and
• the data user had not in relation to such use contravened any provision of the
  Ordinance as in force at the time of the use.
5.104
For example, if a bank had obtained a customer’s mobile phone number, residential
address and residential telephone number as well as his email address before 1 April
2013, explicitly and clearly notified its customer that such personal data would be used
for marketing banking and insurance services, and the bank had so used the mobile
phone number before 1 April 2013, and such use had not been vitiated by the
customer’s indication of opting out, then not only would the mobile phone number be
exempted but the use of the other personal data already held by the bank prior to 1
April 2013, viz. residential address, email address and residential telephone number
would also be exempted from the notification and consent requirement.
5.105
The grandfathering arrangement also applies to updates of personal data held by a
data user before 1 April 2013. For instance, if a data user held a data subject’s
residential address before 1 April 2013 and the data subject moved after 1 April 2013,
the data user may use the new residential address for continued marketing of the
services without the need to notify the data subject and obtain his consent anew.
5.106
For the avoidance of doubt, the grandfathering arrangement does not apply to, and
the notification and consent obligations outlined in paragraphs 5.96, 5.97, 5.99, 5.100
and 5.101 must be complied with in relation to:
• the use of the personal data of the data subject in relation to a different class of
  marketing subjects from that previously made known and/or consented to by the
  data subject prior to 1 April 2013;
• new personal data collected or acquired by the data user after 1 April 2013; and
• the transfer of personal data to another person for that other person's use for direct
  marketing, irrespective of whether or not notification was provided and consent
  obtained from the data subject prior to 1 April 2013.
Section 35D(2): Data Collected from a Third Person
5.107
Data users should be reminded that the duty to inform the data subject of their intention
to use the data subject’s personal data in direct marketing is absolute and not
dependent on whether the personal data is collected from the data subjects directly or
not. It is not uncommon that a data user may obtain personal data from a partner, an
associate or a subsidiary company in a cross-marketing scheme. If the data user is
planning to use the data received from a third party for direct marketing, the data user
is still required to inform the data subject of the intention to use the data for direct
marketing unless the third party confirms that:
• it has given written notice to the data subject and obtained his written consent to
  the provision of personal data to the class of transferees to which the data user
  belongs; and
• the products or services that the data user intends to market fall within the class of