Data Hk – New Website of the Privacy Commissioner for Personal Data
Data Hk is the new website of the Hong Kong Privacy Commissioner for Personal Data, established to bring together information on the protection of personal data. This website is intended to help businesses understand the requirements of our local data protection legislation and to encourage compliance.
The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) is focusing on cross-border data transfer issues, and has published two sets of recommended model contractual clauses to be included in contracts dealing with transfer of personal data abroad. These model clauses are designed to cater for the different scenarios where a Hong Kong data user transfers personal data outside of Hong Kong, including:
A person is defined as a “data user” under the Personal Data (Privacy) Ordinance (“PDPO”) if that person controls all or any part of the collection, holding, processing and use of personal data within, or from, Hong Kong. This definition is very broad and covers virtually all forms of data processing. As a result, many companies will be considered to be a data user under the PDPO even if they do not have an office in Hong Kong.
If a company is a data user, it will be required to fulfil a wide range of statutory obligations under the PDPO, including complying with the six core data protection principles (“DPPs”). These DPPs form a fundamental set of laws in Hong Kong. In particular, a data user must expressly inform a data subject on or before the collection of personal data of the purposes for which it will be used and the classes of persons to whom the data will be transferred.
In addition, the PDPO requires a data user to protect personal data against unauthorised access, disclosure or destruction, and to take such technical measures as are appropriate in the circumstances. This may include encryption, anonymisation or pseudonymisation, and split or multi-party processing. Finally, a data user must implement and maintain a comprehensive data security regime, which will likely involve regular audits, risk assessments and a written information management plan.
It is also necessary for a data user to ensure that it has in place contractual arrangements with the entity to which it is transferring personal data, such as a data sharing agreement or a processing arrangement. These arrangements may be in the form of separate agreements, schedules to a main commercial agreement or as contractual provisions within the main commercial agreement. However, the form ultimately does not matter; what matters is that they contain sufficient provisions to protect personal data in accordance with the PDPO.
In the absence of a statutory restriction on the transfer of personal data outside of Hong Kong, it will be important for businesses to have in place arrangements that reflect the standards of data protection under the PDPO. A further issue is that the PCPD may ask a data exporter to agree to standard contractual clauses proposed by an EEA data exporter where the data exporter’s assessment reveals that the law of the foreign jurisdiction to which the personal data is being transferred does not adequately protect the data. In this case, the data exporter must submit itself to the jurisdiction of and co-operate with that data importer’s supervisory authority in respect of any procedures relating to those arrangements.