Data hk provides information and guidance on Hong Kong data protection law and related practices. It is updated regularly to reflect the latest changes in the law and developments in practice. The website is designed to be useful to a broad range of users, including businesses and professionals involved in the collection and use of personal data.
In particular, the website focuses on data transfers and data governance. It also covers a number of other topics relevant to the handling of personal data in Hong Kong, such as privacy by design, the use of pseudonyms, and the enforcement of breaches of the six data protection principles.
The website also contains detailed information on the application of Hong Kong’s personal data transfer laws, including the requirements to carry out a transfer impact assessment and the obligations to agree to standard contractual clauses. These provisions are applicable in circumstances where a data importer will be processing personal data of EEA persons obtained from a data exporter established in the EEA and intending to transfer that data outside of the EEA to a non-EEA jurisdiction.
As with other data privacy regimes around the world, the PDPO sets out a range of core obligations for data users in respect of personal data transfers. One of these is to expressly inform a data subject on or before the collection of their personal data of the purposes for which it will be used, and the classes of persons to whom it may be transferred (noting that “transfer” is a form of use).
There are no exceptions to this requirement, even if an individual can be identified from the transferred data. The principle can be applied to CCTV recordings, logs of individuals entering car parks and records of meetings held in rooms where attendees can be seen by others. It is also relevant to the taking of photographs at public events, which are often intended to identify a crowd.
The PCPD has published two sets of recommended model contractual clauses to cater for different scenarios, namely the transfer of personal data from a data user to another data user; and the transfer of personal data between entities both of which are data users (including between entities both of which are controlled by a data user). The latter set of recommendations is less prescriptive than that for the former scenario.
As with any data governance program, it is essential to have the right people in place to support, sponsor, steward and operationalize the framework. The best data stewards are business savvy and have IT knowledge, and can act as communication bridges between the two. Enterprise architects and senior business analysts are good examples of data stewards. They will be able to translate the impacts of your governance program on business processes, decisions and interactions. They will also drive ongoing data audits and metrics that assess program success and ROI. They will be the primary points of escalation to the executive sponsor and steering committee.