Promulgated by: Cyberspace Administration of China (CAC).
Document No.: Decree No. 13 of the Cyberspace Administration of China.
Adopted at the 11th executive meeting of the CAC in 2023 on February 22, 2023. Effective June 1, 2023.
Article 1. For the purposes of protecting personal information rights and interests, and regulating outbound transfer of personal information, the Measures on the Standard Contract for Outbound Transfer of Personal Information (the “Measures”) are enacted in accordance with the Personal Information Protection Law of the People’s Republic of China and other laws and administrative regulations of the People’s Republic of China.
Article 2. Any personal information handler who enters into a standard contract for the outbound transfer of personal information outside the People’s Republic of China (the “Standard Contract”) with a foreign recipient shall apply the Measures.
Article 3. When conducting any outbound transfer of personal information by means of concluding the Standard Contract, the personal information handler shall stick to the combination of autonomous contracting with record-filing management, the protection of interests with security risk prevention, and the ensurance of security and free flow of personal information.
Article 4. Any personal information handler transferring personal information abroad by entering into the Standard Contract shall meet all of the following conditions:
(1) it is not a critical information infrastructure operator;
(2) it processes the personal information of less than 1 million individuals;
(3) it has cumulatively transferred abroad the personal information of less than 100,000 individuals since January 1 of the previous year; and
(4) it has cumulatively transferred abroad the sensitive personal information of less than 10,000 individuals since January 1 of the previous year. Where there are other relevant provisions in any laws, administrative regulations or rules of the Cyberspace Administration of China, such provisions shall apply. When using the Standard Contract for outbound transfer of personal information, the personal information handler shall not use methods such as quantity splitting of the personal information that is required by law to undergo the outbound security assessment.
Article 5. Prior to the outbound transfer of personal information, the personal information handler shall conduct a personal information protection impact assessment, with the focus of the following:
(1) the legality, legitimacy and necessity of the purpose, scope and method of the processing personal information by the personal information handler and the foreign recipient;
(2) the volume, scope, category, and sensitivity of personal information to be transferred abroad, and the risks to the personal information rights and interests that may be caused by the outbound transfer of personal information;
(3) the obligations that the foreign recipient promises to undertake, and whether the management and technical measures and capabilities of the foreign recipient to perform the obligations can ensure the security of the personal information to be transferred abroad;
(4) risk of tampering, damage, leakage, loss and abuse after outbound transfer of personal information, and whether the channels for individuals to exercise their personal information rights and interests are accessible and smooth;
(5) the impact of policies and regulations for the protection of personal information on the performance of the Standard Contract in the country or region where the foreign recipient is located; and
(6) other factors that may affect the security of outbound transfer of personal information.
Article 6. The Standard Contract shall be concluded in strict accordance with the Annex of the Measures. The Cyberspace Administration of China may adjust the Annex in light of actual circumstances. The personal information handler may agree on other terms with the foreign recipient, provided that such terms do not conflict with the Standard Contract. The outbound transfer of personal information shall not be carried out until the Standard Contract enters into force. 10
Article 7. The personal information handler shall, within 10 working days after the Standard Contract enters into effect, apply for filing with the cyberspace administration at the provincial level. The following materials shall be submitted for the record-filing:
(1)the Standard Contract; and
(2) the personal information protection impact assessment report. The personal information handler shall be responsible for the authenticity of the record-filing materials.
Article 8. Where any of the following circumstances occurs during the validity period of the Standard Contract, the personal information handler shall conduct personal information protection impact assessment again, supplement or re-sign the Standard Contract, and conduct relevant record-filing formalities:
(1) the purpose, scope, category, sensitivity, method and storage location of personal information transferred abroad, or the purpose and method of personal information processing by the foreign recipient has changed, or the retention period of personal information located abroad is extended;
(2) the personal information rights and interests will be affected by the changes in the policies and regulations on personal information protection in the country or region where the foreign recipient is located; or
(3) other circumstances that may affect the personal information rights and interests.
Article 9. The cyberspace administration and its personnel shall keep confidential the personal privacy, personal information, trade secrets, confidential business information, etc. that they have accessed in performing their duties in accordance with the law, and shall not disclose them, illegally provide them to others, or illegally use them.
Article 10. Any organization or individual may report to the cyberspace administration at the provincial level or above if it finds that any personal information handler has engaged in outbound transfer of personal information in violation of the Measures.
