China’s Personal Information Protection Law (PIPL) has strict rules around cross-border data flows and the Standard Contractual Clauses (SCCs) are one of three permissible ways to export personal data out of China.

The SCC is a legal mechanism to regulate the transfer of personal information from Mainland China to overseas recipients. It’s similar to data transfer tools under the GDPR but China's SCCs have rigid eligibility thresholds, a government filing requirement, and extensive obligations for overseas recipients.

*Disclaimer: This guide is intended for informational purposes only and does not constitute legal or regulatory advice. Chinafy is not a legal or corporate advisory entity. Given that legal obligations vary by business type and context, we recommend consulting with qualified legal counsel for advice specific to your organization. If needed, Chinafy can connect you with one of our experienced legal partners.

TL;DR: China’s Standard Contractual Clauses (SCCs) provide a structured pathway for personal data exports under the PIPL, but only for entities that fall below specific thresholds. The process includes completing a fixed-template contract, conducting a mandatory data protection assessment (PIPIA), and filing with the Cyberspace Administration of China (CAC). These clauses impose binding responsibilities on both Chinese data exporters and overseas recipients, and differ significantly from their EU counterparts in legal scope, governance, and enforceability.

In this guide, we’ll cover how the SCC clauses work, who can use them, and how they compare to other global and domestic mechanisms.

What are China’s SCCs and what is their purpose?

China’s Standard Contractual Clauses – also referred to as the PRC Standard Contract – are part of the Personal Information Protection Law (PIPL), aimed at enabling compliant cross-border personal data transfers.

China’s SCCs are one of three legal mechanisms under the PIPL:

CAC Security Assessment

Personal Information Protection Certification

Standard Contract (SCC)

The SCC’s core purposes include:

Protecting individual privacy rights for exported personal data.

Ensuring data security in cross-border transfers.

Promoting the regulated free flow of data, which is crucial for international business.

Who can use China’s SCCs?

China’s SCC mechanism is available to personal information processors (the PIPL term for an entity that decides why and how personal data is handled, akin to data controllers under GDPR), but only if they meet specific thresholds. A company can use SCCs only if the following are true:

They are not a Critical Information Infrastructure Operator (CIIO) (businesses in China that manage systems essential to national security, the economy, or public welfare).

They process the personal data of fewer than 1 million individuals.

They have not exported personal data of more than 100,000 individuals since January 1 of the preceding year.

They have not exported sensitive personal data of more than 10,000 individuals in the same timeframe.

Although the SCC eligibility criteria is the same for every industry, industries with large-scale data processing, sensitive data, or CIIO status (e.g., finance, telecom, healthcare, tech) are less likely to qualify due to their operational realities.

If any of the above conditions are not met (e.g., the organization is a CIIO or exceeds any of the data volume thresholds), the SCCs cannot be used, and a CAC-led security assessment is required instead.

What are the compliance steps for using China SCCs?

To use China’s SCCs, organizations tend to follow a defined regulatory process:

Conduct a Personal Information Protection Impact Assessment (PIPIA):

The PIPIA must be carried out before the SCC takes effect and refreshed whenever there is a material change in the processing activity (regulators generally view a PIPIA that is less than three months old as current).

Evaluates data handling practices, foreign legal environments, and security safeguards.

Execute the China Standard Contract:

A non-modifiable standard text with fill-in fields and optional supplementary clauses.

File with the local Cyberspace Administration of China (CAC):

Submit the SCC and PIPIA report within 10 working days after contract activation.

Although CAC calls this step a simple ‘filing,’ officials typically examine the submission, may ask follow‑up questions, and can reject or request revisions before accepting it.

All documentation must be submitted in Chinese, and detailed disclosures on data transfers are mandatory.

What’s inside China’s SCC and can it be modified?

The China SCC is a fixed template, not open to textual changes and is in this way, similar to the EU’s SCCs. China’s SCC includes:

Fillable fields and a choice of dispute resolution methods either via a Chinese court or through international arbitration.

Supplementary clauses (if they don’t conflict with the core terms).

The fact that it must be governed by PRC laws.

Crucially, data subjects are recognized as third-party beneficiaries, enabling them to pursue legal claims in Chinese courts.

What are the obligations and risks for parties?

Both the Chinese data exporter and the overseas recipient assume specific legal responsibilities:

Overseas recipients must:

Agree to CAC supervision, including potential audits.

Notify the Chinese partner and authorities in the event of data breaches.

Inform the Chinese party if approached by foreign courts or governments for data.

Under the SCCs, any onward transfer by the overseas recipient must itself comply with PRC standards, meaning consent (where required) is properly secured and equivalent contractual safeguards are put in place with any downstream third party.

Chinese controllers can suspend transfers if the foreign recipient violates contract terms or cannot comply due to foreign laws.

How do China’s SCCs compare to EU SCCs and other mechanisms?

Key differences vs. EU SCCs include:

China SCCs apply to controller-to-controller transfers only, unlike the EU’s SCCs which can be tailored to different transfer scenarios.

China mandates regulatory filing, unlike the EU.

China SCCs are governed strictly by PRC law, and allow court access for data subjects.

Onward transfer conditions and PIPIA requirements are more stringent than their EU counterparts. Conditions include new contracts, potential re-consents, and mandatory regulatory filings. This affects industries differently based on data volume and complexity, with tech and healthcare facing greater challenges due to their reliance on global data-sharing networks.

Multinationals using multiple SCC frameworks must invest in harmonizing obligations across jurisdictions.

Chinafy collaborates with specialized partners, such as Lianwei Pancloud and MS Advisory who can offer insight into regulatory trends and compliance considerations.

Get in touch with Chinafy today to better understand the next steps for your company’s website and data in China.