Skip to content

Guidance Notes

Guidance Notes

Fact Sheet No. 1, April 1997

TRANSFER OF PERSONAL DATA OUTSIDE HONG KONG: SOME COMMON QUESTIONS

INTRODUCTION

Section 33 of the Personal Data (Privacy) Ordinance prohibits the transfer of personal data to places outside Hong Kong unless one of a number of conditions is met. One of these conditions is that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data concerned are given equivalent protection to that provided for by the Ordinance. One method for achieving this is for the parties to the transfer to enter into a contract, or other acceptable agreement applying the data protection principles to the data upon its transfer to the place outside Hong Kong. The main purpose of this Fact Sheet is to assist data users in complying with section 33 in this manner.

1. What are "personal data"?

"Personal data" are any data relating directly or indirectly to a living individual (data subject), from which it is practical to ascertain the identity of the individual and which are in a form in which access or processing is practicable.

2. What transfers are subject to section 33?

Section 33 covers two situations, namely transfers from Hong Kong to a place outside Hong Kong and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user.

3. What restrictions are imposed on transfers outside Hong Kong?

Section 33 provides that before a data user may transfer personal data outside Hong Kong, at least one of the following requirements must be satisfied:

  • the place to which the data are transferred has in force "any law which is substantially similar to, or serves the same purposes as, this Ordinance". The Privacy Commissioner may specify a place satisfying this requirement by notice in the gazette.
     
  • the data subject has consented in writing to the transfer.
     
  • the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the data subject's consent, but if practicable, such consent would be given.
     
  • the data are exempt from data protection principle 3 by virtue of an exemption under "Part VIII - Exemptions" in the Ordinance.
     
  • the data user has taken "all reasonable precautions and exercised all due diligence to ensure" that the data will not be dealt with in a manner that would constitute a contravention of the Ordinance.

4. How can a data user fulfill this last requirement of due diligence?

The law of contract and similar agreements represent the principal mechanism whereby transfers may fulfill this requirement of due diligence. The contract, or other agreement, would be between the data user transferring the personal data and the recipient.

5. What provisions should a contract include?

To assist data users adopting this contractual solution, the Privacy Commissioner has prepared a model contract. The clauses of the model contract are based on an agreement jointly prepared by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce. They have been adapted to meet the requirements of the Ordinance.

 

Data Protection Principles

Model Contract

Next Page