Sending Data Out of China: 2025 Exemptions for HR & Contracts

Updated Nov 20, 2025
  • The CAC's 2025 FAQ softens outbound data rules for common B2C and HR scenarios, but it does not weaken controls on "important data" or large-scale datasets.
  • Under the "contract performance" exemption, you can send personal data abroad without a CAC security assessment or Standard Contract filing if the transfer is strictly necessary to perform a contract with the individual (for example, travel bookings or cross-border e-commerce delivery).
  • Under the "HR management" exemption, you can transfer employee data from China to global HQ for payroll, benefits, and routine HRIS purposes without a CAC Standard Contract filing, provided the transfer is necessary, proportionate, and not for marketing or external analytics.
  • Data classified as "important data" remains subject to security assessments and cannot rely on these new exemptions; sector catalogues and data classification exercises are still critical.
  • Foreign companies should redesign data-mapping, contract templates, and internal approval workflows to route qualifying transfers through the new exemptions while reserving traditional mechanisms for high-volume or high-risk data.
  • Enforcement focus is shifting toward unregistered large-scale exports, misuse of exemptions, and sectors with critical infrastructure or high geo-location and financial data concentrations.

What is the current legal framework for media, technology and telecoms data in China?

The core rules for data and outbound transfers in China sit in three national laws - the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law - and a web of CAC measures and sector regulations. The 2025 CAC FAQ does not replace these laws; it explains how existing exemptions apply in practice, especially for contract performance and HR management transfers.

For media, technology, and telecoms (MTT) players, several layers matter at once:

  • Foundational statutes:
    • Cybersecurity Law (CSL): network operators, critical information infrastructure (CII), security obligations.
    • Data Security Law (DSL): "important data" concept, data classification, national security orientation.
    • Personal Information Protection Law (PIPL): lawful bases, cross-border transfers, data subject rights.
  • CAC outbound transfer regime (key for foreign companies):
    • Security Assessment Measures for Outbound Data Transfers (CAC): triggers for mandatory assessment.
    • Standard Contract Measures for Outbound Personal Information (CAC): template clauses and filing rules.
    • Certification route for cross-border processing, mainly for intra-group transfers via certified institutions.
  • Sectoral rules:
    • MIIT regulations for telecoms and internet platforms.
    • NBDS, NMPA, CBIRC, PBOC rules in broadcasting, health, insurance, and financial services.
  • Supervisory authorities:
    • CAC - lead regulator for cybersecurity and data export controls.
    • MIIT, SAMR, sector regulators - product compliance, apps, telecoms, and industry-specific enforcement.

Before the 2025 FAQ, outbound data rules were perceived as near-blanket "data localization by default." The FAQ aligns enforcement with commercial reality by emphasizing two existing PIPL legal bases - contract performance and HR management - as operational exemptions from some outbound transfer procedures.

When can you export personal data under the "contract performance" exemption in China?

You can rely on the "contract performance" exemption when sending personal data abroad is objectively necessary to fulfill a contract with the individual, and the transfer is limited to what the contract reasonably requires. According to the 2025 CAC FAQ, such transfers do not require a CAC security assessment or Standard Contract filing if they do not involve important data or large-scale exports.

Core legal logic

  • PIPL lawful basis: Article 13 PIPL recognizes "conclusion or performance of a contract to which the individual is a party" as a lawful basis to process personal information.
  • Outbound transfer overlay: Article 38 PIPL and CAC measures introduced extra outbound formalities (security assessment, Standard Contract, or certification).
  • 2025 FAQ clarification: For contract performance scenarios directed at an individual, the FAQ clarifies that:
    • No CAC security assessment is required solely due to cross-border transfer.
    • No Standard Contract filing is required for these specific transfers.
    • General PIPL obligations (transparency, security, access rights) still apply.

Typical scenarios that usually qualify

These examples align with the FAQ's practical intent and existing PIPL wording, assuming transfers are limited to what is necessary.

  • Travel and hospitality:
    • Chinese customer books a hotel abroad on your platform; you send name, contact details, booking dates, and preferences to the overseas hotel.
    • Airline or OTA shares passenger information and itinerary with foreign carriers or partners to issue tickets and provide services.
  • Cross-border e-commerce:
    • Platform in China sends buyer address and contact information to an overseas seller or logistics provider to deliver goods.
    • After-sales services such as returns or warranty handled by overseas merchants using buyer data.
  • Consumer SaaS and digital content:
    • App in China gives an overseas SaaS provider user account details to provide a paid subscription service chosen by the user.
    • Streaming or gaming services where user data must reach non-China servers to enable access to purchased content.
  • Payment and settlement directly tied to the contract:
    • Transfer of cardholder data to overseas payment processors for a specific transaction initiated by the individual.

