Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GBA (MAINLAND-MACAO) SCC GUIDELINES

Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao).

粤港澳大湾区(内地、澳门)个人信息跨境流动标准合同实施指引

Jointly issued by: Cyberspace Administration of China; Economic and Technological Development Bureau of the Macao Special Administrative Region Government; Personal Data Protection Bureau of the Macao Special Administrative Region Government. Document type: Joint announcement (联合公告), Announcement No. 1 of 2024. Issued and effective: 10 September 2024.


These Implementation Guidelines implement the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area concluded between the Cyberspace Administration of China and the Economic and Finance Bureau of the Macao Special Administrative Region Government (the Memorandum). They are accompanied by two annexes: Annex 1, the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) (the Standard Contract), and Annex 2, a Commitment Letter template.


Implementation Guidelines

Article 1. In order to promote the safe and orderly cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area (the Greater Bay Area), to advance high-quality development of the Greater Bay Area, and to implement the Cooperation Memorandum on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area concluded between the Cyberspace Administration of the People’s Republic of China and the Economic and Finance Bureau of the Macao Special Administrative Region Government (the Memorandum), the Cyberspace Administration of China, the Economic and Technological Development Bureau of the Macao Special Administrative Region Government, and the Personal Data Protection Bureau of the Macao Special Administrative Region Government jointly formulate these Implementation Guidelines.

Article 2. The Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) (the Standard Contract; see Annex 1) constitutes a facilitation measure under the Memorandum for promoting the cross-border flow of personal information within the Greater Bay Area. Personal information handlers and recipients within the Greater Bay Area may, in accordance with the requirements of these Implementation Guidelines, conduct cross-border flows of personal information between the Mainland and Macao within the Greater Bay Area by executing the Standard Contract. Personal information that has been classified as important data by the relevant authorities or regions, or that has been publicly announced as such, is excluded.

Personal information handlers and recipients must be registered in (for organizations) or located in (for individuals) the Mainland portion of the Greater Bay Area — that is, Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing in Guangdong Province — or the Macao Special Administrative Region.

Article 3. Cross-border provision of personal information conducted by executing the Standard Contract shall adhere to the principles of combining voluntary contracting with filing management, and combining the protection of personal information rights and interests with risk prevention, so as to safeguard the safe and free cross-border flow of personal information.

Article 4. A personal information handler that provides personal information cross-border by executing the Standard Contract in accordance with these Implementation Guidelines shall fulfill the obligations and responsibilities set out in the Standard Contract, including satisfying the following conditions:

(1) Before providing personal information cross-border, the personal information handler shall, in accordance with the laws and regulations of the jurisdiction in which it is located, give notice to the individual or obtain the individual’s consent; and

(2) The personal information shall not be provided to organizations or individuals outside the Greater Bay Area.

Article 5. Before a personal information handler provides personal information cross-border by executing the Standard Contract in accordance with these Implementation Guidelines, it shall conduct a Personal Information Protection Impact Assessment (PIPIA), focusing on the following:

(1) The lawfulness, legitimacy, and necessity of the purposes and methods by which the personal information handler and the recipient process personal information;

(2) The impact on the rights and interests of the individuals concerned and the security risks involved; and

(3) Whether the obligations the recipient has committed to assume, and its management and technical measures and capabilities for fulfilling those obligations, are sufficient to ensure the security of the personal information provided cross-border.

Article 6. The Standard Contract shall be executed strictly in accordance with the annex to these Implementation Guidelines. Cross-border provision of personal information may only commence after the Standard Contract has taken effect.

A personal information handler may agree with the recipient on additional terms, but such additional terms shall not conflict with the Standard Contract.

Article 7. The personal information handler and the recipient shall, within 10 working days of the date on which the Standard Contract takes effect, file the Standard Contract with the Guangdong Provincial Cyberspace Administration or the Personal Data Protection Bureau of the Macao Special Administrative Region Government in accordance with their respective jurisdiction. The following materials shall be submitted:

(1) A copy of the identity document of the legal representative;

(2) The Commitment Letter (template: Annex 2); and

(3) The Standard Contract.

The personal information handler and the recipient shall be responsible for the authenticity of the materials filed.

