data user must provide the prescribed information

32

to the data subject in writing. Before

the data user proceeds to provide the data, it must have received a reply in writing from

the data subject indicating that the data subject consents or does not object to the

data user doing so.

7.81

It is an offence for a data user to use or provide personal data to another person for use

in direct marketing without taking the requisite actions or obtaining the data subject’s

consent.

33

On conviction, an offender is liable to a maximum fine of HK$500,000 and

imprisonment for three years.

34

If the non-compliance relates to the provision of personal

data to another person for use in direct marketing for gain, the penalty level is raised to

maximum fine of HK$1,000,000 and five years’ imprisonment.

35

Consent and Use Regarding Pre-existing Data

7.82

The amended direct marketing requirements under Part 6A, which took effect on 1 April

2013, only have a prospective effect and do not generally apply to personal data

collected prior to 1 April 2013 (save in certain circumstances). Further details regarding

this “grandfathering” arrangement are set out in paragraphs 5.103 to 5.105 of Chapter 5.

Data Subject Withdrawing Consent (Opt-out Right) under Part 6A

7.83

The Amendment Ordinance does not make changes to the duty of the data user to

notify the data subject of his opt-out right. Under section 35F(1), a data user must, when

using a data subject’s personal data in direct marketing for the first time, inform the data

subject that the data user must, without charge to the data subject, cease using the

data in direct marketing if the data subject so requires. A data user who fails to notify

the data subject in accordance with section 35F(1) commits an offence. This obligation

applies even if the personal data has been obtained by the data user from a third party,

and not the data subject himself.

7.84

A data subject may require the data user to cease using or providing his personal data

for direct marketing purposes, notwithstanding that he may have given his consent

previously to the data user.

36

He may also ask the data user to notify any person to

whom his data has been so provided to cease using the data in direct marketing.

37

Although there is no requirement under the Ordinance for the opt-out to be given by

the data subject in writing (verbal indication of withdrawal of consent suffices), the

32

Section 35J(2).

33

Sections 35C(1) and 35E(1).

34

Sections 35C(5) and 35E(4). A storage service provider took over the business of another company and sent direct

marketing email to a customer of that company without taking the specified actions as required under section 35C(1)

and (2). On 14 September 2015, the storage service provider was convicted upon its guilty plea of the offence under

section 35C(5) and was fined HK$10,000 (Case No. ESS 26904/2015).

35

Sections 35J(5) and 35K(4). In December 2015, a real estate agent was convicted, after trial, of his failure to take

specified action and obtain the data subject's consent before providing his personal data to a third party for use in

direct marketing. The real estate agent was fined HK$5,000 (Case No. ESS 24178/2015).

36

Sections 35G(1) and 35L(1)(a).

37

Section 35L(1)(b).