Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 46901-2025 (PI PORTABILITY)

Data Security Technology — Requirements for Personal Information Transfer Based on Individual Requests (GB/T 46901—2025).

数据安全技术 基于个人请求的个人信息转移要求(GB/T 46901—2025)

FILED UNDER · Personal Information

Promulgated by: State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC).
Document No.: GB/T 46901—2025.
Drafted under the auspices of the National Information Security Standardization Technical Committee (TC260). Issued December 31, 2025. Effective July 1, 2026.


Chapter 1. Scope

Article 1 (Scope). This document specifies the scope of application, preconditions, process requirements, and other requirements for specific circumstances applicable to the transfer of personal information based on a request of the personal information subject.

This document applies to guiding personal information handlers in responding to a personal information subject’s request to transfer personal information, and also serves as a reference for the relevant supervision, administration, and assessment activities of regulatory authorities and third-party assessment institutions.

Chapter 2. Normative References

Article 2 (Normative References). The content of the following documents constitutes indispensable provisions of this document through normative references in the text. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.

GB/T 25069—2022, Information Security Technology — Terminology

GB/T 35273—2020, Information Security Technology — Personal Information Security Specification

Chapter 3. Terms and Definitions

Article 3 (Terms and Definitions). The terms and definitions established in GB/T 25069—2022 and GB/T 35273—2020, together with the following terms and definitions, apply to this document.

3.1 Personal information transfer (个人信息转移). The process by which a personal information handler that processes personal information at the request of the personal information subject transfers the personal information it processes to another personal information handler designated by the personal information subject.

3.2 Derived personal information (衍生个人信息). New data related to an individual that is derived from the analysis, computation, or processing of personal information.

Note: Such data may differ from the original data but remains personal information and retains the characteristic of being associated with an individual.

3.3 Requester (请求人). The subject who initiates a request for personal information transfer.

Note: This includes the personal information subject personally, the personal information subject’s guardian, and a trustee entrusted by the personal information subject to initiate the transfer request.

3.4 Structured (结构化). A manner of organizing data that has certain rules, formats, or patterns, enabling software to extract specific elements of the data.

Note 1: For example, in a spreadsheet, data is represented in rows and columns.

Note 2: Structured data is generally composed of a defined schema, template, and fields, in which each data element has a specific meaning and type and follows a specific format, convention, and standard, so as to facilitate automatic processing and interpretation by computers and other programs.

3.5 Machine-readable (机器可读). The capability of being read, converted, generated, transmitted, or used by a machine, software, or automated system.

Chapter 4. Abbreviations

Article 4 (Abbreviations). The following abbreviations apply to this document.

CSV: Comma-Separated Values

JSON: JavaScript Object Notation

SFTP: SSH File Transfer Protocol

XML: Extensible Markup Language

Chapter 5. Transfer Methods

Article 5 (Overview). The personal information transfer process involves roles such as the personal information subject, the personal information handler, and the personal information recipient. Based on the role each party plays in the transfer process, personal information transfer methods can be divided into two models: personal-information-subject-as-intermediary transfer and personal-information-handler-as-intermediary transfer.

Article 6 (Personal-Information-Subject-as-Intermediary Transfer). In personal-information-subject-as-intermediary transfer, the personal information subject initiates the personal information transfer request; the personal information handler completes verification of the transfer request and provides the personal information to be transferred to the personal information subject. After receiving the transferred personal information, the personal information subject provides it to the personal information recipient. This is illustrated in Figure 1.

Figure 1 — Personal-information-subject-as-intermediary transfer of personal information

Article 7 (Personal-Information-Handler-as-Intermediary Transfer). The personal information handler and the personal information recipient have in advance made public the interfaces used for sending and receiving personal information. In personal-information-handler-as-intermediary transfer, the personal information subject initiates a personal information transfer request to the personal information handler. After receiving the request, the personal information handler completes verification of the personal information subject and, once verification is complete, sends the verification result and the personal information requested for transfer directly to the personal information recipient designated by the personal information subject. This is illustrated in Figure 2.