Article 11. Where the cyberspace administration at the provincial level or above finds that there are relatively high risks in the outbound transfer of personal information, or that a personal information security incident has occurred, it may interview the personal information handler in accordance with the law. The personal information handler shall make rectifications and eliminate hidden dangers as required.
Article 12. Any violation of the Measures shall be punished in accordance with the Personal Information Protection Law of the People’s Republic of China, and other laws and regulations; where a crime is constituted, criminal responsibility shall be investigated according to the law. ____________________ ______________________________ __________________________ _____ _________________ ________________________ ______________________________ __________________________ _____ _________________ ____ __ __ _________ “ ” “ ” “ ” “ ” “ ” “ ” “ ” “ ” “ ” “ ” 30 __________________________________________ “ ”
(1)
(2)
(3)
(4) “ ”
(1)
(2)
(3) __________________________ _____________ __ __ __ Article 13 The Measures shall enter into force on June 1, 2023. For the outbound transfer of personal information that has already happened before the Measures takes effect, if it is found that any such transfer is not in compliance with the Measures, rectification shall be completed within 6 months upon the effective date of the Measures.
Annex: Standard Contract for Outbound Transfer of Personal Information Formulated by the Cyberspace Administration of China In order to ensure that the activity of processing Personal Information by the Foreign Recipient meets the standards of Personal Information protection stipulated by the Relevant Laws and Regulations of the People’s Republic of China, and to specify the rights and obligations of the Personal Information Handler and the Foreign Recipient, the Parties hereby enter into this Contract upon negotiation. Personal Information Handler: _______________________________ Address: ___________________________________________________ Contact Information: _________________________ Contact person: __________ Position: __________ Foreign Recipient: __________________________________________ Address: ___________________________________________________ Contact Information: _________________________ Contact person: __________ Position: __________ The Personal Information Handler and the Foreign Recipient will carry out the activities concerning the outbound transfer of Personal Information in accordance with this Contract. The Parties [have entered into] / [agreed to enter into] a commercial contract to further the commercial acts related to such activities, namely [description of commercial contract] on [MM/DD/YY]. The major body of this Contract is drafted in accordance with the requirements of the Measures on the Standard Contract for Outbound Transfer of Personal Information. Other agreements between the parties, if any, may be specified in Appendix II. The Appendix forms an integrated part of this Contract. Article 1Definitions In this Contract, unless the context otherwise requires: 1. “Personal Information Handler” refers to any organization or individual that independently decides the purpose and method of the Personal Information processing activities and transfers Personal Information outside the territory of the People’s Republic of China. 2. “Foreign Recipient” refers to an organization or individual outside the territory of the People’s Republic of China that receives Personal Information from the Personal Information Handler. 3. Personal Information Handler or Foreign Recipient are referred to individually as a “Party”, and collectively as the “Parties”. 4. “Personal Information Subject” refers to a natural person identified by or associated with the Personal Information. 5. “Personal Information” refers to all kinds of information related to identified or identifiable natural persons that are electronically or otherwise recorded, excluding information that has been anonymized. 6. “Sensitive Personal Information” refers to the Personal Information that , once leaked or illegally used, is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety, including biometric recognition, religious belief, specific identity, medical health, financial account, personal whereabouts, and the Personal Information of minors under the age of 14. 7. “Regulatory Authority” refers to the Cyberspace Administration of the People’s Republic of China at the provincial level or above. 8. “Relevant Laws and Regulations” refer to the laws and regulations of the People’s Republic of China, such as the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Civil Code of the People’s Republic of China, Civil Procedure Law of the People’s Republic of China, and Measures on the Standard Contract for Outbound Transfer of Personal Information. 9. The meanings of other terms not defined in the Contract are in line with those stipulated in the Relevant Laws and Regulations. Article 2Obligations of the Personal Information Handler The Personal Information Handler shall perform the following obligations: 1. Process Personal Information in accordance with the Relevant Laws and Regulations. The Personal Information to be transferred abroad shall be limited to the minimum scope required for the purpose of processing. 2. Inform the Personal Information Subject of matters such as the name and contact information of the Foreign Recipient, the purpose of processing, method of processing, type of Personal Information, retention periods, and the methods and procedures for the Personal Information Subject to exercise his/her rights specified in Appendix I “Description of the Outbound Transfer of Personal Information”. Where Sensitive Personal Information is transferred abroad, the Personal Information Subject shall be informed of the necessity of the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of the Personal Information Subject, unless otherwise provided in the laws and administrative regulations that such notification is not require 3. If Personal Information is transferred abroad based on the consent of the individual, the separate consent of the Personal Information Subject shall be obtained. Where the Personal Information involves that of a minor under the age of 14, the separate consent of the minor’s parent or any other guardian, shall be obtained. Where written consent is required by laws and administrative regulations, the written consent shall be obtained. 4. Inform the Personal Information Subject that the Personal Information Handler and the Foreign Recipient have agreed that the Personal Information Subject is a third-party beneficiary under this Contract, and if the Personal Information Subject fails to raise an express rejection within thirty days, the Personal Information Subject shall be entitled to act as a third-party beneficiary in accordance with the Contract. 5. Make reasonable efforts to ensure that the Foreign Recipient has taken the following technical and organizational measures to perform its obligations under this Contract (taking into account potential Personal Information security risks that may be caused by the purpose of Personal Information processing, the type, scale, scope and sensitivity of the Personal Information, the scale and frequency of the transfer, the period of the outbound transfer of Personal Information, the period of retention by the Foreign Recipient, and other matters that may lead to a Personal Information security risk): (such as encryption, anonymization, de-identification, access control or other technical and organizational measures) 6. Provide copies of Relevant Laws and Regulations and technical standards to the Foreign Recipient upon request. 7. Reply to inquiries from the Regulatory Authority about the Foreign Recipient’s processing activities. 8. Carry out a Personal Information Protection Impact Assessment in accordance with the Relevant Laws and Regulations regarding the proposed transfer of Personal Information to the Foreign Recipient. The assessment shall focus on the following matters:
(1) the legality, legitimacy and necessity of the purpose, scope and method of processing Personal Information by the Personal Information Handler and Foreign Recipient;
(2) the scale, scope, type, and sensitivity of Personal Information to be transferred overseas, and the risks to Personal Information that may be caused by the outbound transfer of Personal Information;
(3) the obligations that the Foreign Recipient promises to undertake, and whether the organizational and technical measures and capabilities to perform the obligations can guarantee the security of the Personal Information to be transferred abroad;
(4) risk of Personal Information being tampered with, destroyed, leaked, lost, illegally used, etc. after the outbound transfer, and whether there are channels for individuals to smoothly exercise Personal Information rights and interests etc.;
(5) in accordance with Article 4 hereof, to evaluate whether the performance of this Contract will be affected by the local policies and regulations with respect to protection of Personal Information; and
(6) other matters that may affect the security of outbound transfer of Personal Information. The Personal Information Protection Impact Assessment Report shall be kept for at least three years. 9. Provide a copy of this Contract to the Personal Information Subject upon the Personal Information Subject ‘s request. If trade secrets or confidential business information are involved, the relevant contents of the copy of this Contract may be appropriately redacted, provided that such redaction will not affect the understanding of the Personal Information Subject. 10. Assume a burden of proof for the performance of obligations under this Contract. 11. In accordance with Relevant Laws and Regulations, provide the Regulatory Authority with all information as described in Article 3.11, including all compliance audit results. Article 3Obligations of the Foreign Recipient The Foreign Recipient shall perform the following obligations: 1. Process the Personal Information in accordance with Appendix I “Description of the Outbound Transfer of Personal Information”. Where the Foreign Recipient processes the Personal Information in a way beyond the purpose and method of the Personal Information processing, and types of the Personal Information as agreed, it shall obtain the separate consent of the Personal Information Subject in advance if the processing of Personal Information is based on the consent of the Personal Information Subject; where the Personal Information of a minor under the age of 14 is involved, the separate consent of the minor’s parent,or any other guardian, shall be obtained. 2. Where the Foreign Recipient is contracted by the Personal Information Handler to process Personal Information, the Foreign Recipient shall process the Personal Information in accordance with the agreement with the Personal Information Handler and shall not process the Personal Information in a way beyond the purpose or method of the Personal Information processing. 3. Provide a copy of this Contract to the Personal Information Subject upon the Personal Information Subject’s request. If trade secrets or other confidential business information are involved, relevant parts of this Contract may be appropriately redacted, provided that such redaction will not affect the understanding of the Personal Information Subject. 4. Process the Personal Information in a manner that has the least impact on the rights and interests of the Personal Information Subject. 