Data hk is a resource for market research reports, forecasts and statistics on industries, economies and consumers worldwide. It also provides trend analysis and data visualization services. The website is free to use but subscriptions are available for more detailed information.
Data protection legislation is a cornerstone of Hong Kong’s legal system. The Personal Data Protection Ordinance (“PDPO”), which was first enacted in 1996 and significantly amended in 2012 and 2021, defines a wide range of data subject rights and specific obligations to data controllers. It regulates the collection, processing, holding and use of personal data through six data protection principles.
It is essential to consider whether a person falls within the jurisdiction of the PDPO when assessing the appropriateness of transferring data between Hong Kong and other locations. One of the most important factors is whether the data in question is personal. This includes data that identifies a natural person, including their name or HKID number. It also extends to their contact details, health records and credit records. For example, a combination of an employee’s name, photograph, job title and staff number contained on their company staff card is likely to constitute personal data and therefore fall within the scope of the PDPO.
If the data in question is not personal, it is unlikely that any PDPO requirements will apply. In this context, it is helpful to remember that the PDPO applies only where a person controls any part of a data cycle within or from Hong Kong. This is unlike some data privacy regimes which include express extra-territorial application.
When deciding whether to transfer data, it is important to assess both the benefits and risks of doing so. This should be done by carrying out a transfer impact assessment. The assessment should cover both the jurisdictions in which the data will be transferred and the laws and practices that apply to personal data protection. It should also cover national security considerations and other issues that may arise during the transfer process.
Finally, it is important to assess whether a person will have an obligation to provide a PICS when transferring their data to another jurisdiction. If they do, then they will have an obligation to comply with a range of statutory obligations relating to their use of the data (DPP1, DPP3 and DPP5), including the obligation to inform a data subject of the purposes for which their personal data is collected and the classes of persons to whom the data may be transferred.