Data hk provides Hong Kongers with information and guidance regarding data protection regulations, while encouraging best practice and ethical standards when managing personal information. It aims to help them become familiar with these policies as well as promote best practice in handling it responsibly.

Hong Kong’s Personal Data Protection Ordinance (“PDPO”) is the cornerstone of our data protection regime and governs all aspects of collecting, processing, holding and using personal information in our jurisdiction. It outlines both data subject rights as well as specific obligations of data controllers.

One of the key aspects of PDPO is its extraterritorial application. This means that its scope includes any personal data collected in Hong Kong or processed here before being transferred elsewhere – even if physically located outside its jurisdiction.

When Hong Kong personal data importers receive personal data from an overseas data exporter, they may be required to carry out a transfer impact assessment (TIA). This review of protection levels in the foreign jurisdiction can help assess if any additional steps could be implemented to bring those levels up to comparable standards set out in PDPO section 33.

If a TIA determines that the level of protection in a foreign jurisdiction does not meet PDPO’s requirements, they will need to enter into model contractual clauses with the data exporter in order to safeguard personal data from unauthorised access, processing or disclosure; loss, erasure or any other incidents which might compromise its security.

At our various premises, cameras and microphones are deployed at entrance points to monitor visitor numbers and evaluate fire safety measures. When visitors arrive, they are asked to register their name and organizational affiliation in order to ensure a quick and efficient reception experience; their data is saved on HK-dir servers until their stay concludes, after which it will be deleted within an appropriate period. The legal basis for this processing of personal data lies within GDPR article 6, paragraph 1, letters d) and f), which authorize processing if required in fulfilling contracts or protecting legitimate interests that outweighs an individual’s need for privacy rights.

Companies often transfer personal data across borders. This process is made easier because Hong Kong does not impose statutory restrictions on the export of personal data, making it an attractive option as a destination for overseas investment and an entry point into Greater Bay Area businesses from Mainland China. Unfortunately, cross-boundary flows create additional compliance obligations which businesses need to understand fully; Padraig Walsh of Tanner De Witt offers this article which highlights key points when planning or managing such transfers.