Data Hk – An Overview of Personal Data Protection Law in Hong Kong

Data hk is an independent website dedicated to providing Hong Kong data privacy issues and news with expert knowledge and transparency on data protection law in Hong Kong.

Hong Kong may not present particular challenges for exporting personal data outside the EEA; nevertheless it remains important to carefully consider any cross-border data transfers and ensure compliance with PDPO. Padraig Walsh from Tanner De Witt’s Data Privacy practice provides an overview of key points related to personal data transfers in this article.

First and foremost, it is crucial to comprehend how the PDPO interprets personal data and applies in relation to cross-border transfers of such information. As a general guideline, the PDPO will apply when someone controls (whether alone, jointly with others or collectively with other persons) the collection, holding, processing or use of personal data collected for any PDPO purposes with voluntary and express consent of data subjects being sought prior to such use.

The PDPO defines personal data as any information pertaining to an identifiable natural person, including, but not limited to: name, address, telephone number, email address or any other identifier that can reasonably be used to identify that individual. Under its provisions, personal data collected must only be used for its intended purposes and once collected should only be made available when needed by those authorized for those specific uses; any unauthorised disclosure would constitute a serious breach of the PDPO and can result in legal consequences.

One key provision of the PDPO is Section 33, which prohibits transfers out of Hong Kong without satisfying certain conditions. Unfortunately, however, circumstances exist where Hong Kong businesses may need to conduct a transfer impact assessment due to laws or practices in other jurisdictions in which they export personal data.

At the same time, there are practical steps you can take to meet data transfer requirements. For instance, data exporters should implement standard contractual clauses to ensure that personal data transferred complies with PDPO laws. Data exporters must also keep detailed records of all personal information transferred abroad and make every effort to meet transfer requirements. Before entering into contracts involving personal data transfers, exporters should seek legal advice in order to satisfy all PDPO statutory obligations and ensure business operations do not suffer due to compliance issues. For more information about how you can reduce data risks contact us on +852 2811 4000 today!