8.39
Data users may need to impose additional obligations on the data processor with
regard to factors such as the amount of personal data involved, the sensitivity of the
personal data, the nature of the data processing service and the harm that may result
from a security breach.
8.40
As an alternative to exercising control through contractual means, DPP4(2) provides
flexibility and allows the data user to use “other means” to ensure compliance with
DPP4(1) by the data processors. Whilst “other means” is not further defined in the
Ordinance, data users may consider adopting the following measures to monitor the
data processors engaged by them to ensure the security of personal data:
• data users will only select reputable data processors which offer sufficient guarantees
in respect of the technical competence and organisational measures governing the
processing of personal data to be carried out;
• data users undertake to exercise due diligence and satisfy themselves that the data
processors have in place robust policies and procedures and effective security
measures for processing personal data and that adequate training is provided to
their staff; and
• data users should ensure that they have the right to audit and inspect how the data
processors handle and store personal data.
8.41
The Commissioner also recommends that data users should adopt the following good
practices[29] when personal data is or will be transferred to data processors for processing:
• data users should make it plain to the data subjects in clear and understandable
language when collecting their personal data that it may be processed by data
processors, and should notify them of the classes of such data processors;
• if data processors are not operating in Hong Kong, the data users should make sure
that their contracts are enforceable both in Hong Kong and in the countries or places
in which the data processors are operating;
• both data users and data processors should keep proper records of all the personal
data that has been transferred for processing;
• data users should also consider the possibility of arranging all handling of the personal
data to be performed within the premises of the data users, in order to minimise the
risk of data loss; and
• before entrusting personal data to data processors for system testing, data users have
to consider whether the use of anonymised or dummy data by data processors can
equally serve the purpose.
[29] See Information Leaflet on Outsourcing the Processing of Personal Data to Data Processors, available on the Website: https://www.pcpd.org.hk//english/resources_centre/publications/files/dataprocessors_e.pdf