Figure 2 — Personal-information-handler-as-intermediary transfer of personal information

Chapter 6. Scope of Application of Personal Information Transfer

Article 8 (Scope of Information That May Be Requested for Transfer). The personal information that a personal information subject may request to be transferred includes:

a) personal information actively provided by the personal information subject with knowledge of the provision (for example, name, gender, age, etc.); and

b) specific service record information generated by the personal information subject’s use of a product or service (for example, navigation record information generated by using a map application or navigation application, health-monitoring record data collected through the use of an IoT device to provide health-monitoring services, etc.).

Note: Personal information transfer does not apply to derived personal information formed by the personal information handler’s processing of the two categories of personal information described above (such as friend relationship chains, profiling tags, etc.), network log information retained pursuant to law, information involving trade secrets, or information that has undergone anonymization.

Article 9 (Requirements Regarding the Subject Eligible to Request Transfer). The requirements regarding the subject of a personal information transfer request include:

a) only the personal information subject may request the transfer of their personal information;

b) a minor under the age of 14 enjoys the right to personal information transfer, but the transfer of their personal information shall be consented to by the minor’s parents or other guardian (Note 1: Chapter 12 sets out specific requirements concerning the exercise of personal information transfer rights by minors); and

c) the personal information of a deceased person does not fall within the scope of application of personal information transfer (Note 2: except where the deceased made other arrangements before death, or where laws and regulations otherwise provide).

Chapter 7. Preconditions for Personal Information Transfer

Article 10 (Legality Requirement). This requirement includes the following:

a) the personal information requested for transfer shall be personal information processed on the basis of consent or as necessary for the conclusion or performance of a contract; and

b) personal information processed on the basis of the following legal bases does not fall within the scope of a personal information transfer request:

  1. processing necessary for the performance of statutory duties or statutory obligations;

  2. processing personal information within a reasonable scope for news reporting or public-opinion supervision in the public interest; or

  3. processing, within a reasonable scope and as required by laws and regulations, personal information that individuals have disclosed on their own initiative or that has otherwise been lawfully disclosed.

Article 11 (Requirement Not to Harm the Lawful Rights and Interests of Others). This requirement includes the following:

a) in principle, the personal information involved in a personal information transfer shall not include the personal information of any person other than the personal information subject. Where the personal information handler finds that responding to the personal information subject’s transfer request would also require transferring the personal information of another person, the personal information handler may de-identify that other person’s personal information. Where de-identification is not feasible, or where de-identification would render the purpose sought by the personal information subject’s transfer request unachievable:

  1. the requester shall provide materials proving that the processing purpose for the other person’s personal information involved in the transfer is limited to what is necessary for private or household activities and can only be independently controlled by the personal information subject, or shall provide materials proving that the other person’s express consent has been obtained for the personal information involved in the transfer; and

  2. where, after verifying the materials provided by the requester, the personal information handler confirms the circumstances described in item 1) above, the personal information handler may, after conducting a personal information security impact assessment, respond to the requester’s transfer request, and shall inform the requester or the personal information recipient of the processing-purpose limitations that must be observed when processing the other person’s personal information; where the personal information handler considers that the requester cannot demonstrate that the circumstances in item 1) are satisfied, the personal information handler may decline to respond to the personal information subject’s transfer request, shall explain to the personal information subject the reasons for declining to respond, and shall retain the corresponding records; and

b) where the personal information handler considers that transferring the personal information may infringe upon its own rights and interests (such as trade secrets and other lawful competitive interests, etc.), the personal information handler may decline to respond to the requester’s transfer request, shall explain to the personal information subject the reasons for declining to respond, and shall retain the corresponding records.

