Data hk is an open and collaborative platform for sharing best practice in cross-border data transfers. It provides insight and guidance that reduce business risk while increasing compliance across organisations. The platform is managed by Tanner De Witt’s data privacy team led by Padraig Walsh.
Under Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”), data users who collect personal data must meet certain obligations when collecting it, including informing data subjects before collecting their personal data of its purpose(s and who it may be transferred to. This requirement can be seen through publishing a Personal Information Collection Statement (“PICS”).
Data users, for the purposes of this article, refers to any person responsible for collecting, holding, processing or using personal data. According to PDPO definition, personal data identifies or can reasonably be used to identify living individuals; as well as being handled fairly and according to principles set out by PDPO.
One key provision of the PDPO states that data users cannot transfer or disclose personal data of data subjects outside Hong Kong without either having a valid lawful basis or their consent. This principle can apply in numerous circumstances, but is especially significant when moving personal information across borders.
Hong Kong’s Personal Data Protection Department has issued a set of model clauses designed to satisfy the requirements of the Personal Data Protection Ordinance (PDPO). Furthermore, guidance has also been published by PCPD on conducting a transfer impact assessment which should aid implementation of such model clauses.
Hong Kong differs from Europe in that data importers do not need to agree to standard contractual clauses proposed by EEA data exporters under GDPR; however, Hong Kong businesses will increasingly find themselves needing to conduct transfer impact analyses or contribute towards them due to being importers of personal data of EEA subjects from EEA data exporters.
As the global economy becomes ever more interdependent, businesses rely heavily on cross-border data transfers to meet their commercial objectives and meet customer, client, and stakeholder demands. Therefore, it is critical that businesses understand and comply with PDPO requirements regarding personal data transfers.