New Guide for Cross-Border Personal Data Transfers in the GBA: A Roadmap for Compliance and Security

Written by Giulia Interesse. Reading time: 6 minutes

The Technical Committee for Information Security Technology (TC260) has released a new guide to standardize cross-border personal data transfers between the Chinese Mainland and Hong Kong within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA). This guide introduces enhanced security standards and mutual recognition mechanisms, aiming to facilitate smoother data flows while ensuring robust protection of personal information.


On November 21, the Technical Committee for the Standardization of Information Security Technology (TC260) released a new Cybersecurity Standards Practice Guide (hereinafter, the “Guide”) outlining requirements for cross-border personal information processing and protection within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA).

The Guide provides a framework for businesses and organizations transferring personal data between the Chinese Mainland and Hong Kong, focusing on security standards and mutual recognition mechanisms. It offers a pathway for voluntary certification and inclusion in the “Greater Bay Area Cross-Border Personal Data Transfer Recognition List,” managed by Hong Kong’s Privacy Commissioner.

This article breaks down the Guide’s key provisions and its practical implications for businesses and investors operating in the GBA.

Background: Developments in data transfer rules in the GBA

Cross-border data transfers (CBDT) have become a key focus in the GBA as the region works to enhance economic integration while addressing data protection challenges. Since December 2023, facilitation measures have been in place to streamline personal data transfers between nine Mainland GBA cities—Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, and Zhaoqing—and Hong Kong.

These measures aim to harmonize the varying regulatory frameworks within the region, particularly between the Chinese Mainland and Hong Kong.

Hong Kong, however, lacks specific rules governing the transfer of personal data outside its jurisdiction, raising questions about the extent to which businesses in Hong Kong would engage with these GBA measures. By contrast, the Chinese Mainland’s Personal Information Protection Law (PIPL) imposes stringent restrictions on cross-border data transfers. The GBA measures marked a significant step forward by relaxing some of these restrictions for transfers from Guangdong to Hong Kong, reflecting efforts to balance security with business practicality.

A major regulatory development followed on March 22, 2024, when the Cyberspace Administration of China (CAC) issued the New CBDT Rules.

These rules, introduced after consultations on a draft released in September 2023, addressed concerns from businesses about the burdensome requirements under the previous framework. The New CBDT Rules substantially eased restrictions on cross-border transfers, signaling a more business-friendly approach while maintaining robust data security standards.

Building on this momentum, the latest Guide announcement introduces detailed requirements for cross-border data transfers between the Chinese Mainland and Hong Kong within the GBA. The Guide represents a further refinement of the region’s regulatory framework, offering clearer guidance for businesses navigating cross-border data flows.

What is the scope of the Guide?

The Guide sets out the principles and requirements for personal information processors and recipients in the GBA to enable cross-border data transfers between the Chinese Mainland and Hong Kong through a security mutual recognition mechanism. It provides a framework for certification (for entities in the Chinese Mainland) and recognition (for entities in Hong Kong) of cross-border personal information security within the GBA.

The Guide specifically outlines provisions related to:

  • Entities in the GBA that voluntarily apply for cross-border personal information security certification in accordance with relevant mutual recognition documents.
  • Entities in Hong Kong that voluntarily apply to join the “Greater Bay Area Cross-Border Personal Data Transfer Recognition List” maintained by the Office of the Privacy Commissioner for Personal Data (PCPD).

Personal information classified as critical data by relevant authorities or regions is excluded.

Notably, GBA Personal Information Processors or Recipients are defined as:

  • Organizations registered, or individuals located, in the Mainland GBA cities (Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen, Zhaoqing) or Hong Kong.

What are the personal information processing requirements?

The Guide establishes detailed requirements for the processing of personal information within the GBA. These requirements reflect the principles of local compliance and responsible data handling, providing a framework that aligns with both the Chinese Mainland’s PIPL and Hong Kong’s Personal Data (Privacy) Ordinance (PDPO).

Below is an overview of the key provisions.

Legal basis for personal information processing

In Mainland GBA cities, processing personal information is permitted under any of the following conditions:

  • Consent has been obtained from the individual;
  • The processing is necessary for the execution of a contract to which the individual is a party or for HR management under legally established regulations;
  • Compliance with legal or statutory obligations;
  • Protection of public health during emergencies or safeguarding the life, health, or property of individuals in urgent situations;
  • Actions in the public interest, such as news reporting or public oversight, within reasonable bounds;
  • Processing information that has been voluntarily or legally disclosed by the individual; and
  • Other scenarios stipulated by laws or regulations.