Key conditions you must satisfy

To safely rely on the contract performance exemption, foreign-invested MTT businesses should build a checklist around four pillars.

  1. Necessity
    • The service cannot reasonably be delivered without sending the data abroad.
    • If onshore processing or anonymization can achieve the same result, the exemption is weaker.
  2. Scope limitation
    • Transfer only data points that are functionally required (for example, no full profile when only name and contact are needed).
    • Do not bundle extra analytics, profiling, or unrelated marketing purposes into the same transfer.
  3. Purpose alignment
    • The overseas recipient must use the data only to perform that contract or closely related after-sales tasks.
    • Secondary use by the overseas entity (for example, broad advertising) breaks the exemption and triggers full outbound requirements.
  4. No "important data" element
    • The dataset must not contain categorized important data as defined under DSL, sector catalogues, or security assessments.
    • If any part of the transfer is "important data," you revert to the full security assessment route.

What still requires a contract and DPIA, even if exempt from CAC filing

The FAQ reduces procedural steps with the CAC but does not create a compliance-free zone. Companies should still do the following for each contract performance export:

  • Data protection impact assessment (DPIA) focused on:
    • Purpose and necessity.
    • Data categories and volumes.
    • Overseas legal environment and security controls.
  • Contractual safeguards with overseas partners:
    • Purpose limitation to contract performance.
    • Security and breach notification obligations.
    • Deletion or return after completion of the contract.
  • Transparent notices to users, in Chinese, describing:
    • Which categories of data go abroad.
    • Names and locations of key overseas recipients.
    • How to exercise rights such as access or deletion.

Common misuses of the exemption to avoid

  • Using "contract performance" to justify ongoing exports to foreign analytics or ad-tech vendors that are not needed to provide the user-facing service.
  • Aggregating multiple contracts to justify bulk export of historical data, far beyond what is necessary to serve current transactions.
  • Hiding B2B back-end purposes (for example, global profiling, product development) under a thin consumer contract.

How does the "HR management" exemption work for outbound employee data from China?

You can rely on the "HR management" exemption to send employee personal data from China to global HQ or regional hubs for payroll, benefits, performance, compliance, and internal HRIS without using the CAC Standard Contract filing route. The 2025 CAC FAQ confirms that such internal HR transfers, when necessary and proportionate, can bypass Standard Contract filing and in most typical cases also fall below security assessment thresholds.

Where the HR exemption comes from

  • PIPL lawful basis: Article 13 PIPL recognizes processing necessary for "human resources management implemented in accordance with lawfully formulated labor rules and lawfully concluded collective contracts."
  • Outbound dimension: The FAQ interprets this HR lawful basis as covering routine intra-group outbound HR flows that:
    • Serve internal employment management only, and
    • Do not involve important data or extremely large employee populations.

HR activities that usually qualify

Assuming a standard multinational structure and typical headcount, the following use cases often fit the exemption.

  • Global payroll and benefits:
    • Sending salary, tax identifiers, bank account details, and benefits selections to global HQ or regional payroll centers.
    • Health insurance enrollment data sent to overseas group-level benefits managers or brokers.
  • HRIS and talent management:
    • Consolidating basic employee records (ID, role, reporting line, performance ratings) in a global HRIS hosted outside China.
    • Using foreign LMS or performance platforms to track training and evaluation.
  • Compliance and internal investigations:
    • Sharing limited employee data with overseas compliance teams for whistleblowing investigations or sanctions checks, if grounded in internal policies and law.

Conditions for using the HR exemption

  1. Employment context and policies
    • Transfers must be directly tied to the employment relationship or HR management.
    • Company labor rules and privacy notices should clearly describe cross-border HR data flows.
  2. Intra-group and internal use
    • Data should flow to group entities or processors under the group's control, not to unrelated third parties for independent purposes.
    • Overseas recipients use the data for HR only, not for external marketing or product analytics.
  3. Proportionality and minimization
    • Avoid exporting entire mailboxes or large log files unless strictly necessary for a defined HR or compliance purpose.
    • Separate HR data from customer data so "important data" is not mixed into HR transfers.
  4. Volume and sensitivity checks
    • Large employers approaching the CAC assessment thresholds (for example, hundreds of thousands of staff) should validate whether aggregate HR transfers trigger a security assessment.
    • For highly sensitive categories (for example, detailed medical records), run a stricter DPIA and consider additional safeguards.

