On this page
    • On this page

    16 October 2023

    Chinese Standard Contractual Clauses – what to consider as a recipient of personal data from China

    • Quick read

    What are the Chinese standard contractual clauses?

    Comparable to the requirements of the GDPR, Chinese data protection law also contains requirements for the transfer of data from China to third countries. The available transfer mechanisms include the Chinese Standard Contractual Clauses (“Chinese SCCs”).

    For whom apply the Chinese Standard Contractual Clauses?

    The Chinese SCCs are designed to safeguard data transfers from China to third countries, meaning all countries outside of China. Accordingly, the Chinese SCCs are also relevant for international companies that receive data from China, e.g. in the context of group data transfers or if your company provides services to companies in China.

    When do the Chinese Standard Contractual Clauses apply?

    The Chinese SCCs have already come into force on June 1, 2023. The implementation period for the Chinese SCCs ends by the end of November 2023.

    What do I have to do if a Chinese exporter wants to conclude the Chinese Standard Contractual Clauses with my company?

    The Chinese SCCs are roughly based on the structure of the European Commission's standard contractual clauses (“EU SCCs”), but differ in the details. Signing the Chinese SCCs is therefore not enough for the data importer. Rather, the Chinese SCCs provide for various obligations for data importers that only partially correspond to those from the GDPR or the EU SCCs. Consequently, before signing the Chinese SCCs, data importers must adapt or, if necessary, re-implement internal processes in order to comply with the requirements of the Chinese SCCs. Furthermore, there are formal peculiarities when signing the Chinese SCCs.

    What are the sanctions?

    Chinese data protection law provides for fines of up to 5% of the previous year's turnover for violations of the standards on third-country transfers. This makes the potential fines even larger than under the GDPR, where the maximum amount is 4% of the previous year's turnover.

    If you have any questions, please do not hesitate to contact us.

    Wiebke Reuter, LL.M. (London)

    Senior Associate

    D +49 30 885636 0
    Berlin
    View profile

    Dr. Paul Voigt, Lic. en Derecho, CIPP/E

    Partner

    D +49 30 885636 0
    Berlin
    View profile
    Services and Groups Data protection & cyber
    Call To Action Arrow Image

    Latest insights in your inbox

    Subscribe to newsletters on topics relevant to you.

    Subscribe
    Subscribe

    Related Insights

    Data protection & cyber

    The Data Act – Important new obligations for all cloud and edge services

    26 January 2024
    Briefing

    by Dr. Paul Voigt, Lic. en Derecho, CIPP/E and Richard Gläser

    Click here to find out more
    Data protection & cyber

    Political agreement on the CRA

    1 December 2023
    Quick read

    by Dr. Paul Voigt, Lic. en Derecho, CIPP/E and Alexander Schmalenberger, LL.B.

    Click here to find out more
    Data protection & cyber

    Stricter IT security requirements in the healthcare sector

    5 September 2023
    Briefing

    by Dr. Paul Voigt, Lic. en Derecho, CIPP/E and Alexander Schmalenberger, LL.B.

    Click here to find out more

    © Taylor Wessing