DCC summary, not a translation. GB/T 46068-2025 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.
Scope
GB/T 46068-2025 specifies security certification requirements for cross-border processing activities involving personal information. It applies to the parties to a cross-border personal-information transfer — the domestic personal-information handler and the overseas recipient — and to the certification bodies assessing them. It is the technical basis for the personal-information protection certification route to lawful cross-border transfer.
It is a recommended standard in the “Data Security Technology” (数据安全技术) series, and supersedes/upgrades the earlier TC260 Practice Guide — Security Certification Specification for Cross-Border Processing of Personal Information as the reference for this certification route.
Key contents
At a structural level the standard is expected to cover:
- Basic principles for cross-border personal-information processing — lawfulness, transparency, purpose limitation, and ensuring the overseas recipient affords protection meeting Chinese requirements.
- Legally binding agreement — requirements for a binding instrument between the handler and the overseas recipient allocating responsibilities and protecting data subjects’ rights.
- Organizational and accountability requirements — designation of responsible personnel/bodies, binding internal rules, and accountability across the two parties (including for onward transfers).
- Technical and management safeguards for the data both before and after it leaves China.
- Data-subject rights protection — ensuring individuals can exercise PIPL rights against both parties and have recourse, including a mechanism for accepting jurisdiction/responsibility within China.
- Continuing-supervision expectations consistent with the certification scheme.
Editor: verify specific clauses against the published standard.
How it fits the regime
GB/T 46068 underpins one of the three lawful bases for cross-border personal-information transfer under PIPL Article 38: passing a security assessment (CAC), concluding the standard contract, or obtaining personal-information protection certification from a specialized body. Certification is the focus of this standard.
It is the technical companion to the Measures for the Certification of Cross-Border Processing of Personal Information (and the broader personal-information-protection certification scheme), supplying the substantive requirements certification bodies test against. For overseas compliance teams — particularly multinational groups moving personal information intra-group across the Chinese border — it is the reference for what a certifiable cross-border transfer arrangement must contain. It works alongside the standard-contract and security-assessment routes and the Provisions on Promoting and Regulating Cross-Border Data Flows, which set the thresholds and exemptions that determine which route (if any) applies.