(b) does not process the data for any of the person’s own purposes.
6.27
The following are some examples of outsourcing the processing of personal data by a
data user to a “data processor”:
• a service provider engaged to input personal data to computer systems of the data
user;
• a contractor engaged to shred confidential documents which contain personal data;
• a marketing company engaged to carry out a customer opinion survey using
customers’ personal data provided by the data user.
6.28
DPP2(3) does not further specify the particular terms that have to be incorporated into a
data processing contract in order to comply with the requirement. Given the vast
variety of outsourcing activities, arguably no exhaustive list can be drawn up to cover all
of them. A data user is in the best position, having regard to its business nature and the
extent of the privacy risks to which it is exposed, to decide what contractual obligations it
should impose upon the data processor. A data user should also take steps to ensure that
those contractual obligations are duly observed by its data processor.
6.29
Sometimes, a data user may not be able to enter into a contract with its data processor
to protect the personal data entrusted to it for handling. DPP2(3) provides flexibility by
allowing the use of “other means” of compliance. Whilst “other means” is not defined
under the Ordinance, data users may engage non-contractual oversight and auditing
mechanisms to monitor their data processor’s compliance with the data protection
requirements.
6.30
Apart from the duty to comply with the new requirement under DPP2(3), a data user remains
accountable under section 65(2) of the Ordinance for the acts done and practices
engaged in by a data processor who acts as its agent and with its express or implied
authority.
6.31
Data users may make reference to the information leaflet issued by the Commissioner [12]
to facilitate understanding of and compliance with the new obligations. The information
leaflet gives examples of the types of obligations to be imposed on data processors by
contract and measures to be adopted in engaging non-contractual oversight and audit
mechanisms to monitor data processors’ compliance with the data protection
requirements. It also provides recommendations for good practice where personal data
is transferred outside Hong Kong for processing by data processors.
[12] See information leaflet on Outsourcing the Processing of Personal Data to Data Processors, available on the Website: https://www.pcpd.org.hk//english/resources_centre/publications/files/dataprocessors_e.pdf