Where a personal information processor needs to provide personal information outside the territory of the People’s Republic of China due to business or other needs, it shall meet any of the following conditions:
(I) where it has passed the security assessment organized by the State cyberspace administration in accordance with Article 40 hereof;
(II) where it has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;
(III) where it has concluded a contract with an overseas recipient according to the standard contract formulated by the State cyberspace administration, specifying the rights and obligations of both parties; or
(IV) where it has satisfied other conditions prescribed by laws, administrative regulations, or the State cyberspace administration.
Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside the territory of the People’s Republic of China, such provisions may be complied with.
Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.