Hong Kong, as an international center of finance and business, serves as an ideal setting for the storage and processing of personal data. Companies operating within the region must therefore abide by local privacy laws so that personal information is handled in accordance with local legislation. The Personal Data (Privacy) Ordinance (“PDPO”) is the primary statutory instrument: it establishes data subject rights and the obligations of data controllers, and it regulates the collection, holding, processing and use of personal data through six data protection principles.
The PDPO applies to anyone responsible for collecting, holding, processing or using personal data within Hong Kong or from Hong Kong. Personal data, as defined under the PDPO, includes any information that can be used to identify an individual, though interpreting that definition can often be complex.
One situation that adds a layer of complexity is when a company transfers personal data outside of Hong Kong to a third party. When this occurs, data users are required to obtain consent from each individual whose information is being sent before initiating the transfer, and to ensure adequate safeguards are in place against breaches of personal data protection.
The Data Protection and Privacy Order (DPPO) mandates that data controllers collect personal data only for purposes outlined clearly and reasonably in a legal document, and that they limit its use to what is needed for the intended purpose and minimize privacy invasion risks. Furthermore, legal entities are required to keep records of their personal data processing activities.
An important requirement of the DPPO that may create confusion for companies operating in Hong Kong, where individuals’ right to privacy is highly esteemed, is that voluntary and express consent must be secured before personal data is disclosed or used for new purposes. This could prove a difficult feat.
Businesses need to understand the PDPO to navigate its complexities successfully, an area in which our Data Privacy practice has extensive expertise. We can assist our clients in making sure their data protection practices comply with this regulation – contact us for more details!