DATA PROTECTION
China: new certification rules for the cross-border transfer of personal data are effective from January 1, 2026.
The Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) have published the long-awaited Measures for the certification of the cross-border transfer of personal information, which will come into force on January 1, 2026.
With this measure, China completes the regulatory framework provided for by Article 38 of the Personal Information Protection Law (PIPL), which regulates the three legal paths for the transfer of personal data abroad:
Safety assessment organized by the CAC;
Safety certification by accredited bodies;
Standard contract with the foreign recipient.
The adoption of the Measures marks a crucial step: the regulatory system for international data transfers to China now becomes comprehensive and fully operational, offering companies a more certain and predictable framework.
The new Measures allow companies to choose the certification route if:
they are not critical information infrastructure operators (CIIOs);
during the year they transferred personal data of between 100,000 and 1,000,000 individuals, or "sensitive" personal data of fewer than 10,000 people;
they do not transfer "important data" under Chinese law.
Artificially splitting data volumes ("data splitting") in order to circumvent the security assessment requirement is prohibited.
Before applying for certification, holders must:
inform the data subjects about the transfer;
obtain separate consent;
carry out a personal data protection impact assessment (PIPIA), analysing the legality, necessity, type and risks of the transfer, as well as the safeguards offered by the foreign recipient and the adequacy of its legal system.
The PIPIA report must be kept for at least three years.
Applications must be submitted to an authorized certification body; for foreign subjects, through a local representative. Once issued, the certificate is valid for three years, with the obligation to renew it six months before expiry.
The system provides for a structured supervisory network: national and provincial authorities will be able to conduct inspections and revoke or suspend certifications in the event of incidents or non-compliance.
The Measures specify the relationship between the two compliance tools provided for by the PIPL:
the standard contract represents a simplified and self-managed mode, suitable for occasional or limited volume transfers;
certification, on the other hand, is more structured and formal, based on an assessment by third parties and continuous checks.
Certification therefore offers greater public recognition and may be preferable for multinational groups that make frequent or large-scale transfers, or that want to enhance their reliability in terms of personal data protection.
With the entry into force of the Measures, China now has a comprehensive three-way system for managing international data transfers. Companies operating in the country must:
assess which path (assessment, standard contract or certification) is best suited for their operations;
strengthen the internal governance of data flows;
promptly prepare the PIPIA analyses and the documentation necessary for any certification.