Data transfer is an essential and common part of many business transactions. It is therefore important for businesses to understand the privacy regulation imposed on data transfers, both to reduce business risk and to promote efficient compliance across the company. This article, by Padraig Walsh from the Tanner De Witt Data Privacy practice group, outlines some key points to consider regarding data transfers.
Data transfer is an important element of cross-border commercial arrangements, particularly in relation to the operation of online e-commerce sites and the provision of outsourcing services such as call centre support or payroll processing. The statutory data protection regime in Hong Kong imposes significant and onerous obligations on data users (a term which also includes processors) with regard to cross-border transfers of personal data. These obligations are set out in the Personal Data Protection Ordinance (“PDPO”).
As with other data privacy laws around the world, the PDPO defines “personal data” as information that concerns an identified or identifiable individual, such as that person's name, telephone number, date of birth and address. The PDPO further requires that personal data be collected for a specified purpose, and that the use of that data be necessary and adequate in relation to that purpose. The PDPO does not expressly limit the jurisdictional scope of its application, although several other data privacy regimes do so, and a number of international standards have been established with regard to extra-territorial application.
A common misconception is that the PDPO applies only to “data users”. In fact, the PDPO applies to a person only if that person controls the collection, holding, processing or use of personal data, whether in Hong Kong or elsewhere. This test is quite different from that in other jurisdictions, where the definition of a data user is broader and more inclusive.
Moreover, the PDPO obliges data users to inform data subjects of certain matters in respect of the collection of their personal data. This is mainly done in the form of a Personal Information Collection Statement (“PICS”), which must be provided to the data subject on or before the collection of their personal data. The PICS must include an explanation of how the personal data will be used, including a description of any cross-border transfers that may take place.
In terms of cross-border data transfers, the PDPO requires data users to ensure that contractual provisions are in place with any data exporters to prevent unauthorised access to personal data and unlawful processing of such data. This is normally achieved by including the recommended model clauses in the contracts. These can be inserted either as separate documents or as Schedules to the main commercial agreements.
The PDPO also imposes a range of other obligations on data users with regard to the use and transfer of personal data. These are primarily set out in DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data). For example, the PDPO requires that a data user have clear data retention policies, so that a data subject can easily ascertain the period during which their personal data will be retained by the data user.