5. The retention period of Personal Information shall be the minimum period necessary for achieving the purpose of processing. Upon expiry of the retention period, the Personal Information (including all back-up copies) shall be deleted. Where the processing of Personal Information is contracted by the Personal Information Handler, and the personal information processing agreement fails to become effective, becomes null and void, or is cancelled or terminated, the Personal Information being processed shall be returned to the Personal Information Handler or deleted, and a written statement shall be provided to the Personal Information Handler. If it is technically difficult to delete the Personal Information, the processing of the Personal Information, other than the storage and any necessary measures taken for security protection, shall be ceased. 6. Ensure the security of Personal Information processing in the following ways:
(1) take technical and organizational measures including but not limited to those listed in Article 2.5 of this Contract and carry out regular inspections to ensure the security of Personal Information; and
(2) ensure that the personnel authorized to process Personal Information perform their confidentiality obligations and establish access control permissions of minimum authorization. 7. In the event that Personal information is or may be tampered with, destroyed, leaked, lost, illegally used, provided or accessed without authorization, the Foreign Recipient shall:
(1) promptly take appropriate measures to mitigate the adverse impact on the Personal Information Subject;
(2) immediately notify the Personal Information Handler and report to the Regulatory Authority in accordance with the Relevant Laws and Regulations. The notice shall contain the following contents: i. the type of Personal Information to which the tampering with, destruction, leakage, loss, illegal use, unauthorized provision or access occurs or may occur, the cause of such event or potential event, and the potential harm; ii. remedial measures that have been taken; iii. measures that can be taken by the Personal Information Subject to mitigate harm; and iv. contact information of the person, or team, in charge of handling the situation.
(3) where the Relevant Laws and Regulations require the notification of the Personal Information Subject, the content of the notice shall include the foregoing contents in Article 3.7. (2) above; where the processing of Personal Information is contracted by the Personal Information Handler, the Personal Information Handler shall notify the Personal Information Subject;
(4) record and retain all the situations thereof relating to the occurrence or potential occurrence of tampering, destruction, leakage, loss, illegal use, unauthorized provision or access, including all remedial measures taken. 8. The Foreign Recipient may provide Personal Information to the third party located outside the territory of the People’s Republic of China only, if all of the following requirements are met:
(1) there is a necessity from the business perspective;
(2) the Personal Information Subject has been informed of such third party’s name, contact information, the purpose of processing, method of processing, type of Personal Information, retention periods, and the methods and procedures for the Personal Information Subject to exercise his/her rights. Where Sensitive Personal Information is provided to such third party, the Personal Information Subject should also be informed of the necessity of the outbound transfer of Sensitive Personal Information and the impact on the rights and interests of the Personal Information Subject. However, unless otherwise provided by laws and administrative regulations that such notification is not required;
(3) Where the processing of Personal Information is based on the consent of the Personal Information Subject, the separate consent of the Personal Information Subject shall be obtained; where the Personal Information of a minor under the age of 14 is involved, the separate consent of the minor’s parent, or any other guardian, shall be obtained. Where written consent is required by laws and administrative regulations, such written consent shall be obtained;
(4) enter into a written agreement with the third party to ensure that the processing of Personal Information by the third party meets the standards for protection of Personal Information required by the Relevant Laws and Regulations of the People’s Republic of China, and the Foreign Recipient will assume the liability for the infringement of Personal Information Subject’s rights due to the provision of Personal Information to the third party located outside the territory of the People’s Republic of China;
(5) provide a copy of the above agreement to the Personal Information Subject upon the Personal Information Subject’s request. If trade secrets or other confidential business information are involved, relevant parts of the agreement may be appropriately redacted provided that such redaction will not affect the understanding of the Personal Information Subject. 9. Where the Foreign Recipient is contracted by the Personal Information Handler to process Personal Information, and the Foreign Recipient intends to sub-contract the processing to a third party, the Foreign Recipient shall obtain the consent of the Personal Information Handler in advance and shall ensure that the sub-contractor will not process Personal Information in a way beyond the purpose and method of the processing as specified in Appendix I “Description of the Outbound Transfer of Personal Information”, and shall monitor the Personal Information processing activities of the third party. 