The Personal Data Protection Act (PDPO)

Data hk is an industry leader in data centre design and delivers best-in-class technical solutions focused on resiliency. Whether you require a single point of presence or a multi-megawatt data hall solution, our expert team is on hand to provide advice and guidance.

The Personal Data Protection Act (“PDPO”) lays down a comprehensive framework for protecting the privacy of personal data. It imposes specific obligations on data users and sets out a wide range of rights for data subjects, through six data protection principles. The PDPO was first enacted in 1996 and was substantially amended in 2012 and 2021.

Data user obligations under the PDPO generally relate to the purpose of collecting personal data and to the classes of persons to whom the personal data may be transferred. These obligations are typically fulfilled through the provision of a PICS to a data subject before the collection of personal data (see our article on “What is a PICS?”). A data user must also obtain the data subject's voluntary and express consent before transferring that person's personal data outside Hong Kong to a class of persons that was not set out in the PICS, or for a use other than that for which the data was collected.

A broad definition of personal data applies under the PDPO, and the term has been given additional meaning in other legislative regimes such as the PIPL and the GDPR – it includes any information relating to an identifiable natural person which allows the individual to be identified, directly or indirectly, including:

While the PDPO does not contain a statutory restriction on the transfer of personal data abroad, there are still a number of important matters that need to be considered in connection with such a transfer. One such matter is that the transferring entity must identify and adopt supplementary measures to bring the level of protection of the personal data transferred up to Hong Kong standards. Such measures can be either technical or contractual. They can be included in a separate document or as schedules to the main commercial agreement between the parties. In some cases, the supplementary measures can be embedded in the main commercial agreement itself without significantly altering its substance and scope. The supplementary measures can also include a requirement to comply with a data importer’s local law. This can be a significant hurdle for some entities that are seeking to transfer data abroad.