Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 46068

Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025).

数据安全技术 个人信息跨境处理活动安全认证要求 (GB/T 46068-2025)

DCC summary, not a translation. GB/T 46068-2025 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.

Scope

GB/T 46068-2025 specifies security certification requirements for cross-border processing activities involving personal information. It applies to the parties to a cross-border personal-information transfer — the domestic personal-information handler and the overseas recipient — and to the certification bodies assessing them. It is the technical basis for the personal-information protection certification route to lawful cross-border transfer.

It is a recommended standard in the “Data Security Technology” (数据安全技术) series, and supersedes/upgrades the earlier TC260 Practice Guide — Security Certification Specification for Cross-Border Processing of Personal Information as the reference for this certification route.

Key contents

At a structural level the standard is expected to cover:

  • Basic principles for cross-border personal-information processing — lawfulness, transparency, purpose limitation, and ensuring the overseas recipient affords protection meeting Chinese requirements.
  • Legally binding agreement — requirements for a binding instrument between the handler and the overseas recipient allocating responsibilities and protecting data subjects’ rights.
  • Organizational and accountability requirements — designation of responsible personnel/bodies, binding internal rules, and accountability across the two parties (including for onward transfers).
  • Technical and management safeguards for the data both before and after it leaves China.
  • Data-subject rights protection — ensuring individuals can exercise PIPL rights against both parties and have recourse, including a mechanism for accepting jurisdiction/responsibility within China.
  • Continuing-supervision expectations consistent with the certification scheme.

Editor: verify specific clauses against the published standard.

How it fits the regime

GB/T 46068 underpins one of the three lawful bases for cross-border personal-information transfer under PIPL Article 38: passing a security assessment (CAC), concluding the standard contract, or obtaining personal-information protection certification from a specialized body. Certification is the focus of this standard.

It is the technical companion to the Measures for the Certification of Cross-Border Processing of Personal Information (and the broader personal-information-protection certification scheme), supplying the substantive requirements certification bodies test against. For overseas compliance teams — particularly multinational groups moving personal information intra-group across the Chinese border — it is the reference for what a certifiable cross-border transfer arrangement must contain. It works alongside the standard-contract and security-assessment routes and the Provisions on Promoting and Regulating Cross-Border Data Flows, which set the thresholds and exemptions that determine which route (if any) applies.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →