Sample workflow outputTier 1 · Flash Q&A

Data-transfer threshold question

A general PIPL data-export question becomes a citation-backed orientation answer with caveats and clear escalation triggers.

Illustrative demo only. Not legal advice, tax advice or a guaranteed outcome.

Demo input

What the user typed

“Are we required to file a CAC security assessment if we transfer the HR records of 30 China-based employees to our US parent for global payroll?”

Detected domains

Classification

Domain: IP, Data & Technology
Related: People, Operations & Risk · Legal & Compliance
Corridor: Global-to-China
Jurisdiction: PRC PIPL · cross-border personal information transfer

Missing facts

What we still need to confirm

Whether any sensitive personal information is included (e.g. health, biometric, financial)
Annual transfer volume across the group, not just this batch
Controller / processor relationship between the China entity and the US parent
Existing intra-group data processing agreement

Source map

Where the answer comes from

PIPL Article 38PIPL §38
PIPL Article 40 (CIIO + threshold)PIPL §40
CAC Standard Contract for cross-border PI transferCAC SCC 2023
CAC Measures for security assessmentCAC 2022/04

Suggested route

Where this matter goes

Flash Q&A — orientation answer with explicit thresholds and escalation triggers.

Confidence0.82

Sample output

Orientation answer (excerpt)

30 employees alone is well below the 100,000 non-sensitive PI threshold under PIPL §40 + CAC 2022/04.
If sensitive PI (e.g. medical records, financial accounts) is included, the threshold drops to 10,000 PI subjects.
Even where security assessment is not required, a transfer route under PIPL §38 must still be in place — typically the CAC Standard Contract or certification.
Confirm controller/processor mapping; intra-group transfers still require a written DPA referencing PIPL.
Escalate to scoped service if (i) global headcount changes the threshold, (ii) sensitive PI is involved, or (iii) the China entity is a Critical Information Infrastructure Operator.

What happens next

If you start this matter

If your facts cross any of the escalation triggers above, ExpertDesk can route this to a Tier 2 scoped review for a fixed-fee data-transfer route memo, or to Tier 3 expert review when CIIO status, sensitive PI volumes or sectoral regulators are in play.

Try this with your own facts.

Start a matter→See pricing tiers

Orientation answer (excerpt)

30 employees alone is well below the 100,000 non-sensitive PI threshold under PIPL §40 + CAC 2022/04.
If sensitive PI (e.g. medical records, financial accounts) is included, the threshold drops to 10,000 PI subjects.
Even where security assessment is not required, a transfer route under PIPL §38 must still be in place — typically the CAC Standard Contract or certification.
Confirm controller/processor mapping; intra-group transfers still require a written DPA referencing PIPL.
Escalate to scoped service if (i) global headcount changes the threshold, (ii) sensitive PI is involved, or (iii) the China entity is a Critical Information Infrastructure Operator.