
EU General Data Protection Regulation (GDPR)

I. European Union (EU) - General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR), adopted in 2016, came into force on 25 May 2018, replacing the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Directive). The GDPR introduces new provisions and enhanced rights. In the wake of technological developments, globalisation and the constitutionalisation of the fundamental right to data protection in the EU, the GDPR aims to harmonise the framework for the digital single market, put individuals in control of their data and establish a modern framework for data protection governance.

Why is the GDPR relevant to Hong Kong organisations/businesses?

In Hong Kong, the Personal Data (Privacy) Ordinance, Cap 486 of the Laws of Hong Kong (PDPO) protects the privacy of individuals in relation to personal data. When the PDPO was drafted, reference was made to the relevant requirements under the OECD Privacy Guidelines 1980 and the EU Directive. Given that the GDPR constitutes significant developments of data protection law from the EU Directive, the new regulatory framework includes a number of requirements that are not found under the PDPO.

One of the key developments introduced under the GDPR to the data protection landscape outside the EU is the explicit requirement of compliance by organisations established in non-EU jurisdictions in specified circumstances. Given the diversified business or transaction models (e.g. online transactions), it is all the more important for businesses in Hong Kong to ascertain if the GDPR is applicable to them, and to keep up with the new developments.


II. New Standard Contractual Clauses adopted by the European Commission under the GDPR for International Data Transfers


III. Publications and Articles on the GDPR


IV. Guidance and reference materials issued by the European Union


V. Highlight of Important Decisions and Major Developments under the GDPR




II. New Standard Contractual Clauses adopted by the European Commission under the GDPR for International Data Transfers

The European Commission adopted a new set of Standard Contractual Clauses (which came into effect on 27 June 2021) for the transfer of personal data to non-EU regions (“New SCCs”). From 27 September 2021 onwards, data exporters and data importers can only conclude contracts incorporating the New SCCs for the transfer of personal data out of the European Union. The PCPD publishes, for public reference, a set of frequently asked questions and answers on the implementation framework of the New SCCs and the obligations of parties entering into cross-border data transfer agreements using the New SCCs.

For more information, please refer to the set of frequently asked questions and answers:
https://www.pcpd.org.hk/english/data_privacy_law/eu/files/eu_faq.pdf

Also available from the PCPD: the "Introduction to the European Commission's New Standard Contractual Clauses for International Data Transfers", and the presentation files and video of the Webinar on "the New Standard Contractual Clauses of the EU for Transfer of Personal Data from EU to Non-EU Regions" organised by the PCPD.



III. Publications and Articles on the GDPR

To raise awareness amongst organisations/businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR, the PCPD has issued the following publication:

Booklet: An Update on European Union General Data Protection Regulation 2016 (May 2020 Revised Edition)


IV. Guidance and reference materials issued by the European Union

European Data Protection Board

Subject Matter: Recommendations/Guidelines

  • Codes of conduct: Guidelines 04/2021 on codes of conduct as tools for transfers
  • Consent: Guidelines 05/2020 on consent
  • Controller and processor: Guidelines 07/2020 on the concepts of controller and processor in the GDPR
  • Data breach notification
  • Data portability: Guidelines on right to data portability
  • Data protection by design and by default: Guidelines 4/2019 on Article 25 data protection by design and by default
  • Data protection impact assessments: Guidelines on data protection impact assessments
  • Derogations: Guidelines 2/2018 on derogations of Article 49 under the GDPR
  • Processing of personal data in providing online services: Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects
  • Processing of personal data through video devices: Guidelines 3/2019 on processing of personal data through video devices
  • Restrictions: Guidelines 10/2020 on restrictions (on the scope of rights of data subject and obligations of controllers/processors) under Article 23 of the GDPR
  • Targeting of social media users: Guidelines 8/2020 on the targeting of social media users
  • Territorial scope: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
  • Transfer tools: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data
  • Transparency: Guidelines on transparency


European Commission

Subject Matter: Reference Materials

  • Data protection regime: Overview of the data protection regime in the EU
  • GDPR requirements: Introduction to the requirements of the GDPR


V. Highlight of Important Decisions and Major Developments under the GDPR

A. Highlight of Important Decisions under the GDPR

Date of Decision / Data Protection Authority / Penalty Imposed and Violations

15 March 2022 The Data Protection Commission of Ireland

The Data Protection Commission of Ireland fined Meta Platforms (formerly Facebook) 17 million Euro for infringements of Article 5(2) of the GDPR (in relation to the purpose limitation principle). For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

10 February 2022 The Italian Data Protection Authority (GPDP)

The Italian Data Protection Authority (GPDP) fined Clearview AI Inc. 20 million Euro for processing personal data unlawfully without an appropriate legal basis and infringements in relation to transparency, purpose limitation and storage limitation, etc. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

27 January 2022 The Hellenic Data Protection Authority of Greece

The Hellenic Data Protection Authority of Greece fined telecommunications companies Cosmote and OTE 9.25 million Euro in total for violations of the principles of legality and transparency, putting in place inadequate security measures, etc., following a personal data breach notification received. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

14 January 2022 The Dutch Data Protection Authority

The Dutch Data Protection Authority fined DPG Media Magazines 525,000 Euro for unnecessarily requesting copies of identity documents. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

22 December 2021 The Austrian Data Protection Authority (DSB)

The Austrian Data Protection Authority (DSB) ruled that the use of the Google Analytics tool by an Austrian website operator on its website violated Article 44 of the GDPR in transferring personal data to Google LLC in the United States. In particular, DSB held that the standard contractual clauses which the website operator concluded with Google LLC did not offer an adequate level of protection to the personal data concerned. For details of the decision, please refer to the summary of decision issued by the DSB entitled "Information from the data protection authority on the decision on the use of Google Analytics".

