Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GBA (MAINLAND-HONG KONG) SCC GUIDELINES

Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong).

粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引

Promulgated by: Cyberspace Administration of China (CAC) and Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region Government. Document No.: Announcement No. 3 of 2023 of the Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government. Signed by: Wang Jingtao (Cyberspace Administration of China) and Sun Dong (Innovation, Technology and Industry Bureau of the Hong Kong SAR Government). Issued and effective: December 10, 2023.


Implementation Guidelines

Article 1. In order to promote the safe and orderly cross-border flow of personal information within the Guangdong-Hong Kong-Macao Greater Bay Area (“Greater Bay Area”), advance high-quality development of the Greater Bay Area, and implement the Memorandum of Cooperation between the Cyberspace Administration of the People’s Republic of China and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region on Promoting Cross-Border Data Flows in the Guangdong-Hong Kong-Macao Greater Bay Area (hereinafter “the Memorandum”), the Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region Government have jointly formulated these Implementation Guidelines.

Article 2. The Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (hereinafter “the Standard Contract”; see Annex 1) constitutes a facilitation measure under the Memorandum for promoting cross-border flows of personal information within the Greater Bay Area. Personal information handlers and recipients within the Greater Bay Area may, in accordance with these Implementation Guidelines, carry out cross-border flows of personal information between the mainland and Hong Kong within the Greater Bay Area by entering into the Standard Contract. Personal information that has been notified or publicly released as important data by the relevant authorities or regions is excluded.

Personal information handlers and recipients shall be registered in (for organisations) or located in (for individuals) the mainland portion of the Greater Bay Area — that is, the cities of Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing in Guangdong Province — or in the Hong Kong Special Administrative Region.

Article 3. Cross-border provision of personal information effected by entering into the Standard Contract shall adhere to the principles of combining voluntary contracting with filing management, and of combining the protection of personal information rights and interests with risk prevention, so as to safeguard the safe and free cross-border flow of personal information.

Article 4. Cross-border provision of personal information by entering into the Standard Contract in accordance with these Implementation Guidelines shall be subject to performance of the obligations and responsibilities set out in the Standard Contract, including satisfaction of the following conditions:

(1) Before providing personal information cross-border, the personal information handler shall notify the individual or obtain the individual’s consent in accordance with the laws and regulations of the jurisdiction where the personal information handler is located.

(2) The personal information shall not be provided to organisations or individuals outside the Greater Bay Area.

Article 5. Before providing personal information cross-border by entering into the Standard Contract in accordance with these Implementation Guidelines, the personal information handler shall conduct a Personal Information Protection Impact Assessment (PIPIA), with emphasis on assessing the following:

(1) The lawfulness, legitimacy, and necessity of the purposes and methods by which the personal information handler and the recipient process personal information;

(2) The impact on the rights and interests of individuals and the security risks involved; and

(3) Whether the obligations undertaken by the recipient and the management and technical measures and capabilities for fulfilling those obligations can ensure the security of the personal information provided cross-border.

Article 6. The Standard Contract shall be entered into strictly in accordance with the annexes to these Implementation Guidelines; cross-border provision of personal information may only commence after the contract has come into effect.

The personal information handler may agree on additional clauses with the recipient, provided that such clauses do not conflict with the Standard Contract.

Article 7. Where the purpose, scope, categories, or method of cross-border provision of personal information changes, or where the purposes or methods of the recipient’s processing of the personal information change, the retention period is extended, or other circumstances arise that affect or may affect the rights and interests of individuals, the personal information handler shall conduct a fresh Personal Information Protection Impact Assessment, supplement or re-enter into the Standard Contract, and fulfil the corresponding filing procedures.

Article 8. Personal information handlers and recipients shall, within ten working days from the date on which the Standard Contract comes into effect, file the Standard Contract with the Guangdong Provincial Cyberspace Administration or the Office of the Government Chief Information Officer of the Government of the Hong Kong Special Administrative Region in accordance with their respective jurisdictions, submitting the following materials:

(1) A photocopy of the identity document of the legal representative;

(2) A commitment letter (template at Annex 2); and

(3) The Standard Contract.

Personal information handlers and recipients shall be responsible for the authenticity of the materials filed.

Article 9. Personal information handlers and recipients shall be subject to the supervision and administration of the regulatory authorities of their respective jurisdictions, including but not limited to:

(1) Pursuant to Items 7 and 10 of Article 2 of the Standard Contract, the personal information handler shall respond to enquiries from the regulatory authority and bear the burden of proof for performance of the contractual obligations and responsibilities;

(2) Pursuant to Item 12 of Article 3 of the Standard Contract, the recipient shall accept the supervision and administration of the regulatory authority, including compliance with decisions issued by the regulatory authority and provision of proof that necessary action has been taken; and

(3) Pursuant to Item 2 of Article 6 of the Standard Contract, the personal information handler shall notify the regulatory authority upon terminating the Standard Contract.

Article 10. Any organisation or individual that discovers that a personal information handler or recipient is carrying out cross-border flows of personal information within the Greater Bay Area in accordance with these Implementation Guidelines but is not performing the obligations and responsibilities required by these Implementation Guidelines and the Standard Contract may lodge a complaint or report with the Cyberspace Administration of China, the Guangdong Provincial Cyberspace Administration, the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government, the Office of the Government Chief Information Officer, or the Office of the Privacy Commissioner for Personal Data of Hong Kong.

Where the department receiving the complaint or report finds that the cross-border personal information activity poses a significant security risk or that a personal information security incident has occurred, it may require the personal information handler or recipient to rectify the situation; where the matter needs to be handled by another enforcement department, it shall be referred to the relevant department for handling in accordance with law.

Article 11. Where a personal information handler or recipient experiences a personal information security incident such as a leakage of personal information in the course of processing personal information, it shall immediately take remedial measures and, in accordance with its jurisdiction, notify the Cyberspace Administration of China and the Guangdong Provincial Cyberspace Administration, or the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government, the Office of the Government Chief Information Officer, and the Office of the Privacy Commissioner for Personal Data of Hong Kong.

Article 12. The foregoing provisions shall not affect the right of mainland departments performing duties of personal information protection and the Office of the Privacy Commissioner for Personal Data of Hong Kong to strengthen personal information protection and supervision and administration within the scope of their respective duties in accordance with law, including handling complaints and reports relating to personal information protection, and investigating and handling unlawful personal information processing activities.

Article 13. Relevant departments and their staff shall keep confidential, in accordance with law, personal privacy, personal information, trade secrets, and confidential commercial information of which they become aware in the performance of their duties, and shall not disclose such information or illegally provide it to others or use it illegally.

Article 14. The Cyberspace Administration of China and the Innovation, Technology and Industry Bureau of the Hong Kong Special Administrative Region Government may, based on actual circumstances and by mutual agreement, amend these Implementation Guidelines and their annexes.

Article 15. These Implementation Guidelines shall take effect from the date of issuance.


Annex 1: Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)

Formulated by: Cyberspace Administration of China, Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region, and the Office of the Privacy Commissioner for Personal Data of Hong Kong.

Preamble: In order to promote the safe and orderly cross-border flow of personal information within the Greater Bay Area and to clarify the rights, obligations, and responsibilities of personal information handlers and recipients in protecting personal information, the parties, having reached agreement through negotiation, enter into this Contract.

Article 1 Definitions

In this Contract, unless the context otherwise requires:

(1) “Personal information handler” means, in respect of the mainland, an organisation or individual that independently determines the purposes and methods of processing in personal information processing activities; in respect of the Hong Kong SAR, the term also encompasses “data users” — that is, persons who, in respect of personal data, control the collection, holding, processing, or use of that data, alone or jointly or in common with other persons. The personal information handler under this Contract is the cross-border provider of personal information.

(2) “Recipient” means an organisation or individual that receives personal information cross-border from the personal information handler.

(3) “Party” means either the personal information handler or the recipient individually; “parties” means both of them collectively.

(4) Personal information processed by a mainland personal information handler is determined in accordance with the Personal Information Protection Law of the People’s Republic of China; personal information processed by a personal information handler in the Hong Kong SAR is determined in accordance with “personal data” under the Personal Data (Privacy) Ordinance of the Hong Kong SAR.

