bureaux or departments is subject to the relevant restrictions under DPP3. For a more

comprehensive discussion of DPP1(1)(c) and DPP3, readers are referred to paragraphs

5.1 to 5.29 in Chapter 5 and Chapter 7.

4.24

To further illustrate this point, a government department may operate through different

district offices or branch offices under its supervision and control. In the event of any

breach of a requirement under the Ordinance by a staff of one of these offices, the

Commissioner will look to the government department in question as the data user and

hence the target of investigation. This is because the government department

concerned is viewed as a single person who is capable of devising, reviewing,

supervising and controlling the personal data policies and practices to be followed by

all the district offices or branch offices operated under it. The same applies, for example,

to the case of the Hospital Authority which manages and supervises a number of public

hospitals in Hong Kong.

Joint Data Users

4.25

The definition of the term “data user” extends to situations where more than one person

is found to be in control of the collection, holding, processing or use of the data, in

which case they are jointly regarded as data users who are obliged to observe and

comply with the requirements under the Ordinance.

4.26

An example is found in the case in which two or more persons who jointly or in common

hold the legal title of real property leased it out to a tenant for rental profits. They may

have collected the tenant’s personal data in circumstances where they jointly control

the holding, processing or use of such data. Thus, when a dispute arises or a complaint is

lodged by the tenant regarding the improper handling of his personal data, all of the

owners who satisfy the definition of data user will be jointly held accountable for the act

or practice in question.

4.27

Another common situation in which more than one person may qualify as a data user is

found in cross-marketing activities whereby the personal data of customers held by

company A (the transferor company) is transferred to another company, company B

(the partner company) for the purpose of conducting activities in the nature of a joint

marketing campaign. The joint marketing campaign may involve the marketing of

products or services of A or B or both to customers of A and/or B. When A and B jointly

control the collection, holding, processing or use of the data, they will be regarded as

joint data users under the Ordinance.

3

4.28

When a potential customer’s personal data is first used for marketing purposes, the data

user is obliged under section 35F(1) of the Ordinance to inform him of his right to opt-out

of such marketing activities and to comply with the opt-out request pursuant to section

35G(3). If the data user continues to use personal data about the individual for direct

marketing after receiving his opt-out request, he may be considered as having

3

Even if the joint marketing campaign does not involve transfer of customers’ personal data, A and B may still be

considered as joint data users as long as they jointly control the collecting, holding, processing or use of the data.