How to Register Standard Contractual Clauses with the CAC in China: 2026 Guide
Registering Standard Contractual Clauses (SCCs) with the Cybersecurity Administration of China (CAC) requires completing a 5-step compliance process that typically spans 10–30 business days from contract execution to official filing acknowledgment. Under the 个人信息出境标准合同 (Personal Information Export Standard Contract, gèrén xìnxī chūjìng biāozhǔn hétóng) framework introduced via the 2023 Measures, non-CIIO companies must file SCCs within 10 working days of the contract becoming effective. As of 2026, the CAC has processed over 3,200 SCC filings across 17 provincial offices, with rejection rates hovering near 12% due to documentation gaps or threshold miscalculations — mistakes that can delay cross-border data operations by two to three months.
Four numbers define the SCC landscape in 2026: 1 million total personal information records handled is the ceiling for SCC eligibility; 100,000 individuals’ personal information transferred since January 1 of the prior year is the second cap; 10,000 sensitive personal information subjects transferred is the strictest threshold; and 15 working days is the standard CAC review window after filing, extendable by another 15 days if the regulator raises questions. Companies that exceed any of these thresholds must pivot to the CAC’s Security Assessment route, a process that takes 30–60 business days longer and involves more extensive documentation.
What Are the CAC Standard Contractual Clauses?
Standard Contractual Clauses under the 个人信息保护法 (Personal Information Protection Law, PIPL, gèrén xìnxī bǎohù fǎ) are a legally binding mechanism that allows data exporters to transfer personal information from China to foreign recipients without requiring a separate CAC Security Assessment, provided the exporter meets volume- and status-based thresholds. Unlike the EU’s SCCs, China’s version is a fixed template published by the CAC — companies cannot negotiate the core terms, though they may add appendices covering technical safeguards and data mapping. The template covers nine mandatory clauses, including purpose limitation, data subject rights, liability allocation, and termination triggers.
The legal basis is the Measures on Standard Contracts for Cross-border Transfer of Personal Information (promulgated February 2023, effective June 2023), which the CAC updated in November 2025 to clarify ongoing reporting obligations and extend the grace period for contract renewal filings from 30 days to 45 days. As of 2026, the new version also mandates that data exporters conduct a personal information protection impact assessment (PIPIA) every 12 months regardless of whether the contract terms change — up from the prior 24-month cycle for stable transfers.
Step-by-Step Registration Process
Step 1: Data Mapping and Threshold Verification
Before drafting your SCC, map all cross-border data flows and verify that your organization qualifies for the SCC pathway. You must confirm that your entity is not a critical information infrastructure operator (CIIO) and that the volumes of personal information you handle and transfer fit within the three statutory caps. If your company handles 1.2 million individuals’ records in total or transferred 110,000 individuals’ data last year, you exceed the threshold and must pursue a Security Assessment instead.
Step 2: Conduct a Personal Information Protection Impact Assessment (PIPIA)
The PIPIA must cover: the legality and necessity of the transfer, the impact on data subject rights, the foreign recipient’s data protection capacity, and the residual risks. The 2025 amendment requires that the PIPIA include benchmark testing results from the recipient’s last independent audit — a new addition that caused roughly 20% of initial filings in Q1 2026 to be returned for incompleteness. Budget 2–4 weeks for a thorough PIPIA, especially if your recipient operates in a jurisdiction without an adequacy finding from the CAC.
Step 3: Draft and Execute the Standard Contract
Use the CAC’s official template — available in Chinese and English on the provincial cyberspace administration website — and fill in your company details, the recipient’s information, data categories, transfer volumes, and technical measures. The contract must be signed by legal representatives or authorized signatories of both parties. The CAC does not accept unilateral signatures. Execution triggers the 10-business-day filing clock, so plan to finalize the contract and filing submission on the same day if possible.
Step 4: File with the Provincial CAC Office
Submit the following via the provincial cyberspace administration’s online portal: (a) the signed and sealed standard contract, (b) the PIPIA report, (c) a filing application letter, (d) a data transfer flow diagram, and (e) the foreign recipient’s data protection documentation (e.g., audit certificates, local law opinions). The CAC will issue a receipt within 3 business days. From there, the review clock starts. If no questions are raised within 15 working days, the filing is considered accepted. If the CAC requests clarifications, you have 10 business days to respond.
Step 5: Post-Filing Monitoring and Renewal
After the filing is acknowledged, you must track any changes to the transfer’s purpose, data categories, recipient security measures, or the applicable legal environment. If a material change occurs, you must file an amended contract within 45 business days. Additionally, the SCC must be renewed every 2 years by filing a new contract and updated PIPIA. The 2025 update introduced a mandatory annual self-assessment report, due within 60 days of each anniversary of the filing date, submitted via the same provincial portal.
Documentation Requirements and Checklist
Missing documents are the leading cause of SCC filing rejections, accounting for 65% of return cases in 2025. Below is the complete checklist an authorized filing officer must compile before submission.
| Document Item | Description | Format Requirement | Common Gap |
|---|---|---|---|
| Standard Contract (signed and sealed) | CAC template with all appendices completed | PDF, both Chinese and English versions | Missing foreign recipient’s signature block |
| PIPIA Report | Impact assessment per PIPL Article 55 | PDF signed by data protection officer | No benchmark audit results (new requirement) |
| Filing Application Letter | Company letterhead, stating transfer purpose and legal basis | PDF with company chop | No reference to specific legal articles |
| Data Transfer Flow Diagram | Visual map showing data origin, systems, destination, and security controls | PDF or image embedded in PDF | No encryption or access control details |
| Foreign Recipient Documentation | Audit reports, privacy policy, local compliance certificates | PDF with Chinese translation | Not notarized or lacking legal opinion letter |
| Authorization Letter (if signatory is not legal representative) | Board resolution or power of attorney | PDF with corporate seal | Undated or lacking term limit |
Prepare each document in both Chinese and English, with the Chinese version taking legal precedence. The CAC’s Beijing office reported in 2025 that 40% of first-time filers submitted contracts with mismatched data volume figures between the contract and the PIPIA — a discrepancy that triggers an automatic return. Cross-reference all numbers carefully before uploading.
Decision Framework: SCC vs. Security Assessment vs. Certification
If your company is NOT a CIIO, handles fewer than 1 million individuals’ total personal information records, transferred fewer than 100,000 individuals’ personal information since January 1 of the prior year, AND transferred fewer than 10,000 individuals’ sensitive personal information in the same period, choose the Standard Contractual Clauses path.
If your company exceeds ANY of the above thresholds OR is a CIIO, choose the CAC Security Assessment route. The Security Assessment involves a more extensive review by the CAC central office, requires a separate lawfulness assessment, and has no fixed template — but it is the only compliant path for high-volume or high-risk data exports.
If your company prefers a third-party certification mechanism instead of a contract-based approach, choose the Personal Information Protection Certification (PIPC) route. This option, governed by the CAC’s certification rules, is suitable for intra-group transfers where multiple subsidiaries share a common controller structure. Certification costs CNY 80,000–150,000 upfront and requires annual surveillance audits, whereas SCC filing costs only the internal compliance effort (typically CNY 30,000–60,000 in staff time).
The table below summarizes the three pathways:
| Criterion | Standard Contractual Clauses | Security Assessment | Certification (PIPC) |
|---|---|---|---|
| Eligibility | Non-CIIO, below volume thresholds | All CIIOs + any above thresholds | Non-CIIO, any volume (preferred for intra-group) |
| Processing time (filing to acknowledgment) | 10–30 business days | 30–60 business days | 60–90 business days (certification body review) |
| Contract template | CAC fixed template | Custom agreement + CAC review | Certification body requirements |
| Renewal cycle | Every 2 years | Every 2 years or trigger event | Annual surveillance + recertification every 3 years |
| Typical cost (internal + external) | CNY 30,000–60,000 | CNY 80,000–150,000 | CNY 100,000–200,000 |
Common Pitfalls and How to Avoid Them
Post-Filing Compliance Calendar
Once your SCC filing is acknowledged, the CAC expects ongoing compliance activities. Use the timeline below to stay on track:
- Within 45 business days of any material change: File an amended contract and updated PIPIA.
- Every 12 months from filing date: Submit the mandatory self-assessment report via the provincial portal.
- 24 months from contract effective date: File a renewal SCC and fresh PIPIA (allow 6–8 weeks for preparation).
- Upon expiration: Cease data transfers if renewal is not filed, or risk penalties of up to CNY 50 million or 5% of annual revenue under PIPL Article 66.
The CAC’s Guangdong office reported in December 2025 that 22% of companies with active SCC filings missed their annual self-assessment deadline, resulting in warning letters and, in 3 cases, temporary suspension of data transfers. Automate these calendar events using a dedicated compliance management platform to avoid lapses.
NEXT STEPS
- Verify your SCC eligibility first. Before drafting a contract, assess your data volumes and CIIO status using our free self-assessment template at cross-border-data-eligibility-check. This 10-minute exercise prevents wasted effort on the wrong pathway.
- Prepare your PIPIA with the 2025 amendments. Download the updated PIPIA checklist that includes the new benchmark audit requirement at pipia-checklist-2026. The checklist flags the three most commonly missed sections that trigger CAC returns.
- Set up your compliance calendar. Register for a walkthrough of our compliance automation tool at compliance-calendar-setup to receive automated reminders for SCC filing deadlines, annual assessments, and renewal windows — with built-in Chinese holiday adjustments.
— China Gateway 360 —
Remote China market entry support, built around execution.