(5) “Individual” means, in respect of the mainland, the natural person identified or associated with the personal information; in respect of the Hong Kong SAR, the term also encompasses “data subject” — that is, the individual who is the subject of the personal data.

(6) “Regulatory authority” means, in respect of the mainland, the Cyberspace Administration of China and the Guangdong Provincial Cyberspace Administration; in respect of the Hong Kong SAR, the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government, the Office of the Government Chief Information Officer, and the Office of the Privacy Commissioner for Personal Data of Hong Kong.

(7) “Applicable laws and regulations” means, in respect of the mainland, the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other applicable laws and regulations; in respect of the Hong Kong SAR, the Personal Data (Privacy) Ordinance and other applicable laws and regulations.

Article 2 Obligations and Responsibilities of the Personal Information Handler

The personal information handler shall perform the following obligations and responsibilities:

(1) Process personal information in accordance with applicable local laws and regulations and the requirements of this Contract, and limit the personal information provided to the recipient to the minimum scope necessary to achieve the processing purposes.

(2) Notify individuals of the recipient’s name or given name and contact details, the processing purposes, processing methods, categories of personal information, retention period, circumstances of provision of personal information to third parties within the same jurisdiction, and the means and procedures for exercising individual rights, as set out in Appendix 1 “Statement on Cross-Border Provision of Personal Information”. Where applicable local laws and regulations do not require such notification, those regulations shall prevail.

(3) Before providing personal information cross-border to the recipient, obtain the individual’s consent in accordance with applicable local laws and regulations.

(4) Notify individuals that this Contract establishes them as third-party beneficiaries; if an individual has not expressly refused within 30 days, the individual may enjoy the rights of a third-party beneficiary under this Contract.

(5) Make reasonable efforts to ensure that the recipient adopts the following technical and management measures — taking into account the purposes of personal information processing, the categories, scale, scope, volume, and frequency of transmission of personal information, and the retention period of the personal information handler and the recipient, and the security risks thereby posed — in performing the obligations and responsibilities agreed under this Contract. (e.g. technical and management measures such as encryption, anonymization, de-identification, access control, etc.)

(6) Provide the recipient, upon the recipient’s request, with copies of the applicable local laws and regulations and technical standards.

(7) Respond to enquiries from the local regulatory authority regarding the recipient’s personal information processing activities.

(8) Conduct a Personal Information Protection Impact Assessment in respect of the proposed cross-border provision of personal information to the recipient, with emphasis on assessing the following:

  1. The lawfulness, legitimacy, and necessity of the purposes and methods by which the personal information handler and the recipient process personal information;
  2. The impact on individual rights and interests and the security risks involved; and
  3. Whether the obligations undertaken by the recipient and the management and technical measures and capabilities for fulfilling those obligations can ensure the security of the personal information provided cross-border.

The personal information protection impact assessment report shall be retained for at least three years.

(9) Provide a copy of this Contract to individuals upon request. Where trade secrets or confidential commercial information are involved, the relevant content of the copy may be appropriately handled without prejudicing the individual’s understanding of the Contract.

(10) Bear the burden of proof for performance of the obligations and responsibilities under this Contract.

(11) In accordance with applicable local laws and regulations and the requirements of this Contract, provide the local regulatory authority with the information referred to in Item 10 of Article 3, including all compliance audit results.

Article 3 Obligations and Responsibilities of the Recipient

The recipient shall perform the following obligations and responsibilities:

(1) Process personal information in accordance with the agreement set out in Appendix 1 “Statement on Cross-Border Provision of Personal Information”. If the agreed processing purposes, processing methods, or categories of personal information processed are to be exceeded, the personal information handler shall be notified in advance, the Standard Contract shall be supplemented or re-entered into, and the corresponding filing procedures shall be fulfilled. Where applicable local laws and regulations of the personal information handler do not require such notification, those regulations shall prevail.

(2) Provide a copy of this Contract to individuals upon request. Where trade secrets or confidential commercial information are involved, the relevant content of the copy may be appropriately handled without prejudicing the individual’s understanding of the Contract.