What the HR exemption does not cover

  • Using employee data for external marketing campaigns managed abroad.
  • Exporting employee-generated customer data or trade secrets to HQ without separating HR and operational roles.
  • Transferring data about contractors, partners, or users and mislabeling it as "HR data."

Operational steps for HR teams

  • Update China employee privacy notices to describe cross-border HR flows and the HR management basis.
  • Embed data minimization standards into HRIS configuration, access control, and report design.
  • Create a global China HR transfer register to show:
    • Which systems hold China HR data abroad.
    • Which entities access it and for which HR purposes.
  • Align with works councils or unions where applicable, to avoid labor-relations friction.

What outbound data transfers still require CAC security assessment or Standard Contract filing?

You must still use CAC security assessment or Standard Contract filing for outbound transfers that do not fall within the clarified contract performance or HR management exemptions, or that meet volume and sensitivity thresholds. In practice, most B2B, platform-level, and analytics-driven exports remain within the full outbound regime.

Security assessment triggers that still apply

According to current CAC measures (as of the latest public texts), you generally need a security assessment if you:

  • Are a critical information infrastructure operator (CIIO) exporting any personal information or important data, or
  • Process personal information of over 1 million individuals and export any of it, or
  • Since 1 January of the current year, have exported either:
    • Personal information of 100,000 individuals or more, or
    • Sensitive personal information of 10,000 individuals or more.

The 2025 FAQ did not revoke those thresholds. It instead clarifies that certain consumer and HR transfers can be carved out before counting against them, if they strictly fit the exemptions.

When Standard Contracts or certification are still needed

Where you do not hit security assessment thresholds but still export personal information, and no FAQ exemption applies, you usually choose between:

  • Standard Contract route: sign the CAC template Standard Contract with overseas recipients and file it with the local CAC branch.
  • Certification route: obtain certification for cross-border processing from a designated body, often for intra-group transfers.

Common outbound use cases that typically still require one of these mechanisms include:

  • Global analytics and profiling:
    • Exporting user logs, behavioral data, and clickstreams from Chinese apps to global data lakes for product analytics or AI training.
  • Global CRM and marketing:
    • Pushing China customer data into a global CRM hosted abroad for segmentation, cross-selling, and lifecycle marketing.
  • Shared IT and support services:
    • Remote administration of Chinese systems by overseas teams with access to production databases containing user data.
  • Cloud and SaaS infrastructure:
    • Architectures where core databases for China users sit on non-China servers without a narrow contract performance link.

What still qualifies as "important data" under Chinese law after the 2025 CAC FAQ?

"Important data" remains a national security and public interest concept under the Data Security Law, covering certain non-personal and mixed datasets with high strategic or security value. The 2025 FAQ does not create any exemption for important data; exports of such data must still go through CAC security assessment and cannot rely on contract performance or HR exemptions.

Legal sources and definitions

  • Data Security Law:
    • Requires a data classification and grading system.
    • Defines "important data" broadly as data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security or the public interest.
  • Sector catalogues and drafts:
    • Some sectors have or are developing important data catalogues (for example, industrial, transport, mapping).
    • Local and pilot catalogues guide enforcement even before nationwide lists are fully finalized.

Typical forms of important data for MTT companies

The following categories often fall into or border on "important data," especially when aggregated:

  • Network and infrastructure data:
    • Detailed topology of communication networks and critical data centers.
    • Traffic statistics and capacity information relating to critical communications.
  • High-precision geo-location and mapping data:
    • Non-public high-accuracy maps, street-level scans, or positioning data tied to sensitive facilities.
  • Large-scale financial and transaction data:
    • Aggregated, granular payment flows across regions or sectors that could reveal systemic patterns.
  • Industrial and IoT operational data:
    • Real-time control data from critical manufacturing, energy, or transport systems.
  • Public opinion and media datasets:
    • Comprehensive, high-frequency datasets on public opinion, media consumption, or content dissemination patterns, especially where they intersect with political or social stability risk.

Why important data cannot use the new exemptions

  • The contract performance and HR exemptions rest on PIPL logic about personal information, not DSL logic about important data.
  • Where data exported under a consumer or HR scenario also contains important data, the important data aspect dominates and triggers full security assessment obligations.
  • For mixed datasets, companies should:
    • Separate important data from ordinary data before export, or
    • Apply the higher standard to the entire export.