10. When making use of Personal Information for automated decision-making, the Foreign Recipient shall ensure the transparency of decision-making and fair and impartial results, and shall not carry out unreasonable or differential treatment of the Personal Information Subject in terms of transaction conditions, such as transaction price. Where automated decision-making is used for pushing information and commercial marketing to the Personal Information Subject, the Foreign Recipient shall also provide the Personal Information Subject with options that are not specific to the individuals’ characteristics, or a convenient way for the Personal Information Subject to reject the automated decision-making. 11. Undertake to provide the Personal Information Handler with all necessary information required to comply with the obligations under this Contract, provide the Personal Information Handler access to review the necessary data documents, and files, or conduct a compliance audit of the processing activities under this Contract, and the Foreign Recipient shall facilitate the compliance audit conducted by the Personal Information Handler. 12. Maintain an accurate record of the Personal Information processing activities carried out for at least 3 years and provide the relevant records and documents to the Regulatory Authority directly or through the Personal Information Handler, as required by the Relevant Laws and Regulations. 13. Agree to be subject to supervision by the Regulatory Authority during an enforcement procedure related to supervising the implementation of this Contract, including but not limited to responding to inquiries and inspections by the Regulatory Authority, following the actions taken or decisions made by the Regulatory Authority, and providing written confirmation that necessary measures have been taken etc. Article 4The Impact of Personal Information Protection Policies and Regulations in the Foreign Recipient’s Country or Region on the Performance of this Contract 1. The Parties warrant that they have exercised reasonable care when entering into this Contract and are not aware of Personal Information protection polices and regulations in the Foreign Recipient’s country or region (including any requirements on providing Personal Information or authorizing public authorities to access Personal Information) that would have an impact on the Foreign Recipient’s performance of its obligations under this Contract. 2. The Parties declare that, when making the warranties in Article 4.1, they have conducted the assessment in conjunction with the following circumstances:
(1) the specific circumstances of outbound transfer, including the purpose of processing the Personal Information, the types, scale, scope and sensitivity of the Personal Information transferred, the scale and frequency of transfer, the period of the outbound transfer of Personal Information and the retention period of the Foreign Recipient, the previous experience of the Foreign Recipient with respect to outbound transfer and processing of similar Personal Information, whether any Personal Information security incident had occurred to the Foreign Recipient and whether such incident was timely and effectively handled, whether the Foreign Recipient has received any request to provide Personal Information to the public authority of the country or region where it is located and how the Foreign Recipient has responded to such request;
(2) the Personal Information protection policies and regulations of the country or region where the Foreign Recipient is located, including the following elements: i. the existing Personal Information protection laws, regulations and generally applicable standards of the country or region; ii. the regional or global organizations of Personal Information protection that the country or region accedes to, and binding international commitments made by the country or region; and iii. the mechanisms for Personal Information protection implemented in the country or region, such as whether there are supervision and enforcement authorities and relevant judicial authorities responsible for protecting Personal Information.
(3) the Foreign Recipient’s security management system and technical capabilities. 3. The Foreign Recipient warrants that it has used its best efforts to provide the Personal Information Handler with the necessary relevant information for the assessment under Article 4.2. 4. The Parties shall keep a record of any such assessment carried out under Article 4.2 as well as the assessment results. 5. Where the Foreign Recipient is unable to perform this Contract due to any change in the policies and regulations on Personal Information protection of the country or region where the Foreign Recipient is located (including any change of laws or mandatory measures in the country or region where the Foreign Recipient is located), the Foreign Recipient shall notify the Personal Information Handler immediately after being aware of the aforesaid change. 6. If the Foreign Recipient receives a request for provision of Personal Information under this Contract from a governmental authority or judicial authority in the country or region where the Foreign Recipient is located, it shall promptly notify the Personal Information Handler. Article 5Rights of the Personal Information Subject The Parties agree that the Personal Information Subject shall be entitled to the following rights as a third-party beneficiary under this Contract. 1. The Personal Information Subject, in accordance with Relevant Laws and Regulations, has the right to know and to make decisions on the processing of the Personal Information, the right to restrict or refuse processing of the Personal Information Subject’s Personal Information by others, the right to request access to, copy, correct, supplement or delete the Personal Information, and the right to request others to explain the rules for the processing of the Personal Information Subject’s Personal Information. 2. When the Personal Information Subject requests to exercise the above-mentioned rights regarding their Personal Information that has been transferred abroad, the Personal Information Subject may request the Personal Information Handler to take appropriate measures for the realization of those rights, or directly make the request to the Foreign Recipient. If the Personal Information Handler is unable to realize those rights, it shall notify the Foreign Recipient and request the Foreign Recipient to assist in the realization. 3. The Foreign Recipient shall, as notified by the Personal Information Handler or requested by the Personal Information Subject, realize the rights that the Personal Information Subject is entitled to within a reasonable period and in accordance with the Relevant Laws and Regulations. The Foreign Recipient shall inform the Personal Information Subject about the relevant information which shall be true, accurate and complete, in an obvious way and using clear and understandable language. 4. If the Foreign Recipient intends to refuse the request of the Personal Information Subject, it shall inform the Personal Information Subject the reasons of the refusal, as well as the channels for the Personal Information Subject to raise complaints with the relevant Regulatory Authority and seek judicial remedies. 5. The Personal Information Subject, as a third-party beneficiary to this Contract, has the right to claim against one or both of the Personal Information Handler and the Foreign Recipient in accordance with this Contract and require them to perform the following clauses under this Contract relating to the rights of the Personal Information Subject:
(1) Article 2, except for Articles 2.5, 2.6 and 2.7;
(2) Article 3, except for Articles 3.7(2) and 3.7(4), 3.9, 3.11, 3.12 and 3.13;
(3) Article 4, except for Articles 4.5 and 4.6;
(4) Article 5;
(5) Article 6;
(6) Article 8.2 and 8.3; and
(7) Article 9.5. The above agreement shall not affect the rights and interests of the Personal Information Subject in accordance with the Personal Information Protection Law of the People’s Republic of China. Article 6Remedies 1. The Foreign Recipient shall identify a contact person who is authorized to respond to enquiries or complaints concerning the processing of Personal Information, and it shall promptly deal with any enquiries or complaints from the Personal Information Subject. The Foreign Recipient shall notify the Personal Information Handler of the contact information and shall inform the Personal Information Subject of the contact information in a manner which is easy to understand, by separate notice or announcement on its website. To be specific: Contact person and contact information (office phone number or email address). 2. If a dispute arises between either Party and the Personal Information Subject with respect to the performance of this Contract, such Party shall notify the other Party and the Parties shall cooperate to resolve the dispute. 3. If the dispute cannot be resolved amicably and the Personal Information Subject exercises the rights as a third-party beneficiary in accordance with Article 5, the Foreign Recipient shall accept that the Personal Information Subject may safeguard his/her rights through either of the following means:
(1) lodging a complaint with the Regulatory Authority; and
(2) bringing a lawsuit to the court specified in Article 6.5. 4. The Parties agree that when the Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, if the Personal Information Subject chooses to apply the Relevant Laws and Regulations of the People’s Republic of China, such choice shall prevail. 5. The parties agree that if the Personal Information Subject exercises the rights as a third-party beneficiary with respect to a dispute under this Contract, the Personal Information Subject may file a lawsuit with a competent court in accordance with the Civil Procedure Law of the People’s Republic of China. 6. The Parties agrees that the choices made by the Personal Information Subject to safeguard his/her rights will not impair the rights of the Personal Information Subject to seek remedies in accordance with other laws and regulations. Article 7Termination of the Contract 1. If the Foreign Recipient breaches the obligations specified in this Contract or the Foreign Recipient is unable to perform this Contract due to a change in the policies and regulations on Personal Information protection in the Foreign Recipient’s country or region (including amendment to the laws or adoption of compulsory measures in the Foreign Recipient’s country or region), the Personal Information Handler may suspend the provision of Personal Information to the Foreign Recipient until the breach is corrected or the Contract is terminated. 2. In case of any of the following circumstances, the Personal Information Handler shall be entitled to terminate this Contract and notify the Regulatory Authority where necessary:
(1) where the Personal Information Handler has suspended the provision of Personal Information to the Foreign Recipient for more than one month in accordance with Article 7.1;
(2) the Foreign Recipient’s compliance with this Contract will violate the laws and regulations of its own country or region;
(3) the Foreign Recipient seriously or persistently breaches the obligations under this Contract;