(3) Process personal information in the manner that has the least impact on individual rights and interests.

(4) Retain personal information for the shortest period necessary to achieve the processing purposes; upon expiry of the retention period, delete the personal information (including all backups). Where the entrustment contract for processing personal information on behalf of the personal information handler has not come into effect, is invalid, has been revoked, or has been terminated, or at the personal information handler’s request, the personal information shall be deleted and a written statement provided to the personal information handler. Where deletion of personal information is technically infeasible, processing shall cease other than storage and the adoption of necessary security protection measures.

(5) Ensure the security of personal information processing in the following manner:

  1. Adopt technical and management measures including but not limited to those in Item 5 of Article 2 of this Contract, and conduct regular inspections to ensure the security of personal information; and
  2. Ensure that personnel authorised to process personal information perform confidentiality obligations and responsibilities, and establish minimum-authorisation access control permissions.

(6) Where tampering, damage, leakage, loss, unlawful use, unauthorised provision, or unauthorised access to or inspection of the personal information being processed has occurred or may occur, the following steps shall be taken:

  1. Promptly take appropriate remedial measures to mitigate adverse impacts on individuals;
  2. Immediately notify the personal information handler and report to the local regulatory authority. The notification shall contain the following items: (i) the categories, causes, and potential harm of the personal information that has been or may have been tampered with, damaged, leaked, lost, unlawfully used, or accessed or inspected without authorisation; (ii) remedial measures already taken; (iii) measures that individuals may take to reduce harm; and (iv) the contact details of the person or team responsible for handling the matter;
  3. Where applicable laws and regulations require notification to individuals, the notification shall include the matters in Item 2 above; and
  4. Record and retain all circumstances relating to the actual or potential tampering, damage, leakage, loss, unlawful use, or unauthorised provision, access, or inspection, including all remedial measures taken.

(7) Not provide personal information received under this Contract to organisations or individuals outside the Greater Bay Area.

(8) Provide personal information to a third party within the same jurisdiction — the mainland or the Hong Kong SAR — only where all of the following conditions are satisfied:

  1. There is a genuine business need;
  2. The individual has been informed of the third party’s name or given name, contact details, processing purposes, processing methods, categories of personal information, retention period, and the means and procedures for exercising individual rights. Where applicable local laws and regulations of the personal information handler do not require such notification, those regulations shall prevail;
  3. Where processing is based on individual consent, the individual’s consent shall be obtained in accordance with the applicable local laws and regulations of the personal information handler; and
  4. Personal information is provided to the third party within the same jurisdiction in accordance with the agreement set out in Appendix 1 “Statement on Cross-Border Provision of Personal Information”.

(9) Where, having been entrusted by the personal information handler to process personal information, the recipient sub-entrusts a third party to process that information, the prior consent of the personal information handler shall be obtained; the third party shall be required not to process personal information beyond the processing purposes and methods agreed in Appendix 1 to this Contract; and the third party’s personal information processing activities shall be supervised.

(10) Undertake to provide the personal information handler with the necessary information to demonstrate compliance with the obligations and responsibilities under this Contract, permit the personal information handler to conduct compliance audits of the processing activities covered by this Contract, and facilitate such compliance audits.

(11) Maintain an objective record of personal information processing activities conducted, and retain the records for at least three years.

(12) Agree to accept the supervision and administration of the local regulatory authority in the supervision procedures related to the implementation of this Contract, including but not limited to responding to the regulatory authority’s enquiries, cooperating with the regulatory authority’s inspections, complying with measures taken or decisions issued by the regulatory authority, and providing written proof that necessary action has been taken.

(13) Where a government department or judicial authority in the recipient’s jurisdiction requires the recipient to provide personal information under this Contract, the personal information handler shall be immediately notified.

Article 4 Rights of Individuals

The parties agree that individuals, as third-party beneficiaries of this Contract, shall enjoy the following rights:

(1) Individuals shall enjoy, in accordance with the applicable local laws and regulations of the personal information handler and this Contract, the right to know and the right to decide with respect to the processing of their personal information; the right to restrict or refuse the processing of their personal information by others; the right to request access to, copying, correction, supplementation, or deletion of their personal information; and the right to request an explanation of the rules governing the processing of their personal information.