Practical steps to manage important data risk

  • Run a data classification project that labels:
    • State secrets (must never be exported).
    • Important data (export only after assessment).
    • Ordinary data (where exemptions or lighter regimes may apply).
  • Engage with industry regulators to interpret sector catalogues and draft lists.
  • Design architectures where important data remains onshore, with only derived, anonymized, or aggregated indicators going abroad where legally permissible.

How should foreign companies operationalize the new CAC exemptions in China?

To use the 2025 exemptions safely, companies should redesign their outbound data governance so that qualifying contract performance and HR flows follow a fast, documented path, while higher risk exports still use Standard Contracts or security assessments. The goal is to reduce unnecessary filings without triggering enforcement for misclassification or over-broad reliance on exemptions.

Step 1: Refresh your China data map and system inventory

  1. Identify data flows:
    • List every system where data about individuals in China is stored or processed.
    • Mark whether each system is located in China or abroad.
  2. Identify transfer paths:
    • Document all regular and ad hoc exports from China to overseas systems, vendors, and group entities.
  3. Tag relevant attributes:
    • Personal vs non-personal data.
    • Potential "important data".
    • Volumes (individual counts) per year.

Step 2: Classify transfers into four buckets

Create an internal taxonomy to decide which compliance route applies.

  • Bucket A - Contract performance transfers:
    • Consumer-facing, transactional, necessary to fulfill a specific user contract.
  • Bucket B - HR management transfers:
    • Internal employee data, necessary for employment and HRIS management.
  • Bucket C - Other personal information transfers:
    • Analytics, product development, marketing, shared IT services, etc.
  • Bucket D - Important data transfers:
    • Any export involving data flagged as important under DSL logic.

Step 3: Define governance rules for each bucket

  • Bucket A (Contract performance):
    • Use a short-form DPIA and checklist on necessity and data scope.
    • Use commercial contracts with tailored privacy clauses, but no CAC Standard Contract filing.
    • Log each class of transfer in a contract performance register.
  • Bucket B (HR management):
    • Use an HR-specific DPIA template.
    • Update global HR policies and handbooks to reflect China cross-border flows.
    • Use intra-group agreements with strong confidentiality and access control clauses.
  • Bucket C (Other personal information):
    • Assess whether security assessment triggers are met.
    • If not, adopt the CAC Standard Contract or certification route and file locally as required.
  • Bucket D (Important data):
    • Prepare for a full CAC security assessment before export.
    • Where possible, re-architect to keep this data onshore.

Step 4: Build internal approval workflows

  • Create a China data export committee (legal, compliance, IT, business) to approve:
    • New cross-border projects.
    • Reclassification of flows into or out of exemption buckets.
  • Integrate approvals into:
    • Vendor onboarding.
    • New product launches.
    • Architecture changes.
  • Automate checks inside your privacy management platform or ticketing system where possible.

Step 5: Train front-line and regional teams

  • Provide short, role-based training for:
    • Product managers on when contract performance applies.
    • HR on the limits of HR management transfers.
    • IT on classifying important data and tracking data volumes.
  • Issue simple one-page decision trees so non-lawyers can spot:
    • When a transfer is clearly exempt, and
    • When to escalate to legal or compliance.

What are typical compliance costs and timelines for China outbound data strategies?

Using the new exemptions usually lowers both time and external costs compared with full CAC filings, but you still face internal project spend on mapping, DPIAs, and contract updates. Broadly, exempt flows can be operationalized in weeks, while security assessments may run for many months.

| Route | Typical use cases | Regulatory interaction | Indicative timeline | Indicative cost range (RMB) |
| --- | --- | --- | --- | --- |
| Contract performance exemption | Travel bookings, cross-border e-commerce delivery, consumer SaaS access | No CAC filing if conditions met; internal DPIA and contracts only | 2-6 weeks to design templates and roll out; then BAU | Internal project: 50,000-200,000; external advice per project: 30,000-150,000 |
| HR management exemption | Payroll, benefits, HRIS, internal investigations | No Standard Contract filing; internal documentation and intra-group agreements | 4-8 weeks to update HRIS, notices, and policies | Internal: 80,000-300,000; external policy/contract review: 50,000-200,000 |
| Standard Contract route | Global CRM, moderate-scale analytics, overseas support centers | Sign CAC template; file with provincial CAC | Internal prep 1-3 months; CAC review often several weeks | Internal: 150,000-500,000; external: 100,000-400,000 per filing |
| CAC security assessment | CIIOs, large platforms, high-volume exports, important data | Formal submission to CAC; potential Q&A and remediation | 3-9+ months including pre-assessment and regulator engagement | Internal: 300,000-1,500,000; external (legal + technical): 300,000-1,000,000+ |
| Onshore processing / localization | Re-architecting to avoid outbound exports of key datasets | No outbound filings; may require other approvals (for example telecoms, cloud) | 6-18+ months depending on system complexity | Capex: 1,000,000+; Opex: vendor and hosting fees ongoing |

Figures above are market-style ranges, not official fees. Many multinationals blend routes, using exemptions for narrow flows, Standard Contracts for mid-risk operations, and localization for the most sensitive datasets.

