Documents can be submitted through the https://sjcj .cac.gov.cn portal. Instructions for using the portal can be found on the portal's main page.

Key information infrastructure operators or other entities for which the above portal is not appropriate can submit their documentation offline. (For requirements, please see Question 2).

Entities that have submitted the needed documentation in person do not need to resubmit the forms through the portal.

The second edition guides have refined and optimized the requirements for security assessment forms, data export risk self-assessment reports, and personal data protection impact reports. Please pay special attention to the rules for filing forms and the formatting guidelines, including font, spacing, and page layout.

The Regulations lay out two conditions under which filing is required. First, if key information infrastructure operators transfer personal information or important data abroad. Second, if data handlers at other entities send important data abroad, or if they transfer ordinary data on more than 1 million people abroad in a calendar year or sensitive data on more than 10,000 people in a calendar year. For circumstances outlined in Articles 3, 4, 5, and 6 of the Regulations, please follow the relevant rules.

In addition to key information infrastructure operators, data handlers who transfer the ordinary personal information of between 100,000 and 1 million users in a calendar year or sensitive information on fewer than 10,000 users are legally required to sign a standard personal information export contract with the receiving party or get a personal information security certificate. For circumstances outlined in Articles 3, 4, 5, and 6 of the Regulations, please follow the relevant rules.

Please specify which conditions you meet when filling out the form. Submissions without data support or which do not meet the requirements will not be accepted.

Calculations will be made beginning from January 1 of a given year until the date of the assessment, and will be based on the number of natural persons (not including duplicate users).

Users covered under Articles 3, 4, 5 (including the first three pages of Subarticle 1), and Article 6 of the Regulations are not included.

The following cases do not require data handlers to file a security assessment or standard contract: 1) Non-personal or non-key data collected in the process of international trade, cross-border logistics, academic cooperation, transnational manufacturing, or marketing;

2) Personal data collected abroad and sent to China for processing before being re-sent abroad, provided no personal data or important information related to Chinese users is added to the data during processing;

3) Data involved in the conclusion or carrying-out of a contract between an individual and another entity, such as a cross-border purchase, shipping, remittance, payment, account opening, airline or hotel reservation, visa application, or test service, provided the transfer of data is truly necessary;

4) Data involved in legally sanctioned labor contracts, whether individual or collective, that require cross-border HR management;

5) Data sent abroad under exigent circumstances, such as saving a person's life or property;

6) Non-sensitive data collected by non-key information infrastructure operators that does not meet the 100,000-person threshold for reporting.
In scenarios 3, 4, 5, and 6, the personal data sent abroad cannot include anything listed or publicized by the relevant authorities and regions as "important."

Province-level cyberspace authorities should complete the approval process within five working days of submission.

The province-level cyberspace authorities will receive and examine submitted contracts within 15 working days. If more information is needed, data handlers will have 10 working days to respond. If the needed information is not submitted in time, the filing will be terminated.

In cases where the Measures for Evaluating Cross-Border Data Transfer(国家互联网信息办公室令第11号),the Measures for Filing Personal Information Overseas Transfer Contracts(国家互联网信息办公室令第13号),or other rules contradict the newly released Regulations, the Regulations will take precedence.

If you have additional questions, please contact the CASM at 64271056 (available Monday-Friday from 9 a.m. to 11 a.m. and 2 p.m. to 5 p.m.)