Promulgated by: Cyberspace Administration of China (CAC). Issued on 27 June 2025. Effective on 27 June 2025.
In accordance with the Measures for the Security Assessment of Data Export and the Provisions on Promoting and Regulating Cross-border Data Flows, and in order to guide and assist data handlers in filing declarations for a Data Export Security Assessment in a standardised and orderly manner, these Guidelines are formulated.
Section I. Scope of Application
(I) Circumstances requiring a declaration for a Data Export Security Assessment
A data handler that provides data to an overseas recipient must file a declaration for a Data Export Security Assessment where any of the following applies:
-
The data handler is a critical information infrastructure operator (CIIO) that provides personal information or important data overseas.
-
The data handler is not a CIIO but provides important data overseas, or has, cumulatively from 1 January of the current year, provided overseas the personal information of more than one million individuals (excluding sensitive personal information) or the sensitive personal information of more than ten thousand individuals.
Where a situation falls within Articles 3, 4, 5, or 6 of the Provisions on Promoting and Regulating Cross-border Data Flows, those provisions shall govern.
(II) Circumstances constituting a cross-border data transfer
The following constitute cross-border data transfer activities:
-
A data handler transmits overseas data that it has collected and generated in the course of its domestic operations.
-
A data handler’s collected and generated data is stored within the territory, but overseas institutions, organisations, or individuals are able to query, retrieve, download, or export it.
-
Activities that fall within Article 3, paragraph 2, of the Personal Information Protection Law (PIPL) involving the processing of personal information of natural persons within the territory from outside the territory, and other such data processing activities.
Section II. Declaration Method and Process
A data handler filing a declaration for a Data Export Security Assessment must submit declaration materials through online means. CIIOs and other data handlers for whom online filing through the declaration system is not appropriate shall file offline via the provincial-level Cyberspace Administration at their place of registration, which will forward the materials to the CAC.
(I) System login and project declaration
The Data Export Declaration System URL is: https://sjcj.cac.gov.cn
1. Account registration and login. A data handler logging into the declaration system for the first time should click “Register Account” and fill in a username, password, mobile phone number, and other required information. After successful registration, log in to the declaration system and complete the basic information entry: the data handler’s entity name, unified social credit code (USCC), and province of entity registration.
2. Creating a new project and filing. The data handler selects the “Data Export Security Assessment” module, selects “Add New Declaration Project”, and uploads the prepared declaration materials.
Declaration materials (for document requirements see Annex 1) include:
(1) A photocopy of the unified social credit code certificate
(2) A photocopy of the legal representative’s identity document
(3) A photocopy of the case-handler’s identity document
(4) A power of attorney for the case-handler (template: Annex 2)
(5) The Data Export Security Assessment Declaration Form (template: Annex 3)
(6) The data-export-related contract or other legally effective document proposed to be entered into with the overseas recipient
(7) The data export risk self-assessment report (template: Annex 4)
(8) Other relevant supporting materials
The data handler bears responsibility for the authenticity of all submitted materials. Submission of false materials shall be treated as a failure to pass the assessment, and corresponding legal liability shall be pursued in accordance with law.
(II) Completeness review and project acceptance
Data handlers may track the progress of filed projects through the declaration system:
1. The provincial-level Cyberspace Administration completes the completeness review of the declaration materials within 5 working days from the date the data handler submits the materials, and simultaneously updates the completeness review result in the declaration system. Where the materials fail the completeness review, the provincial-level Cyberspace Administration notifies the data handler of the reasons for failure.
2. Where the materials pass the completeness review, the provincial-level Cyberspace Administration submits the declaration materials to the CAC for acceptance. The CAC, within 7 working days from the date it receives the declaration materials submitted by the provincial-level Cyberspace Administration, determines whether to accept the project and notifies the data handler in writing, simultaneously updating the acceptance result in the declaration system.
(III) Supplementation or correction of materials and tracking assessment progress
After issuing a notice of acceptance of the assessment project, the CAC will immediately organise and carry out the Data Export Security Assessment. Where supplementation or correction of declaration materials is required, the data handler must promptly supplement or correct the materials through the declaration system in accordance with the notification requirements.
Where a data handler, without legitimate reason, fails to supplement or correct declaration materials, the CAC may terminate the security assessment.
Where circumstances are complex or supplementation or correction of materials is required, the CAC may extend the assessment period as appropriate and notify the data handler of the anticipated additional time needed.