Article 8. Where the purpose, scope, type, or method of the cross-border provision of personal information changes, where the purpose or method by which the recipient processes the personal information changes, where the storage period is extended, or where any other circumstance occurs that affects or may affect the rights and interests of individuals in relation to their personal information, the personal information handler shall conduct a fresh PIPIA, supplement or re-execute the Standard Contract, and complete the corresponding filing procedures.

Article 9. Any organization or individual that discovers that a personal information handler or recipient is conducting cross-border flows of personal information within the Greater Bay Area in accordance with these Implementation Guidelines but is failing to fulfill the obligations and responsibilities required by these Guidelines and the Standard Contract may lodge a complaint or report with the Cyberspace Administration of China, the Guangdong Provincial Cyberspace Administration, the Economic and Technological Development Bureau of the Macao Special Administrative Region Government, or the Personal Data Protection Bureau of the Macao Special Administrative Region Government.

Upon receiving a complaint or report, the receiving authority, upon discovering that significant security risks exist in the cross-border activities or that a personal information security incident has occurred, may require the personal information handler or the recipient to rectify the situation; where it is necessary to refer the matter to another enforcement authority, it shall refer the matter to the relevant authority for handling in accordance with law.

Article 10. Where a personal information security incident — such as a leak — occurs during the processing of personal information by a personal information handler or a recipient, immediate remedial measures shall be taken and the relevant authorities shall be notified in accordance with the jurisdiction of the relevant party: specifically, the Cyberspace Administration of China and the Guangdong Provincial Cyberspace Administration, or the Economic and Technological Development Bureau and the Personal Data Protection Bureau of the Macao Special Administrative Region Government.

Article 11. The foregoing provisions shall not affect the authorities responsible for performing personal information protection duties on the Mainland, or the Personal Data Protection Bureau of the Macao SAR, from strengthening personal information protection and supervisory management within their respective remits in accordance with law, including handling complaints and reports relating to personal information protection and investigating and handling unlawful personal information processing activities.

Article 12. Authorities and their personnel shall, in accordance with law, keep confidential the personal privacy, personal information, trade secrets, and confidential commercial information that come to their knowledge in the performance of their duties, and shall not disclose such information or provide it to third parties or use it illegally.

Article 13. The Cyberspace Administration of China and the Economic and Technological Development Bureau of the Macao Special Administrative Region Government may, in light of actual circumstances and by mutual agreement, amend these Implementation Guidelines and their annexes.

Article 14. These Implementation Guidelines shall take effect from the date of promulgation.


Annexes (structural summary)

Structural summary — not the operative contract text. DCC summarizes the structure of the two annexes below for orientation. The authoritative, executable templates are those published by the issuing authorities; consult the official source linked in this page’s metadata before drafting or filing. The Standard Contract substantially mirrors the national Standard Contract under the SCC Measures, adapted for the Mainland–Macao context.

Annex 1 — Standard Contract for the Cross-Border Flow of Personal Information within the GBA (Mainland, Macao). A preamble records the parties’ details. Its articles cover: Art. 1 definitions (mapping Mainland and Macao terms — e.g. “personal information handler”/“data controller”, “individual”/“data subject”, and the respective supervisory authorities and applicable laws); Art. 2 obligations of the personal information handler (notice and consent, minimum-scope provision, a PIPIA retained for at least three years, third-party-beneficiary notice, and burden of proof); Art. 3 obligations of the recipient (process only within Appendix I, storage limitation and deletion, security and access-control measures, breach notification, no onward transfer outside the GBA, sub-processing controls, ≥3-year records, and cooperation with supervision); Art. 4 rights of individuals as third-party beneficiaries; Art. 5 remedies (a designated contact, complaints, and a choice of Mainland or Macao courts); Art. 6 termination; Art. 7 breach liability (including joint and several liability with a right of recourse); and Art. 8 miscellaneous (governing law of the handler’s jurisdiction, notices, and arbitration or litigation). Appendix I records the description of the cross-border provision (purpose, method, scale, data types by reference to GB/T 35273, onward recipients, transmission method, storage period, and storage location); Appendix II is for additional terms agreed by the parties.

