Compliance of Cross-border Data Transfers

In the development of Internet industries such as cloud computing, big data, Internet of Things, artificial intelligence and blockchain, enterprises have a great demand for cross-border data transfers in the course of their daily business. Cross-border data transfers have increased due to the need for unified global management and the R & D, production and promotion of multinational companies. Regulatory frameworks for data localization and cross-border transfers have been developed and improved in various jurisdictions around the world, including China. With the promulgation in China of the Cyber Security Law, the Data Security Law, the Personal Information Protection Law, the Security Assessment Measures for  Data Cross-border Transfers and other relevant laws, regulations and national standards, a management system for the cross-border transfer of important data and personal information has been established in China. However, many countries still lack sound systems and detailed requirements for cross-border data transfers, and enterprises are faced with great challenges brought about by this uncertainty.


JunHe has advised many clients in various industries regarding their cross-border data transfers. Based on regulatory requirements, corporate practices and the analysis of legislation and enforcement trends, JunHe can assist clients to implement cross-border data compliance work in a regulatory environment faced with great challenges. The work for cross-border data transfer compliance can lay the foundation for companies to establish a comprehensive and complete network security and data protection compliance system to cope with increasingly stringent security compliance regulatory requirements.


JunHe provides the following services in data cross-border transfer compliance:


Assist companies on data mapping to sort out the data cross-border transfer scenarios


We suggest that companies conduct a comprehensive review and evaluation of their data transfer situation. Our specific work includes:


  • unHe to prepare a due diligence checklist on data cross-border transfer compliance.

  • Company to arrange and coordinate with the relevant departments both home and abroad to reply to the DD checklist and designate contact persons for the relevant departments in the project.

  • JunHe to assist company to sort out data cross-border transfer scenarios according to the DD result and follow-up interviews,such as the type, nature and volume of the data transfer, the purpose and method of the data transfer, the business scenario involved, the data transfer link, and the overseas recipients involved.


Cross-border Data Transfer Compliance Paths (Three Paths: Security Assessment, Standard Contract, Personal Information Protection Certification)


Based on the sorted data cross-border transfer scenarios and in accordance with laws and regulations, a preliminary evaluation will be made on the scale, scope, quantity and nature of data to be exported so as to determine the compliance path and make suggestions for the data transfer, such as:


  • Whether the data transfer triggers a security assessment, and if a security assessment is triggered, how to make applications

  • If the data transfer doesn’t trigger a security assessment, which compliance path should be chosen

  • If the standard contract is chosen as the data transfer compliance path, with which overseas recipients should a standard contract be signed, and how to sign the standard contract

  • How to carry out a personal information protection impact assessment and the action plan for such assessment

  • If the certification path is chosen, then the certification schemes and solutions and the compliance work needed to complete the certification shall be confirmed


Assist companies to carry out cross-border data transfer implementation work


Security Assessment


JunHe can assist companies to complete security assessment work of cross-border data transfer, such as :


  •  Make supplemental summaries required for a security assessment according to the  preliminary results of the cross-border data transfer of companies

  • Assist companies to complete self-assessment of cross-border data transfer and prepare self-assessment report

  • Provide legal opinions and assist with rectifications in respect to compliance gaps discovered during self-assessment

  • Prepare and sign data transfer agreements and documents

  • Assist in the preparation of application materials to be submitted to the relevant regulatory authorities, such as the self-assessment report, the data transfer agreement and other application materials

  • Communicate and coordinate with regulatory authorities and assist in obtaining approval from the regulatory authorities


Standard Contract


  • JunHe can assist companies to complete compliance work for the standard contract path:

  • Make supplemental summaries required for personal information protection impact assessment according to the results of preliminary results of the cross-border data transfer of companies

  • Assist companies to complete personal information protection impact assessment and prepare assessment report

  • Provide legal opinions and assist with rectifications in respect to compliance gaps discovered during impact assessment

  • Supplement and assist companies to sign the standard contract;

  • Assist in the preparation of documents required for filing, including personal information protection impact assessment report and standard contract

  • Assist in completing personal information protection impact assessment and filing standard contract


Personal Information Protection Certification


JunHe can assist companies to complete personal information protection certification. Services include assisting companies to confirm with the certification agency regarding the implementation plan and procedures of certification, analyze the compliance gaps in the current personal information transfers according to the requirements of personal information protection certification, and put forward rectification suggestions and assist in completing rectification, so as to comply with the personal information protection certification requirements.


Follow up on the development and implementation of future regulations and national standards


It is advisable for company to pay close attention to the revision of data export regulations and national standards and the implementation rules released by relevant regulatory authorities. JunHe could assist in the interpretation and analysis of relevant legislative and regulatory changes and trends.

Recent Representative Cases

  • Assisted several well-known multi-national corporations to carry out cross-border data transfer security assessments;


  • Assisted several industry leading multi-national corporations to carry out cross-border data flow compliance assessments, data export impact assessments, and assisted in the negotiation and drafting of cross-border data transfer agreements.