(2) When an individual wishes to exercise the above rights with respect to personal information transmitted under this Contract, the individual may request the personal information handler to take appropriate measures, or may submit a request directly to the recipient. Where the personal information handler is unable to do so, it shall notify the recipient and require the recipient to cooperate.

(3) The recipient shall, in accordance with the personal information handler’s notification or at the individual’s request, give effect within a reasonable period to the rights that individuals enjoy under the applicable local laws and regulations of the personal information handler and this Contract.

The recipient shall inform individuals of relevant matters in a prominent manner and in language that is clear and easy to understand, truthfully, accurately, and completely.

(4) Where the recipient refuses an individual’s request, the recipient shall inform the individual of the reasons for the refusal and of the channels through which the individual may lodge a complaint with the personal information handler or the relevant regulatory authority in the recipient’s jurisdiction, and seek judicial relief.

(5) Individuals, as third-party beneficiaries of this Contract, are entitled to invoke, against one or both parties, the following clauses of this Contract relating to individual rights:

  1. Article 2, except Items 5, 6, 7, and 11 of Article 2;
  2. Article 3, except Items 2 and 4 of Sub-item 6, and Items 9, 10, 11, 12, and 13 of Article 3;
  3. Article 4;
  4. Article 5;
  5. Items 2 and 3 of Article 7; and
  6. Item 5 of Article 8.

The foregoing shall not affect the rights and interests that individuals enjoy under the applicable local laws and regulations of the personal information handler or the recipient.

Article 5 Remedies

(1) The recipient shall designate a contact person authorised to respond to enquiries or complaints regarding personal information processing, and shall handle enquiries or complaints from individuals in a timely manner. The recipient shall inform the personal information handler of the contact person’s details, and shall inform individuals of those details in a concise and easy-to-understand manner, through a separate notice or a notice on its website.

(2) Where a dispute arises between a party and an individual in the performance of this Contract, the other party shall be notified, and both parties shall cooperate to resolve the dispute.

(3) Where a dispute has not been amicably resolved and an individual exercises third-party beneficiary rights under Article 4, the recipient accepts that the individual may seek to enforce those rights by the following means:

  1. Lodging a complaint with the relevant regulatory authority; or
  2. Bringing legal proceedings before the court agreed under Item 5 of this Article.

(4) Both parties agree that where an individual exercises third-party beneficiary rights with respect to a dispute under this Contract and elects to apply the applicable local laws and regulations of the personal information handler, that election shall prevail.

(5) Both parties agree that where an individual exercises third-party beneficiary rights with respect to a dispute under this Contract, the individual may bring legal proceedings before a court of competent jurisdiction in the mainland or in Hong Kong in accordance with the Civil Procedure Law of the People’s Republic of China, the Arrangement on Reciprocal Recognition and Enforcement of Judgments in Civil and Commercial Matters by the Courts of the Mainland and of the Hong Kong Special Administrative Region pursuant to Choice of Court Agreements between Parties Concerned of the Supreme People’s Court, or Hong Kong laws and regulations.

(6) Both parties agree that any choice of enforcement action made by individuals shall not diminish their right to seek remedies under other laws and regulations.

Article 6 Termination of Contract

(1) Where the recipient breaches the obligations and responsibilities agreed under this Contract, or is subject to compulsory measures that prevent performance of this Contract, the personal information handler may suspend cross-border provision of personal information to the recipient until the breach has been remedied or the Contract has been terminated.

(2) In any of the following circumstances, the personal information handler has the right to terminate this Contract and notify the local regulatory authority of the personal information handler:

  1. The personal information handler’s suspension of cross-border provision of personal information to the recipient pursuant to Item 1 of this Article has lasted more than one month;
  2. The recipient has seriously or persistently breached the obligations and responsibilities agreed under this Contract; or
  3. A final decision by a court of competent jurisdiction or a regulatory authority has found that the recipient or the personal information handler has breached the obligations and responsibilities agreed under this Contract.

In the circumstances described in Item 3 above, the recipient may also terminate this Contract.

