Hong Kong (PDPO)
The Trust Challenge

Obligations of Data users

A data user may collect personal data from a data subject if:

  • It’s for a lawful purpose directly related to a function or activity of the data user.
  • Collection is necessary for or indirectly related to that purpose.
  • The data to be collected is adequate and not excessive.

Data users are required to ensure the security of the personal data.

Further, data users are responsible for ensuring that personal data is retained only for as long as is necessary to fulfil the purpose for which the personal data is used.

If a data user engages a data processor to handle the personal data of other persons, the data user ought to enter into a contractual agreement to facilitate the data processor's adherence to the retention obligations.

Data users are required to ensure that personal data that is no longer required for the purpose for which it is used is erased.

Data subject rights: The PDPO confers upon individual data subjects a battery of different data subject rights, such as the right to access, the right to correct, the right to erasure, etc.

Data users are required to, by contractual agreement, ensure that their data processors meet the applicable requirements of the PDPO.

Win-Win Situation

Additional aspects to be considered

Data breach notification: Data users are not mandatorily required to notify authorities or data subjects of data breaches in Hong Kong. However, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued non-binding guidance (akin to best practices), which mentions notifying the PCPD and the data subjects in case of a data breach where there would be a risk of harm by not notifying.

Transfer of personal data: Currently, there are no restrictions on the transfer of personal data outside of Hong Kong under the PDPO. However, the PDPO sets out requirements pertaining to cross-border transfers, which are yet to come into force. Further, though such requirements are not currently effective, the Office of the Privacy Commissioner for Personal Data (PCPD) encourages data users to adopt the practices recommended in its guidance as part of their corporate governance responsibility to protect personal data.