Article 12 (Reasonableness Requirement). A request to transfer personal information shall be within reasonable limits. The specific requirements include the following:

a) the personal information subject shall designate, as the personal information recipient, a subject that has already entered into a personal information transfer agreement with the personal information handler;

b) the frequency of the personal information subject’s requests to transfer personal information shall fall within a reasonable time interval (for example, no more than twice within one calendar year). The personal information handler may assess the reasonableness of the time interval based on the following factors:

  1. the frequency with which the personal information changes;

  2. the nature of the personal information;

  3. the purpose of processing the personal information; and

  4. whether a subsequent request involves the same type of personal information or processing activity as a prior request; and

c) the personal information handler may decline requests that are manifestly unfounded or excessive, but shall record the basic circumstances and inform the personal information subject.

Note: For provisions on a personal information handler declining a personal information subject’s request, see Article 17.

Chapter 8. Basic Requirements for Personal Information Transfer

Article 13 (Basic Process). The basic process for exercising a personal information transfer request (illustrated in Figure 3) mainly comprises five steps: request initiation, request verification, request processing, personal information export, and import of the transferred personal information. Each step, and the format of the transferred personal information, shall satisfy the requirements of 8.2 through 8.7.

Figure 3 — Basic process for personal information transfer

Article 14 (Initiation of Requests). The personal information handler shall, in a prominent manner and in clear and easy-to-understand language, inform individuals truthfully, accurately, and completely of the method and procedure for exercising a personal information transfer request, and shall provide the personal information subject with a convenient channel for initiating a request. The specific requirements include:

a) a personal information transfer request may be submitted online, in writing, or by other means; and

b) a personal information handler that has already implemented automated tools to process personal information transfer requests may determine for itself the frequency at which it processes such requests.

Article 15 (Verification of Requests). The personal information handler shall verify the personal information subject’s request, including verification of the personal information subject’s identity, the content of the request, and the frequency of the request. The verification requirements include the following:

a) the personal information handler shall implement an identity verification procedure for the personal information subject in order to establish the authenticity of the personal information transfer request and to safeguard the security of its entire process for handling the personal information transfer request;

b) the personal information required to complete identity verification of the personal information subject shall follow the principle of minimum necessity;

c) where the personal information handler has reasonable doubts about the personal information subject’s identity, it may require the personal information subject to provide additional information, provided that such additional information shall be limited to what is necessary to confirm identity and shall not exceed the information provided by the personal information subject at the time of use or registration;

d) where a third party (such as a relative or friend) is entrusted to submit a personal information transfer request on the personal information subject’s behalf, the personal information handler shall confirm the validity of the request, for example by verifying the authenticity of the proof provided by the third party;

e) for a personal information transfer request submitted by a close relative of a deceased person on the basis of the relative’s own lawful rights and interests, the personal information handler shall confirm the necessity and reasonableness of the request, for example by verifying the authenticity of the proof provided by the close relative;

f) where a personal information transfer request fails verification, the personal information handler shall inform the personal information subject in a clear manner through an appropriate channel; and

g) where a personal information subject resubmits a personal information transfer request on the ground that the reply received was incomplete or did not give a sufficient reason for refusal, the personal information handler shall not count the request as a new request, but shall count it as a request for reconsideration of the original request.

Article 16 (Processing of Requests — Responding to Requests). For a personal information transfer request that has passed verification, the requirements for the personal information handler include:

a) it shall respond within 15 working days of receiving the request; where processing the personal information transfer request is unusually complex, the personal information handler may appropriately extend the response period, but the extension shall not exceed two months from receipt of the request; and

b) where the requester submits multiple personal information transfer requests within 30 days, the last request to exercise the right shall be treated as the valid request, and the processing period shall be recalculated starting from the time of that last request. Between the time a response is given to the requester and the completion of processing, the personal information handler need not respond further to requests from the same requester.

Article 17 (Processing of Requests — Declining Requests). The requirements for a personal information handler declining a personal information transfer request include the following:

a) the personal information handler may decline a corresponding transfer request where it finds that the request falls under any of the following circumstances:

  1. it does not fall within the scope of application prescribed in Chapter 6;

  2. it does not satisfy the conditions for exercise prescribed in Chapter 7;

  3. it fails the verification prescribed in Article 15; or

  4. it is a repeat application for personal information transfer without reasonable grounds; and

b) when declining a personal information transfer request, the personal information handler shall inform the requester, in clear language, of the following matters: the reason for not responding to the request; and the possibility of the personal information subject lodging an appeal and the channel for doing so, among other matters.

Article 18 (Processing of Requests — Fees for Processing Requests). As a general matter, the personal information handler shall not charge a fee for a personal information transfer request. However, where either of the following circumstances applies, the personal information handler may charge a reasonable fee within the scope of the cost incurred in responding to the request:

a) the personal information transfer request being responded to is not within reasonable limits; or

b) the personal information handler and the personal information recipient need to additionally execute a personal information transfer agreement.

Article 19 (Data Format for Personal Information Transfer). When transferring personal information, the data shall be provided in a structured and machine-readable format, and the data shall be able to accurately represent the content of the personal information. Unless otherwise specially provided by an industry or sector, the personal information shall be provided using open, general-purpose formats such as CSV, XML, and JSON; where a special format is required by special provisions of an industry or sector, the personal information shall be provided in a manner that satisfies the structured and machine-readable requirements.

Article 20 (Export of Personal Information — Method of Export). The requirements for a personal information handler exporting the personal information involved in a personal information subject’s request include:

a) where technically feasible, the personal information handler may directly provide the personal information involved in the request, or provide an automated tool (such as an SFTP server or web portal) that can extract the personal information involved in the request (Note: personal information shall be exported and provided in electronic format, unless the personal information subject requests otherwise); and

b) where personal information such as photographs or videos of large size or in large quantity is being transmitted, it should be provided by way of export through a third-party secure access interface.

Article 21 (Export of Personal Information — Security Safeguards for Exported Personal Information). The security requirements for personal information exported by the personal information handler include:

a) the personal information handler shall adopt appropriate measures to safeguard the security of personal information transmission;

b) the personal information handler shall adopt appropriate measures to confirm that the personal information has been transmitted to the personal information recipient designated by the personal information subject; and

c) the personal information handler shall clearly inform the personal information subject of the relevant security risks.

Article 22 (Export of Personal Information — Explanation of Exported Personal Information). Where the personal information subject has a reasonable doubt regarding the content, type, or quantity of the exported personal information, the personal information handler shall give a reasonable explanation.

Article 23 (Import of Personal Information — Legality Requirement). The legality requirements for a personal information recipient importing personal information include:

a) when importing the personal information involved in a transfer request, the personal information recipient shall confirm that it has a lawful basis for processing that personal information, and that its subsequent processing of the imported personal information will not adversely affect the lawful rights and interests of any other person; and

b) for imported personal information that does not satisfy the conditions above, the personal information recipient shall delete it as soon as possible.

Article 24 (Import of Personal Information — Purpose Limitation on the Processing of Other Persons’ Information). Where the imported personal information involves the personal information of another person, the personal information recipient shall not process that other person’s personal information beyond the scope of that person’s authorization or beyond statutory grounds — for example, pushing information to individuals or conducting commercial marketing by means of automated decision-making beyond the scope of authorization.

Chapter 9. Requirements for Personal-Information-Subject-as-Intermediary Transfer

Article 25 (Requirements for Personal-Information-Subject-as-Intermediary Transfer). The requirements for this transfer model are as follows:

a) the personal information handler shall complete verification of the request within 15 working days of receiving the personal information transfer request, and shall clearly inform the personal information subject of the verification result; where the personal information transfer request fails verification, the personal information handler shall clearly explain the reason for the failure;

b) for a personal information transfer request that has passed verification by the personal information handler, the personal information handler shall, within 15 working days, provide the personal information to be transferred to the personal information subject in a machine-readable format;

c) after receiving the personal information import request, the personal information recipient shall complete identity verification of the personal information subject within 15 working days; and

d) the personal information recipient shall complete processing of the personal information import within 15 working days and shall clearly inform the personal information subject of the result of the processing. Where the import of personal information fails, the personal information recipient shall clearly explain to the personal information subject the reason why it was not completed.

Chapter 10. Requirements for Personal-Information-Handler-as-Intermediary Transfer

Article 26 (Requirements for Personal-Information-Handler-as-Intermediary Transfer). The requirements for this transfer model include:

a) after the personal information subject initiates a personal information transfer request to the personal information handler, the personal information handler shall complete verification of the request within 15 working days of receiving the personal information subject’s request;

b) where the personal information transfer request fails verification, the personal information handler shall clearly explain the reason for the failure;

c) for a personal information transfer request that has passed verification, the personal information handler shall, within 15 working days, provide the personal information to be transferred directly to the personal information recipient in a machine-readable format, and shall simultaneously transfer the verification information relating to the request; and

d) within 15 working days of receiving the transferred personal information, the personal information recipient shall complete processing of the personal information import and shall clearly inform the personal information subject of the import result. Where the import of personal information fails, the personal information recipient shall also clearly explain the reason why processing was not completed.

Chapter 11. Requirements for Automated Processing of Personal Information Transfer

Article 27 (Automated Processing). Where technically feasible, a personal information transfer request may be implemented by automated processing. Specific methods include:

a) the personal information handler responds to the personal information transfer request by automated means; and

b) the transferred personal information is transmitted directly between different personal information handlers by automated means.

Chapter 12. Requirements for Processing Personal Information Transfer Requests of Minors Under the Age of 14

Article 28 (Requirements for Minors Under 14). The requirements concerning a request to transfer personal information made in respect of a minor under the age of 14 include the following:

a) the personal information handler shall formulate rules for processing minors’ personal information that are suited to minors’ understanding, so that minors fully understand their rights. The rules for processing minors’ personal information shall explain the procedure for minors to exercise the right to personal information transfer, and appropriate safeguard measures shall be adopted to protect minors’ rights and interests; and

b) where a minor under the age of 14 submits a request to transfer personal information, the personal information handler shall:

  1. confirm that the request to transfer the personal information has been consented to by the minor’s parents or other guardian;

  2. taking into account the minor’s interests, remind the minor’s parents or other guardian that the transfer of the personal information will not have an adverse impact on the minor; and

  3. when transferring the personal information, remind the personal information recipient that the information being transferred is the personal information of a minor.

Chapter 13. Requirements for Processing Personal Information Transfer Requests Involving Third Parties

Article 29 (Requirements Involving Third Parties). Where the personal information handler has already provided the personal information involved in a transfer request to a third party by way of sharing, entrustment, or another arrangement, the personal information handler shall:

a) inform the personal information subject of the type and quantity of personal information provided to the third party; and

b) inform the personal information subject of the third-party processor’s name (or the name of the individual), contact information, processing purpose, processing method, the categories of personal information involved, and the method and procedure for exercising the right to personal information transfer against the third party, among other matters.

Chapter 14. Requirements for Processing Personal Information Transfer Requests Involving Cross-Border Provision

Article 30 (Requirements for Overseas Recipients). Where the personal information recipient designated by the personal information subject is located outside the territory of the People’s Republic of China, the personal information handler shall:

a) clearly inform the personal information subject of the legal risks of the cross-border transfer of personal information;

b) ensure that the transfer of personal information complies with the relevant requirements of China’s data export security administration regime; and

c) where it cannot ensure that the transfer of personal information complies with the relevant requirements of China’s data export security administration regime, clearly inform the personal information subject of this fact and provide the personal information subject with a means of obtaining a copy of the personal information.

Bibliography

[1] GB/T 39335—2020, Information Security Technology — Guide for Personal Information Security Impact Assessment

[2] ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework

[3] EU General Data Protection Regulation, 2016

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →