Date: 12 May 2022
PCPD Issues Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data
Given the increasing digitalisation in the handling of personal data and globalisation of business operations in recent years, the challenges and complexities encountered by local enterprises, especially the small and medium-sized enterprises, in cross-border data transfers are set to mount. This is particular so with the proliferation and advancement of information and communication technology, including big data, cloud computing and data analytics. Against this background, the Office of the Privacy Commissioner for Personal Data (PCPD) today (12 May) issued the “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (Guidance) and provided two sets of Recommended Model Contractual Clauses (RMCs) to cater for two different scenarios in cross-border data transfers, namely (i) from one data user to another data user; and (ii) from one data user to a data processor.
The general terms and conditions in the RMCs are applicable to (i) cross-border transfers of personal data from a Hong Kong entity to another entity outside Hong Kong; or (ii) between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “It is of fundamental importance for stakeholders to shoulder up their responsibilities in protecting the personal data privacy of data subjects, notwithstanding the transfer of data outside Hong Kong. The RMCs serve to provide a practical basis for facilitating transfers of personal data from Hong Kong, enabling organisations to come to a clear agreement for transferring personal data in line with the requirements of the Personal Data (Privacy) Ordinance and good data ethics.”
For instance, the RMCs provide that:
Use/processing: A transferee should only use or process the personal data for the purposes of transfer.
Onward transfers: A transferee should not make any onward transfer of the personal data except as agreed by the parties; and should ensure that onward transfers of the personal data meet the requirements of the applicable RMCs.
Security: A transferee should apply agreed security measures to the use or processing of the personal data.
Retention and erasure: A transferee should retain the personal data only for a period which is necessary for the fulfillment of the purposes of transfer and take all practicable steps to erase the personal data once the purposes of transfer have been achieved.
The “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” can be downloaded at the PCPD’s website: