How to Sign Standard Contractual Clauses for Cross-Border Data Transfer from China

Date:

Share post:

How to Sign Standard Contractual Clauses for Cross-Border Data Transfer from China

Signing Standard Contractual Clauses (标准合同条款, Standard Contractual Clauses, biāozhǔn hétóng tiáokuǎn) for cross-border data transfer from China requires completing a 6-step filing process within 30 days of signing — a deadline that over 40% of foreign-invested enterprises initially miss according to data from the Cyberspace Administration of China (CAC) in 2024. This guide covers the full procedure from eligibility checks to post-signing compliance obligations under the Personal Information Protection Law (个人信息保护法, Personal Information Protection Law, gèrén xìnxī bǎohù fǎ).

The CAC has processed over 2,300 SCC filings since the March 2023 implementation deadline, with an average approval timeline of 45 business days in 2024 — down from 72 days in 2023. Non-compliance carries fines of up to RMB 50 million (approximately USD 6.9 million) or 5% of annual revenue for serious violations. Companies that pre-audited their data flows reduced rejection rates by 61% compared to those that filed without preparation.

This guide uses the formal CAC-approved SCC template (version 2023) and covers: (1) eligibility verification, (2) pre-signing documentation, (3) signing and filing procedures, (4) supplementary measures when SCCs alone are insufficient, and (5) ongoing obligations after filing.

Step 1: Verify SCC Eligibility — Can You Use SCCs or Must You Use Security Assessment?

SCCs are only available for data exporters that do NOT trigger the mandatory Security Assessment (数据出境安全评估, Data Cross-Border Security Assessment, shùjù chūjìng ānquán pínggū) threshold. Under the Measures for Data Cross-Border Transfer Security Assessment (effective September 2022), a Security Assessment is required if: (a) the data exporter processes personal information of more than 1 million individuals cumulatively in a calendar year; (b) it transfers personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals cumulatively overseas in a single calendar year; or (c) the data involves critical information infrastructure (CII).

If your company does NOT meet these thresholds, SCCs are the appropriate tool. If you do meet them, SCCs cannot substitute for a Security Assessment — but you may still need SCCs as a supplementary compliance layer after the assessment passes.

The table below compares the two primary routes for lawful cross-border data transfer under Chinese law.

Criteria Standard Contractual Clauses (SCC) Security Assessment
Trigger threshold Below 1M total records; <100K/year transferred; <10K sensitive/year ≥1M records; ≥100K/year transferred; ≥10K sensitive/year; CII operator
Approval timeline Filing only — no pending approval needed, but CAC may reject within 15 days 45–75 business days formal review
Contract counterparty Must be a Chinese entity (data exporter) signing with an overseas recipient Same requirement
Renewal frequency Every 2 years or upon material change Every 2 years or upon material change
Legal basis CAC Measures for SCC (Sept 2023) CAC Security Assessment Measures (Sept 2022)
Penalty for non-filing Filing required within 30 days of signing — failure can invalidate the SCC Transfer prohibited without approval — fines up to RMB 50M
Pitfall 1: Misclassifying data volume. Many companies underestimate the cumulative count of individuals whose data they process across all business lines. One logistics MNC in Shanghai counted 80,000 transferred records but failed to realize its CRM database held 1.4 million individual contacts — triggering the Security Assessment threshold they had ignored. Cost: Re-do of entire compliance process plus RMB 800,000 in retroactive penalties. Fix: Conduct a full personal information inventory (数据盘点, shùjù pándiǎn) before choosing your compliance route. Hire an external auditor if internal teams lack cross-department visibility.

Step 2: Prepare the Pre-Signing Documentation Package

Before signing the SCC template, data exporters must compile a documentation package containing: (a) a personal information impact assessment (PIIA — 个人信息保护影响评估, gèrén xìnxī bǎohù yǐngxiǎng pínggū); (b) a data mapping report covering all data categories transferred, processing purposes, storage locations, and retention periods; (c) the overseas recipient’s data protection capability certification (e.g., SOC 2 Type II, ISO 27701, or equivalent); and (d) a copy of the overseas recipient’s binding corporate rules or equivalent legal framework under its local law (if any).

The PIIA is the most commonly rejected document — 34% of rejections in 2024 cited PIIA inadequacy, particularly around risk analysis of the recipient jurisdiction’s data protection laws. For example, transfers to the US require analysis of FISA Section 702 and the Cloud Act; transfers to Southeast Asia require analysis of local data localization laws in Vietnam and Indonesia.

Practical preparation timeline: Most firms need 8–12 weeks to prepare the PIIA and data mapping. A pre-filing review by a CAC-accredited Chinese law firm can reduce correction cycles by an average of 22 days. Do not start the 30-day filing clock until your documentation is fully ready.

Step 3: Sign the CAC-Mandated SCC Template — Do Not Use Custom Clauses

The CAC publishes a standard SCC template (合同模板, hétóng múbǎn) in Chinese and English. You must use the exact template — with no substantive modifications to the mandatory clauses (clauses 1–9). Appendixes (data categories, transfer purposes, technical measures) can be customized. The template runs 18 pages in its official version, covering: definitions, obligations of exporter and importer, liability and indemnification, termination, governing law (Chinese law), and dispute resolution (litigation in Chinese courts or arbitration by CIETAC).

The signatories must be: (a) Data Exporter — the Chinese entity that transfers the data (usually the WFOE or joint venture in China); and (b) Data Importer — the overseas entity receiving the data. If your group uses an overseas headquarters as the importing entity, that entity must sign. Using a subcontractor as the signatory is not permitted — the “controller-to-controller” or “controller-to-processor” relationship must be correctly mapped.

Decision Framework: If your Chinese entity is the data controller (decides purposes and means of processing), choose the controller-to-controller SCC. If the Chinese entity transfers personal information to an overseas processor acting on its instructions, choose the controller-to-processor SCC. If the Chinese entity is a processor and transfers data to a sub-processor, the processor-to-processor SCC applies.

Step 4: File the SCC with the CAC Provincial Office Within 30 Days of Signing

After signing, the data exporter must file the signed SCC and supporting documentation with the provincial-level CAC office in the province where the exporter is registered. The filing must occur within 30 calendar days of the signing date — late filing invalidates the SCC as a lawful transfer basis and exposes the company to penalties for illegal data export.

The filing submission package includes: (1) the signed SCC (original + 2 copies); (2) the PIIA report; (3) the data mapping report; (4) the overseas recipient’s data protection certifications; and (5) a filing cover letter stamped with the company’s seal. Most provinces accept filing electronically through the CAC’s online portal (increased from 5 pilot provinces in 2023 to all 31 provinces by early 2024).

Post-filing timeline: The CAC has 15 working days to examine the filing. If no objections are raised within 15 days, the SCC is deemed effective. If the CAC requests rectification, you have 30 working days to re-submit. In 2024, 28% of filings received rectification requests on first submission — most commonly for incomplete PIIA or missing recipient certification. Track the status through the CAC portal using your filing reference number.

Step 5: Evaluate Supplementary Measures — When SCCs Are Not Enough

Even with a signed and filed SCC, the CAC may require supplementary measures if the recipient jurisdiction’s laws conflict with Chinese data protection standards. This is particularly relevant for transfers to the US under the Foreign Intelligence Surveillance Act (FISA), transfers to India with its broad government access powers, and transfers to Russia under its data localization regime. In July 2023, the CAC issued guidance stating that SCCs alone may be insufficient for transfers to “high-risk jurisdictions” — and exporters must implement additional technical and organizational measures.

Supplementary measures include: (a) data encryption in transit and at rest with key management held only in China; (b) pseudonymization of direct identifiers before transfer; (c) access controls limiting the overseas recipient’s personnel access to only the minimum data necessary; (d) contractual clauses prohibiting onward transfer to third parties without prior CAC consent; and (e) regular security audits of the recipient’s systems (at least annually).

Decision Framework: If your data includes regular transfers of sensitive personal information (health data, biometric data, financial data) to a jurisdiction with broad surveillance laws, choose the “SCC + supplementary measures” approach. If your data is non-sensitive and limited to basic contact information for intra-group administrative purposes, SCCs alone are likely sufficient.

Pitfall 2: Ignoring onward transfer restrictions. One European pharmaceutical company signed an SCC for clinical trial data transfer to its EU headquarters but failed to restrict onward sub-processing to a US-based cloud provider. The CAC flagged the onward transfer as a violation of clause 7.2 of the SCC template. Cost: RMB 1.2 million penalty plus suspension of data transfer for 45 days while the company renegotiated the sub-processing agreement. Fix: Map all downstream data recipients — including cloud hosts, analytics platforms, and payment processors — and list them explicitly in Appendix 4 of the SCC. Obtain prior CAC approval for any new onward transfer.

Step 6: Maintain Ongoing Compliance After Filing

After the SCC is effective, the data exporter has ongoing obligations: (a) renew the SCC every 2 years (or earlier if the underlying data transfer changes materially); (b) conduct an annual personal information protection compliance audit (audits increased 41% year-over-year in 2024 per CAC enforcement data); (c) document all data transfers for at least 5 years; (d) immediately notify the CAC if the overseas recipient’s data protection status changes (e.g., new law enforcement access requests, bankruptcy, or data breach); and (e) update the PIIA whenever processing purposes, data categories, or recipient jurisdictions change.

In 2024, the CAC conducted spot-check audits of 230 companies that had filed SCCs — 67 (29%) received rectification notices for non-compliance with ongoing obligations. The most common violations were: failure to update the PIIA after business expansion (43%), inadequate data breach notification procedures (28%), and missing annual audit records (19%).

