Data Hk – Key Issues Regarding Personal Data Transfers

Data Hk is a website that helps businesses with their cross-border personal data transfer compliance obligations. Its aim is to reduce the business risk of such transfers and promote efficient compliance across organisations.

Padraig Walsh, partner in Tanner De Witt’s Data Privacy practice group, discusses key issues regarding personal data transfers that businesses should consider.

A significant proportion of international trade is based on the movement of personal data. It is therefore vital that any business that transfers personal data internationally has a robust understanding of the local laws and practices applicable to such movements in order to comply with the applicable data protection regulation.

In the context of Hong Kong, these rules are established by the Personal Data (Protection) Ordinance (“PDPO”). It imposes specific data processing obligations on data controllers and provides data subjects with rights and remedies. It also regulates the collection, storage, processing, holding and use of personal data through six data protection principles.

One of the core requirements under PDPO is that personal data should only be collected for a lawful purpose and that the data obtained should be adequate but not excessive in relation to that purpose. In addition, personal data should be kept no longer than necessary for the purposes for which it was collected.

As a result, there are some restrictions on the processing of personal data, such as the prohibition of the disclosure of any information that could be used to identify an individual. Further, there is a requirement to adopt contractual or other measures that prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred for processing. In some cases, this may require a written data processing agreement to be in place with the processor.

A further issue is that, in contrast to many other data privacy regimes, PDPO does not include an express extra-territorial application. It applies only if the data user controls the collection, holding, processing or use of the personal data in or from Hong Kong, even if some elements of the data cycle occur elsewhere.

As a result, when transferring personal data to a jurisdiction that does not have comparable legislation, it is often necessary for a Hong Kong data user to agree to standard contractual clauses proposed by the EEA data exporter and to contribute to a transfer impact assessment. These arrangements can be documented in separate contracts, as schedules to the main commercial agreements or as contractual provisions within the main commercial arrangements. The form ultimately does not matter – what matters is the substance and content of those arrangements.

This article has been reviewed and revised by Tanner De Witt. For further information, please contact us on 020 7580 8200 or email.