---
title_en: "Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025)"
title_zh: "数据安全技术 个人信息跨境处理活动安全认证要求 (GB/T 46068-2025)"
abbreviation: "GB/T 46068"
hierarchy: "standard"
issuing_body: "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["cross-border-pi-certification-measures", "pipl"]
domains: ["cross-border", "personal-information"]
url: https://datacompliancechina.com/laws/gbt-46068-cross-border-pi-certification-requirements/
summary: "GB/T 46068-2025 is a recommended national standard setting the security requirements for certifying cross-border processing of personal information — the personal-information protection certification route that PIPL Article 38 offers as one lawful basis for transferring personal information abroad. It specifies the requirements that handlers and overseas recipients must meet to be certified, including legally binding agreements, organizational and technical safeguards, and protection of data subjects' rights. It elevates and complements the earlier TC260 certification specification."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/gbt-46068-cross-border-pi-certification-requirements/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025)", https://datacompliancechina.com/laws/gbt-46068-cross-border-pi-certification-requirements/
> *DCC summary, not a translation.* GB/T 46068-2025 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text.

## Scope

GB/T 46068-2025 specifies **security certification requirements for cross-border processing activities involving personal information**. It applies to the parties to a cross-border personal-information transfer — the domestic personal-information handler and the overseas recipient — and to the certification bodies assessing them. It is the technical basis for the **personal-information protection certification** route to lawful cross-border transfer.

It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series, and supersedes/upgrades the earlier TC260 *Practice Guide — Security Certification Specification for Cross-Border Processing of Personal Information* as the reference for this certification route.

## Key contents

At a structural level the standard is expected to cover:

- **Basic principles** for cross-border personal-information processing — lawfulness, transparency, purpose limitation, and ensuring the overseas recipient affords protection meeting Chinese requirements.
- **Legally binding agreement** — requirements for a binding instrument between the handler and the overseas recipient allocating responsibilities and protecting data subjects' rights.
- **Organizational and accountability requirements** — designation of responsible personnel/bodies, binding internal rules, and accountability across the two parties (including for onward transfers).
- **Technical and management safeguards** for the data both before and after it leaves China.
- **Data-subject rights protection** — ensuring individuals can exercise PIPL rights against both parties and have recourse, including a mechanism for accepting jurisdiction/responsibility within China.
- **Continuing-supervision** expectations consistent with the certification scheme.

> *Editor: verify specific clauses against the published standard.*

## How it fits the regime

GB/T 46068 underpins one of the three lawful bases for cross-border personal-information transfer under **PIPL Article 38**: passing a **security assessment** (CAC), concluding the **standard contract**, or obtaining **personal-information protection certification** from a specialized body. Certification is the focus of this standard.

It is the technical companion to the **Measures for the Certification of Cross-Border Processing of Personal Information** (and the broader personal-information-protection certification scheme), supplying the substantive requirements certification bodies test against. For overseas compliance teams — particularly multinational groups moving personal information intra-group across the Chinese border — it is the reference for what a certifiable cross-border transfer arrangement must contain. It works alongside the standard-contract and security-assessment routes and the **Provisions on Promoting and Regulating Cross-Border Data Flows**, which set the thresholds and exemptions that determine which route (if any) applies.
