TD SYNNEX (Hong Kong) Ltd is an international IT distribution and solutions aggregator focusing on connecting compelling IT products, services and technology vendors with customers worldwide. With a global network of 23,500 co-workers, the company helps its customers around the world maximize their technology investments and demonstrate business outcomes.
Hong Kong has a very high standard of personal data protection and privacy, enforced by the Personal Data (Privacy) Ordinance (“PDPO”) that sets out rights of individuals and obligations of data controllers. The PDPO governs collection, handling, processing, holding and use of personal data through six data protection principles.
It is not possible to transfer personal data outside of Hong Kong without complying with the PDPO, except in very limited circumstances. In most cases, a Hong Kong business will need to conduct a data transfer impact assessment, or DTIA, before it can transfer personal data abroad. A DTIA is a thorough evaluation of a proposed transfer of personal data that considers the effects on individuals, and takes into account the level of protection provided in the destination jurisdiction.
When conducting a DTIA, the first step is to identify the relevant personal data and class of persons to whom the personal data will be transferred. Then, the DTIA examines whether or not that data meets the definition of personal data in the PDPO. Personal data is information that can be used to identify a natural person, and includes all information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
The second step is to determine whether the foreign jurisdiction’s laws and practices are adequate to protect the personal data. If not, the DTIA must identify supplementary measures, to be adopted before the transfer, that will bring the level of data protection up to Hong Kong standards. These supplementary measures may be technical (such as encryption, anonymisation or pseudonymisation), or contractual.
Finally, the business conducting the DTIA must prepare a report and submit it to the Privacy Commissioner for Personal Data (PCPD). The report should include an assessment of the supplementary measures and a description of the measures taken to safeguard the personal data, together with any evidence that the personal data will not be subjected to undue risk in the destination country.
The PCPD has previously published guidance on data transfers, including recommended model clauses for inclusion in contracts dealing with transfer of personal data, which will facilitate adherence to section 33 of the PDPO once implemented. However, increased cross-border data flow has meant that section 33’s implementation has been pushed back, and resistance to change from the business community has become apparent.