Data handlers may track assessment progress at any time through the declaration system. Upon completion of the assessment, the CAC issues an assessment result notice to the data handler. The data handler must conduct its data export activities in a compliant manner in accordance with the relevant laws and regulations governing data export security management and the requirements of the assessment result notice.
Where a data handler objects to the assessment result, it may, within 15 working days of receiving the assessment result notice, apply to the CAC for a review (复评). The outcome of the review is the final determination.
Section III. Applying to Extend the Validity Period of an Assessment Result
(I) Applicable conditions
Where an assessment result authorises certain data export activities and all of the following conditions are concurrently satisfied, the data handler may, within 60 working days before the expiry of the validity period of the assessment result, apply through the provincial-level Cyberspace Administration at its place of registration to the CAC to extend the validity period:
-
The purpose, scope, and other aspects of the data export have not changed.
-
The data handler, the overseas recipient, and other relevant parties have not changed.
-
For exports of personal information: the number of natural persons to be covered in the following three years does not exceed the number approved in the original assessment result for the past three years by more than 20%.
-
For exports of important data: the scale of data to be exported in the following three years (MB/GB/TB) does not exceed the scale of data approved in the original assessment result for the past three years by more than 20%.
-
The legal document entered into with the overseas recipient complies with the requirements of Article 9 of the Measures for the Security Assessment of Data Export.
-
The data export activities over the past three years have been conducted in strict compliance with the assessment result notice, and no major data security incident has occurred.
(II) Filing the extension application
Data handlers applying to extend the validity period of an assessment result must submit application materials through the declaration system. CIIOs and other data handlers for whom system-based applications are not appropriate shall submit materials offline.
For extension applications relating to assessment results obtained through online filing: after logging into the declaration system, the data handler selects the original declaration project and performs the “Apply for Extension” operation, uploading the application materials.
For extension applications relating to assessment results obtained through offline filing: after logging into the declaration system, the data handler applies under the “Extension of Assessment Result Validity Period” module, enters the acceptance number for the original project, and uploads the application materials.
Application materials include:
-
A photocopy of the unified social credit code certificate (may be omitted if unchanged)
-
A photocopy of the legal representative’s identity document (may be omitted if unchanged)
-
A photocopy of the case-handler’s identity document (may be omitted if unchanged)
-
A power of attorney for the case-handler (template: Annex 2)
-
The Application Form for Extension of Assessment Result Validity Period (template: Annex 5)
(III) Completeness review
Data handlers may track the completeness review status of their extension applications through the declaration system. The provincial-level Cyberspace Administration completes the completeness review within 5 working days from the date the data handler submits the application materials, and simultaneously updates the review result in the system. Where materials fail the completeness review, the provincial-level Cyberspace Administration notifies the data handler of the reasons for failure. Where materials pass the completeness review, the provincial-level Cyberspace Administration submits them to the CAC.
(IV) Review of extension of assessment result validity period
The CAC, within 20 working days from the date it receives the application materials submitted by the provincial-level Cyberspace Administration, determines whether to approve the extension and notifies the data handler in writing. Where circumstances are complex or supplementation or correction of materials is required, the review period may be extended appropriately, and the data handler will be notified of the anticipated additional time.
Data handlers may track the review progress for the extension application through the declaration system, and may supplement or correct materials through the system. Upon receiving the notice on the extension of assessment result validity period, the data handler must conduct its data export activities in a compliant manner in accordance with the relevant laws and regulations governing data export security management and the requirements of the notice.
Section IV. Consultation and Reporting Contact Information
Data handlers encountering any questions or requiring assistance during the declaration process are welcome to contact us:
Telephone: 010-55627135
Email: sjcj@cac.gov.cn
Annex 1. Requirements for Data Export Security Assessment Declaration Materials
| No. | Material Name | Requirements | Notes |
|---|---|---|---|
| 1 | Photocopy of unified social credit code certificate | Stamped with official seal | |
| 2 | Photocopy of the legal representative’s identity document | Stamped with official seal | |
| 3 | Photocopy of the case-handler’s identity document | Stamped with official seal | |
| 4 | Power of attorney for the case-handler | ||
| 5 | Data Export Security Assessment Declaration Form | Completed in Chinese | |
| 6 | Data-export-related contract or other legally effective document proposed to be entered into with the overseas recipient | Relevant data-export provisions must be prominently highlighted (e.g., highlighted text or boxes). Legal documents must be in a Chinese-language version; if only a non-Chinese version exists, an accurate Chinese translation must also be submitted. | |
| 7 | Data export risk self-assessment report | Written in Chinese | |
| 8 | Other relevant supporting materials |
Note: Data handlers submitting declaration materials offline must simultaneously submit corresponding electronic versions on optical disc (CD/DVD).
