Personal Information Protection Law of the People's Republic of China: Article 38

English Translation

Where a personal information processor truly needs to provide personal information outside the territory of the People's Republic of China for business or other needs, it shall meet one of the following conditions: (1) it has passed the security assessment organized by the national cyberspace administration in accordance with Article 40 of this Law; (2) it has obtained personal information protection certification from a professional institution in accordance with the provisions of the national cyberspace administration; (3) it has concluded a contract with the overseas recipient according to the standard contract formulated by the national cyberspace administration, agreeing on the rights and obligations of both parties; or (4) other conditions provided by laws, administrative regulations, or the national cyberspace administration. Where international treaties or agreements concluded or acceded to by the People's Republic of China contain provisions on the conditions for providing personal information outside the territory of the People's Republic of China, those provisions may be followed. The personal information processor shall take necessary measures to ensure that the overseas recipient's processing of personal information reaches the personal information protection standards provided by this Law.