission must be included in the application form.

Specifically, the data exporter needs to specify the data transmission service provider, the number of data transmission lines and bandwidth, and the location of data centers inside and outside of China, as well as IP addresses of such infrastructure.

Since the Cybersecurity Law was approved in 2017, there have been debates on what constitutes cross-border data transfers. Several previous draft regulations issued by the CAC tried to provide some clarification, but those regulations were never finalized. Now the guidelines offer further clarification on how to declare a security assessment to transfer a certain volume of PI or “important” data overseas.

Companies are required to apply for the data security assessment to the central CAC through the provincial CAC branch in the jurisdiction in which they are located. The application must be submitted by sending the hard copy of the application materials and attaching the electronic version in the form of a CD-ROM.

Within five days, the provincial CAC department will check the materials and submit them to the national-level CAC. If they are not complete, the applicant will receive a notice. Subsequently, the central CAC will determine whether to accept the application.

The applicant must supplement or correct any materials or information, or the security assessment will be terminated.

The applicant will receive a notice of the result of the assessment. If there are no objections, the company must then proceed with the cross-border data transfer activities in compliance with relevant laws and regulations. If there are objections, it can apply for re-assessment within 15 days.

Companies must submit in the application for the security assessment documents such as copy of the Unified Social Credit Code, copy of legal representative’s ID card, copy of ID card of person in charge, data export security assessment declaration form, copies of data export-related contracts with overseas recipients and data export risk self-assessment report, among other.

The company is responsible for the self-assessment report and must complete it within three months of the application being submitted. If a third party is involved, the applicant must explain the reason for this and affix the third-party organization’s official seal on any relevant pages.

There are a few important issues that a data exporter must consider when executing a self-assessment, such as whether it is legal, necessary, and appropriate to transfer the data abroad; what is the scope, category, size, and sensitivity of the data to be transferred; and what impact the data transfer may have for China’s national security and public interest.

It should also evaluate whether the data exporter and overseas data recipient can adopt strong organizational and technical measures to protect the data from loss or damage; and whether the cross-border data transfer agreement can provide sufficient data protection.

The guidelines offer a template self-assessment report, which requires the data exporter to provide a wide range of information, including a brief description of the self-assessment, the corporate, investment and business model as well as the data center and IP address of the data exporter, the purpose, category, volume, sensitivity, and related industry sector of the data to be transferred outside China and whether there will be onward data transfers.

Additional information should include a description of data protection capabilities of both the data exporter and foreign data recipient, outline of the data protection regime of the foreign country where the overseas data recipient is based, and key terms of the cross-border data transfer agreement.

The data exporter is also required to analyze the risks associated with the contemplated cross-border data transfer.

The company should include a copy of the cross-border data transfer agreement in the documents submitted to the CAC. In case of an inter-group data transfer where there is no specific agreement, the data exporter is required to provide other documents such as the corporate policy governing cross-border data transfer to illustrate how cross-border data transfers are managed.

Can Woodburn help you?

The guidelines do not expressly require the cross-border data transfer agreement to be drafted based on the Standard Data Export Contract. However, they require the cross-border data transfer agreement to include certain necessary clauses. An agreement based on the CAC standard contract is likely to be processed quicker given the reviewing officials’ familiarity with that version.

The guidelines provide a template application form, consisting of a standard letter of undertaking stating the data exporter’s commitment to warrant the correctness and accuracy of information delivered, and a prescribed table.

It is required in the guidelines that reference to key terms of the cross-border data transfer agreement in relation to the necessity and purpose of the transfer, overseas storage, onward transfer and remedy mechanism, and liability and dispute resolution should be highlighted or framed in the Application Form with explicit reference to the corresponding page numbers in the agreement.

All documents submitted must have a Chinese version if the original is prepared in a foreign language. Failure to comply with these requirements will risk the application being rejected or delayed.

Noncompliance with the measures and guidelines may expose companies and the executive to significant administrative, civil, and criminal liabilities.

Recently, Chinese authorities have enforced regulations by conducting dawn raids and investigations, removing noncompliant applications, ordering business suspension for rectification, and imposing hefty fines on violating companies and executives.

It is common for multinational corporations to run shared IT infrastructures and applications for their Chinese subsidiaries to share employee or customer data with the global headquarters or affiliates outside China.

With the measures and guidelines in place, these scenarios will fall within the application scope of the mandatory security assessment if the data transfer threshold is met. Foreign companies are encouraged to map out the data flow, assess whether the data activities fall under the guidelines and, if yes, take the necessary compliance actions.


Woodburn Accountants & Advisors is one of China’s most trusted business setup advisory firms.

Woodburn Accountants & Advisors is specialized in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to the full outsourcing solution for accounting, tax, and human resource services. Our advisory services can be tailor-made based on the companies’ objectives, goals and needs which vary depending on the stage they are at on their journey.


Talk to an expert

Schedule a 30-mins complimentary, no-obligation call to see how Woodburn can help you. Book a call with our Head of Business Advisory - Kristina Koehler-Coluccia.

Topics we can advise on include:

  • Company Registration

  • Cloud Accounting & Financial Reporting

  • Cloud Payroll Services

  • Tax & Audit Services

  • Recruitment

  • Employer-of-Record

  • Visa Application

  • Trademark Registration

  • Switch to Woodburn

  • Partner with Woodburn (cross referral) 

Our calls are automatically scheduled via Zoom - or via Teams, WeChat or WhatsApp upon direct request. 

Our advisory calls are available from Monday-Friday from 8am to 5pm CEST and Wednesday until 9pm CEST.


Woodburn Accountants & Advisors is one of China and Hong Kong’s
most trusted business setup advisory firms

bottom of page