Annex 2. Power of Attorney for the Case-Handler (Template)
I, [full name] (identity document number: ____), the legal representative of [data handler name], hereby authorise [full name] (identity document number: ____) of our entity to act as the case-handler for the Data Export Security Assessment declaration / Application for Extension of Assessment Result Validity Period. All actions taken by the case-handler on behalf of our entity, including documents signed and uploaded, are hereby acknowledged by our entity, which shall bear the corresponding legal liability.
Term of authorisation: from ____ year ____ month ____ day to ____ year ____ month ____ day.
The case-handler has no right to sub-delegate.
Entity name (stamped with official seal): ____________________
Legal representative (signature): ____________________
Case-handler (signature): ____________________
Date: ____ year ____ month ____ day
Annex 3. Data Export Security Assessment Declaration Form (Template)
Section 1 — Data Handler Information
| Field | Options / Notes |
|---|---|
| Entity name | |
| Nature of entity | Government department / Public institution / Enterprise / Social organisation / Other |
| Type of entity | Domestically invested / Foreign-invested / Sino-foreign joint venture / Hong Kong, Macao, or Taiwan-invested / Other |
| Registered address | |
| Operating address | |
| Number of employees | |
| Unified social credit code | |
| Whether a CIIO | Yes / No |
| Scale of personal information processed | Number of natural persons (de-duplicated) |
Section 2 — Legal Representative Information
| Field | Options / Notes |
|---|---|
| Name | |
| Title | |
| Nationality | |
| Contact telephone | |
| Email address | |
| Type of identity document | Resident identity card / Passport / Taiwan Residents Mainland Travel Permit / Permit for Hong Kong and Macao Residents Travelling to and from the Mainland / Other |
| Identity document number |
Section 3 — Data Security Officer and Management Body Information
| Field | Options / Notes |
|---|---|
| Name | |
| Title | |
| Nationality | |
| Contact telephone | |
| Email address | |
| Type of identity document | Resident identity card / Passport / Taiwan Residents Mainland Travel Permit / Permit for Hong Kong and Macao Residents Travelling to and from the Mainland / Other |
| Identity document number | |
| Management body name | |
| Management body headcount |
Section 4 — Case-Handler Information
| Field | Options / Notes |
|---|---|
| Name | |
| Title | |
| Nationality | |
| Contact telephone | |
| Email address | |
| Type of identity document | Resident identity card / Passport / Taiwan Residents Mainland Travel Permit / Permit for Hong Kong and Macao Residents Travelling to and from the Mainland / Other |
| Identity document number |
Section 5 — Data Handler’s Compliance with Chinese Laws, Administrative Regulations, and Departmental Rules
Briefly describe any administrative penalties or investigations and rectifications by competent supervisory authorities in the past 2 years in the course of business operations, with particular focus on matters relating to data and cybersecurity.
Section 6 — Data Export Scenario [No.] (repeat as needed for each scenario)
| Field | Options / Notes |
|---|---|
| Description of export scenario | Describe the business, purpose, and method of the data export in this declaration; must be consistent with the business name used in the legal document; no more than 100 characters. (Reference methods: public internet transmission, dedicated cross-border leased line transmission, remote access via public internet, remote access via dedicated cross-border leased line, etc.) |
| Data proposed for export: | |
| Data type | Important data / Personal information |
| If important data: name of the competent authority that identified it | |
| If personal information: whether it includes sensitive personal information | Yes / No |
| Industry / sector involved | Industry / Telecommunications / Transport / Finance / Natural resources / Health / Education / Science and technology / Energy / National defence science and industry / Culture and tourism / Cross-border e-commerce / Retail / Internet / Other |
| Number of natural persons involved (de-duplicated) | Including the number already exported in the current year, the projected number over the next three years, and the relationship between the two |
| Scale of important data involved | MB / GB / TB |
| Overseas recipient information: | |
| Name of overseas recipient | |
| Country or region | |
| Address | |
| Primary business | |
| Name of responsible person | |
| Title of responsible person | |
| Contact information | Telephone: / Email: |
| Statistical notes (if needed) |
Declaration by the data handler:
All content in the declaration materials is true, complete, accurate, and valid.
The necessary cooperation and support will be provided for the Data Export Security Assessment organised and implemented by the CAC.