(4) the Foreign Recipient or the Personal Information Handler have breached this Contract pursuant to a final decision of a competent court or the regulatory body supervising the Foreign Recipient; and The Foreign Recipient may also terminate this Contract in case of sub-paragraph (1), (2) or (4) of above. 3. The Contract may be terminated upon mutual agreement by the Parties, provided that such termination shall not exempt the Parties from the obligations of protecting Personal Information during the processing of the Personal Information. 4. If the Contract is terminated, the Foreign Recipient shall promptly return or delete the Personal Information (including all back-up copies) received hereunder and provide the Personal Information Handler with a written statement. If it is technically difficult to delete the Personal Information, any processing of the Personal Information, other than the storage and taking necessary security protection measures, shall be ceased. Article 8Liability for Breach of the Contract 1. Each Party shall be liable to the other Party for any damage as a result of its breach of this Contract. 2. Each Party shall bear civil liabilities to the Personal Information Subject if its breach of this Contract infringes the rights of the Personal Information Subject, without prejudice to the administrative, criminal or other legal liabilities that shall be assumed by the Personal Information Handler under the Relevant Laws and Regulations. 3. The Parties shall assume joint and several liability in accordance with the law. The Personal Information Subject shall have the right to request each Party or the Parties to assume liability. When the liability assumed by one Party exceeds the liability such Party shall be assumed, it shall have the right to claim against the other Party accordingly. Article 9Miscellaneous 1. If this Contract conflicts with any other legal documents existing between the Parties, the provisions of this Contract shall prevail. -2. The formation, validity, performance and interpretation of this Contract and any dispute between the Parties arising from this Contract shall be governed by the Relevant Laws and Regulations of the People’s Republic of China. -3. All notices shall be promptly transmitted or posted by electronic mail, cable, telex, facsimile (confirmation copy sent by airmail), or registered airmail to (specify address _________________________ or such other address as may be substituted for such address by written notice). Receipt of any notice under this Contract shall be deemed to have been received ________ days after its postmark-date in the case of registered airmail and ________ working days after dispatch in the case of e-mail, cable, telex or facsimile transmission. -4. Any dispute arising from this Contract between the Parties, the Personal Information Handler and the Foreign Recipient, as well as a claim by either Party against the other for recovery of compensation already paid to the Personal Information Subject, shall be resolved by the Parties through negotiation; if such negotiation fails, either Party may adopt any of the following methods to resolve the dispute (check the box for the chosen arbitration institution, if arbitration is required):1 □ □ □ □ □ ___________ ____________ 2 __ __ ______________ ____________ ____ __ __ ________________ ____ __ __ GB/T 35273 GB/T 35273
(1) Arbitration. The dispute shall be submitted to: China International Economic and Trade Arbitration Commission China Maritime Arbitration Commission Beijing Arbitration Commission (Beijing International Arbitration Center) Shanghai International Arbitration Center Other arbitration institutions that are members of the Convention on the Recognition and Enforcement of Foreign Arbitral Awards The arbitration shall be conducted in ________ (the place of arbitration) in accordance with its arbitration rules then in force.
(2) Litigation. Submit the dispute to a Chinese court with jurisdiction in accordance with the applicable laws. -5. This Contract shall be interpreted in accordance with Relevant Laws and Regulations and shall not be interpreted in a manner inconsistent with the rights and obligations set forth in Relevant Laws and Regulations. -6. This Contract shall be executed in _________ originals, and the Parties, the Personal Information Handler and the Foreign Recipient, shall each hold _________ original(s), with equal legal effect. This contract is signed at (place). This Contract is made and entered into by and between the Personal Information Handler and the Foreign Recipient at _________. Personal Information Handler: ______________________________________ (Seal) Legal Representative/Proxy: ______________________ (Signature or Seal) Date: ______________________ Foreign Recipient: ______________________________________ (Seal) Legal Representative/Proxy: ______________________ (Signature or Seal) Date: ______________________ Appendix I Description of the Outbound Transfer of Personal Information The details of the outbound transfer of Personal Information under this Contract are as follows: -1. Purpose of processing: -2. Method of processing: -3. The scale of Personal Information to be transferred abroad: -4. Type of Personal Information to be transferred abroad (see the types in the Information Security Technologies - Personal Information Security Specifications (GB/T 35273) and relevant standards): -5. Type of Sensitive Personal Information to be transferred abroad (where applicable, see the types in the Information Security Technologies - Personal Information Security Specifications of GB/T 35273 and relevant standards): -6. The Foreign Recipient transfers Personal Information only to the following third parties outside the People’s Republic of China (if applicable): -7. Method of transfer: -8. Retention period after the cross-border transfer: From [MM/DD/YY] to [MM/DD/YY] -9. Storage location after the outbound transfer: -10. Other matters (to be filled in as appropriate): Appendix II Other Terms as Agreed by the Parties (If Necessary). Note: this translation work is presented by Shihui Partners, translated by Jing Lu, Jeanette Wang and Raymond Wang and reviewed by Ian Read.