A data hk is a person or organisation who has control over the collection, holding, processing, or use of personal information. The person may also be responsible for compliance with the six data protection principles in Hong Kong. The data hk is also responsible for informing the subject of their purposes, and obtaining their consent. Moreover, the data hk must make an assessment of the risks involved in the transfer and put safeguards in place.
Several data privacy laws now include some element of extra-territorial application. However, the data hk applies only to those who have operations controlling the collection, holding, processing or use of personal information in, or from, Hong Kong.
It is therefore important that businesses understand how the data hk will impact them, particularly where they are exporting personal data to jurisdictions outside Hong Kong. There is a growing number of circumstances in which data users will need to prepare and conduct a transfer impact assessment.
The main point to remember is that a transfer of personal data out of Hong Kong cannot take place unless certain conditions are fulfilled. This is a key principle of the PDPO and should be kept in mind in any discussion about transfers.
A key aspect of the condition is that the transferee must provide a level of data protection comparable to that of Hong Kong. This is a challenging requirement to meet. However, the PDPO does allow for some flexibility where it recognises that some jurisdictions do not have the resources to implement strong data protection measures and it is appropriate to transfer data to these jurisdictions in order to achieve the desired result.
It is also important that any transferee is able to respond adequately to any complaint or dispute brought by the data subject. This will require the provision of sufficient contact details and a clear description of what is being transferred and why.
Lastly, it is essential to consider whether the data being transferred could be considered “personal data”. The definition of personal data in the PDPO is quite broad and includes any information which relates to an identifiable person. This means that there is a significant risk that some data transfers will not be covered by the transfer impact assessment requirement in the PDPO.
If you are interested in transferring personal data outside Hong Kong, then you should speak to an expert. We can help you to assess the risk, develop a transfer impact assessment, and create appropriate safeguards for your data. To get started, please contact us.