The self-assessment was completed within the 3 months prior to the date of declaration and no material change has occurred as of the date of declaration. If the declaration is false or the commitments are breached, the entity accepts the corresponding legal liability.
Notes:
-
The content of the self-assessment report must be consistent with the content of the Declaration Form.
-
Item 6 of the Declaration Form must be described separately for each scenario; additional copies of Item 6 may be added as needed to correspond to the actual number of export scenarios being declared.
-
Where there are numerous overseas recipients, their scope is indeterminate, or they cannot be listed one by one, Item 6’s “overseas recipient information” may be completed with aggregate statistical data.
-
The Declaration Form must be completed strictly in accordance with the template, in Chinese, using size-4 “Fang Song” (仿宋) typeface; numerals and letters in size-4 “Times New Roman”; line spacing at a fixed value of 16 points; paragraph first-line indent of 2 characters. Page setup: A4 paper, top and bottom margins 2.54 cm, left and right margins 3.18 cm.
Annex 4. Data Export Risk Self-Assessment Report (Template)
[Data handler name:] ____________________ (stamped with official seal)
Date: ____ year ____ month ____ day
Instructions:
(I) The data handler is required to provide a self-assessment report when filing a declaration for a Data Export Security Assessment and bears responsibility for the authenticity of the submitted self-assessment report and its annexes.
(II) The self-assessment activities described in the report must have been completed within the 3 months prior to the date of the current declaration.
(III) If a third-party institution participated in the self-assessment, the basic information of that institution and its participation in the assessment must be explained in the self-assessment report.
(IV) The self-assessment report must be drafted strictly in accordance with the template, in Chinese; body text in size-4 “Fang Song” (仿宋) (with first-level headings in boldface, second-level headings in bolded regular-script (楷体加黑), and third-level headings in bolded Fang Song); numerals and letters in size-4 “Times New Roman”; line spacing at a fixed value of 26 points; paragraph first-line indent of 2 characters. Page setup: A4 paper, top and bottom margins 2.54 cm, left and right margins 3.18 cm.
I. Overview of the Self-Assessment Exercise
Briefly describe how the self-assessment was conducted, including the start and end dates, organisational arrangements, implementation process, and implementation methods.
II. Overall Circumstances of the Export Activities
Briefly describe the basic information of the data handler, the data handler’s security assurance capability, the overseas recipient’s circumstances, the provisions of the legal document, and so forth; provide detailed information on the data proposed for export. Include but are not limited to the following:
(I) Basic information of the data handler
-
Overview of basic information, including equity structure, actual controller, and domestic and overseas investment arrangements.
-
Organisational structure and information about the data security management body.
-
Overall business and data asset profile.
(II) Data proposed for export
-
The business activities and data assets involved in the data export.
-
The purpose, scope, and manner of the data export and of the overseas recipient’s processing of the data, and the lawfulness, legitimacy, and necessity thereof.
-
Set out, by declared business scenario, the corresponding exported data items; present the data-item inventory in tabular form and describe each item individually (as shown in the sample table below); data items within the same scenario must be de-duplicated.
| No. | Data item name | Content description | Necessity for export | Example / Notes |
|---|---|---|---|---|
| 1 | ||||
| 2 | ||||
| … |
-
The system platforms and data centres (including cloud services) in which the data proposed for export is stored within the territory; details of the data export links (domain names and network addresses of the data handler’s and overseas recipient’s network systems, and the method of data export); the system platforms and data centres planned for storage after export.
-
The circumstances in which the overseas recipient re-provides the exported data to other overseas organisations or individuals.
-
For exports involving personal information: state, counted by natural person (de-duplicated), the number already exported in the current year and estimate the number to be exported over the following 3 years.
(III) The data handler’s data security assurance capability
-
Data security management capability, including the management organisational system and institutional framework, and the implementation of systems covering full-lifecycle management, classification and grading, emergency response, risk assessment, protection of personal information rights and interests, and so forth.
(For exports involving personal information: provide a description and supporting materials demonstrating compliance with Article 39 of PIPL, including performance of the notice obligation and obtaining separate consent from individuals; no individual consent is required where the situation falls within Article 13(1)(ii) through (vii) of PIPL.)
-
Data security technical capability, including the security technical measures applied throughout the full lifecycle of data collection, storage, use, processing, transmission, provision, public disclosure, and deletion.
-
Evidence of the effectiveness of data security assurance measures, such as data security risk assessments, data security certifications, data security inspections and evaluations, data security compliance audits, and Multi-Level Protection Scheme (MLPS) assessments conducted.
