Data hk is a portal set up by the Hong Kong Privacy Commissioner for Personal Data to provide information and guidance on various matters concerning data protection. The portal covers everything from the data transfer process to how to comply with data-related laws and regulations. It also provides links to useful resources, including laws, regulations and policies and guidance on how to implement these laws and regulations.
In terms of compliance, one of the key issues that data hk addresses is the requirement to undertake a transfer impact assessment before exporting personal data outside Hong Kong. A transfer impact assessment is a necessary step to ensure that the level of protection offered by the destination jurisdiction meets Hong Kong’s standards. The assessment can help businesses mitigate the risks of their transfers, and the PCPD has produced a series of recommended model contractual clauses that they recommend businesses include in their commercial arrangements with the data importers.
These models contain a number of clauses, including those that specify that the data importer will only use the personal data in accordance with the written instructions of the data user and will protect and retain the personal data in their possession (including any copies) in full compliance with the PDPO, and that they will not disclose or transfer the personal data to any third parties. The models are designed to be incorporated into the commercial agreements between data users and data processors, and they may take the form of separate agreements or schedules to existing commercial arrangements.
Another issue that the data hk website addresses is the definition of personal data, which is often misinterpreted and misunderstood. The current definition of personal data under the PDPO is very broad, and it is possible that this will need to be amended in the future to narrow its scope. This would be in line with the definition of personal data under other legal regimes, such as the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Union.
An important consideration is whether the personal data in question actually falls within the definition of “personal data”. A number of factors are taken into account, and there are certain categories of data that are not protected under the PDPO. These include:
There is a growing number of circumstances in which it will be necessary for data users to conduct a transfer impact assessment, especially where the business operates in a multi-jurisdictional context. The PCPD’s advice and the model contract clauses are a helpful starting point, but it is essential that businesses also keep in mind their own particular legal obligations, which will be determined by their respective legal advisers. If you are concerned about your data transfer processes, please get in touch with our data privacy team. We are always happy to discuss your concerns and advise on what steps should be taken to ensure that you remain compliant.
