Data hk is the new home for global business and one of the densest network hubs in Asia, connecting businesses, networks and IT service providers from multiple industries into a vibrant industry ecosystem. Discover what services Equinix Hong Kong has available that could meet all your digital supply chain requirements.
Data transfers are an integral component of business operations, but they come with significant compliance risks. Padraig Walsh from Tanner De Witt’s Data Privacy team discusses some important considerations when planning data transfers within or between organizations.
Before initiating any transfer, it is crucial to assess if it falls within the scope of PDPO. In general, it applies to any person responsible for collecting, holding, processing or using personal data; this means there may be certain instances in which an impact assessment must be completed even though its transfer may not be subject to restrictions under PDPO.
Similarly, data users seeking to transfer personal data outside Hong Kong for purposes other than those specified in their PICS must first obtain voluntary and express consent of data subjects before doing so. Once purpose has been stated in a PICS, any alteration will require their express permission before transfer can take place for another purpose without their prior agreement – an indication that PCPD considers data transfer an act of data use subject to its regulations.
Another key aspect is that the PDPO requires data exporters to take additional measures to ensure that the level of protection for data transferred meets or exceeds that required under it. These may include technical measures like encryption, anonymization or pseudonymisation as well as contractual provisions imposing audit, inspection, reporting obligations as well as beach notifications as well as compliance support and co-operation obligations.
The PCPD has published two sets of recommended model clauses that address various scenarios related to personal data transfer. When creating contracts involving data transfers, these should be consulted for optimal preparation. Whether or not specific cases require these model clauses should be assessed individually.
Although Hong Kong may seem different than international trends when it comes to section 33 compliance, our approach makes sense when taken within our unique context. With growing personal data flows with mainland China and internationally being transferred daily and needing to be managed properly by various means. Change will come over time; but businesses should focus on compliance with section 33 in the meantime and prepare for potential developments.