-
Compliance with data and cybersecurity laws and regulations. (Where administrative penalties or regulatory rectifications have been received, supporting materials demonstrating completion of rectification may be provided.)
(IV) Overseas recipient’s circumstances
-
Basic information about the overseas recipient.
-
The purposes and methods by which the overseas recipient processes the data.
-
The management and technical measures and capability of the overseas recipient to fulfil its responsibilities and obligations.
(V) Provisions in the legal document governing data security protection responsibilities and obligations
-
The purpose, manner, and scope of the data export, and the purposes and methods by which the overseas recipient processes the data.
-
The location and period of storage of the data overseas, and the measures for handling the exported data upon reaching the storage period, completing the agreed purpose, or termination of the legal document.
-
Binding requirements on the overseas recipient with respect to re-transferring the exported data to other organisations or individuals.
-
The security measures to be taken when, due to a material change in the actual control or business scope of the overseas recipient, a change in the data security protection laws, regulations, or cybersecurity environment in the overseas recipient’s country or region, or other force majeure circumstances, data security becomes difficult to ensure.
-
Remedies, liability for breach of contract, and dispute resolution mechanisms for failure to comply with data security protection obligations under the legal document.
-
Requirements for properly conducting emergency response when exported data is tampered with, damaged, leaked, lost, transferred, or unlawfully accessed or used, and the channels and methods for safeguarding individuals’ rights and interests in their personal information.
(VI) Other circumstances the data handler considers necessary to explain
III. Risk Self-Assessment Findings and Conclusions for the Export Activities
With reference to the matters specified in Article 5 of the Measures for the Security Assessment of Data Export, describe the risk self-assessment findings, with particular emphasis on issues identified during the self-assessment and the rectification undertaken.
Based on the overall risk self-assessment findings and the corresponding rectification, provide an objective risk self-assessment conclusion for the data export activities proposed for declaration, with a full explanation of the reasons supporting the conclusion.
Annex 5. Application Form for Extension of Assessment Result Validity Period (Template)
Section 1 — Basic Information
| Field | Notes |
|---|---|
| Data handler name | |
| Acceptance number of the assessment project for which extension is sought | |
| Whether the legal document entered into with the overseas recipient complies with the requirements of Article 9 of the Measures for the Security Assessment of Data Export | Yes / No |
Section 2 — Data Export Scenario [No.] (repeat as needed for each scenario)
| Field | Options / Notes |
|---|---|
| The purpose, scope, etc. of the data export have not changed | Yes / No |
| The data handler, overseas recipient, etc. have not changed | Yes / No |
| For personal information exports: percentage increase in the number of natural persons in the following three years (compared with the number approved in the original assessment result for the past three years) | ____% / Not applicable |
| For important data exports: percentage increase in the scale of data to be exported in the following three years (compared with the scale approved in the original assessment result for the past three years) | ____% / Not applicable |
| The data export links, storage systems, and data centres have not changed | Yes / No (if changed, describe in “Section 3”) |
| The purposes and methods of the overseas recipient’s data processing have not changed | Yes / No (if changed, describe in “Section 3”) |
Section 3 — Other Matters to be Explained
Describe the following matters as applicable (additional pages may be attached):
(1) Measures taken and related work to ensure the security of the data export.
(2) How the overseas recipient has fulfilled its data security responsibilities and obligations under the legal document.
(3) A summary of how data export activities have been conducted in compliance with the assessment result notice over the past three years.
(4) Any major data security incidents during the past three years, and any administrative penalties, investigations by competent supervisory authorities, and rectifications in the course of business operations.
Declaration by the data handler:
All content in the application materials is true, complete, accurate, and valid.
The necessary cooperation and support will be provided for the review of the extension of the assessment result validity period organised and implemented by the CAC.
If the declaration is false or the commitments are breached, the entity accepts the corresponding legal liability.
Notes:
-
Item 2 of the Application Form must be described separately for each scenario; additional copies of Item 2 may be added as needed to correspond to the actual number of export scenarios for which extension is sought.
-
The Application Form must be completed strictly in accordance with the template, in Chinese, using size-4 “Fang Song” (仿宋) typeface; numerals and letters in size-4 “Times New Roman”; line spacing at a fixed value of 16 points; paragraph first-line indent of 2 characters. Page setup: A4 paper, top and bottom margins 2.54 cm, left and right margins 3.18 cm.