---
title_en: "Measures for the Certification of the Cross-border Provision of Personal Information"
title_zh: "个人信息出境认证办法"
hierarchy: "rule"
issuing_body: "Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR)"
adopted_date: 2025-07-21
effective_date: 2026-01-01
status: "effective"
related_laws: ["pipl", "cross-border-data-flows-provisions", "data-export-security-assessment-measures"]
domains: ["cross-border", "personal-information"]
url: https://datacompliancechina.com/laws/cross-border-pi-certification-measures/
summary: "The third of CAC's three cross-border transfer pathways — PI Protection Certification — finally given its own dedicated rules effective January 1, 2026. Joint issuance with SAMR (which administers the certification body accreditation regime). Establishes who can be certified, eligibility thresholds, what certification covers, and the relationship to the Security Assessment and Standard Contract pathways."
---
**Promulgated by:** Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR).  
**Document No.:** Order No. 20 of CAC and SAMR (jointly).  
**Adopted at the 17th executive meeting of the CAC in 2025 on July 21, 2025. Effective January 1, 2026.**

---

**Article 1.** In order to protect personal information rights and interests, regulate certification activities for the cross-border provision of personal information, and promote the efficient and secure cross-border flow of personal information, these Measures are formulated in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations.

**Article 2.** Where a personal information processor provides personal information to outside the territory of the People’s Republic of China by means of personal information protection certification, these Measures shall apply.

**Article 3.** For the purposes of these Measures, certification of cross-border provision of personal information refers to the conformity assessment activities conducted, in accordance with Item (2) of Paragraph 1 of Article 38 of the Personal Information Protection Law of the People’s Republic of China, by professional certification bodies that have lawfully obtained personal information protection certification qualifications, to attest that personal information processing activities such as the provision of personal information by personal information processors to outside the territory of the People’s Republic of China conform to relevant laws, administrative regulations, departmental rules, standards, and technical specifications.

**Article 4.** The National level cyberspace administration department, together with the National level data administration department and other relevant departments, shall formulate relevant standards and technical specifications for the certification of cross-border provision of personal information. The State Administration for Market Regulation, together with the National level cyberspace administration department, shall formulate personal information protection certification rules and unified certification certificates and marks. 1 1 10 100 1

**Article 5.** Where a personal information processor provides personal information to outside the territory by means of certification of cross-border provision of personal information, it shall simultaneously meet the following conditions: (1) It is not an operator of critical information infrastructure;

(2) Since January 1 of the current year, it has cumulatively provided abroad personal information of 100,000 persons or more but less than 1,000,000 persons (excluding sensitive personal information), or sensitive personal information of less than 10,000 persons. The personal information provided abroad as referred to in the preceding paragraph does not include important data. Where laws, administrative regulations, or the National level cyberspace administration department provide otherwise, such provisions shall prevail. Personal information processors shall not adopt means such as quantity splitting to provide, by means of certification of cross-border provision of personal information, to outside the territory personal information that, according to law, shall be provided abroad only after passing a security assessment for data export.

**Article 6.** Prior to applying for certification to provide personal information abroad, personal information processors shall perform the obligations of notification, obtaining separate consent of individuals, conducting personal information protection impact assessment, etc., in accordance with the provisions of laws and administrative regulations. The personal information protection impact assessment shall focus on evaluating the following: (1) The legality, legitimacy, and necessity of the purposes, scope, methods, etc., of personal information processing by the personal information processor and the overseas recipient;

(2) The scale, scope, types, and sensitivity of the personal information to be exported, and the risks that the cross-border provision of personal information may pose to national security, public interests, and personal information rights and interests;

(3) Whether the obligations the overseas recipient undertakes to assume, and the management and technical measures and capabilities to perform such obligations, can ensure the security of the personal information provided abroad;

(4) The risks of personal information being tampered with, damaged, leaked, lost, illegally used, etc., after being provided abroad, and whether the channels for safeguarding personal information rights and interests are smooth;

(5) The impact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the security of the personal information provided abroad and the personal information rights and interests;

(6) Other matters that may affect the security of cross-border provision of personal information.

**Article 7.** Where a personal information processor provides personal information abroad by means of certification, it shall apply to a professional certification body for certification of cross-border provision of personal information. Where a personal information processor outside the territory of the People’s Republic of China applies for certification of cross-border provision of personal information, the application shall be assisted by its specially established institution or designated representative within the territory. 3 6 Article 8 Professional certification bodies shall carry out certification activities for cross-border provision of personal information in accordance with basic certification norms and personal information protection certification rules. Where certification requirements are met, professional certification bodies shall promptly issue certification certificates. The validity period of a certification certificate shall be three years. Where the certificate needs to continue to be used upon expiry, the personal information processor shall file an application for certification six months prior to the expiration of the validity period. 5

**Article 9.** Professional certification bodies shall, within five working days after issuing certification certificates or after the status of certification certificates changes, submit relevant information on certification certificates for cross-border provision of personal information to the National level Certification and Accreditation Information Public Service Platform, including the certification certificate number, the name of the certified personal information processor, the scope of certification, and information on changes in certificate status, etc. The State Administration for Market Regulation and the National level cyberspace administration department shall establish a mechanism for sharing certification information.

**Article 10.** Where professional certification bodies discover that a certified personal information processor has circumstances such as inconsistency between the cross-border provision of personal information and the certification scope, and is no longer in conformity with certification requirements, they shall suspend its use until revoking the relevant certification certificate. Where the National level cyberspace administration department and relevant departments discover, in the course of supervision and administration over personal information protection, that a certified personal information processor has the circumstances set out in the preceding paragraph, professional certification bodies shall cooperate to suspend its use until revoking the relevant certification certificate. The circumstances set out in the preceding two paragraphs shall be published via the National level Certification and Accreditation Information Public Service Platform.

**Article 11.** Where, in the course of carrying out certification activities, professional certification bodies discover that cross-border provision of personal information violates laws, administrative regulations, or relevant national provisions, they shall promptly report to the National level cyberspace administration department and relevant departments. 30 30 Article 12 Professional certification bodies that carry out certification for cross-border provision of personal information shall, within ten working days from the date on which they are approved by the State Administration for Market Regulation to obtain personal information protection certification qualifications, complete filing procedures with the National level cyberspace administration department. When handling filing, the following materials shall be submitted: (1) The circumstances of the obtained certification qualifications in the field of personal information protection;

(2) The professional work circumstances engaged in the field of data security and personal information protection during the past three years;

(3) Security background check materials of the personnel of the professional certification body;

(4) Implementation rules and work plan for personal information protection certification;

(5) Mechanisms for preventing personal information security risks;

(6) Continuous supervision mechanisms regarding the conformity of the certified personal information processor’s cross-border provision of personal information with certification standards;

(7) Complaint handling and dispute resolution mechanisms;

(8) Other materials required to be submitted. Professional certification bodies shall be responsible for the authenticity of the filed materials. Upon receipt of the filing materials submitted by the professional certification bodies, the National level cyberspace administration department, together with the National level data administration department, shall review the filing materials. Where the materials are complete, filing shall be completed within thirty working days and made public; where the materials are incomplete, filing shall not be completed, and the professional certification body shall be notified within thirty working days with reasons explained.

**Article 13.** The State Administration for Market Regulation and the National level cyberspace administration department shall supervise certification activities for cross-border provision of personal information, conduct regular or ad hoc inspections, carry out spot checks on certification processes and certification results, and conduct spot checks and evaluations of professional certification bodies.

**Article 14.** State organs, professional certification bodies, and other institutions engaged in certification activities and their staff shall, in accordance with law, keep confidential the personal privacy, personal information, trade secrets, and confidential business information that they become aware of in the performance of their duties, and shall not disclose, illegally provide to others, or illegally use such information.

**Article 15.** Where any organization or individual discovers that a certified personal information processor provides personal information abroad in violation of these Measures, they may lodge complaints or report to professional certification bodies, cyberspace administration departments, and relevant departments.

**Article 16.** Where cyberspace administration departments at the provincial level or above and relevant departments discover that the certified personal information processor’s cross-border personal information activities pose significant risks or that personal information security incidents have occurred, they may, in accordance with law, conduct interviews with the certified personal information processor. The certified personal information processor shall make rectifications as required and eliminate hidden dangers.

**Article 17.** Where these Measures are violated, disposition shall be made in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations; where a crime is constituted, criminal liability shall be pursued according to law.

**Article 18.** Where relevant provisions on certification of cross-border provision of personal information formulated prior to the implementation of these Measures are inconsistent with these Measures, these Measures shall prevail. 2026 1 1 Article 19 These Measures shall come into force on January 1, 2026. PAGE/NUMPAGES PAGE/NUMPAGES