The Data Privacy Regulations in Hong Kong impose a number of restrictions on the transfer of personal data. These restrictions are designed to reduce business risk and promote efficient, compliant data transfers across organisations. In this article, Padraig Walsh from the Data Privacy practice group of Tanner De Witt examines some key points to bear in mind when transferring personal data between locations.
In a global economy, it is essential for businesses to move their data around between their various operations and customers. However, the rules governing such data transfers vary between jurisdictions. In this article, the author discusses the main points to consider when transferring data from Hong Kong to other locations, or vice versa.
Firstly, it is important to understand the meaning of personal data in the PDPO. This is important because it determines whether a person’s rights under the PDPO are affected when their personal information is transferred to another location. The definition of personal data under the PDPO is broadly in line with the definition used in other legislative regimes (such as the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area).
Once a person is defined as a “data user”, then they are subject to the provisions of the PDPO. This means that they must ensure that any personal information collected is processed fairly and lawfully, and that the purpose for collection is specified and limited. The purpose must also be related to a function or activity of the data user, and not for any other purposes.
If the data exporter’s assessment reveals that the foreign jurisdiction does not provide adequate protection of personal data, then they must take any supplementary measures necessary to bring their level of protection up to Hong Kong standards. This could include technical measures such as encryption or anonymisation, or contractual provisions that impose additional obligations on audit, inspection and reporting, breach notification, compliance support and co-operation.
The data exporter must also take steps to ensure that any personal data that is being transferred to a third party is protected by the same safeguards as would be required in Hong Kong. This is an important requirement, as it prevents a third party from using the personal information transferred to them in a way that would violate a person’s rights under the PDPO.
Finally, the data exporter must put in place written records of any supplementary measures that they take. This helps them demonstrate that they are complying with their duties under the PDPO. This can be useful if there are any complaints made against them in relation to their handling of personal information. However, it is important to remember that these measures are only effective if they are actually implemented. Otherwise, the data exporter will be in breach of their duties. Fortunately, there are a number of resources available to help them implement these measures. For example, the ISO offers a set of standardised record-keeping templates that can be used to create a data processing plan.