Important Points to Consider When Dealing With a Personal Data Transfer in Hong Kong

Jan 27, 2025

A slew of data privacy-related news items has been making headlines in recent weeks. A number of them have focused on the use of personal data for direct marketing purposes. Investigation and prosecution of such practices remains one of the principal enforcement priorities for the Office of the Privacy Commissioner.

In this article, Padraig Walsh from the Tanner De Witt Data Privacy practice group guides us through some key points to consider when dealing with a personal data transfer in Hong Kong.

The first consideration is whether the personal data transferred falls within the scope of the Personal Data (Privacy) Ordinance (PDPO). This requires a careful assessment of both the intention and the actual meaning of the phrase “personal data”. The definition in Hong Kong is narrower than that used in other data protection regimes (such as the Personal Information Protection Law that applies in mainland China or the General Data Protection Regulation that applies in the European Economic Area). For example, it does not include any information that is capable of being used to identify an individual.

Another important point to note is that the PDPO does not contain any express provisions conferring extra-territorial application. Its jurisdictional reach is strictly limited to a person who controls the collection, holding, processing or use of personal data through operations controlled in or from Hong Kong.

A further consideration is whether the transferring entity must fulfil any data user obligations under the PDPO in relation to the transferred personal data. The most important of these are DPP1 and DPP3. These require a data user to expressly inform a data subject, on or before collecting the personal data, of the purpose for which it is collected, and the classes of persons to whom the data may be transferred.

In addition, a data user must comply with the six DPPs in respect of the processing of the personal data. This includes ensuring that the personal data is secure and only used for the purpose specified in the Personal Information Collection Statement (PICS).

Finally, the transferring entity must take steps to ensure that the level of data protection in the foreign country meets the standards set by the PDPO. This may involve technical measures, such as encryption or anonymisation, or contractual arrangements that impose obligations on audit, inspection and reporting, breach notification, compliance support and co-operation.