The Basics of a PDPO Transfer Impact Assessment

If you are a data exporter looking to transfer personal data to Hong Kong, it’s important to understand your obligations and best practices. The PDPO requires a number of steps be taken to protect data subjects’ personal privacy, including a transfer impact assessment. This article outlines the basics of this assessment, and what businesses need to know.

The PDPO sets out certain rights and obligations for data subjects, as well as regulations to control the collection, processing, holding, and use of personal data through six data protection principles. These principles are designed to help data users avoid inappropriate uses of personal information and safeguard the privacy of data subjects.

This includes a requirement for a clear data retention policy, which specifies how long personal data should be retained. However, this is not always adhered to in practice, and it appears that many data users do not have a clear data retention policy or do not disclose the length of time their personal data will be kept. This creates a situation where, even if a data subject enquires with a data user about how long their personal information will be retained, the answer they will receive may simply be that it is required by law to be kept for a specified period.

The PDPO does not contain any express provisions conferring extraterritorial application, and therefore it is unclear whether the PDPO applies to personal data transferred outside Hong Kong. However, it does contain some general provisions that, if taken in combination with the other provisions in the PDPO, are likely to have extraterritorial effect. These include the principle that a data user’s responsibilities are not diminished by the fact that the data processing cycle occurs in another jurisdiction, and the principle that the PDPO should be read in conjunction with any relevant legislation in the territory where the personal data is being processed.

In particular, the PDPO requires a data user to put in place safeguards (either by contractual or other means) to ensure that personal data is not accessible to unauthorised persons and is not subject to unlawful processing, access, erasure or destruction. It also requires a data user to take steps to verify that any contractor or agent it engages is complying with the PDPO.

This is a key area where the PDPO differs from the GDPR, and it is something that businesses should bear in mind when considering transferring personal data overseas. This is particularly important in the case of M&A transactions, where it is common for personal data to be transferred between group companies. For example, a staff card showing an individual’s name, photograph, company name and employee number is likely to constitute personal data. Consequently, it is important for the M&A adviser to carefully consider any potential transfer impacts and implement appropriate data protection measures in the M&A agreement. This will help to ensure that the PDPO is not triggered in any case where personal data is transferred.