Data hk is a community website which brings together businesses and individuals involved in data governance. It covers topics ranging from the latest developments in legislation, policy and best practice to the challenges and opportunities of implementing and managing data governance projects. It also offers a platform for discussions and debate on data governance issues and questions.
In addition, the PCPD publishes recommended model contractual clauses (RMCs) that are intended to be incorporated into contracts involving cross-border transfers of personal data. They are designed to ensure that the transferred personal data is protected against unauthorised or accidental access, processing, erasure, loss or use. The model clauses cover the most common scenarios arising in the context of cross-border data flow, namely a transfer from one data user to another data user and a transfer from a data user to a data processor.
Aside from the model contractual clauses, other provisions of the PDPO are relevant to the protection of personal data transferred to a third party, particularly when that third party is located outside Hong Kong. The key one is section 33, which prohibits the transfer of personal data to a place outside Hong Kong unless one of its exceptions applies, for example where the destination has a law substantially similar to the PDPO or the data subject has consented in writing. Practitioners should note that, although section 33 has been enacted, it has not yet been brought into operation, so adoption of the RMCs and the associated assessment steps described below remains voluntary best practice rather than a statutory requirement.
If a business decides to transfer personal data out of Hong Kong to a jurisdiction whose law does not provide the same level or type of protection as Hong Kong, the PCPD's guidance recommends that it first carry out a transfer impact assessment. An adverse assessment means the business should either suspend the transfer or implement adequate supplementary measures before proceeding.
The supplementary measures are intended to ensure that the personal data is treated in a manner at least as protective as that required under Hong Kong law. This includes requiring the data importer to comply with any decision of a competent authority in respect of the transferred personal data.
A data transfer impact assessment should take into account the following factors:
Another relevant factor is whether the business has agreed to the standard contractual clauses proposed by an EEA data exporter under the GDPR. A business that agrees to such clauses must also agree to submit itself to the jurisdiction of, and co-operate with, the competent EEA supervisory authority in relation to any procedures aimed at ensuring compliance with those clauses.
In addition, the business should have in place policies, standards and guidance on how to protect the transferred personal data against unauthorised access, processing or deletion; where the recipient is a data processor, DPP 4(2) requires the data user to use contractual or other means to secure this. Finally, the business should be clear in its communication with data subjects about the purposes for which the personal data is collected and the classes of persons to whom it may be transferred, including the underlying reasons for the transfer (DPP 1(3)).