(3) Termination of the Contract shall not exempt either party from personal information protection obligations and responsibilities incurred in the course of personal information processing.

(4) Upon termination of the Contract, the recipient shall promptly return or delete the personal information received pursuant to this Contract (including all backups), and provide the personal information handler with a written statement. Where deletion of personal information is technically infeasible, processing shall cease other than storage and the adoption of necessary security protection measures.

Article 7 Liability for Breach

(1) Each party shall bear liability for losses caused to the other party by its breach of this Contract.

(2) Where a party’s breach of this Contract infringes upon the rights that individuals enjoy, that party shall bear civil legal liability to the individuals, without prejudice to the administrative, criminal, or other legal liability that applicable laws and regulations impose on the personal information handler.

(3) Where both parties bear joint and several liability in accordance with law, individuals have the right to hold one or both parties liable. A party that has borne liability in excess of its proportionate share has the right to seek contribution from the other party.

Article 8 Miscellaneous

(1) In the event of a conflict between this Contract and any other legal document entered into by the parties, the provisions of this Contract shall prevail.

(2) The formation, validity, performance, and interpretation of this Contract, and any dispute between the parties arising from this Contract, shall be governed by the applicable local laws and regulations of the personal information handler.

(3) Notices under this Contract shall be sent by email, telegram, telex, facsimile (with an air-mail confirmation copy), or registered airmail to the designated address, or to such other address as may be substituted by written notice. Notices sent by registered airmail shall be deemed received on the ____th day after the postmark date; notices sent by email, telegram, telex, or facsimile shall be deemed received ____ working days after dispatch.

(4) Disputes arising from this Contract between the parties, and any claim for contribution by a party that has made advance compensation to individuals, shall be resolved through negotiation; if negotiation fails, either party may resolve the matter by one of the following means (if arbitration is selected, please tick the arbitration institution):

  1. Arbitration. Submit the dispute to [one of the following institutions]: China International Economic and Trade Arbitration Commission; China Maritime Arbitration Commission; Guangzhou International Arbitration Commission; Greater Bay Area International Arbitration Centre; Hong Kong International Arbitration Centre — for arbitration at [place of arbitration] in accordance with the arbitration rules then in force; or
  2. Litigation. Bring proceedings before a court of competent jurisdiction in the mainland or in Hong Kong in accordance with law.

(5) This Contract shall be interpreted in accordance with the applicable local laws and regulations of the personal information handler, and shall not be interpreted in a manner inconsistent with the rights, obligations, and responsibilities under those laws and regulations.

(6) This Contract shall be executed in ____ originals, with each party holding ____ originals, all of equal legal effect, and signed at [place] on [date].


Appendix 1 to the Standard Contract: Statement on Cross-Border Provision of Personal Information

The particulars of the personal information to be provided to the recipient pursuant to this Contract are agreed as follows:

(1) Processing purposes:

(2) Processing methods:

(3) Scale of cross-border provision of personal information:

(4) Categories of personal information to be provided cross-border (with reference to GB/T 35273 Information Security Technology — Personal Information Security Specification or applicable local standards of the personal information handler):

(5) Third parties within the same jurisdiction (mainland or Hong Kong SAR) to whom the recipient shall provide personal information (if applicable):

(6) Method of transmission:

(7) Retention period after cross-border provision: (from ____ to ____)

(8) Storage location after cross-border provision:

(9) Other matters (to be completed as applicable):


Appendix 2 to the Standard Contract: Additional Clauses Agreed by the Parties (if required)


Annex 2: Commitment Letter (Template)

I/We solemnly commit as follows:

  1. All content of the filing materials is true, complete, accurate, and valid;

  2. I/We will provide the necessary cooperation and support for the filing work under the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong); and

  3. The Personal Information Protection Impact Assessment was completed within three months before the date of filing and no material changes have occurred as of the date of filing.

I/We acknowledge and fully understand the content of the above commitments. If the commitments are untrue or are breached, I/We are willing to bear the corresponding legal liability.

Signature of legal representative: _______________

Organisation seal (for organisations): _______________

Date: _____ year ____ month ____ day

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →