Fact Sheet No. 1, April 1997
TRANSFER OF PERSONAL DATA OUTSIDE HONG KONG: SOME COMMON QUESTIONS
Section 33 of the Personal Data (Privacy) Ordinance prohibits the transfer of personal data to places outside Hong Kong unless one of a number of conditions is met. One of these conditions is that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data concerned are given equivalent protection to that provided for by the Ordinance. One method for achieving this is for the parties to the transfer to enter into a contract, or other acceptable agreement applying the data protection principles to the data upon its transfer to the place outside Hong Kong. The main purpose of this Fact Sheet is to assist data users in complying with section 33 in this manner.
1. What are "personal data"?
"Personal data" are any data relating directly or indirectly to a living individual (data subject), from which it is practical to ascertain the identity of the individual and which are in a form in which access or processing is practicable.
2. What transfers are subject to section 33?
Section 33 covers two situations, namely transfers from Hong Kong to a place outside Hong Kong and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user.
3. What restrictions are imposed on transfers outside Hong Kong?
Section 33 provides that before a data user may transfer personal data outside Hong Kong, at least one of the following requirements must be satisfied:
4. How can a data user fulfill this last requirement of due diligence?
The law of contract and similar agreements represent the principal mechanism whereby transfers may fulfill this requirement of due diligence. The contract, or other agreement, would be between the data user transferring the personal data and the recipient.
5. What provisions should a contract include?
To assist data users adopting this contractual solution, the Privacy Commissioner has prepared a model contract. The clauses of the model contract are based on an agreement jointly prepared by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce. They have been adapted to meet the requirements of the Ordinance.