Important Points to Consider When Processing Personal Data in Hong Kong

The collection and analysis of data hk is an important business tool used by many different industries including finance, insurance and marketing. It allows businesses to make more informed decisions and identify trends that may otherwise be difficult to understand. However, it is imperative that businesses comply with data privacy regulation to ensure their actions are legal. This article by Padraig Walsh, a Partner in the Data Protection group at Tanner De Witt outlines some of the main points to consider.

Data hk is any information that can be linked back to an individual. This could include their name, email address or telephone number. The Hong Kong Personal Data Protection Policy (“PDPO”) governs data hk through six data protection principles. It establishes data subject rights and imposes specific obligations on data users. It also requires the express consent of individuals before collecting their personal data, unless the processing is permitted under one of the exemptions contained in the PDPO.

Despite the broad nature of the term, the PDPO only applies to data that can be directly linked back to an individual. The PDPO defines “personal data” in a way that is similar to international norms. Photographs of crowds at concerts, for example, do not constitute the collection of personal data under PDPO because there is no evidence that specific individuals can be identified. In addition, CCTV recordings of persons entering car parks and records of meetings held in hotels are not the collection of personal data because they do not contain enough details to identify an individual. However, the combination of an individual’s name, HKID number and staff number on their staff card does constitute personal data because this is sufficient to link them back to an individual.

Another important point to consider is the jurisdictional scope of the PDPO. Several data privacy regimes now have some form of extra-territorial application, but this is not the case in HK. The PDPO only has jurisdiction where the data user controls all or any part of the collection, holding, processing and use of the data in, or from, Hong Kong.

If a company wishes to transfer personal data outside of Hong Kong, they must first satisfy the requirements of DPP1 and DPP3. In particular, they must expressly inform the individual on or before the collection of their personal data of the purposes for which the information will be used, and the classes of persons to whom it will be transferred (DPP1). Furthermore, they must also adopt contractual or other means to ensure that the data processor is bound by law to protect the personal data from unauthorised access, processing, erasure, loss or use, regardless of where the personal data is processed (DPP2). If a Hong Kong-based data user transfers the personal data to a non-resident data user in the EU, it is required to carry out a transfer impact assessment before doing so (DPP5).