Annex 2 — Commitment Letter (template). A short undertaking that the filing materials are authentic, complete, and accurate; that the party will cooperate with the filing under the Standard Contract; and that the PIPIA was completed within the three months before filing with no material change since.

Practical Guidance

1. Relationship to National Cross-Border Transfer Pathways

The GBA (Mainland-Macao) SCC Guidelines establish a distinct intra-Bay-Area facilitation arrangement that operates alongside — but is separate from — the three national cross-border transfer routes under the Personal Information Protection Law (PIPL): the CAC Data Export Security Assessment (for critical information infrastructure operators and high-volume handlers), the Personal Information Protection Certification, and the national Standard Contract for the Outbound Transfer of Personal Information governed by the Measures on the Standard Contract for the Outbound Transfer of Personal Information (the SCC Measures, effective 1 June 2023).

Key threshold relief. Under the national framework, non-critical information infrastructure operators must undergo a CAC security assessment if they propose to transfer the personal information of one million or more individuals (non-sensitive) or 10,000 or more individuals (sensitive) outside the PRC. The GBA Macao arrangement explicitly overrides this threshold for eligible parties: a non-critical information infrastructure operator registered in one of the nine Guangdong GBA cities may use the GBA Standard Contract to transfer personal information to Macao — even at volumes exceeding those national thresholds — without conducting a CAC security assessment. This is the same relief afforded under the parallel GBA (Mainland-Hong Kong) SCC Guidelines (December 2023).

2. Scope of Eligible Parties

Both the personal information handler and the recipient must be registered in (for organizations) or located in (for individuals) the nine Guangdong GBA cities or the Macao SAR. Parties registered or located outside these jurisdictions — including those in Hong Kong, other Guangdong cities, or other provinces — cannot use this arrangement. The exclusion for important data applies regardless of data volume.

3. Filing Procedure

Within 10 working days of the Standard Contract taking effect, both parties must file with the competent authority of their respective jurisdiction:

  • Mainland-side parties file with the Guangdong Provincial Cyberspace Administration (广东省互联网信息办公室);
  • Macao-side parties file with the Personal Data Protection Bureau of the Macao SAR Government (澳门特别行政区政府个人资料保护局).

The filing package consists of: (i) a copy of the legal representative’s identity document; (ii) the Commitment Letter (using the Annex 2 template); and (iii) the executed Standard Contract. The PIPIA report need not be submitted at filing but must be retained for at least three years.

4. Individual Rights Under the Standard Contract

A distinctive feature of the Standard Contract is its third-party beneficiary clause (Article 4). Individuals whose personal information is transferred under the Contract are designated as third-party beneficiaries and may invoke specified provisions of the Contract directly against either or both parties. The Standard Contract specifies the means by which individuals may receive a copy of the Contract, raise complaints with supervisory authorities, or bring proceedings before a competent court in the Mainland or in Macao.

5. Governing Law and Dispute Resolution

The Standard Contract is governed by the laws and regulations of the personal information handler’s jurisdiction. Disputes between the parties may be resolved through arbitration (before any of the specified institutions) or litigation before a competent Mainland or Macao court. Individual third-party beneficiaries may bring proceedings in the Mainland or in Macao under applicable procedural and mutual recognition frameworks.

6. Comparison with GBA (Mainland-Hong Kong) SCC Guidelines

The Macao Guidelines closely follow the structure of the Hong Kong Guidelines (issued 13 December 2023) but differ in the following respects: (i) the co-issuing authority is the Macao Economic and Technological Development Bureau and the Personal Data Protection Bureau of the Macao SAR Government (rather than the Innovation, Technology and Industry Bureau of the Hong Kong SAR); (ii) the filing authority on the Macao side is the Personal Data Protection Bureau of the Macao SAR (rather than the Office of the Government Chief Information Officer of Hong Kong); (iii) the applicable Macao personal data law governs Macao-side handlers and individuals; and (iv) the Macao Guidelines contain 14 articles (the Hong Kong Guidelines contain 15, with a separate article on supervision). The Standard Contract itself adapts the relevant defined terms and governing law references to reflect Macao’s legal system.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →