Chapter III Rules for Cross-border Provision of Personal Information
Article 40
Translation Notice
This is an unofficial English translation prepared for general informational purposes only. It does not constitute legal advice. In case of any discrepancy, the official Chinese text published by the competent authority shall prevail.
本文为非官方英文翻译,仅供一般信息参考,不构成法律意见。如与主管机关发布的中文正式文本不一致,以中文正式文本为准。
Chinese Original
第四十条 关键信息基础设施运营者和处理个人信息达到国家网信部门规定数量的个人信息处理者,应当将在中华人民共和国境内收集和产生的个人信息存储在境内。确需向境外提供的,应当通过国家网信部门组织的安全评估;法律、行政法规和国家网信部门规定可以不进行安全评估的,从其规定。
English Translation
Critical information infrastructure operators and personal information processors that process personal information in quantities reaching the threshold prescribed by the national cyberspace administration shall store within the territory personal information collected and generated within the territory of the People's Republic of China. Where it is truly necessary to provide such personal information outside the territory, they shall pass the security assessment organized by the national cyberspace administration. Where laws, administrative regulations, or the national cyberspace administration provide that a security assessment is not required, those provisions apply.
Plain English Note
Site explanation only. Not part of the translation.
Article 40 imposes domestic storage and security assessment obligations on critical information infrastructure operators and threshold-scale personal information processors.