
committed an offence under section 35G(4).


In order to comply with the statutory requirements under section 35G(3), a data user shall keep and maintain an opt-out list of individuals who have chosen not to receive further marketing approaches. If direct marketing activities are carried out by the partner company and a customer exercises his opt-out right, the partner company should inform the transferor company about the request made by the customer. The partner company as well as the transferor company have to maintain the opt-out list and must not make any further marketing approaches to those customers who have opted out from the direct marketing activities in question.

In AAB No. 20/2009, the crux of the complaint was the repeated receipt by the complainant of direct marketing materials sent by companies A and B, which were joint promotion partners. The Commissioner took the view that upon the receipt of an opt-out request from the complainant by company A, it should have informed company B about it so that the latter would cease using the complainant's personal data for direct marketing purposes.

What is the Relationship between a Data User and a Data Processor?


The Amendment Ordinance made changes to DPP2 and DPP4 by introducing the term "data processor", which is defined as follows:

"Data processor" means a person who –
(a) processes personal data on behalf of another person; and
(b) does not process the data for any of the person's own purposes.


It is common business practice these days for a data user to outsource the processing of personal data to a contractor, for example, to a document shredding company for carrying out safe destruction of confidential documents, and to an IT contractor to manage and maintain the staff attendance and payroll IT systems.


These data processors are not data users as they do not control the collection, holding and processing of the personal data and therefore are not subject to the regulatory remit of the Ordinance. From the Commissioner's regulatory experience, quite a number of data breaches were committed by the contractors or agents appointed by the data users to process personal data on their behalf.



To address this issue, the Amendment Ordinance sought to strengthen the protection of personal data by imposing a duty on data users who engage these data processors to

Under section 35G(4), a data user who contravenes the requirements is liable to a maximum fine of $500,000 and to imprisonment for three years.



New Guidance on Direct Marketing, available on the Website:


For instance, the leakage of complainants' sensitive personal data, which was the subject matter of the Commissioner's Investigation Report No. R06-2599 ( ), was caused by the uploading of the complainants' personal data (including names, addresses and HKID numbers) by the IT contractor onto a location of the server to which members of the public had access.