Data Protection Clauses for Cross-Border Transfers

When it comes to data in Hong Kong, there are no statutory restrictions on the transfer of personal data outside Hong Kong. This is why it is important that businesses consider the obligations that do exist, as well as best practice and ethical standards, in their governance of personal data. It is also why it is important to ensure that they have contracts in place that will protect personal data in cross-border transfers from Hong Kong.

The PCPD has recently published two sets of recommended model contractual clauses. These are designed to cover the transfer of personal data from one data user to another, and the transfer of personal data from a data user to its data processor. The recommended model clauses will be of interest to any business that is considering transferring data out of Hong Kong or intending to do so.

In the case of a transfer between one data user and another, the model clauses provide for a series of steps that the transferring data user must take in order to fulfil its obligations under PDPO (Data Protection Principles) and DPP3 (“Collection of personal information”). The first step requires that the transferring data user expressly informs the data subject on or before collection of the personal data of the purposes for which it is being collected, as well as of the classes of persons to whom it may be transferred. This information can be provided as part of a PICS, or in the form of separate notices or schedules to the main commercial agreement.

Once the data has been collected, it can only be used for the purposes stated in the PICS or for a new purpose for which the consent of the data subject is obtained. Furthermore, the transferring data user must not use the personal data transferred or allow its sub-processors to do so in a location outside of Hong Kong other than where that processing is already taking place.

It is also a requirement that the transferring data user undertakes not to permit the transferred personal data to be processed in a way that is inconsistent with the requirements of PDPO. For this reason, it is necessary to carry out a transfer impact assessment before the personal data is transferred.

A transfer impact assessment will identify the adequacy of protections in the destination jurisdiction. If the assessing data user finds that the level of protection in the destination jurisdiction is insufficient, it will need to consider whether to adopt any supplementary measures. These might include technical measures such as encryption, pseudonymisation or split or multi-party processing; or contractual provisions imposing audit, inspection and reporting, breach notification, compliance support and co-operation obligations.

In short, the transferring data user will need to put in place a comprehensive package of measures in order to fulfil its obligations under PDPO and DPP3. This is why it is so important for all businesses to take the time to understand these requirements, and the implications of a failure to comply.