Personal Data Protection and Cross-Border Transfers in Hong Kong

Hong Kong’s personal data protection regime places onerous obligations and assessments upon data users when making cross-border transfers of personal data out of Hong Kong, to protect privacy rights of data subjects. To this end, there has been extensive guidance issued by the PCPD as well as model clauses and other provisions available that provide details.

As part of these arrangements, the data user must also undertake that any transferred personal data will not be used or held outside Hong Kong without explicit agreement from its exporter, nor processed further in any manner that would identify individuals. This requirement often takes the form of a contract clause stating that the data exporter will ensure any sub-processor who receives personal data will implement the measures necessary to bring processing up to the standard under the PDPO, or of other contractual provisions such as breach notification, audit inspection and reporting, or compliance support and co-operation agreements.

One key thing to keep in mind when dealing with international transfers of personal data is that the PDPO does not impede such transfers. Under this legislation and similar ones, such as mainland China’s data protection regime and the GDPR in Europe, personal data refers to information about identifiable natural persons. If the data being transferred doesn’t fit this definition, then no obligation exists to comply with the PDPO regarding its transfer.

Next, it is necessary to ascertain whether the Personal Data Protection Ordinance (PDPO) applies to the cross-border data transfer in question. This depends on whether a data user that oversees the collection, holding, processing or use of personal data operates within Hong Kong; otherwise, a risk analysis must be conducted to ascertain whether the PDPO applies.

Any effective data governance program involves numerous people and could generate differing viewpoints on its implementation. In such instances, it is critical that projects be carefully organized and managed using an approach such as RACI (responsible, accountable, consulted and informed). This method identifies roles, establishes clear communication channels and assigns responsibility accordingly. By following these steps, data governance programs can help reduce confusion and misunderstanding that could otherwise lead to a breakdown in their processes. They also ensure any disagreements are settled constructively rather than through confrontation, which in turn increases overall effectiveness as well as the business benefits derived from them. Ultimately, a data governance program can become an invaluable asset that supports performance improvement and competitive advantage for any enterprise.