Security Measures Checklist for Cross-border Research Data Transfer

While transferring the personal data beyond Hong Kong borders, departments/research units in the University should consider the security controls to safeguard personal data during the cross-border transfer and ensure the compliance with the Hong Kong Personal Data (Privacy) Ordinance, as well as the EU General Data Protection Regulation (GDPR) and the Chinese Mainland Personal Information Protection Law (PIPL).  Given the broad nature of CUHK’s research activities, non‑compliance may result in significant reputational, regulatory, and financial consequences for both the University and affected individuals.

Below are the 2 security measures checklists which assist departments/research units in assessing and ensuring adherence to the cross‑border data protection obligations under the EU GDPR and the Chinese Mainland PIPL:

• EU GDPR – Cross-Border Research Data Transfer Security Measures Checklist
• Chinese Mainland PIPL – Cross-Border Research Data Transfer Security Measures Checklist

These checklists will be reviewed and updated periodically to reflect evolving technologies, regulatory changes, and emerging security best practices.

Reference Materials:

• 数据出境安全评估办法_中央网络安全和信息化委员会办公室
• 个人信息出境标准合同办法_中央网络安全和信息化委员会办公室
• 促进和规范数据跨境流动规定_中央网络安全和信息化委员会办公室
• 国家互联网信息办公室发布《数据出境安全评估申报指南（第二版）》和《个人信息出境标准合同备案指南（第二版）》_中央网络安全和信息化委员会办公室
• 数据出境安全评估申报指南（第二版）
• 个人信息出境标准合同备案指南（第二版）
• 《粵港澳大灣區（內地、香港）個人信息跨境流動標準合同》便利措施 | 數字政策辦公室
• 粵港澳大灣區（內地、香港）個人信息跨境流動標準合同實施指引  
• 內地《數據出境安全評估辦法》今生效
  • 数据出境安全评估: 背景和要点
  • EU General Data Protection Regulation (GDPR)
  • eu_faq.pdf
• Information and Cyber Security Within the Government
• 32 GDPR – Security of processing – General Data Protection Regulation (GDPR)
• Technical and Organizational Measures (TOMs) Under the GDPR

Published on:  15 Jan 2026