What risks and enforcement trends should MTT companies expect in China?

Regulators are likely to focus on companies that over-claim exemptions, silently run large-scale exports, or touch important data without proper assessment. For MTT players, risk spans administrative fines, business disruption, app store takedowns, and reputational damage in a highly visible regulatory environment.

Key enforcement levers and penalties

  • PIPL penalties:
    • Fines up to 50 million RMB or 5 percent of annual turnover for grave violations.
    • Possible suspension of services, business license revocation, or individual liability for responsible persons.
  • DSL and CSL penalties:
    • Severe fines for mishandling important data or network security incidents.
    • Enhanced penalties where national security or CII is involved.
  • App and platform controls:
    • CAC app inspections can lead to removal from app stores for non-compliant data export practices.

Trends that impact foreign MTT businesses

  • Thematic inspections:
    • Sector-wide reviews of outbound data practices in online platforms, cloud, and telecoms.
  • Documentation audits:
    • Requests for DPIAs, data export registers, and internal policies to check if exemptions are applied correctly.
  • Cross-border cooperation:
    • Scrutiny of global architectures where China data feeds global AI or ad-tech models.

Red flags that invite scrutiny

  • No clear data classification, so "important data" cannot be distinguished from ordinary data.
  • Large data exports labeled as "contract performance" although they serve analytics or advertising.
  • Use of offshore shared service centers with broad, uncontrolled access to China production databases.
  • High-profile data breaches involving overseas recipients of China data.

When should you hire a China data or cybersecurity lawyer or expert?

You should bring in specialized China counsel or technical experts when your data exports are large, touch possible important data, or involve complex global architectures, or when you plan to lean heavily on the new exemptions for critical revenue lines. External experts add most value in structuring your overall strategy, preparing filings, and stress testing your classification decisions.

Situations where expert help is highly advisable

  • Designing or overhauling your China data strategy:
    • Entering China or launching a new platform, app, or media service that will immediately involve cross-border data flows.
  • Borderline use of exemptions:
    • High-volume consumer platforms that want to treat substantial exports as contract performance.
    • Large employers or BPO operations where HR data volumes may approach assessment thresholds.
  • Possible important data exposure:
    • Telecoms backbones, mapping or navigation services, critical infrastructure IoT, or large-scale financial services data.
  • CAC interactions:
    • Responding to inquiries, inspections, or preparing a security assessment submission.

What to look for in an adviser

  • China-specific regulatory experience with CAC, MIIT, and relevant sector bodies.
  • Ability to work with technical architects to convert legal requirements into system designs.
  • Track record in cross-border data projects for MTT or platform businesses, not just generic privacy advice.

What practical next steps should compliance teams take now?

Compliance teams should immediately map existing outbound flows, classify them under the new framework, and adjust documentation and architectures where needed. Early action lets you capture the efficiency gains from the exemptions without increasing enforcement risk.

Action checklist for the next 3-6 months

  1. Map and classify
    • Complete an updated inventory of China-origin data exports.
    • Tag each flow as contract performance, HR, other personal data, or important data.
  2. Redesign your controls
    • For contract performance and HR flows, draft standard DPIA templates and playbooks describing when the exemption applies.
    • For other flows, confirm whether Standard Contracts, certification, or security assessment is needed.
  3. Update contracts and policies
    • Revise vendor and intra-group agreements to align with exemption-based transfers and, where needed, Standard Contract obligations.
    • Refresh privacy notices to clearly explain cross-border uses.
  4. Engage stakeholders
    • Brief China business, HR, product, and IT leaders on the new carve-outs and their limits.
    • Set KPIs for reducing unnecessary filings without weakening control over high-risk exports.
  5. Plan for reassessment
    • Schedule an annual review of outbound flows, data volumes, and important data classification.
    • Monitor future CAC notices and sector catalogues that may refine or narrow current exemptions.
