Data Hk Obligations and Common Questions

Data hk is an important and sometimes confusing topic for businesses. In particular, if a business is planning to transfer personal data outside of Hong Kong, it must be aware of the obligations that exist under the PDPO. This article will provide an overview of those obligations. It will also examine the common questions that arise in this context.

Firstly, it is important to note that the PDPO only applies where a person has operations controlling collection, holding, processing or use of personal data in or from Hong Kong. This is in line with the definition of personal data in many other legal regimes – such as the Personal Information Protection Law that applies in mainland China or the General Data Protection Regulation that applies in the European Economic Area. This means that if the person in question does not control such operations, the PDPO does not apply and the obligations arising under it do not arise.

The most significant obligations are those relating to the purpose of collection and the use of data. These include the requirement to notify data subjects of the classes of persons to whom their personal data may be transferred (DPP 1) and the requirement to obtain their voluntary and express consent before transferring their personal data for a new purpose that is not set out in their PICS (DPP 3). It should also be noted that the statutory recognition that a data user is responsible and liable for its agents’ breaches of PDPO is consistent with the approach taken by other jurisdictions.

Furthermore, when a person transfers personal data abroad, they are required to conduct a transfer impact assessment. This essentially involves assessing the level of data protection in the destination jurisdiction and taking steps to bring that up to the standards that are required under the PDPO. The assessment will typically involve both technical and contractual measures. The latter may include techniques such as encryption or pseudonymisation, and split or multi-party processing arrangements. The former will likely include additional contractual provisions relating to audit, inspection and reporting, beach notification, compliance support and co-operation.

These are significant and onerous obligations. However, the good news is that extensive guidance exists on how to fulfil these requirements. It is also possible to structure these obligations so that they do not impose an excessive administrative burden on small and medium-sized enterprises. This could include the incorporation of the necessary provisions in separate contracts or schedules to the main commercial agreements.

Tech Data Distribution (Hong Kong) Limited (“Tech Data HK”), a TD SYNNEX company, is the leading global distributor and solutions aggregator for the IT ecosystem. The company is an innovative partner helping customers maximize value from their technology investments, demonstrate business outcomes and unlock growth opportunities. Tech Data HK is dedicated to uniting compelling IT products, services and solutions from 1,500+ best-in-class technology vendors.