Security Measures Checklist for Cross-border Data Transfer

When transferring personal data beyond Hong Kong's borders, departments/research units/staff in the University should apply the minimum security controls and requirements to safeguard personal data during the cross-border transfer, and ensure that all research and academic activities conducted in the University comply with the General Data Protection Regulation (GDPR) of the European Union (“EU”) and the Personal Information Protection Law (PIPL) of the People’s Republic of China (“PRC”). Given the broad nature of CUHK’s academic and research activities, non‑compliance with the GDPR or PIPL may result in significant reputational, regulatory, and financial consequences for both the University and affected individuals.

Below are the 2 security measures checklists, which help departments/research units assess and ensure adherence to the cross‑border data protection obligations under the GDPR of the EU and the PIPL of the PRC:

These checklists will be reviewed and updated from time to time to reflect technological advances, regulatory changes, and emerging security best practices.

Reference Materials:

Published on: 15 Jan 2026

Last Update on: 26 Mar 2026