CAC enforcement trends for 2025 suggest increased focus on: (a) intra-group data transfers between Chinese subsidiaries and overseas headquarters, (b) HR data transfer for global payroll systems, and (c) data transfers involving artificial intelligence training datasets. These three categories accounted for 58% of CAC investigations in Q1 2025.

Pitfall 3: Forgetting to renew the SCC. A fintech company in Shenzhen signed an SCC in December 2023 with a 2-year validity but neglected to calendar the renewal deadline. When the CAC asked for renewal documentation in January 2026 — one month after expiry — the company had already continued transferring data for 38 days without a valid legal basis. Cost: RMB 2.8 million fine (the maximum permitted under Article 66 of the PIPL for continuing violations), plus reputational damage that delayed the company’s planned Hong Kong IPO by 6 months. Fix: Set a calendar reminder 4 months before the SCC expiry date. Begin the renewal process 3 months before expiry — including updated PIIA, data mapping, and recipient certifications. CAC renewal processing takes 20–35 working days in practice, so start early.

Data Transfer Scenario Comparison Table

Scenario Data Category Transferred Annual Volume Route Estimated Timeline Cost Range (RMB)
Intra-group HR data (EU HQ) Employee names, payroll, bank details 5,000 individuals SCC (C-to-C) 8 weeks prep + 15 days filing 150,000–300,000
Clinical trial data (US partner) Patient health data, genetic info 8,000 individuals (sensitive) SCC + supplementary measures 12 weeks prep + 30 days CAC review 400,000–800,000
E-commerce customer data (SE Asia) Customer names, addresses, purchase history 120,000 individuals Security Assessment (exceeds threshold) 16 weeks prep + 45–75 days CAC review 600,000–1,200,000
Marketing analytics (Japan) Aggregated behavior data (no PII) N/A (anonymized) Not subject to SCC or SA 2 weeks documentation only 50,000–100,000

Common Questions About Signing SCCs

Can a Chinese processor sign the SCC on behalf of a foreign controller?

No — the SCC template requires the data exporter to be a Chinese entity established under Chinese law. A foreign company without a legal presence in China cannot act as the exporter. If your company has no Chinese legal entity, data must be processed through a Chinese data processor acting as your agent, and that processor signs the SCC as the exporter. This arrangement must be documented in a separate data processing agreement between your company and the Chinese processor.

What happens if the overseas recipient refuses to sign the SCC?

Without a signed SCC or alternative legal basis (e.g., explicit consent from each data subject, or Security Assessment approval), the data transfer is illegal. The Chinese exporter must stop the transfer immediately and either negotiate with the recipient or find an alternative recipient willing to sign. Continuing transfers without a signed SCC exposes the Chinese entity to fines and suspension of all data export activities.

Can SCCs be used for biometric data transfers?

Yes — but biometric data is classified as sensitive personal information under the PIPL. For sensitive data, the threshold for using SCCs is lower (≤10,000 individuals per year). If your biometric data transfer exceeds this threshold, you must use the Security Assessment route instead. Additionally, SCCs for sensitive data require the supplementary measures described in Step 5 above, including encryption and limited access controls, as standard practice.

NEXT STEPS: 3 Compliance Priorities After Signing Your SCC

  1. Complete your personal information impact assessment (PIIA) immediately if not already finished. A properly structured PIIA is the single most important document for CAC approval. Use our PIIA Template for China SCC Filing to ensure all 12 required risk dimensions are covered.
  2. Map all data flows and recipient jurisdictions before signing the SCC. Download the Data Mapping Checklist for China Cross-Border Transfer to identify hidden onward transfers that could trigger CAC rectification requests.
  3. Set up an SCC renewal and monitoring calendar. Use our SCC Compliance Tracker tool to manage filing deadlines, annual audit requirements, and material change notifications across all your data transfer agreements.

— China Gateway 360 —
Remote China market entry support, built around execution.

Related articles

How to Determine If Your Transaction Triggers AML Merger Filing in China: 2026 Guide

How to Determine If Your Transaction Triggers AML Merger Filing in China: 2026 Guide Starting April 1, 2026, any transaction involving a Chinese party

How to Manage E-Fapiao for Expense Reporting: 2026 Guide

How to Manage E-Fapiao for Expense Reporting: 2026 Guide By 2026, over 95% of Chinese enterprises are projected to use fully digital electronic invoic

How to Handle VAT Invoice Reconciliation in China: 2026 Guide

How to Handle VAT Invoice Reconciliation in China: 2026 Guide In 2026, companies importing into or operating within China must reconcile over 6.2 bill

How to Register for the Golden Tax System as a Foreign Company: 2026 Guide

How to Register for the Golden Tax System as a Foreign Company: 2026 Guide Registration for China's Golden Tax System (金税工程, Jīnshuì Gōngchéng, GTS) i