In Hong Kong, processing must comply with the PDPO.

Personal information collection

When collecting personal information, organizations must:

  • Clearly inform individuals about the purpose, scope, and methods of data collection, as well as the types of personal information being collected.
  • Publish clear and comprehensible rules for handling personal information, disclosing:
    • The name and contact details of the data processor.
    • The purpose, method, and types of personal information being processed.
    • Data retention periods and any third-party sharing arrangements.
    • The rights of individuals and how they can exercise them.
  • Ensure consent is informed, voluntary, and explicit where required.
  • Obtain parental or guardian consent for processing data of minors:
    • Mainland: Required for individuals under 14 years old.
    • Hong Kong: Required for individuals under 18 years old.
  • Avoid denying services solely because of non-consent, except where the processing is essential to the service.

Storage, use, and processing

Personal information storage and usage must be conducted responsibly:

  • Data retention should not exceed the minimum time necessary to fulfill the purpose of processing.
  • Changes to the purpose, method, or scope of data processing require renewed consent.
  • Data used for commercial marketing requires individual consent and disclosure of the purpose and types of information processed.

Automated decision-making systems must allow individuals to opt out of personalized processing or provide alternative options.

Delegation and disclosure

When delegating processing or sharing personal information:

  • Contracts must define the processing purpose, duration, methods, and protections.
  • Individuals must be informed of the recipient, purpose, and nature of the data shared. Consent must be obtained unless otherwise stipulated by local laws.

Public disclosure of personal information requires appropriate technical measures, such as anonymization, to mitigate risks.

What are the cybersecurity rights requirements?

Personal information subject rights

Personal information subjects are entitled to the following rights under local laws:

  • Access and copying: Individuals have the right to access and obtain copies of their personal information being processed.
  • Correction and supplementation: If personal information is inaccurate or incomplete, individuals may request corrections or additions.
  • Explanation of processing rules: Individuals can request explanations of how their personal information is processed unless excluded by local regulations.
  • Deletion of personal information: Individuals may request deletion of their personal information under specific conditions, such as when the processing purpose has been fulfilled or is no longer necessary, or when the processing violates applicable laws or agreed-upon terms. Local regulations may define exceptions to this right.

Ensuring personal information rights

To facilitate the exercise of these rights, processors must:

  • Provide accessible channels for individuals to request access, copies, corrections, additions, deletions, or to refuse further processing of their information.
  • Establish a mechanism for receiving and processing requests, responding promptly within timeframes specified by local laws. Any refusal to honor requests must be accompanied by a clear explanation.
  • If deletion is not feasible due to unexpired retention periods or technical constraints, processors must cease further processing, apart from necessary storage and security measures.
  • If notified by regulatory authorities of risks to individuals’ rights, national security, or sovereignty due to cross-border data flows, processors must immediately halt such activities and notify all relevant parties.

Personal information security requirements

Organizations must implement rigorous measures to safeguard personal information against unauthorized access, modification, destruction, or misuse:

  • Appointing a protection officer: Assign a dedicated personal information protection officer to oversee processing activities and security measures.
  • Developing security policies: Create comprehensive personal information security management policies and procedures, with regular employee training.
  • Sensitive data protection: Apply encryption and other security measures when transmitting or storing sensitive information, including biometric, financial, medical, and minor-related data.
  • Access restrictions and confidentiality: Limit operational access to personal information, especially sensitive data, and require relevant personnel to sign confidentiality agreements.
  • Technical safeguards: Utilize encryption, de-identification, access controls, identity verification, and security audits to prevent unauthorized access or data breaches.
  • Incident response and notification: Prepare an emergency response plan for data breaches or other security incidents. Immediately take remedial action in the event of a breach and notify local regulatory authorities. Inform affected individuals as required by local laws, including details on the type of data involved, causes, measures taken, and recommendations for mitigating potential risks.

These measures collectively reinforce the protection of personal information, ensuring compliance with local regulations while mitigating risks associated with cross-border and domestic data processing.


About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.