16 December 2021 The Italian Data Protection Authority (GPDP)

The Italian Data Protection Authority (GPDP) fined Enel Energia 26.5 million Euro for aggressive telemarketing and improper handling of cases where data subjects requested access to their personal data or objected to the processing of their personal data for marketing purposes. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

20 August 2021 The Data Protection Commission of Ireland

The Data Protection Commission of Ireland issued its final decision imposing a fine of 225 million Euro upon WhatsApp Ireland Ltd., along with a reprimand and an order for WhatsApp Ireland Ltd. to bring its processing into compliance by taking a range of specified remedial actions in respect of infringements of, inter alia, the principle of transparency in providing information to users across Europe about its service. The final decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered as a result of the opposing views among the supervisory authorities concerned). For details of the decision, please refer to the decision of the Data Protection Commission of Ireland and its press release dated 2 September 2021.

Remarks: The decision of the Data Protection Commission of Ireland against WhatsApp Ireland Ltd. is being appealed.

21 June 2021 The Swedish Authority for Privacy Protection (IMY)

The Swedish Authority for Privacy Protection (IMY) fined SL, which operates public transport in Stockholm, SEK 16 million for unlawful use of body cameras on public transport. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.

29 April 2021 The Dutch Data Protection Authority

The Dutch Data Protection Authority fined a municipality 0.6 million Euro for using Wi-Fi tracking that made it possible to track shoppers and people who live or work in the city centre. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.



B. Major Developments under the GDPR

Date / Major Developments
25 March 2022

The new Trans-Atlantic Data Privacy Framework between the EU and the United States (“US”)

On 16 July 2020, the Court of Justice of the European Union struck down the framework of the EU-US Privacy Shield in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties (commonly known as “Schrems II Judgment”). Since 2016, the EU-US Privacy Shield had been implemented as a major mechanism for effecting transfers of personal data from EU companies to US companies.

Following continuous discussions between the European Commission and the US, the parties announced on 25 March 2022 that an agreement had been reached in principle on a new Trans-Atlantic Data Privacy Framework (“New Framework”), with a view to re-establishing a legal mechanism for the transfer of personal data from the EU to the US.

In particular, the New Framework ensures that (i) signals intelligence activities undertaken by the US should be necessary and proportionate in advancing legitimate national security objectives; (ii) a new redress mechanism with independent and binding authority will be established to direct remedial measures for affected EU individuals; and (iii) US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

As the next step forward, the European Commission and the US will continue to work on the legal documents required to be adopted by both sides for putting the New Framework into practice.

For further details of the New Framework, please refer to (1) the European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework and (2) the Press Statement issued by the White House of the US, both dated 25 March 2022.

21 March 2022

New Transfer Instruments for Transferring Personal Data from the United Kingdom

The GDPR is retained in domestic law in the United Kingdom ("the UK") as the "UK GDPR". Article 46(1) of the UK GDPR allows international transfers of personal data, inter alia, where the data exporter has provided appropriate safeguards (including through standard data protection clauses issued by the Information Commissioner, etc.).

On 21 March 2022, two new transfer instruments, namely (i) the International Data Transfer Agreement (“IDTA”) and (ii) the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers adopted in June 2021 (“Addendum”) issued by the Information Commissioner came into force. In particular, the new instruments are intended to replace the existing Standard Contractual Clauses recognised in the UK, i.e. the Standard Contractual Clauses adopted in the EU in the pre-GDPR era (“the Old SCCs”).

The practical implications of the introduction of the IDTA and the Addendum for data transferors and data transferees are that:

  • Contracts concluded on or before 21 September 2022 on the basis of the Old SCCs shall continue to provide appropriate safeguards for the purpose of the UK GDPR (provided that the processing operations that are the subject matter of the contract remain unchanged) until 21 March 2024.
  • From 22 September 2022, either the IDTA or the Addendum will have to be incorporated for new contracts concerning international transfers of personal data under the UK GDPR.
  • From 22 March 2024, the old SCCs will no longer be deemed to provide “appropriate safeguards” for the purpose of the UK GDPR. All contracts that have incorporated the old SCCs will have to be substituted by either the IDTA or the Addendum by 21 March 2024.

For further details of the IDTA and the Addendum, please refer to the introduction provided by the Information Commissioner’s Office of the UK.

17 December 2021

The children’s privacy guidelines published by the Data Protection Commission of Ireland

On 17 December 2021, the Data Protection Commission of Ireland published its “Fundamentals For A Child-oriented Approach To Data Processing”, providing guidance and recommended best practices in respect of protecting children’s personal data privacy during processing activities. For details of the publication, please refer to the summary issued by the Data Protection Commission of Ireland.

17 December 2021

The adequacy decision for South Korea

On 17 December 2021, the European Commission adopted the decision that the Republic of Korea ensures an adequate level of protection for personal data transferred from the EU to entities in the Republic of Korea subject to the Personal Information Protection Act as contemplated by the additional safeguards stipulated therein, together with the relevant official representations, assurances and commitments.

For details of the adequacy decision for South Korea, please refer to the Joint Press Statement by Didier Reynders, Commissioner for Justice of the European Commission, and Yoon Jong In, Chairperson of the Personal Information Protection Commission of the Republic of Korea.

28 June 2021

The adequacy decision for the United Kingdom

On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the GDPR and the other under the Law Enforcement Directive. Free flow of personal data from the EU to the United Kingdom is allowed because the United Kingdom ensures an essentially equivalent level of personal data protection to that guaranteed under EU law.

For details of the adequacy decision for the United Kingdom, please refer to the press release issued by the European Commission.