Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

partners, the scope for marketing the goods or services to include those offered by the

subsidiaries and partners was found to be too broad. It should have specified the types

of products or services that would be potentially marketed by these subsidiaries and

partners, which could be totally different from the products and services offered and

covered by the programme. Hence, it is likely that the purpose of the use of data,

nature of subsidiaries’ and partners’ business, and scope of marketing would fall outside

the reasonable expectation of the programme members. The Commissioner was of the

view that when the statement of purposes of use was drafted in such a manner that

there was no clear limit, it could not meaningfully be qualified as a purpose, whether in

general or specific terms, for the purposes of DPP1(3)(b)(i)(A). (See paragraphs 5.91 to

5.108 below for details on the new requirements regarding direct marketing.)

5.82

In another investigation, the Commissioner looked at the situation where frontline

telemarketers of an association approached the data subjects by phone. The

telemarketers asked the call recipients to provide contact data on the pretext of

sending gifts to them when in fact the data was transferred to an insurance company to

facilitate its direct marketing activities. As a result, the call recipients were not able to

ascertain with a reasonable degree of certainty the purposes of use of their personal

data and the classes of transferees. The Commissioner found that the association was in

breach of DPP1(3)(b)(i).

The Classes of Persons to Whom the Data May Be Transferred

5.83

Paragraph (B) of DPP1(3)(b)(i), which concerns the classes of persons to whom the data

may be transferred, is also very often the bone of contention between the data user

and the data subject. For example, a transaction involving the collection of personal

data from an individual may entail the further transfer of such data to a third party for a

purpose directly related to the original purpose of collection but the individual may not

be able to foresee the further transfer. In this connection, a specific transferee clause in

a PICS will help avoid any unpleasant surprise or dispute. The transfer of personal data of

a debtor by a credit provider to a debt collection agent for the purpose of debt

recovery is a case in point. In AAB No. 21/2009, a telecommunications company

transferred the personal data of a customer who had defaulted in payments of the

service fee to a debt collection agent. The AAB found the telecommunications

company had failed to expressly include the debt collectors in the class of transferees in

the PICS on or before collection of his personal data. The telecommunications company

was found to have contravened DPP1(3)(b)(i)(B). Again, in AAB No. 51/2011, the AAB

ruled that the telecommunications company in question should have specified clearly

that the debt collectors (instead of “agent”) were a permitted class of transferee.

5.84

It is also important to note that the word “use”, in relation to personal data, is defined in

section 2(1) of the Ordinance to include acts to “disclose” or “transfer” the data. In

other words, “transfer” is one type of “use”. On this basis, the Commissioner takes the

view that paragraph (B) in DPP1(3)(b)(i) should be read subject to paragraph (A). Put

simply, the transfer of data to a third party coming within paragraph (B) may only arise

where the purpose for such transfer comes within paragraph (A), but not otherwise.

See Investigation Report No.13-1138, available on the Website: