Data HK – How to Transfer Personal Data to or From Hong Kong
Data HK is a comprehensive source of market intelligence on industries, economies and consumers worldwide. It aggregates statistics from market research organizations, businesses and governments. It also offers reports, research, emerging trends and forecasts on the economy and its consumers. Its database contains data on more than 200 countries and territories across every sector of the global economy. A fee is charged for access to the detailed data.
The Hong Kong Personal Data (Privacy) Ordinance (PDPO), introduced on 20 December 1996, is one of the world’s leading privacy laws. It establishes a wide range of rights for individuals and specific obligations for data users through six key data protection principles. The PDPO has been amended several times, most recently in 2012 and in 2021.
Under the PDPO, “personal data” refers to any information which identifies a living individual. This definition is broader than that used in some other legislative regimes – for example, the General Data Protection Regulation (GDPR), which applies in the European Union. On or before collecting personal data, a data user is required to notify the purposes for which it collects the data and the classes of persons to whom it may transfer the data. This is typically fulfilled by means of a personal information collection statement that is given to the data subject on or before the collection of their personal data.
Data transfers are an essential part of business operations, but they come with a host of regulatory issues that need to be considered carefully in order to avoid breaches and ensure efficient compliance. Padraig Walsh from Tanner De Witt’s Data Privacy practice group outlines the main points to consider when transferring personal data to or from Hong Kong.
When a data user transfers personal data to or from Hong Kong, they need to ensure that the transfer is compliant with the PDPO. In particular, they need to ensure that the transfer is in accordance with their obligations under DPP1 and DPP3. This includes ensuring that any data processors who are located outside of Hong Kong are bound by contractual or other arrangements which ensure that personal data transferred to them is protected against unauthorised or accidental access, processing, erasure, loss or use.
The PDPO imposes severe penalties on data users who breach the law. These can include fines of up to HK$1 million and imprisonment. It is therefore critical that businesses that are operating in the Hong Kong SAR, or intending to do so, take the time to understand their responsibilities under the PDPO.