Despite the fact that Hong Kong is an international financial center, it has strict laws and framework to protect workers’ rights. This has led to a growing number of companies outsourcing some HR-related tasks to EORs. However, it is important to perform a cost analysis before selecting the right EOR for your company. Choose an EOR with a deep understanding of local labor laws and practices to ensure your company’s expansion in new territories is seamless.
The statutory definition of “data user” under the PDPO is broad and encompasses anyone who controls the collection, holding or processing of personal data. It extends to any person who acts on behalf of a data user, including agents or contractors. The PDPO requires that a data user fulfills certain obligations, and one of those is to expressly inform the data subject of the purposes for which the data will be collected. This is usually accomplished by means of a PICS, or personal information collection statement, prior to collecting the data.
Under the PDPO, a data user is also required to use contractual or other measures to prevent personal data transferred to data processors, whether within or outside of Hong Kong, from being kept longer than necessary for processing of that data, and to prevent such transfered personal data from unauthorised access, processing, erasure, loss or use. The PCPD has published recommended model clauses that may be included in contracts involving data transfers to data processors.
In some cases, the need for a data transfer impact assessment arises because of the need to comply with the PDPO and its DPPs, especially where the business processes involve data that will be processed outside of Hong Kong. However, there has been a move away from imposing a mandatory requirement for conducting such an assessment in light of the perceived difficulty and expense of doing so and the fact that, given the close ties between businesses operating in Hong Kong and mainland China under the “one country, two systems” principle, such an assessment is unlikely to significantly change the flow of personal data across the border.
This trend is likely to continue, with the recent signing of the Memorandum on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area by the Hong Kong Innovation, Technology and Industry Bureau and the Cyberspace Administration of China, which promotes data flows and facilitates digital economic development. However, there will remain a significant number of circumstances in which an impact assessment will need to be conducted by a data user whose operations control the collection, holding, processing or use of personal data in, or from, Hong Kong. This will particularly be the case where a data exporter under the GDPR agrees to standard contractual clauses proposed by a data importer under the PDPO. This is because a data importer under the PDPO will be subject to the jurisdiction of, and co-operate with, the competent supervisory authority of the data exporter.