Data hk is the term for the personal data which, or which may be inferred from, or connected with, an identified or identifiable natural person. Personal data includes all information relating to that person, whether it relates to his/her name, identity card number, telephone number, address, gender or other details, and whether they are recorded in manual, electronic, photographic, audio, video or other formats.
Most modern data privacy regimes contain a statutory restriction on the transfer of personal data outside the country or jurisdiction where it was collected. Hong Kong is no exception, and has a statutory restriction in section 33 of the Personal Data Protection Ordinance (“PDPO”).
A data user must obtain the voluntary and express consent of the data subject to the purposes for which his personal data will be used and to the classes of persons whom it will be transferred to on or before the date of collection of the personal data. However, if he is transferring his personal data to a class of persons for which a PICS has already been prepared, then this requirement does not arise. In either case, a data user must comply with the six core data obligations under the PDPO.
This requirement is a necessary safeguard to ensure that the processing of personal data is fair, transparent and lawful. It also enables data users to take the appropriate steps to minimise or eliminate any risks of harm caused by the transfer of personal data overseas. The PDPO contains detailed requirements, and the PCPD has issued a comprehensive set of guidelines on how to fulfil this obligation.
If a Hong Kong data exporter transfers personal data of an EEA data subject to a non-EEA data importer, the PDPO requires that the data exporter prepare a standard contractual clause and contributes to a transfer impact assessment. The data exporter must also adhere to principles of data transparency and communicate with the data subject about the purpose for which the personal data will be transferred abroad, as well as a summary of the underlying grounds.
The standard contractual clauses are an essential tool for data exporters to protect their business operations from privacy threats and legal liability. They can be incorporated as separate agreements or schedules to commercial contracts or as contractual provisions within the main commercial agreement. However, it is important for businesses to seek legal advice before relying on the standard contractual clauses to comply with their statutory obligations.
As the volume of cross-border data flows increases, businesses should be aware of their responsibilities to protect personal data. Although section 33 of the PDPO is not currently being enforced vigorously, it remains important to comply with this provision and to keep up with changes in global regulatory developments regarding data transfer, including the use of standard contractual clauses. Data exporters should also consider putting in place adequate supplementary measures. This is particularly important for businesses that are engaged in large-scale transactions with customers in the Mainland of China, which is considered a different legal jurisdiction to Hong Kong under the “one country, two systems” principle.