Data HK offers businesses guidance on their legal obligations and best practice when it comes to the transfer of personal data across borders. This article looks at the principles underlying this provision as well as the contractual arrangements necessary to fulfil it; this has practical ramifications for the overall commercial arrangements of businesses.
First and foremost, one should determine whether the PDPO’s transfer requirements apply. This may not always be straightforward, given that its definition of “data user” encompasses anyone who controls the collection, holding, processing or use of personal data. This is an expansive definition that differs significantly from many other data privacy regimes, so the obligation on such persons to have suitable contractual arrangements in place is correspondingly broad.
As part of Hong Kong’s international obligations and national security requirements, arrangements to protect personal data transfers may be exempted from compliance requirements under certain circumstances. These may include protecting Hong Kong’s national security, defence and international relations; preventing or detecting crime; the assessment or collection of taxes or duties; operating public utilities; performing legal obligations or duties; news activities; or life-threatening emergency situations.
Once it is established that the transfer requirements of the PDPO do apply, the next step should be assessing whether its general requirements also do. These require data users to provide notice to data subjects about how their personal data will be processed (PICS), as well as to take measures to protect such personal data against unauthorised access, disclosure, modification, loss or destruction (DPP2 and DPP4).
Hong Kong data users increasingly face the necessity of conducting, or contributing to, transfer impact assessments when personal data is sent outside the EEA to a jurisdiction whose local laws may not provide sufficient protection for it. Typically this involves agreeing to the standard contractual clauses proposed by the data exporter within the EEA.
Transfer impact assessments may not always be required in these circumstances, but they should nevertheless be seen as good practice and as part of a commitment to data ethics. According to the PDPO, data exporters must notify data importers of any findings of a transfer impact assessment, as well as any remedial actions taken following its results. This exercise can prove invaluable for both parties: it helps identify the categories of personal data that pose particular risks so that adequate countermeasures can be taken against these threats, lowering legal risk and saving costs in legal disputes.